GNU Linux-libre 4.19.242-gnu1
[releases.git] / net / wireless / nl80211.c
1 /*
2  * This is the new netlink-based wireless configuration interface.
3  *
4  * Copyright 2006-2010  Johannes Berg <johannes@sipsolutions.net>
5  * Copyright 2013-2014  Intel Mobile Communications GmbH
6  * Copyright 2015-2017  Intel Deutschland GmbH
7  * Copyright (C) 2018 Intel Corporation
8  */
9
10 #include <linux/if.h>
11 #include <linux/module.h>
12 #include <linux/err.h>
13 #include <linux/slab.h>
14 #include <linux/list.h>
15 #include <linux/if_ether.h>
16 #include <linux/ieee80211.h>
17 #include <linux/nl80211.h>
18 #include <linux/rtnetlink.h>
19 #include <linux/netlink.h>
20 #include <linux/nospec.h>
21 #include <linux/etherdevice.h>
22 #include <net/net_namespace.h>
23 #include <net/genetlink.h>
24 #include <net/cfg80211.h>
25 #include <net/sock.h>
26 #include <net/inet_connection_sock.h>
27 #include "core.h"
28 #include "nl80211.h"
29 #include "reg.h"
30 #include "rdev-ops.h"
31
32 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
33                                    struct genl_info *info,
34                                    struct cfg80211_crypto_settings *settings,
35                                    int cipher_limit);
36
37 /* the netlink family */
38 static struct genl_family nl80211_fam;
39
40 /* multicast groups */
41 enum nl80211_multicast_groups {
42         NL80211_MCGRP_CONFIG,
43         NL80211_MCGRP_SCAN,
44         NL80211_MCGRP_REGULATORY,
45         NL80211_MCGRP_MLME,
46         NL80211_MCGRP_VENDOR,
47         NL80211_MCGRP_NAN,
48         NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
49 };
50
51 static const struct genl_multicast_group nl80211_mcgrps[] = {
52         [NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
53         [NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
54         [NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
55         [NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
56         [NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
57         [NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
58 #ifdef CONFIG_NL80211_TESTMODE
59         [NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
60 #endif
61 };
62
63 /* returns ERR_PTR values */
64 static struct wireless_dev *
65 __cfg80211_wdev_from_attrs(struct net *netns, struct nlattr **attrs)
66 {
67         struct cfg80211_registered_device *rdev;
68         struct wireless_dev *result = NULL;
69         bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
70         bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
71         u64 wdev_id;
72         int wiphy_idx = -1;
73         int ifidx = -1;
74
75         ASSERT_RTNL();
76
77         if (!have_ifidx && !have_wdev_id)
78                 return ERR_PTR(-EINVAL);
79
80         if (have_ifidx)
81                 ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
82         if (have_wdev_id) {
83                 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
84                 wiphy_idx = wdev_id >> 32;
85         }
86
87         list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
88                 struct wireless_dev *wdev;
89
90                 if (wiphy_net(&rdev->wiphy) != netns)
91                         continue;
92
93                 if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
94                         continue;
95
96                 list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
97                         if (have_ifidx && wdev->netdev &&
98                             wdev->netdev->ifindex == ifidx) {
99                                 result = wdev;
100                                 break;
101                         }
102                         if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
103                                 result = wdev;
104                                 break;
105                         }
106                 }
107
108                 if (result)
109                         break;
110         }
111
112         if (result)
113                 return result;
114         return ERR_PTR(-ENODEV);
115 }
116
117 static struct cfg80211_registered_device *
118 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
119 {
120         struct cfg80211_registered_device *rdev = NULL, *tmp;
121         struct net_device *netdev;
122
123         ASSERT_RTNL();
124
125         if (!attrs[NL80211_ATTR_WIPHY] &&
126             !attrs[NL80211_ATTR_IFINDEX] &&
127             !attrs[NL80211_ATTR_WDEV])
128                 return ERR_PTR(-EINVAL);
129
130         if (attrs[NL80211_ATTR_WIPHY])
131                 rdev = cfg80211_rdev_by_wiphy_idx(
132                                 nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
133
134         if (attrs[NL80211_ATTR_WDEV]) {
135                 u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
136                 struct wireless_dev *wdev;
137                 bool found = false;
138
139                 tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
140                 if (tmp) {
141                         /* make sure wdev exists */
142                         list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
143                                 if (wdev->identifier != (u32)wdev_id)
144                                         continue;
145                                 found = true;
146                                 break;
147                         }
148
149                         if (!found)
150                                 tmp = NULL;
151
152                         if (rdev && tmp != rdev)
153                                 return ERR_PTR(-EINVAL);
154                         rdev = tmp;
155                 }
156         }
157
158         if (attrs[NL80211_ATTR_IFINDEX]) {
159                 int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
160
161                 netdev = __dev_get_by_index(netns, ifindex);
162                 if (netdev) {
163                         if (netdev->ieee80211_ptr)
164                                 tmp = wiphy_to_rdev(
165                                         netdev->ieee80211_ptr->wiphy);
166                         else
167                                 tmp = NULL;
168
169                         /* not wireless device -- return error */
170                         if (!tmp)
171                                 return ERR_PTR(-EINVAL);
172
173                         /* mismatch -- return error */
174                         if (rdev && tmp != rdev)
175                                 return ERR_PTR(-EINVAL);
176
177                         rdev = tmp;
178                 }
179         }
180
181         if (!rdev)
182                 return ERR_PTR(-ENODEV);
183
184         if (netns != wiphy_net(&rdev->wiphy))
185                 return ERR_PTR(-ENODEV);
186
187         return rdev;
188 }
189
190 /*
191  * This function returns a pointer to the driver
192  * that the genl_info item that is passed refers to.
193  *
194  * The result of this can be a PTR_ERR and hence must
195  * be checked with IS_ERR() for errors.
196  */
197 static struct cfg80211_registered_device *
198 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
199 {
200         return __cfg80211_rdev_from_attrs(netns, info->attrs);
201 }
202
203 static int validate_beacon_head(const struct nlattr *attr,
204                                 struct netlink_ext_ack *extack)
205 {
206         const u8 *data = nla_data(attr);
207         unsigned int len = nla_len(attr);
208         const struct element *elem;
209         const struct ieee80211_mgmt *mgmt = (void *)data;
210         unsigned int fixedlen = offsetof(struct ieee80211_mgmt,
211                                          u.beacon.variable);
212
213         if (len < fixedlen)
214                 goto err;
215
216         if (ieee80211_hdrlen(mgmt->frame_control) !=
217             offsetof(struct ieee80211_mgmt, u.beacon))
218                 goto err;
219
220         data += fixedlen;
221         len -= fixedlen;
222
223         for_each_element(elem, data, len) {
224                 /* nothing */
225         }
226
227         if (for_each_element_completed(elem, data, len))
228                 return 0;
229
230 err:
231         NL_SET_ERR_MSG_ATTR(extack, attr, "malformed beacon head");
232         return -EINVAL;
233 }
234
235 /* policy for the attributes */
236 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
237         [NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
238         [NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
239                                       .len = 20-1 },
240         [NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
241
242         [NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
243         [NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
244         [NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
245         [NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
246         [NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
247
248         [NL80211_ATTR_WIPHY_RETRY_SHORT] = { .type = NLA_U8 },
249         [NL80211_ATTR_WIPHY_RETRY_LONG] = { .type = NLA_U8 },
250         [NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
251         [NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
252         [NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
253         [NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
254
255         [NL80211_ATTR_IFTYPE] = { .type = NLA_U32 },
256         [NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
257         [NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
258
259         [NL80211_ATTR_MAC] = { .len = ETH_ALEN },
260         [NL80211_ATTR_PREV_BSSID] = { .len = ETH_ALEN },
261
262         [NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
263         [NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
264                                     .len = WLAN_MAX_KEY_LEN },
265         [NL80211_ATTR_KEY_IDX] = { .type = NLA_U8 },
266         [NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
267         [NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
268         [NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
269         [NL80211_ATTR_KEY_TYPE] = { .type = NLA_U32 },
270
271         [NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
272         [NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
273         [NL80211_ATTR_BEACON_HEAD] = { .type = NLA_BINARY,
274                                        .len = IEEE80211_MAX_DATA_LEN },
275         [NL80211_ATTR_BEACON_TAIL] = { .type = NLA_BINARY,
276                                        .len = IEEE80211_MAX_DATA_LEN },
277         [NL80211_ATTR_STA_AID] = { .type = NLA_U16 },
278         [NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
279         [NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
280         [NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
281                                                .len = NL80211_MAX_SUPP_RATES },
282         [NL80211_ATTR_STA_PLINK_ACTION] = { .type = NLA_U8 },
283         [NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
284         [NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
285         [NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
286                                    .len = IEEE80211_MAX_MESH_ID_LEN },
287         [NL80211_ATTR_MPATH_NEXT_HOP] = { .type = NLA_BINARY,
288                                           .len = ETH_ALEN },
289
290         [NL80211_ATTR_REG_ALPHA2] = { .type = NLA_STRING, .len = 2 },
291         [NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
292
293         [NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
294         [NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
295         [NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
296         [NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
297                                            .len = NL80211_MAX_SUPP_RATES },
298         [NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
299
300         [NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
301         [NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
302
303         [NL80211_ATTR_HT_CAPABILITY] = { .len = NL80211_HT_CAPABILITY_LEN },
304
305         [NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
306         [NL80211_ATTR_IE] = { .type = NLA_BINARY,
307                               .len = IEEE80211_MAX_DATA_LEN },
308         [NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
309         [NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
310
311         [NL80211_ATTR_SSID] = { .type = NLA_BINARY,
312                                 .len = IEEE80211_MAX_SSID_LEN },
313         [NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
314         [NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
315         [NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
316         [NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
317         [NL80211_ATTR_USE_MFP] = { .type = NLA_U32 },
318         [NL80211_ATTR_STA_FLAGS2] = {
319                 .len = sizeof(struct nl80211_sta_flag_update),
320         },
321         [NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
322         [NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
323         [NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
324         [NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
325         [NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
326         [NL80211_ATTR_STATUS_CODE] = { .type = NLA_U16 },
327         [NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
328         [NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
329         [NL80211_ATTR_PID] = { .type = NLA_U32 },
330         [NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
331         [NL80211_ATTR_PMKID] = { .len = WLAN_PMKID_LEN },
332         [NL80211_ATTR_DURATION] = { .type = NLA_U32 },
333         [NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
334         [NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
335         [NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
336                                  .len = IEEE80211_MAX_DATA_LEN },
337         [NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
338         [NL80211_ATTR_PS_STATE] = { .type = NLA_U32 },
339         [NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
340         [NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
341         [NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
342         [NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
343         [NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
344         [NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
345         [NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
346         [NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
347         [NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
348         [NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
349         [NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
350         [NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
351         [NL80211_ATTR_STA_PLINK_STATE] = { .type = NLA_U8 },
352         [NL80211_ATTR_MEASUREMENT_DURATION] = { .type = NLA_U16 },
353         [NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY] = { .type = NLA_FLAG },
354         [NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
355         [NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
356         [NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
357         [NL80211_ATTR_HIDDEN_SSID] = { .type = NLA_U32 },
358         [NL80211_ATTR_IE_PROBE_RESP] = { .type = NLA_BINARY,
359                                          .len = IEEE80211_MAX_DATA_LEN },
360         [NL80211_ATTR_IE_ASSOC_RESP] = { .type = NLA_BINARY,
361                                          .len = IEEE80211_MAX_DATA_LEN },
362         [NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
363         [NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
364         [NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
365         [NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
366         [NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
367         [NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
368         [NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
369         [NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
370         [NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
371         [NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
372         [NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
373                                       .len = IEEE80211_MAX_DATA_LEN },
374         [NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
375         [NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
376         [NL80211_ATTR_HT_CAPABILITY_MASK] = {
377                 .len = NL80211_HT_CAPABILITY_LEN
378         },
379         [NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
380         [NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
381         [NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
382         [NL80211_ATTR_WDEV] = { .type = NLA_U64 },
383         [NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
384         [NL80211_ATTR_AUTH_DATA] = { .type = NLA_BINARY, },
385         [NL80211_ATTR_VHT_CAPABILITY] = { .len = NL80211_VHT_CAPABILITY_LEN },
386         [NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
387         [NL80211_ATTR_P2P_CTWINDOW] = { .type = NLA_U8 },
388         [NL80211_ATTR_P2P_OPPPS] = { .type = NLA_U8 },
389         [NL80211_ATTR_LOCAL_MESH_POWER_MODE] = {. type = NLA_U32 },
390         [NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
391         [NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
392         [NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
393         [NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
394         [NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
395         [NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
396         [NL80211_ATTR_VHT_CAPABILITY_MASK] = {
397                 .len = NL80211_VHT_CAPABILITY_LEN,
398         },
399         [NL80211_ATTR_MDID] = { .type = NLA_U16 },
400         [NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
401                                   .len = IEEE80211_MAX_DATA_LEN },
402         [NL80211_ATTR_CRIT_PROT_ID] = { .type = NLA_U16 },
403         [NL80211_ATTR_MAX_CRIT_PROT_DURATION] = { .type = NLA_U16 },
404         [NL80211_ATTR_PEER_AID] = { .type = NLA_U16 },
405         [NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
406         [NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
407         [NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
408         [NL80211_ATTR_CSA_C_OFF_BEACON] = { .type = NLA_BINARY },
409         [NL80211_ATTR_CSA_C_OFF_PRESP] = { .type = NLA_BINARY },
410         [NL80211_ATTR_STA_SUPPORTED_CHANNELS] = { .type = NLA_BINARY },
411         [NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] = { .type = NLA_BINARY },
412         [NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
413         [NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
414         [NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
415         [NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
416         [NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
417         [NL80211_ATTR_QOS_MAP] = { .type = NLA_BINARY,
418                                    .len = IEEE80211_QOS_MAP_LEN_MAX },
419         [NL80211_ATTR_MAC_HINT] = { .len = ETH_ALEN },
420         [NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
421         [NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
422         [NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
423         [NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
424         [NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
425         [NL80211_ATTR_TSID] = { .type = NLA_U8 },
426         [NL80211_ATTR_USER_PRIO] = { .type = NLA_U8 },
427         [NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
428         [NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
429         [NL80211_ATTR_OPER_CLASS] = { .type = NLA_U8 },
430         [NL80211_ATTR_MAC_MASK] = { .len = ETH_ALEN },
431         [NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
432         [NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
433         [NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
434         [NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
435         [NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
436         [NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
437         [NL80211_ATTR_STA_SUPPORT_P2P_PS] = { .type = NLA_U8 },
438         [NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
439                 .len = VHT_MUMIMO_GROUPS_DATA_LEN
440         },
441         [NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = { .len = ETH_ALEN },
442         [NL80211_ATTR_NAN_MASTER_PREF] = { .type = NLA_U8 },
443         [NL80211_ATTR_BANDS] = { .type = NLA_U32 },
444         [NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
445         [NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
446                                     .len = FILS_MAX_KEK_LEN },
447         [NL80211_ATTR_FILS_NONCES] = { .len = 2 * FILS_NONCE_LEN },
448         [NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
449         [NL80211_ATTR_BSSID] = { .len = ETH_ALEN },
450         [NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
451         [NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
452                 .len = sizeof(struct nl80211_bss_select_rssi_adjust)
453         },
454         [NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
455         [NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
456                                              .len = FILS_ERP_MAX_USERNAME_LEN },
457         [NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
458                                           .len = FILS_ERP_MAX_REALM_LEN },
459         [NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
460         [NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
461                                         .len = FILS_ERP_MAX_RRK_LEN },
462         [NL80211_ATTR_FILS_CACHE_ID] = { .len = 2 },
463         [NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
464         [NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
465         [NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },
466
467         [NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
468         [NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
469         [NL80211_ATTR_TXQ_QUANTUM] = { .type = NLA_U32 },
470         [NL80211_ATTR_HE_CAPABILITY] = { .type = NLA_BINARY,
471                                          .len = NL80211_HE_MAX_CAPABILITY_LEN },
472 };
473
474 /* policy for the key attributes */
475 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
476         [NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
477         [NL80211_KEY_IDX] = { .type = NLA_U8 },
478         [NL80211_KEY_CIPHER] = { .type = NLA_U32 },
479         [NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
480         [NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
481         [NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
482         [NL80211_KEY_TYPE] = { .type = NLA_U32 },
483         [NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
484 };
485
486 /* policy for the key default flags */
487 static const struct nla_policy
488 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
489         [NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
490         [NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
491 };
492
493 #ifdef CONFIG_PM
494 /* policy for WoWLAN attributes */
495 static const struct nla_policy
496 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
497         [NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
498         [NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
499         [NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
500         [NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
501         [NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
502         [NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
503         [NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
504         [NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
505         [NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
506         [NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
507 };
508
509 static const struct nla_policy
510 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
511         [NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
512         [NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
513         [NL80211_WOWLAN_TCP_DST_MAC] = { .len = ETH_ALEN },
514         [NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
515         [NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
516         [NL80211_WOWLAN_TCP_DATA_PAYLOAD] = { .len = 1 },
517         [NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
518                 .len = sizeof(struct nl80211_wowlan_tcp_data_seq)
519         },
520         [NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
521                 .len = sizeof(struct nl80211_wowlan_tcp_data_token)
522         },
523         [NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
524         [NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = { .len = 1 },
525         [NL80211_WOWLAN_TCP_WAKE_MASK] = { .len = 1 },
526 };
527 #endif /* CONFIG_PM */
528
529 /* policy for coalesce rule attributes */
530 static const struct nla_policy
531 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
532         [NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
533         [NL80211_ATTR_COALESCE_RULE_CONDITION] = { .type = NLA_U32 },
534         [NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
535 };
536
537 /* policy for GTK rekey offload attributes */
538 static const struct nla_policy
539 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
540         [NL80211_REKEY_DATA_KEK] = { .len = NL80211_KEK_LEN },
541         [NL80211_REKEY_DATA_KCK] = { .len = NL80211_KCK_LEN },
542         [NL80211_REKEY_DATA_REPLAY_CTR] = { .len = NL80211_REPLAY_CTR_LEN },
543 };
544
545 static const struct nla_policy
546 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
547         [NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
548                                                  .len = IEEE80211_MAX_SSID_LEN },
549         [NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = { .len = ETH_ALEN },
550         [NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
551 };
552
553 static const struct nla_policy
554 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
555         [NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
556         [NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
557 };
558
559 static const struct nla_policy
560 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
561         [NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
562         [NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
563         [NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
564                 .len = sizeof(struct nl80211_bss_select_rssi_adjust)
565         },
566 };
567
568 /* policy for NAN function attributes */
569 static const struct nla_policy
570 nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
571         [NL80211_NAN_FUNC_TYPE] = { .type = NLA_U8 },
572         [NL80211_NAN_FUNC_SERVICE_ID] = {
573                                     .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
574         [NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
575         [NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
576         [NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
577         [NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
578         [NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
579         [NL80211_NAN_FUNC_FOLLOW_UP_DEST] = { .len = ETH_ALEN },
580         [NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
581         [NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
582         [NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
583                         .len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
584         [NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
585         [NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
586         [NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
587         [NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
588         [NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
589 };
590
591 /* policy for Service Response Filter attributes */
592 static const struct nla_policy
593 nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
594         [NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
595         [NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
596                                  .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
597         [NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
598         [NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
599 };
600
601 /* policy for packet pattern attributes */
602 static const struct nla_policy
603 nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
604         [NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
605         [NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
606         [NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
607 };
608
609 static int nl80211_prepare_wdev_dump(struct sk_buff *skb,
610                                      struct netlink_callback *cb,
611                                      struct cfg80211_registered_device **rdev,
612                                      struct wireless_dev **wdev)
613 {
614         int err;
615
616         if (!cb->args[0]) {
617                 err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
618                                   genl_family_attrbuf(&nl80211_fam),
619                                   nl80211_fam.maxattr, nl80211_policy, NULL);
620                 if (err)
621                         return err;
622
623                 *wdev = __cfg80211_wdev_from_attrs(
624                                         sock_net(skb->sk),
625                                         genl_family_attrbuf(&nl80211_fam));
626                 if (IS_ERR(*wdev))
627                         return PTR_ERR(*wdev);
628                 *rdev = wiphy_to_rdev((*wdev)->wiphy);
629                 /* 0 is the first index - add 1 to parse only once */
630                 cb->args[0] = (*rdev)->wiphy_idx + 1;
631                 cb->args[1] = (*wdev)->identifier;
632         } else {
633                 /* subtract the 1 again here */
634                 struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
635                 struct wireless_dev *tmp;
636
637                 if (!wiphy)
638                         return -ENODEV;
639                 *rdev = wiphy_to_rdev(wiphy);
640                 *wdev = NULL;
641
642                 list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
643                         if (tmp->identifier == cb->args[1]) {
644                                 *wdev = tmp;
645                                 break;
646                         }
647                 }
648
649                 if (!*wdev)
650                         return -ENODEV;
651         }
652
653         return 0;
654 }
655
656 /* IE validation */
657 static bool is_valid_ie_attr(const struct nlattr *attr)
658 {
659         const u8 *pos;
660         int len;
661
662         if (!attr)
663                 return true;
664
665         pos = nla_data(attr);
666         len = nla_len(attr);
667
668         while (len) {
669                 u8 elemlen;
670
671                 if (len < 2)
672                         return false;
673                 len -= 2;
674
675                 elemlen = pos[1];
676                 if (elemlen > len)
677                         return false;
678
679                 len -= elemlen;
680                 pos += 2 + elemlen;
681         }
682
683         return true;
684 }
685
686 /* message building helper */
687 static inline void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
688                                    int flags, u8 cmd)
689 {
690         /* since there is no private header just add the generic one */
691         return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
692 }
693
694 static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
695                                      const struct ieee80211_reg_rule *rule)
696 {
697         int j;
698         struct nlattr *nl_wmm_rules =
699                 nla_nest_start(msg, NL80211_FREQUENCY_ATTR_WMM);
700
701         if (!nl_wmm_rules)
702                 goto nla_put_failure;
703
704         for (j = 0; j < IEEE80211_NUM_ACS; j++) {
705                 struct nlattr *nl_wmm_rule = nla_nest_start(msg, j);
706
707                 if (!nl_wmm_rule)
708                         goto nla_put_failure;
709
710                 if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
711                                 rule->wmm_rule.client[j].cw_min) ||
712                     nla_put_u16(msg, NL80211_WMMR_CW_MAX,
713                                 rule->wmm_rule.client[j].cw_max) ||
714                     nla_put_u8(msg, NL80211_WMMR_AIFSN,
715                                rule->wmm_rule.client[j].aifsn) ||
716                     nla_put_u16(msg, NL80211_WMMR_TXOP,
717                                 rule->wmm_rule.client[j].cot))
718                         goto nla_put_failure;
719
720                 nla_nest_end(msg, nl_wmm_rule);
721         }
722         nla_nest_end(msg, nl_wmm_rules);
723
724         return 0;
725
726 nla_put_failure:
727         return -ENOBUFS;
728 }
729
730 static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
731                                    struct ieee80211_channel *chan,
732                                    bool large)
733 {
734         /* Some channels must be completely excluded from the
735          * list to protect old user-space tools from breaking
736          */
737         if (!large && chan->flags &
738             (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
739                 return 0;
740
741         if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
742                         chan->center_freq))
743                 goto nla_put_failure;
744
745         if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
746             nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
747                 goto nla_put_failure;
748         if (chan->flags & IEEE80211_CHAN_NO_IR) {
749                 if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
750                         goto nla_put_failure;
751                 if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
752                         goto nla_put_failure;
753         }
754         if (chan->flags & IEEE80211_CHAN_RADAR) {
755                 if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
756                         goto nla_put_failure;
757                 if (large) {
758                         u32 time;
759
760                         time = elapsed_jiffies_msecs(chan->dfs_state_entered);
761
762                         if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
763                                         chan->dfs_state))
764                                 goto nla_put_failure;
765                         if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
766                                         time))
767                                 goto nla_put_failure;
768                         if (nla_put_u32(msg,
769                                         NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
770                                         chan->dfs_cac_ms))
771                                 goto nla_put_failure;
772                 }
773         }
774
775         if (large) {
776                 if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
777                     nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
778                         goto nla_put_failure;
779                 if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
780                     nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
781                         goto nla_put_failure;
782                 if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
783                     nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
784                         goto nla_put_failure;
785                 if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
786                     nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
787                         goto nla_put_failure;
788                 if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
789                     nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
790                         goto nla_put_failure;
791                 if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
792                     nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
793                         goto nla_put_failure;
794                 if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
795                     nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
796                         goto nla_put_failure;
797                 if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
798                     nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
799                         goto nla_put_failure;
800         }
801
802         if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
803                         DBM_TO_MBM(chan->max_power)))
804                 goto nla_put_failure;
805
806         if (large) {
807                 const struct ieee80211_reg_rule *rule =
808                         freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
809
810                 if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
811                         if (nl80211_msg_put_wmm_rules(msg, rule))
812                                 goto nla_put_failure;
813                 }
814         }
815
816         return 0;
817
818  nla_put_failure:
819         return -ENOBUFS;
820 }
821
822 static bool nl80211_put_txq_stats(struct sk_buff *msg,
823                                   struct cfg80211_txq_stats *txqstats,
824                                   int attrtype)
825 {
826         struct nlattr *txqattr;
827
828 #define PUT_TXQVAL_U32(attr, memb) do {                                   \
829         if (txqstats->filled & BIT(NL80211_TXQ_STATS_ ## attr) &&         \
830             nla_put_u32(msg, NL80211_TXQ_STATS_ ## attr, txqstats->memb)) \
831                 return false;                                             \
832         } while (0)
833
834         txqattr = nla_nest_start(msg, attrtype);
835         if (!txqattr)
836                 return false;
837
838         PUT_TXQVAL_U32(BACKLOG_BYTES, backlog_bytes);
839         PUT_TXQVAL_U32(BACKLOG_PACKETS, backlog_packets);
840         PUT_TXQVAL_U32(FLOWS, flows);
841         PUT_TXQVAL_U32(DROPS, drops);
842         PUT_TXQVAL_U32(ECN_MARKS, ecn_marks);
843         PUT_TXQVAL_U32(OVERLIMIT, overlimit);
844         PUT_TXQVAL_U32(OVERMEMORY, overmemory);
845         PUT_TXQVAL_U32(COLLISIONS, collisions);
846         PUT_TXQVAL_U32(TX_BYTES, tx_bytes);
847         PUT_TXQVAL_U32(TX_PACKETS, tx_packets);
848         PUT_TXQVAL_U32(MAX_FLOWS, max_flows);
849         nla_nest_end(msg, txqattr);
850
851 #undef PUT_TXQVAL_U32
852         return true;
853 }
854
855 /* netlink command implementations */
856
857 struct key_parse {
858         struct key_params p;
859         int idx;
860         int type;
861         bool def, defmgmt;
862         bool def_uni, def_multi;
863 };
864
865 static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
866                                  struct key_parse *k)
867 {
868         struct nlattr *tb[NL80211_KEY_MAX + 1];
869         int err = nla_parse_nested(tb, NL80211_KEY_MAX, key,
870                                    nl80211_key_policy, info->extack);
871         if (err)
872                 return err;
873
874         k->def = !!tb[NL80211_KEY_DEFAULT];
875         k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
876
877         if (k->def) {
878                 k->def_uni = true;
879                 k->def_multi = true;
880         }
881         if (k->defmgmt)
882                 k->def_multi = true;
883
884         if (tb[NL80211_KEY_IDX])
885                 k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
886
887         if (tb[NL80211_KEY_DATA]) {
888                 k->p.key = nla_data(tb[NL80211_KEY_DATA]);
889                 k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
890         }
891
892         if (tb[NL80211_KEY_SEQ]) {
893                 k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
894                 k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
895         }
896
897         if (tb[NL80211_KEY_CIPHER])
898                 k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
899
900         if (tb[NL80211_KEY_TYPE]) {
901                 k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
902                 if (k->type < 0 || k->type >= NUM_NL80211_KEYTYPES)
903                         return genl_err_attr(info, -EINVAL,
904                                              tb[NL80211_KEY_TYPE]);
905         }
906
907         if (tb[NL80211_KEY_DEFAULT_TYPES]) {
908                 struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
909
910                 err = nla_parse_nested(kdt, NUM_NL80211_KEY_DEFAULT_TYPES - 1,
911                                        tb[NL80211_KEY_DEFAULT_TYPES],
912                                        nl80211_key_default_policy,
913                                        info->extack);
914                 if (err)
915                         return err;
916
917                 k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
918                 k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
919         }
920
921         return 0;
922 }
923
924 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
925 {
926         if (info->attrs[NL80211_ATTR_KEY_DATA]) {
927                 k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
928                 k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
929         }
930
931         if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
932                 k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
933                 k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
934         }
935
936         if (info->attrs[NL80211_ATTR_KEY_IDX])
937                 k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
938
939         if (info->attrs[NL80211_ATTR_KEY_CIPHER])
940                 k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
941
942         k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
943         k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
944
945         if (k->def) {
946                 k->def_uni = true;
947                 k->def_multi = true;
948         }
949         if (k->defmgmt)
950                 k->def_multi = true;
951
952         if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
953                 k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
954                 if (k->type < 0 || k->type >= NUM_NL80211_KEYTYPES) {
955                         GENL_SET_ERR_MSG(info, "key type out of range");
956                         return -EINVAL;
957                 }
958         }
959
960         if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
961                 struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
962                 int err = nla_parse_nested(kdt,
963                                            NUM_NL80211_KEY_DEFAULT_TYPES - 1,
964                                            info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
965                                            nl80211_key_default_policy,
966                                            info->extack);
967                 if (err)
968                         return err;
969
970                 k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
971                 k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
972         }
973
974         return 0;
975 }
976
977 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
978 {
979         int err;
980
981         memset(k, 0, sizeof(*k));
982         k->idx = -1;
983         k->type = -1;
984
985         if (info->attrs[NL80211_ATTR_KEY])
986                 err = nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k);
987         else
988                 err = nl80211_parse_key_old(info, k);
989
990         if (err)
991                 return err;
992
993         if (k->def && k->defmgmt) {
994                 GENL_SET_ERR_MSG(info, "key with def && defmgmt is invalid");
995                 return -EINVAL;
996         }
997
998         if (k->defmgmt) {
999                 if (k->def_uni || !k->def_multi) {
1000                         GENL_SET_ERR_MSG(info, "defmgmt key must be mcast");
1001                         return -EINVAL;
1002                 }
1003         }
1004
1005         if (k->idx != -1) {
1006                 if (k->defmgmt) {
1007                         if (k->idx < 4 || k->idx > 5) {
1008                                 GENL_SET_ERR_MSG(info,
1009                                                  "defmgmt key idx not 4 or 5");
1010                                 return -EINVAL;
1011                         }
1012                 } else if (k->def) {
1013                         if (k->idx < 0 || k->idx > 3) {
1014                                 GENL_SET_ERR_MSG(info, "def key idx not 0-3");
1015                                 return -EINVAL;
1016                         }
1017                 } else {
1018                         if (k->idx < 0 || k->idx > 5) {
1019                                 GENL_SET_ERR_MSG(info, "key idx not 0-5");
1020                                 return -EINVAL;
1021                         }
1022                 }
1023         }
1024
1025         return 0;
1026 }
1027
1028 static struct cfg80211_cached_keys *
1029 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
1030                        struct genl_info *info, bool *no_ht)
1031 {
1032         struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
1033         struct key_parse parse;
1034         struct nlattr *key;
1035         struct cfg80211_cached_keys *result;
1036         int rem, err, def = 0;
1037         bool have_key = false;
1038
1039         nla_for_each_nested(key, keys, rem) {
1040                 have_key = true;
1041                 break;
1042         }
1043
1044         if (!have_key)
1045                 return NULL;
1046
1047         result = kzalloc(sizeof(*result), GFP_KERNEL);
1048         if (!result)
1049                 return ERR_PTR(-ENOMEM);
1050
1051         result->def = -1;
1052
1053         nla_for_each_nested(key, keys, rem) {
1054                 memset(&parse, 0, sizeof(parse));
1055                 parse.idx = -1;
1056
1057                 err = nl80211_parse_key_new(info, key, &parse);
1058                 if (err)
1059                         goto error;
1060                 err = -EINVAL;
1061                 if (!parse.p.key)
1062                         goto error;
1063                 if (parse.idx < 0 || parse.idx > 3) {
1064                         GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
1065                         goto error;
1066                 }
1067                 if (parse.def) {
1068                         if (def) {
1069                                 GENL_SET_ERR_MSG(info,
1070                                                  "only one key can be default");
1071                                 goto error;
1072                         }
1073                         def = 1;
1074                         result->def = parse.idx;
1075                         if (!parse.def_uni || !parse.def_multi)
1076                                 goto error;
1077                 } else if (parse.defmgmt)
1078                         goto error;
1079                 err = cfg80211_validate_key_settings(rdev, &parse.p,
1080                                                      parse.idx, false, NULL);
1081                 if (err)
1082                         goto error;
1083                 if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1084                     parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
1085                         GENL_SET_ERR_MSG(info, "connect key must be WEP");
1086                         err = -EINVAL;
1087                         goto error;
1088                 }
1089                 result->params[parse.idx].cipher = parse.p.cipher;
1090                 result->params[parse.idx].key_len = parse.p.key_len;
1091                 result->params[parse.idx].key = result->data[parse.idx];
1092                 memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
1093
1094                 /* must be WEP key if we got here */
1095                 if (no_ht)
1096                         *no_ht = true;
1097         }
1098
1099         if (result->def < 0) {
1100                 err = -EINVAL;
1101                 GENL_SET_ERR_MSG(info, "need a default/TX key");
1102                 goto error;
1103         }
1104
1105         return result;
1106  error:
1107         kfree(result);
1108         return ERR_PTR(err);
1109 }
1110
1111 static int nl80211_key_allowed(struct wireless_dev *wdev)
1112 {
1113         ASSERT_WDEV_LOCK(wdev);
1114
1115         switch (wdev->iftype) {
1116         case NL80211_IFTYPE_AP:
1117         case NL80211_IFTYPE_AP_VLAN:
1118         case NL80211_IFTYPE_P2P_GO:
1119         case NL80211_IFTYPE_MESH_POINT:
1120                 break;
1121         case NL80211_IFTYPE_ADHOC:
1122         case NL80211_IFTYPE_STATION:
1123         case NL80211_IFTYPE_P2P_CLIENT:
1124                 if (!wdev->current_bss)
1125                         return -ENOLINK;
1126                 break;
1127         case NL80211_IFTYPE_UNSPECIFIED:
1128         case NL80211_IFTYPE_OCB:
1129         case NL80211_IFTYPE_MONITOR:
1130         case NL80211_IFTYPE_NAN:
1131         case NL80211_IFTYPE_P2P_DEVICE:
1132         case NL80211_IFTYPE_WDS:
1133         case NUM_NL80211_IFTYPES:
1134                 return -EINVAL;
1135         }
1136
1137         return 0;
1138 }
1139
1140 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
1141                                                         struct nlattr *tb)
1142 {
1143         struct ieee80211_channel *chan;
1144
1145         if (tb == NULL)
1146                 return NULL;
1147         chan = ieee80211_get_channel(wiphy, nla_get_u32(tb));
1148         if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
1149                 return NULL;
1150         return chan;
1151 }
1152
1153 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
1154 {
1155         struct nlattr *nl_modes = nla_nest_start(msg, attr);
1156         int i;
1157
1158         if (!nl_modes)
1159                 goto nla_put_failure;
1160
1161         i = 0;
1162         while (ifmodes) {
1163                 if ((ifmodes & 1) && nla_put_flag(msg, i))
1164                         goto nla_put_failure;
1165                 ifmodes >>= 1;
1166                 i++;
1167         }
1168
1169         nla_nest_end(msg, nl_modes);
1170         return 0;
1171
1172 nla_put_failure:
1173         return -ENOBUFS;
1174 }
1175
1176 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1177                                           struct sk_buff *msg,
1178                                           bool large)
1179 {
1180         struct nlattr *nl_combis;
1181         int i, j;
1182
1183         nl_combis = nla_nest_start(msg,
1184                                 NL80211_ATTR_INTERFACE_COMBINATIONS);
1185         if (!nl_combis)
1186                 goto nla_put_failure;
1187
1188         for (i = 0; i < wiphy->n_iface_combinations; i++) {
1189                 const struct ieee80211_iface_combination *c;
1190                 struct nlattr *nl_combi, *nl_limits;
1191
1192                 c = &wiphy->iface_combinations[i];
1193
1194                 nl_combi = nla_nest_start(msg, i + 1);
1195                 if (!nl_combi)
1196                         goto nla_put_failure;
1197
1198                 nl_limits = nla_nest_start(msg, NL80211_IFACE_COMB_LIMITS);
1199                 if (!nl_limits)
1200                         goto nla_put_failure;
1201
1202                 for (j = 0; j < c->n_limits; j++) {
1203                         struct nlattr *nl_limit;
1204
1205                         nl_limit = nla_nest_start(msg, j + 1);
1206                         if (!nl_limit)
1207                                 goto nla_put_failure;
1208                         if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
1209                                         c->limits[j].max))
1210                                 goto nla_put_failure;
1211                         if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1212                                                 c->limits[j].types))
1213                                 goto nla_put_failure;
1214                         nla_nest_end(msg, nl_limit);
1215                 }
1216
1217                 nla_nest_end(msg, nl_limits);
1218
1219                 if (c->beacon_int_infra_match &&
1220                     nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1221                         goto nla_put_failure;
1222                 if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1223                                 c->num_different_channels) ||
1224                     nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1225                                 c->max_interfaces))
1226                         goto nla_put_failure;
1227                 if (large &&
1228                     (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1229                                 c->radar_detect_widths) ||
1230                      nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1231                                 c->radar_detect_regions)))
1232                         goto nla_put_failure;
1233                 if (c->beacon_int_min_gcd &&
1234                     nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1235                                 c->beacon_int_min_gcd))
1236                         goto nla_put_failure;
1237
1238                 nla_nest_end(msg, nl_combi);
1239         }
1240
1241         nla_nest_end(msg, nl_combis);
1242
1243         return 0;
1244 nla_put_failure:
1245         return -ENOBUFS;
1246 }
1247
1248 #ifdef CONFIG_PM
1249 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1250                                         struct sk_buff *msg)
1251 {
1252         const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1253         struct nlattr *nl_tcp;
1254
1255         if (!tcp)
1256                 return 0;
1257
1258         nl_tcp = nla_nest_start(msg, NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1259         if (!nl_tcp)
1260                 return -ENOBUFS;
1261
1262         if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1263                         tcp->data_payload_max))
1264                 return -ENOBUFS;
1265
1266         if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1267                         tcp->data_payload_max))
1268                 return -ENOBUFS;
1269
1270         if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1271                 return -ENOBUFS;
1272
1273         if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1274                                 sizeof(*tcp->tok), tcp->tok))
1275                 return -ENOBUFS;
1276
1277         if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1278                         tcp->data_interval_max))
1279                 return -ENOBUFS;
1280
1281         if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1282                         tcp->wake_payload_max))
1283                 return -ENOBUFS;
1284
1285         nla_nest_end(msg, nl_tcp);
1286         return 0;
1287 }
1288
1289 static int nl80211_send_wowlan(struct sk_buff *msg,
1290                                struct cfg80211_registered_device *rdev,
1291                                bool large)
1292 {
1293         struct nlattr *nl_wowlan;
1294
1295         if (!rdev->wiphy.wowlan)
1296                 return 0;
1297
1298         nl_wowlan = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1299         if (!nl_wowlan)
1300                 return -ENOBUFS;
1301
1302         if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1303              nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1304             ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1305              nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1306             ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1307              nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1308             ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1309              nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1310             ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1311              nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1312             ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1313              nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1314             ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1315              nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1316             ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1317              nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1318                 return -ENOBUFS;
1319
1320         if (rdev->wiphy.wowlan->n_patterns) {
1321                 struct nl80211_pattern_support pat = {
1322                         .max_patterns = rdev->wiphy.wowlan->n_patterns,
1323                         .min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1324                         .max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1325                         .max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1326                 };
1327
1328                 if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1329                             sizeof(pat), &pat))
1330                         return -ENOBUFS;
1331         }
1332
1333         if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1334             nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1335                         rdev->wiphy.wowlan->max_nd_match_sets))
1336                 return -ENOBUFS;
1337
1338         if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1339                 return -ENOBUFS;
1340
1341         nla_nest_end(msg, nl_wowlan);
1342
1343         return 0;
1344 }
1345 #endif
1346
1347 static int nl80211_send_coalesce(struct sk_buff *msg,
1348                                  struct cfg80211_registered_device *rdev)
1349 {
1350         struct nl80211_coalesce_rule_support rule;
1351
1352         if (!rdev->wiphy.coalesce)
1353                 return 0;
1354
1355         rule.max_rules = rdev->wiphy.coalesce->n_rules;
1356         rule.max_delay = rdev->wiphy.coalesce->max_delay;
1357         rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1358         rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1359         rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1360         rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1361
1362         if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1363                 return -ENOBUFS;
1364
1365         return 0;
1366 }
1367
1368 static int
1369 nl80211_send_iftype_data(struct sk_buff *msg,
1370                          const struct ieee80211_sband_iftype_data *iftdata)
1371 {
1372         const struct ieee80211_sta_he_cap *he_cap = &iftdata->he_cap;
1373
1374         if (nl80211_put_iftypes(msg, NL80211_BAND_IFTYPE_ATTR_IFTYPES,
1375                                 iftdata->types_mask))
1376                 return -ENOBUFS;
1377
1378         if (he_cap->has_he) {
1379                 if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC,
1380                             sizeof(he_cap->he_cap_elem.mac_cap_info),
1381                             he_cap->he_cap_elem.mac_cap_info) ||
1382                     nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PHY,
1383                             sizeof(he_cap->he_cap_elem.phy_cap_info),
1384                             he_cap->he_cap_elem.phy_cap_info) ||
1385                     nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET,
1386                             sizeof(he_cap->he_mcs_nss_supp),
1387                             &he_cap->he_mcs_nss_supp) ||
1388                     nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE,
1389                             sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
1390                         return -ENOBUFS;
1391         }
1392
1393         return 0;
1394 }
1395
1396 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1397                                       struct ieee80211_supported_band *sband)
1398 {
1399         struct nlattr *nl_rates, *nl_rate;
1400         struct ieee80211_rate *rate;
1401         int i;
1402
1403         /* add HT info */
1404         if (sband->ht_cap.ht_supported &&
1405             (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1406                      sizeof(sband->ht_cap.mcs),
1407                      &sband->ht_cap.mcs) ||
1408              nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1409                          sband->ht_cap.cap) ||
1410              nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1411                         sband->ht_cap.ampdu_factor) ||
1412              nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1413                         sband->ht_cap.ampdu_density)))
1414                 return -ENOBUFS;
1415
1416         /* add VHT info */
1417         if (sband->vht_cap.vht_supported &&
1418             (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1419                      sizeof(sband->vht_cap.vht_mcs),
1420                      &sband->vht_cap.vht_mcs) ||
1421              nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1422                          sband->vht_cap.cap)))
1423                 return -ENOBUFS;
1424
1425         if (sband->n_iftype_data) {
1426                 struct nlattr *nl_iftype_data =
1427                         nla_nest_start(msg, NL80211_BAND_ATTR_IFTYPE_DATA);
1428                 int err;
1429
1430                 if (!nl_iftype_data)
1431                         return -ENOBUFS;
1432
1433                 for (i = 0; i < sband->n_iftype_data; i++) {
1434                         struct nlattr *iftdata;
1435
1436                         iftdata = nla_nest_start(msg, i + 1);
1437                         if (!iftdata)
1438                                 return -ENOBUFS;
1439
1440                         err = nl80211_send_iftype_data(msg,
1441                                                        &sband->iftype_data[i]);
1442                         if (err)
1443                                 return err;
1444
1445                         nla_nest_end(msg, iftdata);
1446                 }
1447
1448                 nla_nest_end(msg, nl_iftype_data);
1449         }
1450
1451         /* add bitrates */
1452         nl_rates = nla_nest_start(msg, NL80211_BAND_ATTR_RATES);
1453         if (!nl_rates)
1454                 return -ENOBUFS;
1455
1456         for (i = 0; i < sband->n_bitrates; i++) {
1457                 nl_rate = nla_nest_start(msg, i);
1458                 if (!nl_rate)
1459                         return -ENOBUFS;
1460
1461                 rate = &sband->bitrates[i];
1462                 if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1463                                 rate->bitrate))
1464                         return -ENOBUFS;
1465                 if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1466                     nla_put_flag(msg,
1467                                  NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1468                         return -ENOBUFS;
1469
1470                 nla_nest_end(msg, nl_rate);
1471         }
1472
1473         nla_nest_end(msg, nl_rates);
1474
1475         return 0;
1476 }
1477
1478 static int
1479 nl80211_send_mgmt_stypes(struct sk_buff *msg,
1480                          const struct ieee80211_txrx_stypes *mgmt_stypes)
1481 {
1482         u16 stypes;
1483         struct nlattr *nl_ftypes, *nl_ifs;
1484         enum nl80211_iftype ift;
1485         int i;
1486
1487         if (!mgmt_stypes)
1488                 return 0;
1489
1490         nl_ifs = nla_nest_start(msg, NL80211_ATTR_TX_FRAME_TYPES);
1491         if (!nl_ifs)
1492                 return -ENOBUFS;
1493
1494         for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1495                 nl_ftypes = nla_nest_start(msg, ift);
1496                 if (!nl_ftypes)
1497                         return -ENOBUFS;
1498                 i = 0;
1499                 stypes = mgmt_stypes[ift].tx;
1500                 while (stypes) {
1501                         if ((stypes & 1) &&
1502                             nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1503                                         (i << 4) | IEEE80211_FTYPE_MGMT))
1504                                 return -ENOBUFS;
1505                         stypes >>= 1;
1506                         i++;
1507                 }
1508                 nla_nest_end(msg, nl_ftypes);
1509         }
1510
1511         nla_nest_end(msg, nl_ifs);
1512
1513         nl_ifs = nla_nest_start(msg, NL80211_ATTR_RX_FRAME_TYPES);
1514         if (!nl_ifs)
1515                 return -ENOBUFS;
1516
1517         for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1518                 nl_ftypes = nla_nest_start(msg, ift);
1519                 if (!nl_ftypes)
1520                         return -ENOBUFS;
1521                 i = 0;
1522                 stypes = mgmt_stypes[ift].rx;
1523                 while (stypes) {
1524                         if ((stypes & 1) &&
1525                             nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1526                                         (i << 4) | IEEE80211_FTYPE_MGMT))
1527                                 return -ENOBUFS;
1528                         stypes >>= 1;
1529                         i++;
1530                 }
1531                 nla_nest_end(msg, nl_ftypes);
1532         }
1533         nla_nest_end(msg, nl_ifs);
1534
1535         return 0;
1536 }
1537
1538 #define CMD(op, n)                                                      \
1539          do {                                                           \
1540                 if (rdev->ops->op) {                                    \
1541                         i++;                                            \
1542                         if (nla_put_u32(msg, i, NL80211_CMD_ ## n))     \
1543                                 goto nla_put_failure;                   \
1544                 }                                                       \
1545         } while (0)
1546
1547 static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
1548                                         struct sk_buff *msg)
1549 {
1550         int i = 0;
1551
1552         /*
1553          * do *NOT* add anything into this function, new things need to be
1554          * advertised only to new versions of userspace that can deal with
1555          * the split (and they can't possibly care about new features...
1556          */
1557         CMD(add_virtual_intf, NEW_INTERFACE);
1558         CMD(change_virtual_intf, SET_INTERFACE);
1559         CMD(add_key, NEW_KEY);
1560         CMD(start_ap, START_AP);
1561         CMD(add_station, NEW_STATION);
1562         CMD(add_mpath, NEW_MPATH);
1563         CMD(update_mesh_config, SET_MESH_CONFIG);
1564         CMD(change_bss, SET_BSS);
1565         CMD(auth, AUTHENTICATE);
1566         CMD(assoc, ASSOCIATE);
1567         CMD(deauth, DEAUTHENTICATE);
1568         CMD(disassoc, DISASSOCIATE);
1569         CMD(join_ibss, JOIN_IBSS);
1570         CMD(join_mesh, JOIN_MESH);
1571         CMD(set_pmksa, SET_PMKSA);
1572         CMD(del_pmksa, DEL_PMKSA);
1573         CMD(flush_pmksa, FLUSH_PMKSA);
1574         if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
1575                 CMD(remain_on_channel, REMAIN_ON_CHANNEL);
1576         CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
1577         CMD(mgmt_tx, FRAME);
1578         CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
1579         if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
1580                 i++;
1581                 if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
1582                         goto nla_put_failure;
1583         }
1584         if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
1585             rdev->ops->join_mesh) {
1586                 i++;
1587                 if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
1588                         goto nla_put_failure;
1589         }
1590         CMD(set_wds_peer, SET_WDS_PEER);
1591         if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
1592                 CMD(tdls_mgmt, TDLS_MGMT);
1593                 CMD(tdls_oper, TDLS_OPER);
1594         }
1595         if (rdev->wiphy.max_sched_scan_reqs)
1596                 CMD(sched_scan_start, START_SCHED_SCAN);
1597         CMD(probe_client, PROBE_CLIENT);
1598         CMD(set_noack_map, SET_NOACK_MAP);
1599         if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
1600                 i++;
1601                 if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
1602                         goto nla_put_failure;
1603         }
1604         CMD(start_p2p_device, START_P2P_DEVICE);
1605         CMD(set_mcast_rate, SET_MCAST_RATE);
1606 #ifdef CONFIG_NL80211_TESTMODE
1607         CMD(testmode_cmd, TESTMODE);
1608 #endif
1609
1610         if (rdev->ops->connect || rdev->ops->auth) {
1611                 i++;
1612                 if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
1613                         goto nla_put_failure;
1614         }
1615
1616         if (rdev->ops->disconnect || rdev->ops->deauth) {
1617                 i++;
1618                 if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
1619                         goto nla_put_failure;
1620         }
1621
1622         return i;
1623  nla_put_failure:
1624         return -ENOBUFS;
1625 }
1626
1627 struct nl80211_dump_wiphy_state {
1628         s64 filter_wiphy;
1629         long start;
1630         long split_start, band_start, chan_start, capa_start;
1631         bool split;
1632 };
1633
1634 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
1635                               enum nl80211_commands cmd,
1636                               struct sk_buff *msg, u32 portid, u32 seq,
1637                               int flags, struct nl80211_dump_wiphy_state *state)
1638 {
1639         void *hdr;
1640         struct nlattr *nl_bands, *nl_band;
1641         struct nlattr *nl_freqs, *nl_freq;
1642         struct nlattr *nl_cmds;
1643         enum nl80211_band band;
1644         struct ieee80211_channel *chan;
1645         int i;
1646         const struct ieee80211_txrx_stypes *mgmt_stypes =
1647                                 rdev->wiphy.mgmt_stypes;
1648         u32 features;
1649
1650         hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
1651         if (!hdr)
1652                 return -ENOBUFS;
1653
1654         if (WARN_ON(!state))
1655                 return -EINVAL;
1656
1657         if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
1658             nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
1659                            wiphy_name(&rdev->wiphy)) ||
1660             nla_put_u32(msg, NL80211_ATTR_GENERATION,
1661                         cfg80211_rdev_list_generation))
1662                 goto nla_put_failure;
1663
1664         if (cmd != NL80211_CMD_NEW_WIPHY)
1665                 goto finish;
1666
1667         switch (state->split_start) {
1668         case 0:
1669                 if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
1670                                rdev->wiphy.retry_short) ||
1671                     nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
1672                                rdev->wiphy.retry_long) ||
1673                     nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
1674                                 rdev->wiphy.frag_threshold) ||
1675                     nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
1676                                 rdev->wiphy.rts_threshold) ||
1677                     nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
1678                                rdev->wiphy.coverage_class) ||
1679                     nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
1680                                rdev->wiphy.max_scan_ssids) ||
1681                     nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
1682                                rdev->wiphy.max_sched_scan_ssids) ||
1683                     nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
1684                                 rdev->wiphy.max_scan_ie_len) ||
1685                     nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
1686                                 rdev->wiphy.max_sched_scan_ie_len) ||
1687                     nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
1688                                rdev->wiphy.max_match_sets) ||
1689                     nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
1690                                 rdev->wiphy.max_sched_scan_plans) ||
1691                     nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
1692                                 rdev->wiphy.max_sched_scan_plan_interval) ||
1693                     nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
1694                                 rdev->wiphy.max_sched_scan_plan_iterations))
1695                         goto nla_put_failure;
1696
1697                 if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
1698                     nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
1699                         goto nla_put_failure;
1700                 if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
1701                     nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
1702                         goto nla_put_failure;
1703                 if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
1704                     nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
1705                         goto nla_put_failure;
1706                 if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
1707                     nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
1708                         goto nla_put_failure;
1709                 if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
1710                     nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
1711                         goto nla_put_failure;
1712                 if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
1713                     nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
1714                         goto nla_put_failure;
1715                 state->split_start++;
1716                 if (state->split)
1717                         break;
1718         case 1:
1719                 if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
1720                             sizeof(u32) * rdev->wiphy.n_cipher_suites,
1721                             rdev->wiphy.cipher_suites))
1722                         goto nla_put_failure;
1723
1724                 if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
1725                                rdev->wiphy.max_num_pmkids))
1726                         goto nla_put_failure;
1727
1728                 if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
1729                     nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
1730                         goto nla_put_failure;
1731
1732                 if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
1733                                 rdev->wiphy.available_antennas_tx) ||
1734                     nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
1735                                 rdev->wiphy.available_antennas_rx))
1736                         goto nla_put_failure;
1737
1738                 if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
1739                     nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
1740                                 rdev->wiphy.probe_resp_offload))
1741                         goto nla_put_failure;
1742
1743                 if ((rdev->wiphy.available_antennas_tx ||
1744                      rdev->wiphy.available_antennas_rx) &&
1745                     rdev->ops->get_antenna) {
1746                         u32 tx_ant = 0, rx_ant = 0;
1747                         int res;
1748
1749                         res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
1750                         if (!res) {
1751                                 if (nla_put_u32(msg,
1752                                                 NL80211_ATTR_WIPHY_ANTENNA_TX,
1753                                                 tx_ant) ||
1754                                     nla_put_u32(msg,
1755                                                 NL80211_ATTR_WIPHY_ANTENNA_RX,
1756                                                 rx_ant))
1757                                         goto nla_put_failure;
1758                         }
1759                 }
1760
1761                 state->split_start++;
1762                 if (state->split)
1763                         break;
1764         case 2:
1765                 if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
1766                                         rdev->wiphy.interface_modes))
1767                                 goto nla_put_failure;
1768                 state->split_start++;
1769                 if (state->split)
1770                         break;
1771         case 3:
1772                 nl_bands = nla_nest_start(msg, NL80211_ATTR_WIPHY_BANDS);
1773                 if (!nl_bands)
1774                         goto nla_put_failure;
1775
1776                 for (band = state->band_start;
1777                      band < NUM_NL80211_BANDS; band++) {
1778                         struct ieee80211_supported_band *sband;
1779
1780                         sband = rdev->wiphy.bands[band];
1781
1782                         if (!sband)
1783                                 continue;
1784
1785                         nl_band = nla_nest_start(msg, band);
1786                         if (!nl_band)
1787                                 goto nla_put_failure;
1788
1789                         switch (state->chan_start) {
1790                         case 0:
1791                                 if (nl80211_send_band_rateinfo(msg, sband))
1792                                         goto nla_put_failure;
1793                                 state->chan_start++;
1794                                 if (state->split)
1795                                         break;
1796                         default:
1797                                 /* add frequencies */
1798                                 nl_freqs = nla_nest_start(
1799                                         msg, NL80211_BAND_ATTR_FREQS);
1800                                 if (!nl_freqs)
1801                                         goto nla_put_failure;
1802
1803                                 for (i = state->chan_start - 1;
1804                                      i < sband->n_channels;
1805                                      i++) {
1806                                         nl_freq = nla_nest_start(msg, i);
1807                                         if (!nl_freq)
1808                                                 goto nla_put_failure;
1809
1810                                         chan = &sband->channels[i];
1811
1812                                         if (nl80211_msg_put_channel(
1813                                                         msg, &rdev->wiphy, chan,
1814                                                         state->split))
1815                                                 goto nla_put_failure;
1816
1817                                         nla_nest_end(msg, nl_freq);
1818                                         if (state->split)
1819                                                 break;
1820                                 }
1821                                 if (i < sband->n_channels)
1822                                         state->chan_start = i + 2;
1823                                 else
1824                                         state->chan_start = 0;
1825                                 nla_nest_end(msg, nl_freqs);
1826                         }
1827
1828                         nla_nest_end(msg, nl_band);
1829
1830                         if (state->split) {
1831                                 /* start again here */
1832                                 if (state->chan_start)
1833                                         band--;
1834                                 break;
1835                         }
1836                 }
1837                 nla_nest_end(msg, nl_bands);
1838
1839                 if (band < NUM_NL80211_BANDS)
1840                         state->band_start = band + 1;
1841                 else
1842                         state->band_start = 0;
1843
1844                 /* if bands & channels are done, continue outside */
1845                 if (state->band_start == 0 && state->chan_start == 0)
1846                         state->split_start++;
1847                 if (state->split)
1848                         break;
1849         case 4:
1850                 nl_cmds = nla_nest_start(msg, NL80211_ATTR_SUPPORTED_COMMANDS);
1851                 if (!nl_cmds)
1852                         goto nla_put_failure;
1853
1854                 i = nl80211_add_commands_unsplit(rdev, msg);
1855                 if (i < 0)
1856                         goto nla_put_failure;
1857                 if (state->split) {
1858                         CMD(crit_proto_start, CRIT_PROTOCOL_START);
1859                         CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
1860                         if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
1861                                 CMD(channel_switch, CHANNEL_SWITCH);
1862                         CMD(set_qos_map, SET_QOS_MAP);
1863                         if (rdev->wiphy.features &
1864                                         NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
1865                                 CMD(add_tx_ts, ADD_TX_TS);
1866                         CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
1867                         CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
1868                 }
1869 #undef CMD
1870
1871                 nla_nest_end(msg, nl_cmds);
1872                 state->split_start++;
1873                 if (state->split)
1874                         break;
1875         case 5:
1876                 if (rdev->ops->remain_on_channel &&
1877                     (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
1878                     nla_put_u32(msg,
1879                                 NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
1880                                 rdev->wiphy.max_remain_on_channel_duration))
1881                         goto nla_put_failure;
1882
1883                 if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
1884                     nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
1885                         goto nla_put_failure;
1886
1887                 if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
1888                         goto nla_put_failure;
1889                 state->split_start++;
1890                 if (state->split)
1891                         break;
1892         case 6:
1893 #ifdef CONFIG_PM
1894                 if (nl80211_send_wowlan(msg, rdev, state->split))
1895                         goto nla_put_failure;
1896                 state->split_start++;
1897                 if (state->split)
1898                         break;
1899 #else
1900                 state->split_start++;
1901 #endif
1902         case 7:
1903                 if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
1904                                         rdev->wiphy.software_iftypes))
1905                         goto nla_put_failure;
1906
1907                 if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
1908                                                    state->split))
1909                         goto nla_put_failure;
1910
1911                 state->split_start++;
1912                 if (state->split)
1913                         break;
1914         case 8:
1915                 if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
1916                     nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
1917                                 rdev->wiphy.ap_sme_capa))
1918                         goto nla_put_failure;
1919
1920                 features = rdev->wiphy.features;
1921                 /*
1922                  * We can only add the per-channel limit information if the
1923                  * dump is split, otherwise it makes it too big. Therefore
1924                  * only advertise it in that case.
1925                  */
1926                 if (state->split)
1927                         features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
1928                 if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
1929                         goto nla_put_failure;
1930
1931                 if (rdev->wiphy.ht_capa_mod_mask &&
1932                     nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
1933                             sizeof(*rdev->wiphy.ht_capa_mod_mask),
1934                             rdev->wiphy.ht_capa_mod_mask))
1935                         goto nla_put_failure;
1936
1937                 if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
1938                     rdev->wiphy.max_acl_mac_addrs &&
1939                     nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
1940                                 rdev->wiphy.max_acl_mac_addrs))
1941                         goto nla_put_failure;
1942
1943                 /*
1944                  * Any information below this point is only available to
1945                  * applications that can deal with it being split. This
1946                  * helps ensure that newly added capabilities don't break
1947                  * older tools by overrunning their buffers.
1948                  *
1949                  * We still increment split_start so that in the split
1950                  * case we'll continue with more data in the next round,
1951                  * but break unconditionally so unsplit data stops here.
1952                  */
1953                 if (state->split)
1954                         state->split_start++;
1955                 else
1956                         state->split_start = 0;
1957                 break;
1958         case 9:
1959                 if (rdev->wiphy.extended_capabilities &&
1960                     (nla_put(msg, NL80211_ATTR_EXT_CAPA,
1961                              rdev->wiphy.extended_capabilities_len,
1962                              rdev->wiphy.extended_capabilities) ||
1963                      nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
1964                              rdev->wiphy.extended_capabilities_len,
1965                              rdev->wiphy.extended_capabilities_mask)))
1966                         goto nla_put_failure;
1967
1968                 if (rdev->wiphy.vht_capa_mod_mask &&
1969                     nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
1970                             sizeof(*rdev->wiphy.vht_capa_mod_mask),
1971                             rdev->wiphy.vht_capa_mod_mask))
1972                         goto nla_put_failure;
1973
1974                 state->split_start++;
1975                 break;
1976         case 10:
1977                 if (nl80211_send_coalesce(msg, rdev))
1978                         goto nla_put_failure;
1979
1980                 if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
1981                     (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
1982                      nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
1983                         goto nla_put_failure;
1984
1985                 if (rdev->wiphy.max_ap_assoc_sta &&
1986                     nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
1987                                 rdev->wiphy.max_ap_assoc_sta))
1988                         goto nla_put_failure;
1989
1990                 state->split_start++;
1991                 break;
1992         case 11:
1993                 if (rdev->wiphy.n_vendor_commands) {
1994                         const struct nl80211_vendor_cmd_info *info;
1995                         struct nlattr *nested;
1996
1997                         nested = nla_nest_start(msg, NL80211_ATTR_VENDOR_DATA);
1998                         if (!nested)
1999                                 goto nla_put_failure;
2000
2001                         for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
2002                                 info = &rdev->wiphy.vendor_commands[i].info;
2003                                 if (nla_put(msg, i + 1, sizeof(*info), info))
2004                                         goto nla_put_failure;
2005                         }
2006                         nla_nest_end(msg, nested);
2007                 }
2008
2009                 if (rdev->wiphy.n_vendor_events) {
2010                         const struct nl80211_vendor_cmd_info *info;
2011                         struct nlattr *nested;
2012
2013                         nested = nla_nest_start(msg,
2014                                                 NL80211_ATTR_VENDOR_EVENTS);
2015                         if (!nested)
2016                                 goto nla_put_failure;
2017
2018                         for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
2019                                 info = &rdev->wiphy.vendor_events[i];
2020                                 if (nla_put(msg, i + 1, sizeof(*info), info))
2021                                         goto nla_put_failure;
2022                         }
2023                         nla_nest_end(msg, nested);
2024                 }
2025                 state->split_start++;
2026                 break;
2027         case 12:
2028                 if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
2029                     nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
2030                                rdev->wiphy.max_num_csa_counters))
2031                         goto nla_put_failure;
2032
2033                 if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
2034                     nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
2035                         goto nla_put_failure;
2036
2037                 if (rdev->wiphy.max_sched_scan_reqs &&
2038                     nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
2039                                 rdev->wiphy.max_sched_scan_reqs))
2040                         goto nla_put_failure;
2041
2042                 if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
2043                             sizeof(rdev->wiphy.ext_features),
2044                             rdev->wiphy.ext_features))
2045                         goto nla_put_failure;
2046
2047                 if (rdev->wiphy.bss_select_support) {
2048                         struct nlattr *nested;
2049                         u32 bss_select_support = rdev->wiphy.bss_select_support;
2050
2051                         nested = nla_nest_start(msg, NL80211_ATTR_BSS_SELECT);
2052                         if (!nested)
2053                                 goto nla_put_failure;
2054
2055                         i = 0;
2056                         while (bss_select_support) {
2057                                 if ((bss_select_support & 1) &&
2058                                     nla_put_flag(msg, i))
2059                                         goto nla_put_failure;
2060                                 i++;
2061                                 bss_select_support >>= 1;
2062                         }
2063                         nla_nest_end(msg, nested);
2064                 }
2065
2066                 state->split_start++;
2067                 break;
2068         case 13:
2069                 if (rdev->wiphy.num_iftype_ext_capab &&
2070                     rdev->wiphy.iftype_ext_capab) {
2071                         struct nlattr *nested_ext_capab, *nested;
2072
2073                         nested = nla_nest_start(msg,
2074                                                 NL80211_ATTR_IFTYPE_EXT_CAPA);
2075                         if (!nested)
2076                                 goto nla_put_failure;
2077
2078                         for (i = state->capa_start;
2079                              i < rdev->wiphy.num_iftype_ext_capab; i++) {
2080                                 const struct wiphy_iftype_ext_capab *capab;
2081
2082                                 capab = &rdev->wiphy.iftype_ext_capab[i];
2083
2084                                 nested_ext_capab = nla_nest_start(msg, i);
2085                                 if (!nested_ext_capab ||
2086                                     nla_put_u32(msg, NL80211_ATTR_IFTYPE,
2087                                                 capab->iftype) ||
2088                                     nla_put(msg, NL80211_ATTR_EXT_CAPA,
2089                                             capab->extended_capabilities_len,
2090                                             capab->extended_capabilities) ||
2091                                     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2092                                             capab->extended_capabilities_len,
2093                                             capab->extended_capabilities_mask))
2094                                         goto nla_put_failure;
2095
2096                                 nla_nest_end(msg, nested_ext_capab);
2097                                 if (state->split)
2098                                         break;
2099                         }
2100                         nla_nest_end(msg, nested);
2101                         if (i < rdev->wiphy.num_iftype_ext_capab) {
2102                                 state->capa_start = i + 1;
2103                                 break;
2104                         }
2105                 }
2106
2107                 if (nla_put_u32(msg, NL80211_ATTR_BANDS,
2108                                 rdev->wiphy.nan_supported_bands))
2109                         goto nla_put_failure;
2110
2111                 if (wiphy_ext_feature_isset(&rdev->wiphy,
2112                                             NL80211_EXT_FEATURE_TXQS)) {
2113                         struct cfg80211_txq_stats txqstats = {};
2114                         int res;
2115
2116                         res = rdev_get_txq_stats(rdev, NULL, &txqstats);
2117                         if (!res &&
2118                             !nl80211_put_txq_stats(msg, &txqstats,
2119                                                    NL80211_ATTR_TXQ_STATS))
2120                                 goto nla_put_failure;
2121
2122                         if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
2123                                         rdev->wiphy.txq_limit))
2124                                 goto nla_put_failure;
2125                         if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
2126                                         rdev->wiphy.txq_memory_limit))
2127                                 goto nla_put_failure;
2128                         if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
2129                                         rdev->wiphy.txq_quantum))
2130                                 goto nla_put_failure;
2131                 }
2132
2133                 /* done */
2134                 state->split_start = 0;
2135                 break;
2136         }
2137  finish:
2138         genlmsg_end(msg, hdr);
2139         return 0;
2140
2141  nla_put_failure:
2142         genlmsg_cancel(msg, hdr);
2143         return -EMSGSIZE;
2144 }
2145
2146 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
2147                                     struct netlink_callback *cb,
2148                                     struct nl80211_dump_wiphy_state *state)
2149 {
2150         struct nlattr **tb = genl_family_attrbuf(&nl80211_fam);
2151         int ret = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize, tb,
2152                               nl80211_fam.maxattr, nl80211_policy, NULL);
2153         /* ignore parse errors for backward compatibility */
2154         if (ret)
2155                 return 0;
2156
2157         state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
2158         if (tb[NL80211_ATTR_WIPHY])
2159                 state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
2160         if (tb[NL80211_ATTR_WDEV])
2161                 state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
2162         if (tb[NL80211_ATTR_IFINDEX]) {
2163                 struct net_device *netdev;
2164                 struct cfg80211_registered_device *rdev;
2165                 int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
2166
2167                 netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
2168                 if (!netdev)
2169                         return -ENODEV;
2170                 if (netdev->ieee80211_ptr) {
2171                         rdev = wiphy_to_rdev(
2172                                 netdev->ieee80211_ptr->wiphy);
2173                         state->filter_wiphy = rdev->wiphy_idx;
2174                 }
2175         }
2176
2177         return 0;
2178 }
2179
2180 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
2181 {
2182         int idx = 0, ret;
2183         struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
2184         struct cfg80211_registered_device *rdev;
2185
2186         rtnl_lock();
2187         if (!state) {
2188                 state = kzalloc(sizeof(*state), GFP_KERNEL);
2189                 if (!state) {
2190                         rtnl_unlock();
2191                         return -ENOMEM;
2192                 }
2193                 state->filter_wiphy = -1;
2194                 ret = nl80211_dump_wiphy_parse(skb, cb, state);
2195                 if (ret) {
2196                         kfree(state);
2197                         rtnl_unlock();
2198                         return ret;
2199                 }
2200                 cb->args[0] = (long)state;
2201         }
2202
2203         list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
2204                 if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
2205                         continue;
2206                 if (++idx <= state->start)
2207                         continue;
2208                 if (state->filter_wiphy != -1 &&
2209                     state->filter_wiphy != rdev->wiphy_idx)
2210                         continue;
2211                 /* attempt to fit multiple wiphy data chunks into the skb */
2212                 do {
2213                         ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
2214                                                  skb,
2215                                                  NETLINK_CB(cb->skb).portid,
2216                                                  cb->nlh->nlmsg_seq,
2217                                                  NLM_F_MULTI, state);
2218                         if (ret < 0) {
2219                                 /*
2220                                  * If sending the wiphy data didn't fit (ENOBUFS
2221                                  * or EMSGSIZE returned), this SKB is still
2222                                  * empty (so it's not too big because another
2223                                  * wiphy dataset is already in the skb) and
2224                                  * we've not tried to adjust the dump allocation
2225                                  * yet ... then adjust the alloc size to be
2226                                  * bigger, and return 1 but with the empty skb.
2227                                  * This results in an empty message being RX'ed
2228                                  * in userspace, but that is ignored.
2229                                  *
2230                                  * We can then retry with the larger buffer.
2231                                  */
2232                                 if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
2233                                     !skb->len && !state->split &&
2234                                     cb->min_dump_alloc < 4096) {
2235                                         cb->min_dump_alloc = 4096;
2236                                         state->split_start = 0;
2237                                         rtnl_unlock();
2238                                         return 1;
2239                                 }
2240                                 idx--;
2241                                 break;
2242                         }
2243                 } while (state->split_start > 0);
2244                 break;
2245         }
2246         rtnl_unlock();
2247
2248         state->start = idx;
2249
2250         return skb->len;
2251 }
2252
2253 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
2254 {
2255         kfree((void *)cb->args[0]);
2256         return 0;
2257 }
2258
2259 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
2260 {
2261         struct sk_buff *msg;
2262         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2263         struct nl80211_dump_wiphy_state state = {};
2264
2265         msg = nlmsg_new(4096, GFP_KERNEL);
2266         if (!msg)
2267                 return -ENOMEM;
2268
2269         if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
2270                                info->snd_portid, info->snd_seq, 0,
2271                                &state) < 0) {
2272                 nlmsg_free(msg);
2273                 return -ENOBUFS;
2274         }
2275
2276         return genlmsg_reply(msg, info);
2277 }
2278
2279 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
2280         [NL80211_TXQ_ATTR_QUEUE]                = { .type = NLA_U8 },
2281         [NL80211_TXQ_ATTR_TXOP]                 = { .type = NLA_U16 },
2282         [NL80211_TXQ_ATTR_CWMIN]                = { .type = NLA_U16 },
2283         [NL80211_TXQ_ATTR_CWMAX]                = { .type = NLA_U16 },
2284         [NL80211_TXQ_ATTR_AIFS]                 = { .type = NLA_U8 },
2285 };
2286
2287 static int parse_txq_params(struct nlattr *tb[],
2288                             struct ieee80211_txq_params *txq_params)
2289 {
2290         u8 ac;
2291
2292         if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
2293             !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
2294             !tb[NL80211_TXQ_ATTR_AIFS])
2295                 return -EINVAL;
2296
2297         ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
2298         txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
2299         txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
2300         txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
2301         txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
2302
2303         if (ac >= NL80211_NUM_ACS)
2304                 return -EINVAL;
2305         txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
2306         return 0;
2307 }
2308
2309 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
2310 {
2311         /*
2312          * You can only set the channel explicitly for WDS interfaces,
2313          * all others have their channel managed via their respective
2314          * "establish a connection" command (connect, join, ...)
2315          *
2316          * For AP/GO and mesh mode, the channel can be set with the
2317          * channel userspace API, but is only stored and passed to the
2318          * low-level driver when the AP starts or the mesh is joined.
2319          * This is for backward compatibility, userspace can also give
2320          * the channel in the start-ap or join-mesh commands instead.
2321          *
2322          * Monitors are special as they are normally slaved to
2323          * whatever else is going on, so they have their own special
2324          * operation to set the monitor channel if possible.
2325          */
2326         return !wdev ||
2327                 wdev->iftype == NL80211_IFTYPE_AP ||
2328                 wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
2329                 wdev->iftype == NL80211_IFTYPE_MONITOR ||
2330                 wdev->iftype == NL80211_IFTYPE_P2P_GO;
2331 }
2332
2333 static int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
2334                                  struct genl_info *info,
2335                                  struct cfg80211_chan_def *chandef)
2336 {
2337         u32 control_freq;
2338
2339         if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
2340                 return -EINVAL;
2341
2342         control_freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]);
2343
2344         memset(chandef, 0, sizeof(*chandef));
2345
2346         chandef->chan = ieee80211_get_channel(&rdev->wiphy, control_freq);
2347         chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
2348         chandef->center_freq1 = control_freq;
2349         chandef->center_freq2 = 0;
2350
2351         /* Primary channel not allowed */
2352         if (!chandef->chan || chandef->chan->flags & IEEE80211_CHAN_DISABLED)
2353                 return -EINVAL;
2354
2355         if (info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
2356                 enum nl80211_channel_type chantype;
2357
2358                 chantype = nla_get_u32(
2359                                 info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
2360
2361                 switch (chantype) {
2362                 case NL80211_CHAN_NO_HT:
2363                 case NL80211_CHAN_HT20:
2364                 case NL80211_CHAN_HT40PLUS:
2365                 case NL80211_CHAN_HT40MINUS:
2366                         cfg80211_chandef_create(chandef, chandef->chan,
2367                                                 chantype);
2368                         /* user input for center_freq is incorrect */
2369                         if (info->attrs[NL80211_ATTR_CENTER_FREQ1] &&
2370                             chandef->center_freq1 != nla_get_u32(
2371                                         info->attrs[NL80211_ATTR_CENTER_FREQ1]))
2372                                 return -EINVAL;
2373                         /* center_freq2 must be zero */
2374                         if (info->attrs[NL80211_ATTR_CENTER_FREQ2] &&
2375                             nla_get_u32(info->attrs[NL80211_ATTR_CENTER_FREQ2]))
2376                                 return -EINVAL;
2377                         break;
2378                 default:
2379                         return -EINVAL;
2380                 }
2381         } else if (info->attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
2382                 chandef->width =
2383                         nla_get_u32(info->attrs[NL80211_ATTR_CHANNEL_WIDTH]);
2384                 if (info->attrs[NL80211_ATTR_CENTER_FREQ1])
2385                         chandef->center_freq1 =
2386                                 nla_get_u32(
2387                                         info->attrs[NL80211_ATTR_CENTER_FREQ1]);
2388                 if (info->attrs[NL80211_ATTR_CENTER_FREQ2])
2389                         chandef->center_freq2 =
2390                                 nla_get_u32(
2391                                         info->attrs[NL80211_ATTR_CENTER_FREQ2]);
2392         }
2393
2394         if (!cfg80211_chandef_valid(chandef))
2395                 return -EINVAL;
2396
2397         if (!cfg80211_chandef_usable(&rdev->wiphy, chandef,
2398                                      IEEE80211_CHAN_DISABLED))
2399                 return -EINVAL;
2400
2401         if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
2402              chandef->width == NL80211_CHAN_WIDTH_10) &&
2403             !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ))
2404                 return -EINVAL;
2405
2406         return 0;
2407 }
2408
2409 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
2410                                  struct net_device *dev,
2411                                  struct genl_info *info)
2412 {
2413         struct cfg80211_chan_def chandef;
2414         int result;
2415         enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
2416         struct wireless_dev *wdev = NULL;
2417
2418         if (dev)
2419                 wdev = dev->ieee80211_ptr;
2420         if (!nl80211_can_set_dev_channel(wdev))
2421                 return -EOPNOTSUPP;
2422         if (wdev)
2423                 iftype = wdev->iftype;
2424
2425         result = nl80211_parse_chandef(rdev, info, &chandef);
2426         if (result)
2427                 return result;
2428
2429         switch (iftype) {
2430         case NL80211_IFTYPE_AP:
2431         case NL80211_IFTYPE_P2P_GO:
2432                 if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
2433                                                    iftype)) {
2434                         result = -EINVAL;
2435                         break;
2436                 }
2437                 if (wdev->beacon_interval) {
2438                         if (!dev || !rdev->ops->set_ap_chanwidth ||
2439                             !(rdev->wiphy.features &
2440                               NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE)) {
2441                                 result = -EBUSY;
2442                                 break;
2443                         }
2444
2445                         /* Only allow dynamic channel width changes */
2446                         if (chandef.chan != wdev->preset_chandef.chan) {
2447                                 result = -EBUSY;
2448                                 break;
2449                         }
2450                         result = rdev_set_ap_chanwidth(rdev, dev, &chandef);
2451                         if (result)
2452                                 break;
2453                 }
2454                 wdev->preset_chandef = chandef;
2455                 result = 0;
2456                 break;
2457         case NL80211_IFTYPE_MESH_POINT:
2458                 result = cfg80211_set_mesh_channel(rdev, wdev, &chandef);
2459                 break;
2460         case NL80211_IFTYPE_MONITOR:
2461                 result = cfg80211_set_monitor_channel(rdev, &chandef);
2462                 break;
2463         default:
2464                 result = -EINVAL;
2465         }
2466
2467         return result;
2468 }
2469
2470 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
2471 {
2472         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2473         struct net_device *netdev = info->user_ptr[1];
2474
2475         return __nl80211_set_channel(rdev, netdev, info);
2476 }
2477
2478 static int nl80211_set_wds_peer(struct sk_buff *skb, struct genl_info *info)
2479 {
2480         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2481         struct net_device *dev = info->user_ptr[1];
2482         struct wireless_dev *wdev = dev->ieee80211_ptr;
2483         const u8 *bssid;
2484
2485         if (!info->attrs[NL80211_ATTR_MAC])
2486                 return -EINVAL;
2487
2488         if (netif_running(dev))
2489                 return -EBUSY;
2490
2491         if (!rdev->ops->set_wds_peer)
2492                 return -EOPNOTSUPP;
2493
2494         if (wdev->iftype != NL80211_IFTYPE_WDS)
2495                 return -EOPNOTSUPP;
2496
2497         bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
2498         return rdev_set_wds_peer(rdev, dev, bssid);
2499 }
2500
2501 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
2502 {
2503         struct cfg80211_registered_device *rdev;
2504         struct net_device *netdev = NULL;
2505         struct wireless_dev *wdev;
2506         int result = 0, rem_txq_params = 0;
2507         struct nlattr *nl_txq_params;
2508         u32 changed;
2509         u8 retry_short = 0, retry_long = 0;
2510         u32 frag_threshold = 0, rts_threshold = 0;
2511         u8 coverage_class = 0;
2512         u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
2513
2514         ASSERT_RTNL();
2515
2516         /*
2517          * Try to find the wiphy and netdev. Normally this
2518          * function shouldn't need the netdev, but this is
2519          * done for backward compatibility -- previously
2520          * setting the channel was done per wiphy, but now
2521          * it is per netdev. Previous userland like hostapd
2522          * also passed a netdev to set_wiphy, so that it is
2523          * possible to let that go to the right netdev!
2524          */
2525
2526         if (info->attrs[NL80211_ATTR_IFINDEX]) {
2527                 int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
2528
2529                 netdev = __dev_get_by_index(genl_info_net(info), ifindex);
2530                 if (netdev && netdev->ieee80211_ptr)
2531                         rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
2532                 else
2533                         netdev = NULL;
2534         }
2535
2536         if (!netdev) {
2537                 rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
2538                                                   info->attrs);
2539                 if (IS_ERR(rdev))
2540                         return PTR_ERR(rdev);
2541                 wdev = NULL;
2542                 netdev = NULL;
2543                 result = 0;
2544         } else
2545                 wdev = netdev->ieee80211_ptr;
2546
2547         /*
2548          * end workaround code, by now the rdev is available
2549          * and locked, and wdev may or may not be NULL.
2550          */
2551
2552         if (info->attrs[NL80211_ATTR_WIPHY_NAME])
2553                 result = cfg80211_dev_rename(
2554                         rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
2555
2556         if (result)
2557                 return result;
2558
2559         if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
2560                 struct ieee80211_txq_params txq_params;
2561                 struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
2562
2563                 if (!rdev->ops->set_txq_params)
2564                         return -EOPNOTSUPP;
2565
2566                 if (!netdev)
2567                         return -EINVAL;
2568
2569                 if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
2570                     netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
2571                         return -EINVAL;
2572
2573                 if (!netif_running(netdev))
2574                         return -ENETDOWN;
2575
2576                 nla_for_each_nested(nl_txq_params,
2577                                     info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
2578                                     rem_txq_params) {
2579                         result = nla_parse_nested(tb, NL80211_TXQ_ATTR_MAX,
2580                                                   nl_txq_params,
2581                                                   txq_params_policy,
2582                                                   info->extack);
2583                         if (result)
2584                                 return result;
2585                         result = parse_txq_params(tb, &txq_params);
2586                         if (result)
2587                                 return result;
2588
2589                         result = rdev_set_txq_params(rdev, netdev,
2590                                                      &txq_params);
2591                         if (result)
2592                                 return result;
2593                 }
2594         }
2595
2596         if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
2597                 result = __nl80211_set_channel(
2598                         rdev,
2599                         nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
2600                         info);
2601                 if (result)
2602                         return result;
2603         }
2604
2605         if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
2606                 struct wireless_dev *txp_wdev = wdev;
2607                 enum nl80211_tx_power_setting type;
2608                 int idx, mbm = 0;
2609
2610                 if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
2611                         txp_wdev = NULL;
2612
2613                 if (!rdev->ops->set_tx_power)
2614                         return -EOPNOTSUPP;
2615
2616                 idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
2617                 type = nla_get_u32(info->attrs[idx]);
2618
2619                 if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
2620                     (type != NL80211_TX_POWER_AUTOMATIC))
2621                         return -EINVAL;
2622
2623                 if (type != NL80211_TX_POWER_AUTOMATIC) {
2624                         idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
2625                         mbm = nla_get_u32(info->attrs[idx]);
2626                 }
2627
2628                 result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
2629                 if (result)
2630                         return result;
2631         }
2632
2633         if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
2634             info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
2635                 u32 tx_ant, rx_ant;
2636
2637                 if ((!rdev->wiphy.available_antennas_tx &&
2638                      !rdev->wiphy.available_antennas_rx) ||
2639                     !rdev->ops->set_antenna)
2640                         return -EOPNOTSUPP;
2641
2642                 tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
2643                 rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
2644
2645                 /* reject antenna configurations which don't match the
2646                  * available antenna masks, except for the "all" mask */
2647                 if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
2648                     (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx)))
2649                         return -EINVAL;
2650
2651                 tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
2652                 rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
2653
2654                 result = rdev_set_antenna(rdev, tx_ant, rx_ant);
2655                 if (result)
2656                         return result;
2657         }
2658
2659         changed = 0;
2660
2661         if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
2662                 retry_short = nla_get_u8(
2663                         info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
2664                 if (retry_short == 0)
2665                         return -EINVAL;
2666
2667                 changed |= WIPHY_PARAM_RETRY_SHORT;
2668         }
2669
2670         if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
2671                 retry_long = nla_get_u8(
2672                         info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
2673                 if (retry_long == 0)
2674                         return -EINVAL;
2675
2676                 changed |= WIPHY_PARAM_RETRY_LONG;
2677         }
2678
2679         if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
2680                 frag_threshold = nla_get_u32(
2681                         info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
2682                 if (frag_threshold < 256)
2683                         return -EINVAL;
2684
2685                 if (frag_threshold != (u32) -1) {
2686                         /*
2687                          * Fragments (apart from the last one) are required to
2688                          * have even length. Make the fragmentation code
2689                          * simpler by stripping LSB should someone try to use
2690                          * odd threshold value.
2691                          */
2692                         frag_threshold &= ~0x1;
2693                 }
2694                 changed |= WIPHY_PARAM_FRAG_THRESHOLD;
2695         }
2696
2697         if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
2698                 rts_threshold = nla_get_u32(
2699                         info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
2700                 changed |= WIPHY_PARAM_RTS_THRESHOLD;
2701         }
2702
2703         if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
2704                 if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK])
2705                         return -EINVAL;
2706
2707                 coverage_class = nla_get_u8(
2708                         info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
2709                 changed |= WIPHY_PARAM_COVERAGE_CLASS;
2710         }
2711
2712         if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
2713                 if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION))
2714                         return -EOPNOTSUPP;
2715
2716                 changed |= WIPHY_PARAM_DYN_ACK;
2717         }
2718
2719         if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
2720                 if (!wiphy_ext_feature_isset(&rdev->wiphy,
2721                                              NL80211_EXT_FEATURE_TXQS))
2722                         return -EOPNOTSUPP;
2723                 txq_limit = nla_get_u32(
2724                         info->attrs[NL80211_ATTR_TXQ_LIMIT]);
2725                 changed |= WIPHY_PARAM_TXQ_LIMIT;
2726         }
2727
2728         if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
2729                 if (!wiphy_ext_feature_isset(&rdev->wiphy,
2730                                              NL80211_EXT_FEATURE_TXQS))
2731                         return -EOPNOTSUPP;
2732                 txq_memory_limit = nla_get_u32(
2733                         info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
2734                 changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
2735         }
2736
2737         if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
2738                 if (!wiphy_ext_feature_isset(&rdev->wiphy,
2739                                              NL80211_EXT_FEATURE_TXQS))
2740                         return -EOPNOTSUPP;
2741                 txq_quantum = nla_get_u32(
2742                         info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
2743                 changed |= WIPHY_PARAM_TXQ_QUANTUM;
2744         }
2745
2746         if (changed) {
2747                 u8 old_retry_short, old_retry_long;
2748                 u32 old_frag_threshold, old_rts_threshold;
2749                 u8 old_coverage_class;
2750                 u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
2751
2752                 if (!rdev->ops->set_wiphy_params)
2753                         return -EOPNOTSUPP;
2754
2755                 old_retry_short = rdev->wiphy.retry_short;
2756                 old_retry_long = rdev->wiphy.retry_long;
2757                 old_frag_threshold = rdev->wiphy.frag_threshold;
2758                 old_rts_threshold = rdev->wiphy.rts_threshold;
2759                 old_coverage_class = rdev->wiphy.coverage_class;
2760                 old_txq_limit = rdev->wiphy.txq_limit;
2761                 old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
2762                 old_txq_quantum = rdev->wiphy.txq_quantum;
2763
2764                 if (changed & WIPHY_PARAM_RETRY_SHORT)
2765                         rdev->wiphy.retry_short = retry_short;
2766                 if (changed & WIPHY_PARAM_RETRY_LONG)
2767                         rdev->wiphy.retry_long = retry_long;
2768                 if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
2769                         rdev->wiphy.frag_threshold = frag_threshold;
2770                 if (changed & WIPHY_PARAM_RTS_THRESHOLD)
2771                         rdev->wiphy.rts_threshold = rts_threshold;
2772                 if (changed & WIPHY_PARAM_COVERAGE_CLASS)
2773                         rdev->wiphy.coverage_class = coverage_class;
2774                 if (changed & WIPHY_PARAM_TXQ_LIMIT)
2775                         rdev->wiphy.txq_limit = txq_limit;
2776                 if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
2777                         rdev->wiphy.txq_memory_limit = txq_memory_limit;
2778                 if (changed & WIPHY_PARAM_TXQ_QUANTUM)
2779                         rdev->wiphy.txq_quantum = txq_quantum;
2780
2781                 result = rdev_set_wiphy_params(rdev, changed);
2782                 if (result) {
2783                         rdev->wiphy.retry_short = old_retry_short;
2784                         rdev->wiphy.retry_long = old_retry_long;
2785                         rdev->wiphy.frag_threshold = old_frag_threshold;
2786                         rdev->wiphy.rts_threshold = old_rts_threshold;
2787                         rdev->wiphy.coverage_class = old_coverage_class;
2788                         rdev->wiphy.txq_limit = old_txq_limit;
2789                         rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
2790                         rdev->wiphy.txq_quantum = old_txq_quantum;
2791                         return result;
2792                 }
2793         }
2794         return 0;
2795 }
2796
2797 static inline u64 wdev_id(struct wireless_dev *wdev)
2798 {
2799         return (u64)wdev->identifier |
2800                ((u64)wiphy_to_rdev(wdev->wiphy)->wiphy_idx << 32);
2801 }
2802
2803 static int nl80211_send_chandef(struct sk_buff *msg,
2804                                 const struct cfg80211_chan_def *chandef)
2805 {
2806         if (WARN_ON(!cfg80211_chandef_valid(chandef)))
2807                 return -EINVAL;
2808
2809         if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
2810                         chandef->chan->center_freq))
2811                 return -ENOBUFS;
2812         switch (chandef->width) {
2813         case NL80211_CHAN_WIDTH_20_NOHT:
2814         case NL80211_CHAN_WIDTH_20:
2815         case NL80211_CHAN_WIDTH_40:
2816                 if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
2817                                 cfg80211_get_chandef_type(chandef)))
2818                         return -ENOBUFS;
2819                 break;
2820         default:
2821                 break;
2822         }
2823         if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
2824                 return -ENOBUFS;
2825         if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
2826                 return -ENOBUFS;
2827         if (chandef->center_freq2 &&
2828             nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
2829                 return -ENOBUFS;
2830         return 0;
2831 }
2832
2833 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
2834                               struct cfg80211_registered_device *rdev,
2835                               struct wireless_dev *wdev, bool removal)
2836 {
2837         struct net_device *dev = wdev->netdev;
2838         u8 cmd = NL80211_CMD_NEW_INTERFACE;
2839         void *hdr;
2840
2841         if (removal)
2842                 cmd = NL80211_CMD_DEL_INTERFACE;
2843
2844         hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2845         if (!hdr)
2846                 return -1;
2847
2848         if (dev &&
2849             (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
2850              nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
2851                 goto nla_put_failure;
2852
2853         if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2854             nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
2855             nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
2856                               NL80211_ATTR_PAD) ||
2857             nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
2858             nla_put_u32(msg, NL80211_ATTR_GENERATION,
2859                         rdev->devlist_generation ^
2860                         (cfg80211_rdev_list_generation << 2)) ||
2861             nla_put_u8(msg, NL80211_ATTR_4ADDR, wdev->use_4addr))
2862                 goto nla_put_failure;
2863
2864         if (rdev->ops->get_channel) {
2865                 int ret;
2866                 struct cfg80211_chan_def chandef = {};
2867
2868                 ret = rdev_get_channel(rdev, wdev, &chandef);
2869                 if (ret == 0) {
2870                         if (nl80211_send_chandef(msg, &chandef))
2871                                 goto nla_put_failure;
2872                 }
2873         }
2874
2875         if (rdev->ops->get_tx_power) {
2876                 int dbm, ret;
2877
2878                 ret = rdev_get_tx_power(rdev, wdev, &dbm);
2879                 if (ret == 0 &&
2880                     nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
2881                                 DBM_TO_MBM(dbm)))
2882                         goto nla_put_failure;
2883         }
2884
2885         wdev_lock(wdev);
2886         switch (wdev->iftype) {
2887         case NL80211_IFTYPE_AP:
2888                 if (wdev->ssid_len &&
2889                     nla_put(msg, NL80211_ATTR_SSID, wdev->ssid_len, wdev->ssid))
2890                         goto nla_put_failure_locked;
2891                 break;
2892         case NL80211_IFTYPE_STATION:
2893         case NL80211_IFTYPE_P2P_CLIENT:
2894         case NL80211_IFTYPE_ADHOC: {
2895                 const u8 *ssid_ie;
2896                 if (!wdev->current_bss)
2897                         break;
2898                 rcu_read_lock();
2899                 ssid_ie = ieee80211_bss_get_ie(&wdev->current_bss->pub,
2900                                                WLAN_EID_SSID);
2901                 if (ssid_ie &&
2902                     nla_put(msg, NL80211_ATTR_SSID, ssid_ie[1], ssid_ie + 2))
2903                         goto nla_put_failure_rcu_locked;
2904                 rcu_read_unlock();
2905                 break;
2906                 }
2907         default:
2908                 /* nothing */
2909                 break;
2910         }
2911         wdev_unlock(wdev);
2912
2913         if (rdev->ops->get_txq_stats) {
2914                 struct cfg80211_txq_stats txqstats = {};
2915                 int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);
2916
2917                 if (ret == 0 &&
2918                     !nl80211_put_txq_stats(msg, &txqstats,
2919                                            NL80211_ATTR_TXQ_STATS))
2920                         goto nla_put_failure;
2921         }
2922
2923         genlmsg_end(msg, hdr);
2924         return 0;
2925
2926  nla_put_failure_rcu_locked:
2927         rcu_read_unlock();
2928  nla_put_failure_locked:
2929         wdev_unlock(wdev);
2930  nla_put_failure:
2931         genlmsg_cancel(msg, hdr);
2932         return -EMSGSIZE;
2933 }
2934
2935 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
2936 {
2937         int wp_idx = 0;
2938         int if_idx = 0;
2939         int wp_start = cb->args[0];
2940         int if_start = cb->args[1];
2941         int filter_wiphy = -1;
2942         struct cfg80211_registered_device *rdev;
2943         struct wireless_dev *wdev;
2944         int ret;
2945
2946         rtnl_lock();
2947         if (!cb->args[2]) {
2948                 struct nl80211_dump_wiphy_state state = {
2949                         .filter_wiphy = -1,
2950                 };
2951
2952                 ret = nl80211_dump_wiphy_parse(skb, cb, &state);
2953                 if (ret)
2954                         goto out_unlock;
2955
2956                 filter_wiphy = state.filter_wiphy;
2957
2958                 /*
2959                  * if filtering, set cb->args[2] to +1 since 0 is the default
2960                  * value needed to determine that parsing is necessary.
2961                  */
2962                 if (filter_wiphy >= 0)
2963                         cb->args[2] = filter_wiphy + 1;
2964                 else
2965                         cb->args[2] = -1;
2966         } else if (cb->args[2] > 0) {
2967                 filter_wiphy = cb->args[2] - 1;
2968         }
2969
2970         list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
2971                 if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
2972                         continue;
2973                 if (wp_idx < wp_start) {
2974                         wp_idx++;
2975                         continue;
2976                 }
2977
2978                 if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
2979                         continue;
2980
2981                 if_idx = 0;
2982
2983                 list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
2984                         if (if_idx < if_start) {
2985                                 if_idx++;
2986                                 continue;
2987                         }
2988                         if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
2989                                                cb->nlh->nlmsg_seq, NLM_F_MULTI,
2990                                                rdev, wdev, false) < 0) {
2991                                 goto out;
2992                         }
2993                         if_idx++;
2994                 }
2995
2996                 wp_idx++;
2997         }
2998  out:
2999         cb->args[0] = wp_idx;
3000         cb->args[1] = if_idx;
3001
3002         ret = skb->len;
3003  out_unlock:
3004         rtnl_unlock();
3005
3006         return ret;
3007 }
3008
3009 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
3010 {
3011         struct sk_buff *msg;
3012         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3013         struct wireless_dev *wdev = info->user_ptr[1];
3014
3015         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3016         if (!msg)
3017                 return -ENOMEM;
3018
3019         if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
3020                                rdev, wdev, false) < 0) {
3021                 nlmsg_free(msg);
3022                 return -ENOBUFS;
3023         }
3024
3025         return genlmsg_reply(msg, info);
3026 }
3027
3028 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
3029         [NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
3030         [NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
3031         [NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
3032         [NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
3033         [NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
3034         [NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
3035 };
3036
3037 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
3038 {
3039         struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
3040         int flag;
3041
3042         *mntrflags = 0;
3043
3044         if (!nla)
3045                 return -EINVAL;
3046
3047         if (nla_parse_nested(flags, NL80211_MNTR_FLAG_MAX, nla,
3048                              mntr_flags_policy, NULL))
3049                 return -EINVAL;
3050
3051         for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
3052                 if (flags[flag])
3053                         *mntrflags |= (1<<flag);
3054
3055         *mntrflags |= MONITOR_FLAG_CHANGED;
3056
3057         return 0;
3058 }
3059
3060 static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
3061                                      enum nl80211_iftype type,
3062                                      struct genl_info *info,
3063                                      struct vif_params *params)
3064 {
3065         bool change = false;
3066         int err;
3067
3068         if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
3069                 if (type != NL80211_IFTYPE_MONITOR)
3070                         return -EINVAL;
3071
3072                 err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
3073                                           &params->flags);
3074                 if (err)
3075                         return err;
3076
3077                 change = true;
3078         }
3079
3080         if (params->flags & MONITOR_FLAG_ACTIVE &&
3081             !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
3082                 return -EOPNOTSUPP;
3083
3084         if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
3085                 const u8 *mumimo_groups;
3086                 u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
3087
3088                 if (type != NL80211_IFTYPE_MONITOR)
3089                         return -EINVAL;
3090
3091                 if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
3092                         return -EOPNOTSUPP;
3093
3094                 mumimo_groups =
3095                         nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
3096
3097                 /* bits 0 and 63 are reserved and must be zero */
3098                 if ((mumimo_groups[0] & BIT(0)) ||
3099                     (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
3100                         return -EINVAL;
3101
3102                 params->vht_mumimo_groups = mumimo_groups;
3103                 change = true;
3104         }
3105
3106         if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
3107                 u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
3108
3109                 if (type != NL80211_IFTYPE_MONITOR)
3110                         return -EINVAL;
3111
3112                 if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
3113                         return -EOPNOTSUPP;
3114
3115                 params->vht_mumimo_follow_addr =
3116                         nla_data(info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]);
3117                 change = true;
3118         }
3119
3120         return change ? 1 : 0;
3121 }
3122
3123 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
3124                                struct net_device *netdev, u8 use_4addr,
3125                                enum nl80211_iftype iftype)
3126 {
3127         if (!use_4addr) {
3128                 if (netdev && (netdev->priv_flags & IFF_BRIDGE_PORT))
3129                         return -EBUSY;
3130                 return 0;
3131         }
3132
3133         switch (iftype) {
3134         case NL80211_IFTYPE_AP_VLAN:
3135                 if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
3136                         return 0;
3137                 break;
3138         case NL80211_IFTYPE_STATION:
3139                 if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
3140                         return 0;
3141                 break;
3142         default:
3143                 break;
3144         }
3145
3146         return -EOPNOTSUPP;
3147 }
3148
3149 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
3150 {
3151         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3152         struct vif_params params;
3153         int err;
3154         enum nl80211_iftype otype, ntype;
3155         struct net_device *dev = info->user_ptr[1];
3156         bool change = false;
3157
3158         memset(&params, 0, sizeof(params));
3159
3160         otype = ntype = dev->ieee80211_ptr->iftype;
3161
3162         if (info->attrs[NL80211_ATTR_IFTYPE]) {
3163                 ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
3164                 if (otype != ntype)
3165                         change = true;
3166                 if (ntype > NL80211_IFTYPE_MAX)
3167                         return -EINVAL;
3168         }
3169
3170         if (info->attrs[NL80211_ATTR_MESH_ID]) {
3171                 struct wireless_dev *wdev = dev->ieee80211_ptr;
3172
3173                 if (ntype != NL80211_IFTYPE_MESH_POINT)
3174                         return -EINVAL;
3175                 if (netif_running(dev))
3176                         return -EBUSY;
3177
3178                 wdev_lock(wdev);
3179                 BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
3180                              IEEE80211_MAX_MESH_ID_LEN);
3181                 wdev->mesh_id_up_len =
3182                         nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
3183                 memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
3184                        wdev->mesh_id_up_len);
3185                 wdev_unlock(wdev);
3186         }
3187
3188         if (info->attrs[NL80211_ATTR_4ADDR]) {
3189                 params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
3190                 change = true;
3191                 err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
3192                 if (err)
3193                         return err;
3194         } else {
3195                 params.use_4addr = -1;
3196         }
3197
3198         err = nl80211_parse_mon_options(rdev, ntype, info, &params);
3199         if (err < 0)
3200                 return err;
3201         if (err > 0)
3202                 change = true;
3203
3204         if (change)
3205                 err = cfg80211_change_iface(rdev, dev, ntype, &params);
3206         else
3207                 err = 0;
3208
3209         if (!err && params.use_4addr != -1)
3210                 dev->ieee80211_ptr->use_4addr = params.use_4addr;
3211
3212         return err;
3213 }
3214
3215 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
3216 {
3217         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3218         struct vif_params params;
3219         struct wireless_dev *wdev;
3220         struct sk_buff *msg;
3221         int err;
3222         enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
3223
3224         /* to avoid failing a new interface creation due to pending removal */
3225         cfg80211_destroy_ifaces(rdev);
3226
3227         memset(&params, 0, sizeof(params));
3228
3229         if (!info->attrs[NL80211_ATTR_IFNAME])
3230                 return -EINVAL;
3231
3232         if (info->attrs[NL80211_ATTR_IFTYPE]) {
3233                 type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
3234                 if (type > NL80211_IFTYPE_MAX)
3235                         return -EINVAL;
3236         }
3237
3238         if (!rdev->ops->add_virtual_intf)
3239                 return -EOPNOTSUPP;
3240
3241         if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
3242              rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
3243             info->attrs[NL80211_ATTR_MAC]) {
3244                 nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
3245                            ETH_ALEN);
3246                 if (!is_valid_ether_addr(params.macaddr))
3247                         return -EADDRNOTAVAIL;
3248         }
3249
3250         if (info->attrs[NL80211_ATTR_4ADDR]) {
3251                 params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
3252                 err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
3253                 if (err)
3254                         return err;
3255         }
3256
3257         if (!cfg80211_iftype_allowed(&rdev->wiphy, type, params.use_4addr, 0))
3258                 return -EOPNOTSUPP;
3259
3260         err = nl80211_parse_mon_options(rdev, type, info, &params);
3261         if (err < 0)
3262                 return err;
3263
3264         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3265         if (!msg)
3266                 return -ENOMEM;
3267
3268         wdev = rdev_add_virtual_intf(rdev,
3269                                 nla_data(info->attrs[NL80211_ATTR_IFNAME]),
3270                                 NET_NAME_USER, type, &params);
3271         if (WARN_ON(!wdev)) {
3272                 nlmsg_free(msg);
3273                 return -EPROTO;
3274         } else if (IS_ERR(wdev)) {
3275                 nlmsg_free(msg);
3276                 return PTR_ERR(wdev);
3277         }
3278
3279         if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
3280                 wdev->owner_nlportid = info->snd_portid;
3281
3282         switch (type) {
3283         case NL80211_IFTYPE_MESH_POINT:
3284                 if (!info->attrs[NL80211_ATTR_MESH_ID])
3285                         break;
3286                 wdev_lock(wdev);
3287                 BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
3288                              IEEE80211_MAX_MESH_ID_LEN);
3289                 wdev->mesh_id_up_len =
3290                         nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
3291                 memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
3292                        wdev->mesh_id_up_len);
3293                 wdev_unlock(wdev);
3294                 break;
3295         case NL80211_IFTYPE_NAN:
3296         case NL80211_IFTYPE_P2P_DEVICE:
3297                 /*
3298                  * P2P Device and NAN do not have a netdev, so don't go
3299                  * through the netdev notifier and must be added here
3300                  */
3301                 mutex_init(&wdev->mtx);
3302                 INIT_LIST_HEAD(&wdev->event_list);
3303                 spin_lock_init(&wdev->event_lock);
3304                 INIT_LIST_HEAD(&wdev->mgmt_registrations);
3305                 spin_lock_init(&wdev->mgmt_registrations_lock);
3306
3307                 wdev->identifier = ++rdev->wdev_id;
3308                 list_add_rcu(&wdev->list, &rdev->wiphy.wdev_list);
3309                 rdev->devlist_generation++;
3310                 break;
3311         default:
3312                 break;
3313         }
3314
3315         if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
3316                                rdev, wdev, false) < 0) {
3317                 nlmsg_free(msg);
3318                 return -ENOBUFS;
3319         }
3320
3321         /*
3322          * For wdevs which have no associated netdev object (e.g. of type
3323          * NL80211_IFTYPE_P2P_DEVICE), emit the NEW_INTERFACE event here.
3324          * For all other types, the event will be generated from the
3325          * netdev notifier
3326          */
3327         if (!wdev->netdev)
3328                 nl80211_notify_iface(rdev, wdev, NL80211_CMD_NEW_INTERFACE);
3329
3330         return genlmsg_reply(msg, info);
3331 }
3332
3333 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
3334 {
3335         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3336         struct wireless_dev *wdev = info->user_ptr[1];
3337
3338         if (!rdev->ops->del_virtual_intf)
3339                 return -EOPNOTSUPP;
3340
3341         /*
3342          * If we remove a wireless device without a netdev then clear
3343          * user_ptr[1] so that nl80211_post_doit won't dereference it
3344          * to check if it needs to do dev_put(). Otherwise it crashes
3345          * since the wdev has been freed, unlike with a netdev where
3346          * we need the dev_put() for the netdev to really be freed.
3347          */
3348         if (!wdev->netdev)
3349                 info->user_ptr[1] = NULL;
3350
3351         return rdev_del_virtual_intf(rdev, wdev);
3352 }
3353
3354 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
3355 {
3356         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3357         struct net_device *dev = info->user_ptr[1];
3358         u16 noack_map;
3359
3360         if (!info->attrs[NL80211_ATTR_NOACK_MAP])
3361                 return -EINVAL;
3362
3363         if (!rdev->ops->set_noack_map)
3364                 return -EOPNOTSUPP;
3365
3366         noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
3367
3368         return rdev_set_noack_map(rdev, dev, noack_map);
3369 }
3370
3371 struct get_key_cookie {
3372         struct sk_buff *msg;
3373         int error;
3374         int idx;
3375 };
3376
3377 static void get_key_callback(void *c, struct key_params *params)
3378 {
3379         struct nlattr *key;
3380         struct get_key_cookie *cookie = c;
3381
3382         if ((params->key &&
3383              nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
3384                      params->key_len, params->key)) ||
3385             (params->seq &&
3386              nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
3387                      params->seq_len, params->seq)) ||
3388             (params->cipher &&
3389              nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
3390                          params->cipher)))
3391                 goto nla_put_failure;
3392
3393         key = nla_nest_start(cookie->msg, NL80211_ATTR_KEY);
3394         if (!key)
3395                 goto nla_put_failure;
3396
3397         if ((params->key &&
3398              nla_put(cookie->msg, NL80211_KEY_DATA,
3399                      params->key_len, params->key)) ||
3400             (params->seq &&
3401              nla_put(cookie->msg, NL80211_KEY_SEQ,
3402                      params->seq_len, params->seq)) ||
3403             (params->cipher &&
3404              nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
3405                          params->cipher)))
3406                 goto nla_put_failure;
3407
3408         if (nla_put_u8(cookie->msg, NL80211_KEY_IDX, cookie->idx))
3409                 goto nla_put_failure;
3410
3411         nla_nest_end(cookie->msg, key);
3412
3413         return;
3414  nla_put_failure:
3415         cookie->error = 1;
3416 }
3417
3418 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
3419 {
3420         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3421         int err;
3422         struct net_device *dev = info->user_ptr[1];
3423         u8 key_idx = 0;
3424         const u8 *mac_addr = NULL;
3425         bool pairwise;
3426         struct get_key_cookie cookie = {
3427                 .error = 0,
3428         };
3429         void *hdr;
3430         struct sk_buff *msg;
3431
3432         if (info->attrs[NL80211_ATTR_KEY_IDX])
3433                 key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
3434
3435         if (key_idx > 5)
3436                 return -EINVAL;
3437
3438         if (info->attrs[NL80211_ATTR_MAC])
3439                 mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3440
3441         pairwise = !!mac_addr;
3442         if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
3443                 u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
3444
3445                 if (kt >= NUM_NL80211_KEYTYPES)
3446                         return -EINVAL;
3447                 if (kt != NL80211_KEYTYPE_GROUP &&
3448                     kt != NL80211_KEYTYPE_PAIRWISE)
3449                         return -EINVAL;
3450                 pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
3451         }
3452
3453         if (!rdev->ops->get_key)
3454                 return -EOPNOTSUPP;
3455
3456         if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
3457                 return -ENOENT;
3458
3459         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3460         if (!msg)
3461                 return -ENOMEM;
3462
3463         hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
3464                              NL80211_CMD_NEW_KEY);
3465         if (!hdr)
3466                 goto nla_put_failure;
3467
3468         cookie.msg = msg;
3469         cookie.idx = key_idx;
3470
3471         if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3472             nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
3473                 goto nla_put_failure;
3474         if (mac_addr &&
3475             nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
3476                 goto nla_put_failure;
3477
3478         err = rdev_get_key(rdev, dev, key_idx, pairwise, mac_addr, &cookie,
3479                            get_key_callback);
3480
3481         if (err)
3482                 goto free_msg;
3483
3484         if (cookie.error)
3485                 goto nla_put_failure;
3486
3487         genlmsg_end(msg, hdr);
3488         return genlmsg_reply(msg, info);
3489
3490  nla_put_failure:
3491         err = -ENOBUFS;
3492  free_msg:
3493         nlmsg_free(msg);
3494         return err;
3495 }
3496
3497 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
3498 {
3499         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3500         struct key_parse key;
3501         int err;
3502         struct net_device *dev = info->user_ptr[1];
3503
3504         err = nl80211_parse_key(info, &key);
3505         if (err)
3506                 return err;
3507
3508         if (key.idx < 0)
3509                 return -EINVAL;
3510
3511         /* only support setting default key */
3512         if (!key.def && !key.defmgmt)
3513                 return -EINVAL;
3514
3515         wdev_lock(dev->ieee80211_ptr);
3516
3517         if (key.def) {
3518                 if (!rdev->ops->set_default_key) {
3519                         err = -EOPNOTSUPP;
3520                         goto out;
3521                 }
3522
3523                 err = nl80211_key_allowed(dev->ieee80211_ptr);
3524                 if (err)
3525                         goto out;
3526
3527                 err = rdev_set_default_key(rdev, dev, key.idx,
3528                                                  key.def_uni, key.def_multi);
3529
3530                 if (err)
3531                         goto out;
3532
3533 #ifdef CONFIG_CFG80211_WEXT
3534                 dev->ieee80211_ptr->wext.default_key = key.idx;
3535 #endif
3536         } else {
3537                 if (key.def_uni || !key.def_multi) {
3538                         err = -EINVAL;
3539                         goto out;
3540                 }
3541
3542                 if (!rdev->ops->set_default_mgmt_key) {
3543                         err = -EOPNOTSUPP;
3544                         goto out;
3545                 }
3546
3547                 err = nl80211_key_allowed(dev->ieee80211_ptr);
3548                 if (err)
3549                         goto out;
3550
3551                 err = rdev_set_default_mgmt_key(rdev, dev, key.idx);
3552                 if (err)
3553                         goto out;
3554
3555 #ifdef CONFIG_CFG80211_WEXT
3556                 dev->ieee80211_ptr->wext.default_mgmt_key = key.idx;
3557 #endif
3558         }
3559
3560  out:
3561         wdev_unlock(dev->ieee80211_ptr);
3562
3563         return err;
3564 }
3565
3566 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
3567 {
3568         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3569         int err;
3570         struct net_device *dev = info->user_ptr[1];
3571         struct key_parse key;
3572         const u8 *mac_addr = NULL;
3573
3574         err = nl80211_parse_key(info, &key);
3575         if (err)
3576                 return err;
3577
3578         if (!key.p.key)
3579                 return -EINVAL;
3580
3581         if (info->attrs[NL80211_ATTR_MAC])
3582                 mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3583
3584         if (key.type == -1) {
3585                 if (mac_addr)
3586                         key.type = NL80211_KEYTYPE_PAIRWISE;
3587                 else
3588                         key.type = NL80211_KEYTYPE_GROUP;
3589         }
3590
3591         /* for now */
3592         if (key.type != NL80211_KEYTYPE_PAIRWISE &&
3593             key.type != NL80211_KEYTYPE_GROUP)
3594                 return -EINVAL;
3595
3596         if (!rdev->ops->add_key)
3597                 return -EOPNOTSUPP;
3598
3599         if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
3600                                            key.type == NL80211_KEYTYPE_PAIRWISE,
3601                                            mac_addr))
3602                 return -EINVAL;
3603
3604         wdev_lock(dev->ieee80211_ptr);
3605         err = nl80211_key_allowed(dev->ieee80211_ptr);
3606         if (!err)
3607                 err = rdev_add_key(rdev, dev, key.idx,
3608                                    key.type == NL80211_KEYTYPE_PAIRWISE,
3609                                     mac_addr, &key.p);
3610         wdev_unlock(dev->ieee80211_ptr);
3611
3612         return err;
3613 }
3614
3615 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
3616 {
3617         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3618         int err;
3619         struct net_device *dev = info->user_ptr[1];
3620         u8 *mac_addr = NULL;
3621         struct key_parse key;
3622
3623         err = nl80211_parse_key(info, &key);
3624         if (err)
3625                 return err;
3626
3627         if (info->attrs[NL80211_ATTR_MAC])
3628                 mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3629
3630         if (key.type == -1) {
3631                 if (mac_addr)
3632                         key.type = NL80211_KEYTYPE_PAIRWISE;
3633                 else
3634                         key.type = NL80211_KEYTYPE_GROUP;
3635         }
3636
3637         /* for now */
3638         if (key.type != NL80211_KEYTYPE_PAIRWISE &&
3639             key.type != NL80211_KEYTYPE_GROUP)
3640                 return -EINVAL;
3641
3642         if (!cfg80211_valid_key_idx(rdev, key.idx,
3643                                     key.type == NL80211_KEYTYPE_PAIRWISE))
3644                 return -EINVAL;
3645
3646         if (!rdev->ops->del_key)
3647                 return -EOPNOTSUPP;
3648
3649         wdev_lock(dev->ieee80211_ptr);
3650         err = nl80211_key_allowed(dev->ieee80211_ptr);
3651
3652         if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
3653             !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
3654                 err = -ENOENT;
3655
3656         if (!err)
3657                 err = rdev_del_key(rdev, dev, key.idx,
3658                                    key.type == NL80211_KEYTYPE_PAIRWISE,
3659                                    mac_addr);
3660
3661 #ifdef CONFIG_CFG80211_WEXT
3662         if (!err) {
3663                 if (key.idx == dev->ieee80211_ptr->wext.default_key)
3664                         dev->ieee80211_ptr->wext.default_key = -1;
3665                 else if (key.idx == dev->ieee80211_ptr->wext.default_mgmt_key)
3666                         dev->ieee80211_ptr->wext.default_mgmt_key = -1;
3667         }
3668 #endif
3669         wdev_unlock(dev->ieee80211_ptr);
3670
3671         return err;
3672 }
3673
3674 /* This function returns an error or the number of nested attributes */
3675 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
3676 {
3677         struct nlattr *attr;
3678         int n_entries = 0, tmp;
3679
3680         nla_for_each_nested(attr, nl_attr, tmp) {
3681                 if (nla_len(attr) != ETH_ALEN)
3682                         return -EINVAL;
3683
3684                 n_entries++;
3685         }
3686
3687         return n_entries;
3688 }
3689
3690 /*
3691  * This function parses ACL information and allocates memory for ACL data.
3692  * On successful return, the calling function is responsible to free the
3693  * ACL buffer returned by this function.
3694  */
3695 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
3696                                                 struct genl_info *info)
3697 {
3698         enum nl80211_acl_policy acl_policy;
3699         struct nlattr *attr;
3700         struct cfg80211_acl_data *acl;
3701         int i = 0, n_entries, tmp;
3702
3703         if (!wiphy->max_acl_mac_addrs)
3704                 return ERR_PTR(-EOPNOTSUPP);
3705
3706         if (!info->attrs[NL80211_ATTR_ACL_POLICY])
3707                 return ERR_PTR(-EINVAL);
3708
3709         acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
3710         if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
3711             acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
3712                 return ERR_PTR(-EINVAL);
3713
3714         if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
3715                 return ERR_PTR(-EINVAL);
3716
3717         n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
3718         if (n_entries < 0)
3719                 return ERR_PTR(n_entries);
3720
3721         if (n_entries > wiphy->max_acl_mac_addrs)
3722                 return ERR_PTR(-ENOTSUPP);
3723
3724         acl = kzalloc(sizeof(*acl) + (sizeof(struct mac_address) * n_entries),
3725                       GFP_KERNEL);
3726         if (!acl)
3727                 return ERR_PTR(-ENOMEM);
3728
3729         nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
3730                 memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
3731                 i++;
3732         }
3733
3734         acl->n_acl_entries = n_entries;
3735         acl->acl_policy = acl_policy;
3736
3737         return acl;
3738 }
3739
3740 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
3741 {
3742         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3743         struct net_device *dev = info->user_ptr[1];
3744         struct cfg80211_acl_data *acl;
3745         int err;
3746
3747         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3748             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3749                 return -EOPNOTSUPP;
3750
3751         if (!dev->ieee80211_ptr->beacon_interval)
3752                 return -EINVAL;
3753
3754         acl = parse_acl_data(&rdev->wiphy, info);
3755         if (IS_ERR(acl))
3756                 return PTR_ERR(acl);
3757
3758         err = rdev_set_mac_acl(rdev, dev, acl);
3759
3760         kfree(acl);
3761
3762         return err;
3763 }
3764
3765 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
3766                            u8 *rates, u8 rates_len)
3767 {
3768         u8 i;
3769         u32 mask = 0;
3770
3771         for (i = 0; i < rates_len; i++) {
3772                 int rate = (rates[i] & 0x7f) * 5;
3773                 int ridx;
3774
3775                 for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
3776                         struct ieee80211_rate *srate =
3777                                 &sband->bitrates[ridx];
3778                         if (rate == srate->bitrate) {
3779                                 mask |= 1 << ridx;
3780                                 break;
3781                         }
3782                 }
3783                 if (ridx == sband->n_bitrates)
3784                         return 0; /* rate not found */
3785         }
3786
3787         return mask;
3788 }
3789
3790 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
3791                                u8 *rates, u8 rates_len,
3792                                u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
3793 {
3794         u8 i;
3795
3796         memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
3797
3798         for (i = 0; i < rates_len; i++) {
3799                 int ridx, rbit;
3800
3801                 ridx = rates[i] / 8;
3802                 rbit = BIT(rates[i] % 8);
3803
3804                 /* check validity */
3805                 if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
3806                         return false;
3807
3808                 /* check availability */
3809                 ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
3810                 if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
3811                         mcs[ridx] |= rbit;
3812                 else
3813                         return false;
3814         }
3815
3816         return true;
3817 }
3818
3819 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
3820 {
3821         u16 mcs_mask = 0;
3822
3823         switch (vht_mcs_map) {
3824         case IEEE80211_VHT_MCS_NOT_SUPPORTED:
3825                 break;
3826         case IEEE80211_VHT_MCS_SUPPORT_0_7:
3827                 mcs_mask = 0x00FF;
3828                 break;
3829         case IEEE80211_VHT_MCS_SUPPORT_0_8:
3830                 mcs_mask = 0x01FF;
3831                 break;
3832         case IEEE80211_VHT_MCS_SUPPORT_0_9:
3833                 mcs_mask = 0x03FF;
3834                 break;
3835         default:
3836                 break;
3837         }
3838
3839         return mcs_mask;
3840 }
3841
3842 static void vht_build_mcs_mask(u16 vht_mcs_map,
3843                                u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
3844 {
3845         u8 nss;
3846
3847         for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
3848                 vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
3849                 vht_mcs_map >>= 2;
3850         }
3851 }
3852
3853 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
3854                              struct nl80211_txrate_vht *txrate,
3855                              u16 mcs[NL80211_VHT_NSS_MAX])
3856 {
3857         u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
3858         u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
3859         u8 i;
3860
3861         if (!sband->vht_cap.vht_supported)
3862                 return false;
3863
3864         memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
3865
3866         /* Build vht_mcs_mask from VHT capabilities */
3867         vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
3868
3869         for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
3870                 if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
3871                         mcs[i] = txrate->mcs[i];
3872                 else
3873                         return false;
3874         }
3875
3876         return true;
3877 }
3878
3879 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
3880         [NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
3881                                     .len = NL80211_MAX_SUPP_RATES },
3882         [NL80211_TXRATE_HT] = { .type = NLA_BINARY,
3883                                 .len = NL80211_MAX_SUPP_HT_RATES },
3884         [NL80211_TXRATE_VHT] = { .len = sizeof(struct nl80211_txrate_vht)},
3885         [NL80211_TXRATE_GI] = { .type = NLA_U8 },
3886 };
3887
3888 static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
3889                                          struct cfg80211_bitrate_mask *mask)
3890 {
3891         struct nlattr *tb[NL80211_TXRATE_MAX + 1];
3892         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3893         int rem, i;
3894         struct nlattr *tx_rates;
3895         struct ieee80211_supported_band *sband;
3896         u16 vht_tx_mcs_map;
3897
3898         memset(mask, 0, sizeof(*mask));
3899         /* Default to all rates enabled */
3900         for (i = 0; i < NUM_NL80211_BANDS; i++) {
3901                 sband = rdev->wiphy.bands[i];
3902
3903                 if (!sband)
3904                         continue;
3905
3906                 mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
3907                 memcpy(mask->control[i].ht_mcs,
3908                        sband->ht_cap.mcs.rx_mask,
3909                        sizeof(mask->control[i].ht_mcs));
3910
3911                 if (!sband->vht_cap.vht_supported)
3912                         continue;
3913
3914                 vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
3915                 vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
3916         }
3917
3918         /* if no rates are given set it back to the defaults */
3919         if (!info->attrs[NL80211_ATTR_TX_RATES])
3920                 goto out;
3921
3922         /* The nested attribute uses enum nl80211_band as the index. This maps
3923          * directly to the enum nl80211_band values used in cfg80211.
3924          */
3925         BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
3926         nla_for_each_nested(tx_rates, info->attrs[NL80211_ATTR_TX_RATES], rem) {
3927                 enum nl80211_band band = nla_type(tx_rates);
3928                 int err;
3929
3930                 if (band < 0 || band >= NUM_NL80211_BANDS)
3931                         return -EINVAL;
3932                 sband = rdev->wiphy.bands[band];
3933                 if (sband == NULL)
3934                         return -EINVAL;
3935                 err = nla_parse_nested(tb, NL80211_TXRATE_MAX, tx_rates,
3936                                        nl80211_txattr_policy, info->extack);
3937                 if (err)
3938                         return err;
3939                 if (tb[NL80211_TXRATE_LEGACY]) {
3940                         mask->control[band].legacy = rateset_to_mask(
3941                                 sband,
3942                                 nla_data(tb[NL80211_TXRATE_LEGACY]),
3943                                 nla_len(tb[NL80211_TXRATE_LEGACY]));
3944                         if ((mask->control[band].legacy == 0) &&
3945                             nla_len(tb[NL80211_TXRATE_LEGACY]))
3946                                 return -EINVAL;
3947                 }
3948                 if (tb[NL80211_TXRATE_HT]) {
3949                         if (!ht_rateset_to_mask(
3950                                         sband,
3951                                         nla_data(tb[NL80211_TXRATE_HT]),
3952                                         nla_len(tb[NL80211_TXRATE_HT]),
3953                                         mask->control[band].ht_mcs))
3954                                 return -EINVAL;
3955                 }
3956                 if (tb[NL80211_TXRATE_VHT]) {
3957                         if (!vht_set_mcs_mask(
3958                                         sband,
3959                                         nla_data(tb[NL80211_TXRATE_VHT]),
3960                                         mask->control[band].vht_mcs))
3961                                 return -EINVAL;
3962                 }
3963                 if (tb[NL80211_TXRATE_GI]) {
3964                         mask->control[band].gi =
3965                                 nla_get_u8(tb[NL80211_TXRATE_GI]);
3966                         if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
3967                                 return -EINVAL;
3968                 }
3969
3970                 if (mask->control[band].legacy == 0) {
3971                         /* don't allow empty legacy rates if HT or VHT
3972                          * are not even supported.
3973                          */
3974                         if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
3975                               rdev->wiphy.bands[band]->vht_cap.vht_supported))
3976                                 return -EINVAL;
3977
3978                         for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
3979                                 if (mask->control[band].ht_mcs[i])
3980                                         goto out;
3981
3982                         for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
3983                                 if (mask->control[band].vht_mcs[i])
3984                                         goto out;
3985
3986                         /* legacy and mcs rates may not be both empty */
3987                         return -EINVAL;
3988                 }
3989         }
3990
3991 out:
3992         return 0;
3993 }
3994
3995 static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
3996                                    enum nl80211_band band,
3997                                    struct cfg80211_bitrate_mask *beacon_rate)
3998 {
3999         u32 count_ht, count_vht, i;
4000         u32 rate = beacon_rate->control[band].legacy;
4001
4002         /* Allow only one rate */
4003         if (hweight32(rate) > 1)
4004                 return -EINVAL;
4005
4006         count_ht = 0;
4007         for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
4008                 if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
4009                         return -EINVAL;
4010                 } else if (beacon_rate->control[band].ht_mcs[i]) {
4011                         count_ht++;
4012                         if (count_ht > 1)
4013                                 return -EINVAL;
4014                 }
4015                 if (count_ht && rate)
4016                         return -EINVAL;
4017         }
4018
4019         count_vht = 0;
4020         for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
4021                 if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
4022                         return -EINVAL;
4023                 } else if (beacon_rate->control[band].vht_mcs[i]) {
4024                         count_vht++;
4025                         if (count_vht > 1)
4026                                 return -EINVAL;
4027                 }
4028                 if (count_vht && rate)
4029                         return -EINVAL;
4030         }
4031
4032         if ((count_ht && count_vht) || (!rate && !count_ht && !count_vht))
4033                 return -EINVAL;
4034
4035         if (rate &&
4036             !wiphy_ext_feature_isset(&rdev->wiphy,
4037                                      NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
4038                 return -EINVAL;
4039         if (count_ht &&
4040             !wiphy_ext_feature_isset(&rdev->wiphy,
4041                                      NL80211_EXT_FEATURE_BEACON_RATE_HT))
4042                 return -EINVAL;
4043         if (count_vht &&
4044             !wiphy_ext_feature_isset(&rdev->wiphy,
4045                                      NL80211_EXT_FEATURE_BEACON_RATE_VHT))
4046                 return -EINVAL;
4047
4048         return 0;
4049 }
4050
4051 static int nl80211_parse_beacon(struct nlattr *attrs[],
4052                                 struct cfg80211_beacon_data *bcn)
4053 {
4054         bool haveinfo = false;
4055
4056         if (!is_valid_ie_attr(attrs[NL80211_ATTR_BEACON_TAIL]) ||
4057             !is_valid_ie_attr(attrs[NL80211_ATTR_IE]) ||
4058             !is_valid_ie_attr(attrs[NL80211_ATTR_IE_PROBE_RESP]) ||
4059             !is_valid_ie_attr(attrs[NL80211_ATTR_IE_ASSOC_RESP]))
4060                 return -EINVAL;
4061
4062         memset(bcn, 0, sizeof(*bcn));
4063
4064         if (attrs[NL80211_ATTR_BEACON_HEAD]) {
4065                 int ret = validate_beacon_head(attrs[NL80211_ATTR_BEACON_HEAD],
4066                                                NULL);
4067
4068                 if (ret)
4069                         return ret;
4070
4071                 bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
4072                 bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
4073                 if (!bcn->head_len)
4074                         return -EINVAL;
4075                 haveinfo = true;
4076         }
4077
4078         if (attrs[NL80211_ATTR_BEACON_TAIL]) {
4079                 bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
4080                 bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
4081                 haveinfo = true;
4082         }
4083
4084         if (!haveinfo)
4085                 return -EINVAL;
4086
4087         if (attrs[NL80211_ATTR_IE]) {
4088                 bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
4089                 bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
4090         }
4091
4092         if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
4093                 bcn->proberesp_ies =
4094                         nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
4095                 bcn->proberesp_ies_len =
4096                         nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
4097         }
4098
4099         if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
4100                 bcn->assocresp_ies =
4101                         nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
4102                 bcn->assocresp_ies_len =
4103                         nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
4104         }
4105
4106         if (attrs[NL80211_ATTR_PROBE_RESP]) {
4107                 bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
4108                 bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
4109         }
4110
4111         return 0;
4112 }
4113
4114 static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
4115                                             const u8 *rates)
4116 {
4117         int i;
4118
4119         if (!rates)
4120                 return;
4121
4122         for (i = 0; i < rates[1]; i++) {
4123                 if (rates[2 + i] == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
4124                         params->ht_required = true;
4125                 if (rates[2 + i] == BSS_MEMBERSHIP_SELECTOR_VHT_PHY)
4126                         params->vht_required = true;
4127         }
4128 }
4129
4130 /*
4131  * Since the nl80211 API didn't include, from the beginning, attributes about
4132  * HT/VHT requirements/capabilities, we parse them out of the IEs for the
4133  * benefit of drivers that rebuild IEs in the firmware.
4134  */
4135 static void nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
4136 {
4137         const struct cfg80211_beacon_data *bcn = &params->beacon;
4138         size_t ies_len = bcn->tail_len;
4139         const u8 *ies = bcn->tail;
4140         const u8 *rates;
4141         const u8 *cap;
4142
4143         rates = cfg80211_find_ie(WLAN_EID_SUPP_RATES, ies, ies_len);
4144         nl80211_check_ap_rate_selectors(params, rates);
4145
4146         rates = cfg80211_find_ie(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
4147         nl80211_check_ap_rate_selectors(params, rates);
4148
4149         cap = cfg80211_find_ie(WLAN_EID_HT_CAPABILITY, ies, ies_len);
4150         if (cap && cap[1] >= sizeof(*params->ht_cap))
4151                 params->ht_cap = (void *)(cap + 2);
4152         cap = cfg80211_find_ie(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
4153         if (cap && cap[1] >= sizeof(*params->vht_cap))
4154                 params->vht_cap = (void *)(cap + 2);
4155 }
4156
4157 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
4158                                    struct cfg80211_ap_settings *params)
4159 {
4160         struct wireless_dev *wdev;
4161         bool ret = false;
4162
4163         list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
4164                 if (wdev->iftype != NL80211_IFTYPE_AP &&
4165                     wdev->iftype != NL80211_IFTYPE_P2P_GO)
4166                         continue;
4167
4168                 if (!wdev->preset_chandef.chan)
4169                         continue;
4170
4171                 params->chandef = wdev->preset_chandef;
4172                 ret = true;
4173                 break;
4174         }
4175
4176         return ret;
4177 }
4178
4179 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
4180                                     enum nl80211_auth_type auth_type,
4181                                     enum nl80211_commands cmd)
4182 {
4183         if (auth_type > NL80211_AUTHTYPE_MAX)
4184                 return false;
4185
4186         switch (cmd) {
4187         case NL80211_CMD_AUTHENTICATE:
4188                 if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
4189                     auth_type == NL80211_AUTHTYPE_SAE)
4190                         return false;
4191                 if (!wiphy_ext_feature_isset(&rdev->wiphy,
4192                                              NL80211_EXT_FEATURE_FILS_STA) &&
4193                     (auth_type == NL80211_AUTHTYPE_FILS_SK ||
4194                      auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
4195                      auth_type == NL80211_AUTHTYPE_FILS_PK))
4196                         return false;
4197                 return true;
4198         case NL80211_CMD_CONNECT:
4199                 if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
4200                     auth_type == NL80211_AUTHTYPE_SAE)
4201                         return false;
4202
4203                 /* FILS with SK PFS or PK not supported yet */
4204                 if (auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
4205                     auth_type == NL80211_AUTHTYPE_FILS_PK)
4206                         return false;
4207                 if (!wiphy_ext_feature_isset(
4208                             &rdev->wiphy,
4209                             NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
4210                     auth_type == NL80211_AUTHTYPE_FILS_SK)
4211                         return false;
4212                 return true;
4213         case NL80211_CMD_START_AP:
4214                 /* SAE not supported yet */
4215                 if (auth_type == NL80211_AUTHTYPE_SAE)
4216                         return false;
4217                 /* FILS not supported yet */
4218                 if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
4219                     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
4220                     auth_type == NL80211_AUTHTYPE_FILS_PK)
4221                         return false;
4222                 return true;
4223         default:
4224                 return false;
4225         }
4226 }
4227
4228 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
4229 {
4230         struct cfg80211_registered_device *rdev = info->user_ptr[0];
4231         struct net_device *dev = info->user_ptr[1];
4232         struct wireless_dev *wdev = dev->ieee80211_ptr;
4233         struct cfg80211_ap_settings params;
4234         int err;
4235
4236         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4237             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4238                 return -EOPNOTSUPP;
4239
4240         if (!rdev->ops->start_ap)
4241                 return -EOPNOTSUPP;
4242
4243         if (wdev->beacon_interval)
4244                 return -EALREADY;
4245
4246         memset(&params, 0, sizeof(params));
4247
4248         /* these are required for START_AP */
4249         if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
4250             !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
4251             !info->attrs[NL80211_ATTR_BEACON_HEAD])
4252                 return -EINVAL;
4253
4254         err = nl80211_parse_beacon(info->attrs, &params.beacon);
4255         if (err)
4256                 return err;
4257
4258         params.beacon_interval =
4259                 nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
4260         params.dtim_period =
4261                 nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
4262
4263         err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
4264                                            params.beacon_interval);
4265         if (err)
4266                 return err;
4267
4268         /*
4269          * In theory, some of these attributes should be required here
4270          * but since they were not used when the command was originally
4271          * added, keep them optional for old user space programs to let
4272          * them continue to work with drivers that do not need the
4273          * additional information -- drivers must check!
4274          */
4275         if (info->attrs[NL80211_ATTR_SSID]) {
4276                 params.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
4277                 params.ssid_len =
4278                         nla_len(info->attrs[NL80211_ATTR_SSID]);
4279                 if (params.ssid_len == 0 ||
4280                     params.ssid_len > IEEE80211_MAX_SSID_LEN)
4281                         return -EINVAL;
4282         }
4283
4284         if (info->attrs[NL80211_ATTR_HIDDEN_SSID]) {
4285                 params.hidden_ssid = nla_get_u32(
4286                         info->attrs[NL80211_ATTR_HIDDEN_SSID]);
4287                 if (params.hidden_ssid != NL80211_HIDDEN_SSID_NOT_IN_USE &&
4288                     params.hidden_ssid != NL80211_HIDDEN_SSID_ZERO_LEN &&
4289                     params.hidden_ssid != NL80211_HIDDEN_SSID_ZERO_CONTENTS)
4290                         return -EINVAL;
4291         }
4292
4293         params.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
4294
4295         if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
4296                 params.auth_type = nla_get_u32(
4297                         info->attrs[NL80211_ATTR_AUTH_TYPE]);
4298                 if (!nl80211_valid_auth_type(rdev, params.auth_type,
4299                                              NL80211_CMD_START_AP))
4300                         return -EINVAL;
4301         } else
4302                 params.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
4303
4304         err = nl80211_crypto_settings(rdev, info, &params.crypto,
4305                                       NL80211_MAX_NR_CIPHER_SUITES);
4306         if (err)
4307                 return err;
4308
4309         if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
4310                 if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER))
4311                         return -EOPNOTSUPP;
4312                 params.inactivity_timeout = nla_get_u16(
4313                         info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
4314         }
4315
4316         if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
4317                 if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4318                         return -EINVAL;
4319                 params.p2p_ctwindow =
4320                         nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
4321                 if (params.p2p_ctwindow > 127)
4322                         return -EINVAL;
4323                 if (params.p2p_ctwindow != 0 &&
4324                     !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
4325                         return -EINVAL;
4326         }
4327
4328         if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
4329                 u8 tmp;
4330
4331                 if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4332                         return -EINVAL;
4333                 tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
4334                 if (tmp > 1)
4335                         return -EINVAL;
4336                 params.p2p_opp_ps = tmp;
4337                 if (params.p2p_opp_ps != 0 &&
4338                     !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
4339                         return -EINVAL;
4340         }
4341
4342         if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
4343                 err = nl80211_parse_chandef(rdev, info, &params.chandef);
4344                 if (err)
4345                         return err;
4346         } else if (wdev->preset_chandef.chan) {
4347                 params.chandef = wdev->preset_chandef;
4348         } else if (!nl80211_get_ap_channel(rdev, &params))
4349                 return -EINVAL;
4350
4351         if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
4352                                            wdev->iftype))
4353                 return -EINVAL;
4354
4355         if (info->attrs[NL80211_ATTR_TX_RATES]) {
4356                 err = nl80211_parse_tx_bitrate_mask(info, &params.beacon_rate);
4357                 if (err)
4358                         return err;
4359
4360                 err = validate_beacon_tx_rate(rdev, params.chandef.chan->band,
4361                                               &params.beacon_rate);
4362                 if (err)
4363                         return err;
4364         }
4365
4366         if (info->attrs[NL80211_ATTR_SMPS_MODE]) {
4367                 params.smps_mode =
4368                         nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]);
4369                 switch (params.smps_mode) {
4370                 case NL80211_SMPS_OFF:
4371                         break;
4372                 case NL80211_SMPS_STATIC:
4373                         if (!(rdev->wiphy.features &
4374                               NL80211_FEATURE_STATIC_SMPS))
4375                                 return -EINVAL;
4376                         break;
4377                 case NL80211_SMPS_DYNAMIC:
4378                         if (!(rdev->wiphy.features &
4379                               NL80211_FEATURE_DYNAMIC_SMPS))
4380                                 return -EINVAL;
4381                         break;
4382                 default:
4383                         return -EINVAL;
4384                 }
4385         } else {
4386                 params.smps_mode = NL80211_SMPS_OFF;
4387         }
4388
4389         params.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
4390         if (params.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ])
4391                 return -EOPNOTSUPP;
4392
4393         if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
4394                 params.acl = parse_acl_data(&rdev->wiphy, info);
4395                 if (IS_ERR(params.acl))
4396                         return PTR_ERR(params.acl);
4397         }
4398
4399         nl80211_calculate_ap_params(&params);
4400
4401         wdev_lock(wdev);
4402         err = rdev_start_ap(rdev, dev, &params);
4403         if (!err) {
4404                 wdev->preset_chandef = params.chandef;
4405                 wdev->beacon_interval = params.beacon_interval;
4406                 wdev->chandef = params.chandef;
4407                 wdev->ssid_len = params.ssid_len;
4408                 memcpy(wdev->ssid, params.ssid, wdev->ssid_len);
4409
4410                 if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
4411                         wdev->conn_owner_nlportid = info->snd_portid;
4412         }
4413         wdev_unlock(wdev);
4414
4415         kfree(params.acl);
4416
4417         return err;
4418 }
4419
4420 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
4421 {
4422         struct cfg80211_registered_device *rdev = info->user_ptr[0];
4423         struct net_device *dev = info->user_ptr[1];
4424         struct wireless_dev *wdev = dev->ieee80211_ptr;
4425         struct cfg80211_beacon_data params;
4426         int err;
4427
4428         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4429             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4430                 return -EOPNOTSUPP;
4431
4432         if (!rdev->ops->change_beacon)
4433                 return -EOPNOTSUPP;
4434
4435         if (!wdev->beacon_interval)
4436                 return -EINVAL;
4437
4438         err = nl80211_parse_beacon(info->attrs, &params);
4439         if (err)
4440                 return err;
4441
4442         wdev_lock(wdev);
4443         err = rdev_change_beacon(rdev, dev, &params);
4444         wdev_unlock(wdev);
4445
4446         return err;
4447 }
4448
4449 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
4450 {
4451         struct cfg80211_registered_device *rdev = info->user_ptr[0];
4452         struct net_device *dev = info->user_ptr[1];
4453
4454         return cfg80211_stop_ap(rdev, dev, false);
4455 }
4456
4457 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
4458         [NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
4459         [NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
4460         [NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
4461         [NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
4462         [NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
4463         [NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
4464 };
4465
4466 static int parse_station_flags(struct genl_info *info,
4467                                enum nl80211_iftype iftype,
4468                                struct station_parameters *params)
4469 {
4470         struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
4471         struct nlattr *nla;
4472         int flag;
4473
4474         /*
4475          * Try parsing the new attribute first so userspace
4476          * can specify both for older kernels.
4477          */
4478         nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
4479         if (nla) {
4480                 struct nl80211_sta_flag_update *sta_flags;
4481
4482                 sta_flags = nla_data(nla);
4483                 params->sta_flags_mask = sta_flags->mask;
4484                 params->sta_flags_set = sta_flags->set;
4485                 params->sta_flags_set &= params->sta_flags_mask;
4486                 if ((params->sta_flags_mask |
4487                      params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
4488                         return -EINVAL;
4489                 return 0;
4490         }
4491
4492         /* if present, parse the old attribute */
4493
4494         nla = info->attrs[NL80211_ATTR_STA_FLAGS];
4495         if (!nla)
4496                 return 0;
4497
4498         if (nla_parse_nested(flags, NL80211_STA_FLAG_MAX, nla,
4499                              sta_flags_policy, info->extack))
4500                 return -EINVAL;
4501
4502         /*
4503          * Only allow certain flags for interface types so that
4504          * other attributes are silently ignored. Remember that
4505          * this is backward compatibility code with old userspace
4506          * and shouldn't be hit in other cases anyway.
4507          */
4508         switch (iftype) {
4509         case NL80211_IFTYPE_AP:
4510         case NL80211_IFTYPE_AP_VLAN:
4511         case NL80211_IFTYPE_P2P_GO:
4512                 params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
4513                                          BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
4514                                          BIT(NL80211_STA_FLAG_WME) |
4515                                          BIT(NL80211_STA_FLAG_MFP);
4516                 break;
4517         case NL80211_IFTYPE_P2P_CLIENT:
4518         case NL80211_IFTYPE_STATION:
4519                 params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
4520                                          BIT(NL80211_STA_FLAG_TDLS_PEER);
4521                 break;
4522         case NL80211_IFTYPE_MESH_POINT:
4523                 params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
4524                                          BIT(NL80211_STA_FLAG_MFP) |
4525                                          BIT(NL80211_STA_FLAG_AUTHORIZED);
4526                 break;
4527         default:
4528                 return -EINVAL;
4529         }
4530
4531         for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
4532                 if (flags[flag]) {
4533                         params->sta_flags_set |= (1<<flag);
4534
4535                         /* no longer support new API additions in old API */
4536                         if (flag > NL80211_STA_FLAG_MAX_OLD_API)
4537                                 return -EINVAL;
4538                 }
4539         }
4540
4541         return 0;
4542 }
4543
4544 static bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info,
4545                                  int attr)
4546 {
4547         struct nlattr *rate;
4548         u32 bitrate;
4549         u16 bitrate_compat;
4550         enum nl80211_rate_info rate_flg;
4551
4552         rate = nla_nest_start(msg, attr);
4553         if (!rate)
4554                 return false;
4555
4556         /* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
4557         bitrate = cfg80211_calculate_bitrate(info);
4558         /* report 16-bit bitrate only if we can */
4559         bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
4560         if (bitrate > 0 &&
4561             nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
4562                 return false;
4563         if (bitrate_compat > 0 &&
4564             nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
4565                 return false;
4566
4567         switch (info->bw) {
4568         case RATE_INFO_BW_5:
4569                 rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
4570                 break;
4571         case RATE_INFO_BW_10:
4572                 rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
4573                 break;
4574         default:
4575                 WARN_ON(1);
4576                 /* fall through */
4577         case RATE_INFO_BW_20:
4578                 rate_flg = 0;
4579                 break;
4580         case RATE_INFO_BW_40:
4581                 rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
4582                 break;
4583         case RATE_INFO_BW_80:
4584                 rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
4585                 break;
4586         case RATE_INFO_BW_160:
4587                 rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
4588                 break;
4589         case RATE_INFO_BW_HE_RU:
4590                 rate_flg = 0;
4591                 WARN_ON(!(info->flags & RATE_INFO_FLAGS_HE_MCS));
4592         }
4593
4594         if (rate_flg && nla_put_flag(msg, rate_flg))
4595                 return false;
4596
4597         if (info->flags & RATE_INFO_FLAGS_MCS) {
4598                 if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
4599                         return false;
4600                 if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
4601                     nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
4602                         return false;
4603         } else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
4604                 if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
4605                         return false;
4606                 if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
4607                         return false;
4608                 if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
4609                     nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
4610                         return false;
4611         } else if (info->flags & RATE_INFO_FLAGS_HE_MCS) {
4612                 if (nla_put_u8(msg, NL80211_RATE_INFO_HE_MCS, info->mcs))
4613                         return false;
4614                 if (nla_put_u8(msg, NL80211_RATE_INFO_HE_NSS, info->nss))
4615                         return false;
4616                 if (nla_put_u8(msg, NL80211_RATE_INFO_HE_GI, info->he_gi))
4617                         return false;
4618                 if (nla_put_u8(msg, NL80211_RATE_INFO_HE_DCM, info->he_dcm))
4619                         return false;
4620                 if (info->bw == RATE_INFO_BW_HE_RU &&
4621                     nla_put_u8(msg, NL80211_RATE_INFO_HE_RU_ALLOC,
4622                                info->he_ru_alloc))
4623                         return false;
4624         }
4625
4626         nla_nest_end(msg, rate);
4627         return true;
4628 }
4629
4630 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
4631                                int id)
4632 {
4633         void *attr;
4634         int i = 0;
4635
4636         if (!mask)
4637                 return true;
4638
4639         attr = nla_nest_start(msg, id);
4640         if (!attr)
4641                 return false;
4642
4643         for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
4644                 if (!(mask & BIT(i)))
4645                         continue;
4646
4647                 if (nla_put_u8(msg, i, signal[i]))
4648                         return false;
4649         }
4650
4651         nla_nest_end(msg, attr);
4652
4653         return true;
4654 }
4655
4656 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
4657                                 u32 seq, int flags,
4658                                 struct cfg80211_registered_device *rdev,
4659                                 struct net_device *dev,
4660                                 const u8 *mac_addr, struct station_info *sinfo)
4661 {
4662         void *hdr;
4663         struct nlattr *sinfoattr, *bss_param;
4664
4665         hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
4666         if (!hdr) {
4667                 cfg80211_sinfo_release_content(sinfo);
4668                 return -1;
4669         }
4670
4671         if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4672             nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
4673             nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
4674                 goto nla_put_failure;
4675
4676         sinfoattr = nla_nest_start(msg, NL80211_ATTR_STA_INFO);
4677         if (!sinfoattr)
4678                 goto nla_put_failure;
4679
4680 #define PUT_SINFO(attr, memb, type) do {                                \
4681         BUILD_BUG_ON(sizeof(type) == sizeof(u64));                      \
4682         if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&       \
4683             nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,            \
4684                              sinfo->memb))                              \
4685                 goto nla_put_failure;                                   \
4686         } while (0)
4687 #define PUT_SINFO_U64(attr, memb) do {                                  \
4688         if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&       \
4689             nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,           \
4690                               sinfo->memb, NL80211_STA_INFO_PAD))       \
4691                 goto nla_put_failure;                                   \
4692         } while (0)
4693
4694         PUT_SINFO(CONNECTED_TIME, connected_time, u32);
4695         PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
4696
4697         if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
4698                              BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
4699             nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
4700                         (u32)sinfo->rx_bytes))
4701                 goto nla_put_failure;
4702
4703         if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
4704                              BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
4705             nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
4706                         (u32)sinfo->tx_bytes))
4707                 goto nla_put_failure;
4708
4709         PUT_SINFO_U64(RX_BYTES64, rx_bytes);
4710         PUT_SINFO_U64(TX_BYTES64, tx_bytes);
4711         PUT_SINFO(LLID, llid, u16);
4712         PUT_SINFO(PLID, plid, u16);
4713         PUT_SINFO(PLINK_STATE, plink_state, u8);
4714         PUT_SINFO_U64(RX_DURATION, rx_duration);
4715
4716         switch (rdev->wiphy.signal_type) {
4717         case CFG80211_SIGNAL_TYPE_MBM:
4718                 PUT_SINFO(SIGNAL, signal, u8);
4719                 PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
4720                 break;
4721         default:
4722                 break;
4723         }
4724         if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
4725                 if (!nl80211_put_signal(msg, sinfo->chains,
4726                                         sinfo->chain_signal,
4727                                         NL80211_STA_INFO_CHAIN_SIGNAL))
4728                         goto nla_put_failure;
4729         }
4730         if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
4731                 if (!nl80211_put_signal(msg, sinfo->chains,
4732                                         sinfo->chain_signal_avg,
4733                                         NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
4734                         goto nla_put_failure;
4735         }
4736         if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
4737                 if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
4738                                           NL80211_STA_INFO_TX_BITRATE))
4739                         goto nla_put_failure;
4740         }
4741         if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
4742                 if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
4743                                           NL80211_STA_INFO_RX_BITRATE))
4744                         goto nla_put_failure;
4745         }
4746
4747         PUT_SINFO(RX_PACKETS, rx_packets, u32);
4748         PUT_SINFO(TX_PACKETS, tx_packets, u32);
4749         PUT_SINFO(TX_RETRIES, tx_retries, u32);
4750         PUT_SINFO(TX_FAILED, tx_failed, u32);
4751         PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
4752         PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
4753         PUT_SINFO(LOCAL_PM, local_pm, u32);
4754         PUT_SINFO(PEER_PM, peer_pm, u32);
4755         PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
4756
4757         if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
4758                 bss_param = nla_nest_start(msg, NL80211_STA_INFO_BSS_PARAM);
4759                 if (!bss_param)
4760                         goto nla_put_failure;
4761
4762                 if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
4763                      nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
4764                     ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
4765                      nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
4766                     ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
4767                      nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
4768                     nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
4769                                sinfo->bss_param.dtim_period) ||
4770                     nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
4771                                 sinfo->bss_param.beacon_interval))
4772                         goto nla_put_failure;
4773
4774                 nla_nest_end(msg, bss_param);
4775         }
4776         if ((sinfo->filled & BIT_ULL(NL80211_STA_INFO_STA_FLAGS)) &&
4777             nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
4778                     sizeof(struct nl80211_sta_flag_update),
4779                     &sinfo->sta_flags))
4780                 goto nla_put_failure;
4781
4782         PUT_SINFO_U64(T_OFFSET, t_offset);
4783         PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
4784         PUT_SINFO_U64(BEACON_RX, rx_beacon);
4785         PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
4786         PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
4787         if (wiphy_ext_feature_isset(&rdev->wiphy,
4788                                     NL80211_EXT_FEATURE_DATA_ACK_SIGNAL_SUPPORT))
4789                 PUT_SINFO(DATA_ACK_SIGNAL_AVG, avg_ack_signal, s8);
4790
4791 #undef PUT_SINFO
4792 #undef PUT_SINFO_U64
4793
4794         if (sinfo->pertid) {
4795                 struct nlattr *tidsattr;
4796                 int tid;
4797
4798                 tidsattr = nla_nest_start(msg, NL80211_STA_INFO_TID_STATS);
4799                 if (!tidsattr)
4800                         goto nla_put_failure;
4801
4802                 for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
4803                         struct cfg80211_tid_stats *tidstats;
4804                         struct nlattr *tidattr;
4805
4806                         tidstats = &sinfo->pertid[tid];
4807
4808                         if (!tidstats->filled)
4809                                 continue;
4810
4811                         tidattr = nla_nest_start(msg, tid + 1);
4812                         if (!tidattr)
4813                                 goto nla_put_failure;
4814
4815 #define PUT_TIDVAL_U64(attr, memb) do {                                 \
4816         if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&       \
4817             nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,          \
4818                               tidstats->memb, NL80211_TID_STATS_PAD))   \
4819                 goto nla_put_failure;                                   \
4820         } while (0)
4821
4822                         PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
4823                         PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
4824                         PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
4825                         PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
4826
4827 #undef PUT_TIDVAL_U64
4828                         if ((tidstats->filled &
4829                              BIT(NL80211_TID_STATS_TXQ_STATS)) &&
4830                             !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
4831                                                    NL80211_TID_STATS_TXQ_STATS))
4832                                 goto nla_put_failure;
4833
4834                         nla_nest_end(msg, tidattr);
4835                 }
4836
4837                 nla_nest_end(msg, tidsattr);
4838         }
4839
4840         nla_nest_end(msg, sinfoattr);
4841
4842         if (sinfo->assoc_req_ies_len &&
4843             nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
4844                     sinfo->assoc_req_ies))
4845                 goto nla_put_failure;
4846
4847         cfg80211_sinfo_release_content(sinfo);
4848         genlmsg_end(msg, hdr);
4849         return 0;
4850
4851  nla_put_failure:
4852         cfg80211_sinfo_release_content(sinfo);
4853         genlmsg_cancel(msg, hdr);
4854         return -EMSGSIZE;
4855 }
4856
4857 static int nl80211_dump_station(struct sk_buff *skb,
4858                                 struct netlink_callback *cb)
4859 {
4860         struct station_info sinfo;
4861         struct cfg80211_registered_device *rdev;
4862         struct wireless_dev *wdev;
4863         u8 mac_addr[ETH_ALEN];
4864         int sta_idx = cb->args[2];
4865         int err;
4866
4867         rtnl_lock();
4868         err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
4869         if (err)
4870                 goto out_err;
4871
4872         if (!wdev->netdev) {
4873                 err = -EINVAL;
4874                 goto out_err;
4875         }
4876
4877         if (!rdev->ops->dump_station) {
4878                 err = -EOPNOTSUPP;
4879                 goto out_err;
4880         }
4881
4882         while (1) {
4883                 memset(&sinfo, 0, sizeof(sinfo));
4884                 err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
4885                                         mac_addr, &sinfo);
4886                 if (err == -ENOENT)
4887                         break;
4888                 if (err)
4889                         goto out_err;
4890
4891                 if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
4892                                 NETLINK_CB(cb->skb).portid,
4893                                 cb->nlh->nlmsg_seq, NLM_F_MULTI,
4894                                 rdev, wdev->netdev, mac_addr,
4895                                 &sinfo) < 0)
4896                         goto out;
4897
4898                 sta_idx++;
4899         }
4900
4901  out:
4902         cb->args[2] = sta_idx;
4903         err = skb->len;
4904  out_err:
4905         rtnl_unlock();
4906
4907         return err;
4908 }
4909
4910 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
4911 {
4912         struct cfg80211_registered_device *rdev = info->user_ptr[0];
4913         struct net_device *dev = info->user_ptr[1];
4914         struct station_info sinfo;
4915         struct sk_buff *msg;
4916         u8 *mac_addr = NULL;
4917         int err;
4918
4919         memset(&sinfo, 0, sizeof(sinfo));
4920
4921         if (!info->attrs[NL80211_ATTR_MAC])
4922                 return -EINVAL;
4923
4924         mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4925
4926         if (!rdev->ops->get_station)
4927                 return -EOPNOTSUPP;
4928
4929         err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
4930         if (err)
4931                 return err;
4932
4933         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4934         if (!msg) {
4935                 cfg80211_sinfo_release_content(&sinfo);
4936                 return -ENOMEM;
4937         }
4938
4939         if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
4940                                  info->snd_portid, info->snd_seq, 0,
4941                                  rdev, dev, mac_addr, &sinfo) < 0) {
4942                 nlmsg_free(msg);
4943                 return -ENOBUFS;
4944         }
4945
4946         return genlmsg_reply(msg, info);
4947 }
4948
4949 int cfg80211_check_station_change(struct wiphy *wiphy,
4950                                   struct station_parameters *params,
4951                                   enum cfg80211_station_type statype)
4952 {
4953         if (params->listen_interval != -1 &&
4954             statype != CFG80211_STA_AP_CLIENT_UNASSOC)
4955                 return -EINVAL;
4956
4957         if (params->support_p2p_ps != -1 &&
4958             statype != CFG80211_STA_AP_CLIENT_UNASSOC)
4959                 return -EINVAL;
4960
4961         if (params->aid &&
4962             !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
4963             statype != CFG80211_STA_AP_CLIENT_UNASSOC)
4964                 return -EINVAL;
4965
4966         /* When you run into this, adjust the code below for the new flag */
4967         BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
4968
4969         switch (statype) {
4970         case CFG80211_STA_MESH_PEER_KERNEL:
4971         case CFG80211_STA_MESH_PEER_USER:
4972                 /*
4973                  * No ignoring the TDLS flag here -- the userspace mesh
4974                  * code doesn't have the bug of including TDLS in the
4975                  * mask everywhere.
4976                  */
4977                 if (params->sta_flags_mask &
4978                                 ~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
4979                                   BIT(NL80211_STA_FLAG_MFP) |
4980                                   BIT(NL80211_STA_FLAG_AUTHORIZED)))
4981                         return -EINVAL;
4982                 break;
4983         case CFG80211_STA_TDLS_PEER_SETUP:
4984         case CFG80211_STA_TDLS_PEER_ACTIVE:
4985                 if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
4986                         return -EINVAL;
4987                 /* ignore since it can't change */
4988                 params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
4989                 break;
4990         default:
4991                 /* disallow mesh-specific things */
4992                 if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
4993                         return -EINVAL;
4994                 if (params->local_pm)
4995                         return -EINVAL;
4996                 if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
4997                         return -EINVAL;
4998         }
4999
5000         if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
5001             statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
5002                 /* TDLS can't be set, ... */
5003                 if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
5004                         return -EINVAL;
5005                 /*
5006                  * ... but don't bother the driver with it. This works around
5007                  * a hostapd/wpa_supplicant issue -- it always includes the
5008                  * TLDS_PEER flag in the mask even for AP mode.
5009                  */
5010                 params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
5011         }
5012
5013         if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
5014             statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
5015                 /* reject other things that can't change */
5016                 if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
5017                         return -EINVAL;
5018                 if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
5019                         return -EINVAL;
5020                 if (params->supported_rates)
5021                         return -EINVAL;
5022                 if (params->ext_capab || params->ht_capa || params->vht_capa ||
5023                     params->he_capa)
5024                         return -EINVAL;
5025         }
5026
5027         if (statype != CFG80211_STA_AP_CLIENT &&
5028             statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
5029                 if (params->vlan)
5030                         return -EINVAL;
5031         }
5032
5033         switch (statype) {
5034         case CFG80211_STA_AP_MLME_CLIENT:
5035                 /* Use this only for authorizing/unauthorizing a station */
5036                 if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
5037                         return -EOPNOTSUPP;
5038                 break;
5039         case CFG80211_STA_AP_CLIENT:
5040         case CFG80211_STA_AP_CLIENT_UNASSOC:
5041                 /* accept only the listed bits */
5042                 if (params->sta_flags_mask &
5043                                 ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
5044                                   BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5045                                   BIT(NL80211_STA_FLAG_ASSOCIATED) |
5046                                   BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
5047                                   BIT(NL80211_STA_FLAG_WME) |
5048                                   BIT(NL80211_STA_FLAG_MFP)))
5049                         return -EINVAL;
5050
5051                 /* but authenticated/associated only if driver handles it */
5052                 if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
5053                     params->sta_flags_mask &
5054                                 (BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5055                                  BIT(NL80211_STA_FLAG_ASSOCIATED)))
5056                         return -EINVAL;
5057                 break;
5058         case CFG80211_STA_IBSS:
5059         case CFG80211_STA_AP_STA:
5060                 /* reject any changes other than AUTHORIZED */
5061                 if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
5062                         return -EINVAL;
5063                 break;
5064         case CFG80211_STA_TDLS_PEER_SETUP:
5065                 /* reject any changes other than AUTHORIZED or WME */
5066                 if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
5067                                                BIT(NL80211_STA_FLAG_WME)))
5068                         return -EINVAL;
5069                 /* force (at least) rates when authorizing */
5070                 if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
5071                     !params->supported_rates)
5072                         return -EINVAL;
5073                 break;
5074         case CFG80211_STA_TDLS_PEER_ACTIVE:
5075                 /* reject any changes */
5076                 return -EINVAL;
5077         case CFG80211_STA_MESH_PEER_KERNEL:
5078                 if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
5079                         return -EINVAL;
5080                 break;
5081         case CFG80211_STA_MESH_PEER_USER:
5082                 if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
5083                     params->plink_action != NL80211_PLINK_ACTION_BLOCK)
5084                         return -EINVAL;
5085                 break;
5086         }
5087
5088         /*
5089          * Older kernel versions ignored this attribute entirely, so don't
5090          * reject attempts to update it but mark it as unused instead so the
5091          * driver won't look at the data.
5092          */
5093         if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
5094             statype != CFG80211_STA_TDLS_PEER_SETUP)
5095                 params->opmode_notif_used = false;
5096
5097         return 0;
5098 }
5099 EXPORT_SYMBOL(cfg80211_check_station_change);
5100
5101 /*
5102  * Get vlan interface making sure it is running and on the right wiphy.
5103  */
5104 static struct net_device *get_vlan(struct genl_info *info,
5105                                    struct cfg80211_registered_device *rdev)
5106 {
5107         struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
5108         struct net_device *v;
5109         int ret;
5110
5111         if (!vlanattr)
5112                 return NULL;
5113
5114         v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
5115         if (!v)
5116                 return ERR_PTR(-ENODEV);
5117
5118         if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
5119                 ret = -EINVAL;
5120                 goto error;
5121         }
5122
5123         if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
5124             v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5125             v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
5126                 ret = -EINVAL;
5127                 goto error;
5128         }
5129
5130         if (!netif_running(v)) {
5131                 ret = -ENETDOWN;
5132                 goto error;
5133         }
5134
5135         return v;
5136  error:
5137         dev_put(v);
5138         return ERR_PTR(ret);
5139 }
5140
5141 static const struct nla_policy
5142 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
5143         [NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
5144         [NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
5145 };
5146
5147 static int nl80211_parse_sta_wme(struct genl_info *info,
5148                                  struct station_parameters *params)
5149 {
5150         struct nlattr *tb[NL80211_STA_WME_MAX + 1];
5151         struct nlattr *nla;
5152         int err;
5153
5154         /* parse WME attributes if present */
5155         if (!info->attrs[NL80211_ATTR_STA_WME])
5156                 return 0;
5157
5158         nla = info->attrs[NL80211_ATTR_STA_WME];
5159         err = nla_parse_nested(tb, NL80211_STA_WME_MAX, nla,
5160                                nl80211_sta_wme_policy, info->extack);
5161         if (err)
5162                 return err;
5163
5164         if (tb[NL80211_STA_WME_UAPSD_QUEUES])
5165                 params->uapsd_queues = nla_get_u8(
5166                         tb[NL80211_STA_WME_UAPSD_QUEUES]);
5167         if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
5168                 return -EINVAL;
5169
5170         if (tb[NL80211_STA_WME_MAX_SP])
5171                 params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
5172
5173         if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
5174                 return -EINVAL;
5175
5176         params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
5177
5178         return 0;
5179 }
5180
5181 static int nl80211_parse_sta_channel_info(struct genl_info *info,
5182                                       struct station_parameters *params)
5183 {
5184         if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
5185                 params->supported_channels =
5186                      nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
5187                 params->supported_channels_len =
5188                      nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
5189                 /*
5190                  * Need to include at least one (first channel, number of
5191                  * channels) tuple for each subband, and must have proper
5192                  * tuples for the rest of the data as well.
5193                  */
5194                 if (params->supported_channels_len < 2)
5195                         return -EINVAL;
5196                 if (params->supported_channels_len % 2)
5197                         return -EINVAL;
5198         }
5199
5200         if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
5201                 params->supported_oper_classes =
5202                  nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
5203                 params->supported_oper_classes_len =
5204                   nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
5205                 /*
5206                  * The value of the Length field of the Supported Operating
5207                  * Classes element is between 2 and 253.
5208                  */
5209                 if (params->supported_oper_classes_len < 2 ||
5210                     params->supported_oper_classes_len > 253)
5211                         return -EINVAL;
5212         }
5213         return 0;
5214 }
5215
5216 static int nl80211_set_station_tdls(struct genl_info *info,
5217                                     struct station_parameters *params)
5218 {
5219         int err;
5220         /* Dummy STA entry gets updated once the peer capabilities are known */
5221         if (info->attrs[NL80211_ATTR_PEER_AID])
5222                 params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
5223         if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
5224                 params->ht_capa =
5225                         nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
5226         if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
5227                 params->vht_capa =
5228                         nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
5229         if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
5230                 params->he_capa =
5231                         nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
5232                 params->he_capa_len =
5233                         nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
5234
5235                 if (params->he_capa_len < NL80211_HE_MIN_CAPABILITY_LEN)
5236                         return -EINVAL;
5237         }
5238
5239         err = nl80211_parse_sta_channel_info(info, params);
5240         if (err)
5241                 return err;
5242
5243         return nl80211_parse_sta_wme(info, params);
5244 }
5245
5246 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
5247 {
5248         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5249         struct net_device *dev = info->user_ptr[1];
5250         struct station_parameters params;
5251         u8 *mac_addr;
5252         int err;
5253
5254         memset(&params, 0, sizeof(params));
5255
5256         if (!rdev->ops->change_station)
5257                 return -EOPNOTSUPP;
5258
5259         /*
5260          * AID and listen_interval properties can be set only for unassociated
5261          * station. Include these parameters here and will check them in
5262          * cfg80211_check_station_change().
5263          */
5264         if (info->attrs[NL80211_ATTR_STA_AID])
5265                 params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
5266
5267         if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
5268                 params.listen_interval =
5269                      nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
5270         else
5271                 params.listen_interval = -1;
5272
5273         if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
5274                 u8 tmp;
5275
5276                 tmp = nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
5277                 if (tmp >= NUM_NL80211_P2P_PS_STATUS)
5278                         return -EINVAL;
5279
5280                 params.support_p2p_ps = tmp;
5281         } else {
5282                 params.support_p2p_ps = -1;
5283         }
5284
5285         if (!info->attrs[NL80211_ATTR_MAC])
5286                 return -EINVAL;
5287
5288         mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5289
5290         if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
5291                 params.supported_rates =
5292                         nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
5293                 params.supported_rates_len =
5294                         nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
5295         }
5296
5297         if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
5298                 params.capability =
5299                         nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
5300                 params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
5301         }
5302
5303         if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
5304                 params.ext_capab =
5305                         nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
5306                 params.ext_capab_len =
5307                         nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
5308         }
5309
5310         if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
5311                 return -EINVAL;
5312
5313         if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION]) {
5314                 params.plink_action =
5315                         nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
5316                 if (params.plink_action >= NUM_NL80211_PLINK_ACTIONS)
5317                         return -EINVAL;
5318         }
5319
5320         if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
5321                 params.plink_state =
5322                         nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
5323                 if (params.plink_state >= NUM_NL80211_PLINK_STATES)
5324                         return -EINVAL;
5325                 if (info->attrs[NL80211_ATTR_MESH_PEER_AID]) {
5326                         params.peer_aid = nla_get_u16(
5327                                 info->attrs[NL80211_ATTR_MESH_PEER_AID]);
5328                         if (params.peer_aid > IEEE80211_MAX_AID)
5329                                 return -EINVAL;
5330                 }
5331                 params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
5332         }
5333
5334         if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]) {
5335                 enum nl80211_mesh_power_mode pm = nla_get_u32(
5336                         info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
5337
5338                 if (pm <= NL80211_MESH_POWER_UNKNOWN ||
5339                     pm > NL80211_MESH_POWER_MAX)
5340                         return -EINVAL;
5341
5342                 params.local_pm = pm;
5343         }
5344
5345         if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
5346                 params.opmode_notif_used = true;
5347                 params.opmode_notif =
5348                         nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
5349         }
5350
5351         /* Include parameters for TDLS peer (will check later) */
5352         err = nl80211_set_station_tdls(info, &params);
5353         if (err)
5354                 return err;
5355
5356         params.vlan = get_vlan(info, rdev);
5357         if (IS_ERR(params.vlan))
5358                 return PTR_ERR(params.vlan);
5359
5360         switch (dev->ieee80211_ptr->iftype) {
5361         case NL80211_IFTYPE_AP:
5362         case NL80211_IFTYPE_AP_VLAN:
5363         case NL80211_IFTYPE_P2P_GO:
5364         case NL80211_IFTYPE_P2P_CLIENT:
5365         case NL80211_IFTYPE_STATION:
5366         case NL80211_IFTYPE_ADHOC:
5367         case NL80211_IFTYPE_MESH_POINT:
5368                 break;
5369         default:
5370                 err = -EOPNOTSUPP;
5371                 goto out_put_vlan;
5372         }
5373
5374         /* driver will call cfg80211_check_station_change() */
5375         err = rdev_change_station(rdev, dev, mac_addr, &params);
5376
5377  out_put_vlan:
5378         if (params.vlan)
5379                 dev_put(params.vlan);
5380
5381         return err;
5382 }
5383
5384 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
5385 {
5386         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5387         int err;
5388         struct net_device *dev = info->user_ptr[1];
5389         struct station_parameters params;
5390         u8 *mac_addr = NULL;
5391         u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5392                          BIT(NL80211_STA_FLAG_ASSOCIATED);
5393
5394         memset(&params, 0, sizeof(params));
5395
5396         if (!rdev->ops->add_station)
5397                 return -EOPNOTSUPP;
5398
5399         if (!info->attrs[NL80211_ATTR_MAC])
5400                 return -EINVAL;
5401
5402         if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
5403                 return -EINVAL;
5404
5405         if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
5406                 return -EINVAL;
5407
5408         if (!info->attrs[NL80211_ATTR_STA_AID] &&
5409             !info->attrs[NL80211_ATTR_PEER_AID])
5410                 return -EINVAL;
5411
5412         mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5413         params.supported_rates =
5414                 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
5415         params.supported_rates_len =
5416                 nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
5417         params.listen_interval =
5418                 nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
5419
5420         if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
5421                 u8 tmp;
5422
5423                 tmp = nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
5424                 if (tmp >= NUM_NL80211_P2P_PS_STATUS)
5425                         return -EINVAL;
5426
5427                 params.support_p2p_ps = tmp;
5428         } else {
5429                 /*
5430                  * if not specified, assume it's supported for P2P GO interface,
5431                  * and is NOT supported for AP interface
5432                  */
5433                 params.support_p2p_ps =
5434                         dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO;
5435         }
5436
5437         if (info->attrs[NL80211_ATTR_PEER_AID])
5438                 params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
5439         else
5440                 params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
5441         if (!params.aid || params.aid > IEEE80211_MAX_AID)
5442                 return -EINVAL;
5443
5444         if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
5445                 params.capability =
5446                         nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
5447                 params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
5448         }
5449
5450         if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
5451                 params.ext_capab =
5452                         nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
5453                 params.ext_capab_len =
5454                         nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
5455         }
5456
5457         if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
5458                 params.ht_capa =
5459                         nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
5460
5461         if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
5462                 params.vht_capa =
5463                         nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
5464
5465         if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
5466                 params.he_capa =
5467                         nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
5468                 params.he_capa_len =
5469                         nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
5470
5471                 /* max len is validated in nla policy */
5472                 if (params.he_capa_len < NL80211_HE_MIN_CAPABILITY_LEN)
5473                         return -EINVAL;
5474         }
5475
5476         if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
5477                 params.opmode_notif_used = true;
5478                 params.opmode_notif =
5479                         nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
5480         }
5481
5482         if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION]) {
5483                 params.plink_action =
5484                         nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
5485                 if (params.plink_action >= NUM_NL80211_PLINK_ACTIONS)
5486                         return -EINVAL;
5487         }
5488
5489         err = nl80211_parse_sta_channel_info(info, &params);
5490         if (err)
5491                 return err;
5492
5493         err = nl80211_parse_sta_wme(info, &params);
5494         if (err)
5495                 return err;
5496
5497         if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
5498                 return -EINVAL;
5499
5500         /* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
5501          * as userspace might just pass through the capabilities from the IEs
5502          * directly, rather than enforcing this restriction and returning an
5503          * error in this case.
5504          */
5505         if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
5506                 params.ht_capa = NULL;
5507                 params.vht_capa = NULL;
5508
5509                 /* HE requires WME */
5510                 if (params.he_capa_len)
5511                         return -EINVAL;
5512         }
5513
5514         /* When you run into this, adjust the code below for the new flag */
5515         BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
5516
5517         switch (dev->ieee80211_ptr->iftype) {
5518         case NL80211_IFTYPE_AP:
5519         case NL80211_IFTYPE_AP_VLAN:
5520         case NL80211_IFTYPE_P2P_GO:
5521                 /* ignore WME attributes if iface/sta is not capable */
5522                 if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
5523                     !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
5524                         params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
5525
5526                 /* TDLS peers cannot be added */
5527                 if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
5528                     info->attrs[NL80211_ATTR_PEER_AID])
5529                         return -EINVAL;
5530                 /* but don't bother the driver with it */
5531                 params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
5532
5533                 /* allow authenticated/associated only if driver handles it */
5534                 if (!(rdev->wiphy.features &
5535                                 NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
5536                     params.sta_flags_mask & auth_assoc)
5537                         return -EINVAL;
5538
5539                 /* Older userspace, or userspace wanting to be compatible with
5540                  * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
5541                  * and assoc flags in the mask, but assumes the station will be
5542                  * added as associated anyway since this was the required driver
5543                  * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
5544                  * introduced.
5545                  * In order to not bother drivers with this quirk in the API
5546                  * set the flags in both the mask and set for new stations in
5547                  * this case.
5548                  */
5549                 if (!(params.sta_flags_mask & auth_assoc)) {
5550                         params.sta_flags_mask |= auth_assoc;
5551                         params.sta_flags_set |= auth_assoc;
5552                 }
5553
5554                 /* must be last in here for error handling */
5555                 params.vlan = get_vlan(info, rdev);
5556                 if (IS_ERR(params.vlan))
5557                         return PTR_ERR(params.vlan);
5558                 break;
5559         case NL80211_IFTYPE_MESH_POINT:
5560                 /* ignore uAPSD data */
5561                 params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
5562
5563                 /* associated is disallowed */
5564                 if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
5565                         return -EINVAL;
5566                 /* TDLS peers cannot be added */
5567                 if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
5568                     info->attrs[NL80211_ATTR_PEER_AID])
5569                         return -EINVAL;
5570                 break;
5571         case NL80211_IFTYPE_STATION:
5572         case NL80211_IFTYPE_P2P_CLIENT:
5573                 /* ignore uAPSD data */
5574                 params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
5575
5576                 /* these are disallowed */
5577                 if (params.sta_flags_mask &
5578                                 (BIT(NL80211_STA_FLAG_ASSOCIATED) |
5579                                  BIT(NL80211_STA_FLAG_AUTHENTICATED)))
5580                         return -EINVAL;
5581                 /* Only TDLS peers can be added */
5582                 if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
5583                         return -EINVAL;
5584                 /* Can only add if TDLS ... */
5585                 if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
5586                         return -EOPNOTSUPP;
5587                 /* ... with external setup is supported */
5588                 if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
5589                         return -EOPNOTSUPP;
5590                 /*
5591                  * Older wpa_supplicant versions always mark the TDLS peer
5592                  * as authorized, but it shouldn't yet be.
5593                  */
5594                 params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
5595                 break;
5596         default:
5597                 return -EOPNOTSUPP;
5598         }
5599
5600         /* be aware of params.vlan when changing code here */
5601
5602         err = rdev_add_station(rdev, dev, mac_addr, &params);
5603
5604         if (params.vlan)
5605                 dev_put(params.vlan);
5606         return err;
5607 }
5608
5609 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
5610 {
5611         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5612         struct net_device *dev = info->user_ptr[1];
5613         struct station_del_parameters params;
5614
5615         memset(&params, 0, sizeof(params));
5616
5617         if (info->attrs[NL80211_ATTR_MAC])
5618                 params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
5619
5620         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5621             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
5622             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
5623             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5624                 return -EINVAL;
5625
5626         if (!rdev->ops->del_station)
5627                 return -EOPNOTSUPP;
5628
5629         if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
5630                 params.subtype =
5631                         nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
5632                 if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
5633                     params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
5634                         return -EINVAL;
5635         } else {
5636                 /* Default to Deauthentication frame */
5637                 params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
5638         }
5639
5640         if (info->attrs[NL80211_ATTR_REASON_CODE]) {
5641                 params.reason_code =
5642                         nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
5643                 if (params.reason_code == 0)
5644                         return -EINVAL; /* 0 is reserved */
5645         } else {
5646                 /* Default to reason code 2 */
5647                 params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
5648         }
5649
5650         return rdev_del_station(rdev, dev, &params);
5651 }
5652
5653 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
5654                                 int flags, struct net_device *dev,
5655                                 u8 *dst, u8 *next_hop,
5656                                 struct mpath_info *pinfo)
5657 {
5658         void *hdr;
5659         struct nlattr *pinfoattr;
5660
5661         hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
5662         if (!hdr)
5663                 return -1;
5664
5665         if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
5666             nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
5667             nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
5668             nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
5669                 goto nla_put_failure;
5670
5671         pinfoattr = nla_nest_start(msg, NL80211_ATTR_MPATH_INFO);
5672         if (!pinfoattr)
5673                 goto nla_put_failure;
5674         if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
5675             nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
5676                         pinfo->frame_qlen))
5677                 goto nla_put_failure;
5678         if (((pinfo->filled & MPATH_INFO_SN) &&
5679              nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
5680             ((pinfo->filled & MPATH_INFO_METRIC) &&
5681              nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
5682                          pinfo->metric)) ||
5683             ((pinfo->filled & MPATH_INFO_EXPTIME) &&
5684              nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
5685                          pinfo->exptime)) ||
5686             ((pinfo->filled & MPATH_INFO_FLAGS) &&
5687              nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
5688                         pinfo->flags)) ||
5689             ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
5690              nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
5691                          pinfo->discovery_timeout)) ||
5692             ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
5693              nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
5694                         pinfo->discovery_retries)))
5695                 goto nla_put_failure;
5696
5697         nla_nest_end(msg, pinfoattr);
5698
5699         genlmsg_end(msg, hdr);
5700         return 0;
5701
5702  nla_put_failure:
5703         genlmsg_cancel(msg, hdr);
5704         return -EMSGSIZE;
5705 }
5706
5707 static int nl80211_dump_mpath(struct sk_buff *skb,
5708                               struct netlink_callback *cb)
5709 {
5710         struct mpath_info pinfo;
5711         struct cfg80211_registered_device *rdev;
5712         struct wireless_dev *wdev;
5713         u8 dst[ETH_ALEN];
5714         u8 next_hop[ETH_ALEN];
5715         int path_idx = cb->args[2];
5716         int err;
5717
5718         rtnl_lock();
5719         err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
5720         if (err)
5721                 goto out_err;
5722
5723         if (!rdev->ops->dump_mpath) {
5724                 err = -EOPNOTSUPP;
5725                 goto out_err;
5726         }
5727
5728         if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
5729                 err = -EOPNOTSUPP;
5730                 goto out_err;
5731         }
5732
5733         while (1) {
5734                 err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
5735                                       next_hop, &pinfo);
5736                 if (err == -ENOENT)
5737                         break;
5738                 if (err)
5739                         goto out_err;
5740
5741                 if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
5742                                        cb->nlh->nlmsg_seq, NLM_F_MULTI,
5743                                        wdev->netdev, dst, next_hop,
5744                                        &pinfo) < 0)
5745                         goto out;
5746
5747                 path_idx++;
5748         }
5749
5750  out:
5751         cb->args[2] = path_idx;
5752         err = skb->len;
5753  out_err:
5754         rtnl_unlock();
5755         return err;
5756 }
5757
5758 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
5759 {
5760         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5761         int err;
5762         struct net_device *dev = info->user_ptr[1];
5763         struct mpath_info pinfo;
5764         struct sk_buff *msg;
5765         u8 *dst = NULL;
5766         u8 next_hop[ETH_ALEN];
5767
5768         memset(&pinfo, 0, sizeof(pinfo));
5769
5770         if (!info->attrs[NL80211_ATTR_MAC])
5771                 return -EINVAL;
5772
5773         dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
5774
5775         if (!rdev->ops->get_mpath)
5776                 return -EOPNOTSUPP;
5777
5778         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
5779                 return -EOPNOTSUPP;
5780
5781         err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
5782         if (err)
5783                 return err;
5784
5785         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5786         if (!msg)
5787                 return -ENOMEM;
5788
5789         if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
5790                                  dev, dst, next_hop, &pinfo) < 0) {
5791                 nlmsg_free(msg);
5792                 return -ENOBUFS;
5793         }
5794
5795         return genlmsg_reply(msg, info);
5796 }
5797
5798 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
5799 {
5800         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5801         struct net_device *dev = info->user_ptr[1];
5802         u8 *dst = NULL;
5803         u8 *next_hop = NULL;
5804
5805         if (!info->attrs[NL80211_ATTR_MAC])
5806                 return -EINVAL;
5807
5808         if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
5809                 return -EINVAL;
5810
5811         dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
5812         next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
5813
5814         if (!rdev->ops->change_mpath)
5815                 return -EOPNOTSUPP;
5816
5817         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
5818                 return -EOPNOTSUPP;
5819
5820         return rdev_change_mpath(rdev, dev, dst, next_hop);
5821 }
5822
5823 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
5824 {
5825         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5826         struct net_device *dev = info->user_ptr[1];
5827         u8 *dst = NULL;
5828         u8 *next_hop = NULL;
5829
5830         if (!info->attrs[NL80211_ATTR_MAC])
5831                 return -EINVAL;
5832
5833         if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
5834                 return -EINVAL;
5835
5836         dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
5837         next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
5838
5839         if (!rdev->ops->add_mpath)
5840                 return -EOPNOTSUPP;
5841
5842         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
5843                 return -EOPNOTSUPP;
5844
5845         return rdev_add_mpath(rdev, dev, dst, next_hop);
5846 }
5847
5848 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
5849 {
5850         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5851         struct net_device *dev = info->user_ptr[1];
5852         u8 *dst = NULL;
5853
5854         if (info->attrs[NL80211_ATTR_MAC])
5855                 dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
5856
5857         if (!rdev->ops->del_mpath)
5858                 return -EOPNOTSUPP;
5859
5860         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
5861                 return -EOPNOTSUPP;
5862
5863         return rdev_del_mpath(rdev, dev, dst);
5864 }
5865
5866 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
5867 {
5868         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5869         int err;
5870         struct net_device *dev = info->user_ptr[1];
5871         struct mpath_info pinfo;
5872         struct sk_buff *msg;
5873         u8 *dst = NULL;
5874         u8 mpp[ETH_ALEN];
5875
5876         memset(&pinfo, 0, sizeof(pinfo));
5877
5878         if (!info->attrs[NL80211_ATTR_MAC])
5879                 return -EINVAL;
5880
5881         dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
5882
5883         if (!rdev->ops->get_mpp)
5884                 return -EOPNOTSUPP;
5885
5886         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
5887                 return -EOPNOTSUPP;
5888
5889         err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
5890         if (err)
5891                 return err;
5892
5893         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5894         if (!msg)
5895                 return -ENOMEM;
5896
5897         if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
5898                                dev, dst, mpp, &pinfo) < 0) {
5899                 nlmsg_free(msg);
5900                 return -ENOBUFS;
5901         }
5902
5903         return genlmsg_reply(msg, info);
5904 }
5905
5906 static int nl80211_dump_mpp(struct sk_buff *skb,
5907                             struct netlink_callback *cb)
5908 {
5909         struct mpath_info pinfo;
5910         struct cfg80211_registered_device *rdev;
5911         struct wireless_dev *wdev;
5912         u8 dst[ETH_ALEN];
5913         u8 mpp[ETH_ALEN];
5914         int path_idx = cb->args[2];
5915         int err;
5916
5917         rtnl_lock();
5918         err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
5919         if (err)
5920                 goto out_err;
5921
5922         if (!rdev->ops->dump_mpp) {
5923                 err = -EOPNOTSUPP;
5924                 goto out_err;
5925         }
5926
5927         if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
5928                 err = -EOPNOTSUPP;
5929                 goto out_err;
5930         }
5931
5932         while (1) {
5933                 err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
5934                                     mpp, &pinfo);
5935                 if (err == -ENOENT)
5936                         break;
5937                 if (err)
5938                         goto out_err;
5939
5940                 if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
5941                                        cb->nlh->nlmsg_seq, NLM_F_MULTI,
5942                                        wdev->netdev, dst, mpp,
5943                                        &pinfo) < 0)
5944                         goto out;
5945
5946                 path_idx++;
5947         }
5948
5949  out:
5950         cb->args[2] = path_idx;
5951         err = skb->len;
5952  out_err:
5953         rtnl_unlock();
5954         return err;
5955 }
5956
5957 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
5958 {
5959         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5960         struct net_device *dev = info->user_ptr[1];
5961         struct wireless_dev *wdev = dev->ieee80211_ptr;
5962         struct bss_parameters params;
5963         int err;
5964
5965         memset(&params, 0, sizeof(params));
5966         /* default to not changing parameters */
5967         params.use_cts_prot = -1;
5968         params.use_short_preamble = -1;
5969         params.use_short_slot_time = -1;
5970         params.ap_isolate = -1;
5971         params.ht_opmode = -1;
5972         params.p2p_ctwindow = -1;
5973         params.p2p_opp_ps = -1;
5974
5975         if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
5976                 params.use_cts_prot =
5977                     nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
5978         if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
5979                 params.use_short_preamble =
5980                     nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
5981         if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
5982                 params.use_short_slot_time =
5983                     nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
5984         if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
5985                 params.basic_rates =
5986                         nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
5987                 params.basic_rates_len =
5988                         nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
5989         }
5990         if (info->attrs[NL80211_ATTR_AP_ISOLATE])
5991                 params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
5992         if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
5993                 params.ht_opmode =
5994                         nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
5995
5996         if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
5997                 if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5998                         return -EINVAL;
5999                 params.p2p_ctwindow =
6000                         nla_get_s8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
6001                 if (params.p2p_ctwindow < 0)
6002                         return -EINVAL;
6003                 if (params.p2p_ctwindow != 0 &&
6004                     !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
6005                         return -EINVAL;
6006         }
6007
6008         if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
6009                 u8 tmp;
6010
6011                 if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6012                         return -EINVAL;
6013                 tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
6014                 if (tmp > 1)
6015                         return -EINVAL;
6016                 params.p2p_opp_ps = tmp;
6017                 if (params.p2p_opp_ps &&
6018                     !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
6019                         return -EINVAL;
6020         }
6021
6022         if (!rdev->ops->change_bss)
6023                 return -EOPNOTSUPP;
6024
6025         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6026             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6027                 return -EOPNOTSUPP;
6028
6029         wdev_lock(wdev);
6030         err = rdev_change_bss(rdev, dev, &params);
6031         wdev_unlock(wdev);
6032
6033         return err;
6034 }
6035
6036 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
6037 {
6038         char *data = NULL;
6039         bool is_indoor;
6040         enum nl80211_user_reg_hint_type user_reg_hint_type;
6041         u32 owner_nlportid;
6042
6043         /*
6044          * You should only get this when cfg80211 hasn't yet initialized
6045          * completely when built-in to the kernel right between the time
6046          * window between nl80211_init() and regulatory_init(), if that is
6047          * even possible.
6048          */
6049         if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
6050                 return -EINPROGRESS;
6051
6052         if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
6053                 user_reg_hint_type =
6054                   nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
6055         else
6056                 user_reg_hint_type = NL80211_USER_REG_HINT_USER;
6057
6058         switch (user_reg_hint_type) {
6059         case NL80211_USER_REG_HINT_USER:
6060         case NL80211_USER_REG_HINT_CELL_BASE:
6061                 if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
6062                         return -EINVAL;
6063
6064                 data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
6065                 return regulatory_hint_user(data, user_reg_hint_type);
6066         case NL80211_USER_REG_HINT_INDOOR:
6067                 if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
6068                         owner_nlportid = info->snd_portid;
6069                         is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
6070                 } else {
6071                         owner_nlportid = 0;
6072                         is_indoor = true;
6073                 }
6074
6075                 return regulatory_hint_indoor(is_indoor, owner_nlportid);
6076         default:
6077                 return -EINVAL;
6078         }
6079 }
6080
6081 static int nl80211_reload_regdb(struct sk_buff *skb, struct genl_info *info)
6082 {
6083         return reg_reload_regdb();
6084 }
6085
6086 static int nl80211_get_mesh_config(struct sk_buff *skb,
6087                                    struct genl_info *info)
6088 {
6089         struct cfg80211_registered_device *rdev = info->user_ptr[0];
6090         struct net_device *dev = info->user_ptr[1];
6091         struct wireless_dev *wdev = dev->ieee80211_ptr;
6092         struct mesh_config cur_params;
6093         int err = 0;
6094         void *hdr;
6095         struct nlattr *pinfoattr;
6096         struct sk_buff *msg;
6097
6098         if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
6099                 return -EOPNOTSUPP;
6100
6101         if (!rdev->ops->get_mesh_config)
6102                 return -EOPNOTSUPP;
6103
6104         wdev_lock(wdev);
6105         /* If not connected, get default parameters */
6106         if (!wdev->mesh_id_len)
6107                 memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
6108         else
6109                 err = rdev_get_mesh_config(rdev, dev, &cur_params);
6110         wdev_unlock(wdev);
6111
6112         if (err)
6113                 return err;
6114
6115         /* Draw up a netlink message to send back */
6116         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6117         if (!msg)
6118                 return -ENOMEM;
6119         hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
6120                              NL80211_CMD_GET_MESH_CONFIG);
6121         if (!hdr)
6122                 goto out;
6123         pinfoattr = nla_nest_start(msg, NL80211_ATTR_MESH_CONFIG);
6124         if (!pinfoattr)
6125                 goto nla_put_failure;
6126         if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
6127             nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
6128                         cur_params.dot11MeshRetryTimeout) ||
6129             nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
6130                         cur_params.dot11MeshConfirmTimeout) ||
6131             nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
6132                         cur_params.dot11MeshHoldingTimeout) ||
6133             nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
6134                         cur_params.dot11MeshMaxPeerLinks) ||
6135             nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
6136                        cur_params.dot11MeshMaxRetries) ||
6137             nla_put_u8(msg, NL80211_MESHCONF_TTL,
6138                        cur_params.dot11MeshTTL) ||
6139             nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
6140                        cur_params.element_ttl) ||
6141             nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
6142                        cur_params.auto_open_plinks) ||
6143             nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
6144                         cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
6145             nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
6146                        cur_params.dot11MeshHWMPmaxPREQretries) ||
6147             nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
6148                         cur_params.path_refresh_time) ||
6149             nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
6150                         cur_params.min_discovery_timeout) ||
6151             nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
6152                         cur_params.dot11MeshHWMPactivePathTimeout) ||
6153             nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
6154                         cur_params.dot11MeshHWMPpreqMinInterval) ||
6155             nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
6156                         cur_params.dot11MeshHWMPperrMinInterval) ||
6157             nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
6158                         cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
6159             nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
6160                        cur_params.dot11MeshHWMPRootMode) ||
6161             nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
6162                         cur_params.dot11MeshHWMPRannInterval) ||
6163             nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
6164                        cur_params.dot11MeshGateAnnouncementProtocol) ||
6165             nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
6166                        cur_params.dot11MeshForwarding) ||
6167             nla_put_s32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
6168                         cur_params.rssi_threshold) ||
6169             nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
6170                         cur_params.ht_opmode) ||
6171             nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
6172                         cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
6173             nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
6174                         cur_params.dot11MeshHWMProotInterval) ||
6175             nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
6176                         cur_params.dot11MeshHWMPconfirmationInterval) ||
6177             nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
6178                         cur_params.power_mode) ||
6179             nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
6180                         cur_params.dot11MeshAwakeWindowDuration) ||
6181             nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
6182                         cur_params.plink_timeout))
6183                 goto nla_put_failure;
6184         nla_nest_end(msg, pinfoattr);
6185         genlmsg_end(msg, hdr);
6186         return genlmsg_reply(msg, info);
6187
6188  nla_put_failure:
6189  out:
6190         nlmsg_free(msg);
6191         return -ENOBUFS;
6192 }
6193
6194 static const struct nla_policy nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
6195         [NL80211_MESHCONF_RETRY_TIMEOUT] = { .type = NLA_U16 },
6196         [NL80211_MESHCONF_CONFIRM_TIMEOUT] = { .type = NLA_U16 },
6197         [NL80211_MESHCONF_HOLDING_TIMEOUT] = { .type = NLA_U16 },
6198         [NL80211_MESHCONF_MAX_PEER_LINKS] = { .type = NLA_U16 },
6199         [NL80211_MESHCONF_MAX_RETRIES] = { .type = NLA_U8 },
6200         [NL80211_MESHCONF_TTL] = { .type = NLA_U8 },
6201         [NL80211_MESHCONF_ELEMENT_TTL] = { .type = NLA_U8 },
6202         [NL80211_MESHCONF_AUTO_OPEN_PLINKS] = { .type = NLA_U8 },
6203         [NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] = { .type = NLA_U32 },
6204         [NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
6205         [NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
6206         [NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = { .type = NLA_U16 },
6207         [NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
6208         [NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] = { .type = NLA_U16 },
6209         [NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] = { .type = NLA_U16 },
6210         [NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] = { .type = NLA_U16 },
6211         [NL80211_MESHCONF_HWMP_ROOTMODE] = { .type = NLA_U8 },
6212         [NL80211_MESHCONF_HWMP_RANN_INTERVAL] = { .type = NLA_U16 },
6213         [NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = { .type = NLA_U8 },
6214         [NL80211_MESHCONF_FORWARDING] = { .type = NLA_U8 },
6215         [NL80211_MESHCONF_RSSI_THRESHOLD] = { .type = NLA_U32 },
6216         [NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
6217         [NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
6218         [NL80211_MESHCONF_HWMP_ROOT_INTERVAL] = { .type = NLA_U16 },
6219         [NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] = { .type = NLA_U16 },
6220         [NL80211_MESHCONF_POWER_MODE] = { .type = NLA_U32 },
6221         [NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
6222         [NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
6223 };
6224
6225 static const struct nla_policy
6226         nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
6227         [NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
6228         [NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
6229         [NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
6230         [NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
6231         [NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
6232         [NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
6233         [NL80211_MESH_SETUP_IE] = { .type = NLA_BINARY,
6234                                     .len = IEEE80211_MAX_DATA_LEN },
6235         [NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
6236 };
6237
6238 static int nl80211_check_bool(const struct nlattr *nla, u8 min, u8 max, bool *out)
6239 {
6240         u8 val = nla_get_u8(nla);
6241         if (val < min || val > max)
6242                 return -EINVAL;
6243         *out = val;
6244         return 0;
6245 }
6246
6247 static int nl80211_check_u8(const struct nlattr *nla, u8 min, u8 max, u8 *out)
6248 {
6249         u8 val = nla_get_u8(nla);
6250         if (val < min || val > max)
6251                 return -EINVAL;
6252         *out = val;
6253         return 0;
6254 }
6255
6256 static int nl80211_check_u16(const struct nlattr *nla, u16 min, u16 max, u16 *out)
6257 {
6258         u16 val = nla_get_u16(nla);
6259         if (val < min || val > max)
6260                 return -EINVAL;
6261         *out = val;
6262         return 0;
6263 }
6264
6265 static int nl80211_check_u32(const struct nlattr *nla, u32 min, u32 max, u32 *out)
6266 {
6267         u32 val = nla_get_u32(nla);
6268         if (val < min || val > max)
6269                 return -EINVAL;
6270         *out = val;
6271         return 0;
6272 }
6273
6274 static int nl80211_check_s32(const struct nlattr *nla, s32 min, s32 max, s32 *out)
6275 {
6276         s32 val = nla_get_s32(nla);
6277         if (val < min || val > max)
6278                 return -EINVAL;
6279         *out = val;
6280         return 0;
6281 }
6282
6283 static int nl80211_check_power_mode(const struct nlattr *nla,
6284                                     enum nl80211_mesh_power_mode min,
6285                                     enum nl80211_mesh_power_mode max,
6286                                     enum nl80211_mesh_power_mode *out)
6287 {
6288         u32 val = nla_get_u32(nla);
6289         if (val < min || val > max)
6290                 return -EINVAL;
6291         *out = val;
6292         return 0;
6293 }
6294
6295 static int nl80211_parse_mesh_config(struct genl_info *info,
6296                                      struct mesh_config *cfg,
6297                                      u32 *mask_out)
6298 {
6299         struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
6300         u32 mask = 0;
6301         u16 ht_opmode;
6302
6303 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, min, max, mask, attr, fn) \
6304 do {                                                                        \
6305         if (tb[attr]) {                                                     \
6306                 if (fn(tb[attr], min, max, &cfg->param))                    \
6307                         return -EINVAL;                                     \
6308                 mask |= (1 << (attr - 1));                                  \
6309         }                                                                   \
6310 } while (0)
6311
6312         if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
6313                 return -EINVAL;
6314         if (nla_parse_nested(tb, NL80211_MESHCONF_ATTR_MAX,
6315                              info->attrs[NL80211_ATTR_MESH_CONFIG],
6316                              nl80211_meshconf_params_policy, info->extack))
6317                 return -EINVAL;
6318
6319         /* This makes sure that there aren't more than 32 mesh config
6320          * parameters (otherwise our bitfield scheme would not work.) */
6321         BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
6322
6323         /* Fill in the params struct */
6324         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, 1, 255,
6325                                   mask, NL80211_MESHCONF_RETRY_TIMEOUT,
6326                                   nl80211_check_u16);
6327         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, 1, 255,
6328                                   mask, NL80211_MESHCONF_CONFIRM_TIMEOUT,
6329                                   nl80211_check_u16);
6330         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, 1, 255,
6331                                   mask, NL80211_MESHCONF_HOLDING_TIMEOUT,
6332                                   nl80211_check_u16);
6333         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, 0, 255,
6334                                   mask, NL80211_MESHCONF_MAX_PEER_LINKS,
6335                                   nl80211_check_u16);
6336         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, 0, 16,
6337                                   mask, NL80211_MESHCONF_MAX_RETRIES,
6338                                   nl80211_check_u8);
6339         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, 1, 255,
6340                                   mask, NL80211_MESHCONF_TTL, nl80211_check_u8);
6341         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, 1, 255,
6342                                   mask, NL80211_MESHCONF_ELEMENT_TTL,
6343                                   nl80211_check_u8);
6344         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, 0, 1,
6345                                   mask, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
6346                                   nl80211_check_bool);
6347         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
6348                                   1, 255, mask,
6349                                   NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
6350                                   nl80211_check_u32);
6351         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, 0, 255,
6352                                   mask, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
6353                                   nl80211_check_u8);
6354         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, 1, 65535,
6355                                   mask, NL80211_MESHCONF_PATH_REFRESH_TIME,
6356                                   nl80211_check_u32);
6357         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, 1, 65535,
6358                                   mask, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
6359                                   nl80211_check_u16);
6360         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
6361                                   1, 65535, mask,
6362                                   NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
6363                                   nl80211_check_u32);
6364         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval,
6365                                   1, 65535, mask,
6366                                   NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
6367                                   nl80211_check_u16);
6368         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval,
6369                                   1, 65535, mask,
6370                                   NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
6371                                   nl80211_check_u16);
6372         FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
6373                                   dot11MeshHWMPnetDiameterTraversalTime,
6374                                   1, 65535, mask,
6375                                   NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
6376                                   nl80211_check_u16);
6377         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, 0, 4,
6378                                   mask, NL80211_MESHCONF_HWMP_ROOTMODE,
6379                                   nl80211_check_u8);
6380         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, 1, 65535,
6381                                   mask, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
6382                                   nl80211_check_u16);
6383         FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
6384                                   dot11MeshGateAnnouncementProtocol, 0, 1,
6385                                   mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
6386                                   nl80211_check_bool);
6387         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, 0, 1,
6388                                   mask, NL80211_MESHCONF_FORWARDING,
6389                                   nl80211_check_bool);
6390         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, -255, 0,
6391                                   mask, NL80211_MESHCONF_RSSI_THRESHOLD,
6392                                   nl80211_check_s32);
6393         /*
6394          * Check HT operation mode based on
6395          * IEEE 802.11-2016 9.4.2.57 HT Operation element.
6396          */
6397         if (tb[NL80211_MESHCONF_HT_OPMODE]) {
6398                 ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
6399
6400                 if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
6401                                   IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
6402                                   IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
6403                         return -EINVAL;
6404
6405                 /* NON_HT_STA bit is reserved, but some programs set it */
6406                 ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT;
6407
6408                 cfg->ht_opmode = ht_opmode;
6409                 mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
6410         }
6411         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathToRootTimeout,
6412                                   1, 65535, mask,
6413                                   NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
6414                                   nl80211_check_u32);
6415         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, 1, 65535,
6416                                   mask, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
6417                                   nl80211_check_u16);
6418         FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
6419                                   dot11MeshHWMPconfirmationInterval,
6420                                   1, 65535, mask,
6421                                   NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
6422                                   nl80211_check_u16);
6423         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode,
6424                                   NL80211_MESH_POWER_ACTIVE,
6425                                   NL80211_MESH_POWER_MAX,
6426                                   mask, NL80211_MESHCONF_POWER_MODE,
6427                                   nl80211_check_power_mode);
6428         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration,
6429                                   0, 65535, mask,
6430                                   NL80211_MESHCONF_AWAKE_WINDOW, nl80211_check_u16);
6431         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, 0, 0xffffffff,
6432                                   mask, NL80211_MESHCONF_PLINK_TIMEOUT,
6433                                   nl80211_check_u32);
6434         if (mask_out)
6435                 *mask_out = mask;
6436
6437         return 0;
6438
6439 #undef FILL_IN_MESH_PARAM_IF_SET
6440 }
6441
6442 static int nl80211_parse_mesh_setup(struct genl_info *info,
6443                                      struct mesh_setup *setup)
6444 {
6445         struct cfg80211_registered_device *rdev = info->user_ptr[0];
6446         struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
6447
6448         if (!info->attrs[NL80211_ATTR_MESH_SETUP])
6449                 return -EINVAL;
6450         if (nla_parse_nested(tb, NL80211_MESH_SETUP_ATTR_MAX,
6451                              info->attrs[NL80211_ATTR_MESH_SETUP],
6452                              nl80211_mesh_setup_params_policy, info->extack))
6453                 return -EINVAL;
6454
6455         if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
6456                 setup->sync_method =
6457                 (nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
6458                  IEEE80211_SYNC_METHOD_VENDOR :
6459                  IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
6460
6461         if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
6462                 setup->path_sel_proto =
6463                 (nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
6464                  IEEE80211_PATH_PROTOCOL_VENDOR :
6465                  IEEE80211_PATH_PROTOCOL_HWMP;
6466
6467         if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
6468                 setup->path_metric =
6469                 (nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
6470                  IEEE80211_PATH_METRIC_VENDOR :
6471                  IEEE80211_PATH_METRIC_AIRTIME;
6472
6473         if (tb[NL80211_MESH_SETUP_IE]) {
6474                 struct nlattr *ieattr =
6475                         tb[NL80211_MESH_SETUP_IE];
6476                 if (!is_valid_ie_attr(ieattr))
6477                         return -EINVAL;
6478                 setup->ie = nla_data(ieattr);
6479                 setup->ie_len = nla_len(ieattr);
6480         }
6481         if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
6482             !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
6483                 return -EINVAL;
6484         setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
6485         setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
6486         setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
6487         if (setup->is_secure)
6488                 setup->user_mpm = true;
6489
6490         if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
6491                 if (!setup->user_mpm)
6492                         return -EINVAL;
6493                 setup->auth_id =
6494                         nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
6495         }
6496
6497         return 0;
6498 }
6499
6500 static int nl80211_update_mesh_config(struct sk_buff *skb,
6501                                       struct genl_info *info)
6502 {
6503         struct cfg80211_registered_device *rdev = info->user_ptr[0];
6504         struct net_device *dev = info->user_ptr[1];
6505         struct wireless_dev *wdev = dev->ieee80211_ptr;
6506         struct mesh_config cfg;
6507         u32 mask;
6508         int err;
6509
6510         if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
6511                 return -EOPNOTSUPP;
6512
6513         if (!rdev->ops->update_mesh_config)
6514                 return -EOPNOTSUPP;
6515
6516         err = nl80211_parse_mesh_config(info, &cfg, &mask);
6517         if (err)
6518                 return err;
6519
6520         wdev_lock(wdev);
6521         if (!wdev->mesh_id_len)
6522                 err = -ENOLINK;
6523
6524         if (!err)
6525                 err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
6526
6527         wdev_unlock(wdev);
6528
6529         return err;
6530 }
6531
6532 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
6533                               struct sk_buff *msg)
6534 {
6535         struct nlattr *nl_reg_rules;
6536         unsigned int i;
6537
6538         if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
6539             (regdom->dfs_region &&
6540              nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
6541                 goto nla_put_failure;
6542
6543         nl_reg_rules = nla_nest_start(msg, NL80211_ATTR_REG_RULES);
6544         if (!nl_reg_rules)
6545                 goto nla_put_failure;
6546
6547         for (i = 0; i < regdom->n_reg_rules; i++) {
6548                 struct nlattr *nl_reg_rule;
6549                 const struct ieee80211_reg_rule *reg_rule;
6550                 const struct ieee80211_freq_range *freq_range;
6551                 const struct ieee80211_power_rule *power_rule;
6552                 unsigned int max_bandwidth_khz;
6553
6554                 reg_rule = &regdom->reg_rules[i];
6555                 freq_range = &reg_rule->freq_range;
6556                 power_rule = &reg_rule->power_rule;
6557
6558                 nl_reg_rule = nla_nest_start(msg, i);
6559                 if (!nl_reg_rule)
6560                         goto nla_put_failure;
6561
6562                 max_bandwidth_khz = freq_range->max_bandwidth_khz;
6563                 if (!max_bandwidth_khz)
6564                         max_bandwidth_khz = reg_get_max_bandwidth(regdom,
6565                                                                   reg_rule);
6566
6567                 if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
6568                                 reg_rule->flags) ||
6569                     nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
6570                                 freq_range->start_freq_khz) ||
6571                     nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
6572                                 freq_range->end_freq_khz) ||
6573                     nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
6574                                 max_bandwidth_khz) ||
6575                     nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
6576                                 power_rule->max_antenna_gain) ||
6577                     nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
6578                                 power_rule->max_eirp) ||
6579                     nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
6580                                 reg_rule->dfs_cac_ms))
6581                         goto nla_put_failure;
6582
6583                 nla_nest_end(msg, nl_reg_rule);
6584         }
6585
6586         nla_nest_end(msg, nl_reg_rules);
6587         return 0;
6588
6589 nla_put_failure:
6590         return -EMSGSIZE;
6591 }
6592
6593 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
6594 {
6595         const struct ieee80211_regdomain *regdom = NULL;
6596         struct cfg80211_registered_device *rdev;
6597         struct wiphy *wiphy = NULL;
6598         struct sk_buff *msg;
6599         void *hdr;
6600
6601         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6602         if (!msg)
6603                 return -ENOBUFS;
6604
6605         hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
6606                              NL80211_CMD_GET_REG);
6607         if (!hdr)
6608                 goto put_failure;
6609
6610         if (info->attrs[NL80211_ATTR_WIPHY]) {
6611                 bool self_managed;
6612
6613                 rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
6614                 if (IS_ERR(rdev)) {
6615                         nlmsg_free(msg);
6616                         return PTR_ERR(rdev);
6617                 }
6618
6619                 wiphy = &rdev->wiphy;
6620                 self_managed = wiphy->regulatory_flags &
6621                                REGULATORY_WIPHY_SELF_MANAGED;
6622                 regdom = get_wiphy_regdom(wiphy);
6623
6624                 /* a self-managed-reg device must have a private regdom */
6625                 if (WARN_ON(!regdom && self_managed)) {
6626                         nlmsg_free(msg);
6627                         return -EINVAL;
6628                 }
6629
6630                 if (regdom &&
6631                     nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
6632                         goto nla_put_failure;
6633         }
6634
6635         if (!wiphy && reg_last_request_cell_base() &&
6636             nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
6637                         NL80211_USER_REG_HINT_CELL_BASE))
6638                 goto nla_put_failure;
6639
6640         rcu_read_lock();
6641
6642         if (!regdom)
6643                 regdom = rcu_dereference(cfg80211_regdomain);
6644
6645         if (nl80211_put_regdom(regdom, msg))
6646                 goto nla_put_failure_rcu;
6647
6648         rcu_read_unlock();
6649
6650         genlmsg_end(msg, hdr);
6651         return genlmsg_reply(msg, info);
6652
6653 nla_put_failure_rcu:
6654         rcu_read_unlock();
6655 nla_put_failure:
6656 put_failure:
6657         nlmsg_free(msg);
6658         return -EMSGSIZE;
6659 }
6660
6661 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
6662                                u32 seq, int flags, struct wiphy *wiphy,
6663                                const struct ieee80211_regdomain *regdom)
6664 {
6665         void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
6666                                    NL80211_CMD_GET_REG);
6667
6668         if (!hdr)
6669                 return -1;
6670
6671         genl_dump_check_consistent(cb, hdr);
6672
6673         if (nl80211_put_regdom(regdom, msg))
6674                 goto nla_put_failure;
6675
6676         if (!wiphy && reg_last_request_cell_base() &&
6677             nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
6678                         NL80211_USER_REG_HINT_CELL_BASE))
6679                 goto nla_put_failure;
6680
6681         if (wiphy &&
6682             nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
6683                 goto nla_put_failure;
6684
6685         if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
6686             nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
6687                 goto nla_put_failure;
6688
6689         genlmsg_end(msg, hdr);
6690         return 0;
6691
6692 nla_put_failure:
6693         genlmsg_cancel(msg, hdr);
6694         return -EMSGSIZE;
6695 }
6696
6697 static int nl80211_get_reg_dump(struct sk_buff *skb,
6698                                 struct netlink_callback *cb)
6699 {
6700         const struct ieee80211_regdomain *regdom = NULL;
6701         struct cfg80211_registered_device *rdev;
6702         int err, reg_idx, start = cb->args[2];
6703
6704         rtnl_lock();
6705
6706         if (cfg80211_regdomain && start == 0) {
6707                 err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
6708                                           NLM_F_MULTI, NULL,
6709                                           rtnl_dereference(cfg80211_regdomain));
6710                 if (err < 0)
6711                         goto out_err;
6712         }
6713
6714         /* the global regdom is idx 0 */
6715         reg_idx = 1;
6716         list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
6717                 regdom = get_wiphy_regdom(&rdev->wiphy);
6718                 if (!regdom)
6719                         continue;
6720
6721                 if (++reg_idx <= start)
6722                         continue;
6723
6724                 err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
6725                                           NLM_F_MULTI, &rdev->wiphy, regdom);
6726                 if (err < 0) {
6727                         reg_idx--;
6728                         break;
6729                 }
6730         }
6731
6732         cb->args[2] = reg_idx;
6733         err = skb->len;
6734 out_err:
6735         rtnl_unlock();
6736         return err;
6737 }
6738
6739 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
6740 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
6741         [NL80211_ATTR_REG_RULE_FLAGS]           = { .type = NLA_U32 },
6742         [NL80211_ATTR_FREQ_RANGE_START]         = { .type = NLA_U32 },
6743         [NL80211_ATTR_FREQ_RANGE_END]           = { .type = NLA_U32 },
6744         [NL80211_ATTR_FREQ_RANGE_MAX_BW]        = { .type = NLA_U32 },
6745         [NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]  = { .type = NLA_U32 },
6746         [NL80211_ATTR_POWER_RULE_MAX_EIRP]      = { .type = NLA_U32 },
6747         [NL80211_ATTR_DFS_CAC_TIME]             = { .type = NLA_U32 },
6748 };
6749
6750 static int parse_reg_rule(struct nlattr *tb[],
6751         struct ieee80211_reg_rule *reg_rule)
6752 {
6753         struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
6754         struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
6755
6756         if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
6757                 return -EINVAL;
6758         if (!tb[NL80211_ATTR_FREQ_RANGE_START])
6759                 return -EINVAL;
6760         if (!tb[NL80211_ATTR_FREQ_RANGE_END])
6761                 return -EINVAL;
6762         if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
6763                 return -EINVAL;
6764         if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
6765                 return -EINVAL;
6766
6767         reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
6768
6769         freq_range->start_freq_khz =
6770                 nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
6771         freq_range->end_freq_khz =
6772                 nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
6773         freq_range->max_bandwidth_khz =
6774                 nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
6775
6776         power_rule->max_eirp =
6777                 nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
6778
6779         if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
6780                 power_rule->max_antenna_gain =
6781                         nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
6782
6783         if (tb[NL80211_ATTR_DFS_CAC_TIME])
6784                 reg_rule->dfs_cac_ms =
6785                         nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
6786
6787         return 0;
6788 }
6789
6790 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
6791 {
6792         struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
6793         struct nlattr *nl_reg_rule;
6794         char *alpha2;
6795         int rem_reg_rules, r;
6796         u32 num_rules = 0, rule_idx = 0, size_of_regd;
6797         enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
6798         struct ieee80211_regdomain *rd;
6799
6800         if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
6801                 return -EINVAL;
6802
6803         if (!info->attrs[NL80211_ATTR_REG_RULES])
6804                 return -EINVAL;
6805
6806         alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
6807
6808         if (info->attrs[NL80211_ATTR_DFS_REGION])
6809                 dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
6810
6811         nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
6812                             rem_reg_rules) {
6813                 num_rules++;
6814                 if (num_rules > NL80211_MAX_SUPP_REG_RULES)
6815                         return -EINVAL;
6816         }
6817
6818         if (!reg_is_valid_request(alpha2))
6819                 return -EINVAL;
6820
6821         size_of_regd = sizeof(struct ieee80211_regdomain) +
6822                        num_rules * sizeof(struct ieee80211_reg_rule);
6823
6824         rd = kzalloc(size_of_regd, GFP_KERNEL);
6825         if (!rd)
6826                 return -ENOMEM;
6827
6828         rd->n_reg_rules = num_rules;
6829         rd->alpha2[0] = alpha2[0];
6830         rd->alpha2[1] = alpha2[1];
6831
6832         /*
6833          * Disable DFS master mode if the DFS region was
6834          * not supported or known on this kernel.
6835          */
6836         if (reg_supported_dfs_region(dfs_region))
6837                 rd->dfs_region = dfs_region;
6838
6839         nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
6840                             rem_reg_rules) {
6841                 r = nla_parse_nested(tb, NL80211_REG_RULE_ATTR_MAX,
6842                                      nl_reg_rule, reg_rule_policy,
6843                                      info->extack);
6844                 if (r)
6845                         goto bad_reg;
6846                 r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
6847                 if (r)
6848                         goto bad_reg;
6849
6850                 rule_idx++;
6851
6852                 if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
6853                         r = -EINVAL;
6854                         goto bad_reg;
6855                 }
6856         }
6857
6858         /* set_regdom takes ownership of rd */
6859         return set_regdom(rd, REGD_SOURCE_CRDA);
6860  bad_reg:
6861         kfree(rd);
6862         return r;
6863 }
6864 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
6865
6866 static int validate_scan_freqs(struct nlattr *freqs)
6867 {
6868         struct nlattr *attr1, *attr2;
6869         int n_channels = 0, tmp1, tmp2;
6870
6871         nla_for_each_nested(attr1, freqs, tmp1)
6872                 if (nla_len(attr1) != sizeof(u32))
6873                         return 0;
6874
6875         nla_for_each_nested(attr1, freqs, tmp1) {
6876                 n_channels++;
6877                 /*
6878                  * Some hardware has a limited channel list for
6879                  * scanning, and it is pretty much nonsensical
6880                  * to scan for a channel twice, so disallow that
6881                  * and don't require drivers to check that the
6882                  * channel list they get isn't longer than what
6883                  * they can scan, as long as they can scan all
6884                  * the channels they registered at once.
6885                  */
6886                 nla_for_each_nested(attr2, freqs, tmp2)
6887                         if (attr1 != attr2 &&
6888                             nla_get_u32(attr1) == nla_get_u32(attr2))
6889                                 return 0;
6890         }
6891
6892         return n_channels;
6893 }
6894
6895 static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
6896 {
6897         return b < NUM_NL80211_BANDS && wiphy->bands[b];
6898 }
6899
6900 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
6901                             struct cfg80211_bss_selection *bss_select)
6902 {
6903         struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
6904         struct nlattr *nest;
6905         int err;
6906         bool found = false;
6907         int i;
6908
6909         /* only process one nested attribute */
6910         nest = nla_data(nla);
6911         if (!nla_ok(nest, nla_len(nest)))
6912                 return -EINVAL;
6913
6914         err = nla_parse_nested(attr, NL80211_BSS_SELECT_ATTR_MAX, nest,
6915                                nl80211_bss_select_policy, NULL);
6916         if (err)
6917                 return err;
6918
6919         /* only one attribute may be given */
6920         for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
6921                 if (attr[i]) {
6922                         if (found)
6923                                 return -EINVAL;
6924                         found = true;
6925                 }
6926         }
6927
6928         bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
6929
6930         if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
6931                 bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
6932
6933         if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
6934                 bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
6935                 bss_select->param.band_pref =
6936                         nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
6937                 if (!is_band_valid(wiphy, bss_select->param.band_pref))
6938                         return -EINVAL;
6939         }
6940
6941         if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
6942                 struct nl80211_bss_select_rssi_adjust *adj_param;
6943
6944                 adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
6945                 bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
6946                 bss_select->param.adjust.band = adj_param->band;
6947                 bss_select->param.adjust.delta = adj_param->delta;
6948                 if (!is_band_valid(wiphy, bss_select->param.adjust.band))
6949                         return -EINVAL;
6950         }
6951
6952         /* user-space did not provide behaviour attribute */
6953         if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
6954                 return -EINVAL;
6955
6956         if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
6957                 return -EINVAL;
6958
6959         return 0;
6960 }
6961
6962 static int nl80211_parse_random_mac(struct nlattr **attrs,
6963                                     u8 *mac_addr, u8 *mac_addr_mask)
6964 {
6965         int i;
6966
6967         if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
6968                 eth_zero_addr(mac_addr);
6969                 eth_zero_addr(mac_addr_mask);
6970                 mac_addr[0] = 0x2;
6971                 mac_addr_mask[0] = 0x3;
6972
6973                 return 0;
6974         }
6975
6976         /* need both or none */
6977         if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
6978                 return -EINVAL;
6979
6980         memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
6981         memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
6982
6983         /* don't allow or configure an mcast address */
6984         if (!is_multicast_ether_addr(mac_addr_mask) ||
6985             is_multicast_ether_addr(mac_addr))
6986                 return -EINVAL;
6987
6988         /*
6989          * allow users to pass a MAC address that has bits set outside
6990          * of the mask, but don't bother drivers with having to deal
6991          * with such bits
6992          */
6993         for (i = 0; i < ETH_ALEN; i++)
6994                 mac_addr[i] &= mac_addr_mask[i];
6995
6996         return 0;
6997 }
6998
6999 static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev)
7000 {
7001         ASSERT_WDEV_LOCK(wdev);
7002
7003         if (!cfg80211_beaconing_iface_active(wdev))
7004                 return true;
7005
7006         if (!(wdev->chandef.chan->flags & IEEE80211_CHAN_RADAR))
7007                 return true;
7008
7009         return regulatory_pre_cac_allowed(wdev->wiphy);
7010 }
7011
7012 static bool nl80211_check_scan_feat(struct wiphy *wiphy, u32 flags, u32 flag,
7013                                     enum nl80211_ext_feature_index feat)
7014 {
7015         if (!(flags & flag))
7016                 return true;
7017         if (wiphy_ext_feature_isset(wiphy, feat))
7018                 return true;
7019         return false;
7020 }
7021
7022 static int
7023 nl80211_check_scan_flags(struct wiphy *wiphy, struct wireless_dev *wdev,
7024                          void *request, struct nlattr **attrs,
7025                          bool is_sched_scan)
7026 {
7027         u8 *mac_addr, *mac_addr_mask;
7028         u32 *flags;
7029         enum nl80211_feature_flags randomness_flag;
7030
7031         if (!attrs[NL80211_ATTR_SCAN_FLAGS])
7032                 return 0;
7033
7034         if (is_sched_scan) {
7035                 struct cfg80211_sched_scan_request *req = request;
7036
7037                 randomness_flag = wdev ?
7038                                   NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR :
7039                                   NL80211_FEATURE_ND_RANDOM_MAC_ADDR;
7040                 flags = &req->flags;
7041                 mac_addr = req->mac_addr;
7042                 mac_addr_mask = req->mac_addr_mask;
7043         } else {
7044                 struct cfg80211_scan_request *req = request;
7045
7046                 randomness_flag = NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR;
7047                 flags = &req->flags;
7048                 mac_addr = req->mac_addr;
7049                 mac_addr_mask = req->mac_addr_mask;
7050         }
7051
7052         *flags = nla_get_u32(attrs[NL80211_ATTR_SCAN_FLAGS]);
7053
7054         if (((*flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
7055              !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
7056             !nl80211_check_scan_feat(wiphy, *flags,
7057                                      NL80211_SCAN_FLAG_LOW_SPAN,
7058                                      NL80211_EXT_FEATURE_LOW_SPAN_SCAN) ||
7059             !nl80211_check_scan_feat(wiphy, *flags,
7060                                      NL80211_SCAN_FLAG_LOW_POWER,
7061                                      NL80211_EXT_FEATURE_LOW_POWER_SCAN) ||
7062             !nl80211_check_scan_feat(wiphy, *flags,
7063                                      NL80211_SCAN_FLAG_HIGH_ACCURACY,
7064                                      NL80211_EXT_FEATURE_HIGH_ACCURACY_SCAN) ||
7065             !nl80211_check_scan_feat(wiphy, *flags,
7066                                      NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME,
7067                                      NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) ||
7068             !nl80211_check_scan_feat(wiphy, *flags,
7069                                      NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP,
7070                                      NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP) ||
7071             !nl80211_check_scan_feat(wiphy, *flags,
7072                                      NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
7073                                      NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION) ||
7074             !nl80211_check_scan_feat(wiphy, *flags,
7075                                      NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE,
7076                                      NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE) ||
7077             !nl80211_check_scan_feat(wiphy, *flags,
7078                                      NL80211_SCAN_FLAG_RANDOM_SN,
7079                                      NL80211_EXT_FEATURE_SCAN_RANDOM_SN) ||
7080             !nl80211_check_scan_feat(wiphy, *flags,
7081                                      NL80211_SCAN_FLAG_MIN_PREQ_CONTENT,
7082                                      NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT))
7083                 return -EOPNOTSUPP;
7084
7085         if (*flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
7086                 int err;
7087
7088                 if (!(wiphy->features & randomness_flag) ||
7089                     (wdev && wdev->current_bss))
7090                         return -EOPNOTSUPP;
7091
7092                 err = nl80211_parse_random_mac(attrs, mac_addr, mac_addr_mask);
7093                 if (err)
7094                         return err;
7095         }
7096
7097         return 0;
7098 }
7099
7100 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
7101 {
7102         struct cfg80211_registered_device *rdev = info->user_ptr[0];
7103         struct wireless_dev *wdev = info->user_ptr[1];
7104         struct cfg80211_scan_request *request;
7105         struct nlattr *attr;
7106         struct wiphy *wiphy;
7107         int err, tmp, n_ssids = 0, n_channels, i;
7108         size_t ie_len;
7109
7110         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
7111                 return -EINVAL;
7112
7113         wiphy = &rdev->wiphy;
7114
7115         if (wdev->iftype == NL80211_IFTYPE_NAN)
7116                 return -EOPNOTSUPP;
7117
7118         if (!rdev->ops->scan)
7119                 return -EOPNOTSUPP;
7120
7121         if (rdev->scan_req || rdev->scan_msg) {
7122                 err = -EBUSY;
7123                 goto unlock;
7124         }
7125
7126         if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
7127                 n_channels = validate_scan_freqs(
7128                                 info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
7129                 if (!n_channels) {
7130                         err = -EINVAL;
7131                         goto unlock;
7132                 }
7133         } else {
7134                 n_channels = ieee80211_get_num_supported_channels(wiphy);
7135         }
7136
7137         if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
7138                 nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
7139                         n_ssids++;
7140
7141         if (n_ssids > wiphy->max_scan_ssids) {
7142                 err = -EINVAL;
7143                 goto unlock;
7144         }
7145
7146         if (info->attrs[NL80211_ATTR_IE])
7147                 ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7148         else
7149                 ie_len = 0;
7150
7151         if (ie_len > wiphy->max_scan_ie_len) {
7152                 err = -EINVAL;
7153                 goto unlock;
7154         }
7155
7156         request = kzalloc(sizeof(*request)
7157                         + sizeof(*request->ssids) * n_ssids
7158                         + sizeof(*request->channels) * n_channels
7159                         + ie_len, GFP_KERNEL);
7160         if (!request) {
7161                 err = -ENOMEM;
7162                 goto unlock;
7163         }
7164
7165         if (n_ssids)
7166                 request->ssids = (void *)&request->channels[n_channels];
7167         request->n_ssids = n_ssids;
7168         if (ie_len) {
7169                 if (n_ssids)
7170                         request->ie = (void *)(request->ssids + n_ssids);
7171                 else
7172                         request->ie = (void *)(request->channels + n_channels);
7173         }
7174
7175         i = 0;
7176         if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
7177                 /* user specified, bail out if channel not found */
7178                 nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_FREQUENCIES], tmp) {
7179                         struct ieee80211_channel *chan;
7180
7181                         chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
7182
7183                         if (!chan) {
7184                                 err = -EINVAL;
7185                                 goto out_free;
7186                         }
7187
7188                         /* ignore disabled channels */
7189                         if (chan->flags & IEEE80211_CHAN_DISABLED)
7190                                 continue;
7191
7192                         request->channels[i] = chan;
7193                         i++;
7194                 }
7195         } else {
7196                 enum nl80211_band band;
7197
7198                 /* all channels */
7199                 for (band = 0; band < NUM_NL80211_BANDS; band++) {
7200                         int j;
7201
7202                         if (!wiphy->bands[band])
7203                                 continue;
7204                         for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
7205                                 struct ieee80211_channel *chan;
7206
7207                                 chan = &wiphy->bands[band]->channels[j];
7208
7209                                 if (chan->flags & IEEE80211_CHAN_DISABLED)
7210                                         continue;
7211
7212                                 request->channels[i] = chan;
7213                                 i++;
7214                         }
7215                 }
7216         }
7217
7218         if (!i) {
7219                 err = -EINVAL;
7220                 goto out_free;
7221         }
7222
7223         request->n_channels = i;
7224
7225         wdev_lock(wdev);
7226         if (!cfg80211_off_channel_oper_allowed(wdev)) {
7227                 struct ieee80211_channel *chan;
7228
7229                 if (request->n_channels != 1) {
7230                         wdev_unlock(wdev);
7231                         err = -EBUSY;
7232                         goto out_free;
7233                 }
7234
7235                 chan = request->channels[0];
7236                 if (chan->center_freq != wdev->chandef.chan->center_freq) {
7237                         wdev_unlock(wdev);
7238                         err = -EBUSY;
7239                         goto out_free;
7240                 }
7241         }
7242         wdev_unlock(wdev);
7243
7244         i = 0;
7245         if (n_ssids) {
7246                 nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
7247                         if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
7248                                 err = -EINVAL;
7249                                 goto out_free;
7250                         }
7251                         request->ssids[i].ssid_len = nla_len(attr);
7252                         memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
7253                         i++;
7254                 }
7255         }
7256
7257         if (info->attrs[NL80211_ATTR_IE]) {
7258                 request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7259                 memcpy((void *)request->ie,
7260                        nla_data(info->attrs[NL80211_ATTR_IE]),
7261                        request->ie_len);
7262         }
7263
7264         for (i = 0; i < NUM_NL80211_BANDS; i++)
7265                 if (wiphy->bands[i])
7266                         request->rates[i] =
7267                                 (1 << wiphy->bands[i]->n_bitrates) - 1;
7268
7269         if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
7270                 nla_for_each_nested(attr,
7271                                     info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
7272                                     tmp) {
7273                         enum nl80211_band band = nla_type(attr);
7274
7275                         if (band < 0 || band >= NUM_NL80211_BANDS) {
7276                                 err = -EINVAL;
7277                                 goto out_free;
7278                         }
7279
7280                         if (!wiphy->bands[band])
7281                                 continue;
7282
7283                         err = ieee80211_get_ratemask(wiphy->bands[band],
7284                                                      nla_data(attr),
7285                                                      nla_len(attr),
7286                                                      &request->rates[band]);
7287                         if (err)
7288                                 goto out_free;
7289                 }
7290         }
7291
7292         if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
7293                 if (!wiphy_ext_feature_isset(wiphy,
7294                                         NL80211_EXT_FEATURE_SET_SCAN_DWELL)) {
7295                         err = -EOPNOTSUPP;
7296                         goto out_free;
7297                 }
7298
7299                 request->duration =
7300                         nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
7301                 request->duration_mandatory =
7302                         nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
7303         }
7304
7305         err = nl80211_check_scan_flags(wiphy, wdev, request, info->attrs,
7306                                        false);
7307         if (err)
7308                 goto out_free;
7309
7310         request->no_cck =
7311                 nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
7312
7313         /* Initial implementation used NL80211_ATTR_MAC to set the specific
7314          * BSSID to scan for. This was problematic because that same attribute
7315          * was already used for another purpose (local random MAC address). The
7316          * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
7317          * compatibility with older userspace components, also use the
7318          * NL80211_ATTR_MAC value here if it can be determined to be used for
7319          * the specific BSSID use case instead of the random MAC address
7320          * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
7321          */
7322         if (info->attrs[NL80211_ATTR_BSSID])
7323                 memcpy(request->bssid,
7324                        nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
7325         else if (!(request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
7326                  info->attrs[NL80211_ATTR_MAC])
7327                 memcpy(request->bssid, nla_data(info->attrs[NL80211_ATTR_MAC]),
7328                        ETH_ALEN);
7329         else
7330                 eth_broadcast_addr(request->bssid);
7331
7332         request->wdev = wdev;
7333         request->wiphy = &rdev->wiphy;
7334         request->scan_start = jiffies;
7335
7336         rdev->scan_req = request;
7337         err = rdev_scan(rdev, request);
7338
7339         if (!err) {
7340                 nl80211_send_scan_start(rdev, wdev);
7341                 if (wdev->netdev)
7342                         dev_hold(wdev->netdev);
7343         } else {
7344  out_free:
7345                 rdev->scan_req = NULL;
7346                 kfree(request);
7347         }
7348
7349  unlock:
7350         return err;
7351 }
7352
7353 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
7354 {
7355         struct cfg80211_registered_device *rdev = info->user_ptr[0];
7356         struct wireless_dev *wdev = info->user_ptr[1];
7357
7358         if (!rdev->ops->abort_scan)
7359                 return -EOPNOTSUPP;
7360
7361         if (rdev->scan_msg)
7362                 return 0;
7363
7364         if (!rdev->scan_req)
7365                 return -ENOENT;
7366
7367         rdev_abort_scan(rdev, wdev);
7368         return 0;
7369 }
7370
7371 static int
7372 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
7373                                struct cfg80211_sched_scan_request *request,
7374                                struct nlattr **attrs)
7375 {
7376         int tmp, err, i = 0;
7377         struct nlattr *attr;
7378
7379         if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
7380                 u32 interval;
7381
7382                 /*
7383                  * If scan plans are not specified,
7384                  * %NL80211_ATTR_SCHED_SCAN_INTERVAL will be specified. In this
7385                  * case one scan plan will be set with the specified scan
7386                  * interval and infinite number of iterations.
7387                  */
7388                 interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
7389                 if (!interval)
7390                         return -EINVAL;
7391
7392                 request->scan_plans[0].interval =
7393                         DIV_ROUND_UP(interval, MSEC_PER_SEC);
7394                 if (!request->scan_plans[0].interval)
7395                         return -EINVAL;
7396
7397                 if (request->scan_plans[0].interval >
7398                     wiphy->max_sched_scan_plan_interval)
7399                         request->scan_plans[0].interval =
7400                                 wiphy->max_sched_scan_plan_interval;
7401
7402                 return 0;
7403         }
7404
7405         nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
7406                 struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
7407
7408                 if (WARN_ON(i >= n_plans))
7409                         return -EINVAL;
7410
7411                 err = nla_parse_nested(plan, NL80211_SCHED_SCAN_PLAN_MAX,
7412                                        attr, nl80211_plan_policy, NULL);
7413                 if (err)
7414                         return err;
7415
7416                 if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
7417                         return -EINVAL;
7418
7419                 request->scan_plans[i].interval =
7420                         nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
7421                 if (!request->scan_plans[i].interval ||
7422                     request->scan_plans[i].interval >
7423                     wiphy->max_sched_scan_plan_interval)
7424                         return -EINVAL;
7425
7426                 if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
7427                         request->scan_plans[i].iterations =
7428                                 nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
7429                         if (!request->scan_plans[i].iterations ||
7430                             (request->scan_plans[i].iterations >
7431                              wiphy->max_sched_scan_plan_iterations))
7432                                 return -EINVAL;
7433                 } else if (i < n_plans - 1) {
7434                         /*
7435                          * All scan plans but the last one must specify
7436                          * a finite number of iterations
7437                          */
7438                         return -EINVAL;
7439                 }
7440
7441                 i++;
7442         }
7443
7444         /*
7445          * The last scan plan must not specify the number of
7446          * iterations, it is supposed to run infinitely
7447          */
7448         if (request->scan_plans[n_plans - 1].iterations)
7449                 return  -EINVAL;
7450
7451         return 0;
7452 }
7453
7454 static struct cfg80211_sched_scan_request *
7455 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
7456                          struct nlattr **attrs, int max_match_sets)
7457 {
7458         struct cfg80211_sched_scan_request *request;
7459         struct nlattr *attr;
7460         int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
7461         enum nl80211_band band;
7462         size_t ie_len;
7463         struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
7464         s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
7465
7466         if (!is_valid_ie_attr(attrs[NL80211_ATTR_IE]))
7467                 return ERR_PTR(-EINVAL);
7468
7469         if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
7470                 n_channels = validate_scan_freqs(
7471                                 attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
7472                 if (!n_channels)
7473                         return ERR_PTR(-EINVAL);
7474         } else {
7475                 n_channels = ieee80211_get_num_supported_channels(wiphy);
7476         }
7477
7478         if (attrs[NL80211_ATTR_SCAN_SSIDS])
7479                 nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
7480                                     tmp)
7481                         n_ssids++;
7482
7483         if (n_ssids > wiphy->max_sched_scan_ssids)
7484                 return ERR_PTR(-EINVAL);
7485
7486         /*
7487          * First, count the number of 'real' matchsets. Due to an issue with
7488          * the old implementation, matchsets containing only the RSSI attribute
7489          * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
7490          * RSSI for all matchsets, rather than their own matchset for reporting
7491          * all APs with a strong RSSI. This is needed to be compatible with
7492          * older userspace that treated a matchset with only the RSSI as the
7493          * global RSSI for all other matchsets - if there are other matchsets.
7494          */
7495         if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
7496                 nla_for_each_nested(attr,
7497                                     attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
7498                                     tmp) {
7499                         struct nlattr *rssi;
7500
7501                         err = nla_parse_nested(tb,
7502                                                NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
7503                                                attr, nl80211_match_policy,
7504                                                NULL);
7505                         if (err)
7506                                 return ERR_PTR(err);
7507
7508                         /* SSID and BSSID are mutually exclusive */
7509                         if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] &&
7510                             tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID])
7511                                 return ERR_PTR(-EINVAL);
7512
7513                         /* add other standalone attributes here */
7514                         if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] ||
7515                             tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID]) {
7516                                 n_match_sets++;
7517                                 continue;
7518                         }
7519                         rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
7520                         if (rssi)
7521                                 default_match_rssi = nla_get_s32(rssi);
7522                 }
7523         }
7524
7525         /* However, if there's no other matchset, add the RSSI one */
7526         if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
7527                 n_match_sets = 1;
7528
7529         if (n_match_sets > max_match_sets)
7530                 return ERR_PTR(-EINVAL);
7531
7532         if (attrs[NL80211_ATTR_IE])
7533                 ie_len = nla_len(attrs[NL80211_ATTR_IE]);
7534         else
7535                 ie_len = 0;
7536
7537         if (ie_len > wiphy->max_sched_scan_ie_len)
7538                 return ERR_PTR(-EINVAL);
7539
7540         if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
7541                 /*
7542                  * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
7543                  * each scan plan already specifies its own interval
7544                  */
7545                 if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
7546                         return ERR_PTR(-EINVAL);
7547
7548                 nla_for_each_nested(attr,
7549                                     attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
7550                         n_plans++;
7551         } else {
7552                 /*
7553                  * The scan interval attribute is kept for backward
7554                  * compatibility. If no scan plans are specified and sched scan
7555                  * interval is specified, one scan plan will be set with this
7556                  * scan interval and infinite number of iterations.
7557                  */
7558                 if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
7559                         return ERR_PTR(-EINVAL);
7560
7561                 n_plans = 1;
7562         }
7563
7564         if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
7565                 return ERR_PTR(-EINVAL);
7566
7567         if (!wiphy_ext_feature_isset(
7568                     wiphy, NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI) &&
7569             (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] ||
7570              attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
7571                 return ERR_PTR(-EINVAL);
7572
7573         request = kzalloc(sizeof(*request)
7574                         + sizeof(*request->ssids) * n_ssids
7575                         + sizeof(*request->match_sets) * n_match_sets
7576                         + sizeof(*request->scan_plans) * n_plans
7577                         + sizeof(*request->channels) * n_channels
7578                         + ie_len, GFP_KERNEL);
7579         if (!request)
7580                 return ERR_PTR(-ENOMEM);
7581
7582         if (n_ssids)
7583                 request->ssids = (void *)&request->channels[n_channels];
7584         request->n_ssids = n_ssids;
7585         if (ie_len) {
7586                 if (n_ssids)
7587                         request->ie = (void *)(request->ssids + n_ssids);
7588                 else
7589                         request->ie = (void *)(request->channels + n_channels);
7590         }
7591
7592         if (n_match_sets) {
7593                 if (request->ie)
7594                         request->match_sets = (void *)(request->ie + ie_len);
7595                 else if (n_ssids)
7596                         request->match_sets =
7597                                 (void *)(request->ssids + n_ssids);
7598                 else
7599                         request->match_sets =
7600                                 (void *)(request->channels + n_channels);
7601         }
7602         request->n_match_sets = n_match_sets;
7603
7604         if (n_match_sets)
7605                 request->scan_plans = (void *)(request->match_sets +
7606                                                n_match_sets);
7607         else if (request->ie)
7608                 request->scan_plans = (void *)(request->ie + ie_len);
7609         else if (n_ssids)
7610                 request->scan_plans = (void *)(request->ssids + n_ssids);
7611         else
7612                 request->scan_plans = (void *)(request->channels + n_channels);
7613
7614         request->n_scan_plans = n_plans;
7615
7616         i = 0;
7617         if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
7618                 /* user specified, bail out if channel not found */
7619                 nla_for_each_nested(attr,
7620                                     attrs[NL80211_ATTR_SCAN_FREQUENCIES],
7621                                     tmp) {
7622                         struct ieee80211_channel *chan;
7623
7624                         chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
7625
7626                         if (!chan) {
7627                                 err = -EINVAL;
7628                                 goto out_free;
7629                         }
7630
7631                         /* ignore disabled channels */
7632                         if (chan->flags & IEEE80211_CHAN_DISABLED)
7633                                 continue;
7634
7635                         request->channels[i] = chan;
7636                         i++;
7637                 }
7638         } else {
7639                 /* all channels */
7640                 for (band = 0; band < NUM_NL80211_BANDS; band++) {
7641                         int j;
7642
7643                         if (!wiphy->bands[band])
7644                                 continue;
7645                         for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
7646                                 struct ieee80211_channel *chan;
7647
7648                                 chan = &wiphy->bands[band]->channels[j];
7649
7650                                 if (chan->flags & IEEE80211_CHAN_DISABLED)
7651                                         continue;
7652
7653                                 request->channels[i] = chan;
7654                                 i++;
7655                         }
7656                 }
7657         }
7658
7659         if (!i) {
7660                 err = -EINVAL;
7661                 goto out_free;
7662         }
7663
7664         request->n_channels = i;
7665
7666         i = 0;
7667         if (n_ssids) {
7668                 nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
7669                                     tmp) {
7670                         if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
7671                                 err = -EINVAL;
7672                                 goto out_free;
7673                         }
7674                         request->ssids[i].ssid_len = nla_len(attr);
7675                         memcpy(request->ssids[i].ssid, nla_data(attr),
7676                                nla_len(attr));
7677                         i++;
7678                 }
7679         }
7680
7681         i = 0;
7682         if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
7683                 nla_for_each_nested(attr,
7684                                     attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
7685                                     tmp) {
7686                         struct nlattr *ssid, *bssid, *rssi;
7687
7688                         err = nla_parse_nested(tb,
7689                                                NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
7690                                                attr, nl80211_match_policy,
7691                                                NULL);
7692                         if (err)
7693                                 goto out_free;
7694                         ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
7695                         bssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID];
7696                         if (ssid || bssid) {
7697                                 if (WARN_ON(i >= n_match_sets)) {
7698                                         /* this indicates a programming error,
7699                                          * the loop above should have verified
7700                                          * things properly
7701                                          */
7702                                         err = -EINVAL;
7703                                         goto out_free;
7704                                 }
7705
7706                                 if (ssid) {
7707                                         if (nla_len(ssid) > IEEE80211_MAX_SSID_LEN) {
7708                                                 err = -EINVAL;
7709                                                 goto out_free;
7710                                         }
7711                                         memcpy(request->match_sets[i].ssid.ssid,
7712                                                nla_data(ssid), nla_len(ssid));
7713                                         request->match_sets[i].ssid.ssid_len =
7714                                                 nla_len(ssid);
7715                                 }
7716                                 if (bssid) {
7717                                         if (nla_len(bssid) != ETH_ALEN) {
7718                                                 err = -EINVAL;
7719                                                 goto out_free;
7720                                         }
7721                                         memcpy(request->match_sets[i].bssid,
7722                                                nla_data(bssid), ETH_ALEN);
7723                                 }
7724
7725                                 /* special attribute - old implementation w/a */
7726                                 request->match_sets[i].rssi_thold =
7727                                         default_match_rssi;
7728                                 rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
7729                                 if (rssi)
7730                                         request->match_sets[i].rssi_thold =
7731                                                 nla_get_s32(rssi);
7732                         }
7733                         i++;
7734                 }
7735
7736                 /* there was no other matchset, so the RSSI one is alone */
7737                 if (i == 0 && n_match_sets)
7738                         request->match_sets[0].rssi_thold = default_match_rssi;
7739
7740                 request->min_rssi_thold = INT_MAX;
7741                 for (i = 0; i < n_match_sets; i++)
7742                         request->min_rssi_thold =
7743                                 min(request->match_sets[i].rssi_thold,
7744                                     request->min_rssi_thold);
7745         } else {
7746                 request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
7747         }
7748
7749         if (ie_len) {
7750                 request->ie_len = ie_len;
7751                 memcpy((void *)request->ie,
7752                        nla_data(attrs[NL80211_ATTR_IE]),
7753                        request->ie_len);
7754         }
7755
7756         err = nl80211_check_scan_flags(wiphy, wdev, request, attrs, true);
7757         if (err)
7758                 goto out_free;
7759
7760         if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
7761                 request->delay =
7762                         nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
7763
7764         if (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]) {
7765                 request->relative_rssi = nla_get_s8(
7766                         attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]);
7767                 request->relative_rssi_set = true;
7768         }
7769
7770         if (request->relative_rssi_set &&
7771             attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]) {
7772                 struct nl80211_bss_select_rssi_adjust *rssi_adjust;
7773
7774                 rssi_adjust = nla_data(
7775                         attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]);
7776                 request->rssi_adjust.band = rssi_adjust->band;
7777                 request->rssi_adjust.delta = rssi_adjust->delta;
7778                 if (!is_band_valid(wiphy, request->rssi_adjust.band)) {
7779                         err = -EINVAL;
7780                         goto out_free;
7781                 }
7782         }
7783
7784         err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
7785         if (err)
7786                 goto out_free;
7787
7788         request->scan_start = jiffies;
7789
7790         return request;
7791
7792 out_free:
7793         kfree(request);
7794         return ERR_PTR(err);
7795 }
7796
7797 static int nl80211_start_sched_scan(struct sk_buff *skb,
7798                                     struct genl_info *info)
7799 {
7800         struct cfg80211_registered_device *rdev = info->user_ptr[0];
7801         struct net_device *dev = info->user_ptr[1];
7802         struct wireless_dev *wdev = dev->ieee80211_ptr;
7803         struct cfg80211_sched_scan_request *sched_scan_req;
7804         bool want_multi;
7805         int err;
7806
7807         if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_start)
7808                 return -EOPNOTSUPP;
7809
7810         want_multi = info->attrs[NL80211_ATTR_SCHED_SCAN_MULTI];
7811         err = cfg80211_sched_scan_req_possible(rdev, want_multi);
7812         if (err)
7813                 return err;
7814
7815         sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
7816                                                   info->attrs,
7817                                                   rdev->wiphy.max_match_sets);
7818
7819         err = PTR_ERR_OR_ZERO(sched_scan_req);
7820         if (err)
7821                 goto out_err;
7822
7823         /* leave request id zero for legacy request
7824          * or if driver does not support multi-scheduled scan
7825          */
7826         if (want_multi && rdev->wiphy.max_sched_scan_reqs > 1) {
7827                 while (!sched_scan_req->reqid)
7828                         sched_scan_req->reqid = rdev->wiphy.cookie_counter++;
7829         }
7830
7831         err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
7832         if (err)
7833                 goto out_free;
7834
7835         sched_scan_req->dev = dev;
7836         sched_scan_req->wiphy = &rdev->wiphy;
7837
7838         if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
7839                 sched_scan_req->owner_nlportid = info->snd_portid;
7840
7841         cfg80211_add_sched_scan_req(rdev, sched_scan_req);
7842
7843         nl80211_send_sched_scan(sched_scan_req, NL80211_CMD_START_SCHED_SCAN);
7844         return 0;
7845
7846 out_free:
7847         kfree(sched_scan_req);
7848 out_err:
7849         return err;
7850 }
7851
7852 static int nl80211_stop_sched_scan(struct sk_buff *skb,
7853                                    struct genl_info *info)
7854 {
7855         struct cfg80211_sched_scan_request *req;
7856         struct cfg80211_registered_device *rdev = info->user_ptr[0];
7857         u64 cookie;
7858
7859         if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_stop)
7860                 return -EOPNOTSUPP;
7861
7862         if (info->attrs[NL80211_ATTR_COOKIE]) {
7863                 cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
7864                 return __cfg80211_stop_sched_scan(rdev, cookie, false);
7865         }
7866
7867         req = list_first_or_null_rcu(&rdev->sched_scan_req_list,
7868                                      struct cfg80211_sched_scan_request,
7869                                      list);
7870         if (!req || req->reqid ||
7871             (req->owner_nlportid &&
7872              req->owner_nlportid != info->snd_portid))
7873                 return -ENOENT;
7874
7875         return cfg80211_stop_sched_scan_req(rdev, req, false);
7876 }
7877
7878 static int nl80211_start_radar_detection(struct sk_buff *skb,
7879                                          struct genl_info *info)
7880 {
7881         struct cfg80211_registered_device *rdev = info->user_ptr[0];
7882         struct net_device *dev = info->user_ptr[1];
7883         struct wireless_dev *wdev = dev->ieee80211_ptr;
7884         struct wiphy *wiphy = wdev->wiphy;
7885         struct cfg80211_chan_def chandef;
7886         enum nl80211_dfs_regions dfs_region;
7887         unsigned int cac_time_ms;
7888         int err;
7889
7890         dfs_region = reg_get_dfs_region(wiphy);
7891         if (dfs_region == NL80211_DFS_UNSET)
7892                 return -EINVAL;
7893
7894         err = nl80211_parse_chandef(rdev, info, &chandef);
7895         if (err)
7896                 return err;
7897
7898         if (netif_carrier_ok(dev))
7899                 return -EBUSY;
7900
7901         if (wdev->cac_started)
7902                 return -EBUSY;
7903
7904         err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
7905         if (err < 0)
7906                 return err;
7907
7908         if (err == 0)
7909                 return -EINVAL;
7910
7911         if (!cfg80211_chandef_dfs_usable(wiphy, &chandef))
7912                 return -EINVAL;
7913
7914         /* CAC start is offloaded to HW and can't be started manually */
7915         if (wiphy_ext_feature_isset(wiphy, NL80211_EXT_FEATURE_DFS_OFFLOAD))
7916                 return -EOPNOTSUPP;
7917
7918         if (!rdev->ops->start_radar_detection)
7919                 return -EOPNOTSUPP;
7920
7921         cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
7922         if (WARN_ON(!cac_time_ms))
7923                 cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
7924
7925         err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms);
7926         if (!err) {
7927                 wdev->chandef = chandef;
7928                 wdev->cac_started = true;
7929                 wdev->cac_start_time = jiffies;
7930                 wdev->cac_time_ms = cac_time_ms;
7931         }
7932         return err;
7933 }
7934
7935 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
7936 {
7937         struct cfg80211_registered_device *rdev = info->user_ptr[0];
7938         struct net_device *dev = info->user_ptr[1];
7939         struct wireless_dev *wdev = dev->ieee80211_ptr;
7940         struct cfg80211_csa_settings params;
7941         /* csa_attrs is defined static to avoid waste of stack size - this
7942          * function is called under RTNL lock, so this should not be a problem.
7943          */
7944         static struct nlattr *csa_attrs[NL80211_ATTR_MAX+1];
7945         int err;
7946         bool need_new_beacon = false;
7947         bool need_handle_dfs_flag = true;
7948         int len, i;
7949         u32 cs_count;
7950
7951         if (!rdev->ops->channel_switch ||
7952             !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
7953                 return -EOPNOTSUPP;
7954
7955         switch (dev->ieee80211_ptr->iftype) {
7956         case NL80211_IFTYPE_AP:
7957         case NL80211_IFTYPE_P2P_GO:
7958                 need_new_beacon = true;
7959                 /* For all modes except AP the handle_dfs flag needs to be
7960                  * supplied to tell the kernel that userspace will handle radar
7961                  * events when they happen. Otherwise a switch to a channel
7962                  * requiring DFS will be rejected.
7963                  */
7964                 need_handle_dfs_flag = false;
7965
7966                 /* useless if AP is not running */
7967                 if (!wdev->beacon_interval)
7968                         return -ENOTCONN;
7969                 break;
7970         case NL80211_IFTYPE_ADHOC:
7971                 if (!wdev->ssid_len)
7972                         return -ENOTCONN;
7973                 break;
7974         case NL80211_IFTYPE_MESH_POINT:
7975                 if (!wdev->mesh_id_len)
7976                         return -ENOTCONN;
7977                 break;
7978         default:
7979                 return -EOPNOTSUPP;
7980         }
7981
7982         memset(&params, 0, sizeof(params));
7983
7984         if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
7985             !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
7986                 return -EINVAL;
7987
7988         /* only important for AP, IBSS and mesh create IEs internally */
7989         if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
7990                 return -EINVAL;
7991
7992         /* Even though the attribute is u32, the specification says
7993          * u8, so let's make sure we don't overflow.
7994          */
7995         cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
7996         if (cs_count > 255)
7997                 return -EINVAL;
7998
7999         params.count = cs_count;
8000
8001         if (!need_new_beacon)
8002                 goto skip_beacons;
8003
8004         err = nl80211_parse_beacon(info->attrs, &params.beacon_after);
8005         if (err)
8006                 return err;
8007
8008         err = nla_parse_nested(csa_attrs, NL80211_ATTR_MAX,
8009                                info->attrs[NL80211_ATTR_CSA_IES],
8010                                nl80211_policy, info->extack);
8011         if (err)
8012                 return err;
8013
8014         err = nl80211_parse_beacon(csa_attrs, &params.beacon_csa);
8015         if (err)
8016                 return err;
8017
8018         if (!csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON])
8019                 return -EINVAL;
8020
8021         len = nla_len(csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON]);
8022         if (!len || (len % sizeof(u16)))
8023                 return -EINVAL;
8024
8025         params.n_counter_offsets_beacon = len / sizeof(u16);
8026         if (rdev->wiphy.max_num_csa_counters &&
8027             (params.n_counter_offsets_beacon >
8028              rdev->wiphy.max_num_csa_counters))
8029                 return -EINVAL;
8030
8031         params.counter_offsets_beacon =
8032                 nla_data(csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON]);
8033
8034         /* sanity checks - counters should fit and be the same */
8035         for (i = 0; i < params.n_counter_offsets_beacon; i++) {
8036                 u16 offset = params.counter_offsets_beacon[i];
8037
8038                 if (offset >= params.beacon_csa.tail_len)
8039                         return -EINVAL;
8040
8041                 if (params.beacon_csa.tail[offset] != params.count)
8042                         return -EINVAL;
8043         }
8044
8045         if (csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]) {
8046                 len = nla_len(csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]);
8047                 if (!len || (len % sizeof(u16)))
8048                         return -EINVAL;
8049
8050                 params.n_counter_offsets_presp = len / sizeof(u16);
8051                 if (rdev->wiphy.max_num_csa_counters &&
8052                     (params.n_counter_offsets_presp >
8053                      rdev->wiphy.max_num_csa_counters))
8054                         return -EINVAL;
8055
8056                 params.counter_offsets_presp =
8057                         nla_data(csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]);
8058
8059                 /* sanity checks - counters should fit and be the same */
8060                 for (i = 0; i < params.n_counter_offsets_presp; i++) {
8061                         u16 offset = params.counter_offsets_presp[i];
8062
8063                         if (offset >= params.beacon_csa.probe_resp_len)
8064                                 return -EINVAL;
8065
8066                         if (params.beacon_csa.probe_resp[offset] !=
8067                             params.count)
8068                                 return -EINVAL;
8069                 }
8070         }
8071
8072 skip_beacons:
8073         err = nl80211_parse_chandef(rdev, info, &params.chandef);
8074         if (err)
8075                 return err;
8076
8077         if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
8078                                            wdev->iftype))
8079                 return -EINVAL;
8080
8081         err = cfg80211_chandef_dfs_required(wdev->wiphy,
8082                                             &params.chandef,
8083                                             wdev->iftype);
8084         if (err < 0)
8085                 return err;
8086
8087         if (err > 0) {
8088                 params.radar_required = true;
8089                 if (need_handle_dfs_flag &&
8090                     !nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS])) {
8091                         return -EINVAL;
8092                 }
8093         }
8094
8095         if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
8096                 params.block_tx = true;
8097
8098         wdev_lock(wdev);
8099         err = rdev_channel_switch(rdev, dev, &params);
8100         wdev_unlock(wdev);
8101
8102         return err;
8103 }
8104
8105 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
8106                             u32 seq, int flags,
8107                             struct cfg80211_registered_device *rdev,
8108                             struct wireless_dev *wdev,
8109                             struct cfg80211_internal_bss *intbss)
8110 {
8111         struct cfg80211_bss *res = &intbss->pub;
8112         const struct cfg80211_bss_ies *ies;
8113         void *hdr;
8114         struct nlattr *bss;
8115
8116         ASSERT_WDEV_LOCK(wdev);
8117
8118         hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
8119                              NL80211_CMD_NEW_SCAN_RESULTS);
8120         if (!hdr)
8121                 return -1;
8122
8123         genl_dump_check_consistent(cb, hdr);
8124
8125         if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
8126                 goto nla_put_failure;
8127         if (wdev->netdev &&
8128             nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
8129                 goto nla_put_failure;
8130         if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
8131                               NL80211_ATTR_PAD))
8132                 goto nla_put_failure;
8133
8134         bss = nla_nest_start(msg, NL80211_ATTR_BSS);
8135         if (!bss)
8136                 goto nla_put_failure;
8137         if ((!is_zero_ether_addr(res->bssid) &&
8138              nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
8139                 goto nla_put_failure;
8140
8141         rcu_read_lock();
8142         /* indicate whether we have probe response data or not */
8143         if (rcu_access_pointer(res->proberesp_ies) &&
8144             nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
8145                 goto fail_unlock_rcu;
8146
8147         /* this pointer prefers to be pointed to probe response data
8148          * but is always valid
8149          */
8150         ies = rcu_dereference(res->ies);
8151         if (ies) {
8152                 if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
8153                                       NL80211_BSS_PAD))
8154                         goto fail_unlock_rcu;
8155                 if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
8156                                         ies->len, ies->data))
8157                         goto fail_unlock_rcu;
8158         }
8159
8160         /* and this pointer is always (unless driver didn't know) beacon data */
8161         ies = rcu_dereference(res->beacon_ies);
8162         if (ies && ies->from_beacon) {
8163                 if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
8164                                       NL80211_BSS_PAD))
8165                         goto fail_unlock_rcu;
8166                 if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
8167                                         ies->len, ies->data))
8168                         goto fail_unlock_rcu;
8169         }
8170         rcu_read_unlock();
8171
8172         if (res->beacon_interval &&
8173             nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
8174                 goto nla_put_failure;
8175         if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
8176             nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
8177             nla_put_u32(msg, NL80211_BSS_CHAN_WIDTH, res->scan_width) ||
8178             nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
8179                         jiffies_to_msecs(jiffies - intbss->ts)))
8180                 goto nla_put_failure;
8181
8182         if (intbss->parent_tsf &&
8183             (nla_put_u64_64bit(msg, NL80211_BSS_PARENT_TSF,
8184                                intbss->parent_tsf, NL80211_BSS_PAD) ||
8185              nla_put(msg, NL80211_BSS_PARENT_BSSID, ETH_ALEN,
8186                      intbss->parent_bssid)))
8187                 goto nla_put_failure;
8188
8189         if (intbss->ts_boottime &&
8190             nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
8191                               intbss->ts_boottime, NL80211_BSS_PAD))
8192                 goto nla_put_failure;
8193
8194         if (!nl80211_put_signal(msg, intbss->pub.chains,
8195                                 intbss->pub.chain_signal,
8196                                 NL80211_BSS_CHAIN_SIGNAL))
8197                 goto nla_put_failure;
8198
8199         switch (rdev->wiphy.signal_type) {
8200         case CFG80211_SIGNAL_TYPE_MBM:
8201                 if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
8202                         goto nla_put_failure;
8203                 break;
8204         case CFG80211_SIGNAL_TYPE_UNSPEC:
8205                 if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
8206                         goto nla_put_failure;
8207                 break;
8208         default:
8209                 break;
8210         }
8211
8212         switch (wdev->iftype) {
8213         case NL80211_IFTYPE_P2P_CLIENT:
8214         case NL80211_IFTYPE_STATION:
8215                 if (intbss == wdev->current_bss &&
8216                     nla_put_u32(msg, NL80211_BSS_STATUS,
8217                                 NL80211_BSS_STATUS_ASSOCIATED))
8218                         goto nla_put_failure;
8219                 break;
8220         case NL80211_IFTYPE_ADHOC:
8221                 if (intbss == wdev->current_bss &&
8222                     nla_put_u32(msg, NL80211_BSS_STATUS,
8223                                 NL80211_BSS_STATUS_IBSS_JOINED))
8224                         goto nla_put_failure;
8225                 break;
8226         default:
8227                 break;
8228         }
8229
8230         nla_nest_end(msg, bss);
8231
8232         genlmsg_end(msg, hdr);
8233         return 0;
8234
8235  fail_unlock_rcu:
8236         rcu_read_unlock();
8237  nla_put_failure:
8238         genlmsg_cancel(msg, hdr);
8239         return -EMSGSIZE;
8240 }
8241
8242 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
8243 {
8244         struct cfg80211_registered_device *rdev;
8245         struct cfg80211_internal_bss *scan;
8246         struct wireless_dev *wdev;
8247         int start = cb->args[2], idx = 0;
8248         int err;
8249
8250         rtnl_lock();
8251         err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
8252         if (err) {
8253                 rtnl_unlock();
8254                 return err;
8255         }
8256
8257         wdev_lock(wdev);
8258         spin_lock_bh(&rdev->bss_lock);
8259
8260         /*
8261          * dump_scan will be called multiple times to break up the scan results
8262          * into multiple messages.  It is unlikely that any more bss-es will be
8263          * expired after the first call, so only call only call this on the
8264          * first dump_scan invocation.
8265          */
8266         if (start == 0)
8267                 cfg80211_bss_expire(rdev);
8268
8269         cb->seq = rdev->bss_generation;
8270
8271         list_for_each_entry(scan, &rdev->bss_list, list) {
8272                 if (++idx <= start)
8273                         continue;
8274                 if (nl80211_send_bss(skb, cb,
8275                                 cb->nlh->nlmsg_seq, NLM_F_MULTI,
8276                                 rdev, wdev, scan) < 0) {
8277                         idx--;
8278                         break;
8279                 }
8280         }
8281
8282         spin_unlock_bh(&rdev->bss_lock);
8283         wdev_unlock(wdev);
8284
8285         cb->args[2] = idx;
8286         rtnl_unlock();
8287
8288         return skb->len;
8289 }
8290
8291 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
8292                                int flags, struct net_device *dev,
8293                                bool allow_radio_stats,
8294                                struct survey_info *survey)
8295 {
8296         void *hdr;
8297         struct nlattr *infoattr;
8298
8299         /* skip radio stats if userspace didn't request them */
8300         if (!survey->channel && !allow_radio_stats)
8301                 return 0;
8302
8303         hdr = nl80211hdr_put(msg, portid, seq, flags,
8304                              NL80211_CMD_NEW_SURVEY_RESULTS);
8305         if (!hdr)
8306                 return -ENOMEM;
8307
8308         if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
8309                 goto nla_put_failure;
8310
8311         infoattr = nla_nest_start(msg, NL80211_ATTR_SURVEY_INFO);
8312         if (!infoattr)
8313                 goto nla_put_failure;
8314
8315         if (survey->channel &&
8316             nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
8317                         survey->channel->center_freq))
8318                 goto nla_put_failure;
8319
8320         if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
8321             nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
8322                 goto nla_put_failure;
8323         if ((survey->filled & SURVEY_INFO_IN_USE) &&
8324             nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
8325                 goto nla_put_failure;
8326         if ((survey->filled & SURVEY_INFO_TIME) &&
8327             nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
8328                         survey->time, NL80211_SURVEY_INFO_PAD))
8329                 goto nla_put_failure;
8330         if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
8331             nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
8332                               survey->time_busy, NL80211_SURVEY_INFO_PAD))
8333                 goto nla_put_failure;
8334         if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
8335             nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
8336                               survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
8337                 goto nla_put_failure;
8338         if ((survey->filled & SURVEY_INFO_TIME_RX) &&
8339             nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
8340                               survey->time_rx, NL80211_SURVEY_INFO_PAD))
8341                 goto nla_put_failure;
8342         if ((survey->filled & SURVEY_INFO_TIME_TX) &&
8343             nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
8344                               survey->time_tx, NL80211_SURVEY_INFO_PAD))
8345                 goto nla_put_failure;
8346         if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
8347             nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
8348                               survey->time_scan, NL80211_SURVEY_INFO_PAD))
8349                 goto nla_put_failure;
8350
8351         nla_nest_end(msg, infoattr);
8352
8353         genlmsg_end(msg, hdr);
8354         return 0;
8355
8356  nla_put_failure:
8357         genlmsg_cancel(msg, hdr);
8358         return -EMSGSIZE;
8359 }
8360
8361 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
8362 {
8363         struct nlattr **attrbuf = genl_family_attrbuf(&nl80211_fam);
8364         struct survey_info survey;
8365         struct cfg80211_registered_device *rdev;
8366         struct wireless_dev *wdev;
8367         int survey_idx = cb->args[2];
8368         int res;
8369         bool radio_stats;
8370
8371         rtnl_lock();
8372         res = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
8373         if (res)
8374                 goto out_err;
8375
8376         /* prepare_wdev_dump parsed the attributes */
8377         radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
8378
8379         if (!wdev->netdev) {
8380                 res = -EINVAL;
8381                 goto out_err;
8382         }
8383
8384         if (!rdev->ops->dump_survey) {
8385                 res = -EOPNOTSUPP;
8386                 goto out_err;
8387         }
8388
8389         while (1) {
8390                 res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
8391                 if (res == -ENOENT)
8392                         break;
8393                 if (res)
8394                         goto out_err;
8395
8396                 /* don't send disabled channels, but do send non-channel data */
8397                 if (survey.channel &&
8398                     survey.channel->flags & IEEE80211_CHAN_DISABLED) {
8399                         survey_idx++;
8400                         continue;
8401                 }
8402
8403                 if (nl80211_send_survey(skb,
8404                                 NETLINK_CB(cb->skb).portid,
8405                                 cb->nlh->nlmsg_seq, NLM_F_MULTI,
8406                                 wdev->netdev, radio_stats, &survey) < 0)
8407                         goto out;
8408                 survey_idx++;
8409         }
8410
8411  out:
8412         cb->args[2] = survey_idx;
8413         res = skb->len;
8414  out_err:
8415         rtnl_unlock();
8416         return res;
8417 }
8418
8419 static bool nl80211_valid_wpa_versions(u32 wpa_versions)
8420 {
8421         return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
8422                                   NL80211_WPA_VERSION_2));
8423 }
8424
8425 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
8426 {
8427         struct cfg80211_registered_device *rdev = info->user_ptr[0];
8428         struct net_device *dev = info->user_ptr[1];
8429         struct ieee80211_channel *chan;
8430         const u8 *bssid, *ssid, *ie = NULL, *auth_data = NULL;
8431         int err, ssid_len, ie_len = 0, auth_data_len = 0;
8432         enum nl80211_auth_type auth_type;
8433         struct key_parse key;
8434         bool local_state_change;
8435
8436         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
8437                 return -EINVAL;
8438
8439         if (!info->attrs[NL80211_ATTR_MAC])
8440                 return -EINVAL;
8441
8442         if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
8443                 return -EINVAL;
8444
8445         if (!info->attrs[NL80211_ATTR_SSID])
8446                 return -EINVAL;
8447
8448         if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
8449                 return -EINVAL;
8450
8451         err = nl80211_parse_key(info, &key);
8452         if (err)
8453                 return err;
8454
8455         if (key.idx >= 0) {
8456                 if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
8457                         return -EINVAL;
8458                 if (!key.p.key || !key.p.key_len)
8459                         return -EINVAL;
8460                 if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
8461                      key.p.key_len != WLAN_KEY_LEN_WEP40) &&
8462                     (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
8463                      key.p.key_len != WLAN_KEY_LEN_WEP104))
8464                         return -EINVAL;
8465                 if (key.idx > 3)
8466                         return -EINVAL;
8467         } else {
8468                 key.p.key_len = 0;
8469                 key.p.key = NULL;
8470         }
8471
8472         if (key.idx >= 0) {
8473                 int i;
8474                 bool ok = false;
8475
8476                 for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
8477                         if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
8478                                 ok = true;
8479                                 break;
8480                         }
8481                 }
8482                 if (!ok)
8483                         return -EINVAL;
8484         }
8485
8486         if (!rdev->ops->auth)
8487                 return -EOPNOTSUPP;
8488
8489         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
8490             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
8491                 return -EOPNOTSUPP;
8492
8493         bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
8494         chan = nl80211_get_valid_chan(&rdev->wiphy,
8495                                       info->attrs[NL80211_ATTR_WIPHY_FREQ]);
8496         if (!chan)
8497                 return -EINVAL;
8498
8499         ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
8500         ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
8501
8502         if (info->attrs[NL80211_ATTR_IE]) {
8503                 ie = nla_data(info->attrs[NL80211_ATTR_IE]);
8504                 ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8505         }
8506
8507         auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
8508         if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
8509                 return -EINVAL;
8510
8511         if ((auth_type == NL80211_AUTHTYPE_SAE ||
8512              auth_type == NL80211_AUTHTYPE_FILS_SK ||
8513              auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
8514              auth_type == NL80211_AUTHTYPE_FILS_PK) &&
8515             !info->attrs[NL80211_ATTR_AUTH_DATA])
8516                 return -EINVAL;
8517
8518         if (info->attrs[NL80211_ATTR_AUTH_DATA]) {
8519                 if (auth_type != NL80211_AUTHTYPE_SAE &&
8520                     auth_type != NL80211_AUTHTYPE_FILS_SK &&
8521                     auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
8522                     auth_type != NL80211_AUTHTYPE_FILS_PK)
8523                         return -EINVAL;
8524                 auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
8525                 auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
8526                 /* need to include at least Auth Transaction and Status Code */
8527                 if (auth_data_len < 4)
8528                         return -EINVAL;
8529         }
8530
8531         local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
8532
8533         /*
8534          * Since we no longer track auth state, ignore
8535          * requests to only change local state.
8536          */
8537         if (local_state_change)
8538                 return 0;
8539
8540         wdev_lock(dev->ieee80211_ptr);
8541         err = cfg80211_mlme_auth(rdev, dev, chan, auth_type, bssid,
8542                                  ssid, ssid_len, ie, ie_len,
8543                                  key.p.key, key.p.key_len, key.idx,
8544                                  auth_data, auth_data_len);
8545         wdev_unlock(dev->ieee80211_ptr);
8546         return err;
8547 }
8548
8549 static int validate_pae_over_nl80211(struct cfg80211_registered_device *rdev,
8550                                      struct genl_info *info)
8551 {
8552         if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
8553                 GENL_SET_ERR_MSG(info, "SOCKET_OWNER not set");
8554                 return -EINVAL;
8555         }
8556
8557         if (!rdev->ops->tx_control_port ||
8558             !wiphy_ext_feature_isset(&rdev->wiphy,
8559                                      NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
8560                 return -EOPNOTSUPP;
8561
8562         return 0;
8563 }
8564
8565 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
8566                                    struct genl_info *info,
8567                                    struct cfg80211_crypto_settings *settings,
8568                                    int cipher_limit)
8569 {
8570         memset(settings, 0, sizeof(*settings));
8571
8572         settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
8573
8574         if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
8575                 u16 proto;
8576
8577                 proto = nla_get_u16(
8578                         info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
8579                 settings->control_port_ethertype = cpu_to_be16(proto);
8580                 if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
8581                     proto != ETH_P_PAE)
8582                         return -EINVAL;
8583                 if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
8584                         settings->control_port_no_encrypt = true;
8585         } else
8586                 settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
8587
8588         if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
8589                 int r = validate_pae_over_nl80211(rdev, info);
8590
8591                 if (r < 0)
8592                         return r;
8593
8594                 settings->control_port_over_nl80211 = true;
8595         }
8596
8597         if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
8598                 void *data;
8599                 int len, i;
8600
8601                 data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
8602                 len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
8603                 settings->n_ciphers_pairwise = len / sizeof(u32);
8604
8605                 if (len % sizeof(u32))
8606                         return -EINVAL;
8607
8608                 if (settings->n_ciphers_pairwise > cipher_limit)
8609                         return -EINVAL;
8610
8611                 memcpy(settings->ciphers_pairwise, data, len);
8612
8613                 for (i = 0; i < settings->n_ciphers_pairwise; i++)
8614                         if (!cfg80211_supported_cipher_suite(
8615                                         &rdev->wiphy,
8616                                         settings->ciphers_pairwise[i]))
8617                                 return -EINVAL;
8618         }
8619
8620         if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
8621                 settings->cipher_group =
8622                         nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
8623                 if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
8624                                                      settings->cipher_group))
8625                         return -EINVAL;
8626         }
8627
8628         if (info->attrs[NL80211_ATTR_WPA_VERSIONS]) {
8629                 settings->wpa_versions =
8630                         nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
8631                 if (!nl80211_valid_wpa_versions(settings->wpa_versions))
8632                         return -EINVAL;
8633         }
8634
8635         if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
8636                 void *data;
8637                 int len;
8638
8639                 data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
8640                 len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
8641                 settings->n_akm_suites = len / sizeof(u32);
8642
8643                 if (len % sizeof(u32))
8644                         return -EINVAL;
8645
8646                 if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES)
8647                         return -EINVAL;
8648
8649                 memcpy(settings->akm_suites, data, len);
8650         }
8651
8652         if (info->attrs[NL80211_ATTR_PMK]) {
8653                 if (nla_len(info->attrs[NL80211_ATTR_PMK]) != WLAN_PMK_LEN)
8654                         return -EINVAL;
8655                 if (!wiphy_ext_feature_isset(&rdev->wiphy,
8656                                              NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK))
8657                         return -EINVAL;
8658                 settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
8659         }
8660
8661         return 0;
8662 }
8663
8664 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
8665 {
8666         struct cfg80211_registered_device *rdev = info->user_ptr[0];
8667         struct net_device *dev = info->user_ptr[1];
8668         struct ieee80211_channel *chan;
8669         struct cfg80211_assoc_request req = {};
8670         const u8 *bssid, *ssid;
8671         int err, ssid_len = 0;
8672
8673         if (dev->ieee80211_ptr->conn_owner_nlportid &&
8674             dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
8675                 return -EPERM;
8676
8677         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
8678                 return -EINVAL;
8679
8680         if (!info->attrs[NL80211_ATTR_MAC] ||
8681             !info->attrs[NL80211_ATTR_SSID] ||
8682             !info->attrs[NL80211_ATTR_WIPHY_FREQ])
8683                 return -EINVAL;
8684
8685         if (!rdev->ops->assoc)
8686                 return -EOPNOTSUPP;
8687
8688         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
8689             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
8690                 return -EOPNOTSUPP;
8691
8692         bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
8693
8694         chan = nl80211_get_valid_chan(&rdev->wiphy,
8695                                       info->attrs[NL80211_ATTR_WIPHY_FREQ]);
8696         if (!chan)
8697                 return -EINVAL;
8698
8699         ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
8700         ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
8701
8702         if (info->attrs[NL80211_ATTR_IE]) {
8703                 req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
8704                 req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8705         }
8706
8707         if (info->attrs[NL80211_ATTR_USE_MFP]) {
8708                 enum nl80211_mfp mfp =
8709                         nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
8710                 if (mfp == NL80211_MFP_REQUIRED)
8711                         req.use_mfp = true;
8712                 else if (mfp != NL80211_MFP_NO)
8713                         return -EINVAL;
8714         }
8715
8716         if (info->attrs[NL80211_ATTR_PREV_BSSID])
8717                 req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
8718
8719         if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
8720                 req.flags |= ASSOC_REQ_DISABLE_HT;
8721
8722         if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
8723                 memcpy(&req.ht_capa_mask,
8724                        nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
8725                        sizeof(req.ht_capa_mask));
8726
8727         if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
8728                 if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
8729                         return -EINVAL;
8730                 memcpy(&req.ht_capa,
8731                        nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
8732                        sizeof(req.ht_capa));
8733         }
8734
8735         if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
8736                 req.flags |= ASSOC_REQ_DISABLE_VHT;
8737
8738         if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
8739                 memcpy(&req.vht_capa_mask,
8740                        nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
8741                        sizeof(req.vht_capa_mask));
8742
8743         if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
8744                 if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
8745                         return -EINVAL;
8746                 memcpy(&req.vht_capa,
8747                        nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
8748                        sizeof(req.vht_capa));
8749         }
8750
8751         if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
8752                 if (!((rdev->wiphy.features &
8753                         NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
8754                        (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
8755                     !wiphy_ext_feature_isset(&rdev->wiphy,
8756                                              NL80211_EXT_FEATURE_RRM))
8757                         return -EINVAL;
8758                 req.flags |= ASSOC_REQ_USE_RRM;
8759         }
8760
8761         if (info->attrs[NL80211_ATTR_FILS_KEK]) {
8762                 req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
8763                 req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
8764                 if (!info->attrs[NL80211_ATTR_FILS_NONCES])
8765                         return -EINVAL;
8766                 req.fils_nonces =
8767                         nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
8768         }
8769
8770         err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
8771         if (!err) {
8772                 wdev_lock(dev->ieee80211_ptr);
8773
8774                 err = cfg80211_mlme_assoc(rdev, dev, chan, bssid,
8775                                           ssid, ssid_len, &req);
8776
8777                 if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
8778                         dev->ieee80211_ptr->conn_owner_nlportid =
8779                                 info->snd_portid;
8780                         memcpy(dev->ieee80211_ptr->disconnect_bssid,
8781                                bssid, ETH_ALEN);
8782                 }
8783
8784                 wdev_unlock(dev->ieee80211_ptr);
8785         }
8786
8787         return err;
8788 }
8789
8790 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
8791 {
8792         struct cfg80211_registered_device *rdev = info->user_ptr[0];
8793         struct net_device *dev = info->user_ptr[1];
8794         const u8 *ie = NULL, *bssid;
8795         int ie_len = 0, err;
8796         u16 reason_code;
8797         bool local_state_change;
8798
8799         if (dev->ieee80211_ptr->conn_owner_nlportid &&
8800             dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
8801                 return -EPERM;
8802
8803         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
8804                 return -EINVAL;
8805
8806         if (!info->attrs[NL80211_ATTR_MAC])
8807                 return -EINVAL;
8808
8809         if (!info->attrs[NL80211_ATTR_REASON_CODE])
8810                 return -EINVAL;
8811
8812         if (!rdev->ops->deauth)
8813                 return -EOPNOTSUPP;
8814
8815         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
8816             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
8817                 return -EOPNOTSUPP;
8818
8819         bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
8820
8821         reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
8822         if (reason_code == 0) {
8823                 /* Reason Code 0 is reserved */
8824                 return -EINVAL;
8825         }
8826
8827         if (info->attrs[NL80211_ATTR_IE]) {
8828                 ie = nla_data(info->attrs[NL80211_ATTR_IE]);
8829                 ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8830         }
8831
8832         local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
8833
8834         wdev_lock(dev->ieee80211_ptr);
8835         err = cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
8836                                    local_state_change);
8837         wdev_unlock(dev->ieee80211_ptr);
8838         return err;
8839 }
8840
8841 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
8842 {
8843         struct cfg80211_registered_device *rdev = info->user_ptr[0];
8844         struct net_device *dev = info->user_ptr[1];
8845         const u8 *ie = NULL, *bssid;
8846         int ie_len = 0, err;
8847         u16 reason_code;
8848         bool local_state_change;
8849
8850         if (dev->ieee80211_ptr->conn_owner_nlportid &&
8851             dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
8852                 return -EPERM;
8853
8854         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
8855                 return -EINVAL;
8856
8857         if (!info->attrs[NL80211_ATTR_MAC])
8858                 return -EINVAL;
8859
8860         if (!info->attrs[NL80211_ATTR_REASON_CODE])
8861                 return -EINVAL;
8862
8863         if (!rdev->ops->disassoc)
8864                 return -EOPNOTSUPP;
8865
8866         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
8867             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
8868                 return -EOPNOTSUPP;
8869
8870         bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
8871
8872         reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
8873         if (reason_code == 0) {
8874                 /* Reason Code 0 is reserved */
8875                 return -EINVAL;
8876         }
8877
8878         if (info->attrs[NL80211_ATTR_IE]) {
8879                 ie = nla_data(info->attrs[NL80211_ATTR_IE]);
8880                 ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8881         }
8882
8883         local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
8884
8885         wdev_lock(dev->ieee80211_ptr);
8886         err = cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
8887                                      local_state_change);
8888         wdev_unlock(dev->ieee80211_ptr);
8889         return err;
8890 }
8891
8892 static bool
8893 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
8894                          int mcast_rate[NUM_NL80211_BANDS],
8895                          int rateval)
8896 {
8897         struct wiphy *wiphy = &rdev->wiphy;
8898         bool found = false;
8899         int band, i;
8900
8901         for (band = 0; band < NUM_NL80211_BANDS; band++) {
8902                 struct ieee80211_supported_band *sband;
8903
8904                 sband = wiphy->bands[band];
8905                 if (!sband)
8906                         continue;
8907
8908                 for (i = 0; i < sband->n_bitrates; i++) {
8909                         if (sband->bitrates[i].bitrate == rateval) {
8910                                 mcast_rate[band] = i + 1;
8911                                 found = true;
8912                                 break;
8913                         }
8914                 }
8915         }
8916
8917         return found;
8918 }
8919
8920 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
8921 {
8922         struct cfg80211_registered_device *rdev = info->user_ptr[0];
8923         struct net_device *dev = info->user_ptr[1];
8924         struct cfg80211_ibss_params ibss;
8925         struct wiphy *wiphy;
8926         struct cfg80211_cached_keys *connkeys = NULL;
8927         int err;
8928
8929         memset(&ibss, 0, sizeof(ibss));
8930
8931         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
8932                 return -EINVAL;
8933
8934         if (!info->attrs[NL80211_ATTR_SSID] ||
8935             !nla_len(info->attrs[NL80211_ATTR_SSID]))
8936                 return -EINVAL;
8937
8938         ibss.beacon_interval = 100;
8939
8940         if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])
8941                 ibss.beacon_interval =
8942                         nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
8943
8944         err = cfg80211_validate_beacon_int(rdev, NL80211_IFTYPE_ADHOC,
8945                                            ibss.beacon_interval);
8946         if (err)
8947                 return err;
8948
8949         if (!rdev->ops->join_ibss)
8950                 return -EOPNOTSUPP;
8951
8952         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
8953                 return -EOPNOTSUPP;
8954
8955         wiphy = &rdev->wiphy;
8956
8957         if (info->attrs[NL80211_ATTR_MAC]) {
8958                 ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
8959
8960                 if (!is_valid_ether_addr(ibss.bssid))
8961                         return -EINVAL;
8962         }
8963         ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
8964         ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
8965
8966         if (info->attrs[NL80211_ATTR_IE]) {
8967                 ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
8968                 ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8969         }
8970
8971         err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
8972         if (err)
8973                 return err;
8974
8975         if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
8976                                      NL80211_IFTYPE_ADHOC))
8977                 return -EINVAL;
8978
8979         switch (ibss.chandef.width) {
8980         case NL80211_CHAN_WIDTH_5:
8981         case NL80211_CHAN_WIDTH_10:
8982         case NL80211_CHAN_WIDTH_20_NOHT:
8983                 break;
8984         case NL80211_CHAN_WIDTH_20:
8985         case NL80211_CHAN_WIDTH_40:
8986                 if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
8987                         return -EINVAL;
8988                 break;
8989         case NL80211_CHAN_WIDTH_80:
8990         case NL80211_CHAN_WIDTH_80P80:
8991         case NL80211_CHAN_WIDTH_160:
8992                 if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
8993                         return -EINVAL;
8994                 if (!wiphy_ext_feature_isset(&rdev->wiphy,
8995                                              NL80211_EXT_FEATURE_VHT_IBSS))
8996                         return -EINVAL;
8997                 break;
8998         default:
8999                 return -EINVAL;
9000         }
9001
9002         ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
9003         ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
9004
9005         if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
9006                 u8 *rates =
9007                         nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
9008                 int n_rates =
9009                         nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
9010                 struct ieee80211_supported_band *sband =
9011                         wiphy->bands[ibss.chandef.chan->band];
9012
9013                 err = ieee80211_get_ratemask(sband, rates, n_rates,
9014                                              &ibss.basic_rates);
9015                 if (err)
9016                         return err;
9017         }
9018
9019         if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
9020                 memcpy(&ibss.ht_capa_mask,
9021                        nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
9022                        sizeof(ibss.ht_capa_mask));
9023
9024         if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
9025                 if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
9026                         return -EINVAL;
9027                 memcpy(&ibss.ht_capa,
9028                        nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
9029                        sizeof(ibss.ht_capa));
9030         }
9031
9032         if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
9033             !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
9034                         nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
9035                 return -EINVAL;
9036
9037         if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
9038                 bool no_ht = false;
9039
9040                 connkeys = nl80211_parse_connkeys(rdev, info, &no_ht);
9041                 if (IS_ERR(connkeys))
9042                         return PTR_ERR(connkeys);
9043
9044                 if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
9045                     no_ht) {
9046                         kzfree(connkeys);
9047                         return -EINVAL;
9048                 }
9049         }
9050
9051         ibss.control_port =
9052                 nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
9053
9054         if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
9055                 int r = validate_pae_over_nl80211(rdev, info);
9056
9057                 if (r < 0) {
9058                         kzfree(connkeys);
9059                         return r;
9060                 }
9061
9062                 ibss.control_port_over_nl80211 = true;
9063         }
9064
9065         ibss.userspace_handles_dfs =
9066                 nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
9067
9068         wdev_lock(dev->ieee80211_ptr);
9069         err = __cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
9070         if (err)
9071                 kzfree(connkeys);
9072         else if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
9073                 dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
9074         wdev_unlock(dev->ieee80211_ptr);
9075
9076         return err;
9077 }
9078
9079 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
9080 {
9081         struct cfg80211_registered_device *rdev = info->user_ptr[0];
9082         struct net_device *dev = info->user_ptr[1];
9083
9084         if (!rdev->ops->leave_ibss)
9085                 return -EOPNOTSUPP;
9086
9087         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
9088                 return -EOPNOTSUPP;
9089
9090         return cfg80211_leave_ibss(rdev, dev, false);
9091 }
9092
9093 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
9094 {
9095         struct cfg80211_registered_device *rdev = info->user_ptr[0];
9096         struct net_device *dev = info->user_ptr[1];
9097         int mcast_rate[NUM_NL80211_BANDS];
9098         u32 nla_rate;
9099         int err;
9100
9101         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
9102             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
9103             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
9104                 return -EOPNOTSUPP;
9105
9106         if (!rdev->ops->set_mcast_rate)
9107                 return -EOPNOTSUPP;
9108
9109         memset(mcast_rate, 0, sizeof(mcast_rate));
9110
9111         if (!info->attrs[NL80211_ATTR_MCAST_RATE])
9112                 return -EINVAL;
9113
9114         nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
9115         if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
9116                 return -EINVAL;
9117
9118         err = rdev_set_mcast_rate(rdev, dev, mcast_rate);
9119
9120         return err;
9121 }
9122
9123 static struct sk_buff *
9124 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
9125                             struct wireless_dev *wdev, int approxlen,
9126                             u32 portid, u32 seq, enum nl80211_commands cmd,
9127                             enum nl80211_attrs attr,
9128                             const struct nl80211_vendor_cmd_info *info,
9129                             gfp_t gfp)
9130 {
9131         struct sk_buff *skb;
9132         void *hdr;
9133         struct nlattr *data;
9134
9135         skb = nlmsg_new(approxlen + 100, gfp);
9136         if (!skb)
9137                 return NULL;
9138
9139         hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
9140         if (!hdr) {
9141                 kfree_skb(skb);
9142                 return NULL;
9143         }
9144
9145         if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
9146                 goto nla_put_failure;
9147
9148         if (info) {
9149                 if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
9150                                 info->vendor_id))
9151                         goto nla_put_failure;
9152                 if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
9153                                 info->subcmd))
9154                         goto nla_put_failure;
9155         }
9156
9157         if (wdev) {
9158                 if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
9159                                       wdev_id(wdev), NL80211_ATTR_PAD))
9160                         goto nla_put_failure;
9161                 if (wdev->netdev &&
9162                     nla_put_u32(skb, NL80211_ATTR_IFINDEX,
9163                                 wdev->netdev->ifindex))
9164                         goto nla_put_failure;
9165         }
9166
9167         data = nla_nest_start(skb, attr);
9168         if (!data)
9169                 goto nla_put_failure;
9170
9171         ((void **)skb->cb)[0] = rdev;
9172         ((void **)skb->cb)[1] = hdr;
9173         ((void **)skb->cb)[2] = data;
9174
9175         return skb;
9176
9177  nla_put_failure:
9178         kfree_skb(skb);
9179         return NULL;
9180 }
9181
9182 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
9183                                            struct wireless_dev *wdev,
9184                                            enum nl80211_commands cmd,
9185                                            enum nl80211_attrs attr,
9186                                            int vendor_event_idx,
9187                                            int approxlen, gfp_t gfp)
9188 {
9189         struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
9190         const struct nl80211_vendor_cmd_info *info;
9191
9192         switch (cmd) {
9193         case NL80211_CMD_TESTMODE:
9194                 if (WARN_ON(vendor_event_idx != -1))
9195                         return NULL;
9196                 info = NULL;
9197                 break;
9198         case NL80211_CMD_VENDOR:
9199                 if (WARN_ON(vendor_event_idx < 0 ||
9200                             vendor_event_idx >= wiphy->n_vendor_events))
9201                         return NULL;
9202                 info = &wiphy->vendor_events[vendor_event_idx];
9203                 break;
9204         default:
9205                 WARN_ON(1);
9206                 return NULL;
9207         }
9208
9209         return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, 0, 0,
9210                                            cmd, attr, info, gfp);
9211 }
9212 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
9213
9214 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
9215 {
9216         struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
9217         void *hdr = ((void **)skb->cb)[1];
9218         struct nlattr *data = ((void **)skb->cb)[2];
9219         enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
9220
9221         /* clear CB data for netlink core to own from now on */
9222         memset(skb->cb, 0, sizeof(skb->cb));
9223
9224         nla_nest_end(skb, data);
9225         genlmsg_end(skb, hdr);
9226
9227         if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
9228                 mcgrp = NL80211_MCGRP_VENDOR;
9229
9230         genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), skb, 0,
9231                                 mcgrp, gfp);
9232 }
9233 EXPORT_SYMBOL(__cfg80211_send_event_skb);
9234
9235 #ifdef CONFIG_NL80211_TESTMODE
9236 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
9237 {
9238         struct cfg80211_registered_device *rdev = info->user_ptr[0];
9239         struct wireless_dev *wdev =
9240                 __cfg80211_wdev_from_attrs(genl_info_net(info), info->attrs);
9241         int err;
9242
9243         if (!rdev->ops->testmode_cmd)
9244                 return -EOPNOTSUPP;
9245
9246         if (IS_ERR(wdev)) {
9247                 err = PTR_ERR(wdev);
9248                 if (err != -EINVAL)
9249                         return err;
9250                 wdev = NULL;
9251         } else if (wdev->wiphy != &rdev->wiphy) {
9252                 return -EINVAL;
9253         }
9254
9255         if (!info->attrs[NL80211_ATTR_TESTDATA])
9256                 return -EINVAL;
9257
9258         rdev->cur_cmd_info = info;
9259         err = rdev_testmode_cmd(rdev, wdev,
9260                                 nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
9261                                 nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
9262         rdev->cur_cmd_info = NULL;
9263
9264         return err;
9265 }
9266
9267 static int nl80211_testmode_dump(struct sk_buff *skb,
9268                                  struct netlink_callback *cb)
9269 {
9270         struct cfg80211_registered_device *rdev;
9271         int err;
9272         long phy_idx;
9273         void *data = NULL;
9274         int data_len = 0;
9275
9276         rtnl_lock();
9277
9278         if (cb->args[0]) {
9279                 /*
9280                  * 0 is a valid index, but not valid for args[0],
9281                  * so we need to offset by 1.
9282                  */
9283                 phy_idx = cb->args[0] - 1;
9284
9285                 rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
9286                 if (!rdev) {
9287                         err = -ENOENT;
9288                         goto out_err;
9289                 }
9290         } else {
9291                 struct nlattr **attrbuf = genl_family_attrbuf(&nl80211_fam);
9292
9293                 err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
9294                                   attrbuf, nl80211_fam.maxattr,
9295                                   nl80211_policy, NULL);
9296                 if (err)
9297                         goto out_err;
9298
9299                 rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
9300                 if (IS_ERR(rdev)) {
9301                         err = PTR_ERR(rdev);
9302                         goto out_err;
9303                 }
9304                 phy_idx = rdev->wiphy_idx;
9305
9306                 if (attrbuf[NL80211_ATTR_TESTDATA])
9307                         cb->args[1] = (long)attrbuf[NL80211_ATTR_TESTDATA];
9308         }
9309
9310         if (cb->args[1]) {
9311                 data = nla_data((void *)cb->args[1]);
9312                 data_len = nla_len((void *)cb->args[1]);
9313         }
9314
9315         if (!rdev->ops->testmode_dump) {
9316                 err = -EOPNOTSUPP;
9317                 goto out_err;
9318         }
9319
9320         while (1) {
9321                 void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
9322                                            cb->nlh->nlmsg_seq, NLM_F_MULTI,
9323                                            NL80211_CMD_TESTMODE);
9324                 struct nlattr *tmdata;
9325
9326                 if (!hdr)
9327                         break;
9328
9329                 if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
9330                         genlmsg_cancel(skb, hdr);
9331                         break;
9332                 }
9333
9334                 tmdata = nla_nest_start(skb, NL80211_ATTR_TESTDATA);
9335                 if (!tmdata) {
9336                         genlmsg_cancel(skb, hdr);
9337                         break;
9338                 }
9339                 err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
9340                 nla_nest_end(skb, tmdata);
9341
9342                 if (err == -ENOBUFS || err == -ENOENT) {
9343                         genlmsg_cancel(skb, hdr);
9344                         break;
9345                 } else if (err) {
9346                         genlmsg_cancel(skb, hdr);
9347                         goto out_err;
9348                 }
9349
9350                 genlmsg_end(skb, hdr);
9351         }
9352
9353         err = skb->len;
9354         /* see above */
9355         cb->args[0] = phy_idx + 1;
9356  out_err:
9357         rtnl_unlock();
9358         return err;
9359 }
9360 #endif
9361
9362 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
9363 {
9364         struct cfg80211_registered_device *rdev = info->user_ptr[0];
9365         struct net_device *dev = info->user_ptr[1];
9366         struct cfg80211_connect_params connect;
9367         struct wiphy *wiphy;
9368         struct cfg80211_cached_keys *connkeys = NULL;
9369         int err;
9370
9371         memset(&connect, 0, sizeof(connect));
9372
9373         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
9374                 return -EINVAL;
9375
9376         if (!info->attrs[NL80211_ATTR_SSID] ||
9377             !nla_len(info->attrs[NL80211_ATTR_SSID]))
9378                 return -EINVAL;
9379
9380         if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
9381                 connect.auth_type =
9382                         nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
9383                 if (!nl80211_valid_auth_type(rdev, connect.auth_type,
9384                                              NL80211_CMD_CONNECT))
9385                         return -EINVAL;
9386         } else
9387                 connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
9388
9389         connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
9390
9391         if (info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS] &&
9392             !wiphy_ext_feature_isset(&rdev->wiphy,
9393                                      NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
9394                 return -EINVAL;
9395         connect.want_1x = info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS];
9396
9397         err = nl80211_crypto_settings(rdev, info, &connect.crypto,
9398                                       NL80211_MAX_NR_CIPHER_SUITES);
9399         if (err)
9400                 return err;
9401
9402         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9403             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9404                 return -EOPNOTSUPP;
9405
9406         wiphy = &rdev->wiphy;
9407
9408         connect.bg_scan_period = -1;
9409         if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
9410                 (wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
9411                 connect.bg_scan_period =
9412                         nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
9413         }
9414
9415         if (info->attrs[NL80211_ATTR_MAC])
9416                 connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
9417         else if (info->attrs[NL80211_ATTR_MAC_HINT])
9418                 connect.bssid_hint =
9419                         nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
9420         connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
9421         connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
9422
9423         if (info->attrs[NL80211_ATTR_IE]) {
9424                 connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9425                 connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9426         }
9427
9428         if (info->attrs[NL80211_ATTR_USE_MFP]) {
9429                 connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
9430                 if (connect.mfp == NL80211_MFP_OPTIONAL &&
9431                     !wiphy_ext_feature_isset(&rdev->wiphy,
9432                                              NL80211_EXT_FEATURE_MFP_OPTIONAL))
9433                         return -EOPNOTSUPP;
9434
9435                 if (connect.mfp != NL80211_MFP_REQUIRED &&
9436                     connect.mfp != NL80211_MFP_NO &&
9437                     connect.mfp != NL80211_MFP_OPTIONAL)
9438                         return -EINVAL;
9439         } else {
9440                 connect.mfp = NL80211_MFP_NO;
9441         }
9442
9443         if (info->attrs[NL80211_ATTR_PREV_BSSID])
9444                 connect.prev_bssid =
9445                         nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
9446
9447         if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
9448                 connect.channel = nl80211_get_valid_chan(
9449                         wiphy, info->attrs[NL80211_ATTR_WIPHY_FREQ]);
9450                 if (!connect.channel)
9451                         return -EINVAL;
9452         } else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
9453                 connect.channel_hint = nl80211_get_valid_chan(
9454                         wiphy, info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
9455                 if (!connect.channel_hint)
9456                         return -EINVAL;
9457         }
9458
9459         if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
9460                 connkeys = nl80211_parse_connkeys(rdev, info, NULL);
9461                 if (IS_ERR(connkeys))
9462                         return PTR_ERR(connkeys);
9463         }
9464
9465         if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
9466                 connect.flags |= ASSOC_REQ_DISABLE_HT;
9467
9468         if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
9469                 memcpy(&connect.ht_capa_mask,
9470                        nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
9471                        sizeof(connect.ht_capa_mask));
9472
9473         if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
9474                 if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
9475                         kzfree(connkeys);
9476                         return -EINVAL;
9477                 }
9478                 memcpy(&connect.ht_capa,
9479                        nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
9480                        sizeof(connect.ht_capa));
9481         }
9482
9483         if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
9484                 connect.flags |= ASSOC_REQ_DISABLE_VHT;
9485
9486         if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
9487                 memcpy(&connect.vht_capa_mask,
9488                        nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
9489                        sizeof(connect.vht_capa_mask));
9490
9491         if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
9492                 if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
9493                         kzfree(connkeys);
9494                         return -EINVAL;
9495                 }
9496                 memcpy(&connect.vht_capa,
9497                        nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
9498                        sizeof(connect.vht_capa));
9499         }
9500
9501         if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
9502                 if (!((rdev->wiphy.features &
9503                         NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
9504                        (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
9505                     !wiphy_ext_feature_isset(&rdev->wiphy,
9506                                              NL80211_EXT_FEATURE_RRM)) {
9507                         kzfree(connkeys);
9508                         return -EINVAL;
9509                 }
9510                 connect.flags |= ASSOC_REQ_USE_RRM;
9511         }
9512
9513         connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
9514         if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
9515                 kzfree(connkeys);
9516                 return -EOPNOTSUPP;
9517         }
9518
9519         if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
9520                 /* bss selection makes no sense if bssid is set */
9521                 if (connect.bssid) {
9522                         kzfree(connkeys);
9523                         return -EINVAL;
9524                 }
9525
9526                 err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
9527                                        wiphy, &connect.bss_select);
9528                 if (err) {
9529                         kzfree(connkeys);
9530                         return err;
9531                 }
9532         }
9533
9534         if (wiphy_ext_feature_isset(&rdev->wiphy,
9535                                     NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
9536             info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
9537             info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
9538             info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
9539             info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
9540                 connect.fils_erp_username =
9541                         nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
9542                 connect.fils_erp_username_len =
9543                         nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
9544                 connect.fils_erp_realm =
9545                         nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
9546                 connect.fils_erp_realm_len =
9547                         nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
9548                 connect.fils_erp_next_seq_num =
9549                         nla_get_u16(
9550                            info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
9551                 connect.fils_erp_rrk =
9552                         nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
9553                 connect.fils_erp_rrk_len =
9554                         nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
9555         } else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
9556                    info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
9557                    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
9558                    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
9559                 kzfree(connkeys);
9560                 return -EINVAL;
9561         }
9562
9563         if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])) {
9564                 if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
9565                         kzfree(connkeys);
9566                         GENL_SET_ERR_MSG(info,
9567                                          "external auth requires connection ownership");
9568                         return -EINVAL;
9569                 }
9570                 connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;
9571         }
9572
9573         wdev_lock(dev->ieee80211_ptr);
9574
9575         err = cfg80211_connect(rdev, dev, &connect, connkeys,
9576                                connect.prev_bssid);
9577         if (err)
9578                 kzfree(connkeys);
9579
9580         if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
9581                 dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
9582                 if (connect.bssid)
9583                         memcpy(dev->ieee80211_ptr->disconnect_bssid,
9584                                connect.bssid, ETH_ALEN);
9585                 else
9586                         memset(dev->ieee80211_ptr->disconnect_bssid,
9587                                0, ETH_ALEN);
9588         }
9589
9590         wdev_unlock(dev->ieee80211_ptr);
9591
9592         return err;
9593 }
9594
9595 static int nl80211_update_connect_params(struct sk_buff *skb,
9596                                          struct genl_info *info)
9597 {
9598         struct cfg80211_connect_params connect = {};
9599         struct cfg80211_registered_device *rdev = info->user_ptr[0];
9600         struct net_device *dev = info->user_ptr[1];
9601         struct wireless_dev *wdev = dev->ieee80211_ptr;
9602         bool fils_sk_offload;
9603         u32 auth_type;
9604         u32 changed = 0;
9605         int ret;
9606
9607         if (!rdev->ops->update_connect_params)
9608                 return -EOPNOTSUPP;
9609
9610         if (info->attrs[NL80211_ATTR_IE]) {
9611                 if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
9612                         return -EINVAL;
9613                 connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9614                 connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9615                 changed |= UPDATE_ASSOC_IES;
9616         }
9617
9618         fils_sk_offload = wiphy_ext_feature_isset(&rdev->wiphy,
9619                                                   NL80211_EXT_FEATURE_FILS_SK_OFFLOAD);
9620
9621         /*
9622          * when driver supports fils-sk offload all attributes must be
9623          * provided. So the else covers "fils-sk-not-all" and
9624          * "no-fils-sk-any".
9625          */
9626         if (fils_sk_offload &&
9627             info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
9628             info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
9629             info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
9630             info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
9631                 connect.fils_erp_username =
9632                         nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
9633                 connect.fils_erp_username_len =
9634                         nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
9635                 connect.fils_erp_realm =
9636                         nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
9637                 connect.fils_erp_realm_len =
9638                         nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
9639                 connect.fils_erp_next_seq_num =
9640                         nla_get_u16(
9641                            info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
9642                 connect.fils_erp_rrk =
9643                         nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
9644                 connect.fils_erp_rrk_len =
9645                         nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
9646                 changed |= UPDATE_FILS_ERP_INFO;
9647         } else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
9648                    info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
9649                    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
9650                    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
9651                 return -EINVAL;
9652         }
9653
9654         if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
9655                 auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
9656                 if (!nl80211_valid_auth_type(rdev, auth_type,
9657                                              NL80211_CMD_CONNECT))
9658                         return -EINVAL;
9659
9660                 if (auth_type == NL80211_AUTHTYPE_FILS_SK &&
9661                     fils_sk_offload && !(changed & UPDATE_FILS_ERP_INFO))
9662                         return -EINVAL;
9663
9664                 connect.auth_type = auth_type;
9665                 changed |= UPDATE_AUTH_TYPE;
9666         }
9667
9668         wdev_lock(dev->ieee80211_ptr);
9669         if (!wdev->current_bss)
9670                 ret = -ENOLINK;
9671         else
9672                 ret = rdev_update_connect_params(rdev, dev, &connect, changed);
9673         wdev_unlock(dev->ieee80211_ptr);
9674
9675         return ret;
9676 }
9677
9678 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
9679 {
9680         struct cfg80211_registered_device *rdev = info->user_ptr[0];
9681         struct net_device *dev = info->user_ptr[1];
9682         u16 reason;
9683         int ret;
9684
9685         if (dev->ieee80211_ptr->conn_owner_nlportid &&
9686             dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
9687                 return -EPERM;
9688
9689         if (!info->attrs[NL80211_ATTR_REASON_CODE])
9690                 reason = WLAN_REASON_DEAUTH_LEAVING;
9691         else
9692                 reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
9693
9694         if (reason == 0)
9695                 return -EINVAL;
9696
9697         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9698             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9699                 return -EOPNOTSUPP;
9700
9701         wdev_lock(dev->ieee80211_ptr);
9702         ret = cfg80211_disconnect(rdev, dev, reason, true);
9703         wdev_unlock(dev->ieee80211_ptr);
9704         return ret;
9705 }
9706
9707 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
9708 {
9709         struct cfg80211_registered_device *rdev = info->user_ptr[0];
9710         struct net *net;
9711         int err;
9712
9713         if (info->attrs[NL80211_ATTR_PID]) {
9714                 u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
9715
9716                 net = get_net_ns_by_pid(pid);
9717         } else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
9718                 u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
9719
9720                 net = get_net_ns_by_fd(fd);
9721         } else {
9722                 return -EINVAL;
9723         }
9724
9725         if (IS_ERR(net))
9726                 return PTR_ERR(net);
9727
9728         err = 0;
9729
9730         /* check if anything to do */
9731         if (!net_eq(wiphy_net(&rdev->wiphy), net))
9732                 err = cfg80211_switch_netns(rdev, net);
9733
9734         put_net(net);
9735         return err;
9736 }
9737
9738 static int nl80211_setdel_pmksa(struct sk_buff *skb, struct genl_info *info)
9739 {
9740         struct cfg80211_registered_device *rdev = info->user_ptr[0];
9741         int (*rdev_ops)(struct wiphy *wiphy, struct net_device *dev,
9742                         struct cfg80211_pmksa *pmksa) = NULL;
9743         struct net_device *dev = info->user_ptr[1];
9744         struct cfg80211_pmksa pmksa;
9745
9746         memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
9747
9748         if (!info->attrs[NL80211_ATTR_PMKID])
9749                 return -EINVAL;
9750
9751         pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
9752
9753         if (info->attrs[NL80211_ATTR_MAC]) {
9754                 pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
9755         } else if (info->attrs[NL80211_ATTR_SSID] &&
9756                    info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
9757                    (info->genlhdr->cmd == NL80211_CMD_DEL_PMKSA ||
9758                     info->attrs[NL80211_ATTR_PMK])) {
9759                 pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
9760                 pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
9761                 pmksa.cache_id =
9762                         nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
9763         } else {
9764                 return -EINVAL;
9765         }
9766         if (info->attrs[NL80211_ATTR_PMK]) {
9767                 pmksa.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
9768                 pmksa.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
9769         }
9770
9771         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9772             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9773                 return -EOPNOTSUPP;
9774
9775         switch (info->genlhdr->cmd) {
9776         case NL80211_CMD_SET_PMKSA:
9777                 rdev_ops = rdev->ops->set_pmksa;
9778                 break;
9779         case NL80211_CMD_DEL_PMKSA:
9780                 rdev_ops = rdev->ops->del_pmksa;
9781                 break;
9782         default:
9783                 WARN_ON(1);
9784                 break;
9785         }
9786
9787         if (!rdev_ops)
9788                 return -EOPNOTSUPP;
9789
9790         return rdev_ops(&rdev->wiphy, dev, &pmksa);
9791 }
9792
9793 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
9794 {
9795         struct cfg80211_registered_device *rdev = info->user_ptr[0];
9796         struct net_device *dev = info->user_ptr[1];
9797
9798         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9799             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9800                 return -EOPNOTSUPP;
9801
9802         if (!rdev->ops->flush_pmksa)
9803                 return -EOPNOTSUPP;
9804
9805         return rdev_flush_pmksa(rdev, dev);
9806 }
9807
9808 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
9809 {
9810         struct cfg80211_registered_device *rdev = info->user_ptr[0];
9811         struct net_device *dev = info->user_ptr[1];
9812         u8 action_code, dialog_token;
9813         u32 peer_capability = 0;
9814         u16 status_code;
9815         u8 *peer;
9816         bool initiator;
9817
9818         if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
9819             !rdev->ops->tdls_mgmt)
9820                 return -EOPNOTSUPP;
9821
9822         if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
9823             !info->attrs[NL80211_ATTR_STATUS_CODE] ||
9824             !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
9825             !info->attrs[NL80211_ATTR_IE] ||
9826             !info->attrs[NL80211_ATTR_MAC])
9827                 return -EINVAL;
9828
9829         peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
9830         action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
9831         status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
9832         dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
9833         initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
9834         if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
9835                 peer_capability =
9836                         nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
9837
9838         return rdev_tdls_mgmt(rdev, dev, peer, action_code,
9839                               dialog_token, status_code, peer_capability,
9840                               initiator,
9841                               nla_data(info->attrs[NL80211_ATTR_IE]),
9842                               nla_len(info->attrs[NL80211_ATTR_IE]));
9843 }
9844
9845 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
9846 {
9847         struct cfg80211_registered_device *rdev = info->user_ptr[0];
9848         struct net_device *dev = info->user_ptr[1];
9849         enum nl80211_tdls_operation operation;
9850         u8 *peer;
9851
9852         if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
9853             !rdev->ops->tdls_oper)
9854                 return -EOPNOTSUPP;
9855
9856         if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
9857             !info->attrs[NL80211_ATTR_MAC])
9858                 return -EINVAL;
9859
9860         operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
9861         peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
9862
9863         return rdev_tdls_oper(rdev, dev, peer, operation);
9864 }
9865
9866 static int nl80211_remain_on_channel(struct sk_buff *skb,
9867                                      struct genl_info *info)
9868 {
9869         struct cfg80211_registered_device *rdev = info->user_ptr[0];
9870         struct wireless_dev *wdev = info->user_ptr[1];
9871         struct cfg80211_chan_def chandef;
9872         const struct cfg80211_chan_def *compat_chandef;
9873         struct sk_buff *msg;
9874         void *hdr;
9875         u64 cookie;
9876         u32 duration;
9877         int err;
9878
9879         if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
9880             !info->attrs[NL80211_ATTR_DURATION])
9881                 return -EINVAL;
9882
9883         duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
9884
9885         if (!rdev->ops->remain_on_channel ||
9886             !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
9887                 return -EOPNOTSUPP;
9888
9889         /*
9890          * We should be on that channel for at least a minimum amount of
9891          * time (10ms) but no longer than the driver supports.
9892          */
9893         if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
9894             duration > rdev->wiphy.max_remain_on_channel_duration)
9895                 return -EINVAL;
9896
9897         err = nl80211_parse_chandef(rdev, info, &chandef);
9898         if (err)
9899                 return err;
9900
9901         wdev_lock(wdev);
9902         if (!cfg80211_off_channel_oper_allowed(wdev) &&
9903             !cfg80211_chandef_identical(&wdev->chandef, &chandef)) {
9904                 compat_chandef = cfg80211_chandef_compatible(&wdev->chandef,
9905                                                              &chandef);
9906                 if (compat_chandef != &chandef) {
9907                         wdev_unlock(wdev);
9908                         return -EBUSY;
9909                 }
9910         }
9911         wdev_unlock(wdev);
9912
9913         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9914         if (!msg)
9915                 return -ENOMEM;
9916
9917         hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
9918                              NL80211_CMD_REMAIN_ON_CHANNEL);
9919         if (!hdr) {
9920                 err = -ENOBUFS;
9921                 goto free_msg;
9922         }
9923
9924         err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
9925                                      duration, &cookie);
9926
9927         if (err)
9928                 goto free_msg;
9929
9930         if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
9931                               NL80211_ATTR_PAD))
9932                 goto nla_put_failure;
9933
9934         genlmsg_end(msg, hdr);
9935
9936         return genlmsg_reply(msg, info);
9937
9938  nla_put_failure:
9939         err = -ENOBUFS;
9940  free_msg:
9941         nlmsg_free(msg);
9942         return err;
9943 }
9944
9945 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
9946                                             struct genl_info *info)
9947 {
9948         struct cfg80211_registered_device *rdev = info->user_ptr[0];
9949         struct wireless_dev *wdev = info->user_ptr[1];
9950         u64 cookie;
9951
9952         if (!info->attrs[NL80211_ATTR_COOKIE])
9953                 return -EINVAL;
9954
9955         if (!rdev->ops->cancel_remain_on_channel)
9956                 return -EOPNOTSUPP;
9957
9958         cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
9959
9960         return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
9961 }
9962
9963 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
9964                                        struct genl_info *info)
9965 {
9966         struct cfg80211_bitrate_mask mask;
9967         struct cfg80211_registered_device *rdev = info->user_ptr[0];
9968         struct net_device *dev = info->user_ptr[1];
9969         int err;
9970
9971         if (!rdev->ops->set_bitrate_mask)
9972                 return -EOPNOTSUPP;
9973
9974         err = nl80211_parse_tx_bitrate_mask(info, &mask);
9975         if (err)
9976                 return err;
9977
9978         return rdev_set_bitrate_mask(rdev, dev, NULL, &mask);
9979 }
9980
9981 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
9982 {
9983         struct cfg80211_registered_device *rdev = info->user_ptr[0];
9984         struct wireless_dev *wdev = info->user_ptr[1];
9985         u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
9986
9987         if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
9988                 return -EINVAL;
9989
9990         if (info->attrs[NL80211_ATTR_FRAME_TYPE])
9991                 frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
9992
9993         switch (wdev->iftype) {
9994         case NL80211_IFTYPE_STATION:
9995         case NL80211_IFTYPE_ADHOC:
9996         case NL80211_IFTYPE_P2P_CLIENT:
9997         case NL80211_IFTYPE_AP:
9998         case NL80211_IFTYPE_AP_VLAN:
9999         case NL80211_IFTYPE_MESH_POINT:
10000         case NL80211_IFTYPE_P2P_GO:
10001         case NL80211_IFTYPE_P2P_DEVICE:
10002                 break;
10003         case NL80211_IFTYPE_NAN:
10004         default:
10005                 return -EOPNOTSUPP;
10006         }
10007
10008         /* not much point in registering if we can't reply */
10009         if (!rdev->ops->mgmt_tx)
10010                 return -EOPNOTSUPP;
10011
10012         return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
10013                         nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
10014                         nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]));
10015 }
10016
10017 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
10018 {
10019         struct cfg80211_registered_device *rdev = info->user_ptr[0];
10020         struct wireless_dev *wdev = info->user_ptr[1];
10021         struct cfg80211_chan_def chandef;
10022         int err;
10023         void *hdr = NULL;
10024         u64 cookie;
10025         struct sk_buff *msg = NULL;
10026         struct cfg80211_mgmt_tx_params params = {
10027                 .dont_wait_for_ack =
10028                         info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
10029         };
10030
10031         if (!info->attrs[NL80211_ATTR_FRAME])
10032                 return -EINVAL;
10033
10034         if (!rdev->ops->mgmt_tx)
10035                 return -EOPNOTSUPP;
10036
10037         switch (wdev->iftype) {
10038         case NL80211_IFTYPE_P2P_DEVICE:
10039                 if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
10040                         return -EINVAL;
10041         case NL80211_IFTYPE_STATION:
10042         case NL80211_IFTYPE_ADHOC:
10043         case NL80211_IFTYPE_P2P_CLIENT:
10044         case NL80211_IFTYPE_AP:
10045         case NL80211_IFTYPE_AP_VLAN:
10046         case NL80211_IFTYPE_MESH_POINT:
10047         case NL80211_IFTYPE_P2P_GO:
10048                 break;
10049         case NL80211_IFTYPE_NAN:
10050         default:
10051                 return -EOPNOTSUPP;
10052         }
10053
10054         if (info->attrs[NL80211_ATTR_DURATION]) {
10055                 if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
10056                         return -EINVAL;
10057                 params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
10058
10059                 /*
10060                  * We should wait on the channel for at least a minimum amount
10061                  * of time (10ms) but no longer than the driver supports.
10062                  */
10063                 if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
10064                     params.wait > rdev->wiphy.max_remain_on_channel_duration)
10065                         return -EINVAL;
10066         }
10067
10068         params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
10069
10070         if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
10071                 return -EINVAL;
10072
10073         params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
10074
10075         /* get the channel if any has been specified, otherwise pass NULL to
10076          * the driver. The latter will use the current one
10077          */
10078         chandef.chan = NULL;
10079         if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
10080                 err = nl80211_parse_chandef(rdev, info, &chandef);
10081                 if (err)
10082                         return err;
10083         }
10084
10085         if (!chandef.chan && params.offchan)
10086                 return -EINVAL;
10087
10088         wdev_lock(wdev);
10089         if (params.offchan && !cfg80211_off_channel_oper_allowed(wdev)) {
10090                 wdev_unlock(wdev);
10091                 return -EBUSY;
10092         }
10093         wdev_unlock(wdev);
10094
10095         params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
10096         params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
10097
10098         if (info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]) {
10099                 int len = nla_len(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
10100                 int i;
10101
10102                 if (len % sizeof(u16))
10103                         return -EINVAL;
10104
10105                 params.n_csa_offsets = len / sizeof(u16);
10106                 params.csa_offsets =
10107                         nla_data(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
10108
10109                 /* check that all the offsets fit the frame */
10110                 for (i = 0; i < params.n_csa_offsets; i++) {
10111                         if (params.csa_offsets[i] >= params.len)
10112                                 return -EINVAL;
10113                 }
10114         }
10115
10116         if (!params.dont_wait_for_ack) {
10117                 msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10118                 if (!msg)
10119                         return -ENOMEM;
10120
10121                 hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
10122                                      NL80211_CMD_FRAME);
10123                 if (!hdr) {
10124                         err = -ENOBUFS;
10125                         goto free_msg;
10126                 }
10127         }
10128
10129         params.chan = chandef.chan;
10130         err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
10131         if (err)
10132                 goto free_msg;
10133
10134         if (msg) {
10135                 if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
10136                                       NL80211_ATTR_PAD))
10137                         goto nla_put_failure;
10138
10139                 genlmsg_end(msg, hdr);
10140                 return genlmsg_reply(msg, info);
10141         }
10142
10143         return 0;
10144
10145  nla_put_failure:
10146         err = -ENOBUFS;
10147  free_msg:
10148         nlmsg_free(msg);
10149         return err;
10150 }
10151
10152 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
10153 {
10154         struct cfg80211_registered_device *rdev = info->user_ptr[0];
10155         struct wireless_dev *wdev = info->user_ptr[1];
10156         u64 cookie;
10157
10158         if (!info->attrs[NL80211_ATTR_COOKIE])
10159                 return -EINVAL;
10160
10161         if (!rdev->ops->mgmt_tx_cancel_wait)
10162                 return -EOPNOTSUPP;
10163
10164         switch (wdev->iftype) {
10165         case NL80211_IFTYPE_STATION:
10166         case NL80211_IFTYPE_ADHOC:
10167         case NL80211_IFTYPE_P2P_CLIENT:
10168         case NL80211_IFTYPE_AP:
10169         case NL80211_IFTYPE_AP_VLAN:
10170         case NL80211_IFTYPE_P2P_GO:
10171         case NL80211_IFTYPE_P2P_DEVICE:
10172                 break;
10173         case NL80211_IFTYPE_NAN:
10174         default:
10175                 return -EOPNOTSUPP;
10176         }
10177
10178         cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
10179
10180         return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
10181 }
10182
10183 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
10184 {
10185         struct cfg80211_registered_device *rdev = info->user_ptr[0];
10186         struct wireless_dev *wdev;
10187         struct net_device *dev = info->user_ptr[1];
10188         u8 ps_state;
10189         bool state;
10190         int err;
10191
10192         if (!info->attrs[NL80211_ATTR_PS_STATE])
10193                 return -EINVAL;
10194
10195         ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
10196
10197         if (ps_state != NL80211_PS_DISABLED && ps_state != NL80211_PS_ENABLED)
10198                 return -EINVAL;
10199
10200         wdev = dev->ieee80211_ptr;
10201
10202         if (!rdev->ops->set_power_mgmt)
10203                 return -EOPNOTSUPP;
10204
10205         state = (ps_state == NL80211_PS_ENABLED) ? true : false;
10206
10207         if (state == wdev->ps)
10208                 return 0;
10209
10210         err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
10211         if (!err)
10212                 wdev->ps = state;
10213         return err;
10214 }
10215
10216 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
10217 {
10218         struct cfg80211_registered_device *rdev = info->user_ptr[0];
10219         enum nl80211_ps_state ps_state;
10220         struct wireless_dev *wdev;
10221         struct net_device *dev = info->user_ptr[1];
10222         struct sk_buff *msg;
10223         void *hdr;
10224         int err;
10225
10226         wdev = dev->ieee80211_ptr;
10227
10228         if (!rdev->ops->set_power_mgmt)
10229                 return -EOPNOTSUPP;
10230
10231         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10232         if (!msg)
10233                 return -ENOMEM;
10234
10235         hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
10236                              NL80211_CMD_GET_POWER_SAVE);
10237         if (!hdr) {
10238                 err = -ENOBUFS;
10239                 goto free_msg;
10240         }
10241
10242         if (wdev->ps)
10243                 ps_state = NL80211_PS_ENABLED;
10244         else
10245                 ps_state = NL80211_PS_DISABLED;
10246
10247         if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
10248                 goto nla_put_failure;
10249
10250         genlmsg_end(msg, hdr);
10251         return genlmsg_reply(msg, info);
10252
10253  nla_put_failure:
10254         err = -ENOBUFS;
10255  free_msg:
10256         nlmsg_free(msg);
10257         return err;
10258 }
10259
10260 static const struct nla_policy
10261 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
10262         [NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_BINARY },
10263         [NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
10264         [NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
10265         [NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
10266         [NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
10267         [NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
10268         [NL80211_ATTR_CQM_RSSI_LEVEL] = { .type = NLA_S32 },
10269 };
10270
10271 static int nl80211_set_cqm_txe(struct genl_info *info,
10272                                u32 rate, u32 pkts, u32 intvl)
10273 {
10274         struct cfg80211_registered_device *rdev = info->user_ptr[0];
10275         struct net_device *dev = info->user_ptr[1];
10276         struct wireless_dev *wdev = dev->ieee80211_ptr;
10277
10278         if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
10279                 return -EINVAL;
10280
10281         if (!rdev->ops->set_cqm_txe_config)
10282                 return -EOPNOTSUPP;
10283
10284         if (wdev->iftype != NL80211_IFTYPE_STATION &&
10285             wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
10286                 return -EOPNOTSUPP;
10287
10288         return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
10289 }
10290
10291 static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
10292                                     struct net_device *dev)
10293 {
10294         struct wireless_dev *wdev = dev->ieee80211_ptr;
10295         s32 last, low, high;
10296         u32 hyst;
10297         int i, n, low_index;
10298         int err;
10299
10300         /* RSSI reporting disabled? */
10301         if (!wdev->cqm_config)
10302                 return rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0);
10303
10304         /*
10305          * Obtain current RSSI value if possible, if not and no RSSI threshold
10306          * event has been received yet, we should receive an event after a
10307          * connection is established and enough beacons received to calculate
10308          * the average.
10309          */
10310         if (!wdev->cqm_config->last_rssi_event_value && wdev->current_bss &&
10311             rdev->ops->get_station) {
10312                 struct station_info sinfo = {};
10313                 u8 *mac_addr;
10314
10315                 mac_addr = wdev->current_bss->pub.bssid;
10316
10317                 err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
10318                 if (err)
10319                         return err;
10320
10321                 cfg80211_sinfo_release_content(&sinfo);
10322                 if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
10323                         wdev->cqm_config->last_rssi_event_value =
10324                                 (s8) sinfo.rx_beacon_signal_avg;
10325         }
10326
10327         last = wdev->cqm_config->last_rssi_event_value;
10328         hyst = wdev->cqm_config->rssi_hyst;
10329         n = wdev->cqm_config->n_rssi_thresholds;
10330
10331         for (i = 0; i < n; i++) {
10332                 i = array_index_nospec(i, n);
10333                 if (last < wdev->cqm_config->rssi_thresholds[i])
10334                         break;
10335         }
10336
10337         low_index = i - 1;
10338         if (low_index >= 0) {
10339                 low_index = array_index_nospec(low_index, n);
10340                 low = wdev->cqm_config->rssi_thresholds[low_index] - hyst;
10341         } else {
10342                 low = S32_MIN;
10343         }
10344         if (i < n) {
10345                 i = array_index_nospec(i, n);
10346                 high = wdev->cqm_config->rssi_thresholds[i] + hyst - 1;
10347         } else {
10348                 high = S32_MAX;
10349         }
10350
10351         return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
10352 }
10353
10354 static int nl80211_set_cqm_rssi(struct genl_info *info,
10355                                 const s32 *thresholds, int n_thresholds,
10356                                 u32 hysteresis)
10357 {
10358         struct cfg80211_registered_device *rdev = info->user_ptr[0];
10359         struct net_device *dev = info->user_ptr[1];
10360         struct wireless_dev *wdev = dev->ieee80211_ptr;
10361         int i, err;
10362         s32 prev = S32_MIN;
10363
10364         /* Check all values negative and sorted */
10365         for (i = 0; i < n_thresholds; i++) {
10366                 if (thresholds[i] > 0 || thresholds[i] <= prev)
10367                         return -EINVAL;
10368
10369                 prev = thresholds[i];
10370         }
10371
10372         if (wdev->iftype != NL80211_IFTYPE_STATION &&
10373             wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
10374                 return -EOPNOTSUPP;
10375
10376         wdev_lock(wdev);
10377         cfg80211_cqm_config_free(wdev);
10378         wdev_unlock(wdev);
10379
10380         if (n_thresholds <= 1 && rdev->ops->set_cqm_rssi_config) {
10381                 if (n_thresholds == 0 || thresholds[0] == 0) /* Disabling */
10382                         return rdev_set_cqm_rssi_config(rdev, dev, 0, 0);
10383
10384                 return rdev_set_cqm_rssi_config(rdev, dev,
10385                                                 thresholds[0], hysteresis);
10386         }
10387
10388         if (!wiphy_ext_feature_isset(&rdev->wiphy,
10389                                      NL80211_EXT_FEATURE_CQM_RSSI_LIST))
10390                 return -EOPNOTSUPP;
10391
10392         if (n_thresholds == 1 && thresholds[0] == 0) /* Disabling */
10393                 n_thresholds = 0;
10394
10395         wdev_lock(wdev);
10396         if (n_thresholds) {
10397                 struct cfg80211_cqm_config *cqm_config;
10398
10399                 cqm_config = kzalloc(sizeof(struct cfg80211_cqm_config) +
10400                                      n_thresholds * sizeof(s32), GFP_KERNEL);
10401                 if (!cqm_config) {
10402                         err = -ENOMEM;
10403                         goto unlock;
10404                 }
10405
10406                 cqm_config->rssi_hyst = hysteresis;
10407                 cqm_config->n_rssi_thresholds = n_thresholds;
10408                 memcpy(cqm_config->rssi_thresholds, thresholds,
10409                        n_thresholds * sizeof(s32));
10410
10411                 wdev->cqm_config = cqm_config;
10412         }
10413
10414         err = cfg80211_cqm_rssi_update(rdev, dev);
10415
10416 unlock:
10417         wdev_unlock(wdev);
10418
10419         return err;
10420 }
10421
10422 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
10423 {
10424         struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
10425         struct nlattr *cqm;
10426         int err;
10427
10428         cqm = info->attrs[NL80211_ATTR_CQM];
10429         if (!cqm)
10430                 return -EINVAL;
10431
10432         err = nla_parse_nested(attrs, NL80211_ATTR_CQM_MAX, cqm,
10433                                nl80211_attr_cqm_policy, info->extack);
10434         if (err)
10435                 return err;
10436
10437         if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
10438             attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
10439                 const s32 *thresholds =
10440                         nla_data(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
10441                 int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
10442                 u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
10443
10444                 if (len % 4)
10445                         return -EINVAL;
10446
10447                 return nl80211_set_cqm_rssi(info, thresholds, len / 4,
10448                                             hysteresis);
10449         }
10450
10451         if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
10452             attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
10453             attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
10454                 u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
10455                 u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
10456                 u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
10457
10458                 return nl80211_set_cqm_txe(info, rate, pkts, intvl);
10459         }
10460
10461         return -EINVAL;
10462 }
10463
10464 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
10465 {
10466         struct cfg80211_registered_device *rdev = info->user_ptr[0];
10467         struct net_device *dev = info->user_ptr[1];
10468         struct ocb_setup setup = {};
10469         int err;
10470
10471         err = nl80211_parse_chandef(rdev, info, &setup.chandef);
10472         if (err)
10473                 return err;
10474
10475         return cfg80211_join_ocb(rdev, dev, &setup);
10476 }
10477
10478 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
10479 {
10480         struct cfg80211_registered_device *rdev = info->user_ptr[0];
10481         struct net_device *dev = info->user_ptr[1];
10482
10483         return cfg80211_leave_ocb(rdev, dev);
10484 }
10485
10486 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
10487 {
10488         struct cfg80211_registered_device *rdev = info->user_ptr[0];
10489         struct net_device *dev = info->user_ptr[1];
10490         struct mesh_config cfg;
10491         struct mesh_setup setup;
10492         int err;
10493
10494         /* start with default */
10495         memcpy(&cfg, &default_mesh_config, sizeof(cfg));
10496         memcpy(&setup, &default_mesh_setup, sizeof(setup));
10497
10498         if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
10499                 /* and parse parameters if given */
10500                 err = nl80211_parse_mesh_config(info, &cfg, NULL);
10501                 if (err)
10502                         return err;
10503         }
10504
10505         if (!info->attrs[NL80211_ATTR_MESH_ID] ||
10506             !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
10507                 return -EINVAL;
10508
10509         setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
10510         setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
10511
10512         if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
10513             !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
10514                             nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
10515                         return -EINVAL;
10516
10517         if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
10518                 setup.beacon_interval =
10519                         nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
10520
10521                 err = cfg80211_validate_beacon_int(rdev,
10522                                                    NL80211_IFTYPE_MESH_POINT,
10523                                                    setup.beacon_interval);
10524                 if (err)
10525                         return err;
10526         }
10527
10528         if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
10529                 setup.dtim_period =
10530                         nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
10531                 if (setup.dtim_period < 1 || setup.dtim_period > 100)
10532                         return -EINVAL;
10533         }
10534
10535         if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
10536                 /* parse additional setup parameters if given */
10537                 err = nl80211_parse_mesh_setup(info, &setup);
10538                 if (err)
10539                         return err;
10540         }
10541
10542         if (setup.user_mpm)
10543                 cfg.auto_open_plinks = false;
10544
10545         if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
10546                 err = nl80211_parse_chandef(rdev, info, &setup.chandef);
10547                 if (err)
10548                         return err;
10549         } else {
10550                 /* __cfg80211_join_mesh() will sort it out */
10551                 setup.chandef.chan = NULL;
10552         }
10553
10554         if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
10555                 u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
10556                 int n_rates =
10557                         nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
10558                 struct ieee80211_supported_band *sband;
10559
10560                 if (!setup.chandef.chan)
10561                         return -EINVAL;
10562
10563                 sband = rdev->wiphy.bands[setup.chandef.chan->band];
10564
10565                 err = ieee80211_get_ratemask(sband, rates, n_rates,
10566                                              &setup.basic_rates);
10567                 if (err)
10568                         return err;
10569         }
10570
10571         if (info->attrs[NL80211_ATTR_TX_RATES]) {
10572                 err = nl80211_parse_tx_bitrate_mask(info, &setup.beacon_rate);
10573                 if (err)
10574                         return err;
10575
10576                 if (!setup.chandef.chan)
10577                         return -EINVAL;
10578
10579                 err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
10580                                               &setup.beacon_rate);
10581                 if (err)
10582                         return err;
10583         }
10584
10585         setup.userspace_handles_dfs =
10586                 nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
10587
10588         if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
10589                 int r = validate_pae_over_nl80211(rdev, info);
10590
10591                 if (r < 0)
10592                         return r;
10593
10594                 setup.control_port_over_nl80211 = true;
10595         }
10596
10597         wdev_lock(dev->ieee80211_ptr);
10598         err = __cfg80211_join_mesh(rdev, dev, &setup, &cfg);
10599         if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER])
10600                 dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
10601         wdev_unlock(dev->ieee80211_ptr);
10602
10603         return err;
10604 }
10605
10606 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
10607 {
10608         struct cfg80211_registered_device *rdev = info->user_ptr[0];
10609         struct net_device *dev = info->user_ptr[1];
10610
10611         return cfg80211_leave_mesh(rdev, dev);
10612 }
10613
10614 #ifdef CONFIG_PM
10615 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
10616                                         struct cfg80211_registered_device *rdev)
10617 {
10618         struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
10619         struct nlattr *nl_pats, *nl_pat;
10620         int i, pat_len;
10621
10622         if (!wowlan->n_patterns)
10623                 return 0;
10624
10625         nl_pats = nla_nest_start(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
10626         if (!nl_pats)
10627                 return -ENOBUFS;
10628
10629         for (i = 0; i < wowlan->n_patterns; i++) {
10630                 nl_pat = nla_nest_start(msg, i + 1);
10631                 if (!nl_pat)
10632                         return -ENOBUFS;
10633                 pat_len = wowlan->patterns[i].pattern_len;
10634                 if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
10635                             wowlan->patterns[i].mask) ||
10636                     nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
10637                             wowlan->patterns[i].pattern) ||
10638                     nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
10639                                 wowlan->patterns[i].pkt_offset))
10640                         return -ENOBUFS;
10641                 nla_nest_end(msg, nl_pat);
10642         }
10643         nla_nest_end(msg, nl_pats);
10644
10645         return 0;
10646 }
10647
10648 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
10649                                    struct cfg80211_wowlan_tcp *tcp)
10650 {
10651         struct nlattr *nl_tcp;
10652
10653         if (!tcp)
10654                 return 0;
10655
10656         nl_tcp = nla_nest_start(msg, NL80211_WOWLAN_TRIG_TCP_CONNECTION);
10657         if (!nl_tcp)
10658                 return -ENOBUFS;
10659
10660         if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
10661             nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
10662             nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
10663             nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
10664             nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
10665             nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
10666                     tcp->payload_len, tcp->payload) ||
10667             nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
10668                         tcp->data_interval) ||
10669             nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
10670                     tcp->wake_len, tcp->wake_data) ||
10671             nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
10672                     DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
10673                 return -ENOBUFS;
10674
10675         if (tcp->payload_seq.len &&
10676             nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
10677                     sizeof(tcp->payload_seq), &tcp->payload_seq))
10678                 return -ENOBUFS;
10679
10680         if (tcp->payload_tok.len &&
10681             nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
10682                     sizeof(tcp->payload_tok) + tcp->tokens_size,
10683                     &tcp->payload_tok))
10684                 return -ENOBUFS;
10685
10686         nla_nest_end(msg, nl_tcp);
10687
10688         return 0;
10689 }
10690
10691 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
10692                                   struct cfg80211_sched_scan_request *req)
10693 {
10694         struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
10695         int i;
10696
10697         if (!req)
10698                 return 0;
10699
10700         nd = nla_nest_start(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
10701         if (!nd)
10702                 return -ENOBUFS;
10703
10704         if (req->n_scan_plans == 1 &&
10705             nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
10706                         req->scan_plans[0].interval * 1000))
10707                 return -ENOBUFS;
10708
10709         if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
10710                 return -ENOBUFS;
10711
10712         if (req->relative_rssi_set) {
10713                 struct nl80211_bss_select_rssi_adjust rssi_adjust;
10714
10715                 if (nla_put_s8(msg, NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI,
10716                                req->relative_rssi))
10717                         return -ENOBUFS;
10718
10719                 rssi_adjust.band = req->rssi_adjust.band;
10720                 rssi_adjust.delta = req->rssi_adjust.delta;
10721                 if (nla_put(msg, NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST,
10722                             sizeof(rssi_adjust), &rssi_adjust))
10723                         return -ENOBUFS;
10724         }
10725
10726         freqs = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQUENCIES);
10727         if (!freqs)
10728                 return -ENOBUFS;
10729
10730         for (i = 0; i < req->n_channels; i++) {
10731                 if (nla_put_u32(msg, i, req->channels[i]->center_freq))
10732                         return -ENOBUFS;
10733         }
10734
10735         nla_nest_end(msg, freqs);
10736
10737         if (req->n_match_sets) {
10738                 matches = nla_nest_start(msg, NL80211_ATTR_SCHED_SCAN_MATCH);
10739                 if (!matches)
10740                         return -ENOBUFS;
10741
10742                 for (i = 0; i < req->n_match_sets; i++) {
10743                         match = nla_nest_start(msg, i);
10744                         if (!match)
10745                                 return -ENOBUFS;
10746
10747                         if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
10748                                     req->match_sets[i].ssid.ssid_len,
10749                                     req->match_sets[i].ssid.ssid))
10750                                 return -ENOBUFS;
10751                         nla_nest_end(msg, match);
10752                 }
10753                 nla_nest_end(msg, matches);
10754         }
10755
10756         scan_plans = nla_nest_start(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
10757         if (!scan_plans)
10758                 return -ENOBUFS;
10759
10760         for (i = 0; i < req->n_scan_plans; i++) {
10761                 scan_plan = nla_nest_start(msg, i + 1);
10762                 if (!scan_plan)
10763                         return -ENOBUFS;
10764
10765                 if (!scan_plan ||
10766                     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
10767                                 req->scan_plans[i].interval) ||
10768                     (req->scan_plans[i].iterations &&
10769                      nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
10770                                  req->scan_plans[i].iterations)))
10771                         return -ENOBUFS;
10772                 nla_nest_end(msg, scan_plan);
10773         }
10774         nla_nest_end(msg, scan_plans);
10775
10776         nla_nest_end(msg, nd);
10777
10778         return 0;
10779 }
10780
10781 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
10782 {
10783         struct cfg80211_registered_device *rdev = info->user_ptr[0];
10784         struct sk_buff *msg;
10785         void *hdr;
10786         u32 size = NLMSG_DEFAULT_SIZE;
10787
10788         if (!rdev->wiphy.wowlan)
10789                 return -EOPNOTSUPP;
10790
10791         if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
10792                 /* adjust size to have room for all the data */
10793                 size += rdev->wiphy.wowlan_config->tcp->tokens_size +
10794                         rdev->wiphy.wowlan_config->tcp->payload_len +
10795                         rdev->wiphy.wowlan_config->tcp->wake_len +
10796                         rdev->wiphy.wowlan_config->tcp->wake_len / 8;
10797         }
10798
10799         msg = nlmsg_new(size, GFP_KERNEL);
10800         if (!msg)
10801                 return -ENOMEM;
10802
10803         hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
10804                              NL80211_CMD_GET_WOWLAN);
10805         if (!hdr)
10806                 goto nla_put_failure;
10807
10808         if (rdev->wiphy.wowlan_config) {
10809                 struct nlattr *nl_wowlan;
10810
10811                 nl_wowlan = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS);
10812                 if (!nl_wowlan)
10813                         goto nla_put_failure;
10814
10815                 if ((rdev->wiphy.wowlan_config->any &&
10816                      nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
10817                     (rdev->wiphy.wowlan_config->disconnect &&
10818                      nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
10819                     (rdev->wiphy.wowlan_config->magic_pkt &&
10820                      nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
10821                     (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
10822                      nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
10823                     (rdev->wiphy.wowlan_config->eap_identity_req &&
10824                      nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
10825                     (rdev->wiphy.wowlan_config->four_way_handshake &&
10826                      nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
10827                     (rdev->wiphy.wowlan_config->rfkill_release &&
10828                      nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
10829                         goto nla_put_failure;
10830
10831                 if (nl80211_send_wowlan_patterns(msg, rdev))
10832                         goto nla_put_failure;
10833
10834                 if (nl80211_send_wowlan_tcp(msg,
10835                                             rdev->wiphy.wowlan_config->tcp))
10836                         goto nla_put_failure;
10837
10838                 if (nl80211_send_wowlan_nd(
10839                             msg,
10840                             rdev->wiphy.wowlan_config->nd_config))
10841                         goto nla_put_failure;
10842
10843                 nla_nest_end(msg, nl_wowlan);
10844         }
10845
10846         genlmsg_end(msg, hdr);
10847         return genlmsg_reply(msg, info);
10848
10849 nla_put_failure:
10850         nlmsg_free(msg);
10851         return -ENOBUFS;
10852 }
10853
10854 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
10855                                     struct nlattr *attr,
10856                                     struct cfg80211_wowlan *trig)
10857 {
10858         struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
10859         struct cfg80211_wowlan_tcp *cfg;
10860         struct nl80211_wowlan_tcp_data_token *tok = NULL;
10861         struct nl80211_wowlan_tcp_data_seq *seq = NULL;
10862         u32 size;
10863         u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
10864         int err, port;
10865
10866         if (!rdev->wiphy.wowlan->tcp)
10867                 return -EINVAL;
10868
10869         err = nla_parse_nested(tb, MAX_NL80211_WOWLAN_TCP, attr,
10870                                nl80211_wowlan_tcp_policy, NULL);
10871         if (err)
10872                 return err;
10873
10874         if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
10875             !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
10876             !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
10877             !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
10878             !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
10879             !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
10880             !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
10881             !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
10882                 return -EINVAL;
10883
10884         data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
10885         if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
10886                 return -EINVAL;
10887
10888         if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
10889                         rdev->wiphy.wowlan->tcp->data_interval_max ||
10890             nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
10891                 return -EINVAL;
10892
10893         wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
10894         if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
10895                 return -EINVAL;
10896
10897         wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
10898         if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
10899                 return -EINVAL;
10900
10901         if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
10902                 u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
10903
10904                 tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
10905                 tokens_size = tokln - sizeof(*tok);
10906
10907                 if (!tok->len || tokens_size % tok->len)
10908                         return -EINVAL;
10909                 if (!rdev->wiphy.wowlan->tcp->tok)
10910                         return -EINVAL;
10911                 if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
10912                         return -EINVAL;
10913                 if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
10914                         return -EINVAL;
10915                 if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
10916                         return -EINVAL;
10917                 if (tok->offset + tok->len > data_size)
10918                         return -EINVAL;
10919         }
10920
10921         if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
10922                 seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
10923                 if (!rdev->wiphy.wowlan->tcp->seq)
10924                         return -EINVAL;
10925                 if (seq->len == 0 || seq->len > 4)
10926                         return -EINVAL;
10927                 if (seq->len + seq->offset > data_size)
10928                         return -EINVAL;
10929         }
10930
10931         size = sizeof(*cfg);
10932         size += data_size;
10933         size += wake_size + wake_mask_size;
10934         size += tokens_size;
10935
10936         cfg = kzalloc(size, GFP_KERNEL);
10937         if (!cfg)
10938                 return -ENOMEM;
10939         cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
10940         cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
10941         memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
10942                ETH_ALEN);
10943         if (tb[NL80211_WOWLAN_TCP_SRC_PORT])
10944                 port = nla_get_u16(tb[NL80211_WOWLAN_TCP_SRC_PORT]);
10945         else
10946                 port = 0;
10947 #ifdef CONFIG_INET
10948         /* allocate a socket and port for it and use it */
10949         err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
10950                             IPPROTO_TCP, &cfg->sock, 1);
10951         if (err) {
10952                 kfree(cfg);
10953                 return err;
10954         }
10955         if (inet_csk_get_port(cfg->sock->sk, port)) {
10956                 sock_release(cfg->sock);
10957                 kfree(cfg);
10958                 return -EADDRINUSE;
10959         }
10960         cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
10961 #else
10962         if (!port) {
10963                 kfree(cfg);
10964                 return -EINVAL;
10965         }
10966         cfg->src_port = port;
10967 #endif
10968
10969         cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
10970         cfg->payload_len = data_size;
10971         cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
10972         memcpy((void *)cfg->payload,
10973                nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
10974                data_size);
10975         if (seq)
10976                 cfg->payload_seq = *seq;
10977         cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
10978         cfg->wake_len = wake_size;
10979         cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
10980         memcpy((void *)cfg->wake_data,
10981                nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
10982                wake_size);
10983         cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
10984                          data_size + wake_size;
10985         memcpy((void *)cfg->wake_mask,
10986                nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
10987                wake_mask_size);
10988         if (tok) {
10989                 cfg->tokens_size = tokens_size;
10990                 memcpy(&cfg->payload_tok, tok, sizeof(*tok) + tokens_size);
10991         }
10992
10993         trig->tcp = cfg;
10994
10995         return 0;
10996 }
10997
10998 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
10999                                    const struct wiphy_wowlan_support *wowlan,
11000                                    struct nlattr *attr,
11001                                    struct cfg80211_wowlan *trig)
11002 {
11003         struct nlattr **tb;
11004         int err;
11005
11006         tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
11007         if (!tb)
11008                 return -ENOMEM;
11009
11010         if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
11011                 err = -EOPNOTSUPP;
11012                 goto out;
11013         }
11014
11015         err = nla_parse_nested(tb, NL80211_ATTR_MAX, attr, nl80211_policy,
11016                                NULL);
11017         if (err)
11018                 goto out;
11019
11020         trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb,
11021                                                    wowlan->max_nd_match_sets);
11022         err = PTR_ERR_OR_ZERO(trig->nd_config);
11023         if (err)
11024                 trig->nd_config = NULL;
11025
11026 out:
11027         kfree(tb);
11028         return err;
11029 }
11030
11031 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
11032 {
11033         struct cfg80211_registered_device *rdev = info->user_ptr[0];
11034         struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
11035         struct cfg80211_wowlan new_triggers = {};
11036         struct cfg80211_wowlan *ntrig;
11037         const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
11038         int err, i;
11039         bool prev_enabled = rdev->wiphy.wowlan_config;
11040         bool regular = false;
11041
11042         if (!wowlan)
11043                 return -EOPNOTSUPP;
11044
11045         if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
11046                 cfg80211_rdev_free_wowlan(rdev);
11047                 rdev->wiphy.wowlan_config = NULL;
11048                 goto set_wakeup;
11049         }
11050
11051         err = nla_parse_nested(tb, MAX_NL80211_WOWLAN_TRIG,
11052                                info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS],
11053                                nl80211_wowlan_policy, info->extack);
11054         if (err)
11055                 return err;
11056
11057         if (tb[NL80211_WOWLAN_TRIG_ANY]) {
11058                 if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
11059                         return -EINVAL;
11060                 new_triggers.any = true;
11061         }
11062
11063         if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
11064                 if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
11065                         return -EINVAL;
11066                 new_triggers.disconnect = true;
11067                 regular = true;
11068         }
11069
11070         if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
11071                 if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
11072                         return -EINVAL;
11073                 new_triggers.magic_pkt = true;
11074                 regular = true;
11075         }
11076
11077         if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
11078                 return -EINVAL;
11079
11080         if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
11081                 if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
11082                         return -EINVAL;
11083                 new_triggers.gtk_rekey_failure = true;
11084                 regular = true;
11085         }
11086
11087         if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
11088                 if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
11089                         return -EINVAL;
11090                 new_triggers.eap_identity_req = true;
11091                 regular = true;
11092         }
11093
11094         if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
11095                 if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
11096                         return -EINVAL;
11097                 new_triggers.four_way_handshake = true;
11098                 regular = true;
11099         }
11100
11101         if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
11102                 if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
11103                         return -EINVAL;
11104                 new_triggers.rfkill_release = true;
11105                 regular = true;
11106         }
11107
11108         if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
11109                 struct nlattr *pat;
11110                 int n_patterns = 0;
11111                 int rem, pat_len, mask_len, pkt_offset;
11112                 struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
11113
11114                 regular = true;
11115
11116                 nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
11117                                     rem)
11118                         n_patterns++;
11119                 if (n_patterns > wowlan->n_patterns)
11120                         return -EINVAL;
11121
11122                 new_triggers.patterns = kcalloc(n_patterns,
11123                                                 sizeof(new_triggers.patterns[0]),
11124                                                 GFP_KERNEL);
11125                 if (!new_triggers.patterns)
11126                         return -ENOMEM;
11127
11128                 new_triggers.n_patterns = n_patterns;
11129                 i = 0;
11130
11131                 nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
11132                                     rem) {
11133                         u8 *mask_pat;
11134
11135                         err = nla_parse_nested(pat_tb, MAX_NL80211_PKTPAT, pat,
11136                                                nl80211_packet_pattern_policy,
11137                                                info->extack);
11138                         if (err)
11139                                 goto error;
11140
11141                         err = -EINVAL;
11142                         if (!pat_tb[NL80211_PKTPAT_MASK] ||
11143                             !pat_tb[NL80211_PKTPAT_PATTERN])
11144                                 goto error;
11145                         pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
11146                         mask_len = DIV_ROUND_UP(pat_len, 8);
11147                         if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
11148                                 goto error;
11149                         if (pat_len > wowlan->pattern_max_len ||
11150                             pat_len < wowlan->pattern_min_len)
11151                                 goto error;
11152
11153                         if (!pat_tb[NL80211_PKTPAT_OFFSET])
11154                                 pkt_offset = 0;
11155                         else
11156                                 pkt_offset = nla_get_u32(
11157                                         pat_tb[NL80211_PKTPAT_OFFSET]);
11158                         if (pkt_offset > wowlan->max_pkt_offset)
11159                                 goto error;
11160                         new_triggers.patterns[i].pkt_offset = pkt_offset;
11161
11162                         mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
11163                         if (!mask_pat) {
11164                                 err = -ENOMEM;
11165                                 goto error;
11166                         }
11167                         new_triggers.patterns[i].mask = mask_pat;
11168                         memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
11169                                mask_len);
11170                         mask_pat += mask_len;
11171                         new_triggers.patterns[i].pattern = mask_pat;
11172                         new_triggers.patterns[i].pattern_len = pat_len;
11173                         memcpy(mask_pat,
11174                                nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
11175                                pat_len);
11176                         i++;
11177                 }
11178         }
11179
11180         if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
11181                 regular = true;
11182                 err = nl80211_parse_wowlan_tcp(
11183                         rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
11184                         &new_triggers);
11185                 if (err)
11186                         goto error;
11187         }
11188
11189         if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
11190                 regular = true;
11191                 err = nl80211_parse_wowlan_nd(
11192                         rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
11193                         &new_triggers);
11194                 if (err)
11195                         goto error;
11196         }
11197
11198         /* The 'any' trigger means the device continues operating more or less
11199          * as in its normal operation mode and wakes up the host on most of the
11200          * normal interrupts (like packet RX, ...)
11201          * It therefore makes little sense to combine with the more constrained
11202          * wakeup trigger modes.
11203          */
11204         if (new_triggers.any && regular) {
11205                 err = -EINVAL;
11206                 goto error;
11207         }
11208
11209         ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
11210         if (!ntrig) {
11211                 err = -ENOMEM;
11212                 goto error;
11213         }
11214         cfg80211_rdev_free_wowlan(rdev);
11215         rdev->wiphy.wowlan_config = ntrig;
11216
11217  set_wakeup:
11218         if (rdev->ops->set_wakeup &&
11219             prev_enabled != !!rdev->wiphy.wowlan_config)
11220                 rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
11221
11222         return 0;
11223  error:
11224         for (i = 0; i < new_triggers.n_patterns; i++)
11225                 kfree(new_triggers.patterns[i].mask);
11226         kfree(new_triggers.patterns);
11227         if (new_triggers.tcp && new_triggers.tcp->sock)
11228                 sock_release(new_triggers.tcp->sock);
11229         kfree(new_triggers.tcp);
11230         kfree(new_triggers.nd_config);
11231         return err;
11232 }
11233 #endif
11234
11235 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
11236                                        struct cfg80211_registered_device *rdev)
11237 {
11238         struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
11239         int i, j, pat_len;
11240         struct cfg80211_coalesce_rules *rule;
11241
11242         if (!rdev->coalesce->n_rules)
11243                 return 0;
11244
11245         nl_rules = nla_nest_start(msg, NL80211_ATTR_COALESCE_RULE);
11246         if (!nl_rules)
11247                 return -ENOBUFS;
11248
11249         for (i = 0; i < rdev->coalesce->n_rules; i++) {
11250                 nl_rule = nla_nest_start(msg, i + 1);
11251                 if (!nl_rule)
11252                         return -ENOBUFS;
11253
11254                 rule = &rdev->coalesce->rules[i];
11255                 if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
11256                                 rule->delay))
11257                         return -ENOBUFS;
11258
11259                 if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
11260                                 rule->condition))
11261                         return -ENOBUFS;
11262
11263                 nl_pats = nla_nest_start(msg,
11264                                 NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
11265                 if (!nl_pats)
11266                         return -ENOBUFS;
11267
11268                 for (j = 0; j < rule->n_patterns; j++) {
11269                         nl_pat = nla_nest_start(msg, j + 1);
11270                         if (!nl_pat)
11271                                 return -ENOBUFS;
11272                         pat_len = rule->patterns[j].pattern_len;
11273                         if (nla_put(msg, NL80211_PKTPAT_MASK,
11274                                     DIV_ROUND_UP(pat_len, 8),
11275                                     rule->patterns[j].mask) ||
11276                             nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
11277                                     rule->patterns[j].pattern) ||
11278                             nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
11279                                         rule->patterns[j].pkt_offset))
11280                                 return -ENOBUFS;
11281                         nla_nest_end(msg, nl_pat);
11282                 }
11283                 nla_nest_end(msg, nl_pats);
11284                 nla_nest_end(msg, nl_rule);
11285         }
11286         nla_nest_end(msg, nl_rules);
11287
11288         return 0;
11289 }
11290
11291 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
11292 {
11293         struct cfg80211_registered_device *rdev = info->user_ptr[0];
11294         struct sk_buff *msg;
11295         void *hdr;
11296
11297         if (!rdev->wiphy.coalesce)
11298                 return -EOPNOTSUPP;
11299
11300         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11301         if (!msg)
11302                 return -ENOMEM;
11303
11304         hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11305                              NL80211_CMD_GET_COALESCE);
11306         if (!hdr)
11307                 goto nla_put_failure;
11308
11309         if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
11310                 goto nla_put_failure;
11311
11312         genlmsg_end(msg, hdr);
11313         return genlmsg_reply(msg, info);
11314
11315 nla_put_failure:
11316         nlmsg_free(msg);
11317         return -ENOBUFS;
11318 }
11319
11320 void cfg80211_rdev_free_coalesce(struct cfg80211_registered_device *rdev)
11321 {
11322         struct cfg80211_coalesce *coalesce = rdev->coalesce;
11323         int i, j;
11324         struct cfg80211_coalesce_rules *rule;
11325
11326         if (!coalesce)
11327                 return;
11328
11329         for (i = 0; i < coalesce->n_rules; i++) {
11330                 rule = &coalesce->rules[i];
11331                 for (j = 0; j < rule->n_patterns; j++)
11332                         kfree(rule->patterns[j].mask);
11333                 kfree(rule->patterns);
11334         }
11335         kfree(coalesce->rules);
11336         kfree(coalesce);
11337         rdev->coalesce = NULL;
11338 }
11339
11340 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
11341                                        struct nlattr *rule,
11342                                        struct cfg80211_coalesce_rules *new_rule)
11343 {
11344         int err, i;
11345         const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
11346         struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
11347         int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
11348         struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
11349
11350         err = nla_parse_nested(tb, NL80211_ATTR_COALESCE_RULE_MAX, rule,
11351                                nl80211_coalesce_policy, NULL);
11352         if (err)
11353                 return err;
11354
11355         if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
11356                 new_rule->delay =
11357                         nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
11358         if (new_rule->delay > coalesce->max_delay)
11359                 return -EINVAL;
11360
11361         if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
11362                 new_rule->condition =
11363                         nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
11364         if (new_rule->condition != NL80211_COALESCE_CONDITION_MATCH &&
11365             new_rule->condition != NL80211_COALESCE_CONDITION_NO_MATCH)
11366                 return -EINVAL;
11367
11368         if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
11369                 return -EINVAL;
11370
11371         nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
11372                             rem)
11373                 n_patterns++;
11374         if (n_patterns > coalesce->n_patterns)
11375                 return -EINVAL;
11376
11377         new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
11378                                      GFP_KERNEL);
11379         if (!new_rule->patterns)
11380                 return -ENOMEM;
11381
11382         new_rule->n_patterns = n_patterns;
11383         i = 0;
11384
11385         nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
11386                             rem) {
11387                 u8 *mask_pat;
11388
11389                 err = nla_parse_nested(pat_tb, MAX_NL80211_PKTPAT, pat,
11390                                        nl80211_packet_pattern_policy, NULL);
11391                 if (err)
11392                         return err;
11393
11394                 if (!pat_tb[NL80211_PKTPAT_MASK] ||
11395                     !pat_tb[NL80211_PKTPAT_PATTERN])
11396                         return -EINVAL;
11397                 pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
11398                 mask_len = DIV_ROUND_UP(pat_len, 8);
11399                 if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
11400                         return -EINVAL;
11401                 if (pat_len > coalesce->pattern_max_len ||
11402                     pat_len < coalesce->pattern_min_len)
11403                         return -EINVAL;
11404
11405                 if (!pat_tb[NL80211_PKTPAT_OFFSET])
11406                         pkt_offset = 0;
11407                 else
11408                         pkt_offset = nla_get_u32(pat_tb[NL80211_PKTPAT_OFFSET]);
11409                 if (pkt_offset > coalesce->max_pkt_offset)
11410                         return -EINVAL;
11411                 new_rule->patterns[i].pkt_offset = pkt_offset;
11412
11413                 mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
11414                 if (!mask_pat)
11415                         return -ENOMEM;
11416
11417                 new_rule->patterns[i].mask = mask_pat;
11418                 memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
11419                        mask_len);
11420
11421                 mask_pat += mask_len;
11422                 new_rule->patterns[i].pattern = mask_pat;
11423                 new_rule->patterns[i].pattern_len = pat_len;
11424                 memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
11425                        pat_len);
11426                 i++;
11427         }
11428
11429         return 0;
11430 }
11431
11432 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
11433 {
11434         struct cfg80211_registered_device *rdev = info->user_ptr[0];
11435         const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
11436         struct cfg80211_coalesce new_coalesce = {};
11437         struct cfg80211_coalesce *n_coalesce;
11438         int err, rem_rule, n_rules = 0, i, j;
11439         struct nlattr *rule;
11440         struct cfg80211_coalesce_rules *tmp_rule;
11441
11442         if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
11443                 return -EOPNOTSUPP;
11444
11445         if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
11446                 cfg80211_rdev_free_coalesce(rdev);
11447                 rdev_set_coalesce(rdev, NULL);
11448                 return 0;
11449         }
11450
11451         nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
11452                             rem_rule)
11453                 n_rules++;
11454         if (n_rules > coalesce->n_rules)
11455                 return -EINVAL;
11456
11457         new_coalesce.rules = kcalloc(n_rules, sizeof(new_coalesce.rules[0]),
11458                                      GFP_KERNEL);
11459         if (!new_coalesce.rules)
11460                 return -ENOMEM;
11461
11462         new_coalesce.n_rules = n_rules;
11463         i = 0;
11464
11465         nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
11466                             rem_rule) {
11467                 err = nl80211_parse_coalesce_rule(rdev, rule,
11468                                                   &new_coalesce.rules[i]);
11469                 if (err)
11470                         goto error;
11471
11472                 i++;
11473         }
11474
11475         err = rdev_set_coalesce(rdev, &new_coalesce);
11476         if (err)
11477                 goto error;
11478
11479         n_coalesce = kmemdup(&new_coalesce, sizeof(new_coalesce), GFP_KERNEL);
11480         if (!n_coalesce) {
11481                 err = -ENOMEM;
11482                 goto error;
11483         }
11484         cfg80211_rdev_free_coalesce(rdev);
11485         rdev->coalesce = n_coalesce;
11486
11487         return 0;
11488 error:
11489         for (i = 0; i < new_coalesce.n_rules; i++) {
11490                 tmp_rule = &new_coalesce.rules[i];
11491                 for (j = 0; j < tmp_rule->n_patterns; j++)
11492                         kfree(tmp_rule->patterns[j].mask);
11493                 kfree(tmp_rule->patterns);
11494         }
11495         kfree(new_coalesce.rules);
11496
11497         return err;
11498 }
11499
11500 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
11501 {
11502         struct cfg80211_registered_device *rdev = info->user_ptr[0];
11503         struct net_device *dev = info->user_ptr[1];
11504         struct wireless_dev *wdev = dev->ieee80211_ptr;
11505         struct nlattr *tb[NUM_NL80211_REKEY_DATA];
11506         struct cfg80211_gtk_rekey_data rekey_data = {};
11507         int err;
11508
11509         if (!info->attrs[NL80211_ATTR_REKEY_DATA])
11510                 return -EINVAL;
11511
11512         err = nla_parse_nested(tb, MAX_NL80211_REKEY_DATA,
11513                                info->attrs[NL80211_ATTR_REKEY_DATA],
11514                                nl80211_rekey_policy, info->extack);
11515         if (err)
11516                 return err;
11517
11518         if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
11519             !tb[NL80211_REKEY_DATA_KCK])
11520                 return -EINVAL;
11521         if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
11522                 return -ERANGE;
11523         if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
11524                 return -ERANGE;
11525         if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN)
11526                 return -ERANGE;
11527
11528         rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
11529         rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
11530         rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
11531
11532         wdev_lock(wdev);
11533         if (!wdev->current_bss) {
11534                 err = -ENOTCONN;
11535                 goto out;
11536         }
11537
11538         if (!rdev->ops->set_rekey_data) {
11539                 err = -EOPNOTSUPP;
11540                 goto out;
11541         }
11542
11543         err = rdev_set_rekey_data(rdev, dev, &rekey_data);
11544  out:
11545         wdev_unlock(wdev);
11546         return err;
11547 }
11548
11549 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
11550                                              struct genl_info *info)
11551 {
11552         struct net_device *dev = info->user_ptr[1];
11553         struct wireless_dev *wdev = dev->ieee80211_ptr;
11554
11555         if (wdev->iftype != NL80211_IFTYPE_AP &&
11556             wdev->iftype != NL80211_IFTYPE_P2P_GO)
11557                 return -EINVAL;
11558
11559         if (wdev->ap_unexpected_nlportid)
11560                 return -EBUSY;
11561
11562         wdev->ap_unexpected_nlportid = info->snd_portid;
11563         return 0;
11564 }
11565
11566 static int nl80211_probe_client(struct sk_buff *skb,
11567                                 struct genl_info *info)
11568 {
11569         struct cfg80211_registered_device *rdev = info->user_ptr[0];
11570         struct net_device *dev = info->user_ptr[1];
11571         struct wireless_dev *wdev = dev->ieee80211_ptr;
11572         struct sk_buff *msg;
11573         void *hdr;
11574         const u8 *addr;
11575         u64 cookie;
11576         int err;
11577
11578         if (wdev->iftype != NL80211_IFTYPE_AP &&
11579             wdev->iftype != NL80211_IFTYPE_P2P_GO)
11580                 return -EOPNOTSUPP;
11581
11582         if (!info->attrs[NL80211_ATTR_MAC])
11583                 return -EINVAL;
11584
11585         if (!rdev->ops->probe_client)
11586                 return -EOPNOTSUPP;
11587
11588         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11589         if (!msg)
11590                 return -ENOMEM;
11591
11592         hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11593                              NL80211_CMD_PROBE_CLIENT);
11594         if (!hdr) {
11595                 err = -ENOBUFS;
11596                 goto free_msg;
11597         }
11598
11599         addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
11600
11601         err = rdev_probe_client(rdev, dev, addr, &cookie);
11602         if (err)
11603                 goto free_msg;
11604
11605         if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
11606                               NL80211_ATTR_PAD))
11607                 goto nla_put_failure;
11608
11609         genlmsg_end(msg, hdr);
11610
11611         return genlmsg_reply(msg, info);
11612
11613  nla_put_failure:
11614         err = -ENOBUFS;
11615  free_msg:
11616         nlmsg_free(msg);
11617         return err;
11618 }
11619
11620 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
11621 {
11622         struct cfg80211_registered_device *rdev = info->user_ptr[0];
11623         struct cfg80211_beacon_registration *reg, *nreg;
11624         int rv;
11625
11626         if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
11627                 return -EOPNOTSUPP;
11628
11629         nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
11630         if (!nreg)
11631                 return -ENOMEM;
11632
11633         /* First, check if already registered. */
11634         spin_lock_bh(&rdev->beacon_registrations_lock);
11635         list_for_each_entry(reg, &rdev->beacon_registrations, list) {
11636                 if (reg->nlportid == info->snd_portid) {
11637                         rv = -EALREADY;
11638                         goto out_err;
11639                 }
11640         }
11641         /* Add it to the list */
11642         nreg->nlportid = info->snd_portid;
11643         list_add(&nreg->list, &rdev->beacon_registrations);
11644
11645         spin_unlock_bh(&rdev->beacon_registrations_lock);
11646
11647         return 0;
11648 out_err:
11649         spin_unlock_bh(&rdev->beacon_registrations_lock);
11650         kfree(nreg);
11651         return rv;
11652 }
11653
11654 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
11655 {
11656         struct cfg80211_registered_device *rdev = info->user_ptr[0];
11657         struct wireless_dev *wdev = info->user_ptr[1];
11658         int err;
11659
11660         if (!rdev->ops->start_p2p_device)
11661                 return -EOPNOTSUPP;
11662
11663         if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
11664                 return -EOPNOTSUPP;
11665
11666         if (wdev_running(wdev))
11667                 return 0;
11668
11669         if (rfkill_blocked(rdev->rfkill))
11670                 return -ERFKILL;
11671
11672         err = rdev_start_p2p_device(rdev, wdev);
11673         if (err)
11674                 return err;
11675
11676         wdev->is_running = true;
11677         rdev->opencount++;
11678
11679         return 0;
11680 }
11681
11682 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
11683 {
11684         struct cfg80211_registered_device *rdev = info->user_ptr[0];
11685         struct wireless_dev *wdev = info->user_ptr[1];
11686
11687         if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
11688                 return -EOPNOTSUPP;
11689
11690         if (!rdev->ops->stop_p2p_device)
11691                 return -EOPNOTSUPP;
11692
11693         cfg80211_stop_p2p_device(rdev, wdev);
11694
11695         return 0;
11696 }
11697
11698 static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info)
11699 {
11700         struct cfg80211_registered_device *rdev = info->user_ptr[0];
11701         struct wireless_dev *wdev = info->user_ptr[1];
11702         struct cfg80211_nan_conf conf = {};
11703         int err;
11704
11705         if (wdev->iftype != NL80211_IFTYPE_NAN)
11706                 return -EOPNOTSUPP;
11707
11708         if (wdev_running(wdev))
11709                 return -EEXIST;
11710
11711         if (rfkill_blocked(rdev->rfkill))
11712                 return -ERFKILL;
11713
11714         if (!info->attrs[NL80211_ATTR_NAN_MASTER_PREF])
11715                 return -EINVAL;
11716
11717         conf.master_pref =
11718                 nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
11719         if (!conf.master_pref)
11720                 return -EINVAL;
11721
11722         if (info->attrs[NL80211_ATTR_BANDS]) {
11723                 u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
11724
11725                 if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
11726                         return -EOPNOTSUPP;
11727
11728                 if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
11729                         return -EINVAL;
11730
11731                 conf.bands = bands;
11732         }
11733
11734         err = rdev_start_nan(rdev, wdev, &conf);
11735         if (err)
11736                 return err;
11737
11738         wdev->is_running = true;
11739         rdev->opencount++;
11740
11741         return 0;
11742 }
11743
11744 static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info)
11745 {
11746         struct cfg80211_registered_device *rdev = info->user_ptr[0];
11747         struct wireless_dev *wdev = info->user_ptr[1];
11748
11749         if (wdev->iftype != NL80211_IFTYPE_NAN)
11750                 return -EOPNOTSUPP;
11751
11752         cfg80211_stop_nan(rdev, wdev);
11753
11754         return 0;
11755 }
11756
11757 static int validate_nan_filter(struct nlattr *filter_attr)
11758 {
11759         struct nlattr *attr;
11760         int len = 0, n_entries = 0, rem;
11761
11762         nla_for_each_nested(attr, filter_attr, rem) {
11763                 len += nla_len(attr);
11764                 n_entries++;
11765         }
11766
11767         if (len >= U8_MAX)
11768                 return -EINVAL;
11769
11770         return n_entries;
11771 }
11772
11773 static int handle_nan_filter(struct nlattr *attr_filter,
11774                              struct cfg80211_nan_func *func,
11775                              bool tx)
11776 {
11777         struct nlattr *attr;
11778         int n_entries, rem, i;
11779         struct cfg80211_nan_func_filter *filter;
11780
11781         n_entries = validate_nan_filter(attr_filter);
11782         if (n_entries < 0)
11783                 return n_entries;
11784
11785         BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters));
11786
11787         filter = kcalloc(n_entries, sizeof(*func->rx_filters), GFP_KERNEL);
11788         if (!filter)
11789                 return -ENOMEM;
11790
11791         i = 0;
11792         nla_for_each_nested(attr, attr_filter, rem) {
11793                 filter[i].filter = nla_memdup(attr, GFP_KERNEL);
11794                 if (!filter[i].filter)
11795                         goto err;
11796
11797                 filter[i].len = nla_len(attr);
11798                 i++;
11799         }
11800         if (tx) {
11801                 func->num_tx_filters = n_entries;
11802                 func->tx_filters = filter;
11803         } else {
11804                 func->num_rx_filters = n_entries;
11805                 func->rx_filters = filter;
11806         }
11807
11808         return 0;
11809
11810 err:
11811         i = 0;
11812         nla_for_each_nested(attr, attr_filter, rem) {
11813                 kfree(filter[i].filter);
11814                 i++;
11815         }
11816         kfree(filter);
11817         return -ENOMEM;
11818 }
11819
11820 static int nl80211_nan_add_func(struct sk_buff *skb,
11821                                 struct genl_info *info)
11822 {
11823         struct cfg80211_registered_device *rdev = info->user_ptr[0];
11824         struct wireless_dev *wdev = info->user_ptr[1];
11825         struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr;
11826         struct cfg80211_nan_func *func;
11827         struct sk_buff *msg = NULL;
11828         void *hdr = NULL;
11829         int err = 0;
11830
11831         if (wdev->iftype != NL80211_IFTYPE_NAN)
11832                 return -EOPNOTSUPP;
11833
11834         if (!wdev_running(wdev))
11835                 return -ENOTCONN;
11836
11837         if (!info->attrs[NL80211_ATTR_NAN_FUNC])
11838                 return -EINVAL;
11839
11840         err = nla_parse_nested(tb, NL80211_NAN_FUNC_ATTR_MAX,
11841                                info->attrs[NL80211_ATTR_NAN_FUNC],
11842                                nl80211_nan_func_policy, info->extack);
11843         if (err)
11844                 return err;
11845
11846         func = kzalloc(sizeof(*func), GFP_KERNEL);
11847         if (!func)
11848                 return -ENOMEM;
11849
11850         func->cookie = wdev->wiphy->cookie_counter++;
11851
11852         if (!tb[NL80211_NAN_FUNC_TYPE] ||
11853             nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]) > NL80211_NAN_FUNC_MAX_TYPE) {
11854                 err = -EINVAL;
11855                 goto out;
11856         }
11857
11858
11859         func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]);
11860
11861         if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) {
11862                 err = -EINVAL;
11863                 goto out;
11864         }
11865
11866         memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]),
11867                sizeof(func->service_id));
11868
11869         func->close_range =
11870                 nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]);
11871
11872         if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) {
11873                 func->serv_spec_info_len =
11874                         nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]);
11875                 func->serv_spec_info =
11876                         kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]),
11877                                 func->serv_spec_info_len,
11878                                 GFP_KERNEL);
11879                 if (!func->serv_spec_info) {
11880                         err = -ENOMEM;
11881                         goto out;
11882                 }
11883         }
11884
11885         if (tb[NL80211_NAN_FUNC_TTL])
11886                 func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]);
11887
11888         switch (func->type) {
11889         case NL80211_NAN_FUNC_PUBLISH:
11890                 if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) {
11891                         err = -EINVAL;
11892                         goto out;
11893                 }
11894
11895                 func->publish_type =
11896                         nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]);
11897                 func->publish_bcast =
11898                         nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]);
11899
11900                 if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) &&
11901                         func->publish_bcast) {
11902                         err = -EINVAL;
11903                         goto out;
11904                 }
11905                 break;
11906         case NL80211_NAN_FUNC_SUBSCRIBE:
11907                 func->subscribe_active =
11908                         nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]);
11909                 break;
11910         case NL80211_NAN_FUNC_FOLLOW_UP:
11911                 if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
11912                     !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
11913                     !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
11914                         err = -EINVAL;
11915                         goto out;
11916                 }
11917
11918                 func->followup_id =
11919                         nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]);
11920                 func->followup_reqid =
11921                         nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]);
11922                 memcpy(func->followup_dest.addr,
11923                        nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]),
11924                        sizeof(func->followup_dest.addr));
11925                 if (func->ttl) {
11926                         err = -EINVAL;
11927                         goto out;
11928                 }
11929                 break;
11930         default:
11931                 err = -EINVAL;
11932                 goto out;
11933         }
11934
11935         if (tb[NL80211_NAN_FUNC_SRF]) {
11936                 struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR];
11937
11938                 err = nla_parse_nested(srf_tb, NL80211_NAN_SRF_ATTR_MAX,
11939                                        tb[NL80211_NAN_FUNC_SRF],
11940                                        nl80211_nan_srf_policy, info->extack);
11941                 if (err)
11942                         goto out;
11943
11944                 func->srf_include =
11945                         nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]);
11946
11947                 if (srf_tb[NL80211_NAN_SRF_BF]) {
11948                         if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] ||
11949                             !srf_tb[NL80211_NAN_SRF_BF_IDX]) {
11950                                 err = -EINVAL;
11951                                 goto out;
11952                         }
11953
11954                         func->srf_bf_len =
11955                                 nla_len(srf_tb[NL80211_NAN_SRF_BF]);
11956                         func->srf_bf =
11957                                 kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]),
11958                                         func->srf_bf_len, GFP_KERNEL);
11959                         if (!func->srf_bf) {
11960                                 err = -ENOMEM;
11961                                 goto out;
11962                         }
11963
11964                         func->srf_bf_idx =
11965                                 nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]);
11966                 } else {
11967                         struct nlattr *attr, *mac_attr =
11968                                 srf_tb[NL80211_NAN_SRF_MAC_ADDRS];
11969                         int n_entries, rem, i = 0;
11970
11971                         if (!mac_attr) {
11972                                 err = -EINVAL;
11973                                 goto out;
11974                         }
11975
11976                         n_entries = validate_acl_mac_addrs(mac_attr);
11977                         if (n_entries <= 0) {
11978                                 err = -EINVAL;
11979                                 goto out;
11980                         }
11981
11982                         func->srf_num_macs = n_entries;
11983                         func->srf_macs =
11984                                 kcalloc(n_entries, sizeof(*func->srf_macs),
11985                                         GFP_KERNEL);
11986                         if (!func->srf_macs) {
11987                                 err = -ENOMEM;
11988                                 goto out;
11989                         }
11990
11991                         nla_for_each_nested(attr, mac_attr, rem)
11992                                 memcpy(func->srf_macs[i++].addr, nla_data(attr),
11993                                        sizeof(*func->srf_macs));
11994                 }
11995         }
11996
11997         if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) {
11998                 err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER],
11999                                         func, true);
12000                 if (err)
12001                         goto out;
12002         }
12003
12004         if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) {
12005                 err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER],
12006                                         func, false);
12007                 if (err)
12008                         goto out;
12009         }
12010
12011         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12012         if (!msg) {
12013                 err = -ENOMEM;
12014                 goto out;
12015         }
12016
12017         hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12018                              NL80211_CMD_ADD_NAN_FUNCTION);
12019         /* This can't really happen - we just allocated 4KB */
12020         if (WARN_ON(!hdr)) {
12021                 err = -ENOMEM;
12022                 goto out;
12023         }
12024
12025         err = rdev_add_nan_func(rdev, wdev, func);
12026 out:
12027         if (err < 0) {
12028                 cfg80211_free_nan_func(func);
12029                 nlmsg_free(msg);
12030                 return err;
12031         }
12032
12033         /* propagate the instance id and cookie to userspace  */
12034         if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie,
12035                               NL80211_ATTR_PAD))
12036                 goto nla_put_failure;
12037
12038         func_attr = nla_nest_start(msg, NL80211_ATTR_NAN_FUNC);
12039         if (!func_attr)
12040                 goto nla_put_failure;
12041
12042         if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID,
12043                        func->instance_id))
12044                 goto nla_put_failure;
12045
12046         nla_nest_end(msg, func_attr);
12047
12048         genlmsg_end(msg, hdr);
12049         return genlmsg_reply(msg, info);
12050
12051 nla_put_failure:
12052         nlmsg_free(msg);
12053         return -ENOBUFS;
12054 }
12055
12056 static int nl80211_nan_del_func(struct sk_buff *skb,
12057                                struct genl_info *info)
12058 {
12059         struct cfg80211_registered_device *rdev = info->user_ptr[0];
12060         struct wireless_dev *wdev = info->user_ptr[1];
12061         u64 cookie;
12062
12063         if (wdev->iftype != NL80211_IFTYPE_NAN)
12064                 return -EOPNOTSUPP;
12065
12066         if (!wdev_running(wdev))
12067                 return -ENOTCONN;
12068
12069         if (!info->attrs[NL80211_ATTR_COOKIE])
12070                 return -EINVAL;
12071
12072         cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
12073
12074         rdev_del_nan_func(rdev, wdev, cookie);
12075
12076         return 0;
12077 }
12078
12079 static int nl80211_nan_change_config(struct sk_buff *skb,
12080                                      struct genl_info *info)
12081 {
12082         struct cfg80211_registered_device *rdev = info->user_ptr[0];
12083         struct wireless_dev *wdev = info->user_ptr[1];
12084         struct cfg80211_nan_conf conf = {};
12085         u32 changed = 0;
12086
12087         if (wdev->iftype != NL80211_IFTYPE_NAN)
12088                 return -EOPNOTSUPP;
12089
12090         if (!wdev_running(wdev))
12091                 return -ENOTCONN;
12092
12093         if (info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) {
12094                 conf.master_pref =
12095                         nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
12096                 if (conf.master_pref <= 1 || conf.master_pref == 255)
12097                         return -EINVAL;
12098
12099                 changed |= CFG80211_NAN_CONF_CHANGED_PREF;
12100         }
12101
12102         if (info->attrs[NL80211_ATTR_BANDS]) {
12103                 u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
12104
12105                 if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
12106                         return -EOPNOTSUPP;
12107
12108                 if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
12109                         return -EINVAL;
12110
12111                 conf.bands = bands;
12112                 changed |= CFG80211_NAN_CONF_CHANGED_BANDS;
12113         }
12114
12115         if (!changed)
12116                 return -EINVAL;
12117
12118         return rdev_nan_change_conf(rdev, wdev, &conf, changed);
12119 }
12120
12121 void cfg80211_nan_match(struct wireless_dev *wdev,
12122                         struct cfg80211_nan_match_params *match, gfp_t gfp)
12123 {
12124         struct wiphy *wiphy = wdev->wiphy;
12125         struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12126         struct nlattr *match_attr, *local_func_attr, *peer_func_attr;
12127         struct sk_buff *msg;
12128         void *hdr;
12129
12130         if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr))
12131                 return;
12132
12133         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12134         if (!msg)
12135                 return;
12136
12137         hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH);
12138         if (!hdr) {
12139                 nlmsg_free(msg);
12140                 return;
12141         }
12142
12143         if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12144             (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
12145                                          wdev->netdev->ifindex)) ||
12146             nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
12147                               NL80211_ATTR_PAD))
12148                 goto nla_put_failure;
12149
12150         if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie,
12151                               NL80211_ATTR_PAD) ||
12152             nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr))
12153                 goto nla_put_failure;
12154
12155         match_attr = nla_nest_start(msg, NL80211_ATTR_NAN_MATCH);
12156         if (!match_attr)
12157                 goto nla_put_failure;
12158
12159         local_func_attr = nla_nest_start(msg, NL80211_NAN_MATCH_FUNC_LOCAL);
12160         if (!local_func_attr)
12161                 goto nla_put_failure;
12162
12163         if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id))
12164                 goto nla_put_failure;
12165
12166         nla_nest_end(msg, local_func_attr);
12167
12168         peer_func_attr = nla_nest_start(msg, NL80211_NAN_MATCH_FUNC_PEER);
12169         if (!peer_func_attr)
12170                 goto nla_put_failure;
12171
12172         if (nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) ||
12173             nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id))
12174                 goto nla_put_failure;
12175
12176         if (match->info && match->info_len &&
12177             nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len,
12178                     match->info))
12179                 goto nla_put_failure;
12180
12181         nla_nest_end(msg, peer_func_attr);
12182         nla_nest_end(msg, match_attr);
12183         genlmsg_end(msg, hdr);
12184
12185         if (!wdev->owner_nlportid)
12186                 genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
12187                                         msg, 0, NL80211_MCGRP_NAN, gfp);
12188         else
12189                 genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
12190                                 wdev->owner_nlportid);
12191
12192         return;
12193
12194 nla_put_failure:
12195         nlmsg_free(msg);
12196 }
12197 EXPORT_SYMBOL(cfg80211_nan_match);
12198
12199 void cfg80211_nan_func_terminated(struct wireless_dev *wdev,
12200                                   u8 inst_id,
12201                                   enum nl80211_nan_func_term_reason reason,
12202                                   u64 cookie, gfp_t gfp)
12203 {
12204         struct wiphy *wiphy = wdev->wiphy;
12205         struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12206         struct sk_buff *msg;
12207         struct nlattr *func_attr;
12208         void *hdr;
12209
12210         if (WARN_ON(!inst_id))
12211                 return;
12212
12213         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12214         if (!msg)
12215                 return;
12216
12217         hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION);
12218         if (!hdr) {
12219                 nlmsg_free(msg);
12220                 return;
12221         }
12222
12223         if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12224             (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
12225                                          wdev->netdev->ifindex)) ||
12226             nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
12227                               NL80211_ATTR_PAD))
12228                 goto nla_put_failure;
12229
12230         if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12231                               NL80211_ATTR_PAD))
12232                 goto nla_put_failure;
12233
12234         func_attr = nla_nest_start(msg, NL80211_ATTR_NAN_FUNC);
12235         if (!func_attr)
12236                 goto nla_put_failure;
12237
12238         if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) ||
12239             nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason))
12240                 goto nla_put_failure;
12241
12242         nla_nest_end(msg, func_attr);
12243         genlmsg_end(msg, hdr);
12244
12245         if (!wdev->owner_nlportid)
12246                 genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
12247                                         msg, 0, NL80211_MCGRP_NAN, gfp);
12248         else
12249                 genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
12250                                 wdev->owner_nlportid);
12251
12252         return;
12253
12254 nla_put_failure:
12255         nlmsg_free(msg);
12256 }
12257 EXPORT_SYMBOL(cfg80211_nan_func_terminated);
12258
12259 static int nl80211_get_protocol_features(struct sk_buff *skb,
12260                                          struct genl_info *info)
12261 {
12262         void *hdr;
12263         struct sk_buff *msg;
12264
12265         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12266         if (!msg)
12267                 return -ENOMEM;
12268
12269         hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12270                              NL80211_CMD_GET_PROTOCOL_FEATURES);
12271         if (!hdr)
12272                 goto nla_put_failure;
12273
12274         if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
12275                         NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
12276                 goto nla_put_failure;
12277
12278         genlmsg_end(msg, hdr);
12279         return genlmsg_reply(msg, info);
12280
12281  nla_put_failure:
12282         kfree_skb(msg);
12283         return -ENOBUFS;
12284 }
12285
12286 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
12287 {
12288         struct cfg80211_registered_device *rdev = info->user_ptr[0];
12289         struct cfg80211_update_ft_ies_params ft_params;
12290         struct net_device *dev = info->user_ptr[1];
12291
12292         if (!rdev->ops->update_ft_ies)
12293                 return -EOPNOTSUPP;
12294
12295         if (!info->attrs[NL80211_ATTR_MDID] ||
12296             !info->attrs[NL80211_ATTR_IE] ||
12297             !is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
12298                 return -EINVAL;
12299
12300         memset(&ft_params, 0, sizeof(ft_params));
12301         ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
12302         ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12303         ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12304
12305         return rdev_update_ft_ies(rdev, dev, &ft_params);
12306 }
12307
12308 static int nl80211_crit_protocol_start(struct sk_buff *skb,
12309                                        struct genl_info *info)
12310 {
12311         struct cfg80211_registered_device *rdev = info->user_ptr[0];
12312         struct wireless_dev *wdev = info->user_ptr[1];
12313         enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
12314         u16 duration;
12315         int ret;
12316
12317         if (!rdev->ops->crit_proto_start)
12318                 return -EOPNOTSUPP;
12319
12320         if (WARN_ON(!rdev->ops->crit_proto_stop))
12321                 return -EINVAL;
12322
12323         if (rdev->crit_proto_nlportid)
12324                 return -EBUSY;
12325
12326         /* determine protocol if provided */
12327         if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
12328                 proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
12329
12330         if (proto >= NUM_NL80211_CRIT_PROTO)
12331                 return -EINVAL;
12332
12333         /* timeout must be provided */
12334         if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
12335                 return -EINVAL;
12336
12337         duration =
12338                 nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
12339
12340         if (duration > NL80211_CRIT_PROTO_MAX_DURATION)
12341                 return -ERANGE;
12342
12343         ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
12344         if (!ret)
12345                 rdev->crit_proto_nlportid = info->snd_portid;
12346
12347         return ret;
12348 }
12349
12350 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
12351                                       struct genl_info *info)
12352 {
12353         struct cfg80211_registered_device *rdev = info->user_ptr[0];
12354         struct wireless_dev *wdev = info->user_ptr[1];
12355
12356         if (!rdev->ops->crit_proto_stop)
12357                 return -EOPNOTSUPP;
12358
12359         if (rdev->crit_proto_nlportid) {
12360                 rdev->crit_proto_nlportid = 0;
12361                 rdev_crit_proto_stop(rdev, wdev);
12362         }
12363         return 0;
12364 }
12365
12366 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
12367 {
12368         struct cfg80211_registered_device *rdev = info->user_ptr[0];
12369         struct wireless_dev *wdev =
12370                 __cfg80211_wdev_from_attrs(genl_info_net(info), info->attrs);
12371         int i, err;
12372         u32 vid, subcmd;
12373
12374         if (!rdev->wiphy.vendor_commands)
12375                 return -EOPNOTSUPP;
12376
12377         if (IS_ERR(wdev)) {
12378                 err = PTR_ERR(wdev);
12379                 if (err != -EINVAL)
12380                         return err;
12381                 wdev = NULL;
12382         } else if (wdev->wiphy != &rdev->wiphy) {
12383                 return -EINVAL;
12384         }
12385
12386         if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
12387             !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
12388                 return -EINVAL;
12389
12390         vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
12391         subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
12392         for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
12393                 const struct wiphy_vendor_command *vcmd;
12394                 void *data = NULL;
12395                 int len = 0;
12396
12397                 vcmd = &rdev->wiphy.vendor_commands[i];
12398
12399                 if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
12400                         continue;
12401
12402                 if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
12403                                    WIPHY_VENDOR_CMD_NEED_NETDEV)) {
12404                         if (!wdev)
12405                                 return -EINVAL;
12406                         if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
12407                             !wdev->netdev)
12408                                 return -EINVAL;
12409
12410                         if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
12411                                 if (!wdev_running(wdev))
12412                                         return -ENETDOWN;
12413                         }
12414                 } else {
12415                         wdev = NULL;
12416                 }
12417
12418                 if (!vcmd->doit)
12419                         return -EOPNOTSUPP;
12420
12421                 if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
12422                         data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
12423                         len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
12424                 }
12425
12426                 rdev->cur_cmd_info = info;
12427                 err = rdev->wiphy.vendor_commands[i].doit(&rdev->wiphy, wdev,
12428                                                           data, len);
12429                 rdev->cur_cmd_info = NULL;
12430                 return err;
12431         }
12432
12433         return -EOPNOTSUPP;
12434 }
12435
12436 static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
12437                                        struct netlink_callback *cb,
12438                                        struct cfg80211_registered_device **rdev,
12439                                        struct wireless_dev **wdev)
12440 {
12441         struct nlattr **attrbuf = genl_family_attrbuf(&nl80211_fam);
12442         u32 vid, subcmd;
12443         unsigned int i;
12444         int vcmd_idx = -1;
12445         int err;
12446         void *data = NULL;
12447         unsigned int data_len = 0;
12448
12449         if (cb->args[0]) {
12450                 /* subtract the 1 again here */
12451                 struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
12452                 struct wireless_dev *tmp;
12453
12454                 if (!wiphy)
12455                         return -ENODEV;
12456                 *rdev = wiphy_to_rdev(wiphy);
12457                 *wdev = NULL;
12458
12459                 if (cb->args[1]) {
12460                         list_for_each_entry(tmp, &wiphy->wdev_list, list) {
12461                                 if (tmp->identifier == cb->args[1] - 1) {
12462                                         *wdev = tmp;
12463                                         break;
12464                                 }
12465                         }
12466                 }
12467
12468                 /* keep rtnl locked in successful case */
12469                 return 0;
12470         }
12471
12472         err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize, attrbuf,
12473                           nl80211_fam.maxattr, nl80211_policy, NULL);
12474         if (err)
12475                 return err;
12476
12477         if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
12478             !attrbuf[NL80211_ATTR_VENDOR_SUBCMD])
12479                 return -EINVAL;
12480
12481         *wdev = __cfg80211_wdev_from_attrs(sock_net(skb->sk), attrbuf);
12482         if (IS_ERR(*wdev))
12483                 *wdev = NULL;
12484
12485         *rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
12486         if (IS_ERR(*rdev))
12487                 return PTR_ERR(*rdev);
12488
12489         vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
12490         subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
12491
12492         for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
12493                 const struct wiphy_vendor_command *vcmd;
12494
12495                 vcmd = &(*rdev)->wiphy.vendor_commands[i];
12496
12497                 if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
12498                         continue;
12499
12500                 if (!vcmd->dumpit)
12501                         return -EOPNOTSUPP;
12502
12503                 vcmd_idx = i;
12504                 break;
12505         }
12506
12507         if (vcmd_idx < 0)
12508                 return -EOPNOTSUPP;
12509
12510         if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
12511                 data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
12512                 data_len = nla_len(attrbuf[NL80211_ATTR_VENDOR_DATA]);
12513         }
12514
12515         /* 0 is the first index - add 1 to parse only once */
12516         cb->args[0] = (*rdev)->wiphy_idx + 1;
12517         /* add 1 to know if it was NULL */
12518         cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
12519         cb->args[2] = vcmd_idx;
12520         cb->args[3] = (unsigned long)data;
12521         cb->args[4] = data_len;
12522
12523         /* keep rtnl locked in successful case */
12524         return 0;
12525 }
12526
12527 static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
12528                                    struct netlink_callback *cb)
12529 {
12530         struct cfg80211_registered_device *rdev;
12531         struct wireless_dev *wdev;
12532         unsigned int vcmd_idx;
12533         const struct wiphy_vendor_command *vcmd;
12534         void *data;
12535         int data_len;
12536         int err;
12537         struct nlattr *vendor_data;
12538
12539         rtnl_lock();
12540         err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
12541         if (err)
12542                 goto out;
12543
12544         vcmd_idx = cb->args[2];
12545         data = (void *)cb->args[3];
12546         data_len = cb->args[4];
12547         vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
12548
12549         if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
12550                            WIPHY_VENDOR_CMD_NEED_NETDEV)) {
12551                 if (!wdev) {
12552                         err = -EINVAL;
12553                         goto out;
12554                 }
12555                 if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
12556                     !wdev->netdev) {
12557                         err = -EINVAL;
12558                         goto out;
12559                 }
12560
12561                 if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
12562                         if (!wdev_running(wdev)) {
12563                                 err = -ENETDOWN;
12564                                 goto out;
12565                         }
12566                 }
12567         }
12568
12569         while (1) {
12570                 void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
12571                                            cb->nlh->nlmsg_seq, NLM_F_MULTI,
12572                                            NL80211_CMD_VENDOR);
12573                 if (!hdr)
12574                         break;
12575
12576                 if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12577                     (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
12578                                                wdev_id(wdev),
12579                                                NL80211_ATTR_PAD))) {
12580                         genlmsg_cancel(skb, hdr);
12581                         break;
12582                 }
12583
12584                 vendor_data = nla_nest_start(skb, NL80211_ATTR_VENDOR_DATA);
12585                 if (!vendor_data) {
12586                         genlmsg_cancel(skb, hdr);
12587                         break;
12588                 }
12589
12590                 err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
12591                                    (unsigned long *)&cb->args[5]);
12592                 nla_nest_end(skb, vendor_data);
12593
12594                 if (err == -ENOBUFS || err == -ENOENT) {
12595                         genlmsg_cancel(skb, hdr);
12596                         break;
12597                 } else if (err) {
12598                         genlmsg_cancel(skb, hdr);
12599                         goto out;
12600                 }
12601
12602                 genlmsg_end(skb, hdr);
12603         }
12604
12605         err = skb->len;
12606  out:
12607         rtnl_unlock();
12608         return err;
12609 }
12610
12611 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
12612                                            enum nl80211_commands cmd,
12613                                            enum nl80211_attrs attr,
12614                                            int approxlen)
12615 {
12616         struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12617
12618         if (WARN_ON(!rdev->cur_cmd_info))
12619                 return NULL;
12620
12621         return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
12622                                            rdev->cur_cmd_info->snd_portid,
12623                                            rdev->cur_cmd_info->snd_seq,
12624                                            cmd, attr, NULL, GFP_KERNEL);
12625 }
12626 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
12627
12628 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
12629 {
12630         struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
12631         void *hdr = ((void **)skb->cb)[1];
12632         struct nlattr *data = ((void **)skb->cb)[2];
12633
12634         /* clear CB data for netlink core to own from now on */
12635         memset(skb->cb, 0, sizeof(skb->cb));
12636
12637         if (WARN_ON(!rdev->cur_cmd_info)) {
12638                 kfree_skb(skb);
12639                 return -EINVAL;
12640         }
12641
12642         nla_nest_end(skb, data);
12643         genlmsg_end(skb, hdr);
12644         return genlmsg_reply(skb, rdev->cur_cmd_info);
12645 }
12646 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
12647
12648 static int nl80211_set_qos_map(struct sk_buff *skb,
12649                                struct genl_info *info)
12650 {
12651         struct cfg80211_registered_device *rdev = info->user_ptr[0];
12652         struct cfg80211_qos_map *qos_map = NULL;
12653         struct net_device *dev = info->user_ptr[1];
12654         u8 *pos, len, num_des, des_len, des;
12655         int ret;
12656
12657         if (!rdev->ops->set_qos_map)
12658                 return -EOPNOTSUPP;
12659
12660         if (info->attrs[NL80211_ATTR_QOS_MAP]) {
12661                 pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
12662                 len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
12663
12664                 if (len % 2 || len < IEEE80211_QOS_MAP_LEN_MIN ||
12665                     len > IEEE80211_QOS_MAP_LEN_MAX)
12666                         return -EINVAL;
12667
12668                 qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
12669                 if (!qos_map)
12670                         return -ENOMEM;
12671
12672                 num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
12673                 if (num_des) {
12674                         des_len = num_des *
12675                                 sizeof(struct cfg80211_dscp_exception);
12676                         memcpy(qos_map->dscp_exception, pos, des_len);
12677                         qos_map->num_des = num_des;
12678                         for (des = 0; des < num_des; des++) {
12679                                 if (qos_map->dscp_exception[des].up > 7) {
12680                                         kfree(qos_map);
12681                                         return -EINVAL;
12682                                 }
12683                         }
12684                         pos += des_len;
12685                 }
12686                 memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
12687         }
12688
12689         wdev_lock(dev->ieee80211_ptr);
12690         ret = nl80211_key_allowed(dev->ieee80211_ptr);
12691         if (!ret)
12692                 ret = rdev_set_qos_map(rdev, dev, qos_map);
12693         wdev_unlock(dev->ieee80211_ptr);
12694
12695         kfree(qos_map);
12696         return ret;
12697 }
12698
12699 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
12700 {
12701         struct cfg80211_registered_device *rdev = info->user_ptr[0];
12702         struct net_device *dev = info->user_ptr[1];
12703         struct wireless_dev *wdev = dev->ieee80211_ptr;
12704         const u8 *peer;
12705         u8 tsid, up;
12706         u16 admitted_time = 0;
12707         int err;
12708
12709         if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
12710                 return -EOPNOTSUPP;
12711
12712         if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
12713             !info->attrs[NL80211_ATTR_USER_PRIO])
12714                 return -EINVAL;
12715
12716         tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
12717         if (tsid >= IEEE80211_NUM_TIDS)
12718                 return -EINVAL;
12719
12720         up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
12721         if (up >= IEEE80211_NUM_UPS)
12722                 return -EINVAL;
12723
12724         /* WMM uses TIDs 0-7 even for TSPEC */
12725         if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
12726                 /* TODO: handle 802.11 TSPEC/admission control
12727                  * need more attributes for that (e.g. BA session requirement);
12728                  * change the WMM adminssion test above to allow both then
12729                  */
12730                 return -EINVAL;
12731         }
12732
12733         peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
12734
12735         if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
12736                 admitted_time =
12737                         nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
12738                 if (!admitted_time)
12739                         return -EINVAL;
12740         }
12741
12742         wdev_lock(wdev);
12743         switch (wdev->iftype) {
12744         case NL80211_IFTYPE_STATION:
12745         case NL80211_IFTYPE_P2P_CLIENT:
12746                 if (wdev->current_bss)
12747                         break;
12748                 err = -ENOTCONN;
12749                 goto out;
12750         default:
12751                 err = -EOPNOTSUPP;
12752                 goto out;
12753         }
12754
12755         err = rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
12756
12757  out:
12758         wdev_unlock(wdev);
12759         return err;
12760 }
12761
12762 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
12763 {
12764         struct cfg80211_registered_device *rdev = info->user_ptr[0];
12765         struct net_device *dev = info->user_ptr[1];
12766         struct wireless_dev *wdev = dev->ieee80211_ptr;
12767         const u8 *peer;
12768         u8 tsid;
12769         int err;
12770
12771         if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
12772                 return -EINVAL;
12773
12774         tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
12775         peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
12776
12777         wdev_lock(wdev);
12778         err = rdev_del_tx_ts(rdev, dev, tsid, peer);
12779         wdev_unlock(wdev);
12780
12781         return err;
12782 }
12783
12784 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
12785                                        struct genl_info *info)
12786 {
12787         struct cfg80211_registered_device *rdev = info->user_ptr[0];
12788         struct net_device *dev = info->user_ptr[1];
12789         struct wireless_dev *wdev = dev->ieee80211_ptr;
12790         struct cfg80211_chan_def chandef = {};
12791         const u8 *addr;
12792         u8 oper_class;
12793         int err;
12794
12795         if (!rdev->ops->tdls_channel_switch ||
12796             !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
12797                 return -EOPNOTSUPP;
12798
12799         switch (dev->ieee80211_ptr->iftype) {
12800         case NL80211_IFTYPE_STATION:
12801         case NL80211_IFTYPE_P2P_CLIENT:
12802                 break;
12803         default:
12804                 return -EOPNOTSUPP;
12805         }
12806
12807         if (!info->attrs[NL80211_ATTR_MAC] ||
12808             !info->attrs[NL80211_ATTR_OPER_CLASS])
12809                 return -EINVAL;
12810
12811         err = nl80211_parse_chandef(rdev, info, &chandef);
12812         if (err)
12813                 return err;
12814
12815         /*
12816          * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
12817          * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
12818          * specification is not defined for them.
12819          */
12820         if (chandef.chan->band == NL80211_BAND_2GHZ &&
12821             chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
12822             chandef.width != NL80211_CHAN_WIDTH_20)
12823                 return -EINVAL;
12824
12825         /* we will be active on the TDLS link */
12826         if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
12827                                            wdev->iftype))
12828                 return -EINVAL;
12829
12830         /* don't allow switching to DFS channels */
12831         if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
12832                 return -EINVAL;
12833
12834         addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
12835         oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
12836
12837         wdev_lock(wdev);
12838         err = rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
12839         wdev_unlock(wdev);
12840
12841         return err;
12842 }
12843
12844 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
12845                                               struct genl_info *info)
12846 {
12847         struct cfg80211_registered_device *rdev = info->user_ptr[0];
12848         struct net_device *dev = info->user_ptr[1];
12849         struct wireless_dev *wdev = dev->ieee80211_ptr;
12850         const u8 *addr;
12851
12852         if (!rdev->ops->tdls_channel_switch ||
12853             !rdev->ops->tdls_cancel_channel_switch ||
12854             !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
12855                 return -EOPNOTSUPP;
12856
12857         switch (dev->ieee80211_ptr->iftype) {
12858         case NL80211_IFTYPE_STATION:
12859         case NL80211_IFTYPE_P2P_CLIENT:
12860                 break;
12861         default:
12862                 return -EOPNOTSUPP;
12863         }
12864
12865         if (!info->attrs[NL80211_ATTR_MAC])
12866                 return -EINVAL;
12867
12868         addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
12869
12870         wdev_lock(wdev);
12871         rdev_tdls_cancel_channel_switch(rdev, dev, addr);
12872         wdev_unlock(wdev);
12873
12874         return 0;
12875 }
12876
12877 static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
12878                                             struct genl_info *info)
12879 {
12880         struct cfg80211_registered_device *rdev = info->user_ptr[0];
12881         struct net_device *dev = info->user_ptr[1];
12882         struct wireless_dev *wdev = dev->ieee80211_ptr;
12883         const struct nlattr *nla;
12884         bool enabled;
12885
12886         if (!rdev->ops->set_multicast_to_unicast)
12887                 return -EOPNOTSUPP;
12888
12889         if (wdev->iftype != NL80211_IFTYPE_AP &&
12890             wdev->iftype != NL80211_IFTYPE_P2P_GO)
12891                 return -EOPNOTSUPP;
12892
12893         nla = info->attrs[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED];
12894         enabled = nla_get_flag(nla);
12895
12896         return rdev_set_multicast_to_unicast(rdev, dev, enabled);
12897 }
12898
12899 static int nl80211_set_pmk(struct sk_buff *skb, struct genl_info *info)
12900 {
12901         struct cfg80211_registered_device *rdev = info->user_ptr[0];
12902         struct net_device *dev = info->user_ptr[1];
12903         struct wireless_dev *wdev = dev->ieee80211_ptr;
12904         struct cfg80211_pmk_conf pmk_conf = {};
12905         int ret;
12906
12907         if (wdev->iftype != NL80211_IFTYPE_STATION &&
12908             wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
12909                 return -EOPNOTSUPP;
12910
12911         if (!wiphy_ext_feature_isset(&rdev->wiphy,
12912                                      NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
12913                 return -EOPNOTSUPP;
12914
12915         if (!info->attrs[NL80211_ATTR_MAC] || !info->attrs[NL80211_ATTR_PMK])
12916                 return -EINVAL;
12917
12918         wdev_lock(wdev);
12919         if (!wdev->current_bss) {
12920                 ret = -ENOTCONN;
12921                 goto out;
12922         }
12923
12924         pmk_conf.aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
12925         if (memcmp(pmk_conf.aa, wdev->current_bss->pub.bssid, ETH_ALEN)) {
12926                 ret = -EINVAL;
12927                 goto out;
12928         }
12929
12930         pmk_conf.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
12931         pmk_conf.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
12932         if (pmk_conf.pmk_len != WLAN_PMK_LEN &&
12933             pmk_conf.pmk_len != WLAN_PMK_LEN_SUITE_B_192) {
12934                 ret = -EINVAL;
12935                 goto out;
12936         }
12937
12938         if (info->attrs[NL80211_ATTR_PMKR0_NAME]) {
12939                 int r0_name_len = nla_len(info->attrs[NL80211_ATTR_PMKR0_NAME]);
12940
12941                 if (r0_name_len != WLAN_PMK_NAME_LEN) {
12942                         ret = -EINVAL;
12943                         goto out;
12944                 }
12945
12946                 pmk_conf.pmk_r0_name =
12947                         nla_data(info->attrs[NL80211_ATTR_PMKR0_NAME]);
12948         }
12949
12950         ret = rdev_set_pmk(rdev, dev, &pmk_conf);
12951 out:
12952         wdev_unlock(wdev);
12953         return ret;
12954 }
12955
12956 static int nl80211_del_pmk(struct sk_buff *skb, struct genl_info *info)
12957 {
12958         struct cfg80211_registered_device *rdev = info->user_ptr[0];
12959         struct net_device *dev = info->user_ptr[1];
12960         struct wireless_dev *wdev = dev->ieee80211_ptr;
12961         const u8 *aa;
12962         int ret;
12963
12964         if (wdev->iftype != NL80211_IFTYPE_STATION &&
12965             wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
12966                 return -EOPNOTSUPP;
12967
12968         if (!wiphy_ext_feature_isset(&rdev->wiphy,
12969                                      NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
12970                 return -EOPNOTSUPP;
12971
12972         if (!info->attrs[NL80211_ATTR_MAC])
12973                 return -EINVAL;
12974
12975         wdev_lock(wdev);
12976         aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
12977         ret = rdev_del_pmk(rdev, dev, aa);
12978         wdev_unlock(wdev);
12979
12980         return ret;
12981 }
12982
12983 static int nl80211_external_auth(struct sk_buff *skb, struct genl_info *info)
12984 {
12985         struct cfg80211_registered_device *rdev = info->user_ptr[0];
12986         struct net_device *dev = info->user_ptr[1];
12987         struct cfg80211_external_auth_params params;
12988
12989         if (!rdev->ops->external_auth)
12990                 return -EOPNOTSUPP;
12991
12992         if (!info->attrs[NL80211_ATTR_SSID])
12993                 return -EINVAL;
12994
12995         if (!info->attrs[NL80211_ATTR_BSSID])
12996                 return -EINVAL;
12997
12998         if (!info->attrs[NL80211_ATTR_STATUS_CODE])
12999                 return -EINVAL;
13000
13001         memset(&params, 0, sizeof(params));
13002
13003         params.ssid.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
13004         if (params.ssid.ssid_len == 0 ||
13005             params.ssid.ssid_len > IEEE80211_MAX_SSID_LEN)
13006                 return -EINVAL;
13007         memcpy(params.ssid.ssid, nla_data(info->attrs[NL80211_ATTR_SSID]),
13008                params.ssid.ssid_len);
13009
13010         memcpy(params.bssid, nla_data(info->attrs[NL80211_ATTR_BSSID]),
13011                ETH_ALEN);
13012
13013         params.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
13014
13015         return rdev_external_auth(rdev, dev, &params);
13016 }
13017
13018 static int nl80211_tx_control_port(struct sk_buff *skb, struct genl_info *info)
13019 {
13020         struct cfg80211_registered_device *rdev = info->user_ptr[0];
13021         struct net_device *dev = info->user_ptr[1];
13022         struct wireless_dev *wdev = dev->ieee80211_ptr;
13023         const u8 *buf;
13024         size_t len;
13025         u8 *dest;
13026         u16 proto;
13027         bool noencrypt;
13028         int err;
13029
13030         if (!wiphy_ext_feature_isset(&rdev->wiphy,
13031                                      NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
13032                 return -EOPNOTSUPP;
13033
13034         if (!rdev->ops->tx_control_port)
13035                 return -EOPNOTSUPP;
13036
13037         if (!info->attrs[NL80211_ATTR_FRAME] ||
13038             !info->attrs[NL80211_ATTR_MAC] ||
13039             !info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
13040                 GENL_SET_ERR_MSG(info, "Frame, MAC or ethertype missing");
13041                 return -EINVAL;
13042         }
13043
13044         wdev_lock(wdev);
13045
13046         switch (wdev->iftype) {
13047         case NL80211_IFTYPE_AP:
13048         case NL80211_IFTYPE_P2P_GO:
13049         case NL80211_IFTYPE_MESH_POINT:
13050                 break;
13051         case NL80211_IFTYPE_ADHOC:
13052         case NL80211_IFTYPE_STATION:
13053         case NL80211_IFTYPE_P2P_CLIENT:
13054                 if (wdev->current_bss)
13055                         break;
13056                 err = -ENOTCONN;
13057                 goto out;
13058         default:
13059                 err = -EOPNOTSUPP;
13060                 goto out;
13061         }
13062
13063         wdev_unlock(wdev);
13064
13065         buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
13066         len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
13067         dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
13068         proto = nla_get_u16(info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
13069         noencrypt =
13070                 nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT]);
13071
13072         return rdev_tx_control_port(rdev, dev, buf, len,
13073                                     dest, cpu_to_be16(proto), noencrypt);
13074
13075  out:
13076         wdev_unlock(wdev);
13077         return err;
13078 }
13079
13080 #define NL80211_FLAG_NEED_WIPHY         0x01
13081 #define NL80211_FLAG_NEED_NETDEV        0x02
13082 #define NL80211_FLAG_NEED_RTNL          0x04
13083 #define NL80211_FLAG_CHECK_NETDEV_UP    0x08
13084 #define NL80211_FLAG_NEED_NETDEV_UP     (NL80211_FLAG_NEED_NETDEV |\
13085                                          NL80211_FLAG_CHECK_NETDEV_UP)
13086 #define NL80211_FLAG_NEED_WDEV          0x10
13087 /* If a netdev is associated, it must be UP, P2P must be started */
13088 #define NL80211_FLAG_NEED_WDEV_UP       (NL80211_FLAG_NEED_WDEV |\
13089                                          NL80211_FLAG_CHECK_NETDEV_UP)
13090 #define NL80211_FLAG_CLEAR_SKB          0x20
13091
13092 static int nl80211_pre_doit(const struct genl_ops *ops, struct sk_buff *skb,
13093                             struct genl_info *info)
13094 {
13095         struct cfg80211_registered_device *rdev;
13096         struct wireless_dev *wdev;
13097         struct net_device *dev;
13098         bool rtnl = ops->internal_flags & NL80211_FLAG_NEED_RTNL;
13099
13100         if (rtnl)
13101                 rtnl_lock();
13102
13103         if (ops->internal_flags & NL80211_FLAG_NEED_WIPHY) {
13104                 rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
13105                 if (IS_ERR(rdev)) {
13106                         if (rtnl)
13107                                 rtnl_unlock();
13108                         return PTR_ERR(rdev);
13109                 }
13110                 info->user_ptr[0] = rdev;
13111         } else if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV ||
13112                    ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
13113                 ASSERT_RTNL();
13114
13115                 wdev = __cfg80211_wdev_from_attrs(genl_info_net(info),
13116                                                   info->attrs);
13117                 if (IS_ERR(wdev)) {
13118                         if (rtnl)
13119                                 rtnl_unlock();
13120                         return PTR_ERR(wdev);
13121                 }
13122
13123                 dev = wdev->netdev;
13124                 rdev = wiphy_to_rdev(wdev->wiphy);
13125
13126                 if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV) {
13127                         if (!dev) {
13128                                 if (rtnl)
13129                                         rtnl_unlock();
13130                                 return -EINVAL;
13131                         }
13132
13133                         info->user_ptr[1] = dev;
13134                 } else {
13135                         info->user_ptr[1] = wdev;
13136                 }
13137
13138                 if (ops->internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
13139                     !wdev_running(wdev)) {
13140                         if (rtnl)
13141                                 rtnl_unlock();
13142                         return -ENETDOWN;
13143                 }
13144
13145                 if (dev)
13146                         dev_hold(dev);
13147
13148                 info->user_ptr[0] = rdev;
13149         }
13150
13151         return 0;
13152 }
13153
13154 static void nl80211_post_doit(const struct genl_ops *ops, struct sk_buff *skb,
13155                               struct genl_info *info)
13156 {
13157         if (info->user_ptr[1]) {
13158                 if (ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
13159                         struct wireless_dev *wdev = info->user_ptr[1];
13160
13161                         if (wdev->netdev)
13162                                 dev_put(wdev->netdev);
13163                 } else {
13164                         dev_put(info->user_ptr[1]);
13165                 }
13166         }
13167
13168         if (ops->internal_flags & NL80211_FLAG_NEED_RTNL)
13169                 rtnl_unlock();
13170
13171         /* If needed, clear the netlink message payload from the SKB
13172          * as it might contain key data that shouldn't stick around on
13173          * the heap after the SKB is freed. The netlink message header
13174          * is still needed for further processing, so leave it intact.
13175          */
13176         if (ops->internal_flags & NL80211_FLAG_CLEAR_SKB) {
13177                 struct nlmsghdr *nlh = nlmsg_hdr(skb);
13178
13179                 memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
13180         }
13181 }
13182
13183 static const struct genl_ops nl80211_ops[] = {
13184         {
13185                 .cmd = NL80211_CMD_GET_WIPHY,
13186                 .doit = nl80211_get_wiphy,
13187                 .dumpit = nl80211_dump_wiphy,
13188                 .done = nl80211_dump_wiphy_done,
13189                 .policy = nl80211_policy,
13190                 /* can be retrieved by unprivileged users */
13191                 .internal_flags = NL80211_FLAG_NEED_WIPHY |
13192                                   NL80211_FLAG_NEED_RTNL,
13193         },
13194         {
13195                 .cmd = NL80211_CMD_SET_WIPHY,
13196                 .doit = nl80211_set_wiphy,
13197                 .policy = nl80211_policy,
13198                 .flags = GENL_UNS_ADMIN_PERM,
13199                 .internal_flags = NL80211_FLAG_NEED_RTNL,
13200         },
13201         {
13202                 .cmd = NL80211_CMD_GET_INTERFACE,
13203                 .doit = nl80211_get_interface,
13204                 .dumpit = nl80211_dump_interface,
13205                 .policy = nl80211_policy,
13206                 /* can be retrieved by unprivileged users */
13207                 .internal_flags = NL80211_FLAG_NEED_WDEV |
13208                                   NL80211_FLAG_NEED_RTNL,
13209         },
13210         {
13211                 .cmd = NL80211_CMD_SET_INTERFACE,
13212                 .doit = nl80211_set_interface,
13213                 .policy = nl80211_policy,
13214                 .flags = GENL_UNS_ADMIN_PERM,
13215                 .internal_flags = NL80211_FLAG_NEED_NETDEV |
13216                                   NL80211_FLAG_NEED_RTNL,
13217         },
13218         {
13219                 .cmd = NL80211_CMD_NEW_INTERFACE,
13220                 .doit = nl80211_new_interface,
13221                 .policy = nl80211_policy,
13222                 .flags = GENL_UNS_ADMIN_PERM,
13223                 .internal_flags = NL80211_FLAG_NEED_WIPHY |
13224                                   NL80211_FLAG_NEED_RTNL,
13225         },
13226         {
13227                 .cmd = NL80211_CMD_DEL_INTERFACE,
13228                 .doit = nl80211_del_interface,
13229                 .policy = nl80211_policy,
13230                 .flags = GENL_UNS_ADMIN_PERM,
13231                 .internal_flags = NL80211_FLAG_NEED_WDEV |
13232                                   NL80211_FLAG_NEED_RTNL,
13233         },
13234         {
13235                 .cmd = NL80211_CMD_GET_KEY,
13236                 .doit = nl80211_get_key,
13237                 .policy = nl80211_policy,
13238                 .flags = GENL_UNS_ADMIN_PERM,
13239                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13240                                   NL80211_FLAG_NEED_RTNL,
13241         },
13242         {
13243                 .cmd = NL80211_CMD_SET_KEY,
13244                 .doit = nl80211_set_key,
13245                 .policy = nl80211_policy,
13246                 .flags = GENL_UNS_ADMIN_PERM,
13247                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13248                                   NL80211_FLAG_NEED_RTNL |
13249                                   NL80211_FLAG_CLEAR_SKB,
13250         },
13251         {
13252                 .cmd = NL80211_CMD_NEW_KEY,
13253                 .doit = nl80211_new_key,
13254                 .policy = nl80211_policy,
13255                 .flags = GENL_UNS_ADMIN_PERM,
13256                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13257                                   NL80211_FLAG_NEED_RTNL |
13258                                   NL80211_FLAG_CLEAR_SKB,
13259         },
13260         {
13261                 .cmd = NL80211_CMD_DEL_KEY,
13262                 .doit = nl80211_del_key,
13263                 .policy = nl80211_policy,
13264                 .flags = GENL_UNS_ADMIN_PERM,
13265                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13266                                   NL80211_FLAG_NEED_RTNL,
13267         },
13268         {
13269                 .cmd = NL80211_CMD_SET_BEACON,
13270                 .policy = nl80211_policy,
13271                 .flags = GENL_UNS_ADMIN_PERM,
13272                 .doit = nl80211_set_beacon,
13273                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13274                                   NL80211_FLAG_NEED_RTNL,
13275         },
13276         {
13277                 .cmd = NL80211_CMD_START_AP,
13278                 .policy = nl80211_policy,
13279                 .flags = GENL_UNS_ADMIN_PERM,
13280                 .doit = nl80211_start_ap,
13281                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13282                                   NL80211_FLAG_NEED_RTNL,
13283         },
13284         {
13285                 .cmd = NL80211_CMD_STOP_AP,
13286                 .policy = nl80211_policy,
13287                 .flags = GENL_UNS_ADMIN_PERM,
13288                 .doit = nl80211_stop_ap,
13289                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13290                                   NL80211_FLAG_NEED_RTNL,
13291         },
13292         {
13293                 .cmd = NL80211_CMD_GET_STATION,
13294                 .doit = nl80211_get_station,
13295                 .dumpit = nl80211_dump_station,
13296                 .policy = nl80211_policy,
13297                 .internal_flags = NL80211_FLAG_NEED_NETDEV |
13298                                   NL80211_FLAG_NEED_RTNL,
13299         },
13300         {
13301                 .cmd = NL80211_CMD_SET_STATION,
13302                 .doit = nl80211_set_station,
13303                 .policy = nl80211_policy,
13304                 .flags = GENL_UNS_ADMIN_PERM,
13305                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13306                                   NL80211_FLAG_NEED_RTNL,
13307         },
13308         {
13309                 .cmd = NL80211_CMD_NEW_STATION,
13310                 .doit = nl80211_new_station,
13311                 .policy = nl80211_policy,
13312                 .flags = GENL_UNS_ADMIN_PERM,
13313                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13314                                   NL80211_FLAG_NEED_RTNL,
13315         },
13316         {
13317                 .cmd = NL80211_CMD_DEL_STATION,
13318                 .doit = nl80211_del_station,
13319                 .policy = nl80211_policy,
13320                 .flags = GENL_UNS_ADMIN_PERM,
13321                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13322                                   NL80211_FLAG_NEED_RTNL,
13323         },
13324         {
13325                 .cmd = NL80211_CMD_GET_MPATH,
13326                 .doit = nl80211_get_mpath,
13327                 .dumpit = nl80211_dump_mpath,
13328                 .policy = nl80211_policy,
13329                 .flags = GENL_UNS_ADMIN_PERM,
13330                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13331                                   NL80211_FLAG_NEED_RTNL,
13332         },
13333         {
13334                 .cmd = NL80211_CMD_GET_MPP,
13335                 .doit = nl80211_get_mpp,
13336                 .dumpit = nl80211_dump_mpp,
13337                 .policy = nl80211_policy,
13338                 .flags = GENL_UNS_ADMIN_PERM,
13339                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13340                                   NL80211_FLAG_NEED_RTNL,
13341         },
13342         {
13343                 .cmd = NL80211_CMD_SET_MPATH,
13344                 .doit = nl80211_set_mpath,
13345                 .policy = nl80211_policy,
13346                 .flags = GENL_UNS_ADMIN_PERM,
13347                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13348                                   NL80211_FLAG_NEED_RTNL,
13349         },
13350         {
13351                 .cmd = NL80211_CMD_NEW_MPATH,
13352                 .doit = nl80211_new_mpath,
13353                 .policy = nl80211_policy,
13354                 .flags = GENL_UNS_ADMIN_PERM,
13355                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13356                                   NL80211_FLAG_NEED_RTNL,
13357         },
13358         {
13359                 .cmd = NL80211_CMD_DEL_MPATH,
13360                 .doit = nl80211_del_mpath,
13361                 .policy = nl80211_policy,
13362                 .flags = GENL_UNS_ADMIN_PERM,
13363                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13364                                   NL80211_FLAG_NEED_RTNL,
13365         },
13366         {
13367                 .cmd = NL80211_CMD_SET_BSS,
13368                 .doit = nl80211_set_bss,
13369                 .policy = nl80211_policy,
13370                 .flags = GENL_UNS_ADMIN_PERM,
13371                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13372                                   NL80211_FLAG_NEED_RTNL,
13373         },
13374         {
13375                 .cmd = NL80211_CMD_GET_REG,
13376                 .doit = nl80211_get_reg_do,
13377                 .dumpit = nl80211_get_reg_dump,
13378                 .policy = nl80211_policy,
13379                 .internal_flags = NL80211_FLAG_NEED_RTNL,
13380                 /* can be retrieved by unprivileged users */
13381         },
13382 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
13383         {
13384                 .cmd = NL80211_CMD_SET_REG,
13385                 .doit = nl80211_set_reg,
13386                 .policy = nl80211_policy,
13387                 .flags = GENL_ADMIN_PERM,
13388                 .internal_flags = NL80211_FLAG_NEED_RTNL,
13389         },
13390 #endif
13391         {
13392                 .cmd = NL80211_CMD_REQ_SET_REG,
13393                 .doit = nl80211_req_set_reg,
13394                 .policy = nl80211_policy,
13395                 .flags = GENL_ADMIN_PERM,
13396         },
13397         {
13398                 .cmd = NL80211_CMD_RELOAD_REGDB,
13399                 .doit = nl80211_reload_regdb,
13400                 .policy = nl80211_policy,
13401                 .flags = GENL_ADMIN_PERM,
13402         },
13403         {
13404                 .cmd = NL80211_CMD_GET_MESH_CONFIG,
13405                 .doit = nl80211_get_mesh_config,
13406                 .policy = nl80211_policy,
13407                 /* can be retrieved by unprivileged users */
13408                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13409                                   NL80211_FLAG_NEED_RTNL,
13410         },
13411         {
13412                 .cmd = NL80211_CMD_SET_MESH_CONFIG,
13413                 .doit = nl80211_update_mesh_config,
13414                 .policy = nl80211_policy,
13415                 .flags = GENL_UNS_ADMIN_PERM,
13416                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13417                                   NL80211_FLAG_NEED_RTNL,
13418         },
13419         {
13420                 .cmd = NL80211_CMD_TRIGGER_SCAN,
13421                 .doit = nl80211_trigger_scan,
13422                 .policy = nl80211_policy,
13423                 .flags = GENL_UNS_ADMIN_PERM,
13424                 .internal_flags = NL80211_FLAG_NEED_WDEV_UP |
13425                                   NL80211_FLAG_NEED_RTNL,
13426         },
13427         {
13428                 .cmd = NL80211_CMD_ABORT_SCAN,
13429                 .doit = nl80211_abort_scan,
13430                 .policy = nl80211_policy,
13431                 .flags = GENL_UNS_ADMIN_PERM,
13432                 .internal_flags = NL80211_FLAG_NEED_WDEV_UP |
13433                                   NL80211_FLAG_NEED_RTNL,
13434         },
13435         {
13436                 .cmd = NL80211_CMD_GET_SCAN,
13437                 .policy = nl80211_policy,
13438                 .dumpit = nl80211_dump_scan,
13439         },
13440         {
13441                 .cmd = NL80211_CMD_START_SCHED_SCAN,
13442                 .doit = nl80211_start_sched_scan,
13443                 .policy = nl80211_policy,
13444                 .flags = GENL_UNS_ADMIN_PERM,
13445                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13446                                   NL80211_FLAG_NEED_RTNL,
13447         },
13448         {
13449                 .cmd = NL80211_CMD_STOP_SCHED_SCAN,
13450                 .doit = nl80211_stop_sched_scan,
13451                 .policy = nl80211_policy,
13452                 .flags = GENL_UNS_ADMIN_PERM,
13453                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13454                                   NL80211_FLAG_NEED_RTNL,
13455         },
13456         {
13457                 .cmd = NL80211_CMD_AUTHENTICATE,
13458                 .doit = nl80211_authenticate,
13459                 .policy = nl80211_policy,
13460                 .flags = GENL_UNS_ADMIN_PERM,
13461                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13462                                   NL80211_FLAG_NEED_RTNL |
13463                                   NL80211_FLAG_CLEAR_SKB,
13464         },
13465         {
13466                 .cmd = NL80211_CMD_ASSOCIATE,
13467                 .doit = nl80211_associate,
13468                 .policy = nl80211_policy,
13469                 .flags = GENL_UNS_ADMIN_PERM,
13470                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13471                                   NL80211_FLAG_NEED_RTNL |
13472                                   NL80211_FLAG_CLEAR_SKB,
13473         },
13474         {
13475                 .cmd = NL80211_CMD_DEAUTHENTICATE,
13476                 .doit = nl80211_deauthenticate,
13477                 .policy = nl80211_policy,
13478                 .flags = GENL_UNS_ADMIN_PERM,
13479                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13480                                   NL80211_FLAG_NEED_RTNL,
13481         },
13482         {
13483                 .cmd = NL80211_CMD_DISASSOCIATE,
13484                 .doit = nl80211_disassociate,
13485                 .policy = nl80211_policy,
13486                 .flags = GENL_UNS_ADMIN_PERM,
13487                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13488                                   NL80211_FLAG_NEED_RTNL,
13489         },
13490         {
13491                 .cmd = NL80211_CMD_JOIN_IBSS,
13492                 .doit = nl80211_join_ibss,
13493                 .policy = nl80211_policy,
13494                 .flags = GENL_UNS_ADMIN_PERM,
13495                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13496                                   NL80211_FLAG_NEED_RTNL,
13497         },
13498         {
13499                 .cmd = NL80211_CMD_LEAVE_IBSS,
13500                 .doit = nl80211_leave_ibss,
13501                 .policy = nl80211_policy,
13502                 .flags = GENL_UNS_ADMIN_PERM,
13503                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13504                                   NL80211_FLAG_NEED_RTNL,
13505         },
13506 #ifdef CONFIG_NL80211_TESTMODE
13507         {
13508                 .cmd = NL80211_CMD_TESTMODE,
13509                 .doit = nl80211_testmode_do,
13510                 .dumpit = nl80211_testmode_dump,
13511                 .policy = nl80211_policy,
13512                 .flags = GENL_UNS_ADMIN_PERM,
13513                 .internal_flags = NL80211_FLAG_NEED_WIPHY |
13514                                   NL80211_FLAG_NEED_RTNL,
13515         },
13516 #endif
13517         {
13518                 .cmd = NL80211_CMD_CONNECT,
13519                 .doit = nl80211_connect,
13520                 .policy = nl80211_policy,
13521                 .flags = GENL_UNS_ADMIN_PERM,
13522                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13523                                   NL80211_FLAG_NEED_RTNL |
13524                                   NL80211_FLAG_CLEAR_SKB,
13525         },
13526         {
13527                 .cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
13528                 .doit = nl80211_update_connect_params,
13529                 .policy = nl80211_policy,
13530                 .flags = GENL_ADMIN_PERM,
13531                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13532                                   NL80211_FLAG_NEED_RTNL |
13533                                   NL80211_FLAG_CLEAR_SKB,
13534         },
13535         {
13536                 .cmd = NL80211_CMD_DISCONNECT,
13537                 .doit = nl80211_disconnect,
13538                 .policy = nl80211_policy,
13539                 .flags = GENL_UNS_ADMIN_PERM,
13540                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13541                                   NL80211_FLAG_NEED_RTNL,
13542         },
13543         {
13544                 .cmd = NL80211_CMD_SET_WIPHY_NETNS,
13545                 .doit = nl80211_wiphy_netns,
13546                 .policy = nl80211_policy,
13547                 .flags = GENL_UNS_ADMIN_PERM,
13548                 .internal_flags = NL80211_FLAG_NEED_WIPHY |
13549                                   NL80211_FLAG_NEED_RTNL,
13550         },
13551         {
13552                 .cmd = NL80211_CMD_GET_SURVEY,
13553                 .policy = nl80211_policy,
13554                 .dumpit = nl80211_dump_survey,
13555         },
13556         {
13557                 .cmd = NL80211_CMD_SET_PMKSA,
13558                 .doit = nl80211_setdel_pmksa,
13559                 .policy = nl80211_policy,
13560                 .flags = GENL_UNS_ADMIN_PERM,
13561                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13562                                   NL80211_FLAG_NEED_RTNL |
13563                                   NL80211_FLAG_CLEAR_SKB,
13564         },
13565         {
13566                 .cmd = NL80211_CMD_DEL_PMKSA,
13567                 .doit = nl80211_setdel_pmksa,
13568                 .policy = nl80211_policy,
13569                 .flags = GENL_UNS_ADMIN_PERM,
13570                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13571                                   NL80211_FLAG_NEED_RTNL,
13572         },
13573         {
13574                 .cmd = NL80211_CMD_FLUSH_PMKSA,
13575                 .doit = nl80211_flush_pmksa,
13576                 .policy = nl80211_policy,
13577                 .flags = GENL_UNS_ADMIN_PERM,
13578                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13579                                   NL80211_FLAG_NEED_RTNL,
13580         },
13581         {
13582                 .cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
13583                 .doit = nl80211_remain_on_channel,
13584                 .policy = nl80211_policy,
13585                 .flags = GENL_UNS_ADMIN_PERM,
13586                 .internal_flags = NL80211_FLAG_NEED_WDEV_UP |
13587                                   NL80211_FLAG_NEED_RTNL,
13588         },
13589         {
13590                 .cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
13591                 .doit = nl80211_cancel_remain_on_channel,
13592                 .policy = nl80211_policy,
13593                 .flags = GENL_UNS_ADMIN_PERM,
13594                 .internal_flags = NL80211_FLAG_NEED_WDEV_UP |
13595                                   NL80211_FLAG_NEED_RTNL,
13596         },
13597         {
13598                 .cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
13599                 .doit = nl80211_set_tx_bitrate_mask,
13600                 .policy = nl80211_policy,
13601                 .flags = GENL_UNS_ADMIN_PERM,
13602                 .internal_flags = NL80211_FLAG_NEED_NETDEV |
13603                                   NL80211_FLAG_NEED_RTNL,
13604         },
13605         {
13606                 .cmd = NL80211_CMD_REGISTER_FRAME,
13607                 .doit = nl80211_register_mgmt,
13608                 .policy = nl80211_policy,
13609                 .flags = GENL_UNS_ADMIN_PERM,
13610                 .internal_flags = NL80211_FLAG_NEED_WDEV |
13611                                   NL80211_FLAG_NEED_RTNL,
13612         },
13613         {
13614                 .cmd = NL80211_CMD_FRAME,
13615                 .doit = nl80211_tx_mgmt,
13616                 .policy = nl80211_policy,
13617                 .flags = GENL_UNS_ADMIN_PERM,
13618                 .internal_flags = NL80211_FLAG_NEED_WDEV_UP |
13619                                   NL80211_FLAG_NEED_RTNL,
13620         },
13621         {
13622                 .cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
13623                 .doit = nl80211_tx_mgmt_cancel_wait,
13624                 .policy = nl80211_policy,
13625                 .flags = GENL_UNS_ADMIN_PERM,
13626                 .internal_flags = NL80211_FLAG_NEED_WDEV_UP |
13627                                   NL80211_FLAG_NEED_RTNL,
13628         },
13629         {
13630                 .cmd = NL80211_CMD_SET_POWER_SAVE,
13631                 .doit = nl80211_set_power_save,
13632                 .policy = nl80211_policy,
13633                 .flags = GENL_UNS_ADMIN_PERM,
13634                 .internal_flags = NL80211_FLAG_NEED_NETDEV |
13635                                   NL80211_FLAG_NEED_RTNL,
13636         },
13637         {
13638                 .cmd = NL80211_CMD_GET_POWER_SAVE,
13639                 .doit = nl80211_get_power_save,
13640                 .policy = nl80211_policy,
13641                 /* can be retrieved by unprivileged users */
13642                 .internal_flags = NL80211_FLAG_NEED_NETDEV |
13643                                   NL80211_FLAG_NEED_RTNL,
13644         },
13645         {
13646                 .cmd = NL80211_CMD_SET_CQM,
13647                 .doit = nl80211_set_cqm,
13648                 .policy = nl80211_policy,
13649                 .flags = GENL_UNS_ADMIN_PERM,
13650                 .internal_flags = NL80211_FLAG_NEED_NETDEV |
13651                                   NL80211_FLAG_NEED_RTNL,
13652         },
13653         {
13654                 .cmd = NL80211_CMD_SET_CHANNEL,
13655                 .doit = nl80211_set_channel,
13656                 .policy = nl80211_policy,
13657                 .flags = GENL_UNS_ADMIN_PERM,
13658                 .internal_flags = NL80211_FLAG_NEED_NETDEV |
13659                                   NL80211_FLAG_NEED_RTNL,
13660         },
13661         {
13662                 .cmd = NL80211_CMD_SET_WDS_PEER,
13663                 .doit = nl80211_set_wds_peer,
13664                 .policy = nl80211_policy,
13665                 .flags = GENL_UNS_ADMIN_PERM,
13666                 .internal_flags = NL80211_FLAG_NEED_NETDEV |
13667                                   NL80211_FLAG_NEED_RTNL,
13668         },
13669         {
13670                 .cmd = NL80211_CMD_JOIN_MESH,
13671                 .doit = nl80211_join_mesh,
13672                 .policy = nl80211_policy,
13673                 .flags = GENL_UNS_ADMIN_PERM,
13674                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13675                                   NL80211_FLAG_NEED_RTNL,
13676         },
13677         {
13678                 .cmd = NL80211_CMD_LEAVE_MESH,
13679                 .doit = nl80211_leave_mesh,
13680                 .policy = nl80211_policy,
13681                 .flags = GENL_UNS_ADMIN_PERM,
13682                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13683                                   NL80211_FLAG_NEED_RTNL,
13684         },
13685         {
13686                 .cmd = NL80211_CMD_JOIN_OCB,
13687                 .doit = nl80211_join_ocb,
13688                 .policy = nl80211_policy,
13689                 .flags = GENL_UNS_ADMIN_PERM,
13690                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13691                                   NL80211_FLAG_NEED_RTNL,
13692         },
13693         {
13694                 .cmd = NL80211_CMD_LEAVE_OCB,
13695                 .doit = nl80211_leave_ocb,
13696                 .policy = nl80211_policy,
13697                 .flags = GENL_UNS_ADMIN_PERM,
13698                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13699                                   NL80211_FLAG_NEED_RTNL,
13700         },
13701 #ifdef CONFIG_PM
13702         {
13703                 .cmd = NL80211_CMD_GET_WOWLAN,
13704                 .doit = nl80211_get_wowlan,
13705                 .policy = nl80211_policy,
13706                 /* can be retrieved by unprivileged users */
13707                 .internal_flags = NL80211_FLAG_NEED_WIPHY |
13708                                   NL80211_FLAG_NEED_RTNL,
13709         },
13710         {
13711                 .cmd = NL80211_CMD_SET_WOWLAN,
13712                 .doit = nl80211_set_wowlan,
13713                 .policy = nl80211_policy,
13714                 .flags = GENL_UNS_ADMIN_PERM,
13715                 .internal_flags = NL80211_FLAG_NEED_WIPHY |
13716                                   NL80211_FLAG_NEED_RTNL,
13717         },
13718 #endif
13719         {
13720                 .cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
13721                 .doit = nl80211_set_rekey_data,
13722                 .policy = nl80211_policy,
13723                 .flags = GENL_UNS_ADMIN_PERM,
13724                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13725                                   NL80211_FLAG_NEED_RTNL |
13726                                   NL80211_FLAG_CLEAR_SKB,
13727         },
13728         {
13729                 .cmd = NL80211_CMD_TDLS_MGMT,
13730                 .doit = nl80211_tdls_mgmt,
13731                 .policy = nl80211_policy,
13732                 .flags = GENL_UNS_ADMIN_PERM,
13733                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13734                                   NL80211_FLAG_NEED_RTNL,
13735         },
13736         {
13737                 .cmd = NL80211_CMD_TDLS_OPER,
13738                 .doit = nl80211_tdls_oper,
13739                 .policy = nl80211_policy,
13740                 .flags = GENL_UNS_ADMIN_PERM,
13741                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13742                                   NL80211_FLAG_NEED_RTNL,
13743         },
13744         {
13745                 .cmd = NL80211_CMD_UNEXPECTED_FRAME,
13746                 .doit = nl80211_register_unexpected_frame,
13747                 .policy = nl80211_policy,
13748                 .flags = GENL_UNS_ADMIN_PERM,
13749                 .internal_flags = NL80211_FLAG_NEED_NETDEV |
13750                                   NL80211_FLAG_NEED_RTNL,
13751         },
13752         {
13753                 .cmd = NL80211_CMD_PROBE_CLIENT,
13754                 .doit = nl80211_probe_client,
13755                 .policy = nl80211_policy,
13756                 .flags = GENL_UNS_ADMIN_PERM,
13757                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13758                                   NL80211_FLAG_NEED_RTNL,
13759         },
13760         {
13761                 .cmd = NL80211_CMD_REGISTER_BEACONS,
13762                 .doit = nl80211_register_beacons,
13763                 .policy = nl80211_policy,
13764                 .flags = GENL_UNS_ADMIN_PERM,
13765                 .internal_flags = NL80211_FLAG_NEED_WIPHY |
13766                                   NL80211_FLAG_NEED_RTNL,
13767         },
13768         {
13769                 .cmd = NL80211_CMD_SET_NOACK_MAP,
13770                 .doit = nl80211_set_noack_map,
13771                 .policy = nl80211_policy,
13772                 .flags = GENL_UNS_ADMIN_PERM,
13773                 .internal_flags = NL80211_FLAG_NEED_NETDEV |
13774                                   NL80211_FLAG_NEED_RTNL,
13775         },
13776         {
13777                 .cmd = NL80211_CMD_START_P2P_DEVICE,
13778                 .doit = nl80211_start_p2p_device,
13779                 .policy = nl80211_policy,
13780                 .flags = GENL_UNS_ADMIN_PERM,
13781                 .internal_flags = NL80211_FLAG_NEED_WDEV |
13782                                   NL80211_FLAG_NEED_RTNL,
13783         },
13784         {
13785                 .cmd = NL80211_CMD_STOP_P2P_DEVICE,
13786                 .doit = nl80211_stop_p2p_device,
13787                 .policy = nl80211_policy,
13788                 .flags = GENL_UNS_ADMIN_PERM,
13789                 .internal_flags = NL80211_FLAG_NEED_WDEV_UP |
13790                                   NL80211_FLAG_NEED_RTNL,
13791         },
13792         {
13793                 .cmd = NL80211_CMD_START_NAN,
13794                 .doit = nl80211_start_nan,
13795                 .policy = nl80211_policy,
13796                 .flags = GENL_ADMIN_PERM,
13797                 .internal_flags = NL80211_FLAG_NEED_WDEV |
13798                                   NL80211_FLAG_NEED_RTNL,
13799         },
13800         {
13801                 .cmd = NL80211_CMD_STOP_NAN,
13802                 .doit = nl80211_stop_nan,
13803                 .policy = nl80211_policy,
13804                 .flags = GENL_ADMIN_PERM,
13805                 .internal_flags = NL80211_FLAG_NEED_WDEV_UP |
13806                                   NL80211_FLAG_NEED_RTNL,
13807         },
13808         {
13809                 .cmd = NL80211_CMD_ADD_NAN_FUNCTION,
13810                 .doit = nl80211_nan_add_func,
13811                 .policy = nl80211_policy,
13812                 .flags = GENL_ADMIN_PERM,
13813                 .internal_flags = NL80211_FLAG_NEED_WDEV_UP |
13814                                   NL80211_FLAG_NEED_RTNL,
13815         },
13816         {
13817                 .cmd = NL80211_CMD_DEL_NAN_FUNCTION,
13818                 .doit = nl80211_nan_del_func,
13819                 .policy = nl80211_policy,
13820                 .flags = GENL_ADMIN_PERM,
13821                 .internal_flags = NL80211_FLAG_NEED_WDEV_UP |
13822                                   NL80211_FLAG_NEED_RTNL,
13823         },
13824         {
13825                 .cmd = NL80211_CMD_CHANGE_NAN_CONFIG,
13826                 .doit = nl80211_nan_change_config,
13827                 .policy = nl80211_policy,
13828                 .flags = GENL_ADMIN_PERM,
13829                 .internal_flags = NL80211_FLAG_NEED_WDEV_UP |
13830                                   NL80211_FLAG_NEED_RTNL,
13831         },
13832         {
13833                 .cmd = NL80211_CMD_SET_MCAST_RATE,
13834                 .doit = nl80211_set_mcast_rate,
13835                 .policy = nl80211_policy,
13836                 .flags = GENL_UNS_ADMIN_PERM,
13837                 .internal_flags = NL80211_FLAG_NEED_NETDEV |
13838                                   NL80211_FLAG_NEED_RTNL,
13839         },
13840         {
13841                 .cmd = NL80211_CMD_SET_MAC_ACL,
13842                 .doit = nl80211_set_mac_acl,
13843                 .policy = nl80211_policy,
13844                 .flags = GENL_UNS_ADMIN_PERM,
13845                 .internal_flags = NL80211_FLAG_NEED_NETDEV |
13846                                   NL80211_FLAG_NEED_RTNL,
13847         },
13848         {
13849                 .cmd = NL80211_CMD_RADAR_DETECT,
13850                 .doit = nl80211_start_radar_detection,
13851                 .policy = nl80211_policy,
13852                 .flags = GENL_UNS_ADMIN_PERM,
13853                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13854                                   NL80211_FLAG_NEED_RTNL,
13855         },
13856         {
13857                 .cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
13858                 .doit = nl80211_get_protocol_features,
13859                 .policy = nl80211_policy,
13860         },
13861         {
13862                 .cmd = NL80211_CMD_UPDATE_FT_IES,
13863                 .doit = nl80211_update_ft_ies,
13864                 .policy = nl80211_policy,
13865                 .flags = GENL_UNS_ADMIN_PERM,
13866                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13867                                   NL80211_FLAG_NEED_RTNL,
13868         },
13869         {
13870                 .cmd = NL80211_CMD_CRIT_PROTOCOL_START,
13871                 .doit = nl80211_crit_protocol_start,
13872                 .policy = nl80211_policy,
13873                 .flags = GENL_UNS_ADMIN_PERM,
13874                 .internal_flags = NL80211_FLAG_NEED_WDEV_UP |
13875                                   NL80211_FLAG_NEED_RTNL,
13876         },
13877         {
13878                 .cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
13879                 .doit = nl80211_crit_protocol_stop,
13880                 .policy = nl80211_policy,
13881                 .flags = GENL_UNS_ADMIN_PERM,
13882                 .internal_flags = NL80211_FLAG_NEED_WDEV_UP |
13883                                   NL80211_FLAG_NEED_RTNL,
13884         },
13885         {
13886                 .cmd = NL80211_CMD_GET_COALESCE,
13887                 .doit = nl80211_get_coalesce,
13888                 .policy = nl80211_policy,
13889                 .internal_flags = NL80211_FLAG_NEED_WIPHY |
13890                                   NL80211_FLAG_NEED_RTNL,
13891         },
13892         {
13893                 .cmd = NL80211_CMD_SET_COALESCE,
13894                 .doit = nl80211_set_coalesce,
13895                 .policy = nl80211_policy,
13896                 .flags = GENL_UNS_ADMIN_PERM,
13897                 .internal_flags = NL80211_FLAG_NEED_WIPHY |
13898                                   NL80211_FLAG_NEED_RTNL,
13899         },
13900         {
13901                 .cmd = NL80211_CMD_CHANNEL_SWITCH,
13902                 .doit = nl80211_channel_switch,
13903                 .policy = nl80211_policy,
13904                 .flags = GENL_UNS_ADMIN_PERM,
13905                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13906                                   NL80211_FLAG_NEED_RTNL,
13907         },
13908         {
13909                 .cmd = NL80211_CMD_VENDOR,
13910                 .doit = nl80211_vendor_cmd,
13911                 .dumpit = nl80211_vendor_cmd_dump,
13912                 .policy = nl80211_policy,
13913                 .flags = GENL_UNS_ADMIN_PERM,
13914                 .internal_flags = NL80211_FLAG_NEED_WIPHY |
13915                                   NL80211_FLAG_NEED_RTNL |
13916                                   NL80211_FLAG_CLEAR_SKB,
13917         },
13918         {
13919                 .cmd = NL80211_CMD_SET_QOS_MAP,
13920                 .doit = nl80211_set_qos_map,
13921                 .policy = nl80211_policy,
13922                 .flags = GENL_UNS_ADMIN_PERM,
13923                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13924                                   NL80211_FLAG_NEED_RTNL,
13925         },
13926         {
13927                 .cmd = NL80211_CMD_ADD_TX_TS,
13928                 .doit = nl80211_add_tx_ts,
13929                 .policy = nl80211_policy,
13930                 .flags = GENL_UNS_ADMIN_PERM,
13931                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13932                                   NL80211_FLAG_NEED_RTNL,
13933         },
13934         {
13935                 .cmd = NL80211_CMD_DEL_TX_TS,
13936                 .doit = nl80211_del_tx_ts,
13937                 .policy = nl80211_policy,
13938                 .flags = GENL_UNS_ADMIN_PERM,
13939                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13940                                   NL80211_FLAG_NEED_RTNL,
13941         },
13942         {
13943                 .cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
13944                 .doit = nl80211_tdls_channel_switch,
13945                 .policy = nl80211_policy,
13946                 .flags = GENL_UNS_ADMIN_PERM,
13947                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13948                                   NL80211_FLAG_NEED_RTNL,
13949         },
13950         {
13951                 .cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
13952                 .doit = nl80211_tdls_cancel_channel_switch,
13953                 .policy = nl80211_policy,
13954                 .flags = GENL_UNS_ADMIN_PERM,
13955                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13956                                   NL80211_FLAG_NEED_RTNL,
13957         },
13958         {
13959                 .cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
13960                 .doit = nl80211_set_multicast_to_unicast,
13961                 .policy = nl80211_policy,
13962                 .flags = GENL_UNS_ADMIN_PERM,
13963                 .internal_flags = NL80211_FLAG_NEED_NETDEV |
13964                                   NL80211_FLAG_NEED_RTNL,
13965         },
13966         {
13967                 .cmd = NL80211_CMD_SET_PMK,
13968                 .doit = nl80211_set_pmk,
13969                 .policy = nl80211_policy,
13970                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13971                                   NL80211_FLAG_NEED_RTNL |
13972                                   NL80211_FLAG_CLEAR_SKB,
13973         },
13974         {
13975                 .cmd = NL80211_CMD_DEL_PMK,
13976                 .doit = nl80211_del_pmk,
13977                 .policy = nl80211_policy,
13978                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13979                                   NL80211_FLAG_NEED_RTNL,
13980         },
13981         {
13982                 .cmd = NL80211_CMD_EXTERNAL_AUTH,
13983                 .doit = nl80211_external_auth,
13984                 .policy = nl80211_policy,
13985                 .flags = GENL_ADMIN_PERM,
13986                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13987                                   NL80211_FLAG_NEED_RTNL,
13988         },
13989         {
13990                 .cmd = NL80211_CMD_CONTROL_PORT_FRAME,
13991                 .doit = nl80211_tx_control_port,
13992                 .policy = nl80211_policy,
13993                 .flags = GENL_UNS_ADMIN_PERM,
13994                 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13995                                   NL80211_FLAG_NEED_RTNL,
13996         },
13997 };
13998
13999 static struct genl_family nl80211_fam __ro_after_init = {
14000         .name = NL80211_GENL_NAME,      /* have users key off the name instead */
14001         .hdrsize = 0,                   /* no private header */
14002         .version = 1,                   /* no particular meaning now */
14003         .maxattr = NL80211_ATTR_MAX,
14004         .netnsok = true,
14005         .pre_doit = nl80211_pre_doit,
14006         .post_doit = nl80211_post_doit,
14007         .module = THIS_MODULE,
14008         .ops = nl80211_ops,
14009         .n_ops = ARRAY_SIZE(nl80211_ops),
14010         .mcgrps = nl80211_mcgrps,
14011         .n_mcgrps = ARRAY_SIZE(nl80211_mcgrps),
14012 };
14013
14014 /* notification functions */
14015
14016 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
14017                           enum nl80211_commands cmd)
14018 {
14019         struct sk_buff *msg;
14020         struct nl80211_dump_wiphy_state state = {};
14021
14022         WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
14023                 cmd != NL80211_CMD_DEL_WIPHY);
14024
14025         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14026         if (!msg)
14027                 return;
14028
14029         if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
14030                 nlmsg_free(msg);
14031                 return;
14032         }
14033
14034         genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14035                                 NL80211_MCGRP_CONFIG, GFP_KERNEL);
14036 }
14037
14038 void nl80211_notify_iface(struct cfg80211_registered_device *rdev,
14039                                 struct wireless_dev *wdev,
14040                                 enum nl80211_commands cmd)
14041 {
14042         struct sk_buff *msg;
14043
14044         WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
14045                 cmd != NL80211_CMD_DEL_INTERFACE);
14046
14047         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14048         if (!msg)
14049                 return;
14050
14051         if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev,
14052                                cmd == NL80211_CMD_DEL_INTERFACE) < 0) {
14053                 nlmsg_free(msg);
14054                 return;
14055         }
14056
14057         genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14058                                 NL80211_MCGRP_CONFIG, GFP_KERNEL);
14059 }
14060
14061 static int nl80211_add_scan_req(struct sk_buff *msg,
14062                                 struct cfg80211_registered_device *rdev)
14063 {
14064         struct cfg80211_scan_request *req = rdev->scan_req;
14065         struct nlattr *nest;
14066         int i;
14067
14068         if (WARN_ON(!req))
14069                 return 0;
14070
14071         nest = nla_nest_start(msg, NL80211_ATTR_SCAN_SSIDS);
14072         if (!nest)
14073                 goto nla_put_failure;
14074         for (i = 0; i < req->n_ssids; i++) {
14075                 if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
14076                         goto nla_put_failure;
14077         }
14078         nla_nest_end(msg, nest);
14079
14080         nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQUENCIES);
14081         if (!nest)
14082                 goto nla_put_failure;
14083         for (i = 0; i < req->n_channels; i++) {
14084                 if (nla_put_u32(msg, i, req->channels[i]->center_freq))
14085                         goto nla_put_failure;
14086         }
14087         nla_nest_end(msg, nest);
14088
14089         if (req->ie &&
14090             nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
14091                 goto nla_put_failure;
14092
14093         if (req->flags &&
14094             nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
14095                 goto nla_put_failure;
14096
14097         if (req->info.scan_start_tsf &&
14098             (nla_put_u64_64bit(msg, NL80211_ATTR_SCAN_START_TIME_TSF,
14099                                req->info.scan_start_tsf, NL80211_BSS_PAD) ||
14100              nla_put(msg, NL80211_ATTR_SCAN_START_TIME_TSF_BSSID, ETH_ALEN,
14101                      req->info.tsf_bssid)))
14102                 goto nla_put_failure;
14103
14104         return 0;
14105  nla_put_failure:
14106         return -ENOBUFS;
14107 }
14108
14109 static int nl80211_prep_scan_msg(struct sk_buff *msg,
14110                                  struct cfg80211_registered_device *rdev,
14111                                  struct wireless_dev *wdev,
14112                                  u32 portid, u32 seq, int flags,
14113                                  u32 cmd)
14114 {
14115         void *hdr;
14116
14117         hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
14118         if (!hdr)
14119                 return -1;
14120
14121         if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14122             (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
14123                                          wdev->netdev->ifindex)) ||
14124             nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
14125                               NL80211_ATTR_PAD))
14126                 goto nla_put_failure;
14127
14128         /* ignore errors and send incomplete event anyway */
14129         nl80211_add_scan_req(msg, rdev);
14130
14131         genlmsg_end(msg, hdr);
14132         return 0;
14133
14134  nla_put_failure:
14135         genlmsg_cancel(msg, hdr);
14136         return -EMSGSIZE;
14137 }
14138
14139 static int
14140 nl80211_prep_sched_scan_msg(struct sk_buff *msg,
14141                             struct cfg80211_sched_scan_request *req, u32 cmd)
14142 {
14143         void *hdr;
14144
14145         hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
14146         if (!hdr)
14147                 return -1;
14148
14149         if (nla_put_u32(msg, NL80211_ATTR_WIPHY,
14150                         wiphy_to_rdev(req->wiphy)->wiphy_idx) ||
14151             nla_put_u32(msg, NL80211_ATTR_IFINDEX, req->dev->ifindex) ||
14152             nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, req->reqid,
14153                               NL80211_ATTR_PAD))
14154                 goto nla_put_failure;
14155
14156         genlmsg_end(msg, hdr);
14157         return 0;
14158
14159  nla_put_failure:
14160         genlmsg_cancel(msg, hdr);
14161         return -EMSGSIZE;
14162 }
14163
14164 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
14165                              struct wireless_dev *wdev)
14166 {
14167         struct sk_buff *msg;
14168
14169         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14170         if (!msg)
14171                 return;
14172
14173         if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
14174                                   NL80211_CMD_TRIGGER_SCAN) < 0) {
14175                 nlmsg_free(msg);
14176                 return;
14177         }
14178
14179         genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14180                                 NL80211_MCGRP_SCAN, GFP_KERNEL);
14181 }
14182
14183 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
14184                                        struct wireless_dev *wdev, bool aborted)
14185 {
14186         struct sk_buff *msg;
14187
14188         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14189         if (!msg)
14190                 return NULL;
14191
14192         if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
14193                                   aborted ? NL80211_CMD_SCAN_ABORTED :
14194                                             NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
14195                 nlmsg_free(msg);
14196                 return NULL;
14197         }
14198
14199         return msg;
14200 }
14201
14202 /* send message created by nl80211_build_scan_msg() */
14203 void nl80211_send_scan_msg(struct cfg80211_registered_device *rdev,
14204                            struct sk_buff *msg)
14205 {
14206         if (!msg)
14207                 return;
14208
14209         genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14210                                 NL80211_MCGRP_SCAN, GFP_KERNEL);
14211 }
14212
14213 void nl80211_send_sched_scan(struct cfg80211_sched_scan_request *req, u32 cmd)
14214 {
14215         struct sk_buff *msg;
14216
14217         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14218         if (!msg)
14219                 return;
14220
14221         if (nl80211_prep_sched_scan_msg(msg, req, cmd) < 0) {
14222                 nlmsg_free(msg);
14223                 return;
14224         }
14225
14226         genlmsg_multicast_netns(&nl80211_fam, wiphy_net(req->wiphy), msg, 0,
14227                                 NL80211_MCGRP_SCAN, GFP_KERNEL);
14228 }
14229
14230 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
14231                                           struct regulatory_request *request)
14232 {
14233         /* Userspace can always count this one always being set */
14234         if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
14235                 goto nla_put_failure;
14236
14237         if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
14238                 if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
14239                                NL80211_REGDOM_TYPE_WORLD))
14240                         goto nla_put_failure;
14241         } else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
14242                 if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
14243                                NL80211_REGDOM_TYPE_CUSTOM_WORLD))
14244                         goto nla_put_failure;
14245         } else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
14246                    request->intersect) {
14247                 if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
14248                                NL80211_REGDOM_TYPE_INTERSECTION))
14249                         goto nla_put_failure;
14250         } else {
14251                 if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
14252                                NL80211_REGDOM_TYPE_COUNTRY) ||
14253                     nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
14254                                    request->alpha2))
14255                         goto nla_put_failure;
14256         }
14257
14258         if (request->wiphy_idx != WIPHY_IDX_INVALID) {
14259                 struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
14260
14261                 if (wiphy &&
14262                     nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
14263                         goto nla_put_failure;
14264
14265                 if (wiphy &&
14266                     wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
14267                     nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
14268                         goto nla_put_failure;
14269         }
14270
14271         return true;
14272
14273 nla_put_failure:
14274         return false;
14275 }
14276
14277 /*
14278  * This can happen on global regulatory changes or device specific settings
14279  * based on custom regulatory domains.
14280  */
14281 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
14282                                      struct regulatory_request *request)
14283 {
14284         struct sk_buff *msg;
14285         void *hdr;
14286
14287         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14288         if (!msg)
14289                 return;
14290
14291         hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
14292         if (!hdr) {
14293                 nlmsg_free(msg);
14294                 return;
14295         }
14296
14297         if (nl80211_reg_change_event_fill(msg, request) == false)
14298                 goto nla_put_failure;
14299
14300         genlmsg_end(msg, hdr);
14301
14302         rcu_read_lock();
14303         genlmsg_multicast_allns(&nl80211_fam, msg, 0,
14304                                 NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
14305         rcu_read_unlock();
14306
14307         return;
14308
14309 nla_put_failure:
14310         nlmsg_free(msg);
14311 }
14312
14313 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
14314                                     struct net_device *netdev,
14315                                     const u8 *buf, size_t len,
14316                                     enum nl80211_commands cmd, gfp_t gfp,
14317                                     int uapsd_queues)
14318 {
14319         struct sk_buff *msg;
14320         void *hdr;
14321
14322         msg = nlmsg_new(100 + len, gfp);
14323         if (!msg)
14324                 return;
14325
14326         hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
14327         if (!hdr) {
14328                 nlmsg_free(msg);
14329                 return;
14330         }
14331
14332         if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14333             nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
14334             nla_put(msg, NL80211_ATTR_FRAME, len, buf))
14335                 goto nla_put_failure;
14336
14337         if (uapsd_queues >= 0) {
14338                 struct nlattr *nla_wmm =
14339                         nla_nest_start(msg, NL80211_ATTR_STA_WME);
14340                 if (!nla_wmm)
14341                         goto nla_put_failure;
14342
14343                 if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
14344                                uapsd_queues))
14345                         goto nla_put_failure;
14346
14347                 nla_nest_end(msg, nla_wmm);
14348         }
14349
14350         genlmsg_end(msg, hdr);
14351
14352         genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14353                                 NL80211_MCGRP_MLME, gfp);
14354         return;
14355
14356  nla_put_failure:
14357         nlmsg_free(msg);
14358 }
14359
14360 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
14361                           struct net_device *netdev, const u8 *buf,
14362                           size_t len, gfp_t gfp)
14363 {
14364         nl80211_send_mlme_event(rdev, netdev, buf, len,
14365                                 NL80211_CMD_AUTHENTICATE, gfp, -1);
14366 }
14367
14368 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
14369                            struct net_device *netdev, const u8 *buf,
14370                            size_t len, gfp_t gfp, int uapsd_queues)
14371 {
14372         nl80211_send_mlme_event(rdev, netdev, buf, len,
14373                                 NL80211_CMD_ASSOCIATE, gfp, uapsd_queues);
14374 }
14375
14376 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
14377                          struct net_device *netdev, const u8 *buf,
14378                          size_t len, gfp_t gfp)
14379 {
14380         nl80211_send_mlme_event(rdev, netdev, buf, len,
14381                                 NL80211_CMD_DEAUTHENTICATE, gfp, -1);
14382 }
14383
14384 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
14385                            struct net_device *netdev, const u8 *buf,
14386                            size_t len, gfp_t gfp)
14387 {
14388         nl80211_send_mlme_event(rdev, netdev, buf, len,
14389                                 NL80211_CMD_DISASSOCIATE, gfp, -1);
14390 }
14391
14392 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
14393                                   size_t len)
14394 {
14395         struct wireless_dev *wdev = dev->ieee80211_ptr;
14396         struct wiphy *wiphy = wdev->wiphy;
14397         struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14398         const struct ieee80211_mgmt *mgmt = (void *)buf;
14399         u32 cmd;
14400
14401         if (WARN_ON(len < 2))
14402                 return;
14403
14404         if (ieee80211_is_deauth(mgmt->frame_control))
14405                 cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
14406         else
14407                 cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
14408
14409         trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
14410         nl80211_send_mlme_event(rdev, dev, buf, len, cmd, GFP_ATOMIC, -1);
14411 }
14412 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
14413
14414 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
14415                                       struct net_device *netdev, int cmd,
14416                                       const u8 *addr, gfp_t gfp)
14417 {
14418         struct sk_buff *msg;
14419         void *hdr;
14420
14421         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14422         if (!msg)
14423                 return;
14424
14425         hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
14426         if (!hdr) {
14427                 nlmsg_free(msg);
14428                 return;
14429         }
14430
14431         if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14432             nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
14433             nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
14434             nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
14435                 goto nla_put_failure;
14436
14437         genlmsg_end(msg, hdr);
14438
14439         genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14440                                 NL80211_MCGRP_MLME, gfp);
14441         return;
14442
14443  nla_put_failure:
14444         nlmsg_free(msg);
14445 }
14446
14447 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
14448                                struct net_device *netdev, const u8 *addr,
14449                                gfp_t gfp)
14450 {
14451         nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
14452                                   addr, gfp);
14453 }
14454
14455 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
14456                                 struct net_device *netdev, const u8 *addr,
14457                                 gfp_t gfp)
14458 {
14459         nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
14460                                   addr, gfp);
14461 }
14462
14463 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
14464                                  struct net_device *netdev,
14465                                  struct cfg80211_connect_resp_params *cr,
14466                                  gfp_t gfp)
14467 {
14468         struct sk_buff *msg;
14469         void *hdr;
14470
14471         msg = nlmsg_new(100 + cr->req_ie_len + cr->resp_ie_len +
14472                         cr->fils.kek_len + cr->fils.pmk_len +
14473                         (cr->fils.pmkid ? WLAN_PMKID_LEN : 0), gfp);
14474         if (!msg)
14475                 return;
14476
14477         hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
14478         if (!hdr) {
14479                 nlmsg_free(msg);
14480                 return;
14481         }
14482
14483         if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14484             nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
14485             (cr->bssid &&
14486              nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, cr->bssid)) ||
14487             nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
14488                         cr->status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE :
14489                         cr->status) ||
14490             (cr->status < 0 &&
14491              (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
14492               nla_put_u32(msg, NL80211_ATTR_TIMEOUT_REASON,
14493                           cr->timeout_reason))) ||
14494             (cr->req_ie &&
14495              nla_put(msg, NL80211_ATTR_REQ_IE, cr->req_ie_len, cr->req_ie)) ||
14496             (cr->resp_ie &&
14497              nla_put(msg, NL80211_ATTR_RESP_IE, cr->resp_ie_len,
14498                      cr->resp_ie)) ||
14499             (cr->fils.update_erp_next_seq_num &&
14500              nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
14501                          cr->fils.erp_next_seq_num)) ||
14502             (cr->status == WLAN_STATUS_SUCCESS &&
14503              ((cr->fils.kek &&
14504                nla_put(msg, NL80211_ATTR_FILS_KEK, cr->fils.kek_len,
14505                        cr->fils.kek)) ||
14506               (cr->fils.pmk &&
14507                nla_put(msg, NL80211_ATTR_PMK, cr->fils.pmk_len, cr->fils.pmk)) ||
14508               (cr->fils.pmkid &&
14509                nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, cr->fils.pmkid)))))
14510                 goto nla_put_failure;
14511
14512         genlmsg_end(msg, hdr);
14513
14514         genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14515                                 NL80211_MCGRP_MLME, gfp);
14516         return;
14517
14518  nla_put_failure:
14519         nlmsg_free(msg);
14520 }
14521
14522 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
14523                          struct net_device *netdev,
14524                          struct cfg80211_roam_info *info, gfp_t gfp)
14525 {
14526         struct sk_buff *msg;
14527         void *hdr;
14528         const u8 *bssid = info->bss ? info->bss->bssid : info->bssid;
14529
14530         msg = nlmsg_new(100 + info->req_ie_len + info->resp_ie_len +
14531                         info->fils.kek_len + info->fils.pmk_len +
14532                         (info->fils.pmkid ? WLAN_PMKID_LEN : 0), gfp);
14533         if (!msg)
14534                 return;
14535
14536         hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
14537         if (!hdr) {
14538                 nlmsg_free(msg);
14539                 return;
14540         }
14541
14542         if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14543             nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
14544             nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid) ||
14545             (info->req_ie &&
14546              nla_put(msg, NL80211_ATTR_REQ_IE, info->req_ie_len,
14547                      info->req_ie)) ||
14548             (info->resp_ie &&
14549              nla_put(msg, NL80211_ATTR_RESP_IE, info->resp_ie_len,
14550                      info->resp_ie)) ||
14551             (info->fils.update_erp_next_seq_num &&
14552              nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
14553                          info->fils.erp_next_seq_num)) ||
14554             (info->fils.kek &&
14555              nla_put(msg, NL80211_ATTR_FILS_KEK, info->fils.kek_len,
14556                      info->fils.kek)) ||
14557             (info->fils.pmk &&
14558              nla_put(msg, NL80211_ATTR_PMK, info->fils.pmk_len, info->fils.pmk)) ||
14559             (info->fils.pmkid &&
14560              nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, info->fils.pmkid)))
14561                 goto nla_put_failure;
14562
14563         genlmsg_end(msg, hdr);
14564
14565         genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14566                                 NL80211_MCGRP_MLME, gfp);
14567         return;
14568
14569  nla_put_failure:
14570         nlmsg_free(msg);
14571 }
14572
14573 void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
14574                                   struct net_device *netdev, const u8 *bssid)
14575 {
14576         struct sk_buff *msg;
14577         void *hdr;
14578
14579         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14580         if (!msg)
14581                 return;
14582
14583         hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PORT_AUTHORIZED);
14584         if (!hdr) {
14585                 nlmsg_free(msg);
14586                 return;
14587         }
14588
14589         if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
14590                 goto nla_put_failure;
14591
14592         genlmsg_end(msg, hdr);
14593
14594         genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14595                                 NL80211_MCGRP_MLME, GFP_KERNEL);
14596         return;
14597
14598  nla_put_failure:
14599         nlmsg_free(msg);
14600 }
14601
14602 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
14603                                struct net_device *netdev, u16 reason,
14604                                const u8 *ie, size_t ie_len, bool from_ap)
14605 {
14606         struct sk_buff *msg;
14607         void *hdr;
14608
14609         msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
14610         if (!msg)
14611                 return;
14612
14613         hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
14614         if (!hdr) {
14615                 nlmsg_free(msg);
14616                 return;
14617         }
14618
14619         if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14620             nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
14621             (reason &&
14622              nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
14623             (from_ap &&
14624              nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
14625             (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
14626                 goto nla_put_failure;
14627
14628         genlmsg_end(msg, hdr);
14629
14630         genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14631                                 NL80211_MCGRP_MLME, GFP_KERNEL);
14632         return;
14633
14634  nla_put_failure:
14635         nlmsg_free(msg);
14636 }
14637
14638 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
14639                              struct net_device *netdev, const u8 *bssid,
14640                              gfp_t gfp)
14641 {
14642         struct sk_buff *msg;
14643         void *hdr;
14644
14645         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14646         if (!msg)
14647                 return;
14648
14649         hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
14650         if (!hdr) {
14651                 nlmsg_free(msg);
14652                 return;
14653         }
14654
14655         if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14656             nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
14657             nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
14658                 goto nla_put_failure;
14659
14660         genlmsg_end(msg, hdr);
14661
14662         genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14663                                 NL80211_MCGRP_MLME, gfp);
14664         return;
14665
14666  nla_put_failure:
14667         nlmsg_free(msg);
14668 }
14669
14670 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
14671                                         const u8* ie, u8 ie_len, gfp_t gfp)
14672 {
14673         struct wireless_dev *wdev = dev->ieee80211_ptr;
14674         struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
14675         struct sk_buff *msg;
14676         void *hdr;
14677
14678         if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
14679                 return;
14680
14681         trace_cfg80211_notify_new_peer_candidate(dev, addr);
14682
14683         msg = nlmsg_new(100 + ie_len, gfp);
14684         if (!msg)
14685                 return;
14686
14687         hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
14688         if (!hdr) {
14689                 nlmsg_free(msg);
14690                 return;
14691         }
14692
14693         if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14694             nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
14695             nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
14696             (ie_len && ie &&
14697              nla_put(msg, NL80211_ATTR_IE, ie_len , ie)))
14698                 goto nla_put_failure;
14699
14700         genlmsg_end(msg, hdr);
14701
14702         genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14703                                 NL80211_MCGRP_MLME, gfp);
14704         return;
14705
14706  nla_put_failure:
14707         nlmsg_free(msg);
14708 }
14709 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
14710
14711 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
14712                                  struct net_device *netdev, const u8 *addr,
14713                                  enum nl80211_key_type key_type, int key_id,
14714                                  const u8 *tsc, gfp_t gfp)
14715 {
14716         struct sk_buff *msg;
14717         void *hdr;
14718
14719         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14720         if (!msg)
14721                 return;
14722
14723         hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
14724         if (!hdr) {
14725                 nlmsg_free(msg);
14726                 return;
14727         }
14728
14729         if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14730             nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
14731             (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
14732             nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
14733             (key_id != -1 &&
14734              nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
14735             (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
14736                 goto nla_put_failure;
14737
14738         genlmsg_end(msg, hdr);
14739
14740         genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14741                                 NL80211_MCGRP_MLME, gfp);
14742         return;
14743
14744  nla_put_failure:
14745         nlmsg_free(msg);
14746 }
14747
14748 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
14749                                     struct ieee80211_channel *channel_before,
14750                                     struct ieee80211_channel *channel_after)
14751 {
14752         struct sk_buff *msg;
14753         void *hdr;
14754         struct nlattr *nl_freq;
14755
14756         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
14757         if (!msg)
14758                 return;
14759
14760         hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
14761         if (!hdr) {
14762                 nlmsg_free(msg);
14763                 return;
14764         }
14765
14766         /*
14767          * Since we are applying the beacon hint to a wiphy we know its
14768          * wiphy_idx is valid
14769          */
14770         if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
14771                 goto nla_put_failure;
14772
14773         /* Before */
14774         nl_freq = nla_nest_start(msg, NL80211_ATTR_FREQ_BEFORE);
14775         if (!nl_freq)
14776                 goto nla_put_failure;
14777
14778         if (nl80211_msg_put_channel(msg, wiphy, channel_before, false))
14779                 goto nla_put_failure;
14780         nla_nest_end(msg, nl_freq);
14781
14782         /* After */
14783         nl_freq = nla_nest_start(msg, NL80211_ATTR_FREQ_AFTER);
14784         if (!nl_freq)
14785                 goto nla_put_failure;
14786
14787         if (nl80211_msg_put_channel(msg, wiphy, channel_after, false))
14788                 goto nla_put_failure;
14789         nla_nest_end(msg, nl_freq);
14790
14791         genlmsg_end(msg, hdr);
14792
14793         rcu_read_lock();
14794         genlmsg_multicast_allns(&nl80211_fam, msg, 0,
14795                                 NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
14796         rcu_read_unlock();
14797
14798         return;
14799
14800 nla_put_failure:
14801         nlmsg_free(msg);
14802 }
14803
14804 static void nl80211_send_remain_on_chan_event(
14805         int cmd, struct cfg80211_registered_device *rdev,
14806         struct wireless_dev *wdev, u64 cookie,
14807         struct ieee80211_channel *chan,
14808         unsigned int duration, gfp_t gfp)
14809 {
14810         struct sk_buff *msg;
14811         void *hdr;
14812
14813         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14814         if (!msg)
14815                 return;
14816
14817         hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
14818         if (!hdr) {
14819                 nlmsg_free(msg);
14820                 return;
14821         }
14822
14823         if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14824             (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
14825                                          wdev->netdev->ifindex)) ||
14826             nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
14827                               NL80211_ATTR_PAD) ||
14828             nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
14829             nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
14830                         NL80211_CHAN_NO_HT) ||
14831             nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
14832                               NL80211_ATTR_PAD))
14833                 goto nla_put_failure;
14834
14835         if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
14836             nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
14837                 goto nla_put_failure;
14838
14839         genlmsg_end(msg, hdr);
14840
14841         genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14842                                 NL80211_MCGRP_MLME, gfp);
14843         return;
14844
14845  nla_put_failure:
14846         nlmsg_free(msg);
14847 }
14848
14849 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
14850                                struct ieee80211_channel *chan,
14851                                unsigned int duration, gfp_t gfp)
14852 {
14853         struct wiphy *wiphy = wdev->wiphy;
14854         struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14855
14856         trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
14857         nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
14858                                           rdev, wdev, cookie, chan,
14859                                           duration, gfp);
14860 }
14861 EXPORT_SYMBOL(cfg80211_ready_on_channel);
14862
14863 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
14864                                         struct ieee80211_channel *chan,
14865                                         gfp_t gfp)
14866 {
14867         struct wiphy *wiphy = wdev->wiphy;
14868         struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14869
14870         trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
14871         nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
14872                                           rdev, wdev, cookie, chan, 0, gfp);
14873 }
14874 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
14875
14876 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
14877                       struct station_info *sinfo, gfp_t gfp)
14878 {
14879         struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
14880         struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14881         struct sk_buff *msg;
14882
14883         trace_cfg80211_new_sta(dev, mac_addr, sinfo);
14884
14885         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14886         if (!msg)
14887                 return;
14888
14889         if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
14890                                  rdev, dev, mac_addr, sinfo) < 0) {
14891                 nlmsg_free(msg);
14892                 return;
14893         }
14894
14895         genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14896                                 NL80211_MCGRP_MLME, gfp);
14897 }
14898 EXPORT_SYMBOL(cfg80211_new_sta);
14899
14900 void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
14901                             struct station_info *sinfo, gfp_t gfp)
14902 {
14903         struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
14904         struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14905         struct sk_buff *msg;
14906         struct station_info empty_sinfo = {};
14907
14908         if (!sinfo)
14909                 sinfo = &empty_sinfo;
14910
14911         trace_cfg80211_del_sta(dev, mac_addr);
14912
14913         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14914         if (!msg) {
14915                 cfg80211_sinfo_release_content(sinfo);
14916                 return;
14917         }
14918
14919         if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
14920                                  rdev, dev, mac_addr, sinfo) < 0) {
14921                 nlmsg_free(msg);
14922                 return;
14923         }
14924
14925         genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14926                                 NL80211_MCGRP_MLME, gfp);
14927 }
14928 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
14929
14930 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
14931                           enum nl80211_connect_failed_reason reason,
14932                           gfp_t gfp)
14933 {
14934         struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
14935         struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14936         struct sk_buff *msg;
14937         void *hdr;
14938
14939         msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
14940         if (!msg)
14941                 return;
14942
14943         hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
14944         if (!hdr) {
14945                 nlmsg_free(msg);
14946                 return;
14947         }
14948
14949         if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
14950             nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
14951             nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
14952                 goto nla_put_failure;
14953
14954         genlmsg_end(msg, hdr);
14955
14956         genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14957                                 NL80211_MCGRP_MLME, gfp);
14958         return;
14959
14960  nla_put_failure:
14961         nlmsg_free(msg);
14962 }
14963 EXPORT_SYMBOL(cfg80211_conn_failed);
14964
14965 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
14966                                        const u8 *addr, gfp_t gfp)
14967 {
14968         struct wireless_dev *wdev = dev->ieee80211_ptr;
14969         struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
14970         struct sk_buff *msg;
14971         void *hdr;
14972         u32 nlportid = READ_ONCE(wdev->ap_unexpected_nlportid);
14973
14974         if (!nlportid)
14975                 return false;
14976
14977         msg = nlmsg_new(100, gfp);
14978         if (!msg)
14979                 return true;
14980
14981         hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
14982         if (!hdr) {
14983                 nlmsg_free(msg);
14984                 return true;
14985         }
14986
14987         if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14988             nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
14989             nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
14990                 goto nla_put_failure;
14991
14992         genlmsg_end(msg, hdr);
14993         genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
14994         return true;
14995
14996  nla_put_failure:
14997         nlmsg_free(msg);
14998         return true;
14999 }
15000
15001 bool cfg80211_rx_spurious_frame(struct net_device *dev,
15002                                 const u8 *addr, gfp_t gfp)
15003 {
15004         struct wireless_dev *wdev = dev->ieee80211_ptr;
15005         bool ret;
15006
15007         trace_cfg80211_rx_spurious_frame(dev, addr);
15008
15009         if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
15010                     wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
15011                 trace_cfg80211_return_bool(false);
15012                 return false;
15013         }
15014         ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
15015                                          addr, gfp);
15016         trace_cfg80211_return_bool(ret);
15017         return ret;
15018 }
15019 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
15020
15021 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
15022                                         const u8 *addr, gfp_t gfp)
15023 {
15024         struct wireless_dev *wdev = dev->ieee80211_ptr;
15025         bool ret;
15026
15027         trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
15028
15029         if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
15030                     wdev->iftype != NL80211_IFTYPE_P2P_GO &&
15031                     wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
15032                 trace_cfg80211_return_bool(false);
15033                 return false;
15034         }
15035         ret = __nl80211_unexpected_frame(dev,
15036                                          NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
15037                                          addr, gfp);
15038         trace_cfg80211_return_bool(ret);
15039         return ret;
15040 }
15041 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
15042
15043 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
15044                       struct wireless_dev *wdev, u32 nlportid,
15045                       int freq, int sig_dbm,
15046                       const u8 *buf, size_t len, u32 flags, gfp_t gfp)
15047 {
15048         struct net_device *netdev = wdev->netdev;
15049         struct sk_buff *msg;
15050         void *hdr;
15051
15052         msg = nlmsg_new(100 + len, gfp);
15053         if (!msg)
15054                 return -ENOMEM;
15055
15056         hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
15057         if (!hdr) {
15058                 nlmsg_free(msg);
15059                 return -ENOMEM;
15060         }
15061
15062         if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15063             (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
15064                                         netdev->ifindex)) ||
15065             nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
15066                               NL80211_ATTR_PAD) ||
15067             nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, freq) ||
15068             (sig_dbm &&
15069              nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
15070             nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
15071             (flags &&
15072              nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, flags)))
15073                 goto nla_put_failure;
15074
15075         genlmsg_end(msg, hdr);
15076
15077         return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
15078
15079  nla_put_failure:
15080         nlmsg_free(msg);
15081         return -ENOBUFS;
15082 }
15083
15084 void cfg80211_mgmt_tx_status(struct wireless_dev *wdev, u64 cookie,
15085                              const u8 *buf, size_t len, bool ack, gfp_t gfp)
15086 {
15087         struct wiphy *wiphy = wdev->wiphy;
15088         struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15089         struct net_device *netdev = wdev->netdev;
15090         struct sk_buff *msg;
15091         void *hdr;
15092
15093         trace_cfg80211_mgmt_tx_status(wdev, cookie, ack);
15094
15095         msg = nlmsg_new(100 + len, gfp);
15096         if (!msg)
15097                 return;
15098
15099         hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME_TX_STATUS);
15100         if (!hdr) {
15101                 nlmsg_free(msg);
15102                 return;
15103         }
15104
15105         if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15106             (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
15107                                    netdev->ifindex)) ||
15108             nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
15109                               NL80211_ATTR_PAD) ||
15110             nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
15111             nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
15112                               NL80211_ATTR_PAD) ||
15113             (ack && nla_put_flag(msg, NL80211_ATTR_ACK)))
15114                 goto nla_put_failure;
15115
15116         genlmsg_end(msg, hdr);
15117
15118         genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15119                                 NL80211_MCGRP_MLME, gfp);
15120         return;
15121
15122  nla_put_failure:
15123         nlmsg_free(msg);
15124 }
15125 EXPORT_SYMBOL(cfg80211_mgmt_tx_status);
15126
15127 static int __nl80211_rx_control_port(struct net_device *dev,
15128                                      struct sk_buff *skb,
15129                                      bool unencrypted, gfp_t gfp)
15130 {
15131         struct wireless_dev *wdev = dev->ieee80211_ptr;
15132         struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
15133         struct ethhdr *ehdr = eth_hdr(skb);
15134         const u8 *addr = ehdr->h_source;
15135         u16 proto = be16_to_cpu(skb->protocol);
15136         struct sk_buff *msg;
15137         void *hdr;
15138         struct nlattr *frame;
15139
15140         u32 nlportid = READ_ONCE(wdev->conn_owner_nlportid);
15141
15142         if (!nlportid)
15143                 return -ENOENT;
15144
15145         msg = nlmsg_new(100 + skb->len, gfp);
15146         if (!msg)
15147                 return -ENOMEM;
15148
15149         hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONTROL_PORT_FRAME);
15150         if (!hdr) {
15151                 nlmsg_free(msg);
15152                 return -ENOBUFS;
15153         }
15154
15155         if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15156             nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
15157             nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
15158                               NL80211_ATTR_PAD) ||
15159             nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
15160             nla_put_u16(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE, proto) ||
15161             (unencrypted && nla_put_flag(msg,
15162                                          NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT)))
15163                 goto nla_put_failure;
15164
15165         frame = nla_reserve(msg, NL80211_ATTR_FRAME, skb->len);
15166         if (!frame)
15167                 goto nla_put_failure;
15168
15169         skb_copy_bits(skb, 0, nla_data(frame), skb->len);
15170         genlmsg_end(msg, hdr);
15171
15172         return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
15173
15174  nla_put_failure:
15175         nlmsg_free(msg);
15176         return -ENOBUFS;
15177 }
15178
15179 bool cfg80211_rx_control_port(struct net_device *dev,
15180                               struct sk_buff *skb, bool unencrypted)
15181 {
15182         int ret;
15183
15184         trace_cfg80211_rx_control_port(dev, skb, unencrypted);
15185         ret = __nl80211_rx_control_port(dev, skb, unencrypted, GFP_ATOMIC);
15186         trace_cfg80211_return_bool(ret == 0);
15187         return ret == 0;
15188 }
15189 EXPORT_SYMBOL(cfg80211_rx_control_port);
15190
15191 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
15192                                             const char *mac, gfp_t gfp)
15193 {
15194         struct wireless_dev *wdev = dev->ieee80211_ptr;
15195         struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
15196         struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15197         void **cb;
15198
15199         if (!msg)
15200                 return NULL;
15201
15202         cb = (void **)msg->cb;
15203
15204         cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
15205         if (!cb[0]) {
15206                 nlmsg_free(msg);
15207                 return NULL;
15208         }
15209
15210         if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15211             nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
15212                 goto nla_put_failure;
15213
15214         if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
15215                 goto nla_put_failure;
15216
15217         cb[1] = nla_nest_start(msg, NL80211_ATTR_CQM);
15218         if (!cb[1])
15219                 goto nla_put_failure;
15220
15221         cb[2] = rdev;
15222
15223         return msg;
15224  nla_put_failure:
15225         nlmsg_free(msg);
15226         return NULL;
15227 }
15228
15229 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
15230 {
15231         void **cb = (void **)msg->cb;
15232         struct cfg80211_registered_device *rdev = cb[2];
15233
15234         nla_nest_end(msg, cb[1]);
15235         genlmsg_end(msg, cb[0]);
15236
15237         memset(msg->cb, 0, sizeof(msg->cb));
15238
15239         genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15240                                 NL80211_MCGRP_MLME, gfp);
15241 }
15242
15243 void cfg80211_cqm_rssi_notify(struct net_device *dev,
15244                               enum nl80211_cqm_rssi_threshold_event rssi_event,
15245                               s32 rssi_level, gfp_t gfp)
15246 {
15247         struct sk_buff *msg;
15248         struct wireless_dev *wdev = dev->ieee80211_ptr;
15249         struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
15250
15251         trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level);
15252
15253         if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
15254                     rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
15255                 return;
15256
15257         if (wdev->cqm_config) {
15258                 wdev->cqm_config->last_rssi_event_value = rssi_level;
15259
15260                 cfg80211_cqm_rssi_update(rdev, dev);
15261
15262                 if (rssi_level == 0)
15263                         rssi_level = wdev->cqm_config->last_rssi_event_value;
15264         }
15265
15266         msg = cfg80211_prepare_cqm(dev, NULL, gfp);
15267         if (!msg)
15268                 return;
15269
15270         if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
15271                         rssi_event))
15272                 goto nla_put_failure;
15273
15274         if (rssi_level && nla_put_s32(msg, NL80211_ATTR_CQM_RSSI_LEVEL,
15275                                       rssi_level))
15276                 goto nla_put_failure;
15277
15278         cfg80211_send_cqm(msg, gfp);
15279
15280         return;
15281
15282  nla_put_failure:
15283         nlmsg_free(msg);
15284 }
15285 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
15286
15287 void cfg80211_cqm_txe_notify(struct net_device *dev,
15288                              const u8 *peer, u32 num_packets,
15289                              u32 rate, u32 intvl, gfp_t gfp)
15290 {
15291         struct sk_buff *msg;
15292
15293         msg = cfg80211_prepare_cqm(dev, peer, gfp);
15294         if (!msg)
15295                 return;
15296
15297         if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
15298                 goto nla_put_failure;
15299
15300         if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
15301                 goto nla_put_failure;
15302
15303         if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
15304                 goto nla_put_failure;
15305
15306         cfg80211_send_cqm(msg, gfp);
15307         return;
15308
15309  nla_put_failure:
15310         nlmsg_free(msg);
15311 }
15312 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
15313
15314 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
15315                                  const u8 *peer, u32 num_packets, gfp_t gfp)
15316 {
15317         struct sk_buff *msg;
15318
15319         trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
15320
15321         msg = cfg80211_prepare_cqm(dev, peer, gfp);
15322         if (!msg)
15323                 return;
15324
15325         if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
15326                 goto nla_put_failure;
15327
15328         cfg80211_send_cqm(msg, gfp);
15329         return;
15330
15331  nla_put_failure:
15332         nlmsg_free(msg);
15333 }
15334 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
15335
15336 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
15337 {
15338         struct sk_buff *msg;
15339
15340         msg = cfg80211_prepare_cqm(dev, NULL, gfp);
15341         if (!msg)
15342                 return;
15343
15344         if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
15345                 goto nla_put_failure;
15346
15347         cfg80211_send_cqm(msg, gfp);
15348         return;
15349
15350  nla_put_failure:
15351         nlmsg_free(msg);
15352 }
15353 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
15354
15355 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
15356                                      struct net_device *netdev, const u8 *bssid,
15357                                      const u8 *replay_ctr, gfp_t gfp)
15358 {
15359         struct sk_buff *msg;
15360         struct nlattr *rekey_attr;
15361         void *hdr;
15362
15363         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15364         if (!msg)
15365                 return;
15366
15367         hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
15368         if (!hdr) {
15369                 nlmsg_free(msg);
15370                 return;
15371         }
15372
15373         if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15374             nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15375             nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
15376                 goto nla_put_failure;
15377
15378         rekey_attr = nla_nest_start(msg, NL80211_ATTR_REKEY_DATA);
15379         if (!rekey_attr)
15380                 goto nla_put_failure;
15381
15382         if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
15383                     NL80211_REPLAY_CTR_LEN, replay_ctr))
15384                 goto nla_put_failure;
15385
15386         nla_nest_end(msg, rekey_attr);
15387
15388         genlmsg_end(msg, hdr);
15389
15390         genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15391                                 NL80211_MCGRP_MLME, gfp);
15392         return;
15393
15394  nla_put_failure:
15395         nlmsg_free(msg);
15396 }
15397
15398 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
15399                                const u8 *replay_ctr, gfp_t gfp)
15400 {
15401         struct wireless_dev *wdev = dev->ieee80211_ptr;
15402         struct wiphy *wiphy = wdev->wiphy;
15403         struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15404
15405         trace_cfg80211_gtk_rekey_notify(dev, bssid);
15406         nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
15407 }
15408 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
15409
15410 static void
15411 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
15412                                struct net_device *netdev, int index,
15413                                const u8 *bssid, bool preauth, gfp_t gfp)
15414 {
15415         struct sk_buff *msg;
15416         struct nlattr *attr;
15417         void *hdr;
15418
15419         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15420         if (!msg)
15421                 return;
15422
15423         hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
15424         if (!hdr) {
15425                 nlmsg_free(msg);
15426                 return;
15427         }
15428
15429         if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15430             nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
15431                 goto nla_put_failure;
15432
15433         attr = nla_nest_start(msg, NL80211_ATTR_PMKSA_CANDIDATE);
15434         if (!attr)
15435                 goto nla_put_failure;
15436
15437         if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
15438             nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
15439             (preauth &&
15440              nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
15441                 goto nla_put_failure;
15442
15443         nla_nest_end(msg, attr);
15444
15445         genlmsg_end(msg, hdr);
15446
15447         genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15448                                 NL80211_MCGRP_MLME, gfp);
15449         return;
15450
15451  nla_put_failure:
15452         nlmsg_free(msg);
15453 }
15454
15455 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
15456                                      const u8 *bssid, bool preauth, gfp_t gfp)
15457 {
15458         struct wireless_dev *wdev = dev->ieee80211_ptr;
15459         struct wiphy *wiphy = wdev->wiphy;
15460         struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15461
15462         trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
15463         nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
15464 }
15465 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
15466
15467 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
15468                                      struct net_device *netdev,
15469                                      struct cfg80211_chan_def *chandef,
15470                                      gfp_t gfp,
15471                                      enum nl80211_commands notif,
15472                                      u8 count)
15473 {
15474         struct sk_buff *msg;
15475         void *hdr;
15476
15477         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15478         if (!msg)
15479                 return;
15480
15481         hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
15482         if (!hdr) {
15483                 nlmsg_free(msg);
15484                 return;
15485         }
15486
15487         if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
15488                 goto nla_put_failure;
15489
15490         if (nl80211_send_chandef(msg, chandef))
15491                 goto nla_put_failure;
15492
15493         if ((notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) &&
15494             (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count)))
15495                         goto nla_put_failure;
15496
15497         genlmsg_end(msg, hdr);
15498
15499         genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15500                                 NL80211_MCGRP_MLME, gfp);
15501         return;
15502
15503  nla_put_failure:
15504         nlmsg_free(msg);
15505 }
15506
15507 void cfg80211_ch_switch_notify(struct net_device *dev,
15508                                struct cfg80211_chan_def *chandef)
15509 {
15510         struct wireless_dev *wdev = dev->ieee80211_ptr;
15511         struct wiphy *wiphy = wdev->wiphy;
15512         struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15513
15514         ASSERT_WDEV_LOCK(wdev);
15515
15516         trace_cfg80211_ch_switch_notify(dev, chandef);
15517
15518         wdev->chandef = *chandef;
15519         wdev->preset_chandef = *chandef;
15520
15521         if ((wdev->iftype == NL80211_IFTYPE_STATION ||
15522              wdev->iftype == NL80211_IFTYPE_P2P_CLIENT) &&
15523             !WARN_ON(!wdev->current_bss))
15524                 wdev->current_bss->pub.channel = chandef->chan;
15525
15526         nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
15527                                  NL80211_CMD_CH_SWITCH_NOTIFY, 0);
15528 }
15529 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
15530
15531 void cfg80211_ch_switch_started_notify(struct net_device *dev,
15532                                        struct cfg80211_chan_def *chandef,
15533                                        u8 count)
15534 {
15535         struct wireless_dev *wdev = dev->ieee80211_ptr;
15536         struct wiphy *wiphy = wdev->wiphy;
15537         struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15538
15539         trace_cfg80211_ch_switch_started_notify(dev, chandef);
15540
15541         nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
15542                                  NL80211_CMD_CH_SWITCH_STARTED_NOTIFY, count);
15543 }
15544 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
15545
15546 void
15547 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
15548                      const struct cfg80211_chan_def *chandef,
15549                      enum nl80211_radar_event event,
15550                      struct net_device *netdev, gfp_t gfp)
15551 {
15552         struct sk_buff *msg;
15553         void *hdr;
15554
15555         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15556         if (!msg)
15557                 return;
15558
15559         hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
15560         if (!hdr) {
15561                 nlmsg_free(msg);
15562                 return;
15563         }
15564
15565         if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
15566                 goto nla_put_failure;
15567
15568         /* NOP and radar events don't need a netdev parameter */
15569         if (netdev) {
15570                 struct wireless_dev *wdev = netdev->ieee80211_ptr;
15571
15572                 if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15573                     nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
15574                                       NL80211_ATTR_PAD))
15575                         goto nla_put_failure;
15576         }
15577
15578         if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
15579                 goto nla_put_failure;
15580
15581         if (nl80211_send_chandef(msg, chandef))
15582                 goto nla_put_failure;
15583
15584         genlmsg_end(msg, hdr);
15585
15586         genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15587                                 NL80211_MCGRP_MLME, gfp);
15588         return;
15589
15590  nla_put_failure:
15591         nlmsg_free(msg);
15592 }
15593
15594 void cfg80211_sta_opmode_change_notify(struct net_device *dev, const u8 *mac,
15595                                        struct sta_opmode_info *sta_opmode,
15596                                        gfp_t gfp)
15597 {
15598         struct sk_buff *msg;
15599         struct wireless_dev *wdev = dev->ieee80211_ptr;
15600         struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
15601         void *hdr;
15602
15603         if (WARN_ON(!mac))
15604                 return;
15605
15606         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15607         if (!msg)
15608                 return;
15609
15610         hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STA_OPMODE_CHANGED);
15611         if (!hdr) {
15612                 nlmsg_free(msg);
15613                 return;
15614         }
15615
15616         if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
15617                 goto nla_put_failure;
15618
15619         if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
15620                 goto nla_put_failure;
15621
15622         if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
15623                 goto nla_put_failure;
15624
15625         if ((sta_opmode->changed & STA_OPMODE_SMPS_MODE_CHANGED) &&
15626             nla_put_u8(msg, NL80211_ATTR_SMPS_MODE, sta_opmode->smps_mode))
15627                 goto nla_put_failure;
15628
15629         if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
15630             nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
15631                 goto nla_put_failure;
15632
15633         if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
15634             nla_put_u8(msg, NL80211_ATTR_NSS, sta_opmode->rx_nss))
15635                 goto nla_put_failure;
15636
15637         genlmsg_end(msg, hdr);
15638
15639         genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15640                                 NL80211_MCGRP_MLME, gfp);
15641
15642         return;
15643
15644 nla_put_failure:
15645         nlmsg_free(msg);
15646 }
15647 EXPORT_SYMBOL(cfg80211_sta_opmode_change_notify);
15648
15649 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
15650                            u64 cookie, bool acked, s32 ack_signal,
15651                            bool is_valid_ack_signal, gfp_t gfp)
15652 {
15653         struct wireless_dev *wdev = dev->ieee80211_ptr;
15654         struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
15655         struct sk_buff *msg;
15656         void *hdr;
15657
15658         trace_cfg80211_probe_status(dev, addr, cookie, acked);
15659
15660         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15661
15662         if (!msg)
15663                 return;
15664
15665         hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
15666         if (!hdr) {
15667                 nlmsg_free(msg);
15668                 return;
15669         }
15670
15671         if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15672             nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
15673             nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
15674             nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
15675                               NL80211_ATTR_PAD) ||
15676             (acked && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
15677             (is_valid_ack_signal && nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL,
15678                                                 ack_signal)))
15679                 goto nla_put_failure;
15680
15681         genlmsg_end(msg, hdr);
15682
15683         genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15684                                 NL80211_MCGRP_MLME, gfp);
15685         return;
15686
15687  nla_put_failure:
15688         nlmsg_free(msg);
15689 }
15690 EXPORT_SYMBOL(cfg80211_probe_status);
15691
15692 void cfg80211_report_obss_beacon(struct wiphy *wiphy,
15693                                  const u8 *frame, size_t len,
15694                                  int freq, int sig_dbm)
15695 {
15696         struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15697         struct sk_buff *msg;
15698         void *hdr;
15699         struct cfg80211_beacon_registration *reg;
15700
15701         trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
15702
15703         spin_lock_bh(&rdev->beacon_registrations_lock);
15704         list_for_each_entry(reg, &rdev->beacon_registrations, list) {
15705                 msg = nlmsg_new(len + 100, GFP_ATOMIC);
15706                 if (!msg) {
15707                         spin_unlock_bh(&rdev->beacon_registrations_lock);
15708                         return;
15709                 }
15710
15711                 hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
15712                 if (!hdr)
15713                         goto nla_put_failure;
15714
15715                 if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15716                     (freq &&
15717                      nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, freq)) ||
15718                     (sig_dbm &&
15719                      nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
15720                     nla_put(msg, NL80211_ATTR_FRAME, len, frame))
15721                         goto nla_put_failure;
15722
15723                 genlmsg_end(msg, hdr);
15724
15725                 genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
15726         }
15727         spin_unlock_bh(&rdev->beacon_registrations_lock);
15728         return;
15729
15730  nla_put_failure:
15731         spin_unlock_bh(&rdev->beacon_registrations_lock);
15732         nlmsg_free(msg);
15733 }
15734 EXPORT_SYMBOL(cfg80211_report_obss_beacon);
15735
15736 #ifdef CONFIG_PM
15737 static int cfg80211_net_detect_results(struct sk_buff *msg,
15738                                        struct cfg80211_wowlan_wakeup *wakeup)
15739 {
15740         struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
15741         struct nlattr *nl_results, *nl_match, *nl_freqs;
15742         int i, j;
15743
15744         nl_results = nla_nest_start(
15745                 msg, NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
15746         if (!nl_results)
15747                 return -EMSGSIZE;
15748
15749         for (i = 0; i < nd->n_matches; i++) {
15750                 struct cfg80211_wowlan_nd_match *match = nd->matches[i];
15751
15752                 nl_match = nla_nest_start(msg, i);
15753                 if (!nl_match)
15754                         break;
15755
15756                 /* The SSID attribute is optional in nl80211, but for
15757                  * simplicity reasons it's always present in the
15758                  * cfg80211 structure.  If a driver can't pass the
15759                  * SSID, that needs to be changed.  A zero length SSID
15760                  * is still a valid SSID (wildcard), so it cannot be
15761                  * used for this purpose.
15762                  */
15763                 if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
15764                             match->ssid.ssid)) {
15765                         nla_nest_cancel(msg, nl_match);
15766                         goto out;
15767                 }
15768
15769                 if (match->n_channels) {
15770                         nl_freqs = nla_nest_start(
15771                                 msg, NL80211_ATTR_SCAN_FREQUENCIES);
15772                         if (!nl_freqs) {
15773                                 nla_nest_cancel(msg, nl_match);
15774                                 goto out;
15775                         }
15776
15777                         for (j = 0; j < match->n_channels; j++) {
15778                                 if (nla_put_u32(msg, j, match->channels[j])) {
15779                                         nla_nest_cancel(msg, nl_freqs);
15780                                         nla_nest_cancel(msg, nl_match);
15781                                         goto out;
15782                                 }
15783                         }
15784
15785                         nla_nest_end(msg, nl_freqs);
15786                 }
15787
15788                 nla_nest_end(msg, nl_match);
15789         }
15790
15791 out:
15792         nla_nest_end(msg, nl_results);
15793         return 0;
15794 }
15795
15796 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
15797                                    struct cfg80211_wowlan_wakeup *wakeup,
15798                                    gfp_t gfp)
15799 {
15800         struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
15801         struct sk_buff *msg;
15802         void *hdr;
15803         int size = 200;
15804
15805         trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
15806
15807         if (wakeup)
15808                 size += wakeup->packet_present_len;
15809
15810         msg = nlmsg_new(size, gfp);
15811         if (!msg)
15812                 return;
15813
15814         hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
15815         if (!hdr)
15816                 goto free_msg;
15817
15818         if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15819             nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
15820                               NL80211_ATTR_PAD))
15821                 goto free_msg;
15822
15823         if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
15824                                         wdev->netdev->ifindex))
15825                 goto free_msg;
15826
15827         if (wakeup) {
15828                 struct nlattr *reasons;
15829
15830                 reasons = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS);
15831                 if (!reasons)
15832                         goto free_msg;
15833
15834                 if (wakeup->disconnect &&
15835                     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
15836                         goto free_msg;
15837                 if (wakeup->magic_pkt &&
15838                     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
15839                         goto free_msg;
15840                 if (wakeup->gtk_rekey_failure &&
15841                     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
15842                         goto free_msg;
15843                 if (wakeup->eap_identity_req &&
15844                     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
15845                         goto free_msg;
15846                 if (wakeup->four_way_handshake &&
15847                     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
15848                         goto free_msg;
15849                 if (wakeup->rfkill_release &&
15850                     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
15851                         goto free_msg;
15852
15853                 if (wakeup->pattern_idx >= 0 &&
15854                     nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
15855                                 wakeup->pattern_idx))
15856                         goto free_msg;
15857
15858                 if (wakeup->tcp_match &&
15859                     nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
15860                         goto free_msg;
15861
15862                 if (wakeup->tcp_connlost &&
15863                     nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
15864                         goto free_msg;
15865
15866                 if (wakeup->tcp_nomoretokens &&
15867                     nla_put_flag(msg,
15868                                  NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
15869                         goto free_msg;
15870
15871                 if (wakeup->packet) {
15872                         u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
15873                         u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
15874
15875                         if (!wakeup->packet_80211) {
15876                                 pkt_attr =
15877                                         NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
15878                                 len_attr =
15879                                         NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
15880                         }
15881
15882                         if (wakeup->packet_len &&
15883                             nla_put_u32(msg, len_attr, wakeup->packet_len))
15884                                 goto free_msg;
15885
15886                         if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
15887                                     wakeup->packet))
15888                                 goto free_msg;
15889                 }
15890
15891                 if (wakeup->net_detect &&
15892                     cfg80211_net_detect_results(msg, wakeup))
15893                                 goto free_msg;
15894
15895                 nla_nest_end(msg, reasons);
15896         }
15897
15898         genlmsg_end(msg, hdr);
15899
15900         genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15901                                 NL80211_MCGRP_MLME, gfp);
15902         return;
15903
15904  free_msg:
15905         nlmsg_free(msg);
15906 }
15907 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
15908 #endif
15909
15910 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
15911                                 enum nl80211_tdls_operation oper,
15912                                 u16 reason_code, gfp_t gfp)
15913 {
15914         struct wireless_dev *wdev = dev->ieee80211_ptr;
15915         struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
15916         struct sk_buff *msg;
15917         void *hdr;
15918
15919         trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
15920                                          reason_code);
15921
15922         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15923         if (!msg)
15924                 return;
15925
15926         hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
15927         if (!hdr) {
15928                 nlmsg_free(msg);
15929                 return;
15930         }
15931
15932         if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15933             nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
15934             nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
15935             nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
15936             (reason_code > 0 &&
15937              nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
15938                 goto nla_put_failure;
15939
15940         genlmsg_end(msg, hdr);
15941
15942         genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15943                                 NL80211_MCGRP_MLME, gfp);
15944         return;
15945
15946  nla_put_failure:
15947         nlmsg_free(msg);
15948 }
15949 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
15950
15951 static int nl80211_netlink_notify(struct notifier_block * nb,
15952                                   unsigned long state,
15953                                   void *_notify)
15954 {
15955         struct netlink_notify *notify = _notify;
15956         struct cfg80211_registered_device *rdev;
15957         struct wireless_dev *wdev;
15958         struct cfg80211_beacon_registration *reg, *tmp;
15959
15960         if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
15961                 return NOTIFY_DONE;
15962
15963         rcu_read_lock();
15964
15965         list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
15966                 struct cfg80211_sched_scan_request *sched_scan_req;
15967
15968                 list_for_each_entry_rcu(sched_scan_req,
15969                                         &rdev->sched_scan_req_list,
15970                                         list) {
15971                         if (sched_scan_req->owner_nlportid == notify->portid) {
15972                                 sched_scan_req->nl_owner_dead = true;
15973                                 schedule_work(&rdev->sched_scan_stop_wk);
15974                         }
15975                 }
15976
15977                 list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
15978                         cfg80211_mlme_unregister_socket(wdev, notify->portid);
15979
15980                         if (wdev->owner_nlportid == notify->portid) {
15981                                 wdev->nl_owner_dead = true;
15982                                 schedule_work(&rdev->destroy_work);
15983                         } else if (wdev->conn_owner_nlportid == notify->portid) {
15984                                 schedule_work(&wdev->disconnect_wk);
15985                         }
15986                 }
15987
15988                 spin_lock_bh(&rdev->beacon_registrations_lock);
15989                 list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
15990                                          list) {
15991                         if (reg->nlportid == notify->portid) {
15992                                 list_del(&reg->list);
15993                                 kfree(reg);
15994                                 break;
15995                         }
15996                 }
15997                 spin_unlock_bh(&rdev->beacon_registrations_lock);
15998         }
15999
16000         rcu_read_unlock();
16001
16002         /*
16003          * It is possible that the user space process that is controlling the
16004          * indoor setting disappeared, so notify the regulatory core.
16005          */
16006         regulatory_netlink_notify(notify->portid);
16007         return NOTIFY_OK;
16008 }
16009
16010 static struct notifier_block nl80211_netlink_notifier = {
16011         .notifier_call = nl80211_netlink_notify,
16012 };
16013
16014 void cfg80211_ft_event(struct net_device *netdev,
16015                        struct cfg80211_ft_event_params *ft_event)
16016 {
16017         struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
16018         struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16019         struct sk_buff *msg;
16020         void *hdr;
16021
16022         trace_cfg80211_ft_event(wiphy, netdev, ft_event);
16023
16024         if (!ft_event->target_ap)
16025                 return;
16026
16027         msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
16028                         GFP_KERNEL);
16029         if (!msg)
16030                 return;
16031
16032         hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
16033         if (!hdr)
16034                 goto out;
16035
16036         if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16037             nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16038             nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
16039                 goto out;
16040
16041         if (ft_event->ies &&
16042             nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
16043                 goto out;
16044         if (ft_event->ric_ies &&
16045             nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
16046                     ft_event->ric_ies))
16047                 goto out;
16048
16049         genlmsg_end(msg, hdr);
16050
16051         genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16052                                 NL80211_MCGRP_MLME, GFP_KERNEL);
16053         return;
16054  out:
16055         nlmsg_free(msg);
16056 }
16057 EXPORT_SYMBOL(cfg80211_ft_event);
16058
16059 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
16060 {
16061         struct cfg80211_registered_device *rdev;
16062         struct sk_buff *msg;
16063         void *hdr;
16064         u32 nlportid;
16065
16066         rdev = wiphy_to_rdev(wdev->wiphy);
16067         if (!rdev->crit_proto_nlportid)
16068                 return;
16069
16070         nlportid = rdev->crit_proto_nlportid;
16071         rdev->crit_proto_nlportid = 0;
16072
16073         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16074         if (!msg)
16075                 return;
16076
16077         hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
16078         if (!hdr)
16079                 goto nla_put_failure;
16080
16081         if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16082             nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16083                               NL80211_ATTR_PAD))
16084                 goto nla_put_failure;
16085
16086         genlmsg_end(msg, hdr);
16087
16088         genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
16089         return;
16090
16091  nla_put_failure:
16092         nlmsg_free(msg);
16093 }
16094 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
16095
16096 void nl80211_send_ap_stopped(struct wireless_dev *wdev)
16097 {
16098         struct wiphy *wiphy = wdev->wiphy;
16099         struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16100         struct sk_buff *msg;
16101         void *hdr;
16102
16103         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16104         if (!msg)
16105                 return;
16106
16107         hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
16108         if (!hdr)
16109                 goto out;
16110
16111         if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16112             nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
16113             nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16114                               NL80211_ATTR_PAD))
16115                 goto out;
16116
16117         genlmsg_end(msg, hdr);
16118
16119         genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
16120                                 NL80211_MCGRP_MLME, GFP_KERNEL);
16121         return;
16122  out:
16123         nlmsg_free(msg);
16124 }
16125
16126 int cfg80211_external_auth_request(struct net_device *dev,
16127                                    struct cfg80211_external_auth_params *params,
16128                                    gfp_t gfp)
16129 {
16130         struct wireless_dev *wdev = dev->ieee80211_ptr;
16131         struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16132         struct sk_buff *msg;
16133         void *hdr;
16134
16135         if (!wdev->conn_owner_nlportid)
16136                 return -EINVAL;
16137
16138         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16139         if (!msg)
16140                 return -ENOMEM;
16141
16142         hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EXTERNAL_AUTH);
16143         if (!hdr)
16144                 goto nla_put_failure;
16145
16146         if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16147             nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
16148             nla_put_u32(msg, NL80211_ATTR_AKM_SUITES, params->key_mgmt_suite) ||
16149             nla_put_u32(msg, NL80211_ATTR_EXTERNAL_AUTH_ACTION,
16150                         params->action) ||
16151             nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, params->bssid) ||
16152             nla_put(msg, NL80211_ATTR_SSID, params->ssid.ssid_len,
16153                     params->ssid.ssid))
16154                 goto nla_put_failure;
16155
16156         genlmsg_end(msg, hdr);
16157         genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
16158                         wdev->conn_owner_nlportid);
16159         return 0;
16160
16161  nla_put_failure:
16162         nlmsg_free(msg);
16163         return -ENOBUFS;
16164 }
16165 EXPORT_SYMBOL(cfg80211_external_auth_request);
16166
16167 /* initialisation/exit functions */
16168
16169 int __init nl80211_init(void)
16170 {
16171         int err;
16172
16173         err = genl_register_family(&nl80211_fam);
16174         if (err)
16175                 return err;
16176
16177         err = netlink_register_notifier(&nl80211_netlink_notifier);
16178         if (err)
16179                 goto err_out;
16180
16181         return 0;
16182  err_out:
16183         genl_unregister_family(&nl80211_fam);
16184         return err;
16185 }
16186
16187 void nl80211_exit(void)
16188 {
16189         netlink_unregister_notifier(&nl80211_netlink_notifier);
16190         genl_unregister_family(&nl80211_fam);
16191 }