Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wirel...
[linux-3.10.git] / net / wireless / nl80211.c
1 /*
2  * This is the new netlink-based wireless configuration interface.
3  *
4  * Copyright 2006-2010  Johannes Berg <johannes@sipsolutions.net>
5  */
6
7 #include <linux/if.h>
8 #include <linux/module.h>
9 #include <linux/err.h>
10 #include <linux/slab.h>
11 #include <linux/list.h>
12 #include <linux/if_ether.h>
13 #include <linux/ieee80211.h>
14 #include <linux/nl80211.h>
15 #include <linux/rtnetlink.h>
16 #include <linux/netlink.h>
17 #include <linux/etherdevice.h>
18 #include <net/net_namespace.h>
19 #include <net/genetlink.h>
20 #include <net/cfg80211.h>
21 #include <net/sock.h>
22 #include "core.h"
23 #include "nl80211.h"
24 #include "reg.h"
25
26 static bool nl80211_valid_auth_type(enum nl80211_auth_type auth_type);
27 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
28                                    struct genl_info *info,
29                                    struct cfg80211_crypto_settings *settings,
30                                    int cipher_limit);
31
32 static int nl80211_pre_doit(struct genl_ops *ops, struct sk_buff *skb,
33                             struct genl_info *info);
34 static void nl80211_post_doit(struct genl_ops *ops, struct sk_buff *skb,
35                               struct genl_info *info);
36
37 /* the netlink family */
38 static struct genl_family nl80211_fam = {
39         .id = GENL_ID_GENERATE, /* don't bother with a hardcoded ID */
40         .name = "nl80211",      /* have users key off the name instead */
41         .hdrsize = 0,           /* no private header */
42         .version = 1,           /* no particular meaning now */
43         .maxattr = NL80211_ATTR_MAX,
44         .netnsok = true,
45         .pre_doit = nl80211_pre_doit,
46         .post_doit = nl80211_post_doit,
47 };
48
49 /* returns ERR_PTR values */
50 static struct wireless_dev *
51 __cfg80211_wdev_from_attrs(struct net *netns, struct nlattr **attrs)
52 {
53         struct cfg80211_registered_device *rdev;
54         struct wireless_dev *result = NULL;
55         bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
56         bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
57         u64 wdev_id;
58         int wiphy_idx = -1;
59         int ifidx = -1;
60
61         assert_cfg80211_lock();
62
63         if (!have_ifidx && !have_wdev_id)
64                 return ERR_PTR(-EINVAL);
65
66         if (have_ifidx)
67                 ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
68         if (have_wdev_id) {
69                 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
70                 wiphy_idx = wdev_id >> 32;
71         }
72
73         list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
74                 struct wireless_dev *wdev;
75
76                 if (wiphy_net(&rdev->wiphy) != netns)
77                         continue;
78
79                 if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
80                         continue;
81
82                 mutex_lock(&rdev->devlist_mtx);
83                 list_for_each_entry(wdev, &rdev->wdev_list, list) {
84                         if (have_ifidx && wdev->netdev &&
85                             wdev->netdev->ifindex == ifidx) {
86                                 result = wdev;
87                                 break;
88                         }
89                         if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
90                                 result = wdev;
91                                 break;
92                         }
93                 }
94                 mutex_unlock(&rdev->devlist_mtx);
95
96                 if (result)
97                         break;
98         }
99
100         if (result)
101                 return result;
102         return ERR_PTR(-ENODEV);
103 }
104
105 static struct cfg80211_registered_device *
106 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
107 {
108         struct cfg80211_registered_device *rdev = NULL, *tmp;
109         struct net_device *netdev;
110
111         assert_cfg80211_lock();
112
113         if (!attrs[NL80211_ATTR_WIPHY] &&
114             !attrs[NL80211_ATTR_IFINDEX] &&
115             !attrs[NL80211_ATTR_WDEV])
116                 return ERR_PTR(-EINVAL);
117
118         if (attrs[NL80211_ATTR_WIPHY])
119                 rdev = cfg80211_rdev_by_wiphy_idx(
120                                 nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
121
122         if (attrs[NL80211_ATTR_WDEV]) {
123                 u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
124                 struct wireless_dev *wdev;
125                 bool found = false;
126
127                 tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
128                 if (tmp) {
129                         /* make sure wdev exists */
130                         mutex_lock(&tmp->devlist_mtx);
131                         list_for_each_entry(wdev, &tmp->wdev_list, list) {
132                                 if (wdev->identifier != (u32)wdev_id)
133                                         continue;
134                                 found = true;
135                                 break;
136                         }
137                         mutex_unlock(&tmp->devlist_mtx);
138
139                         if (!found)
140                                 tmp = NULL;
141
142                         if (rdev && tmp != rdev)
143                                 return ERR_PTR(-EINVAL);
144                         rdev = tmp;
145                 }
146         }
147
148         if (attrs[NL80211_ATTR_IFINDEX]) {
149                 int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
150                 netdev = dev_get_by_index(netns, ifindex);
151                 if (netdev) {
152                         if (netdev->ieee80211_ptr)
153                                 tmp = wiphy_to_dev(
154                                                 netdev->ieee80211_ptr->wiphy);
155                         else
156                                 tmp = NULL;
157
158                         dev_put(netdev);
159
160                         /* not wireless device -- return error */
161                         if (!tmp)
162                                 return ERR_PTR(-EINVAL);
163
164                         /* mismatch -- return error */
165                         if (rdev && tmp != rdev)
166                                 return ERR_PTR(-EINVAL);
167
168                         rdev = tmp;
169                 }
170         }
171
172         if (!rdev)
173                 return ERR_PTR(-ENODEV);
174
175         if (netns != wiphy_net(&rdev->wiphy))
176                 return ERR_PTR(-ENODEV);
177
178         return rdev;
179 }
180
181 /*
182  * This function returns a pointer to the driver
183  * that the genl_info item that is passed refers to.
184  * If successful, it returns non-NULL and also locks
185  * the driver's mutex!
186  *
187  * This means that you need to call cfg80211_unlock_rdev()
188  * before being allowed to acquire &cfg80211_mutex!
189  *
190  * This is necessary because we need to lock the global
191  * mutex to get an item off the list safely, and then
192  * we lock the rdev mutex so it doesn't go away under us.
193  *
194  * We don't want to keep cfg80211_mutex locked
195  * for all the time in order to allow requests on
196  * other interfaces to go through at the same time.
197  *
198  * The result of this can be a PTR_ERR and hence must
199  * be checked with IS_ERR() for errors.
200  */
201 static struct cfg80211_registered_device *
202 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
203 {
204         struct cfg80211_registered_device *rdev;
205
206         mutex_lock(&cfg80211_mutex);
207         rdev = __cfg80211_rdev_from_attrs(netns, info->attrs);
208
209         /* if it is not an error we grab the lock on
210          * it to assure it won't be going away while
211          * we operate on it */
212         if (!IS_ERR(rdev))
213                 mutex_lock(&rdev->mtx);
214
215         mutex_unlock(&cfg80211_mutex);
216
217         return rdev;
218 }
219
220 /* policy for the attributes */
221 static const struct nla_policy nl80211_policy[NL80211_ATTR_MAX+1] = {
222         [NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
223         [NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
224                                       .len = 20-1 },
225         [NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
226         [NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
227         [NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
228         [NL80211_ATTR_WIPHY_RETRY_SHORT] = { .type = NLA_U8 },
229         [NL80211_ATTR_WIPHY_RETRY_LONG] = { .type = NLA_U8 },
230         [NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
231         [NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
232         [NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
233
234         [NL80211_ATTR_IFTYPE] = { .type = NLA_U32 },
235         [NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
236         [NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
237
238         [NL80211_ATTR_MAC] = { .len = ETH_ALEN },
239         [NL80211_ATTR_PREV_BSSID] = { .len = ETH_ALEN },
240
241         [NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
242         [NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
243                                     .len = WLAN_MAX_KEY_LEN },
244         [NL80211_ATTR_KEY_IDX] = { .type = NLA_U8 },
245         [NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
246         [NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
247         [NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
248         [NL80211_ATTR_KEY_TYPE] = { .type = NLA_U32 },
249
250         [NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
251         [NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
252         [NL80211_ATTR_BEACON_HEAD] = { .type = NLA_BINARY,
253                                        .len = IEEE80211_MAX_DATA_LEN },
254         [NL80211_ATTR_BEACON_TAIL] = { .type = NLA_BINARY,
255                                        .len = IEEE80211_MAX_DATA_LEN },
256         [NL80211_ATTR_STA_AID] = { .type = NLA_U16 },
257         [NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
258         [NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
259         [NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
260                                                .len = NL80211_MAX_SUPP_RATES },
261         [NL80211_ATTR_STA_PLINK_ACTION] = { .type = NLA_U8 },
262         [NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
263         [NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
264         [NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
265                                    .len = IEEE80211_MAX_MESH_ID_LEN },
266         [NL80211_ATTR_MPATH_NEXT_HOP] = { .type = NLA_U32 },
267
268         [NL80211_ATTR_REG_ALPHA2] = { .type = NLA_STRING, .len = 2 },
269         [NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
270
271         [NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
272         [NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
273         [NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
274         [NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
275                                            .len = NL80211_MAX_SUPP_RATES },
276         [NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
277
278         [NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
279         [NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
280
281         [NL80211_ATTR_HT_CAPABILITY] = { .len = NL80211_HT_CAPABILITY_LEN },
282
283         [NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
284         [NL80211_ATTR_IE] = { .type = NLA_BINARY,
285                               .len = IEEE80211_MAX_DATA_LEN },
286         [NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
287         [NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
288
289         [NL80211_ATTR_SSID] = { .type = NLA_BINARY,
290                                 .len = IEEE80211_MAX_SSID_LEN },
291         [NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
292         [NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
293         [NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
294         [NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
295         [NL80211_ATTR_USE_MFP] = { .type = NLA_U32 },
296         [NL80211_ATTR_STA_FLAGS2] = {
297                 .len = sizeof(struct nl80211_sta_flag_update),
298         },
299         [NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
300         [NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
301         [NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
302         [NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
303         [NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
304         [NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
305         [NL80211_ATTR_PID] = { .type = NLA_U32 },
306         [NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
307         [NL80211_ATTR_PMKID] = { .type = NLA_BINARY,
308                                  .len = WLAN_PMKID_LEN },
309         [NL80211_ATTR_DURATION] = { .type = NLA_U32 },
310         [NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
311         [NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
312         [NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
313                                  .len = IEEE80211_MAX_DATA_LEN },
314         [NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
315         [NL80211_ATTR_PS_STATE] = { .type = NLA_U32 },
316         [NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
317         [NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
318         [NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
319         [NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
320         [NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
321         [NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
322         [NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
323         [NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
324         [NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
325         [NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
326         [NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
327         [NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
328         [NL80211_ATTR_STA_PLINK_STATE] = { .type = NLA_U8 },
329         [NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
330         [NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
331         [NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
332         [NL80211_ATTR_HIDDEN_SSID] = { .type = NLA_U32 },
333         [NL80211_ATTR_IE_PROBE_RESP] = { .type = NLA_BINARY,
334                                          .len = IEEE80211_MAX_DATA_LEN },
335         [NL80211_ATTR_IE_ASSOC_RESP] = { .type = NLA_BINARY,
336                                          .len = IEEE80211_MAX_DATA_LEN },
337         [NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
338         [NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
339         [NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
340         [NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
341         [NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
342         [NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
343         [NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
344         [NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
345         [NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
346         [NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
347                                       .len = IEEE80211_MAX_DATA_LEN },
348         [NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
349         [NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
350         [NL80211_ATTR_HT_CAPABILITY_MASK] = {
351                 .len = NL80211_HT_CAPABILITY_LEN
352         },
353         [NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
354         [NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
355         [NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
356         [NL80211_ATTR_WDEV] = { .type = NLA_U64 },
357         [NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
358 };
359
360 /* policy for the key attributes */
361 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
362         [NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
363         [NL80211_KEY_IDX] = { .type = NLA_U8 },
364         [NL80211_KEY_CIPHER] = { .type = NLA_U32 },
365         [NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
366         [NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
367         [NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
368         [NL80211_KEY_TYPE] = { .type = NLA_U32 },
369         [NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
370 };
371
372 /* policy for the key default flags */
373 static const struct nla_policy
374 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
375         [NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
376         [NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
377 };
378
379 /* policy for WoWLAN attributes */
380 static const struct nla_policy
381 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
382         [NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
383         [NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
384         [NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
385         [NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
386         [NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
387         [NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
388         [NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
389         [NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
390 };
391
392 /* policy for GTK rekey offload attributes */
393 static const struct nla_policy
394 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
395         [NL80211_REKEY_DATA_KEK] = { .len = NL80211_KEK_LEN },
396         [NL80211_REKEY_DATA_KCK] = { .len = NL80211_KCK_LEN },
397         [NL80211_REKEY_DATA_REPLAY_CTR] = { .len = NL80211_REPLAY_CTR_LEN },
398 };
399
400 static const struct nla_policy
401 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
402         [NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
403                                                  .len = IEEE80211_MAX_SSID_LEN },
404         [NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
405 };
406
407 /* ifidx get helper */
408 static int nl80211_get_ifidx(struct netlink_callback *cb)
409 {
410         int res;
411
412         res = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
413                           nl80211_fam.attrbuf, nl80211_fam.maxattr,
414                           nl80211_policy);
415         if (res)
416                 return res;
417
418         if (!nl80211_fam.attrbuf[NL80211_ATTR_IFINDEX])
419                 return -EINVAL;
420
421         res = nla_get_u32(nl80211_fam.attrbuf[NL80211_ATTR_IFINDEX]);
422         if (!res)
423                 return -EINVAL;
424         return res;
425 }
426
427 static int nl80211_prepare_netdev_dump(struct sk_buff *skb,
428                                        struct netlink_callback *cb,
429                                        struct cfg80211_registered_device **rdev,
430                                        struct net_device **dev)
431 {
432         int ifidx = cb->args[0];
433         int err;
434
435         if (!ifidx)
436                 ifidx = nl80211_get_ifidx(cb);
437         if (ifidx < 0)
438                 return ifidx;
439
440         cb->args[0] = ifidx;
441
442         rtnl_lock();
443
444         *dev = __dev_get_by_index(sock_net(skb->sk), ifidx);
445         if (!*dev) {
446                 err = -ENODEV;
447                 goto out_rtnl;
448         }
449
450         *rdev = cfg80211_get_dev_from_ifindex(sock_net(skb->sk), ifidx);
451         if (IS_ERR(*rdev)) {
452                 err = PTR_ERR(*rdev);
453                 goto out_rtnl;
454         }
455
456         return 0;
457  out_rtnl:
458         rtnl_unlock();
459         return err;
460 }
461
462 static void nl80211_finish_netdev_dump(struct cfg80211_registered_device *rdev)
463 {
464         cfg80211_unlock_rdev(rdev);
465         rtnl_unlock();
466 }
467
468 /* IE validation */
469 static bool is_valid_ie_attr(const struct nlattr *attr)
470 {
471         const u8 *pos;
472         int len;
473
474         if (!attr)
475                 return true;
476
477         pos = nla_data(attr);
478         len = nla_len(attr);
479
480         while (len) {
481                 u8 elemlen;
482
483                 if (len < 2)
484                         return false;
485                 len -= 2;
486
487                 elemlen = pos[1];
488                 if (elemlen > len)
489                         return false;
490
491                 len -= elemlen;
492                 pos += 2 + elemlen;
493         }
494
495         return true;
496 }
497
498 /* message building helper */
499 static inline void *nl80211hdr_put(struct sk_buff *skb, u32 pid, u32 seq,
500                                    int flags, u8 cmd)
501 {
502         /* since there is no private header just add the generic one */
503         return genlmsg_put(skb, pid, seq, &nl80211_fam, flags, cmd);
504 }
505
506 static int nl80211_msg_put_channel(struct sk_buff *msg,
507                                    struct ieee80211_channel *chan)
508 {
509         if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
510                         chan->center_freq))
511                 goto nla_put_failure;
512
513         if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
514             nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
515                 goto nla_put_failure;
516         if ((chan->flags & IEEE80211_CHAN_PASSIVE_SCAN) &&
517             nla_put_flag(msg, NL80211_FREQUENCY_ATTR_PASSIVE_SCAN))
518                 goto nla_put_failure;
519         if ((chan->flags & IEEE80211_CHAN_NO_IBSS) &&
520             nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IBSS))
521                 goto nla_put_failure;
522         if ((chan->flags & IEEE80211_CHAN_RADAR) &&
523             nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
524                 goto nla_put_failure;
525
526         if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
527                         DBM_TO_MBM(chan->max_power)))
528                 goto nla_put_failure;
529
530         return 0;
531
532  nla_put_failure:
533         return -ENOBUFS;
534 }
535
536 /* netlink command implementations */
537
538 struct key_parse {
539         struct key_params p;
540         int idx;
541         int type;
542         bool def, defmgmt;
543         bool def_uni, def_multi;
544 };
545
546 static int nl80211_parse_key_new(struct nlattr *key, struct key_parse *k)
547 {
548         struct nlattr *tb[NL80211_KEY_MAX + 1];
549         int err = nla_parse_nested(tb, NL80211_KEY_MAX, key,
550                                    nl80211_key_policy);
551         if (err)
552                 return err;
553
554         k->def = !!tb[NL80211_KEY_DEFAULT];
555         k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
556
557         if (k->def) {
558                 k->def_uni = true;
559                 k->def_multi = true;
560         }
561         if (k->defmgmt)
562                 k->def_multi = true;
563
564         if (tb[NL80211_KEY_IDX])
565                 k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
566
567         if (tb[NL80211_KEY_DATA]) {
568                 k->p.key = nla_data(tb[NL80211_KEY_DATA]);
569                 k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
570         }
571
572         if (tb[NL80211_KEY_SEQ]) {
573                 k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
574                 k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
575         }
576
577         if (tb[NL80211_KEY_CIPHER])
578                 k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
579
580         if (tb[NL80211_KEY_TYPE]) {
581                 k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
582                 if (k->type < 0 || k->type >= NUM_NL80211_KEYTYPES)
583                         return -EINVAL;
584         }
585
586         if (tb[NL80211_KEY_DEFAULT_TYPES]) {
587                 struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
588                 err = nla_parse_nested(kdt, NUM_NL80211_KEY_DEFAULT_TYPES - 1,
589                                        tb[NL80211_KEY_DEFAULT_TYPES],
590                                        nl80211_key_default_policy);
591                 if (err)
592                         return err;
593
594                 k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
595                 k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
596         }
597
598         return 0;
599 }
600
601 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
602 {
603         if (info->attrs[NL80211_ATTR_KEY_DATA]) {
604                 k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
605                 k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
606         }
607
608         if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
609                 k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
610                 k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
611         }
612
613         if (info->attrs[NL80211_ATTR_KEY_IDX])
614                 k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
615
616         if (info->attrs[NL80211_ATTR_KEY_CIPHER])
617                 k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
618
619         k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
620         k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
621
622         if (k->def) {
623                 k->def_uni = true;
624                 k->def_multi = true;
625         }
626         if (k->defmgmt)
627                 k->def_multi = true;
628
629         if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
630                 k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
631                 if (k->type < 0 || k->type >= NUM_NL80211_KEYTYPES)
632                         return -EINVAL;
633         }
634
635         if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
636                 struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
637                 int err = nla_parse_nested(
638                                 kdt, NUM_NL80211_KEY_DEFAULT_TYPES - 1,
639                                 info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
640                                 nl80211_key_default_policy);
641                 if (err)
642                         return err;
643
644                 k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
645                 k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
646         }
647
648         return 0;
649 }
650
651 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
652 {
653         int err;
654
655         memset(k, 0, sizeof(*k));
656         k->idx = -1;
657         k->type = -1;
658
659         if (info->attrs[NL80211_ATTR_KEY])
660                 err = nl80211_parse_key_new(info->attrs[NL80211_ATTR_KEY], k);
661         else
662                 err = nl80211_parse_key_old(info, k);
663
664         if (err)
665                 return err;
666
667         if (k->def && k->defmgmt)
668                 return -EINVAL;
669
670         if (k->defmgmt) {
671                 if (k->def_uni || !k->def_multi)
672                         return -EINVAL;
673         }
674
675         if (k->idx != -1) {
676                 if (k->defmgmt) {
677                         if (k->idx < 4 || k->idx > 5)
678                                 return -EINVAL;
679                 } else if (k->def) {
680                         if (k->idx < 0 || k->idx > 3)
681                                 return -EINVAL;
682                 } else {
683                         if (k->idx < 0 || k->idx > 5)
684                                 return -EINVAL;
685                 }
686         }
687
688         return 0;
689 }
690
691 static struct cfg80211_cached_keys *
692 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
693                        struct nlattr *keys)
694 {
695         struct key_parse parse;
696         struct nlattr *key;
697         struct cfg80211_cached_keys *result;
698         int rem, err, def = 0;
699
700         result = kzalloc(sizeof(*result), GFP_KERNEL);
701         if (!result)
702                 return ERR_PTR(-ENOMEM);
703
704         result->def = -1;
705         result->defmgmt = -1;
706
707         nla_for_each_nested(key, keys, rem) {
708                 memset(&parse, 0, sizeof(parse));
709                 parse.idx = -1;
710
711                 err = nl80211_parse_key_new(key, &parse);
712                 if (err)
713                         goto error;
714                 err = -EINVAL;
715                 if (!parse.p.key)
716                         goto error;
717                 if (parse.idx < 0 || parse.idx > 4)
718                         goto error;
719                 if (parse.def) {
720                         if (def)
721                                 goto error;
722                         def = 1;
723                         result->def = parse.idx;
724                         if (!parse.def_uni || !parse.def_multi)
725                                 goto error;
726                 } else if (parse.defmgmt)
727                         goto error;
728                 err = cfg80211_validate_key_settings(rdev, &parse.p,
729                                                      parse.idx, false, NULL);
730                 if (err)
731                         goto error;
732                 result->params[parse.idx].cipher = parse.p.cipher;
733                 result->params[parse.idx].key_len = parse.p.key_len;
734                 result->params[parse.idx].key = result->data[parse.idx];
735                 memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
736         }
737
738         return result;
739  error:
740         kfree(result);
741         return ERR_PTR(err);
742 }
743
744 static int nl80211_key_allowed(struct wireless_dev *wdev)
745 {
746         ASSERT_WDEV_LOCK(wdev);
747
748         switch (wdev->iftype) {
749         case NL80211_IFTYPE_AP:
750         case NL80211_IFTYPE_AP_VLAN:
751         case NL80211_IFTYPE_P2P_GO:
752         case NL80211_IFTYPE_MESH_POINT:
753                 break;
754         case NL80211_IFTYPE_ADHOC:
755                 if (!wdev->current_bss)
756                         return -ENOLINK;
757                 break;
758         case NL80211_IFTYPE_STATION:
759         case NL80211_IFTYPE_P2P_CLIENT:
760                 if (wdev->sme_state != CFG80211_SME_CONNECTED)
761                         return -ENOLINK;
762                 break;
763         default:
764                 return -EINVAL;
765         }
766
767         return 0;
768 }
769
770 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
771 {
772         struct nlattr *nl_modes = nla_nest_start(msg, attr);
773         int i;
774
775         if (!nl_modes)
776                 goto nla_put_failure;
777
778         i = 0;
779         while (ifmodes) {
780                 if ((ifmodes & 1) && nla_put_flag(msg, i))
781                         goto nla_put_failure;
782                 ifmodes >>= 1;
783                 i++;
784         }
785
786         nla_nest_end(msg, nl_modes);
787         return 0;
788
789 nla_put_failure:
790         return -ENOBUFS;
791 }
792
793 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
794                                           struct sk_buff *msg)
795 {
796         struct nlattr *nl_combis;
797         int i, j;
798
799         nl_combis = nla_nest_start(msg,
800                                 NL80211_ATTR_INTERFACE_COMBINATIONS);
801         if (!nl_combis)
802                 goto nla_put_failure;
803
804         for (i = 0; i < wiphy->n_iface_combinations; i++) {
805                 const struct ieee80211_iface_combination *c;
806                 struct nlattr *nl_combi, *nl_limits;
807
808                 c = &wiphy->iface_combinations[i];
809
810                 nl_combi = nla_nest_start(msg, i + 1);
811                 if (!nl_combi)
812                         goto nla_put_failure;
813
814                 nl_limits = nla_nest_start(msg, NL80211_IFACE_COMB_LIMITS);
815                 if (!nl_limits)
816                         goto nla_put_failure;
817
818                 for (j = 0; j < c->n_limits; j++) {
819                         struct nlattr *nl_limit;
820
821                         nl_limit = nla_nest_start(msg, j + 1);
822                         if (!nl_limit)
823                                 goto nla_put_failure;
824                         if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
825                                         c->limits[j].max))
826                                 goto nla_put_failure;
827                         if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
828                                                 c->limits[j].types))
829                                 goto nla_put_failure;
830                         nla_nest_end(msg, nl_limit);
831                 }
832
833                 nla_nest_end(msg, nl_limits);
834
835                 if (c->beacon_int_infra_match &&
836                     nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
837                         goto nla_put_failure;
838                 if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
839                                 c->num_different_channels) ||
840                     nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
841                                 c->max_interfaces))
842                         goto nla_put_failure;
843
844                 nla_nest_end(msg, nl_combi);
845         }
846
847         nla_nest_end(msg, nl_combis);
848
849         return 0;
850 nla_put_failure:
851         return -ENOBUFS;
852 }
853
854 static int nl80211_send_wiphy(struct sk_buff *msg, u32 pid, u32 seq, int flags,
855                               struct cfg80211_registered_device *dev)
856 {
857         void *hdr;
858         struct nlattr *nl_bands, *nl_band;
859         struct nlattr *nl_freqs, *nl_freq;
860         struct nlattr *nl_rates, *nl_rate;
861         struct nlattr *nl_cmds;
862         enum ieee80211_band band;
863         struct ieee80211_channel *chan;
864         struct ieee80211_rate *rate;
865         int i;
866         const struct ieee80211_txrx_stypes *mgmt_stypes =
867                                 dev->wiphy.mgmt_stypes;
868
869         hdr = nl80211hdr_put(msg, pid, seq, flags, NL80211_CMD_NEW_WIPHY);
870         if (!hdr)
871                 return -1;
872
873         if (nla_put_u32(msg, NL80211_ATTR_WIPHY, dev->wiphy_idx) ||
874             nla_put_string(msg, NL80211_ATTR_WIPHY_NAME, wiphy_name(&dev->wiphy)) ||
875             nla_put_u32(msg, NL80211_ATTR_GENERATION,
876                         cfg80211_rdev_list_generation) ||
877             nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
878                        dev->wiphy.retry_short) ||
879             nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
880                        dev->wiphy.retry_long) ||
881             nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
882                         dev->wiphy.frag_threshold) ||
883             nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
884                         dev->wiphy.rts_threshold) ||
885             nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
886                        dev->wiphy.coverage_class) ||
887             nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
888                        dev->wiphy.max_scan_ssids) ||
889             nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
890                        dev->wiphy.max_sched_scan_ssids) ||
891             nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
892                         dev->wiphy.max_scan_ie_len) ||
893             nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
894                         dev->wiphy.max_sched_scan_ie_len) ||
895             nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
896                        dev->wiphy.max_match_sets))
897                 goto nla_put_failure;
898
899         if ((dev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
900             nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
901                 goto nla_put_failure;
902         if ((dev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
903             nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
904                 goto nla_put_failure;
905         if ((dev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
906             nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
907                 goto nla_put_failure;
908         if ((dev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
909             nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
910                 goto nla_put_failure;
911         if ((dev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
912             nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
913                 goto nla_put_failure;
914         if ((dev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
915             nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
916                 goto nla_put_failure;
917
918         if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
919                     sizeof(u32) * dev->wiphy.n_cipher_suites,
920                     dev->wiphy.cipher_suites))
921                 goto nla_put_failure;
922
923         if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
924                        dev->wiphy.max_num_pmkids))
925                 goto nla_put_failure;
926
927         if ((dev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
928             nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
929                 goto nla_put_failure;
930
931         if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
932                         dev->wiphy.available_antennas_tx) ||
933             nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
934                         dev->wiphy.available_antennas_rx))
935                 goto nla_put_failure;
936
937         if ((dev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
938             nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
939                         dev->wiphy.probe_resp_offload))
940                 goto nla_put_failure;
941
942         if ((dev->wiphy.available_antennas_tx ||
943              dev->wiphy.available_antennas_rx) && dev->ops->get_antenna) {
944                 u32 tx_ant = 0, rx_ant = 0;
945                 int res;
946                 res = dev->ops->get_antenna(&dev->wiphy, &tx_ant, &rx_ant);
947                 if (!res) {
948                         if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_TX,
949                                         tx_ant) ||
950                             nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_RX,
951                                         rx_ant))
952                                 goto nla_put_failure;
953                 }
954         }
955
956         if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
957                                 dev->wiphy.interface_modes))
958                 goto nla_put_failure;
959
960         nl_bands = nla_nest_start(msg, NL80211_ATTR_WIPHY_BANDS);
961         if (!nl_bands)
962                 goto nla_put_failure;
963
964         for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
965                 if (!dev->wiphy.bands[band])
966                         continue;
967
968                 nl_band = nla_nest_start(msg, band);
969                 if (!nl_band)
970                         goto nla_put_failure;
971
972                 /* add HT info */
973                 if (dev->wiphy.bands[band]->ht_cap.ht_supported &&
974                     (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
975                              sizeof(dev->wiphy.bands[band]->ht_cap.mcs),
976                              &dev->wiphy.bands[band]->ht_cap.mcs) ||
977                      nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
978                                  dev->wiphy.bands[band]->ht_cap.cap) ||
979                      nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
980                                 dev->wiphy.bands[band]->ht_cap.ampdu_factor) ||
981                      nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
982                                 dev->wiphy.bands[band]->ht_cap.ampdu_density)))
983                         goto nla_put_failure;
984
985                 /* add VHT info */
986                 if (dev->wiphy.bands[band]->vht_cap.vht_supported &&
987                     (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
988                              sizeof(dev->wiphy.bands[band]->vht_cap.vht_mcs),
989                              &dev->wiphy.bands[band]->vht_cap.vht_mcs) ||
990                      nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
991                                  dev->wiphy.bands[band]->vht_cap.cap)))
992                         goto nla_put_failure;
993
994                 /* add frequencies */
995                 nl_freqs = nla_nest_start(msg, NL80211_BAND_ATTR_FREQS);
996                 if (!nl_freqs)
997                         goto nla_put_failure;
998
999                 for (i = 0; i < dev->wiphy.bands[band]->n_channels; i++) {
1000                         nl_freq = nla_nest_start(msg, i);
1001                         if (!nl_freq)
1002                                 goto nla_put_failure;
1003
1004                         chan = &dev->wiphy.bands[band]->channels[i];
1005
1006                         if (nl80211_msg_put_channel(msg, chan))
1007                                 goto nla_put_failure;
1008
1009                         nla_nest_end(msg, nl_freq);
1010                 }
1011
1012                 nla_nest_end(msg, nl_freqs);
1013
1014                 /* add bitrates */
1015                 nl_rates = nla_nest_start(msg, NL80211_BAND_ATTR_RATES);
1016                 if (!nl_rates)
1017                         goto nla_put_failure;
1018
1019                 for (i = 0; i < dev->wiphy.bands[band]->n_bitrates; i++) {
1020                         nl_rate = nla_nest_start(msg, i);
1021                         if (!nl_rate)
1022                                 goto nla_put_failure;
1023
1024                         rate = &dev->wiphy.bands[band]->bitrates[i];
1025                         if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1026                                         rate->bitrate))
1027                                 goto nla_put_failure;
1028                         if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1029                             nla_put_flag(msg,
1030                                          NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1031                                 goto nla_put_failure;
1032
1033                         nla_nest_end(msg, nl_rate);
1034                 }
1035
1036                 nla_nest_end(msg, nl_rates);
1037
1038                 nla_nest_end(msg, nl_band);
1039         }
1040         nla_nest_end(msg, nl_bands);
1041
1042         nl_cmds = nla_nest_start(msg, NL80211_ATTR_SUPPORTED_COMMANDS);
1043         if (!nl_cmds)
1044                 goto nla_put_failure;
1045
1046         i = 0;
1047 #define CMD(op, n)                                              \
1048          do {                                                   \
1049                 if (dev->ops->op) {                             \
1050                         i++;                                    \
1051                         if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) \
1052                                 goto nla_put_failure;           \
1053                 }                                               \
1054         } while (0)
1055
1056         CMD(add_virtual_intf, NEW_INTERFACE);
1057         CMD(change_virtual_intf, SET_INTERFACE);
1058         CMD(add_key, NEW_KEY);
1059         CMD(start_ap, START_AP);
1060         CMD(add_station, NEW_STATION);
1061         CMD(add_mpath, NEW_MPATH);
1062         CMD(update_mesh_config, SET_MESH_CONFIG);
1063         CMD(change_bss, SET_BSS);
1064         CMD(auth, AUTHENTICATE);
1065         CMD(assoc, ASSOCIATE);
1066         CMD(deauth, DEAUTHENTICATE);
1067         CMD(disassoc, DISASSOCIATE);
1068         CMD(join_ibss, JOIN_IBSS);
1069         CMD(join_mesh, JOIN_MESH);
1070         CMD(set_pmksa, SET_PMKSA);
1071         CMD(del_pmksa, DEL_PMKSA);
1072         CMD(flush_pmksa, FLUSH_PMKSA);
1073         if (dev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
1074                 CMD(remain_on_channel, REMAIN_ON_CHANNEL);
1075         CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
1076         CMD(mgmt_tx, FRAME);
1077         CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
1078         if (dev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
1079                 i++;
1080                 if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
1081                         goto nla_put_failure;
1082         }
1083         if (dev->ops->set_monitor_channel || dev->ops->start_ap ||
1084             dev->ops->join_mesh) {
1085                 i++;
1086                 if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
1087                         goto nla_put_failure;
1088         }
1089         CMD(set_wds_peer, SET_WDS_PEER);
1090         if (dev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
1091                 CMD(tdls_mgmt, TDLS_MGMT);
1092                 CMD(tdls_oper, TDLS_OPER);
1093         }
1094         if (dev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN)
1095                 CMD(sched_scan_start, START_SCHED_SCAN);
1096         CMD(probe_client, PROBE_CLIENT);
1097         CMD(set_noack_map, SET_NOACK_MAP);
1098         if (dev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
1099                 i++;
1100                 if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
1101                         goto nla_put_failure;
1102         }
1103
1104 #ifdef CONFIG_NL80211_TESTMODE
1105         CMD(testmode_cmd, TESTMODE);
1106 #endif
1107
1108 #undef CMD
1109
1110         if (dev->ops->connect || dev->ops->auth) {
1111                 i++;
1112                 if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
1113                         goto nla_put_failure;
1114         }
1115
1116         if (dev->ops->disconnect || dev->ops->deauth) {
1117                 i++;
1118                 if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
1119                         goto nla_put_failure;
1120         }
1121
1122         nla_nest_end(msg, nl_cmds);
1123
1124         if (dev->ops->remain_on_channel &&
1125             (dev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
1126             nla_put_u32(msg, NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
1127                         dev->wiphy.max_remain_on_channel_duration))
1128                 goto nla_put_failure;
1129
1130         if ((dev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
1131             nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
1132                 goto nla_put_failure;
1133
1134         if (mgmt_stypes) {
1135                 u16 stypes;
1136                 struct nlattr *nl_ftypes, *nl_ifs;
1137                 enum nl80211_iftype ift;
1138
1139                 nl_ifs = nla_nest_start(msg, NL80211_ATTR_TX_FRAME_TYPES);
1140                 if (!nl_ifs)
1141                         goto nla_put_failure;
1142
1143                 for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1144                         nl_ftypes = nla_nest_start(msg, ift);
1145                         if (!nl_ftypes)
1146                                 goto nla_put_failure;
1147                         i = 0;
1148                         stypes = mgmt_stypes[ift].tx;
1149                         while (stypes) {
1150                                 if ((stypes & 1) &&
1151                                     nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1152                                                 (i << 4) | IEEE80211_FTYPE_MGMT))
1153                                         goto nla_put_failure;
1154                                 stypes >>= 1;
1155                                 i++;
1156                         }
1157                         nla_nest_end(msg, nl_ftypes);
1158                 }
1159
1160                 nla_nest_end(msg, nl_ifs);
1161
1162                 nl_ifs = nla_nest_start(msg, NL80211_ATTR_RX_FRAME_TYPES);
1163                 if (!nl_ifs)
1164                         goto nla_put_failure;
1165
1166                 for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1167                         nl_ftypes = nla_nest_start(msg, ift);
1168                         if (!nl_ftypes)
1169                                 goto nla_put_failure;
1170                         i = 0;
1171                         stypes = mgmt_stypes[ift].rx;
1172                         while (stypes) {
1173                                 if ((stypes & 1) &&
1174                                     nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1175                                                 (i << 4) | IEEE80211_FTYPE_MGMT))
1176                                         goto nla_put_failure;
1177                                 stypes >>= 1;
1178                                 i++;
1179                         }
1180                         nla_nest_end(msg, nl_ftypes);
1181                 }
1182                 nla_nest_end(msg, nl_ifs);
1183         }
1184
1185 #ifdef CONFIG_PM
1186         if (dev->wiphy.wowlan.flags || dev->wiphy.wowlan.n_patterns) {
1187                 struct nlattr *nl_wowlan;
1188
1189                 nl_wowlan = nla_nest_start(msg,
1190                                 NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1191                 if (!nl_wowlan)
1192                         goto nla_put_failure;
1193
1194                 if (((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_ANY) &&
1195                      nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1196                     ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_DISCONNECT) &&
1197                      nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1198                     ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1199                      nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1200                     ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1201                      nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1202                     ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1203                      nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1204                     ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1205                      nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1206                     ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1207                      nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1208                     ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1209                      nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1210                     goto nla_put_failure;
1211                 if (dev->wiphy.wowlan.n_patterns) {
1212                         struct nl80211_wowlan_pattern_support pat = {
1213                                 .max_patterns = dev->wiphy.wowlan.n_patterns,
1214                                 .min_pattern_len =
1215                                         dev->wiphy.wowlan.pattern_min_len,
1216                                 .max_pattern_len =
1217                                         dev->wiphy.wowlan.pattern_max_len,
1218                         };
1219                         if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1220                                     sizeof(pat), &pat))
1221                                 goto nla_put_failure;
1222                 }
1223
1224                 nla_nest_end(msg, nl_wowlan);
1225         }
1226 #endif
1227
1228         if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
1229                                 dev->wiphy.software_iftypes))
1230                 goto nla_put_failure;
1231
1232         if (nl80211_put_iface_combinations(&dev->wiphy, msg))
1233                 goto nla_put_failure;
1234
1235         if ((dev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
1236             nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
1237                         dev->wiphy.ap_sme_capa))
1238                 goto nla_put_failure;
1239
1240         if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS,
1241                         dev->wiphy.features))
1242                 goto nla_put_failure;
1243
1244         if (dev->wiphy.ht_capa_mod_mask &&
1245             nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
1246                     sizeof(*dev->wiphy.ht_capa_mod_mask),
1247                     dev->wiphy.ht_capa_mod_mask))
1248                 goto nla_put_failure;
1249
1250         return genlmsg_end(msg, hdr);
1251
1252  nla_put_failure:
1253         genlmsg_cancel(msg, hdr);
1254         return -EMSGSIZE;
1255 }
1256
1257 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
1258 {
1259         int idx = 0;
1260         int start = cb->args[0];
1261         struct cfg80211_registered_device *dev;
1262
1263         mutex_lock(&cfg80211_mutex);
1264         list_for_each_entry(dev, &cfg80211_rdev_list, list) {
1265                 if (!net_eq(wiphy_net(&dev->wiphy), sock_net(skb->sk)))
1266                         continue;
1267                 if (++idx <= start)
1268                         continue;
1269                 if (nl80211_send_wiphy(skb, NETLINK_CB(cb->skb).pid,
1270                                        cb->nlh->nlmsg_seq, NLM_F_MULTI,
1271                                        dev) < 0) {
1272                         idx--;
1273                         break;
1274                 }
1275         }
1276         mutex_unlock(&cfg80211_mutex);
1277
1278         cb->args[0] = idx;
1279
1280         return skb->len;
1281 }
1282
1283 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
1284 {
1285         struct sk_buff *msg;
1286         struct cfg80211_registered_device *dev = info->user_ptr[0];
1287
1288         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1289         if (!msg)
1290                 return -ENOMEM;
1291
1292         if (nl80211_send_wiphy(msg, info->snd_pid, info->snd_seq, 0, dev) < 0) {
1293                 nlmsg_free(msg);
1294                 return -ENOBUFS;
1295         }
1296
1297         return genlmsg_reply(msg, info);
1298 }
1299
1300 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
1301         [NL80211_TXQ_ATTR_QUEUE]                = { .type = NLA_U8 },
1302         [NL80211_TXQ_ATTR_TXOP]                 = { .type = NLA_U16 },
1303         [NL80211_TXQ_ATTR_CWMIN]                = { .type = NLA_U16 },
1304         [NL80211_TXQ_ATTR_CWMAX]                = { .type = NLA_U16 },
1305         [NL80211_TXQ_ATTR_AIFS]                 = { .type = NLA_U8 },
1306 };
1307
1308 static int parse_txq_params(struct nlattr *tb[],
1309                             struct ieee80211_txq_params *txq_params)
1310 {
1311         if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
1312             !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
1313             !tb[NL80211_TXQ_ATTR_AIFS])
1314                 return -EINVAL;
1315
1316         txq_params->ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
1317         txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
1318         txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
1319         txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
1320         txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
1321
1322         if (txq_params->ac >= NL80211_NUM_ACS)
1323                 return -EINVAL;
1324
1325         return 0;
1326 }
1327
1328 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
1329 {
1330         /*
1331          * You can only set the channel explicitly for WDS interfaces,
1332          * all others have their channel managed via their respective
1333          * "establish a connection" command (connect, join, ...)
1334          *
1335          * For AP/GO and mesh mode, the channel can be set with the
1336          * channel userspace API, but is only stored and passed to the
1337          * low-level driver when the AP starts or the mesh is joined.
1338          * This is for backward compatibility, userspace can also give
1339          * the channel in the start-ap or join-mesh commands instead.
1340          *
1341          * Monitors are special as they are normally slaved to
1342          * whatever else is going on, so they have their own special
1343          * operation to set the monitor channel if possible.
1344          */
1345         return !wdev ||
1346                 wdev->iftype == NL80211_IFTYPE_AP ||
1347                 wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
1348                 wdev->iftype == NL80211_IFTYPE_MONITOR ||
1349                 wdev->iftype == NL80211_IFTYPE_P2P_GO;
1350 }
1351
1352 static bool nl80211_valid_channel_type(struct genl_info *info,
1353                                        enum nl80211_channel_type *channel_type)
1354 {
1355         enum nl80211_channel_type tmp;
1356
1357         if (!info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE])
1358                 return false;
1359
1360         tmp = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
1361         if (tmp != NL80211_CHAN_NO_HT &&
1362             tmp != NL80211_CHAN_HT20 &&
1363             tmp != NL80211_CHAN_HT40PLUS &&
1364             tmp != NL80211_CHAN_HT40MINUS)
1365                 return false;
1366
1367         if (channel_type)
1368                 *channel_type = tmp;
1369
1370         return true;
1371 }
1372
1373 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
1374                                  struct wireless_dev *wdev,
1375                                  struct genl_info *info)
1376 {
1377         struct ieee80211_channel *channel;
1378         enum nl80211_channel_type channel_type = NL80211_CHAN_NO_HT;
1379         u32 freq;
1380         int result;
1381         enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
1382
1383         if (wdev)
1384                 iftype = wdev->iftype;
1385
1386         if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
1387                 return -EINVAL;
1388
1389         if (!nl80211_can_set_dev_channel(wdev))
1390                 return -EOPNOTSUPP;
1391
1392         if (info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE] &&
1393             !nl80211_valid_channel_type(info, &channel_type))
1394                 return -EINVAL;
1395
1396         freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]);
1397
1398         mutex_lock(&rdev->devlist_mtx);
1399         switch (iftype) {
1400         case NL80211_IFTYPE_AP:
1401         case NL80211_IFTYPE_P2P_GO:
1402                 if (wdev->beacon_interval) {
1403                         result = -EBUSY;
1404                         break;
1405                 }
1406                 channel = rdev_freq_to_chan(rdev, freq, channel_type);
1407                 if (!channel || !cfg80211_can_beacon_sec_chan(&rdev->wiphy,
1408                                                               channel,
1409                                                               channel_type)) {
1410                         result = -EINVAL;
1411                         break;
1412                 }
1413                 wdev->preset_chan = channel;
1414                 wdev->preset_chantype = channel_type;
1415                 result = 0;
1416                 break;
1417         case NL80211_IFTYPE_MESH_POINT:
1418                 result = cfg80211_set_mesh_freq(rdev, wdev, freq, channel_type);
1419                 break;
1420         case NL80211_IFTYPE_MONITOR:
1421                 result = cfg80211_set_monitor_channel(rdev, freq, channel_type);
1422                 break;
1423         default:
1424                 result = -EINVAL;
1425         }
1426         mutex_unlock(&rdev->devlist_mtx);
1427
1428         return result;
1429 }
1430
1431 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
1432 {
1433         struct cfg80211_registered_device *rdev = info->user_ptr[0];
1434         struct net_device *netdev = info->user_ptr[1];
1435
1436         return __nl80211_set_channel(rdev, netdev->ieee80211_ptr, info);
1437 }
1438
1439 static int nl80211_set_wds_peer(struct sk_buff *skb, struct genl_info *info)
1440 {
1441         struct cfg80211_registered_device *rdev = info->user_ptr[0];
1442         struct net_device *dev = info->user_ptr[1];
1443         struct wireless_dev *wdev = dev->ieee80211_ptr;
1444         const u8 *bssid;
1445
1446         if (!info->attrs[NL80211_ATTR_MAC])
1447                 return -EINVAL;
1448
1449         if (netif_running(dev))
1450                 return -EBUSY;
1451
1452         if (!rdev->ops->set_wds_peer)
1453                 return -EOPNOTSUPP;
1454
1455         if (wdev->iftype != NL80211_IFTYPE_WDS)
1456                 return -EOPNOTSUPP;
1457
1458         bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
1459         return rdev->ops->set_wds_peer(wdev->wiphy, dev, bssid);
1460 }
1461
1462
1463 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
1464 {
1465         struct cfg80211_registered_device *rdev;
1466         struct net_device *netdev = NULL;
1467         struct wireless_dev *wdev;
1468         int result = 0, rem_txq_params = 0;
1469         struct nlattr *nl_txq_params;
1470         u32 changed;
1471         u8 retry_short = 0, retry_long = 0;
1472         u32 frag_threshold = 0, rts_threshold = 0;
1473         u8 coverage_class = 0;
1474
1475         /*
1476          * Try to find the wiphy and netdev. Normally this
1477          * function shouldn't need the netdev, but this is
1478          * done for backward compatibility -- previously
1479          * setting the channel was done per wiphy, but now
1480          * it is per netdev. Previous userland like hostapd
1481          * also passed a netdev to set_wiphy, so that it is
1482          * possible to let that go to the right netdev!
1483          */
1484         mutex_lock(&cfg80211_mutex);
1485
1486         if (info->attrs[NL80211_ATTR_IFINDEX]) {
1487                 int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
1488
1489                 netdev = dev_get_by_index(genl_info_net(info), ifindex);
1490                 if (netdev && netdev->ieee80211_ptr) {
1491                         rdev = wiphy_to_dev(netdev->ieee80211_ptr->wiphy);
1492                         mutex_lock(&rdev->mtx);
1493                 } else
1494                         netdev = NULL;
1495         }
1496
1497         if (!netdev) {
1498                 rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
1499                                                   info->attrs);
1500                 if (IS_ERR(rdev)) {
1501                         mutex_unlock(&cfg80211_mutex);
1502                         return PTR_ERR(rdev);
1503                 }
1504                 wdev = NULL;
1505                 netdev = NULL;
1506                 result = 0;
1507
1508                 mutex_lock(&rdev->mtx);
1509         } else if (nl80211_can_set_dev_channel(netdev->ieee80211_ptr))
1510                 wdev = netdev->ieee80211_ptr;
1511         else
1512                 wdev = NULL;
1513
1514         /*
1515          * end workaround code, by now the rdev is available
1516          * and locked, and wdev may or may not be NULL.
1517          */
1518
1519         if (info->attrs[NL80211_ATTR_WIPHY_NAME])
1520                 result = cfg80211_dev_rename(
1521                         rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
1522
1523         mutex_unlock(&cfg80211_mutex);
1524
1525         if (result)
1526                 goto bad_res;
1527
1528         if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
1529                 struct ieee80211_txq_params txq_params;
1530                 struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
1531
1532                 if (!rdev->ops->set_txq_params) {
1533                         result = -EOPNOTSUPP;
1534                         goto bad_res;
1535                 }
1536
1537                 if (!netdev) {
1538                         result = -EINVAL;
1539                         goto bad_res;
1540                 }
1541
1542                 if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
1543                     netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
1544                         result = -EINVAL;
1545                         goto bad_res;
1546                 }
1547
1548                 if (!netif_running(netdev)) {
1549                         result = -ENETDOWN;
1550                         goto bad_res;
1551                 }
1552
1553                 nla_for_each_nested(nl_txq_params,
1554                                     info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
1555                                     rem_txq_params) {
1556                         nla_parse(tb, NL80211_TXQ_ATTR_MAX,
1557                                   nla_data(nl_txq_params),
1558                                   nla_len(nl_txq_params),
1559                                   txq_params_policy);
1560                         result = parse_txq_params(tb, &txq_params);
1561                         if (result)
1562                                 goto bad_res;
1563
1564                         result = rdev->ops->set_txq_params(&rdev->wiphy,
1565                                                            netdev,
1566                                                            &txq_params);
1567                         if (result)
1568                                 goto bad_res;
1569                 }
1570         }
1571
1572         if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
1573                 result = __nl80211_set_channel(rdev, wdev, info);
1574                 if (result)
1575                         goto bad_res;
1576         }
1577
1578         if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
1579                 enum nl80211_tx_power_setting type;
1580                 int idx, mbm = 0;
1581
1582                 if (!rdev->ops->set_tx_power) {
1583                         result = -EOPNOTSUPP;
1584                         goto bad_res;
1585                 }
1586
1587                 idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
1588                 type = nla_get_u32(info->attrs[idx]);
1589
1590                 if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
1591                     (type != NL80211_TX_POWER_AUTOMATIC)) {
1592                         result = -EINVAL;
1593                         goto bad_res;
1594                 }
1595
1596                 if (type != NL80211_TX_POWER_AUTOMATIC) {
1597                         idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
1598                         mbm = nla_get_u32(info->attrs[idx]);
1599                 }
1600
1601                 result = rdev->ops->set_tx_power(&rdev->wiphy, type, mbm);
1602                 if (result)
1603                         goto bad_res;
1604         }
1605
1606         if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
1607             info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
1608                 u32 tx_ant, rx_ant;
1609                 if ((!rdev->wiphy.available_antennas_tx &&
1610                      !rdev->wiphy.available_antennas_rx) ||
1611                     !rdev->ops->set_antenna) {
1612                         result = -EOPNOTSUPP;
1613                         goto bad_res;
1614                 }
1615
1616                 tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
1617                 rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
1618
1619                 /* reject antenna configurations which don't match the
1620                  * available antenna masks, except for the "all" mask */
1621                 if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
1622                     (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx))) {
1623                         result = -EINVAL;
1624                         goto bad_res;
1625                 }
1626
1627                 tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
1628                 rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
1629
1630                 result = rdev->ops->set_antenna(&rdev->wiphy, tx_ant, rx_ant);
1631                 if (result)
1632                         goto bad_res;
1633         }
1634
1635         changed = 0;
1636
1637         if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
1638                 retry_short = nla_get_u8(
1639                         info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
1640                 if (retry_short == 0) {
1641                         result = -EINVAL;
1642                         goto bad_res;
1643                 }
1644                 changed |= WIPHY_PARAM_RETRY_SHORT;
1645         }
1646
1647         if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
1648                 retry_long = nla_get_u8(
1649                         info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
1650                 if (retry_long == 0) {
1651                         result = -EINVAL;
1652                         goto bad_res;
1653                 }
1654                 changed |= WIPHY_PARAM_RETRY_LONG;
1655         }
1656
1657         if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
1658                 frag_threshold = nla_get_u32(
1659                         info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
1660                 if (frag_threshold < 256) {
1661                         result = -EINVAL;
1662                         goto bad_res;
1663                 }
1664                 if (frag_threshold != (u32) -1) {
1665                         /*
1666                          * Fragments (apart from the last one) are required to
1667                          * have even length. Make the fragmentation code
1668                          * simpler by stripping LSB should someone try to use
1669                          * odd threshold value.
1670                          */
1671                         frag_threshold &= ~0x1;
1672                 }
1673                 changed |= WIPHY_PARAM_FRAG_THRESHOLD;
1674         }
1675
1676         if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
1677                 rts_threshold = nla_get_u32(
1678                         info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
1679                 changed |= WIPHY_PARAM_RTS_THRESHOLD;
1680         }
1681
1682         if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
1683                 coverage_class = nla_get_u8(
1684                         info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
1685                 changed |= WIPHY_PARAM_COVERAGE_CLASS;
1686         }
1687
1688         if (changed) {
1689                 u8 old_retry_short, old_retry_long;
1690                 u32 old_frag_threshold, old_rts_threshold;
1691                 u8 old_coverage_class;
1692
1693                 if (!rdev->ops->set_wiphy_params) {
1694                         result = -EOPNOTSUPP;
1695                         goto bad_res;
1696                 }
1697
1698                 old_retry_short = rdev->wiphy.retry_short;
1699                 old_retry_long = rdev->wiphy.retry_long;
1700                 old_frag_threshold = rdev->wiphy.frag_threshold;
1701                 old_rts_threshold = rdev->wiphy.rts_threshold;
1702                 old_coverage_class = rdev->wiphy.coverage_class;
1703
1704                 if (changed & WIPHY_PARAM_RETRY_SHORT)
1705                         rdev->wiphy.retry_short = retry_short;
1706                 if (changed & WIPHY_PARAM_RETRY_LONG)
1707                         rdev->wiphy.retry_long = retry_long;
1708                 if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
1709                         rdev->wiphy.frag_threshold = frag_threshold;
1710                 if (changed & WIPHY_PARAM_RTS_THRESHOLD)
1711                         rdev->wiphy.rts_threshold = rts_threshold;
1712                 if (changed & WIPHY_PARAM_COVERAGE_CLASS)
1713                         rdev->wiphy.coverage_class = coverage_class;
1714
1715                 result = rdev->ops->set_wiphy_params(&rdev->wiphy, changed);
1716                 if (result) {
1717                         rdev->wiphy.retry_short = old_retry_short;
1718                         rdev->wiphy.retry_long = old_retry_long;
1719                         rdev->wiphy.frag_threshold = old_frag_threshold;
1720                         rdev->wiphy.rts_threshold = old_rts_threshold;
1721                         rdev->wiphy.coverage_class = old_coverage_class;
1722                 }
1723         }
1724
1725  bad_res:
1726         mutex_unlock(&rdev->mtx);
1727         if (netdev)
1728                 dev_put(netdev);
1729         return result;
1730 }
1731
1732 static inline u64 wdev_id(struct wireless_dev *wdev)
1733 {
1734         return (u64)wdev->identifier |
1735                ((u64)wiphy_to_dev(wdev->wiphy)->wiphy_idx << 32);
1736 }
1737
1738 static int nl80211_send_iface(struct sk_buff *msg, u32 pid, u32 seq, int flags,
1739                               struct cfg80211_registered_device *rdev,
1740                               struct wireless_dev *wdev)
1741 {
1742         struct net_device *dev = wdev->netdev;
1743         void *hdr;
1744
1745         hdr = nl80211hdr_put(msg, pid, seq, flags, NL80211_CMD_NEW_INTERFACE);
1746         if (!hdr)
1747                 return -1;
1748
1749         if (dev &&
1750             (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
1751              nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name) ||
1752              nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dev->dev_addr)))
1753                 goto nla_put_failure;
1754
1755         if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
1756             nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
1757             nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)) ||
1758             nla_put_u32(msg, NL80211_ATTR_GENERATION,
1759                         rdev->devlist_generation ^
1760                         (cfg80211_rdev_list_generation << 2)))
1761                 goto nla_put_failure;
1762
1763         if (rdev->ops->get_channel) {
1764                 struct ieee80211_channel *chan;
1765                 enum nl80211_channel_type channel_type;
1766
1767                 chan = rdev->ops->get_channel(&rdev->wiphy, wdev,
1768                                               &channel_type);
1769                 if (chan &&
1770                     (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
1771                                  chan->center_freq) ||
1772                      nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
1773                                  channel_type)))
1774                         goto nla_put_failure;
1775         }
1776
1777         return genlmsg_end(msg, hdr);
1778
1779  nla_put_failure:
1780         genlmsg_cancel(msg, hdr);
1781         return -EMSGSIZE;
1782 }
1783
1784 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
1785 {
1786         int wp_idx = 0;
1787         int if_idx = 0;
1788         int wp_start = cb->args[0];
1789         int if_start = cb->args[1];
1790         struct cfg80211_registered_device *rdev;
1791         struct wireless_dev *wdev;
1792
1793         mutex_lock(&cfg80211_mutex);
1794         list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
1795                 if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
1796                         continue;
1797                 if (wp_idx < wp_start) {
1798                         wp_idx++;
1799                         continue;
1800                 }
1801                 if_idx = 0;
1802
1803                 mutex_lock(&rdev->devlist_mtx);
1804                 list_for_each_entry(wdev, &rdev->wdev_list, list) {
1805                         if (if_idx < if_start) {
1806                                 if_idx++;
1807                                 continue;
1808                         }
1809                         if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).pid,
1810                                                cb->nlh->nlmsg_seq, NLM_F_MULTI,
1811                                                rdev, wdev) < 0) {
1812                                 mutex_unlock(&rdev->devlist_mtx);
1813                                 goto out;
1814                         }
1815                         if_idx++;
1816                 }
1817                 mutex_unlock(&rdev->devlist_mtx);
1818
1819                 wp_idx++;
1820         }
1821  out:
1822         mutex_unlock(&cfg80211_mutex);
1823
1824         cb->args[0] = wp_idx;
1825         cb->args[1] = if_idx;
1826
1827         return skb->len;
1828 }
1829
1830 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
1831 {
1832         struct sk_buff *msg;
1833         struct cfg80211_registered_device *dev = info->user_ptr[0];
1834         struct wireless_dev *wdev = info->user_ptr[1];
1835
1836         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1837         if (!msg)
1838                 return -ENOMEM;
1839
1840         if (nl80211_send_iface(msg, info->snd_pid, info->snd_seq, 0,
1841                                dev, wdev) < 0) {
1842                 nlmsg_free(msg);
1843                 return -ENOBUFS;
1844         }
1845
1846         return genlmsg_reply(msg, info);
1847 }
1848
1849 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
1850         [NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
1851         [NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
1852         [NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
1853         [NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
1854         [NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
1855 };
1856
1857 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
1858 {
1859         struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
1860         int flag;
1861
1862         *mntrflags = 0;
1863
1864         if (!nla)
1865                 return -EINVAL;
1866
1867         if (nla_parse_nested(flags, NL80211_MNTR_FLAG_MAX,
1868                              nla, mntr_flags_policy))
1869                 return -EINVAL;
1870
1871         for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
1872                 if (flags[flag])
1873                         *mntrflags |= (1<<flag);
1874
1875         return 0;
1876 }
1877
1878 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
1879                                struct net_device *netdev, u8 use_4addr,
1880                                enum nl80211_iftype iftype)
1881 {
1882         if (!use_4addr) {
1883                 if (netdev && (netdev->priv_flags & IFF_BRIDGE_PORT))
1884                         return -EBUSY;
1885                 return 0;
1886         }
1887
1888         switch (iftype) {
1889         case NL80211_IFTYPE_AP_VLAN:
1890                 if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
1891                         return 0;
1892                 break;
1893         case NL80211_IFTYPE_STATION:
1894                 if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
1895                         return 0;
1896                 break;
1897         default:
1898                 break;
1899         }
1900
1901         return -EOPNOTSUPP;
1902 }
1903
1904 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
1905 {
1906         struct cfg80211_registered_device *rdev = info->user_ptr[0];
1907         struct vif_params params;
1908         int err;
1909         enum nl80211_iftype otype, ntype;
1910         struct net_device *dev = info->user_ptr[1];
1911         u32 _flags, *flags = NULL;
1912         bool change = false;
1913
1914         memset(&params, 0, sizeof(params));
1915
1916         otype = ntype = dev->ieee80211_ptr->iftype;
1917
1918         if (info->attrs[NL80211_ATTR_IFTYPE]) {
1919                 ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
1920                 if (otype != ntype)
1921                         change = true;
1922                 if (ntype > NL80211_IFTYPE_MAX)
1923                         return -EINVAL;
1924         }
1925
1926         if (info->attrs[NL80211_ATTR_MESH_ID]) {
1927                 struct wireless_dev *wdev = dev->ieee80211_ptr;
1928
1929                 if (ntype != NL80211_IFTYPE_MESH_POINT)
1930                         return -EINVAL;
1931                 if (netif_running(dev))
1932                         return -EBUSY;
1933
1934                 wdev_lock(wdev);
1935                 BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
1936                              IEEE80211_MAX_MESH_ID_LEN);
1937                 wdev->mesh_id_up_len =
1938                         nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
1939                 memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
1940                        wdev->mesh_id_up_len);
1941                 wdev_unlock(wdev);
1942         }
1943
1944         if (info->attrs[NL80211_ATTR_4ADDR]) {
1945                 params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
1946                 change = true;
1947                 err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
1948                 if (err)
1949                         return err;
1950         } else {
1951                 params.use_4addr = -1;
1952         }
1953
1954         if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
1955                 if (ntype != NL80211_IFTYPE_MONITOR)
1956                         return -EINVAL;
1957                 err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
1958                                           &_flags);
1959                 if (err)
1960                         return err;
1961
1962                 flags = &_flags;
1963                 change = true;
1964         }
1965
1966         if (change)
1967                 err = cfg80211_change_iface(rdev, dev, ntype, flags, &params);
1968         else
1969                 err = 0;
1970
1971         if (!err && params.use_4addr != -1)
1972                 dev->ieee80211_ptr->use_4addr = params.use_4addr;
1973
1974         return err;
1975 }
1976
1977 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
1978 {
1979         struct cfg80211_registered_device *rdev = info->user_ptr[0];
1980         struct vif_params params;
1981         struct wireless_dev *wdev;
1982         struct sk_buff *msg;
1983         int err;
1984         enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
1985         u32 flags;
1986
1987         memset(&params, 0, sizeof(params));
1988
1989         if (!info->attrs[NL80211_ATTR_IFNAME])
1990                 return -EINVAL;
1991
1992         if (info->attrs[NL80211_ATTR_IFTYPE]) {
1993                 type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
1994                 if (type > NL80211_IFTYPE_MAX)
1995                         return -EINVAL;
1996         }
1997
1998         if (!rdev->ops->add_virtual_intf ||
1999             !(rdev->wiphy.interface_modes & (1 << type)))
2000                 return -EOPNOTSUPP;
2001
2002         if (info->attrs[NL80211_ATTR_4ADDR]) {
2003                 params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
2004                 err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
2005                 if (err)
2006                         return err;
2007         }
2008
2009         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2010         if (!msg)
2011                 return -ENOMEM;
2012
2013         err = parse_monitor_flags(type == NL80211_IFTYPE_MONITOR ?
2014                                   info->attrs[NL80211_ATTR_MNTR_FLAGS] : NULL,
2015                                   &flags);
2016         wdev = rdev->ops->add_virtual_intf(&rdev->wiphy,
2017                 nla_data(info->attrs[NL80211_ATTR_IFNAME]),
2018                 type, err ? NULL : &flags, &params);
2019         if (IS_ERR(wdev)) {
2020                 nlmsg_free(msg);
2021                 return PTR_ERR(wdev);
2022         }
2023
2024         if (type == NL80211_IFTYPE_MESH_POINT &&
2025             info->attrs[NL80211_ATTR_MESH_ID]) {
2026                 wdev_lock(wdev);
2027                 BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
2028                              IEEE80211_MAX_MESH_ID_LEN);
2029                 wdev->mesh_id_up_len =
2030                         nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
2031                 memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
2032                        wdev->mesh_id_up_len);
2033                 wdev_unlock(wdev);
2034         }
2035
2036         if (nl80211_send_iface(msg, info->snd_pid, info->snd_seq, 0,
2037                                rdev, wdev) < 0) {
2038                 nlmsg_free(msg);
2039                 return -ENOBUFS;
2040         }
2041
2042         return genlmsg_reply(msg, info);
2043 }
2044
2045 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
2046 {
2047         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2048         struct wireless_dev *wdev = info->user_ptr[1];
2049
2050         if (!rdev->ops->del_virtual_intf)
2051                 return -EOPNOTSUPP;
2052
2053         /*
2054          * If we remove a wireless device without a netdev then clear
2055          * user_ptr[1] so that nl80211_post_doit won't dereference it
2056          * to check if it needs to do dev_put(). Otherwise it crashes
2057          * since the wdev has been freed, unlike with a netdev where
2058          * we need the dev_put() for the netdev to really be freed.
2059          */
2060         if (!wdev->netdev)
2061                 info->user_ptr[1] = NULL;
2062
2063         return rdev->ops->del_virtual_intf(&rdev->wiphy, wdev);
2064 }
2065
2066 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
2067 {
2068         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2069         struct net_device *dev = info->user_ptr[1];
2070         u16 noack_map;
2071
2072         if (!info->attrs[NL80211_ATTR_NOACK_MAP])
2073                 return -EINVAL;
2074
2075         if (!rdev->ops->set_noack_map)
2076                 return -EOPNOTSUPP;
2077
2078         noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
2079
2080         return rdev->ops->set_noack_map(&rdev->wiphy, dev, noack_map);
2081 }
2082
2083 struct get_key_cookie {
2084         struct sk_buff *msg;
2085         int error;
2086         int idx;
2087 };
2088
2089 static void get_key_callback(void *c, struct key_params *params)
2090 {
2091         struct nlattr *key;
2092         struct get_key_cookie *cookie = c;
2093
2094         if ((params->key &&
2095              nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
2096                      params->key_len, params->key)) ||
2097             (params->seq &&
2098              nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
2099                      params->seq_len, params->seq)) ||
2100             (params->cipher &&
2101              nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
2102                          params->cipher)))
2103                 goto nla_put_failure;
2104
2105         key = nla_nest_start(cookie->msg, NL80211_ATTR_KEY);
2106         if (!key)
2107                 goto nla_put_failure;
2108
2109         if ((params->key &&
2110              nla_put(cookie->msg, NL80211_KEY_DATA,
2111                      params->key_len, params->key)) ||
2112             (params->seq &&
2113              nla_put(cookie->msg, NL80211_KEY_SEQ,
2114                      params->seq_len, params->seq)) ||
2115             (params->cipher &&
2116              nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
2117                          params->cipher)))
2118                 goto nla_put_failure;
2119
2120         if (nla_put_u8(cookie->msg, NL80211_ATTR_KEY_IDX, cookie->idx))
2121                 goto nla_put_failure;
2122
2123         nla_nest_end(cookie->msg, key);
2124
2125         return;
2126  nla_put_failure:
2127         cookie->error = 1;
2128 }
2129
2130 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
2131 {
2132         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2133         int err;
2134         struct net_device *dev = info->user_ptr[1];
2135         u8 key_idx = 0;
2136         const u8 *mac_addr = NULL;
2137         bool pairwise;
2138         struct get_key_cookie cookie = {
2139                 .error = 0,
2140         };
2141         void *hdr;
2142         struct sk_buff *msg;
2143
2144         if (info->attrs[NL80211_ATTR_KEY_IDX])
2145                 key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
2146
2147         if (key_idx > 5)
2148                 return -EINVAL;
2149
2150         if (info->attrs[NL80211_ATTR_MAC])
2151                 mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
2152
2153         pairwise = !!mac_addr;
2154         if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
2155                 u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
2156                 if (kt >= NUM_NL80211_KEYTYPES)
2157                         return -EINVAL;
2158                 if (kt != NL80211_KEYTYPE_GROUP &&
2159                     kt != NL80211_KEYTYPE_PAIRWISE)
2160                         return -EINVAL;
2161                 pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
2162         }
2163
2164         if (!rdev->ops->get_key)
2165                 return -EOPNOTSUPP;
2166
2167         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2168         if (!msg)
2169                 return -ENOMEM;
2170
2171         hdr = nl80211hdr_put(msg, info->snd_pid, info->snd_seq, 0,
2172                              NL80211_CMD_NEW_KEY);
2173         if (IS_ERR(hdr))
2174                 return PTR_ERR(hdr);
2175
2176         cookie.msg = msg;
2177         cookie.idx = key_idx;
2178
2179         if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
2180             nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
2181                 goto nla_put_failure;
2182         if (mac_addr &&
2183             nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
2184                 goto nla_put_failure;
2185
2186         if (pairwise && mac_addr &&
2187             !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
2188                 return -ENOENT;
2189
2190         err = rdev->ops->get_key(&rdev->wiphy, dev, key_idx, pairwise,
2191                                  mac_addr, &cookie, get_key_callback);
2192
2193         if (err)
2194                 goto free_msg;
2195
2196         if (cookie.error)
2197                 goto nla_put_failure;
2198
2199         genlmsg_end(msg, hdr);
2200         return genlmsg_reply(msg, info);
2201
2202  nla_put_failure:
2203         err = -ENOBUFS;
2204  free_msg:
2205         nlmsg_free(msg);
2206         return err;
2207 }
2208
2209 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
2210 {
2211         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2212         struct key_parse key;
2213         int err;
2214         struct net_device *dev = info->user_ptr[1];
2215
2216         err = nl80211_parse_key(info, &key);
2217         if (err)
2218                 return err;
2219
2220         if (key.idx < 0)
2221                 return -EINVAL;
2222
2223         /* only support setting default key */
2224         if (!key.def && !key.defmgmt)
2225                 return -EINVAL;
2226
2227         wdev_lock(dev->ieee80211_ptr);
2228
2229         if (key.def) {
2230                 if (!rdev->ops->set_default_key) {
2231                         err = -EOPNOTSUPP;
2232                         goto out;
2233                 }
2234
2235                 err = nl80211_key_allowed(dev->ieee80211_ptr);
2236                 if (err)
2237                         goto out;
2238
2239                 err = rdev->ops->set_default_key(&rdev->wiphy, dev, key.idx,
2240                                                  key.def_uni, key.def_multi);
2241
2242                 if (err)
2243                         goto out;
2244
2245 #ifdef CONFIG_CFG80211_WEXT
2246                 dev->ieee80211_ptr->wext.default_key = key.idx;
2247 #endif
2248         } else {
2249                 if (key.def_uni || !key.def_multi) {
2250                         err = -EINVAL;
2251                         goto out;
2252                 }
2253
2254                 if (!rdev->ops->set_default_mgmt_key) {
2255                         err = -EOPNOTSUPP;
2256                         goto out;
2257                 }
2258
2259                 err = nl80211_key_allowed(dev->ieee80211_ptr);
2260                 if (err)
2261                         goto out;
2262
2263                 err = rdev->ops->set_default_mgmt_key(&rdev->wiphy,
2264                                                       dev, key.idx);
2265                 if (err)
2266                         goto out;
2267
2268 #ifdef CONFIG_CFG80211_WEXT
2269                 dev->ieee80211_ptr->wext.default_mgmt_key = key.idx;
2270 #endif
2271         }
2272
2273  out:
2274         wdev_unlock(dev->ieee80211_ptr);
2275
2276         return err;
2277 }
2278
2279 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
2280 {
2281         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2282         int err;
2283         struct net_device *dev = info->user_ptr[1];
2284         struct key_parse key;
2285         const u8 *mac_addr = NULL;
2286
2287         err = nl80211_parse_key(info, &key);
2288         if (err)
2289                 return err;
2290
2291         if (!key.p.key)
2292                 return -EINVAL;
2293
2294         if (info->attrs[NL80211_ATTR_MAC])
2295                 mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
2296
2297         if (key.type == -1) {
2298                 if (mac_addr)
2299                         key.type = NL80211_KEYTYPE_PAIRWISE;
2300                 else
2301                         key.type = NL80211_KEYTYPE_GROUP;
2302         }
2303
2304         /* for now */
2305         if (key.type != NL80211_KEYTYPE_PAIRWISE &&
2306             key.type != NL80211_KEYTYPE_GROUP)
2307                 return -EINVAL;
2308
2309         if (!rdev->ops->add_key)
2310                 return -EOPNOTSUPP;
2311
2312         if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
2313                                            key.type == NL80211_KEYTYPE_PAIRWISE,
2314                                            mac_addr))
2315                 return -EINVAL;
2316
2317         wdev_lock(dev->ieee80211_ptr);
2318         err = nl80211_key_allowed(dev->ieee80211_ptr);
2319         if (!err)
2320                 err = rdev->ops->add_key(&rdev->wiphy, dev, key.idx,
2321                                          key.type == NL80211_KEYTYPE_PAIRWISE,
2322                                          mac_addr, &key.p);
2323         wdev_unlock(dev->ieee80211_ptr);
2324
2325         return err;
2326 }
2327
2328 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
2329 {
2330         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2331         int err;
2332         struct net_device *dev = info->user_ptr[1];
2333         u8 *mac_addr = NULL;
2334         struct key_parse key;
2335
2336         err = nl80211_parse_key(info, &key);
2337         if (err)
2338                 return err;
2339
2340         if (info->attrs[NL80211_ATTR_MAC])
2341                 mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
2342
2343         if (key.type == -1) {
2344                 if (mac_addr)
2345                         key.type = NL80211_KEYTYPE_PAIRWISE;
2346                 else
2347                         key.type = NL80211_KEYTYPE_GROUP;
2348         }
2349
2350         /* for now */
2351         if (key.type != NL80211_KEYTYPE_PAIRWISE &&
2352             key.type != NL80211_KEYTYPE_GROUP)
2353                 return -EINVAL;
2354
2355         if (!rdev->ops->del_key)
2356                 return -EOPNOTSUPP;
2357
2358         wdev_lock(dev->ieee80211_ptr);
2359         err = nl80211_key_allowed(dev->ieee80211_ptr);
2360
2361         if (key.type == NL80211_KEYTYPE_PAIRWISE && mac_addr &&
2362             !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
2363                 err = -ENOENT;
2364
2365         if (!err)
2366                 err = rdev->ops->del_key(&rdev->wiphy, dev, key.idx,
2367                                          key.type == NL80211_KEYTYPE_PAIRWISE,
2368                                          mac_addr);
2369
2370 #ifdef CONFIG_CFG80211_WEXT
2371         if (!err) {
2372                 if (key.idx == dev->ieee80211_ptr->wext.default_key)
2373                         dev->ieee80211_ptr->wext.default_key = -1;
2374                 else if (key.idx == dev->ieee80211_ptr->wext.default_mgmt_key)
2375                         dev->ieee80211_ptr->wext.default_mgmt_key = -1;
2376         }
2377 #endif
2378         wdev_unlock(dev->ieee80211_ptr);
2379
2380         return err;
2381 }
2382
2383 static int nl80211_parse_beacon(struct genl_info *info,
2384                                 struct cfg80211_beacon_data *bcn)
2385 {
2386         bool haveinfo = false;
2387
2388         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_BEACON_TAIL]) ||
2389             !is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]) ||
2390             !is_valid_ie_attr(info->attrs[NL80211_ATTR_IE_PROBE_RESP]) ||
2391             !is_valid_ie_attr(info->attrs[NL80211_ATTR_IE_ASSOC_RESP]))
2392                 return -EINVAL;
2393
2394         memset(bcn, 0, sizeof(*bcn));
2395
2396         if (info->attrs[NL80211_ATTR_BEACON_HEAD]) {
2397                 bcn->head = nla_data(info->attrs[NL80211_ATTR_BEACON_HEAD]);
2398                 bcn->head_len = nla_len(info->attrs[NL80211_ATTR_BEACON_HEAD]);
2399                 if (!bcn->head_len)
2400                         return -EINVAL;
2401                 haveinfo = true;
2402         }
2403
2404         if (info->attrs[NL80211_ATTR_BEACON_TAIL]) {
2405                 bcn->tail = nla_data(info->attrs[NL80211_ATTR_BEACON_TAIL]);
2406                 bcn->tail_len =
2407                     nla_len(info->attrs[NL80211_ATTR_BEACON_TAIL]);
2408                 haveinfo = true;
2409         }
2410
2411         if (!haveinfo)
2412                 return -EINVAL;
2413
2414         if (info->attrs[NL80211_ATTR_IE]) {
2415                 bcn->beacon_ies = nla_data(info->attrs[NL80211_ATTR_IE]);
2416                 bcn->beacon_ies_len = nla_len(info->attrs[NL80211_ATTR_IE]);
2417         }
2418
2419         if (info->attrs[NL80211_ATTR_IE_PROBE_RESP]) {
2420                 bcn->proberesp_ies =
2421                         nla_data(info->attrs[NL80211_ATTR_IE_PROBE_RESP]);
2422                 bcn->proberesp_ies_len =
2423                         nla_len(info->attrs[NL80211_ATTR_IE_PROBE_RESP]);
2424         }
2425
2426         if (info->attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
2427                 bcn->assocresp_ies =
2428                         nla_data(info->attrs[NL80211_ATTR_IE_ASSOC_RESP]);
2429                 bcn->assocresp_ies_len =
2430                         nla_len(info->attrs[NL80211_ATTR_IE_ASSOC_RESP]);
2431         }
2432
2433         if (info->attrs[NL80211_ATTR_PROBE_RESP]) {
2434                 bcn->probe_resp =
2435                         nla_data(info->attrs[NL80211_ATTR_PROBE_RESP]);
2436                 bcn->probe_resp_len =
2437                         nla_len(info->attrs[NL80211_ATTR_PROBE_RESP]);
2438         }
2439
2440         return 0;
2441 }
2442
2443 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
2444                                    struct cfg80211_ap_settings *params)
2445 {
2446         struct wireless_dev *wdev;
2447         bool ret = false;
2448
2449         mutex_lock(&rdev->devlist_mtx);
2450
2451         list_for_each_entry(wdev, &rdev->wdev_list, list) {
2452                 if (wdev->iftype != NL80211_IFTYPE_AP &&
2453                     wdev->iftype != NL80211_IFTYPE_P2P_GO)
2454                         continue;
2455
2456                 if (!wdev->preset_chan)
2457                         continue;
2458
2459                 params->channel = wdev->preset_chan;
2460                 params->channel_type = wdev->preset_chantype;
2461                 ret = true;
2462                 break;
2463         }
2464
2465         mutex_unlock(&rdev->devlist_mtx);
2466
2467         return ret;
2468 }
2469
2470 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
2471 {
2472         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2473         struct net_device *dev = info->user_ptr[1];
2474         struct wireless_dev *wdev = dev->ieee80211_ptr;
2475         struct cfg80211_ap_settings params;
2476         int err;
2477
2478         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
2479             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
2480                 return -EOPNOTSUPP;
2481
2482         if (!rdev->ops->start_ap)
2483                 return -EOPNOTSUPP;
2484
2485         if (wdev->beacon_interval)
2486                 return -EALREADY;
2487
2488         memset(&params, 0, sizeof(params));
2489
2490         /* these are required for START_AP */
2491         if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
2492             !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
2493             !info->attrs[NL80211_ATTR_BEACON_HEAD])
2494                 return -EINVAL;
2495
2496         err = nl80211_parse_beacon(info, &params.beacon);
2497         if (err)
2498                 return err;
2499
2500         params.beacon_interval =
2501                 nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
2502         params.dtim_period =
2503                 nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
2504
2505         err = cfg80211_validate_beacon_int(rdev, params.beacon_interval);
2506         if (err)
2507                 return err;
2508
2509         /*
2510          * In theory, some of these attributes should be required here
2511          * but since they were not used when the command was originally
2512          * added, keep them optional for old user space programs to let
2513          * them continue to work with drivers that do not need the
2514          * additional information -- drivers must check!
2515          */
2516         if (info->attrs[NL80211_ATTR_SSID]) {
2517                 params.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
2518                 params.ssid_len =
2519                         nla_len(info->attrs[NL80211_ATTR_SSID]);
2520                 if (params.ssid_len == 0 ||
2521                     params.ssid_len > IEEE80211_MAX_SSID_LEN)
2522                         return -EINVAL;
2523         }
2524
2525         if (info->attrs[NL80211_ATTR_HIDDEN_SSID]) {
2526                 params.hidden_ssid = nla_get_u32(
2527                         info->attrs[NL80211_ATTR_HIDDEN_SSID]);
2528                 if (params.hidden_ssid != NL80211_HIDDEN_SSID_NOT_IN_USE &&
2529                     params.hidden_ssid != NL80211_HIDDEN_SSID_ZERO_LEN &&
2530                     params.hidden_ssid != NL80211_HIDDEN_SSID_ZERO_CONTENTS)
2531                         return -EINVAL;
2532         }
2533
2534         params.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
2535
2536         if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
2537                 params.auth_type = nla_get_u32(
2538                         info->attrs[NL80211_ATTR_AUTH_TYPE]);
2539                 if (!nl80211_valid_auth_type(params.auth_type))
2540                         return -EINVAL;
2541         } else
2542                 params.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
2543
2544         err = nl80211_crypto_settings(rdev, info, &params.crypto,
2545                                       NL80211_MAX_NR_CIPHER_SUITES);
2546         if (err)
2547                 return err;
2548
2549         if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
2550                 if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER))
2551                         return -EOPNOTSUPP;
2552                 params.inactivity_timeout = nla_get_u16(
2553                         info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
2554         }
2555
2556         if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
2557                 enum nl80211_channel_type channel_type = NL80211_CHAN_NO_HT;
2558
2559                 if (info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE] &&
2560                     !nl80211_valid_channel_type(info, &channel_type))
2561                         return -EINVAL;
2562
2563                 params.channel = rdev_freq_to_chan(rdev,
2564                         nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]),
2565                         channel_type);
2566                 if (!params.channel)
2567                         return -EINVAL;
2568                 params.channel_type = channel_type;
2569         } else if (wdev->preset_chan) {
2570                 params.channel = wdev->preset_chan;
2571                 params.channel_type = wdev->preset_chantype;
2572         } else if (!nl80211_get_ap_channel(rdev, &params))
2573                 return -EINVAL;
2574
2575         if (!cfg80211_can_beacon_sec_chan(&rdev->wiphy, params.channel,
2576                                           params.channel_type))
2577                 return -EINVAL;
2578
2579         mutex_lock(&rdev->devlist_mtx);
2580         err = cfg80211_can_use_chan(rdev, wdev, params.channel,
2581                                     CHAN_MODE_SHARED);
2582         mutex_unlock(&rdev->devlist_mtx);
2583
2584         if (err)
2585                 return err;
2586
2587         err = rdev->ops->start_ap(&rdev->wiphy, dev, &params);
2588         if (!err) {
2589                 wdev->preset_chan = params.channel;
2590                 wdev->preset_chantype = params.channel_type;
2591                 wdev->beacon_interval = params.beacon_interval;
2592                 wdev->channel = params.channel;
2593         }
2594         return err;
2595 }
2596
2597 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
2598 {
2599         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2600         struct net_device *dev = info->user_ptr[1];
2601         struct wireless_dev *wdev = dev->ieee80211_ptr;
2602         struct cfg80211_beacon_data params;
2603         int err;
2604
2605         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
2606             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
2607                 return -EOPNOTSUPP;
2608
2609         if (!rdev->ops->change_beacon)
2610                 return -EOPNOTSUPP;
2611
2612         if (!wdev->beacon_interval)
2613                 return -EINVAL;
2614
2615         err = nl80211_parse_beacon(info, &params);
2616         if (err)
2617                 return err;
2618
2619         return rdev->ops->change_beacon(&rdev->wiphy, dev, &params);
2620 }
2621
2622 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
2623 {
2624         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2625         struct net_device *dev = info->user_ptr[1];
2626
2627         return cfg80211_stop_ap(rdev, dev);
2628 }
2629
2630 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
2631         [NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
2632         [NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
2633         [NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
2634         [NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
2635         [NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
2636         [NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
2637 };
2638
2639 static int parse_station_flags(struct genl_info *info,
2640                                enum nl80211_iftype iftype,
2641                                struct station_parameters *params)
2642 {
2643         struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
2644         struct nlattr *nla;
2645         int flag;
2646
2647         /*
2648          * Try parsing the new attribute first so userspace
2649          * can specify both for older kernels.
2650          */
2651         nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
2652         if (nla) {
2653                 struct nl80211_sta_flag_update *sta_flags;
2654
2655                 sta_flags = nla_data(nla);
2656                 params->sta_flags_mask = sta_flags->mask;
2657                 params->sta_flags_set = sta_flags->set;
2658                 if ((params->sta_flags_mask |
2659                      params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
2660                         return -EINVAL;
2661                 return 0;
2662         }
2663
2664         /* if present, parse the old attribute */
2665
2666         nla = info->attrs[NL80211_ATTR_STA_FLAGS];
2667         if (!nla)
2668                 return 0;
2669
2670         if (nla_parse_nested(flags, NL80211_STA_FLAG_MAX,
2671                              nla, sta_flags_policy))
2672                 return -EINVAL;
2673
2674         /*
2675          * Only allow certain flags for interface types so that
2676          * other attributes are silently ignored. Remember that
2677          * this is backward compatibility code with old userspace
2678          * and shouldn't be hit in other cases anyway.
2679          */
2680         switch (iftype) {
2681         case NL80211_IFTYPE_AP:
2682         case NL80211_IFTYPE_AP_VLAN:
2683         case NL80211_IFTYPE_P2P_GO:
2684                 params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
2685                                          BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
2686                                          BIT(NL80211_STA_FLAG_WME) |
2687                                          BIT(NL80211_STA_FLAG_MFP);
2688                 break;
2689         case NL80211_IFTYPE_P2P_CLIENT:
2690         case NL80211_IFTYPE_STATION:
2691                 params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
2692                                          BIT(NL80211_STA_FLAG_TDLS_PEER);
2693                 break;
2694         case NL80211_IFTYPE_MESH_POINT:
2695                 params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
2696                                          BIT(NL80211_STA_FLAG_MFP) |
2697                                          BIT(NL80211_STA_FLAG_AUTHORIZED);
2698         default:
2699                 return -EINVAL;
2700         }
2701
2702         for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
2703                 if (flags[flag]) {
2704                         params->sta_flags_set |= (1<<flag);
2705
2706                         /* no longer support new API additions in old API */
2707                         if (flag > NL80211_STA_FLAG_MAX_OLD_API)
2708                                 return -EINVAL;
2709                 }
2710         }
2711
2712         return 0;
2713 }
2714
2715 static bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info,
2716                                  int attr)
2717 {
2718         struct nlattr *rate;
2719         u32 bitrate;
2720         u16 bitrate_compat;
2721
2722         rate = nla_nest_start(msg, attr);
2723         if (!rate)
2724                 goto nla_put_failure;
2725
2726         /* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
2727         bitrate = cfg80211_calculate_bitrate(info);
2728         /* report 16-bit bitrate only if we can */
2729         bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
2730         if ((bitrate > 0 &&
2731              nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate)) ||
2732             (bitrate_compat > 0 &&
2733              nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat)) ||
2734             ((info->flags & RATE_INFO_FLAGS_MCS) &&
2735              nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs)) ||
2736             ((info->flags & RATE_INFO_FLAGS_40_MHZ_WIDTH) &&
2737              nla_put_flag(msg, NL80211_RATE_INFO_40_MHZ_WIDTH)) ||
2738             ((info->flags & RATE_INFO_FLAGS_SHORT_GI) &&
2739              nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI)))
2740                 goto nla_put_failure;
2741
2742         nla_nest_end(msg, rate);
2743         return true;
2744
2745 nla_put_failure:
2746         return false;
2747 }
2748
2749 static int nl80211_send_station(struct sk_buff *msg, u32 pid, u32 seq,
2750                                 int flags,
2751                                 struct cfg80211_registered_device *rdev,
2752                                 struct net_device *dev,
2753                                 const u8 *mac_addr, struct station_info *sinfo)
2754 {
2755         void *hdr;
2756         struct nlattr *sinfoattr, *bss_param;
2757
2758         hdr = nl80211hdr_put(msg, pid, seq, flags, NL80211_CMD_NEW_STATION);
2759         if (!hdr)
2760                 return -1;
2761
2762         if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
2763             nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
2764             nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
2765                 goto nla_put_failure;
2766
2767         sinfoattr = nla_nest_start(msg, NL80211_ATTR_STA_INFO);
2768         if (!sinfoattr)
2769                 goto nla_put_failure;
2770         if ((sinfo->filled & STATION_INFO_CONNECTED_TIME) &&
2771             nla_put_u32(msg, NL80211_STA_INFO_CONNECTED_TIME,
2772                         sinfo->connected_time))
2773                 goto nla_put_failure;
2774         if ((sinfo->filled & STATION_INFO_INACTIVE_TIME) &&
2775             nla_put_u32(msg, NL80211_STA_INFO_INACTIVE_TIME,
2776                         sinfo->inactive_time))
2777                 goto nla_put_failure;
2778         if ((sinfo->filled & STATION_INFO_RX_BYTES) &&
2779             nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
2780                         sinfo->rx_bytes))
2781                 goto nla_put_failure;
2782         if ((sinfo->filled & STATION_INFO_TX_BYTES) &&
2783             nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
2784                         sinfo->tx_bytes))
2785                 goto nla_put_failure;
2786         if ((sinfo->filled & STATION_INFO_LLID) &&
2787             nla_put_u16(msg, NL80211_STA_INFO_LLID, sinfo->llid))
2788                 goto nla_put_failure;
2789         if ((sinfo->filled & STATION_INFO_PLID) &&
2790             nla_put_u16(msg, NL80211_STA_INFO_PLID, sinfo->plid))
2791                 goto nla_put_failure;
2792         if ((sinfo->filled & STATION_INFO_PLINK_STATE) &&
2793             nla_put_u8(msg, NL80211_STA_INFO_PLINK_STATE,
2794                        sinfo->plink_state))
2795                 goto nla_put_failure;
2796         switch (rdev->wiphy.signal_type) {
2797         case CFG80211_SIGNAL_TYPE_MBM:
2798                 if ((sinfo->filled & STATION_INFO_SIGNAL) &&
2799                     nla_put_u8(msg, NL80211_STA_INFO_SIGNAL,
2800                                sinfo->signal))
2801                         goto nla_put_failure;
2802                 if ((sinfo->filled & STATION_INFO_SIGNAL_AVG) &&
2803                     nla_put_u8(msg, NL80211_STA_INFO_SIGNAL_AVG,
2804                                sinfo->signal_avg))
2805                         goto nla_put_failure;
2806                 break;
2807         default:
2808                 break;
2809         }
2810         if (sinfo->filled & STATION_INFO_TX_BITRATE) {
2811                 if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
2812                                           NL80211_STA_INFO_TX_BITRATE))
2813                         goto nla_put_failure;
2814         }
2815         if (sinfo->filled & STATION_INFO_RX_BITRATE) {
2816                 if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
2817                                           NL80211_STA_INFO_RX_BITRATE))
2818                         goto nla_put_failure;
2819         }
2820         if ((sinfo->filled & STATION_INFO_RX_PACKETS) &&
2821             nla_put_u32(msg, NL80211_STA_INFO_RX_PACKETS,
2822                         sinfo->rx_packets))
2823                 goto nla_put_failure;
2824         if ((sinfo->filled & STATION_INFO_TX_PACKETS) &&
2825             nla_put_u32(msg, NL80211_STA_INFO_TX_PACKETS,
2826                         sinfo->tx_packets))
2827                 goto nla_put_failure;
2828         if ((sinfo->filled & STATION_INFO_TX_RETRIES) &&
2829             nla_put_u32(msg, NL80211_STA_INFO_TX_RETRIES,
2830                         sinfo->tx_retries))
2831                 goto nla_put_failure;
2832         if ((sinfo->filled & STATION_INFO_TX_FAILED) &&
2833             nla_put_u32(msg, NL80211_STA_INFO_TX_FAILED,
2834                         sinfo->tx_failed))
2835                 goto nla_put_failure;
2836         if ((sinfo->filled & STATION_INFO_BEACON_LOSS_COUNT) &&
2837             nla_put_u32(msg, NL80211_STA_INFO_BEACON_LOSS,
2838                         sinfo->beacon_loss_count))
2839                 goto nla_put_failure;
2840         if (sinfo->filled & STATION_INFO_BSS_PARAM) {
2841                 bss_param = nla_nest_start(msg, NL80211_STA_INFO_BSS_PARAM);
2842                 if (!bss_param)
2843                         goto nla_put_failure;
2844
2845                 if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
2846                      nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
2847                     ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
2848                      nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
2849                     ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
2850                      nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
2851                     nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
2852                                sinfo->bss_param.dtim_period) ||
2853                     nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
2854                                 sinfo->bss_param.beacon_interval))
2855                         goto nla_put_failure;
2856
2857                 nla_nest_end(msg, bss_param);
2858         }
2859         if ((sinfo->filled & STATION_INFO_STA_FLAGS) &&
2860             nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
2861                     sizeof(struct nl80211_sta_flag_update),
2862                     &sinfo->sta_flags))
2863                 goto nla_put_failure;
2864         if ((sinfo->filled & STATION_INFO_T_OFFSET) &&
2865                 nla_put_u64(msg, NL80211_STA_INFO_T_OFFSET,
2866                             sinfo->t_offset))
2867                 goto nla_put_failure;
2868         nla_nest_end(msg, sinfoattr);
2869
2870         if ((sinfo->filled & STATION_INFO_ASSOC_REQ_IES) &&
2871             nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
2872                     sinfo->assoc_req_ies))
2873                 goto nla_put_failure;
2874
2875         return genlmsg_end(msg, hdr);
2876
2877  nla_put_failure:
2878         genlmsg_cancel(msg, hdr);
2879         return -EMSGSIZE;
2880 }
2881
2882 static int nl80211_dump_station(struct sk_buff *skb,
2883                                 struct netlink_callback *cb)
2884 {
2885         struct station_info sinfo;
2886         struct cfg80211_registered_device *dev;
2887         struct net_device *netdev;
2888         u8 mac_addr[ETH_ALEN];
2889         int sta_idx = cb->args[1];
2890         int err;
2891
2892         err = nl80211_prepare_netdev_dump(skb, cb, &dev, &netdev);
2893         if (err)
2894                 return err;
2895
2896         if (!dev->ops->dump_station) {
2897                 err = -EOPNOTSUPP;
2898                 goto out_err;
2899         }
2900
2901         while (1) {
2902                 memset(&sinfo, 0, sizeof(sinfo));
2903                 err = dev->ops->dump_station(&dev->wiphy, netdev, sta_idx,
2904                                              mac_addr, &sinfo);
2905                 if (err == -ENOENT)
2906                         break;
2907                 if (err)
2908                         goto out_err;
2909
2910                 if (nl80211_send_station(skb,
2911                                 NETLINK_CB(cb->skb).pid,
2912                                 cb->nlh->nlmsg_seq, NLM_F_MULTI,
2913                                 dev, netdev, mac_addr,
2914                                 &sinfo) < 0)
2915                         goto out;
2916
2917                 sta_idx++;
2918         }
2919
2920
2921  out:
2922         cb->args[1] = sta_idx;
2923         err = skb->len;
2924  out_err:
2925         nl80211_finish_netdev_dump(dev);
2926
2927         return err;
2928 }
2929
2930 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
2931 {
2932         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2933         struct net_device *dev = info->user_ptr[1];
2934         struct station_info sinfo;
2935         struct sk_buff *msg;
2936         u8 *mac_addr = NULL;
2937         int err;
2938
2939         memset(&sinfo, 0, sizeof(sinfo));
2940
2941         if (!info->attrs[NL80211_ATTR_MAC])
2942                 return -EINVAL;
2943
2944         mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
2945
2946         if (!rdev->ops->get_station)
2947                 return -EOPNOTSUPP;
2948
2949         err = rdev->ops->get_station(&rdev->wiphy, dev, mac_addr, &sinfo);
2950         if (err)
2951                 return err;
2952
2953         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2954         if (!msg)
2955                 return -ENOMEM;
2956
2957         if (nl80211_send_station(msg, info->snd_pid, info->snd_seq, 0,
2958                                  rdev, dev, mac_addr, &sinfo) < 0) {
2959                 nlmsg_free(msg);
2960                 return -ENOBUFS;
2961         }
2962
2963         return genlmsg_reply(msg, info);
2964 }
2965
2966 /*
2967  * Get vlan interface making sure it is running and on the right wiphy.
2968  */
2969 static struct net_device *get_vlan(struct genl_info *info,
2970                                    struct cfg80211_registered_device *rdev)
2971 {
2972         struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
2973         struct net_device *v;
2974         int ret;
2975
2976         if (!vlanattr)
2977                 return NULL;
2978
2979         v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
2980         if (!v)
2981                 return ERR_PTR(-ENODEV);
2982
2983         if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
2984                 ret = -EINVAL;
2985                 goto error;
2986         }
2987
2988         if (!netif_running(v)) {
2989                 ret = -ENETDOWN;
2990                 goto error;
2991         }
2992
2993         return v;
2994  error:
2995         dev_put(v);
2996         return ERR_PTR(ret);
2997 }
2998
2999 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
3000 {
3001         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3002         int err;
3003         struct net_device *dev = info->user_ptr[1];
3004         struct station_parameters params;
3005         u8 *mac_addr = NULL;
3006
3007         memset(&params, 0, sizeof(params));
3008
3009         params.listen_interval = -1;
3010         params.plink_state = -1;
3011
3012         if (info->attrs[NL80211_ATTR_STA_AID])
3013                 return -EINVAL;
3014
3015         if (!info->attrs[NL80211_ATTR_MAC])
3016                 return -EINVAL;
3017
3018         mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3019
3020         if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
3021                 params.supported_rates =
3022                         nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
3023                 params.supported_rates_len =
3024                         nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
3025         }
3026
3027         if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
3028                 params.listen_interval =
3029                     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
3030
3031         if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
3032                 params.ht_capa =
3033                         nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
3034
3035         if (!rdev->ops->change_station)
3036                 return -EOPNOTSUPP;
3037
3038         if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
3039                 return -EINVAL;
3040
3041         if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
3042                 params.plink_action =
3043                     nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
3044
3045         if (info->attrs[NL80211_ATTR_STA_PLINK_STATE])
3046                 params.plink_state =
3047                     nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
3048
3049         switch (dev->ieee80211_ptr->iftype) {
3050         case NL80211_IFTYPE_AP:
3051         case NL80211_IFTYPE_AP_VLAN:
3052         case NL80211_IFTYPE_P2P_GO:
3053                 /* disallow mesh-specific things */
3054                 if (params.plink_action)
3055                         return -EINVAL;
3056
3057                 /* TDLS can't be set, ... */
3058                 if (params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
3059                         return -EINVAL;
3060                 /*
3061                  * ... but don't bother the driver with it. This works around
3062                  * a hostapd/wpa_supplicant issue -- it always includes the
3063                  * TLDS_PEER flag in the mask even for AP mode.
3064                  */
3065                 params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
3066
3067                 /* accept only the listed bits */
3068                 if (params.sta_flags_mask &
3069                                 ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
3070                                   BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
3071                                   BIT(NL80211_STA_FLAG_WME) |
3072                                   BIT(NL80211_STA_FLAG_MFP)))
3073                         return -EINVAL;
3074
3075                 /* must be last in here for error handling */
3076                 params.vlan = get_vlan(info, rdev);
3077                 if (IS_ERR(params.vlan))
3078                         return PTR_ERR(params.vlan);
3079                 break;
3080         case NL80211_IFTYPE_P2P_CLIENT:
3081         case NL80211_IFTYPE_STATION:
3082                 /*
3083                  * Don't allow userspace to change the TDLS_PEER flag,
3084                  * but silently ignore attempts to change it since we
3085                  * don't have state here to verify that it doesn't try
3086                  * to change the flag.
3087                  */
3088                 params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
3089                 /* fall through */
3090         case NL80211_IFTYPE_ADHOC:
3091                 /* disallow things sta doesn't support */
3092                 if (params.plink_action)
3093                         return -EINVAL;
3094                 if (params.ht_capa)
3095                         return -EINVAL;
3096                 if (params.listen_interval >= 0)
3097                         return -EINVAL;
3098                 /* reject any changes other than AUTHORIZED */
3099                 if (params.sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
3100                         return -EINVAL;
3101                 break;
3102         case NL80211_IFTYPE_MESH_POINT:
3103                 /* disallow things mesh doesn't support */
3104                 if (params.vlan)
3105                         return -EINVAL;
3106                 if (params.ht_capa)
3107                         return -EINVAL;
3108                 if (params.listen_interval >= 0)
3109                         return -EINVAL;
3110                 /*
3111                  * No special handling for TDLS here -- the userspace
3112                  * mesh code doesn't have this bug.
3113                  */
3114                 if (params.sta_flags_mask &
3115                                 ~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
3116                                   BIT(NL80211_STA_FLAG_MFP) |
3117                                   BIT(NL80211_STA_FLAG_AUTHORIZED)))
3118                         return -EINVAL;
3119                 break;
3120         default:
3121                 return -EOPNOTSUPP;
3122         }
3123
3124         /* be aware of params.vlan when changing code here */
3125
3126         err = rdev->ops->change_station(&rdev->wiphy, dev, mac_addr, &params);
3127
3128         if (params.vlan)
3129                 dev_put(params.vlan);
3130
3131         return err;
3132 }
3133
3134 static struct nla_policy
3135 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] __read_mostly = {
3136         [NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
3137         [NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
3138 };
3139
3140 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
3141 {
3142         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3143         int err;
3144         struct net_device *dev = info->user_ptr[1];
3145         struct station_parameters params;
3146         u8 *mac_addr = NULL;
3147
3148         memset(&params, 0, sizeof(params));
3149
3150         if (!info->attrs[NL80211_ATTR_MAC])
3151                 return -EINVAL;
3152
3153         if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
3154                 return -EINVAL;
3155
3156         if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
3157                 return -EINVAL;
3158
3159         if (!info->attrs[NL80211_ATTR_STA_AID])
3160                 return -EINVAL;
3161
3162         mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3163         params.supported_rates =
3164                 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
3165         params.supported_rates_len =
3166                 nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
3167         params.listen_interval =
3168                 nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
3169
3170         params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
3171         if (!params.aid || params.aid > IEEE80211_MAX_AID)
3172                 return -EINVAL;
3173
3174         if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
3175                 params.ht_capa =
3176                         nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
3177
3178         if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
3179                 params.plink_action =
3180                     nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
3181
3182         if (!rdev->ops->add_station)
3183                 return -EOPNOTSUPP;
3184
3185         if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
3186                 return -EINVAL;
3187
3188         switch (dev->ieee80211_ptr->iftype) {
3189         case NL80211_IFTYPE_AP:
3190         case NL80211_IFTYPE_AP_VLAN:
3191         case NL80211_IFTYPE_P2P_GO:
3192                 /* parse WME attributes if sta is WME capable */
3193                 if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
3194                     (params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)) &&
3195                     info->attrs[NL80211_ATTR_STA_WME]) {
3196                         struct nlattr *tb[NL80211_STA_WME_MAX + 1];
3197                         struct nlattr *nla;
3198
3199                         nla = info->attrs[NL80211_ATTR_STA_WME];
3200                         err = nla_parse_nested(tb, NL80211_STA_WME_MAX, nla,
3201                                                nl80211_sta_wme_policy);
3202                         if (err)
3203                                 return err;
3204
3205                         if (tb[NL80211_STA_WME_UAPSD_QUEUES])
3206                                 params.uapsd_queues =
3207                                      nla_get_u8(tb[NL80211_STA_WME_UAPSD_QUEUES]);
3208                         if (params.uapsd_queues &
3209                                         ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
3210                                 return -EINVAL;
3211
3212                         if (tb[NL80211_STA_WME_MAX_SP])
3213                                 params.max_sp =
3214                                      nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
3215
3216                         if (params.max_sp &
3217                                         ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
3218                                 return -EINVAL;
3219
3220                         params.sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
3221                 }
3222                 /* TDLS peers cannot be added */
3223                 if (params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
3224                         return -EINVAL;
3225                 /* but don't bother the driver with it */
3226                 params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
3227
3228                 /* must be last in here for error handling */
3229                 params.vlan = get_vlan(info, rdev);
3230                 if (IS_ERR(params.vlan))
3231                         return PTR_ERR(params.vlan);
3232                 break;
3233         case NL80211_IFTYPE_MESH_POINT:
3234                 /* TDLS peers cannot be added */
3235                 if (params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
3236                         return -EINVAL;
3237                 break;
3238         case NL80211_IFTYPE_STATION:
3239                 /* Only TDLS peers can be added */
3240                 if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
3241                         return -EINVAL;
3242                 /* Can only add if TDLS ... */
3243                 if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
3244                         return -EOPNOTSUPP;
3245                 /* ... with external setup is supported */
3246                 if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
3247                         return -EOPNOTSUPP;
3248                 break;
3249         default:
3250                 return -EOPNOTSUPP;
3251         }
3252
3253         /* be aware of params.vlan when changing code here */
3254
3255         err = rdev->ops->add_station(&rdev->wiphy, dev, mac_addr, &params);
3256
3257         if (params.vlan)
3258                 dev_put(params.vlan);
3259         return err;
3260 }
3261
3262 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
3263 {
3264         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3265         struct net_device *dev = info->user_ptr[1];
3266         u8 *mac_addr = NULL;
3267
3268         if (info->attrs[NL80211_ATTR_MAC])
3269                 mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3270
3271         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3272             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
3273             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
3274             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3275                 return -EINVAL;
3276
3277         if (!rdev->ops->del_station)
3278                 return -EOPNOTSUPP;
3279
3280         return rdev->ops->del_station(&rdev->wiphy, dev, mac_addr);
3281 }
3282
3283 static int nl80211_send_mpath(struct sk_buff *msg, u32 pid, u32 seq,
3284                                 int flags, struct net_device *dev,
3285                                 u8 *dst, u8 *next_hop,
3286                                 struct mpath_info *pinfo)
3287 {
3288         void *hdr;
3289         struct nlattr *pinfoattr;
3290
3291         hdr = nl80211hdr_put(msg, pid, seq, flags, NL80211_CMD_NEW_STATION);
3292         if (!hdr)
3293                 return -1;
3294
3295         if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3296             nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
3297             nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
3298             nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
3299                 goto nla_put_failure;
3300
3301         pinfoattr = nla_nest_start(msg, NL80211_ATTR_MPATH_INFO);
3302         if (!pinfoattr)
3303                 goto nla_put_failure;
3304         if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
3305             nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
3306                         pinfo->frame_qlen))
3307                 goto nla_put_failure;
3308         if (((pinfo->filled & MPATH_INFO_SN) &&
3309              nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
3310             ((pinfo->filled & MPATH_INFO_METRIC) &&
3311              nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
3312                          pinfo->metric)) ||
3313             ((pinfo->filled & MPATH_INFO_EXPTIME) &&
3314              nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
3315                          pinfo->exptime)) ||
3316             ((pinfo->filled & MPATH_INFO_FLAGS) &&
3317              nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
3318                         pinfo->flags)) ||
3319             ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
3320              nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
3321                          pinfo->discovery_timeout)) ||
3322             ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
3323              nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
3324                         pinfo->discovery_retries)))
3325                 goto nla_put_failure;
3326
3327         nla_nest_end(msg, pinfoattr);
3328
3329         return genlmsg_end(msg, hdr);
3330
3331  nla_put_failure:
3332         genlmsg_cancel(msg, hdr);
3333         return -EMSGSIZE;
3334 }
3335
3336 static int nl80211_dump_mpath(struct sk_buff *skb,
3337                               struct netlink_callback *cb)
3338 {
3339         struct mpath_info pinfo;
3340         struct cfg80211_registered_device *dev;
3341         struct net_device *netdev;
3342         u8 dst[ETH_ALEN];
3343         u8 next_hop[ETH_ALEN];
3344         int path_idx = cb->args[1];
3345         int err;
3346
3347         err = nl80211_prepare_netdev_dump(skb, cb, &dev, &netdev);
3348         if (err)
3349                 return err;
3350
3351         if (!dev->ops->dump_mpath) {
3352                 err = -EOPNOTSUPP;
3353                 goto out_err;
3354         }
3355
3356         if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT) {
3357                 err = -EOPNOTSUPP;
3358                 goto out_err;
3359         }
3360
3361         while (1) {
3362                 err = dev->ops->dump_mpath(&dev->wiphy, netdev, path_idx,
3363                                            dst, next_hop, &pinfo);
3364                 if (err == -ENOENT)
3365                         break;
3366                 if (err)
3367                         goto out_err;
3368
3369                 if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).pid,
3370                                        cb->nlh->nlmsg_seq, NLM_F_MULTI,
3371                                        netdev, dst, next_hop,
3372                                        &pinfo) < 0)
3373                         goto out;
3374
3375                 path_idx++;
3376         }
3377
3378
3379  out:
3380         cb->args[1] = path_idx;
3381         err = skb->len;
3382  out_err:
3383         nl80211_finish_netdev_dump(dev);
3384         return err;
3385 }
3386
3387 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
3388 {
3389         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3390         int err;
3391         struct net_device *dev = info->user_ptr[1];
3392         struct mpath_info pinfo;
3393         struct sk_buff *msg;
3394         u8 *dst = NULL;
3395         u8 next_hop[ETH_ALEN];
3396
3397         memset(&pinfo, 0, sizeof(pinfo));
3398
3399         if (!info->attrs[NL80211_ATTR_MAC])
3400                 return -EINVAL;
3401
3402         dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
3403
3404         if (!rdev->ops->get_mpath)
3405                 return -EOPNOTSUPP;
3406
3407         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
3408                 return -EOPNOTSUPP;
3409
3410         err = rdev->ops->get_mpath(&rdev->wiphy, dev, dst, next_hop, &pinfo);
3411         if (err)
3412                 return err;
3413
3414         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3415         if (!msg)
3416                 return -ENOMEM;
3417
3418         if (nl80211_send_mpath(msg, info->snd_pid, info->snd_seq, 0,
3419                                  dev, dst, next_hop, &pinfo) < 0) {
3420                 nlmsg_free(msg);
3421                 return -ENOBUFS;
3422         }
3423
3424         return genlmsg_reply(msg, info);
3425 }
3426
3427 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
3428 {
3429         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3430         struct net_device *dev = info->user_ptr[1];
3431         u8 *dst = NULL;
3432         u8 *next_hop = NULL;
3433
3434         if (!info->attrs[NL80211_ATTR_MAC])
3435                 return -EINVAL;
3436
3437         if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
3438                 return -EINVAL;
3439
3440         dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
3441         next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
3442
3443         if (!rdev->ops->change_mpath)
3444                 return -EOPNOTSUPP;
3445
3446         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
3447                 return -EOPNOTSUPP;
3448
3449         return rdev->ops->change_mpath(&rdev->wiphy, dev, dst, next_hop);
3450 }
3451
3452 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
3453 {
3454         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3455         struct net_device *dev = info->user_ptr[1];
3456         u8 *dst = NULL;
3457         u8 *next_hop = NULL;
3458
3459         if (!info->attrs[NL80211_ATTR_MAC])
3460                 return -EINVAL;
3461
3462         if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
3463                 return -EINVAL;
3464
3465         dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
3466         next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
3467
3468         if (!rdev->ops->add_mpath)
3469                 return -EOPNOTSUPP;
3470
3471         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
3472                 return -EOPNOTSUPP;
3473
3474         return rdev->ops->add_mpath(&rdev->wiphy, dev, dst, next_hop);
3475 }
3476
3477 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
3478 {
3479         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3480         struct net_device *dev = info->user_ptr[1];
3481         u8 *dst = NULL;
3482
3483         if (info->attrs[NL80211_ATTR_MAC])
3484                 dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
3485
3486         if (!rdev->ops->del_mpath)
3487                 return -EOPNOTSUPP;
3488
3489         return rdev->ops->del_mpath(&rdev->wiphy, dev, dst);
3490 }
3491
3492 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
3493 {
3494         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3495         struct net_device *dev = info->user_ptr[1];
3496         struct bss_parameters params;
3497
3498         memset(&params, 0, sizeof(params));
3499         /* default to not changing parameters */
3500         params.use_cts_prot = -1;
3501         params.use_short_preamble = -1;
3502         params.use_short_slot_time = -1;
3503         params.ap_isolate = -1;
3504         params.ht_opmode = -1;
3505
3506         if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
3507                 params.use_cts_prot =
3508                     nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
3509         if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
3510                 params.use_short_preamble =
3511                     nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
3512         if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
3513                 params.use_short_slot_time =
3514                     nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
3515         if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
3516                 params.basic_rates =
3517                         nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
3518                 params.basic_rates_len =
3519                         nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
3520         }
3521         if (info->attrs[NL80211_ATTR_AP_ISOLATE])
3522                 params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
3523         if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
3524                 params.ht_opmode =
3525                         nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
3526
3527         if (!rdev->ops->change_bss)
3528                 return -EOPNOTSUPP;
3529
3530         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3531             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3532                 return -EOPNOTSUPP;
3533
3534         return rdev->ops->change_bss(&rdev->wiphy, dev, &params);
3535 }
3536
3537 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
3538         [NL80211_ATTR_REG_RULE_FLAGS]           = { .type = NLA_U32 },
3539         [NL80211_ATTR_FREQ_RANGE_START]         = { .type = NLA_U32 },
3540         [NL80211_ATTR_FREQ_RANGE_END]           = { .type = NLA_U32 },
3541         [NL80211_ATTR_FREQ_RANGE_MAX_BW]        = { .type = NLA_U32 },
3542         [NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]  = { .type = NLA_U32 },
3543         [NL80211_ATTR_POWER_RULE_MAX_EIRP]      = { .type = NLA_U32 },
3544 };
3545
3546 static int parse_reg_rule(struct nlattr *tb[],
3547         struct ieee80211_reg_rule *reg_rule)
3548 {
3549         struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
3550         struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
3551
3552         if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
3553                 return -EINVAL;
3554         if (!tb[NL80211_ATTR_FREQ_RANGE_START])
3555                 return -EINVAL;
3556         if (!tb[NL80211_ATTR_FREQ_RANGE_END])
3557                 return -EINVAL;
3558         if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
3559                 return -EINVAL;
3560         if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
3561                 return -EINVAL;
3562
3563         reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
3564
3565         freq_range->start_freq_khz =
3566                 nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
3567         freq_range->end_freq_khz =
3568                 nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
3569         freq_range->max_bandwidth_khz =
3570                 nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
3571
3572         power_rule->max_eirp =
3573                 nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
3574
3575         if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
3576                 power_rule->max_antenna_gain =
3577                         nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
3578
3579         return 0;
3580 }
3581
3582 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
3583 {
3584         int r;
3585         char *data = NULL;
3586         enum nl80211_user_reg_hint_type user_reg_hint_type;
3587
3588         /*
3589          * You should only get this when cfg80211 hasn't yet initialized
3590          * completely when built-in to the kernel right between the time
3591          * window between nl80211_init() and regulatory_init(), if that is
3592          * even possible.
3593          */
3594         mutex_lock(&cfg80211_mutex);
3595         if (unlikely(!cfg80211_regdomain)) {
3596                 mutex_unlock(&cfg80211_mutex);
3597                 return -EINPROGRESS;
3598         }
3599         mutex_unlock(&cfg80211_mutex);
3600
3601         if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
3602                 return -EINVAL;
3603
3604         data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
3605
3606         if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
3607                 user_reg_hint_type =
3608                   nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
3609         else
3610                 user_reg_hint_type = NL80211_USER_REG_HINT_USER;
3611
3612         switch (user_reg_hint_type) {
3613         case NL80211_USER_REG_HINT_USER:
3614         case NL80211_USER_REG_HINT_CELL_BASE:
3615                 break;
3616         default:
3617                 return -EINVAL;
3618         }
3619
3620         r = regulatory_hint_user(data, user_reg_hint_type);
3621
3622         return r;
3623 }
3624
3625 static int nl80211_get_mesh_config(struct sk_buff *skb,
3626                                    struct genl_info *info)
3627 {
3628         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3629         struct net_device *dev = info->user_ptr[1];
3630         struct wireless_dev *wdev = dev->ieee80211_ptr;
3631         struct mesh_config cur_params;
3632         int err = 0;
3633         void *hdr;
3634         struct nlattr *pinfoattr;
3635         struct sk_buff *msg;
3636
3637         if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
3638                 return -EOPNOTSUPP;
3639
3640         if (!rdev->ops->get_mesh_config)
3641                 return -EOPNOTSUPP;
3642
3643         wdev_lock(wdev);
3644         /* If not connected, get default parameters */
3645         if (!wdev->mesh_id_len)
3646                 memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
3647         else
3648                 err = rdev->ops->get_mesh_config(&rdev->wiphy, dev,
3649                                                  &cur_params);
3650         wdev_unlock(wdev);
3651
3652         if (err)
3653                 return err;
3654
3655         /* Draw up a netlink message to send back */
3656         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3657         if (!msg)
3658                 return -ENOMEM;
3659         hdr = nl80211hdr_put(msg, info->snd_pid, info->snd_seq, 0,
3660                              NL80211_CMD_GET_MESH_CONFIG);
3661         if (!hdr)
3662                 goto out;
3663         pinfoattr = nla_nest_start(msg, NL80211_ATTR_MESH_CONFIG);
3664         if (!pinfoattr)
3665                 goto nla_put_failure;
3666         if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3667             nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
3668                         cur_params.dot11MeshRetryTimeout) ||
3669             nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
3670                         cur_params.dot11MeshConfirmTimeout) ||
3671             nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
3672                         cur_params.dot11MeshHoldingTimeout) ||
3673             nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
3674                         cur_params.dot11MeshMaxPeerLinks) ||
3675             nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
3676                        cur_params.dot11MeshMaxRetries) ||
3677             nla_put_u8(msg, NL80211_MESHCONF_TTL,
3678                        cur_params.dot11MeshTTL) ||
3679             nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
3680                        cur_params.element_ttl) ||
3681             nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
3682                        cur_params.auto_open_plinks) ||
3683             nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
3684                         cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
3685             nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
3686                        cur_params.dot11MeshHWMPmaxPREQretries) ||
3687             nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
3688                         cur_params.path_refresh_time) ||
3689             nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
3690                         cur_params.min_discovery_timeout) ||
3691             nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
3692                         cur_params.dot11MeshHWMPactivePathTimeout) ||
3693             nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
3694                         cur_params.dot11MeshHWMPpreqMinInterval) ||
3695             nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
3696                         cur_params.dot11MeshHWMPperrMinInterval) ||
3697             nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
3698                         cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
3699             nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
3700                        cur_params.dot11MeshHWMPRootMode) ||
3701             nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
3702                         cur_params.dot11MeshHWMPRannInterval) ||
3703             nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
3704                        cur_params.dot11MeshGateAnnouncementProtocol) ||
3705             nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
3706                        cur_params.dot11MeshForwarding) ||
3707             nla_put_u32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
3708                         cur_params.rssi_threshold) ||
3709             nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
3710                         cur_params.ht_opmode) ||
3711             nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
3712                         cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
3713             nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
3714                         cur_params.dot11MeshHWMProotInterval) ||
3715             nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
3716                         cur_params.dot11MeshHWMPconfirmationInterval))
3717                 goto nla_put_failure;
3718         nla_nest_end(msg, pinfoattr);
3719         genlmsg_end(msg, hdr);
3720         return genlmsg_reply(msg, info);
3721
3722  nla_put_failure:
3723         genlmsg_cancel(msg, hdr);
3724  out:
3725         nlmsg_free(msg);
3726         return -ENOBUFS;
3727 }
3728
3729 static const struct nla_policy nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
3730         [NL80211_MESHCONF_RETRY_TIMEOUT] = { .type = NLA_U16 },
3731         [NL80211_MESHCONF_CONFIRM_TIMEOUT] = { .type = NLA_U16 },
3732         [NL80211_MESHCONF_HOLDING_TIMEOUT] = { .type = NLA_U16 },
3733         [NL80211_MESHCONF_MAX_PEER_LINKS] = { .type = NLA_U16 },
3734         [NL80211_MESHCONF_MAX_RETRIES] = { .type = NLA_U8 },
3735         [NL80211_MESHCONF_TTL] = { .type = NLA_U8 },
3736         [NL80211_MESHCONF_ELEMENT_TTL] = { .type = NLA_U8 },
3737         [NL80211_MESHCONF_AUTO_OPEN_PLINKS] = { .type = NLA_U8 },
3738         [NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] = { .type = NLA_U32 },
3739         [NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
3740         [NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
3741         [NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = { .type = NLA_U16 },
3742         [NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
3743         [NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] = { .type = NLA_U16 },
3744         [NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] = { .type = NLA_U16 },
3745         [NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] = { .type = NLA_U16 },
3746         [NL80211_MESHCONF_HWMP_ROOTMODE] = { .type = NLA_U8 },
3747         [NL80211_MESHCONF_HWMP_RANN_INTERVAL] = { .type = NLA_U16 },
3748         [NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = { .type = NLA_U8 },
3749         [NL80211_MESHCONF_FORWARDING] = { .type = NLA_U8 },
3750         [NL80211_MESHCONF_RSSI_THRESHOLD] = { .type = NLA_U32 },
3751         [NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
3752         [NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
3753         [NL80211_MESHCONF_HWMP_ROOT_INTERVAL] = { .type = NLA_U16 },
3754         [NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] = { .type = NLA_U16 },
3755 };
3756
3757 static const struct nla_policy
3758         nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
3759         [NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
3760         [NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
3761         [NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
3762         [NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
3763         [NL80211_MESH_SETUP_IE] = { .type = NLA_BINARY,
3764                                     .len = IEEE80211_MAX_DATA_LEN },
3765         [NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
3766 };
3767
3768 static int nl80211_parse_mesh_config(struct genl_info *info,
3769                                      struct mesh_config *cfg,
3770                                      u32 *mask_out)
3771 {
3772         struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
3773         u32 mask = 0;
3774
3775 #define FILL_IN_MESH_PARAM_IF_SET(table, cfg, param, mask, attr_num, nla_fn) \
3776 do {\
3777         if (table[attr_num]) {\
3778                 cfg->param = nla_fn(table[attr_num]); \
3779                 mask |= (1 << (attr_num - 1)); \
3780         } \
3781 } while (0);\
3782
3783
3784         if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
3785                 return -EINVAL;
3786         if (nla_parse_nested(tb, NL80211_MESHCONF_ATTR_MAX,
3787                              info->attrs[NL80211_ATTR_MESH_CONFIG],
3788                              nl80211_meshconf_params_policy))
3789                 return -EINVAL;
3790
3791         /* This makes sure that there aren't more than 32 mesh config
3792          * parameters (otherwise our bitfield scheme would not work.) */
3793         BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
3794
3795         /* Fill in the params struct */
3796         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout,
3797                                   mask, NL80211_MESHCONF_RETRY_TIMEOUT,
3798                                   nla_get_u16);
3799         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout,
3800                                   mask, NL80211_MESHCONF_CONFIRM_TIMEOUT,
3801                                   nla_get_u16);
3802         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout,
3803                                   mask, NL80211_MESHCONF_HOLDING_TIMEOUT,
3804                                   nla_get_u16);
3805         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks,
3806                                   mask, NL80211_MESHCONF_MAX_PEER_LINKS,
3807                                   nla_get_u16);
3808         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries,
3809                                   mask, NL80211_MESHCONF_MAX_RETRIES,
3810                                   nla_get_u8);
3811         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL,
3812                                   mask, NL80211_MESHCONF_TTL, nla_get_u8);
3813         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl,
3814                                   mask, NL80211_MESHCONF_ELEMENT_TTL,
3815                                   nla_get_u8);
3816         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks,
3817                                   mask, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
3818                                   nla_get_u8);
3819         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor, mask,
3820                                   NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
3821                                   nla_get_u32);
3822         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries,
3823                                   mask, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
3824                                   nla_get_u8);
3825         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time,
3826                                   mask, NL80211_MESHCONF_PATH_REFRESH_TIME,
3827                                   nla_get_u32);
3828         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout,
3829                                   mask, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
3830                                   nla_get_u16);
3831         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout, mask,
3832                                   NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
3833                                   nla_get_u32);
3834         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval,
3835                                   mask, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
3836                                   nla_get_u16);
3837         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval,
3838                                   mask, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
3839                                   nla_get_u16);
3840         FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
3841                                   dot11MeshHWMPnetDiameterTraversalTime, mask,
3842                                   NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
3843                                   nla_get_u16);
3844         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
3845                                   NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
3846         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
3847                                   NL80211_MESHCONF_HWMP_RANN_INTERVAL,
3848                                   nla_get_u16);
3849         FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
3850                                   dot11MeshGateAnnouncementProtocol, mask,
3851                                   NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
3852                                   nla_get_u8);
3853         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding,
3854                                   mask, NL80211_MESHCONF_FORWARDING,
3855                                   nla_get_u8);
3856         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold,
3857                                   mask, NL80211_MESHCONF_RSSI_THRESHOLD,
3858                                   nla_get_u32);
3859         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, ht_opmode,
3860                                   mask, NL80211_MESHCONF_HT_OPMODE,
3861                                   nla_get_u16);
3862         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathToRootTimeout,
3863                                   mask,
3864                                   NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
3865                                   nla_get_u32);
3866         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval,
3867                                   mask, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
3868                                   nla_get_u16);
3869         FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
3870                                   dot11MeshHWMPconfirmationInterval, mask,
3871                                   NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
3872                                   nla_get_u16);
3873         if (mask_out)
3874                 *mask_out = mask;
3875
3876         return 0;
3877
3878 #undef FILL_IN_MESH_PARAM_IF_SET
3879 }
3880
3881 static int nl80211_parse_mesh_setup(struct genl_info *info,
3882                                      struct mesh_setup *setup)
3883 {
3884         struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
3885
3886         if (!info->attrs[NL80211_ATTR_MESH_SETUP])
3887                 return -EINVAL;
3888         if (nla_parse_nested(tb, NL80211_MESH_SETUP_ATTR_MAX,
3889                              info->attrs[NL80211_ATTR_MESH_SETUP],
3890                              nl80211_mesh_setup_params_policy))
3891                 return -EINVAL;
3892
3893         if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
3894                 setup->sync_method =
3895                 (nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
3896                  IEEE80211_SYNC_METHOD_VENDOR :
3897                  IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
3898
3899         if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
3900                 setup->path_sel_proto =
3901                 (nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
3902                  IEEE80211_PATH_PROTOCOL_VENDOR :
3903                  IEEE80211_PATH_PROTOCOL_HWMP;
3904
3905         if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
3906                 setup->path_metric =
3907                 (nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
3908                  IEEE80211_PATH_METRIC_VENDOR :
3909                  IEEE80211_PATH_METRIC_AIRTIME;
3910
3911
3912         if (tb[NL80211_MESH_SETUP_IE]) {
3913                 struct nlattr *ieattr =
3914                         tb[NL80211_MESH_SETUP_IE];
3915                 if (!is_valid_ie_attr(ieattr))
3916                         return -EINVAL;
3917                 setup->ie = nla_data(ieattr);
3918                 setup->ie_len = nla_len(ieattr);
3919         }
3920         setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
3921         setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
3922
3923         return 0;
3924 }
3925
3926 static int nl80211_update_mesh_config(struct sk_buff *skb,
3927                                       struct genl_info *info)
3928 {
3929         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3930         struct net_device *dev = info->user_ptr[1];
3931         struct wireless_dev *wdev = dev->ieee80211_ptr;
3932         struct mesh_config cfg;
3933         u32 mask;
3934         int err;
3935
3936         if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
3937                 return -EOPNOTSUPP;
3938
3939         if (!rdev->ops->update_mesh_config)
3940                 return -EOPNOTSUPP;
3941
3942         err = nl80211_parse_mesh_config(info, &cfg, &mask);
3943         if (err)
3944                 return err;
3945
3946         wdev_lock(wdev);
3947         if (!wdev->mesh_id_len)
3948                 err = -ENOLINK;
3949
3950         if (!err)
3951                 err = rdev->ops->update_mesh_config(&rdev->wiphy, dev,
3952                                                     mask, &cfg);
3953
3954         wdev_unlock(wdev);
3955
3956         return err;
3957 }
3958
3959 static int nl80211_get_reg(struct sk_buff *skb, struct genl_info *info)
3960 {
3961         struct sk_buff *msg;
3962         void *hdr = NULL;
3963         struct nlattr *nl_reg_rules;
3964         unsigned int i;
3965         int err = -EINVAL;
3966
3967         mutex_lock(&cfg80211_mutex);
3968
3969         if (!cfg80211_regdomain)
3970                 goto out;
3971
3972         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3973         if (!msg) {
3974                 err = -ENOBUFS;
3975                 goto out;
3976         }
3977
3978         hdr = nl80211hdr_put(msg, info->snd_pid, info->snd_seq, 0,
3979                              NL80211_CMD_GET_REG);
3980         if (!hdr)
3981                 goto put_failure;
3982
3983         if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
3984                            cfg80211_regdomain->alpha2) ||
3985             (cfg80211_regdomain->dfs_region &&
3986              nla_put_u8(msg, NL80211_ATTR_DFS_REGION,
3987                         cfg80211_regdomain->dfs_region)))
3988                 goto nla_put_failure;
3989
3990         if (reg_last_request_cell_base() &&
3991             nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
3992                         NL80211_USER_REG_HINT_CELL_BASE))
3993                 goto nla_put_failure;
3994
3995         nl_reg_rules = nla_nest_start(msg, NL80211_ATTR_REG_RULES);
3996         if (!nl_reg_rules)
3997                 goto nla_put_failure;
3998
3999         for (i = 0; i < cfg80211_regdomain->n_reg_rules; i++) {
4000                 struct nlattr *nl_reg_rule;
4001                 const struct ieee80211_reg_rule *reg_rule;
4002                 const struct ieee80211_freq_range *freq_range;
4003                 const struct ieee80211_power_rule *power_rule;
4004
4005                 reg_rule = &cfg80211_regdomain->reg_rules[i];
4006                 freq_range = &reg_rule->freq_range;
4007                 power_rule = &reg_rule->power_rule;
4008
4009                 nl_reg_rule = nla_nest_start(msg, i);
4010                 if (!nl_reg_rule)
4011                         goto nla_put_failure;
4012
4013                 if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
4014                                 reg_rule->flags) ||
4015                     nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
4016                                 freq_range->start_freq_khz) ||
4017                     nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
4018                                 freq_range->end_freq_khz) ||
4019                     nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
4020                                 freq_range->max_bandwidth_khz) ||
4021                     nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
4022                                 power_rule->max_antenna_gain) ||
4023                     nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
4024                                 power_rule->max_eirp))
4025                         goto nla_put_failure;
4026
4027                 nla_nest_end(msg, nl_reg_rule);
4028         }
4029
4030         nla_nest_end(msg, nl_reg_rules);
4031
4032         genlmsg_end(msg, hdr);
4033         err = genlmsg_reply(msg, info);
4034         goto out;
4035
4036 nla_put_failure:
4037         genlmsg_cancel(msg, hdr);
4038 put_failure:
4039         nlmsg_free(msg);
4040         err = -EMSGSIZE;
4041 out:
4042         mutex_unlock(&cfg80211_mutex);
4043         return err;
4044 }
4045
4046 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
4047 {
4048         struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
4049         struct nlattr *nl_reg_rule;
4050         char *alpha2 = NULL;
4051         int rem_reg_rules = 0, r = 0;
4052         u32 num_rules = 0, rule_idx = 0, size_of_regd;
4053         u8 dfs_region = 0;
4054         struct ieee80211_regdomain *rd = NULL;
4055
4056         if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
4057                 return -EINVAL;
4058
4059         if (!info->attrs[NL80211_ATTR_REG_RULES])
4060                 return -EINVAL;
4061
4062         alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
4063
4064         if (info->attrs[NL80211_ATTR_DFS_REGION])
4065                 dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
4066
4067         nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
4068                         rem_reg_rules) {
4069                 num_rules++;
4070                 if (num_rules > NL80211_MAX_SUPP_REG_RULES)
4071                         return -EINVAL;
4072         }
4073
4074         mutex_lock(&cfg80211_mutex);
4075
4076         if (!reg_is_valid_request(alpha2)) {
4077                 r = -EINVAL;
4078                 goto bad_reg;
4079         }
4080
4081         size_of_regd = sizeof(struct ieee80211_regdomain) +
4082                 (num_rules * sizeof(struct ieee80211_reg_rule));
4083
4084         rd = kzalloc(size_of_regd, GFP_KERNEL);
4085         if (!rd) {
4086                 r = -ENOMEM;
4087                 goto bad_reg;
4088         }
4089
4090         rd->n_reg_rules = num_rules;
4091         rd->alpha2[0] = alpha2[0];
4092         rd->alpha2[1] = alpha2[1];
4093
4094         /*
4095          * Disable DFS master mode if the DFS region was
4096          * not supported or known on this kernel.
4097          */
4098         if (reg_supported_dfs_region(dfs_region))
4099                 rd->dfs_region = dfs_region;
4100
4101         nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
4102                         rem_reg_rules) {
4103                 nla_parse(tb, NL80211_REG_RULE_ATTR_MAX,
4104                         nla_data(nl_reg_rule), nla_len(nl_reg_rule),
4105                         reg_rule_policy);
4106                 r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
4107                 if (r)
4108                         goto bad_reg;
4109
4110                 rule_idx++;
4111
4112                 if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
4113                         r = -EINVAL;
4114                         goto bad_reg;
4115                 }
4116         }
4117
4118         BUG_ON(rule_idx != num_rules);
4119
4120         r = set_regdom(rd);
4121
4122         mutex_unlock(&cfg80211_mutex);
4123
4124         return r;
4125
4126  bad_reg:
4127         mutex_unlock(&cfg80211_mutex);
4128         kfree(rd);
4129         return r;
4130 }
4131
4132 static int validate_scan_freqs(struct nlattr *freqs)
4133 {
4134         struct nlattr *attr1, *attr2;
4135         int n_channels = 0, tmp1, tmp2;
4136
4137         nla_for_each_nested(attr1, freqs, tmp1) {
4138                 n_channels++;
4139                 /*
4140                  * Some hardware has a limited channel list for
4141                  * scanning, and it is pretty much nonsensical
4142                  * to scan for a channel twice, so disallow that
4143                  * and don't require drivers to check that the
4144                  * channel list they get isn't longer than what
4145                  * they can scan, as long as they can scan all
4146                  * the channels they registered at once.
4147                  */
4148                 nla_for_each_nested(attr2, freqs, tmp2)
4149                         if (attr1 != attr2 &&
4150                             nla_get_u32(attr1) == nla_get_u32(attr2))
4151                                 return 0;
4152         }
4153
4154         return n_channels;
4155 }
4156
4157 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
4158 {
4159         struct cfg80211_registered_device *rdev = info->user_ptr[0];
4160         struct wireless_dev *wdev = info->user_ptr[1];
4161         struct cfg80211_scan_request *request;
4162         struct nlattr *attr;
4163         struct wiphy *wiphy;
4164         int err, tmp, n_ssids = 0, n_channels, i;
4165         size_t ie_len;
4166
4167         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
4168                 return -EINVAL;
4169
4170         wiphy = &rdev->wiphy;
4171
4172         if (!rdev->ops->scan)
4173                 return -EOPNOTSUPP;
4174
4175         if (rdev->scan_req)
4176                 return -EBUSY;
4177
4178         if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
4179                 n_channels = validate_scan_freqs(
4180                                 info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
4181                 if (!n_channels)
4182                         return -EINVAL;
4183         } else {
4184                 enum ieee80211_band band;
4185                 n_channels = 0;
4186
4187                 for (band = 0; band < IEEE80211_NUM_BANDS; band++)
4188                         if (wiphy->bands[band])
4189                                 n_channels += wiphy->bands[band]->n_channels;
4190         }
4191
4192         if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
4193                 nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
4194                         n_ssids++;
4195
4196         if (n_ssids > wiphy->max_scan_ssids)
4197                 return -EINVAL;
4198
4199         if (info->attrs[NL80211_ATTR_IE])
4200                 ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
4201         else
4202                 ie_len = 0;
4203
4204         if (ie_len > wiphy->max_scan_ie_len)
4205                 return -EINVAL;
4206
4207         request = kzalloc(sizeof(*request)
4208                         + sizeof(*request->ssids) * n_ssids
4209                         + sizeof(*request->channels) * n_channels
4210                         + ie_len, GFP_KERNEL);
4211         if (!request)
4212                 return -ENOMEM;
4213
4214         if (n_ssids)
4215                 request->ssids = (void *)&request->channels[n_channels];
4216         request->n_ssids = n_ssids;
4217         if (ie_len) {
4218                 if (request->ssids)
4219                         request->ie = (void *)(request->ssids + n_ssids);
4220                 else
4221                         request->ie = (void *)(request->channels + n_channels);
4222         }
4223
4224         i = 0;
4225         if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
4226                 /* user specified, bail out if channel not found */
4227                 nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_FREQUENCIES], tmp) {
4228                         struct ieee80211_channel *chan;
4229
4230                         chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
4231
4232                         if (!chan) {
4233                                 err = -EINVAL;
4234                                 goto out_free;
4235                         }
4236
4237                         /* ignore disabled channels */
4238                         if (chan->flags & IEEE80211_CHAN_DISABLED)
4239                                 continue;
4240
4241                         request->channels[i] = chan;
4242                         i++;
4243                 }
4244         } else {
4245                 enum ieee80211_band band;
4246
4247                 /* all channels */
4248                 for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
4249                         int j;
4250                         if (!wiphy->bands[band])
4251                                 continue;
4252                         for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
4253                                 struct ieee80211_channel *chan;
4254
4255                                 chan = &wiphy->bands[band]->channels[j];
4256
4257                                 if (chan->flags & IEEE80211_CHAN_DISABLED)
4258                                         continue;
4259
4260                                 request->channels[i] = chan;
4261                                 i++;
4262                         }
4263                 }
4264         }
4265
4266         if (!i) {
4267                 err = -EINVAL;
4268                 goto out_free;
4269         }
4270
4271         request->n_channels = i;
4272
4273         i = 0;
4274         if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
4275                 nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
4276                         if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
4277                                 err = -EINVAL;
4278                                 goto out_free;
4279                         }
4280                         request->ssids[i].ssid_len = nla_len(attr);
4281                         memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
4282                         i++;
4283                 }
4284         }
4285
4286         if (info->attrs[NL80211_ATTR_IE]) {
4287                 request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
4288                 memcpy((void *)request->ie,
4289                        nla_data(info->attrs[NL80211_ATTR_IE]),
4290                        request->ie_len);
4291         }
4292
4293         for (i = 0; i < IEEE80211_NUM_BANDS; i++)
4294                 if (wiphy->bands[i])
4295                         request->rates[i] =
4296                                 (1 << wiphy->bands[i]->n_bitrates) - 1;
4297
4298         if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
4299                 nla_for_each_nested(attr,
4300                                     info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
4301                                     tmp) {
4302                         enum ieee80211_band band = nla_type(attr);
4303
4304                         if (band < 0 || band >= IEEE80211_NUM_BANDS) {
4305                                 err = -EINVAL;
4306                                 goto out_free;
4307                         }
4308                         err = ieee80211_get_ratemask(wiphy->bands[band],
4309                                                      nla_data(attr),
4310                                                      nla_len(attr),
4311                                                      &request->rates[band]);
4312                         if (err)
4313                                 goto out_free;
4314                 }
4315         }
4316
4317         request->no_cck =
4318                 nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
4319
4320         request->wdev = wdev;
4321         request->wiphy = &rdev->wiphy;
4322
4323         rdev->scan_req = request;
4324         err = rdev->ops->scan(&rdev->wiphy, request);
4325
4326         if (!err) {
4327                 nl80211_send_scan_start(rdev, wdev);
4328                 if (wdev->netdev)
4329                         dev_hold(wdev->netdev);
4330         } else {
4331  out_free:
4332                 rdev->scan_req = NULL;
4333                 kfree(request);
4334         }
4335
4336         return err;
4337 }
4338
4339 static int nl80211_start_sched_scan(struct sk_buff *skb,
4340                                     struct genl_info *info)
4341 {
4342         struct cfg80211_sched_scan_request *request;
4343         struct cfg80211_registered_device *rdev = info->user_ptr[0];
4344         struct net_device *dev = info->user_ptr[1];
4345         struct nlattr *attr;
4346         struct wiphy *wiphy;
4347         int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i;
4348         u32 interval;
4349         enum ieee80211_band band;
4350         size_t ie_len;
4351         struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
4352
4353         if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) ||
4354             !rdev->ops->sched_scan_start)
4355                 return -EOPNOTSUPP;
4356
4357         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
4358                 return -EINVAL;
4359
4360         if (!info->attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
4361                 return -EINVAL;
4362
4363         interval = nla_get_u32(info->attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
4364         if (interval == 0)
4365                 return -EINVAL;
4366
4367         wiphy = &rdev->wiphy;
4368
4369         if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
4370                 n_channels = validate_scan_freqs(
4371                                 info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
4372                 if (!n_channels)
4373                         return -EINVAL;
4374         } else {
4375                 n_channels = 0;
4376
4377                 for (band = 0; band < IEEE80211_NUM_BANDS; band++)
4378                         if (wiphy->bands[band])
4379                                 n_channels += wiphy->bands[band]->n_channels;
4380         }
4381
4382         if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
4383                 nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS],
4384                                     tmp)
4385                         n_ssids++;
4386
4387         if (n_ssids > wiphy->max_sched_scan_ssids)
4388                 return -EINVAL;
4389
4390         if (info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH])
4391                 nla_for_each_nested(attr,
4392                                     info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
4393                                     tmp)
4394                         n_match_sets++;
4395
4396         if (n_match_sets > wiphy->max_match_sets)
4397                 return -EINVAL;
4398
4399         if (info->attrs[NL80211_ATTR_IE])
4400                 ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
4401         else
4402                 ie_len = 0;
4403
4404         if (ie_len > wiphy->max_sched_scan_ie_len)
4405                 return -EINVAL;
4406
4407         mutex_lock(&rdev->sched_scan_mtx);
4408
4409         if (rdev->sched_scan_req) {
4410                 err = -EINPROGRESS;
4411                 goto out;
4412         }
4413
4414         request = kzalloc(sizeof(*request)
4415                         + sizeof(*request->ssids) * n_ssids
4416                         + sizeof(*request->match_sets) * n_match_sets
4417                         + sizeof(*request->channels) * n_channels
4418                         + ie_len, GFP_KERNEL);
4419         if (!request) {
4420                 err = -ENOMEM;
4421                 goto out;
4422         }
4423
4424         if (n_ssids)
4425                 request->ssids = (void *)&request->channels[n_channels];
4426         request->n_ssids = n_ssids;
4427         if (ie_len) {
4428                 if (request->ssids)
4429                         request->ie = (void *)(request->ssids + n_ssids);
4430                 else
4431                         request->ie = (void *)(request->channels + n_channels);
4432         }
4433
4434         if (n_match_sets) {
4435                 if (request->ie)
4436                         request->match_sets = (void *)(request->ie + ie_len);
4437                 else if (request->ssids)
4438                         request->match_sets =
4439                                 (void *)(request->ssids + n_ssids);
4440                 else
4441                         request->match_sets =
4442                                 (void *)(request->channels + n_channels);
4443         }
4444         request->n_match_sets = n_match_sets;
4445
4446         i = 0;
4447         if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
4448                 /* user specified, bail out if channel not found */
4449                 nla_for_each_nested(attr,
4450                                     info->attrs[NL80211_ATTR_SCAN_FREQUENCIES],
4451                                     tmp) {
4452                         struct ieee80211_channel *chan;
4453
4454                         chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
4455
4456                         if (!chan) {
4457                                 err = -EINVAL;
4458                                 goto out_free;
4459                         }
4460
4461                         /* ignore disabled channels */
4462                         if (chan->flags & IEEE80211_CHAN_DISABLED)
4463                                 continue;
4464
4465                         request->channels[i] = chan;
4466                         i++;
4467                 }
4468         } else {
4469                 /* all channels */
4470                 for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
4471                         int j;
4472                         if (!wiphy->bands[band])
4473                                 continue;
4474                         for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
4475                                 struct ieee80211_channel *chan;
4476
4477                                 chan = &wiphy->bands[band]->channels[j];
4478
4479                                 if (chan->flags & IEEE80211_CHAN_DISABLED)
4480                                         continue;
4481
4482                                 request->channels[i] = chan;
4483                                 i++;
4484                         }
4485                 }
4486         }
4487
4488         if (!i) {
4489                 err = -EINVAL;
4490                 goto out_free;
4491         }
4492
4493         request->n_channels = i;
4494
4495         i = 0;
4496         if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
4497                 nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS],
4498                                     tmp) {
4499                         if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
4500                                 err = -EINVAL;
4501                                 goto out_free;
4502                         }
4503                         request->ssids[i].ssid_len = nla_len(attr);
4504                         memcpy(request->ssids[i].ssid, nla_data(attr),
4505                                nla_len(attr));
4506                         i++;
4507                 }
4508         }
4509
4510         i = 0;
4511         if (info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
4512                 nla_for_each_nested(attr,
4513                                     info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
4514                                     tmp) {
4515                         struct nlattr *ssid, *rssi;
4516
4517                         nla_parse(tb, NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
4518                                   nla_data(attr), nla_len(attr),
4519                                   nl80211_match_policy);
4520                         ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
4521                         if (ssid) {
4522                                 if (nla_len(ssid) > IEEE80211_MAX_SSID_LEN) {
4523                                         err = -EINVAL;
4524                                         goto out_free;
4525                                 }
4526                                 memcpy(request->match_sets[i].ssid.ssid,
4527                                        nla_data(ssid), nla_len(ssid));
4528                                 request->match_sets[i].ssid.ssid_len =
4529                                         nla_len(ssid);
4530                         }
4531                         rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
4532                         if (rssi)
4533                                 request->rssi_thold = nla_get_u32(rssi);
4534                         else
4535                                 request->rssi_thold =
4536                                                    NL80211_SCAN_RSSI_THOLD_OFF;
4537                         i++;
4538                 }
4539         }
4540
4541         if (info->attrs[NL80211_ATTR_IE]) {
4542                 request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
4543                 memcpy((void *)request->ie,
4544                        nla_data(info->attrs[NL80211_ATTR_IE]),
4545                        request->ie_len);
4546         }
4547
4548         request->dev = dev;
4549         request->wiphy = &rdev->wiphy;
4550         request->interval = interval;
4551
4552         err = rdev->ops->sched_scan_start(&rdev->wiphy, dev, request);
4553         if (!err) {
4554                 rdev->sched_scan_req = request;
4555                 nl80211_send_sched_scan(rdev, dev,
4556                                         NL80211_CMD_START_SCHED_SCAN);
4557                 goto out;
4558         }
4559
4560 out_free:
4561         kfree(request);
4562 out:
4563         mutex_unlock(&rdev->sched_scan_mtx);
4564         return err;
4565 }
4566
4567 static int nl80211_stop_sched_scan(struct sk_buff *skb,
4568                                    struct genl_info *info)
4569 {
4570         struct cfg80211_registered_device *rdev = info->user_ptr[0];
4571         int err;
4572
4573         if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) ||
4574             !rdev->ops->sched_scan_stop)
4575                 return -EOPNOTSUPP;
4576
4577         mutex_lock(&rdev->sched_scan_mtx);
4578         err = __cfg80211_stop_sched_scan(rdev, false);
4579         mutex_unlock(&rdev->sched_scan_mtx);
4580
4581         return err;
4582 }
4583
4584 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
4585                             u32 seq, int flags,
4586                             struct cfg80211_registered_device *rdev,
4587                             struct wireless_dev *wdev,
4588                             struct cfg80211_internal_bss *intbss)
4589 {
4590         struct cfg80211_bss *res = &intbss->pub;
4591         void *hdr;
4592         struct nlattr *bss;
4593
4594         ASSERT_WDEV_LOCK(wdev);
4595
4596         hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).pid, seq, flags,
4597                              NL80211_CMD_NEW_SCAN_RESULTS);
4598         if (!hdr)
4599                 return -1;
4600
4601         genl_dump_check_consistent(cb, hdr, &nl80211_fam);
4602
4603         if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation) ||
4604             nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
4605                 goto nla_put_failure;
4606
4607         bss = nla_nest_start(msg, NL80211_ATTR_BSS);
4608         if (!bss)
4609                 goto nla_put_failure;
4610         if ((!is_zero_ether_addr(res->bssid) &&
4611              nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)) ||
4612             (res->information_elements && res->len_information_elements &&
4613              nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
4614                      res->len_information_elements,
4615                      res->information_elements)) ||
4616             (res->beacon_ies && res->len_beacon_ies &&
4617              res->beacon_ies != res->information_elements &&
4618              nla_put(msg, NL80211_BSS_BEACON_IES,
4619                      res->len_beacon_ies, res->beacon_ies)))
4620                 goto nla_put_failure;
4621         if (res->tsf &&
4622             nla_put_u64(msg, NL80211_BSS_TSF, res->tsf))
4623                 goto nla_put_failure;
4624         if (res->beacon_interval &&
4625             nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
4626                 goto nla_put_failure;
4627         if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
4628             nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
4629             nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
4630                         jiffies_to_msecs(jiffies - intbss->ts)))
4631                 goto nla_put_failure;
4632
4633         switch (rdev->wiphy.signal_type) {
4634         case CFG80211_SIGNAL_TYPE_MBM:
4635                 if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
4636                         goto nla_put_failure;
4637                 break;
4638         case CFG80211_SIGNAL_TYPE_UNSPEC:
4639                 if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
4640                         goto nla_put_failure;
4641                 break;
4642         default:
4643                 break;
4644         }
4645
4646         switch (wdev->iftype) {
4647         case NL80211_IFTYPE_P2P_CLIENT:
4648         case NL80211_IFTYPE_STATION:
4649                 if (intbss == wdev->current_bss &&
4650                     nla_put_u32(msg, NL80211_BSS_STATUS,
4651                                 NL80211_BSS_STATUS_ASSOCIATED))
4652                         goto nla_put_failure;
4653                 break;
4654         case NL80211_IFTYPE_ADHOC:
4655                 if (intbss == wdev->current_bss &&
4656                     nla_put_u32(msg, NL80211_BSS_STATUS,
4657                                 NL80211_BSS_STATUS_IBSS_JOINED))
4658                         goto nla_put_failure;
4659                 break;
4660         default:
4661                 break;
4662         }
4663
4664         nla_nest_end(msg, bss);
4665
4666         return genlmsg_end(msg, hdr);
4667
4668  nla_put_failure:
4669         genlmsg_cancel(msg, hdr);
4670         return -EMSGSIZE;
4671 }
4672
4673 static int nl80211_dump_scan(struct sk_buff *skb,
4674                              struct netlink_callback *cb)
4675 {
4676         struct cfg80211_registered_device *rdev;
4677         struct net_device *dev;
4678         struct cfg80211_internal_bss *scan;
4679         struct wireless_dev *wdev;
4680         int start = cb->args[1], idx = 0;
4681         int err;
4682
4683         err = nl80211_prepare_netdev_dump(skb, cb, &rdev, &dev);
4684         if (err)
4685                 return err;
4686
4687         wdev = dev->ieee80211_ptr;
4688
4689         wdev_lock(wdev);
4690         spin_lock_bh(&rdev->bss_lock);
4691         cfg80211_bss_expire(rdev);
4692
4693         cb->seq = rdev->bss_generation;
4694
4695         list_for_each_entry(scan, &rdev->bss_list, list) {
4696                 if (++idx <= start)
4697                         continue;
4698                 if (nl80211_send_bss(skb, cb,
4699                                 cb->nlh->nlmsg_seq, NLM_F_MULTI,
4700                                 rdev, wdev, scan) < 0) {
4701                         idx--;
4702                         break;
4703                 }
4704         }
4705
4706         spin_unlock_bh(&rdev->bss_lock);
4707         wdev_unlock(wdev);
4708
4709         cb->args[1] = idx;
4710         nl80211_finish_netdev_dump(rdev);
4711
4712         return skb->len;
4713 }
4714
4715 static int nl80211_send_survey(struct sk_buff *msg, u32 pid, u32 seq,
4716                                 int flags, struct net_device *dev,
4717                                 struct survey_info *survey)
4718 {
4719         void *hdr;
4720         struct nlattr *infoattr;
4721
4722         hdr = nl80211hdr_put(msg, pid, seq, flags,
4723                              NL80211_CMD_NEW_SURVEY_RESULTS);
4724         if (!hdr)
4725                 return -ENOMEM;
4726
4727         if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
4728                 goto nla_put_failure;
4729
4730         infoattr = nla_nest_start(msg, NL80211_ATTR_SURVEY_INFO);
4731         if (!infoattr)
4732                 goto nla_put_failure;
4733
4734         if (nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
4735                         survey->channel->center_freq))
4736                 goto nla_put_failure;
4737
4738         if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
4739             nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
4740                 goto nla_put_failure;
4741         if ((survey->filled & SURVEY_INFO_IN_USE) &&
4742             nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
4743                 goto nla_put_failure;
4744         if ((survey->filled & SURVEY_INFO_CHANNEL_TIME) &&
4745             nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME,
4746                         survey->channel_time))
4747                 goto nla_put_failure;
4748         if ((survey->filled & SURVEY_INFO_CHANNEL_TIME_BUSY) &&
4749             nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_BUSY,
4750                         survey->channel_time_busy))
4751                 goto nla_put_failure;
4752         if ((survey->filled & SURVEY_INFO_CHANNEL_TIME_EXT_BUSY) &&
4753             nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_EXT_BUSY,
4754                         survey->channel_time_ext_busy))
4755                 goto nla_put_failure;
4756         if ((survey->filled & SURVEY_INFO_CHANNEL_TIME_RX) &&
4757             nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_RX,
4758                         survey->channel_time_rx))
4759                 goto nla_put_failure;
4760         if ((survey->filled & SURVEY_INFO_CHANNEL_TIME_TX) &&
4761             nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_TX,
4762                         survey->channel_time_tx))
4763                 goto nla_put_failure;
4764
4765         nla_nest_end(msg, infoattr);
4766
4767         return genlmsg_end(msg, hdr);
4768
4769  nla_put_failure:
4770         genlmsg_cancel(msg, hdr);
4771         return -EMSGSIZE;
4772 }
4773
4774 static int nl80211_dump_survey(struct sk_buff *skb,
4775                         struct netlink_callback *cb)
4776 {
4777         struct survey_info survey;
4778         struct cfg80211_registered_device *dev;
4779         struct net_device *netdev;
4780         int survey_idx = cb->args[1];
4781         int res;
4782
4783         res = nl80211_prepare_netdev_dump(skb, cb, &dev, &netdev);
4784         if (res)
4785                 return res;
4786
4787         if (!dev->ops->dump_survey) {
4788                 res = -EOPNOTSUPP;
4789                 goto out_err;
4790         }
4791
4792         while (1) {
4793                 struct ieee80211_channel *chan;
4794
4795                 res = dev->ops->dump_survey(&dev->wiphy, netdev, survey_idx,
4796                                             &survey);
4797                 if (res == -ENOENT)
4798                         break;
4799                 if (res)
4800                         goto out_err;
4801
4802                 /* Survey without a channel doesn't make sense */
4803                 if (!survey.channel) {
4804                         res = -EINVAL;
4805                         goto out;
4806                 }
4807
4808                 chan = ieee80211_get_channel(&dev->wiphy,
4809                                              survey.channel->center_freq);
4810                 if (!chan || chan->flags & IEEE80211_CHAN_DISABLED) {
4811                         survey_idx++;
4812                         continue;
4813                 }
4814
4815                 if (nl80211_send_survey(skb,
4816                                 NETLINK_CB(cb->skb).pid,
4817                                 cb->nlh->nlmsg_seq, NLM_F_MULTI,
4818                                 netdev,
4819                                 &survey) < 0)
4820                         goto out;
4821                 survey_idx++;
4822         }
4823
4824  out:
4825         cb->args[1] = survey_idx;
4826         res = skb->len;
4827  out_err:
4828         nl80211_finish_netdev_dump(dev);
4829         return res;
4830 }
4831
4832 static bool nl80211_valid_auth_type(enum nl80211_auth_type auth_type)
4833 {
4834         return auth_type <= NL80211_AUTHTYPE_MAX;
4835 }
4836
4837 static bool nl80211_valid_wpa_versions(u32 wpa_versions)
4838 {
4839         return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
4840                                   NL80211_WPA_VERSION_2));
4841 }
4842
4843 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
4844 {
4845         struct cfg80211_registered_device *rdev = info->user_ptr[0];
4846         struct net_device *dev = info->user_ptr[1];
4847         struct ieee80211_channel *chan;
4848         const u8 *bssid, *ssid, *ie = NULL;
4849         int err, ssid_len, ie_len = 0;
4850         enum nl80211_auth_type auth_type;
4851         struct key_parse key;
4852         bool local_state_change;
4853
4854         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
4855                 return -EINVAL;
4856
4857         if (!info->attrs[NL80211_ATTR_MAC])
4858                 return -EINVAL;
4859
4860         if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
4861                 return -EINVAL;
4862
4863         if (!info->attrs[NL80211_ATTR_SSID])
4864                 return -EINVAL;
4865
4866         if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
4867                 return -EINVAL;
4868
4869         err = nl80211_parse_key(info, &key);
4870         if (err)
4871                 return err;
4872
4873         if (key.idx >= 0) {
4874                 if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
4875                         return -EINVAL;
4876                 if (!key.p.key || !key.p.key_len)
4877                         return -EINVAL;
4878                 if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
4879                      key.p.key_len != WLAN_KEY_LEN_WEP40) &&
4880                     (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
4881                      key.p.key_len != WLAN_KEY_LEN_WEP104))
4882                         return -EINVAL;
4883                 if (key.idx > 4)
4884                         return -EINVAL;
4885         } else {
4886                 key.p.key_len = 0;
4887                 key.p.key = NULL;
4888         }
4889
4890         if (key.idx >= 0) {
4891                 int i;
4892                 bool ok = false;
4893                 for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
4894                         if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
4895                                 ok = true;
4896                                 break;
4897                         }
4898                 }
4899                 if (!ok)
4900                         return -EINVAL;
4901         }
4902
4903         if (!rdev->ops->auth)
4904                 return -EOPNOTSUPP;
4905
4906         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
4907             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
4908                 return -EOPNOTSUPP;
4909
4910         bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
4911         chan = ieee80211_get_channel(&rdev->wiphy,
4912                 nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
4913         if (!chan || (chan->flags & IEEE80211_CHAN_DISABLED))
4914                 return -EINVAL;
4915
4916         ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
4917         ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
4918
4919         if (info->attrs[NL80211_ATTR_IE]) {
4920                 ie = nla_data(info->attrs[NL80211_ATTR_IE]);
4921                 ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
4922         }
4923
4924         auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
4925         if (!nl80211_valid_auth_type(auth_type))
4926                 return -EINVAL;
4927
4928         local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
4929
4930         /*
4931          * Since we no longer track auth state, ignore
4932          * requests to only change local state.
4933          */
4934         if (local_state_change)
4935                 return 0;
4936
4937         return cfg80211_mlme_auth(rdev, dev, chan, auth_type, bssid,
4938                                   ssid, ssid_len, ie, ie_len,
4939                                   key.p.key, key.p.key_len, key.idx);
4940 }
4941
4942 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
4943                                    struct genl_info *info,
4944                                    struct cfg80211_crypto_settings *settings,
4945                                    int cipher_limit)
4946 {
4947         memset(settings, 0, sizeof(*settings));
4948
4949         settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
4950
4951         if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
4952                 u16 proto;
4953                 proto = nla_get_u16(
4954                         info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
4955                 settings->control_port_ethertype = cpu_to_be16(proto);
4956                 if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
4957                     proto != ETH_P_PAE)
4958                         return -EINVAL;
4959                 if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
4960                         settings->control_port_no_encrypt = true;
4961         } else
4962                 settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
4963
4964         if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
4965                 void *data;
4966                 int len, i;
4967
4968                 data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
4969                 len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
4970                 settings->n_ciphers_pairwise = len / sizeof(u32);
4971
4972                 if (len % sizeof(u32))
4973                         return -EINVAL;
4974
4975                 if (settings->n_ciphers_pairwise > cipher_limit)
4976                         return -EINVAL;
4977
4978                 memcpy(settings->ciphers_pairwise, data, len);
4979
4980                 for (i = 0; i < settings->n_ciphers_pairwise; i++)
4981                         if (!cfg80211_supported_cipher_suite(
4982                                         &rdev->wiphy,
4983                                         settings->ciphers_pairwise[i]))
4984                                 return -EINVAL;
4985         }
4986
4987         if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
4988                 settings->cipher_group =
4989                         nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
4990                 if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
4991                                                      settings->cipher_group))
4992                         return -EINVAL;
4993         }
4994
4995         if (info->attrs[NL80211_ATTR_WPA_VERSIONS]) {
4996                 settings->wpa_versions =
4997                         nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
4998                 if (!nl80211_valid_wpa_versions(settings->wpa_versions))
4999                         return -EINVAL;
5000         }
5001
5002         if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
5003                 void *data;
5004                 int len;
5005
5006                 data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
5007                 len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
5008                 settings->n_akm_suites = len / sizeof(u32);
5009
5010                 if (len % sizeof(u32))
5011                         return -EINVAL;
5012
5013                 if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES)
5014                         return -EINVAL;
5015
5016                 memcpy(settings->akm_suites, data, len);
5017         }
5018
5019         return 0;
5020 }
5021
5022 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
5023 {
5024         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5025         struct net_device *dev = info->user_ptr[1];
5026         struct cfg80211_crypto_settings crypto;
5027         struct ieee80211_channel *chan;
5028         const u8 *bssid, *ssid, *ie = NULL, *prev_bssid = NULL;
5029         int err, ssid_len, ie_len = 0;
5030         bool use_mfp = false;
5031         u32 flags = 0;
5032         struct ieee80211_ht_cap *ht_capa = NULL;
5033         struct ieee80211_ht_cap *ht_capa_mask = NULL;
5034
5035         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
5036                 return -EINVAL;
5037
5038         if (!info->attrs[NL80211_ATTR_MAC] ||
5039             !info->attrs[NL80211_ATTR_SSID] ||
5040             !info->attrs[NL80211_ATTR_WIPHY_FREQ])
5041                 return -EINVAL;
5042
5043         if (!rdev->ops->assoc)
5044                 return -EOPNOTSUPP;
5045
5046         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
5047             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
5048                 return -EOPNOTSUPP;
5049
5050         bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
5051
5052         chan = ieee80211_get_channel(&rdev->wiphy,
5053                 nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
5054         if (!chan || (chan->flags & IEEE80211_CHAN_DISABLED))
5055                 return -EINVAL;
5056
5057         ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
5058         ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
5059
5060         if (info->attrs[NL80211_ATTR_IE]) {
5061                 ie = nla_data(info->attrs[NL80211_ATTR_IE]);
5062                 ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5063         }
5064
5065         if (info->attrs[NL80211_ATTR_USE_MFP]) {
5066                 enum nl80211_mfp mfp =
5067                         nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
5068                 if (mfp == NL80211_MFP_REQUIRED)
5069                         use_mfp = true;
5070                 else if (mfp != NL80211_MFP_NO)
5071                         return -EINVAL;
5072         }
5073
5074         if (info->attrs[NL80211_ATTR_PREV_BSSID])
5075                 prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
5076
5077         if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
5078                 flags |= ASSOC_REQ_DISABLE_HT;
5079
5080         if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
5081                 ht_capa_mask =
5082                         nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]);
5083
5084         if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
5085                 if (!ht_capa_mask)
5086                         return -EINVAL;
5087                 ht_capa = nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
5088         }
5089
5090         err = nl80211_crypto_settings(rdev, info, &crypto, 1);
5091         if (!err)
5092                 err = cfg80211_mlme_assoc(rdev, dev, chan, bssid, prev_bssid,
5093                                           ssid, ssid_len, ie, ie_len, use_mfp,
5094                                           &crypto, flags, ht_capa,
5095                                           ht_capa_mask);
5096
5097         return err;
5098 }
5099
5100 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
5101 {
5102         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5103         struct net_device *dev = info->user_ptr[1];
5104         const u8 *ie = NULL, *bssid;
5105         int ie_len = 0;
5106         u16 reason_code;
5107         bool local_state_change;
5108
5109         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
5110                 return -EINVAL;
5111
5112         if (!info->attrs[NL80211_ATTR_MAC])
5113                 return -EINVAL;
5114
5115         if (!info->attrs[NL80211_ATTR_REASON_CODE])
5116                 return -EINVAL;
5117
5118         if (!rdev->ops->deauth)
5119                 return -EOPNOTSUPP;
5120
5121         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
5122             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
5123                 return -EOPNOTSUPP;
5124
5125         bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
5126
5127         reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
5128         if (reason_code == 0) {
5129                 /* Reason Code 0 is reserved */
5130                 return -EINVAL;
5131         }
5132
5133         if (info->attrs[NL80211_ATTR_IE]) {
5134                 ie = nla_data(info->attrs[NL80211_ATTR_IE]);
5135                 ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5136         }
5137
5138         local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
5139
5140         return cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
5141                                     local_state_change);
5142 }
5143
5144 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
5145 {
5146         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5147         struct net_device *dev = info->user_ptr[1];
5148         const u8 *ie = NULL, *bssid;
5149         int ie_len = 0;
5150         u16 reason_code;
5151         bool local_state_change;
5152
5153         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
5154                 return -EINVAL;
5155
5156         if (!info->attrs[NL80211_ATTR_MAC])
5157                 return -EINVAL;
5158
5159         if (!info->attrs[NL80211_ATTR_REASON_CODE])
5160                 return -EINVAL;
5161
5162         if (!rdev->ops->disassoc)
5163                 return -EOPNOTSUPP;
5164
5165         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
5166             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
5167                 return -EOPNOTSUPP;
5168
5169         bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
5170
5171         reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
5172         if (reason_code == 0) {
5173                 /* Reason Code 0 is reserved */
5174                 return -EINVAL;
5175         }
5176
5177         if (info->attrs[NL80211_ATTR_IE]) {
5178                 ie = nla_data(info->attrs[NL80211_ATTR_IE]);
5179                 ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5180         }
5181
5182         local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
5183
5184         return cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
5185                                       local_state_change);
5186 }
5187
5188 static bool
5189 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
5190                          int mcast_rate[IEEE80211_NUM_BANDS],
5191                          int rateval)
5192 {
5193         struct wiphy *wiphy = &rdev->wiphy;
5194         bool found = false;
5195         int band, i;
5196
5197         for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
5198                 struct ieee80211_supported_band *sband;
5199
5200                 sband = wiphy->bands[band];
5201                 if (!sband)
5202                         continue;
5203
5204                 for (i = 0; i < sband->n_bitrates; i++) {
5205                         if (sband->bitrates[i].bitrate == rateval) {
5206                                 mcast_rate[band] = i + 1;
5207                                 found = true;
5208                                 break;
5209                         }
5210                 }
5211         }
5212
5213         return found;
5214 }
5215
5216 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
5217 {
5218         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5219         struct net_device *dev = info->user_ptr[1];
5220         struct cfg80211_ibss_params ibss;
5221         struct wiphy *wiphy;
5222         struct cfg80211_cached_keys *connkeys = NULL;
5223         int err;
5224
5225         memset(&ibss, 0, sizeof(ibss));
5226
5227         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
5228                 return -EINVAL;
5229
5230         if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
5231             !info->attrs[NL80211_ATTR_SSID] ||
5232             !nla_len(info->attrs[NL80211_ATTR_SSID]))
5233                 return -EINVAL;
5234
5235         ibss.beacon_interval = 100;
5236
5237         if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
5238                 ibss.beacon_interval =
5239                         nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
5240                 if (ibss.beacon_interval < 1 || ibss.beacon_interval > 10000)
5241                         return -EINVAL;
5242         }
5243
5244         if (!rdev->ops->join_ibss)
5245                 return -EOPNOTSUPP;
5246
5247         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
5248                 return -EOPNOTSUPP;
5249
5250         wiphy = &rdev->wiphy;
5251
5252         if (info->attrs[NL80211_ATTR_MAC]) {
5253                 ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
5254
5255                 if (!is_valid_ether_addr(ibss.bssid))
5256                         return -EINVAL;
5257         }
5258         ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
5259         ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
5260
5261         if (info->attrs[NL80211_ATTR_IE]) {
5262                 ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
5263                 ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5264         }
5265
5266         if (info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
5267                 enum nl80211_channel_type channel_type;
5268
5269                 if (!nl80211_valid_channel_type(info, &channel_type))
5270                         return -EINVAL;
5271
5272                 if (channel_type != NL80211_CHAN_NO_HT &&
5273                     !(wiphy->features & NL80211_FEATURE_HT_IBSS))
5274                         return -EINVAL;
5275
5276                 ibss.channel_type = channel_type;
5277         } else {
5278                 ibss.channel_type = NL80211_CHAN_NO_HT;
5279         }
5280
5281         ibss.channel = rdev_freq_to_chan(rdev,
5282                 nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]),
5283                 ibss.channel_type);
5284         if (!ibss.channel ||
5285             ibss.channel->flags & IEEE80211_CHAN_NO_IBSS ||
5286             ibss.channel->flags & IEEE80211_CHAN_DISABLED)
5287                 return -EINVAL;
5288
5289         /* Both channels should be able to initiate communication */
5290         if ((ibss.channel_type == NL80211_CHAN_HT40PLUS ||
5291              ibss.channel_type == NL80211_CHAN_HT40MINUS) &&
5292             !cfg80211_can_beacon_sec_chan(&rdev->wiphy, ibss.channel,
5293                                           ibss.channel_type))
5294                 return -EINVAL;
5295
5296         ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
5297         ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
5298
5299         if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
5300                 u8 *rates =
5301                         nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
5302                 int n_rates =
5303                         nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
5304                 struct ieee80211_supported_band *sband =
5305                         wiphy->bands[ibss.channel->band];
5306
5307                 err = ieee80211_get_ratemask(sband, rates, n_rates,
5308                                              &ibss.basic_rates);
5309                 if (err)
5310                         return err;
5311         }
5312
5313         if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
5314             !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
5315                         nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
5316                 return -EINVAL;
5317
5318         if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
5319                 connkeys = nl80211_parse_connkeys(rdev,
5320                                         info->attrs[NL80211_ATTR_KEYS]);
5321                 if (IS_ERR(connkeys))
5322                         return PTR_ERR(connkeys);
5323         }
5324
5325         ibss.control_port =
5326                 nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
5327
5328         err = cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
5329         if (err)
5330                 kfree(connkeys);
5331         return err;
5332 }
5333
5334 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
5335 {
5336         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5337         struct net_device *dev = info->user_ptr[1];
5338
5339         if (!rdev->ops->leave_ibss)
5340                 return -EOPNOTSUPP;
5341
5342         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
5343                 return -EOPNOTSUPP;
5344
5345         return cfg80211_leave_ibss(rdev, dev, false);
5346 }
5347
5348 #ifdef CONFIG_NL80211_TESTMODE
5349 static struct genl_multicast_group nl80211_testmode_mcgrp = {
5350         .name = "testmode",
5351 };
5352
5353 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
5354 {
5355         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5356         int err;
5357
5358         if (!info->attrs[NL80211_ATTR_TESTDATA])
5359                 return -EINVAL;
5360
5361         err = -EOPNOTSUPP;
5362         if (rdev->ops->testmode_cmd) {
5363                 rdev->testmode_info = info;
5364                 err = rdev->ops->testmode_cmd(&rdev->wiphy,
5365                                 nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
5366                                 nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
5367                 rdev->testmode_info = NULL;
5368         }
5369
5370         return err;
5371 }
5372
5373 static int nl80211_testmode_dump(struct sk_buff *skb,
5374                                  struct netlink_callback *cb)
5375 {
5376         struct cfg80211_registered_device *rdev;
5377         int err;
5378         long phy_idx;
5379         void *data = NULL;
5380         int data_len = 0;
5381
5382         if (cb->args[0]) {
5383                 /*
5384                  * 0 is a valid index, but not valid for args[0],
5385                  * so we need to offset by 1.
5386                  */
5387                 phy_idx = cb->args[0] - 1;
5388         } else {
5389                 err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
5390                                   nl80211_fam.attrbuf, nl80211_fam.maxattr,
5391                                   nl80211_policy);
5392                 if (err)
5393                         return err;
5394
5395                 mutex_lock(&cfg80211_mutex);
5396                 rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk),
5397                                                   nl80211_fam.attrbuf);
5398                 if (IS_ERR(rdev)) {
5399                         mutex_unlock(&cfg80211_mutex);
5400                         return PTR_ERR(rdev);
5401                 }
5402                 phy_idx = rdev->wiphy_idx;
5403                 rdev = NULL;
5404                 mutex_unlock(&cfg80211_mutex);
5405
5406                 if (nl80211_fam.attrbuf[NL80211_ATTR_TESTDATA])
5407                         cb->args[1] =
5408                                 (long)nl80211_fam.attrbuf[NL80211_ATTR_TESTDATA];
5409         }
5410
5411         if (cb->args[1]) {
5412                 data = nla_data((void *)cb->args[1]);
5413                 data_len = nla_len((void *)cb->args[1]);
5414         }
5415
5416         mutex_lock(&cfg80211_mutex);
5417         rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
5418         if (!rdev) {
5419                 mutex_unlock(&cfg80211_mutex);
5420                 return -ENOENT;
5421         }
5422         cfg80211_lock_rdev(rdev);
5423         mutex_unlock(&cfg80211_mutex);
5424
5425         if (!rdev->ops->testmode_dump) {
5426                 err = -EOPNOTSUPP;
5427                 goto out_err;
5428         }
5429
5430         while (1) {
5431                 void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).pid,
5432                                            cb->nlh->nlmsg_seq, NLM_F_MULTI,
5433                                            NL80211_CMD_TESTMODE);
5434                 struct nlattr *tmdata;
5435
5436                 if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
5437                         genlmsg_cancel(skb, hdr);
5438                         break;
5439                 }
5440
5441                 tmdata = nla_nest_start(skb, NL80211_ATTR_TESTDATA);
5442                 if (!tmdata) {
5443                         genlmsg_cancel(skb, hdr);
5444                         break;
5445                 }
5446                 err = rdev->ops->testmode_dump(&rdev->wiphy, skb, cb,
5447                                                data, data_len);
5448                 nla_nest_end(skb, tmdata);
5449
5450                 if (err == -ENOBUFS || err == -ENOENT) {
5451                         genlmsg_cancel(skb, hdr);
5452                         break;
5453                 } else if (err) {
5454                         genlmsg_cancel(skb, hdr);
5455                         goto out_err;
5456                 }
5457
5458                 genlmsg_end(skb, hdr);
5459         }
5460
5461         err = skb->len;
5462         /* see above */
5463         cb->args[0] = phy_idx + 1;
5464  out_err:
5465         cfg80211_unlock_rdev(rdev);
5466         return err;
5467 }
5468
5469 static struct sk_buff *
5470 __cfg80211_testmode_alloc_skb(struct cfg80211_registered_device *rdev,
5471                               int approxlen, u32 pid, u32 seq, gfp_t gfp)
5472 {
5473         struct sk_buff *skb;
5474         void *hdr;
5475         struct nlattr *data;
5476
5477         skb = nlmsg_new(approxlen + 100, gfp);
5478         if (!skb)
5479                 return NULL;
5480
5481         hdr = nl80211hdr_put(skb, pid, seq, 0, NL80211_CMD_TESTMODE);
5482         if (!hdr) {
5483                 kfree_skb(skb);
5484                 return NULL;
5485         }
5486
5487         if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
5488                 goto nla_put_failure;
5489         data = nla_nest_start(skb, NL80211_ATTR_TESTDATA);
5490
5491         ((void **)skb->cb)[0] = rdev;
5492         ((void **)skb->cb)[1] = hdr;
5493         ((void **)skb->cb)[2] = data;
5494
5495         return skb;
5496
5497  nla_put_failure:
5498         kfree_skb(skb);
5499         return NULL;
5500 }
5501
5502 struct sk_buff *cfg80211_testmode_alloc_reply_skb(struct wiphy *wiphy,
5503                                                   int approxlen)
5504 {
5505         struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
5506
5507         if (WARN_ON(!rdev->testmode_info))
5508                 return NULL;
5509
5510         return __cfg80211_testmode_alloc_skb(rdev, approxlen,
5511                                 rdev->testmode_info->snd_pid,
5512                                 rdev->testmode_info->snd_seq,
5513                                 GFP_KERNEL);
5514 }
5515 EXPORT_SYMBOL(cfg80211_testmode_alloc_reply_skb);
5516
5517 int cfg80211_testmode_reply(struct sk_buff *skb)
5518 {
5519         struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
5520         void *hdr = ((void **)skb->cb)[1];
5521         struct nlattr *data = ((void **)skb->cb)[2];
5522
5523         if (WARN_ON(!rdev->testmode_info)) {
5524                 kfree_skb(skb);
5525                 return -EINVAL;
5526         }
5527
5528         nla_nest_end(skb, data);
5529         genlmsg_end(skb, hdr);
5530         return genlmsg_reply(skb, rdev->testmode_info);
5531 }
5532 EXPORT_SYMBOL(cfg80211_testmode_reply);
5533
5534 struct sk_buff *cfg80211_testmode_alloc_event_skb(struct wiphy *wiphy,
5535                                                   int approxlen, gfp_t gfp)
5536 {
5537         struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
5538
5539         return __cfg80211_testmode_alloc_skb(rdev, approxlen, 0, 0, gfp);
5540 }
5541 EXPORT_SYMBOL(cfg80211_testmode_alloc_event_skb);
5542
5543 void cfg80211_testmode_event(struct sk_buff *skb, gfp_t gfp)
5544 {
5545         void *hdr = ((void **)skb->cb)[1];
5546         struct nlattr *data = ((void **)skb->cb)[2];
5547
5548         nla_nest_end(skb, data);
5549         genlmsg_end(skb, hdr);
5550         genlmsg_multicast(skb, 0, nl80211_testmode_mcgrp.id, gfp);
5551 }
5552 EXPORT_SYMBOL(cfg80211_testmode_event);
5553 #endif
5554
5555 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
5556 {
5557         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5558         struct net_device *dev = info->user_ptr[1];
5559         struct cfg80211_connect_params connect;
5560         struct wiphy *wiphy;
5561         struct cfg80211_cached_keys *connkeys = NULL;
5562         int err;
5563
5564         memset(&connect, 0, sizeof(connect));
5565
5566         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
5567                 return -EINVAL;
5568
5569         if (!info->attrs[NL80211_ATTR_SSID] ||
5570             !nla_len(info->attrs[NL80211_ATTR_SSID]))
5571                 return -EINVAL;
5572
5573         if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
5574                 connect.auth_type =
5575                         nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
5576                 if (!nl80211_valid_auth_type(connect.auth_type))
5577                         return -EINVAL;
5578         } else
5579                 connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
5580
5581         connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
5582
5583         err = nl80211_crypto_settings(rdev, info, &connect.crypto,
5584                                       NL80211_MAX_NR_CIPHER_SUITES);
5585         if (err)
5586                 return err;
5587
5588         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
5589             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
5590                 return -EOPNOTSUPP;
5591
5592         wiphy = &rdev->wiphy;
5593
5594         connect.bg_scan_period = -1;
5595         if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
5596                 (wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
5597                 connect.bg_scan_period =
5598                         nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
5599         }
5600
5601         if (info->attrs[NL80211_ATTR_MAC])
5602                 connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
5603         connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
5604         connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
5605
5606         if (info->attrs[NL80211_ATTR_IE]) {
5607                 connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
5608                 connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5609         }
5610
5611         if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
5612                 connect.channel =
5613                         ieee80211_get_channel(wiphy,
5614                             nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
5615                 if (!connect.channel ||
5616                     connect.channel->flags & IEEE80211_CHAN_DISABLED)
5617                         return -EINVAL;
5618         }
5619
5620         if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
5621                 connkeys = nl80211_parse_connkeys(rdev,
5622                                         info->attrs[NL80211_ATTR_KEYS]);
5623                 if (IS_ERR(connkeys))
5624                         return PTR_ERR(connkeys);
5625         }
5626
5627         if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
5628                 connect.flags |= ASSOC_REQ_DISABLE_HT;
5629
5630         if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
5631                 memcpy(&connect.ht_capa_mask,
5632                        nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
5633                        sizeof(connect.ht_capa_mask));
5634
5635         if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
5636                 if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
5637                         return -EINVAL;
5638                 memcpy(&connect.ht_capa,
5639                        nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
5640                        sizeof(connect.ht_capa));
5641         }
5642
5643         err = cfg80211_connect(rdev, dev, &connect, connkeys);
5644         if (err)
5645                 kfree(connkeys);
5646         return err;
5647 }
5648
5649 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
5650 {
5651         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5652         struct net_device *dev = info->user_ptr[1];
5653         u16 reason;
5654
5655         if (!info->attrs[NL80211_ATTR_REASON_CODE])
5656                 reason = WLAN_REASON_DEAUTH_LEAVING;
5657         else
5658                 reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
5659
5660         if (reason == 0)
5661                 return -EINVAL;
5662
5663         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
5664             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
5665                 return -EOPNOTSUPP;
5666
5667         return cfg80211_disconnect(rdev, dev, reason, true);
5668 }
5669
5670 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
5671 {
5672         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5673         struct net *net;
5674         int err;
5675         u32 pid;
5676
5677         if (!info->attrs[NL80211_ATTR_PID])
5678                 return -EINVAL;
5679
5680         pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
5681
5682         net = get_net_ns_by_pid(pid);
5683         if (IS_ERR(net))
5684                 return PTR_ERR(net);
5685
5686         err = 0;
5687
5688         /* check if anything to do */
5689         if (!net_eq(wiphy_net(&rdev->wiphy), net))
5690                 err = cfg80211_switch_netns(rdev, net);
5691
5692         put_net(net);
5693         return err;
5694 }
5695
5696 static int nl80211_setdel_pmksa(struct sk_buff *skb, struct genl_info *info)
5697 {
5698         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5699         int (*rdev_ops)(struct wiphy *wiphy, struct net_device *dev,
5700                         struct cfg80211_pmksa *pmksa) = NULL;
5701         struct net_device *dev = info->user_ptr[1];
5702         struct cfg80211_pmksa pmksa;
5703
5704         memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
5705
5706         if (!info->attrs[NL80211_ATTR_MAC])
5707                 return -EINVAL;
5708
5709         if (!info->attrs[NL80211_ATTR_PMKID])
5710                 return -EINVAL;
5711
5712         pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
5713         pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
5714
5715         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
5716             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
5717                 return -EOPNOTSUPP;
5718
5719         switch (info->genlhdr->cmd) {
5720         case NL80211_CMD_SET_PMKSA:
5721                 rdev_ops = rdev->ops->set_pmksa;
5722                 break;
5723         case NL80211_CMD_DEL_PMKSA:
5724                 rdev_ops = rdev->ops->del_pmksa;
5725                 break;
5726         default:
5727                 WARN_ON(1);
5728                 break;
5729         }
5730
5731         if (!rdev_ops)
5732                 return -EOPNOTSUPP;
5733
5734         return rdev_ops(&rdev->wiphy, dev, &pmksa);
5735 }
5736
5737 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
5738 {
5739         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5740         struct net_device *dev = info->user_ptr[1];
5741
5742         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
5743             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
5744                 return -EOPNOTSUPP;
5745
5746         if (!rdev->ops->flush_pmksa)
5747                 return -EOPNOTSUPP;
5748
5749         return rdev->ops->flush_pmksa(&rdev->wiphy, dev);
5750 }
5751
5752 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
5753 {
5754         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5755         struct net_device *dev = info->user_ptr[1];
5756         u8 action_code, dialog_token;
5757         u16 status_code;
5758         u8 *peer;
5759
5760         if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
5761             !rdev->ops->tdls_mgmt)
5762                 return -EOPNOTSUPP;
5763
5764         if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
5765             !info->attrs[NL80211_ATTR_STATUS_CODE] ||
5766             !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
5767             !info->attrs[NL80211_ATTR_IE] ||
5768             !info->attrs[NL80211_ATTR_MAC])
5769                 return -EINVAL;
5770
5771         peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
5772         action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
5773         status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
5774         dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
5775
5776         return rdev->ops->tdls_mgmt(&rdev->wiphy, dev, peer, action_code,
5777                                     dialog_token, status_code,
5778                                     nla_data(info->attrs[NL80211_ATTR_IE]),
5779                                     nla_len(info->attrs[NL80211_ATTR_IE]));
5780 }
5781
5782 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
5783 {
5784         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5785         struct net_device *dev = info->user_ptr[1];
5786         enum nl80211_tdls_operation operation;
5787         u8 *peer;
5788
5789         if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
5790             !rdev->ops->tdls_oper)
5791                 return -EOPNOTSUPP;
5792
5793         if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
5794             !info->attrs[NL80211_ATTR_MAC])
5795                 return -EINVAL;
5796
5797         operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
5798         peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
5799
5800         return rdev->ops->tdls_oper(&rdev->wiphy, dev, peer, operation);
5801 }
5802
5803 static int nl80211_remain_on_channel(struct sk_buff *skb,
5804                                      struct genl_info *info)
5805 {
5806         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5807         struct wireless_dev *wdev = info->user_ptr[1];
5808         struct ieee80211_channel *chan;
5809         struct sk_buff *msg;
5810         void *hdr;
5811         u64 cookie;
5812         enum nl80211_channel_type channel_type = NL80211_CHAN_NO_HT;
5813         u32 freq, duration;
5814         int err;
5815
5816         if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
5817             !info->attrs[NL80211_ATTR_DURATION])
5818                 return -EINVAL;
5819
5820         duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
5821
5822         if (!rdev->ops->remain_on_channel ||
5823             !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
5824                 return -EOPNOTSUPP;
5825
5826         /*
5827          * We should be on that channel for at least a minimum amount of
5828          * time (10ms) but no longer than the driver supports.
5829          */
5830         if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
5831             duration > rdev->wiphy.max_remain_on_channel_duration)
5832                 return -EINVAL;
5833
5834         if (info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE] &&
5835             !nl80211_valid_channel_type(info, &channel_type))
5836                 return -EINVAL;
5837
5838         freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]);
5839         chan = rdev_freq_to_chan(rdev, freq, channel_type);
5840         if (chan == NULL)
5841                 return -EINVAL;
5842
5843         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5844         if (!msg)
5845        &