9b0a3b8fd20a890f38209c69e43733b221bb18d5
[linux-3.10.git] / net / wireless / nl80211.c
1 /*
2  * This is the new netlink-based wireless configuration interface.
3  *
4  * Copyright 2006-2010  Johannes Berg <johannes@sipsolutions.net>
5  */
6
7 #include <linux/if.h>
8 #include <linux/module.h>
9 #include <linux/err.h>
10 #include <linux/slab.h>
11 #include <linux/list.h>
12 #include <linux/if_ether.h>
13 #include <linux/ieee80211.h>
14 #include <linux/nl80211.h>
15 #include <linux/rtnetlink.h>
16 #include <linux/netlink.h>
17 #include <linux/etherdevice.h>
18 #include <net/net_namespace.h>
19 #include <net/genetlink.h>
20 #include <net/cfg80211.h>
21 #include <net/sock.h>
22 #include "core.h"
23 #include "nl80211.h"
24 #include "reg.h"
25 #include "rdev-ops.h"
26
27 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
28                                    struct genl_info *info,
29                                    struct cfg80211_crypto_settings *settings,
30                                    int cipher_limit);
31
32 static int nl80211_pre_doit(struct genl_ops *ops, struct sk_buff *skb,
33                             struct genl_info *info);
34 static void nl80211_post_doit(struct genl_ops *ops, struct sk_buff *skb,
35                               struct genl_info *info);
36
37 /* the netlink family */
38 static struct genl_family nl80211_fam = {
39         .id = GENL_ID_GENERATE, /* don't bother with a hardcoded ID */
40         .name = "nl80211",      /* have users key off the name instead */
41         .hdrsize = 0,           /* no private header */
42         .version = 1,           /* no particular meaning now */
43         .maxattr = NL80211_ATTR_MAX,
44         .netnsok = true,
45         .pre_doit = nl80211_pre_doit,
46         .post_doit = nl80211_post_doit,
47 };
48
49 /* returns ERR_PTR values */
50 static struct wireless_dev *
51 __cfg80211_wdev_from_attrs(struct net *netns, struct nlattr **attrs)
52 {
53         struct cfg80211_registered_device *rdev;
54         struct wireless_dev *result = NULL;
55         bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
56         bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
57         u64 wdev_id;
58         int wiphy_idx = -1;
59         int ifidx = -1;
60
61         assert_cfg80211_lock();
62
63         if (!have_ifidx && !have_wdev_id)
64                 return ERR_PTR(-EINVAL);
65
66         if (have_ifidx)
67                 ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
68         if (have_wdev_id) {
69                 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
70                 wiphy_idx = wdev_id >> 32;
71         }
72
73         list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
74                 struct wireless_dev *wdev;
75
76                 if (wiphy_net(&rdev->wiphy) != netns)
77                         continue;
78
79                 if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
80                         continue;
81
82                 mutex_lock(&rdev->devlist_mtx);
83                 list_for_each_entry(wdev, &rdev->wdev_list, list) {
84                         if (have_ifidx && wdev->netdev &&
85                             wdev->netdev->ifindex == ifidx) {
86                                 result = wdev;
87                                 break;
88                         }
89                         if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
90                                 result = wdev;
91                                 break;
92                         }
93                 }
94                 mutex_unlock(&rdev->devlist_mtx);
95
96                 if (result)
97                         break;
98         }
99
100         if (result)
101                 return result;
102         return ERR_PTR(-ENODEV);
103 }
104
105 static struct cfg80211_registered_device *
106 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
107 {
108         struct cfg80211_registered_device *rdev = NULL, *tmp;
109         struct net_device *netdev;
110
111         assert_cfg80211_lock();
112
113         if (!attrs[NL80211_ATTR_WIPHY] &&
114             !attrs[NL80211_ATTR_IFINDEX] &&
115             !attrs[NL80211_ATTR_WDEV])
116                 return ERR_PTR(-EINVAL);
117
118         if (attrs[NL80211_ATTR_WIPHY])
119                 rdev = cfg80211_rdev_by_wiphy_idx(
120                                 nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
121
122         if (attrs[NL80211_ATTR_WDEV]) {
123                 u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
124                 struct wireless_dev *wdev;
125                 bool found = false;
126
127                 tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
128                 if (tmp) {
129                         /* make sure wdev exists */
130                         mutex_lock(&tmp->devlist_mtx);
131                         list_for_each_entry(wdev, &tmp->wdev_list, list) {
132                                 if (wdev->identifier != (u32)wdev_id)
133                                         continue;
134                                 found = true;
135                                 break;
136                         }
137                         mutex_unlock(&tmp->devlist_mtx);
138
139                         if (!found)
140                                 tmp = NULL;
141
142                         if (rdev && tmp != rdev)
143                                 return ERR_PTR(-EINVAL);
144                         rdev = tmp;
145                 }
146         }
147
148         if (attrs[NL80211_ATTR_IFINDEX]) {
149                 int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
150                 netdev = dev_get_by_index(netns, ifindex);
151                 if (netdev) {
152                         if (netdev->ieee80211_ptr)
153                                 tmp = wiphy_to_dev(
154                                                 netdev->ieee80211_ptr->wiphy);
155                         else
156                                 tmp = NULL;
157
158                         dev_put(netdev);
159
160                         /* not wireless device -- return error */
161                         if (!tmp)
162                                 return ERR_PTR(-EINVAL);
163
164                         /* mismatch -- return error */
165                         if (rdev && tmp != rdev)
166                                 return ERR_PTR(-EINVAL);
167
168                         rdev = tmp;
169                 }
170         }
171
172         if (!rdev)
173                 return ERR_PTR(-ENODEV);
174
175         if (netns != wiphy_net(&rdev->wiphy))
176                 return ERR_PTR(-ENODEV);
177
178         return rdev;
179 }
180
181 /*
182  * This function returns a pointer to the driver
183  * that the genl_info item that is passed refers to.
184  * If successful, it returns non-NULL and also locks
185  * the driver's mutex!
186  *
187  * This means that you need to call cfg80211_unlock_rdev()
188  * before being allowed to acquire &cfg80211_mutex!
189  *
190  * This is necessary because we need to lock the global
191  * mutex to get an item off the list safely, and then
192  * we lock the rdev mutex so it doesn't go away under us.
193  *
194  * We don't want to keep cfg80211_mutex locked
195  * for all the time in order to allow requests on
196  * other interfaces to go through at the same time.
197  *
198  * The result of this can be a PTR_ERR and hence must
199  * be checked with IS_ERR() for errors.
200  */
201 static struct cfg80211_registered_device *
202 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
203 {
204         struct cfg80211_registered_device *rdev;
205
206         mutex_lock(&cfg80211_mutex);
207         rdev = __cfg80211_rdev_from_attrs(netns, info->attrs);
208
209         /* if it is not an error we grab the lock on
210          * it to assure it won't be going away while
211          * we operate on it */
212         if (!IS_ERR(rdev))
213                 mutex_lock(&rdev->mtx);
214
215         mutex_unlock(&cfg80211_mutex);
216
217         return rdev;
218 }
219
220 /* policy for the attributes */
221 static const struct nla_policy nl80211_policy[NL80211_ATTR_MAX+1] = {
222         [NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
223         [NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
224                                       .len = 20-1 },
225         [NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
226         [NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
227         [NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
228         [NL80211_ATTR_WIPHY_RETRY_SHORT] = { .type = NLA_U8 },
229         [NL80211_ATTR_WIPHY_RETRY_LONG] = { .type = NLA_U8 },
230         [NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
231         [NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
232         [NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
233
234         [NL80211_ATTR_IFTYPE] = { .type = NLA_U32 },
235         [NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
236         [NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
237
238         [NL80211_ATTR_MAC] = { .len = ETH_ALEN },
239         [NL80211_ATTR_PREV_BSSID] = { .len = ETH_ALEN },
240
241         [NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
242         [NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
243                                     .len = WLAN_MAX_KEY_LEN },
244         [NL80211_ATTR_KEY_IDX] = { .type = NLA_U8 },
245         [NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
246         [NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
247         [NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
248         [NL80211_ATTR_KEY_TYPE] = { .type = NLA_U32 },
249
250         [NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
251         [NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
252         [NL80211_ATTR_BEACON_HEAD] = { .type = NLA_BINARY,
253                                        .len = IEEE80211_MAX_DATA_LEN },
254         [NL80211_ATTR_BEACON_TAIL] = { .type = NLA_BINARY,
255                                        .len = IEEE80211_MAX_DATA_LEN },
256         [NL80211_ATTR_STA_AID] = { .type = NLA_U16 },
257         [NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
258         [NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
259         [NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
260                                                .len = NL80211_MAX_SUPP_RATES },
261         [NL80211_ATTR_STA_PLINK_ACTION] = { .type = NLA_U8 },
262         [NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
263         [NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
264         [NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
265                                    .len = IEEE80211_MAX_MESH_ID_LEN },
266         [NL80211_ATTR_MPATH_NEXT_HOP] = { .type = NLA_U32 },
267
268         [NL80211_ATTR_REG_ALPHA2] = { .type = NLA_STRING, .len = 2 },
269         [NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
270
271         [NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
272         [NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
273         [NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
274         [NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
275                                            .len = NL80211_MAX_SUPP_RATES },
276         [NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
277
278         [NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
279         [NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
280
281         [NL80211_ATTR_HT_CAPABILITY] = { .len = NL80211_HT_CAPABILITY_LEN },
282
283         [NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
284         [NL80211_ATTR_IE] = { .type = NLA_BINARY,
285                               .len = IEEE80211_MAX_DATA_LEN },
286         [NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
287         [NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
288
289         [NL80211_ATTR_SSID] = { .type = NLA_BINARY,
290                                 .len = IEEE80211_MAX_SSID_LEN },
291         [NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
292         [NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
293         [NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
294         [NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
295         [NL80211_ATTR_USE_MFP] = { .type = NLA_U32 },
296         [NL80211_ATTR_STA_FLAGS2] = {
297                 .len = sizeof(struct nl80211_sta_flag_update),
298         },
299         [NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
300         [NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
301         [NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
302         [NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
303         [NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
304         [NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
305         [NL80211_ATTR_PID] = { .type = NLA_U32 },
306         [NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
307         [NL80211_ATTR_PMKID] = { .type = NLA_BINARY,
308                                  .len = WLAN_PMKID_LEN },
309         [NL80211_ATTR_DURATION] = { .type = NLA_U32 },
310         [NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
311         [NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
312         [NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
313                                  .len = IEEE80211_MAX_DATA_LEN },
314         [NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
315         [NL80211_ATTR_PS_STATE] = { .type = NLA_U32 },
316         [NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
317         [NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
318         [NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
319         [NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
320         [NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
321         [NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
322         [NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
323         [NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
324         [NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
325         [NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
326         [NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
327         [NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
328         [NL80211_ATTR_STA_PLINK_STATE] = { .type = NLA_U8 },
329         [NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
330         [NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
331         [NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
332         [NL80211_ATTR_HIDDEN_SSID] = { .type = NLA_U32 },
333         [NL80211_ATTR_IE_PROBE_RESP] = { .type = NLA_BINARY,
334                                          .len = IEEE80211_MAX_DATA_LEN },
335         [NL80211_ATTR_IE_ASSOC_RESP] = { .type = NLA_BINARY,
336                                          .len = IEEE80211_MAX_DATA_LEN },
337         [NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
338         [NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
339         [NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
340         [NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
341         [NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
342         [NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
343         [NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
344         [NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
345         [NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
346         [NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
347                                       .len = IEEE80211_MAX_DATA_LEN },
348         [NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
349         [NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
350         [NL80211_ATTR_HT_CAPABILITY_MASK] = {
351                 .len = NL80211_HT_CAPABILITY_LEN
352         },
353         [NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
354         [NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
355         [NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
356         [NL80211_ATTR_WDEV] = { .type = NLA_U64 },
357         [NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
358         [NL80211_ATTR_SAE_DATA] = { .type = NLA_BINARY, },
359         [NL80211_ATTR_VHT_CAPABILITY] = { .len = NL80211_VHT_CAPABILITY_LEN },
360         [NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
361 };
362
363 /* policy for the key attributes */
364 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
365         [NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
366         [NL80211_KEY_IDX] = { .type = NLA_U8 },
367         [NL80211_KEY_CIPHER] = { .type = NLA_U32 },
368         [NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
369         [NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
370         [NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
371         [NL80211_KEY_TYPE] = { .type = NLA_U32 },
372         [NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
373 };
374
375 /* policy for the key default flags */
376 static const struct nla_policy
377 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
378         [NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
379         [NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
380 };
381
382 /* policy for WoWLAN attributes */
383 static const struct nla_policy
384 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
385         [NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
386         [NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
387         [NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
388         [NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
389         [NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
390         [NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
391         [NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
392         [NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
393 };
394
395 /* policy for GTK rekey offload attributes */
396 static const struct nla_policy
397 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
398         [NL80211_REKEY_DATA_KEK] = { .len = NL80211_KEK_LEN },
399         [NL80211_REKEY_DATA_KCK] = { .len = NL80211_KCK_LEN },
400         [NL80211_REKEY_DATA_REPLAY_CTR] = { .len = NL80211_REPLAY_CTR_LEN },
401 };
402
403 static const struct nla_policy
404 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
405         [NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
406                                                  .len = IEEE80211_MAX_SSID_LEN },
407         [NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
408 };
409
410 /* ifidx get helper */
411 static int nl80211_get_ifidx(struct netlink_callback *cb)
412 {
413         int res;
414
415         res = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
416                           nl80211_fam.attrbuf, nl80211_fam.maxattr,
417                           nl80211_policy);
418         if (res)
419                 return res;
420
421         if (!nl80211_fam.attrbuf[NL80211_ATTR_IFINDEX])
422                 return -EINVAL;
423
424         res = nla_get_u32(nl80211_fam.attrbuf[NL80211_ATTR_IFINDEX]);
425         if (!res)
426                 return -EINVAL;
427         return res;
428 }
429
430 static int nl80211_prepare_netdev_dump(struct sk_buff *skb,
431                                        struct netlink_callback *cb,
432                                        struct cfg80211_registered_device **rdev,
433                                        struct net_device **dev)
434 {
435         int ifidx = cb->args[0];
436         int err;
437
438         if (!ifidx)
439                 ifidx = nl80211_get_ifidx(cb);
440         if (ifidx < 0)
441                 return ifidx;
442
443         cb->args[0] = ifidx;
444
445         rtnl_lock();
446
447         *dev = __dev_get_by_index(sock_net(skb->sk), ifidx);
448         if (!*dev) {
449                 err = -ENODEV;
450                 goto out_rtnl;
451         }
452
453         *rdev = cfg80211_get_dev_from_ifindex(sock_net(skb->sk), ifidx);
454         if (IS_ERR(*rdev)) {
455                 err = PTR_ERR(*rdev);
456                 goto out_rtnl;
457         }
458
459         return 0;
460  out_rtnl:
461         rtnl_unlock();
462         return err;
463 }
464
465 static void nl80211_finish_netdev_dump(struct cfg80211_registered_device *rdev)
466 {
467         cfg80211_unlock_rdev(rdev);
468         rtnl_unlock();
469 }
470
471 /* IE validation */
472 static bool is_valid_ie_attr(const struct nlattr *attr)
473 {
474         const u8 *pos;
475         int len;
476
477         if (!attr)
478                 return true;
479
480         pos = nla_data(attr);
481         len = nla_len(attr);
482
483         while (len) {
484                 u8 elemlen;
485
486                 if (len < 2)
487                         return false;
488                 len -= 2;
489
490                 elemlen = pos[1];
491                 if (elemlen > len)
492                         return false;
493
494                 len -= elemlen;
495                 pos += 2 + elemlen;
496         }
497
498         return true;
499 }
500
501 /* message building helper */
502 static inline void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
503                                    int flags, u8 cmd)
504 {
505         /* since there is no private header just add the generic one */
506         return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
507 }
508
509 static int nl80211_msg_put_channel(struct sk_buff *msg,
510                                    struct ieee80211_channel *chan)
511 {
512         if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
513                         chan->center_freq))
514                 goto nla_put_failure;
515
516         if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
517             nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
518                 goto nla_put_failure;
519         if ((chan->flags & IEEE80211_CHAN_PASSIVE_SCAN) &&
520             nla_put_flag(msg, NL80211_FREQUENCY_ATTR_PASSIVE_SCAN))
521                 goto nla_put_failure;
522         if ((chan->flags & IEEE80211_CHAN_NO_IBSS) &&
523             nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IBSS))
524                 goto nla_put_failure;
525         if ((chan->flags & IEEE80211_CHAN_RADAR) &&
526             nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
527                 goto nla_put_failure;
528
529         if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
530                         DBM_TO_MBM(chan->max_power)))
531                 goto nla_put_failure;
532
533         return 0;
534
535  nla_put_failure:
536         return -ENOBUFS;
537 }
538
539 /* netlink command implementations */
540
541 struct key_parse {
542         struct key_params p;
543         int idx;
544         int type;
545         bool def, defmgmt;
546         bool def_uni, def_multi;
547 };
548
549 static int nl80211_parse_key_new(struct nlattr *key, struct key_parse *k)
550 {
551         struct nlattr *tb[NL80211_KEY_MAX + 1];
552         int err = nla_parse_nested(tb, NL80211_KEY_MAX, key,
553                                    nl80211_key_policy);
554         if (err)
555                 return err;
556
557         k->def = !!tb[NL80211_KEY_DEFAULT];
558         k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
559
560         if (k->def) {
561                 k->def_uni = true;
562                 k->def_multi = true;
563         }
564         if (k->defmgmt)
565                 k->def_multi = true;
566
567         if (tb[NL80211_KEY_IDX])
568                 k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
569
570         if (tb[NL80211_KEY_DATA]) {
571                 k->p.key = nla_data(tb[NL80211_KEY_DATA]);
572                 k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
573         }
574
575         if (tb[NL80211_KEY_SEQ]) {
576                 k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
577                 k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
578         }
579
580         if (tb[NL80211_KEY_CIPHER])
581                 k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
582
583         if (tb[NL80211_KEY_TYPE]) {
584                 k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
585                 if (k->type < 0 || k->type >= NUM_NL80211_KEYTYPES)
586                         return -EINVAL;
587         }
588
589         if (tb[NL80211_KEY_DEFAULT_TYPES]) {
590                 struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
591                 err = nla_parse_nested(kdt, NUM_NL80211_KEY_DEFAULT_TYPES - 1,
592                                        tb[NL80211_KEY_DEFAULT_TYPES],
593                                        nl80211_key_default_policy);
594                 if (err)
595                         return err;
596
597                 k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
598                 k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
599         }
600
601         return 0;
602 }
603
604 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
605 {
606         if (info->attrs[NL80211_ATTR_KEY_DATA]) {
607                 k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
608                 k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
609         }
610
611         if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
612                 k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
613                 k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
614         }
615
616         if (info->attrs[NL80211_ATTR_KEY_IDX])
617                 k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
618
619         if (info->attrs[NL80211_ATTR_KEY_CIPHER])
620                 k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
621
622         k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
623         k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
624
625         if (k->def) {
626                 k->def_uni = true;
627                 k->def_multi = true;
628         }
629         if (k->defmgmt)
630                 k->def_multi = true;
631
632         if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
633                 k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
634                 if (k->type < 0 || k->type >= NUM_NL80211_KEYTYPES)
635                         return -EINVAL;
636         }
637
638         if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
639                 struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
640                 int err = nla_parse_nested(
641                                 kdt, NUM_NL80211_KEY_DEFAULT_TYPES - 1,
642                                 info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
643                                 nl80211_key_default_policy);
644                 if (err)
645                         return err;
646
647                 k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
648                 k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
649         }
650
651         return 0;
652 }
653
654 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
655 {
656         int err;
657
658         memset(k, 0, sizeof(*k));
659         k->idx = -1;
660         k->type = -1;
661
662         if (info->attrs[NL80211_ATTR_KEY])
663                 err = nl80211_parse_key_new(info->attrs[NL80211_ATTR_KEY], k);
664         else
665                 err = nl80211_parse_key_old(info, k);
666
667         if (err)
668                 return err;
669
670         if (k->def && k->defmgmt)
671                 return -EINVAL;
672
673         if (k->defmgmt) {
674                 if (k->def_uni || !k->def_multi)
675                         return -EINVAL;
676         }
677
678         if (k->idx != -1) {
679                 if (k->defmgmt) {
680                         if (k->idx < 4 || k->idx > 5)
681                                 return -EINVAL;
682                 } else if (k->def) {
683                         if (k->idx < 0 || k->idx > 3)
684                                 return -EINVAL;
685                 } else {
686                         if (k->idx < 0 || k->idx > 5)
687                                 return -EINVAL;
688                 }
689         }
690
691         return 0;
692 }
693
694 static struct cfg80211_cached_keys *
695 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
696                        struct nlattr *keys, bool *no_ht)
697 {
698         struct key_parse parse;
699         struct nlattr *key;
700         struct cfg80211_cached_keys *result;
701         int rem, err, def = 0;
702
703         result = kzalloc(sizeof(*result), GFP_KERNEL);
704         if (!result)
705                 return ERR_PTR(-ENOMEM);
706
707         result->def = -1;
708         result->defmgmt = -1;
709
710         nla_for_each_nested(key, keys, rem) {
711                 memset(&parse, 0, sizeof(parse));
712                 parse.idx = -1;
713
714                 err = nl80211_parse_key_new(key, &parse);
715                 if (err)
716                         goto error;
717                 err = -EINVAL;
718                 if (!parse.p.key)
719                         goto error;
720                 if (parse.idx < 0 || parse.idx > 4)
721                         goto error;
722                 if (parse.def) {
723                         if (def)
724                                 goto error;
725                         def = 1;
726                         result->def = parse.idx;
727                         if (!parse.def_uni || !parse.def_multi)
728                                 goto error;
729                 } else if (parse.defmgmt)
730                         goto error;
731                 err = cfg80211_validate_key_settings(rdev, &parse.p,
732                                                      parse.idx, false, NULL);
733                 if (err)
734                         goto error;
735                 result->params[parse.idx].cipher = parse.p.cipher;
736                 result->params[parse.idx].key_len = parse.p.key_len;
737                 result->params[parse.idx].key = result->data[parse.idx];
738                 memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
739
740                 if (parse.p.cipher == WLAN_CIPHER_SUITE_WEP40 ||
741                     parse.p.cipher == WLAN_CIPHER_SUITE_WEP104) {
742                         if (no_ht)
743                                 *no_ht = true;
744                 }
745         }
746
747         return result;
748  error:
749         kfree(result);
750         return ERR_PTR(err);
751 }
752
753 static int nl80211_key_allowed(struct wireless_dev *wdev)
754 {
755         ASSERT_WDEV_LOCK(wdev);
756
757         switch (wdev->iftype) {
758         case NL80211_IFTYPE_AP:
759         case NL80211_IFTYPE_AP_VLAN:
760         case NL80211_IFTYPE_P2P_GO:
761         case NL80211_IFTYPE_MESH_POINT:
762                 break;
763         case NL80211_IFTYPE_ADHOC:
764                 if (!wdev->current_bss)
765                         return -ENOLINK;
766                 break;
767         case NL80211_IFTYPE_STATION:
768         case NL80211_IFTYPE_P2P_CLIENT:
769                 if (wdev->sme_state != CFG80211_SME_CONNECTED)
770                         return -ENOLINK;
771                 break;
772         default:
773                 return -EINVAL;
774         }
775
776         return 0;
777 }
778
779 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
780 {
781         struct nlattr *nl_modes = nla_nest_start(msg, attr);
782         int i;
783
784         if (!nl_modes)
785                 goto nla_put_failure;
786
787         i = 0;
788         while (ifmodes) {
789                 if ((ifmodes & 1) && nla_put_flag(msg, i))
790                         goto nla_put_failure;
791                 ifmodes >>= 1;
792                 i++;
793         }
794
795         nla_nest_end(msg, nl_modes);
796         return 0;
797
798 nla_put_failure:
799         return -ENOBUFS;
800 }
801
802 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
803                                           struct sk_buff *msg)
804 {
805         struct nlattr *nl_combis;
806         int i, j;
807
808         nl_combis = nla_nest_start(msg,
809                                 NL80211_ATTR_INTERFACE_COMBINATIONS);
810         if (!nl_combis)
811                 goto nla_put_failure;
812
813         for (i = 0; i < wiphy->n_iface_combinations; i++) {
814                 const struct ieee80211_iface_combination *c;
815                 struct nlattr *nl_combi, *nl_limits;
816
817                 c = &wiphy->iface_combinations[i];
818
819                 nl_combi = nla_nest_start(msg, i + 1);
820                 if (!nl_combi)
821                         goto nla_put_failure;
822
823                 nl_limits = nla_nest_start(msg, NL80211_IFACE_COMB_LIMITS);
824                 if (!nl_limits)
825                         goto nla_put_failure;
826
827                 for (j = 0; j < c->n_limits; j++) {
828                         struct nlattr *nl_limit;
829
830                         nl_limit = nla_nest_start(msg, j + 1);
831                         if (!nl_limit)
832                                 goto nla_put_failure;
833                         if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
834                                         c->limits[j].max))
835                                 goto nla_put_failure;
836                         if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
837                                                 c->limits[j].types))
838                                 goto nla_put_failure;
839                         nla_nest_end(msg, nl_limit);
840                 }
841
842                 nla_nest_end(msg, nl_limits);
843
844                 if (c->beacon_int_infra_match &&
845                     nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
846                         goto nla_put_failure;
847                 if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
848                                 c->num_different_channels) ||
849                     nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
850                                 c->max_interfaces))
851                         goto nla_put_failure;
852
853                 nla_nest_end(msg, nl_combi);
854         }
855
856         nla_nest_end(msg, nl_combis);
857
858         return 0;
859 nla_put_failure:
860         return -ENOBUFS;
861 }
862
863 static int nl80211_send_wiphy(struct sk_buff *msg, u32 portid, u32 seq, int flags,
864                               struct cfg80211_registered_device *dev)
865 {
866         void *hdr;
867         struct nlattr *nl_bands, *nl_band;
868         struct nlattr *nl_freqs, *nl_freq;
869         struct nlattr *nl_rates, *nl_rate;
870         struct nlattr *nl_cmds;
871         enum ieee80211_band band;
872         struct ieee80211_channel *chan;
873         struct ieee80211_rate *rate;
874         int i;
875         const struct ieee80211_txrx_stypes *mgmt_stypes =
876                                 dev->wiphy.mgmt_stypes;
877
878         hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_WIPHY);
879         if (!hdr)
880                 return -1;
881
882         if (nla_put_u32(msg, NL80211_ATTR_WIPHY, dev->wiphy_idx) ||
883             nla_put_string(msg, NL80211_ATTR_WIPHY_NAME, wiphy_name(&dev->wiphy)) ||
884             nla_put_u32(msg, NL80211_ATTR_GENERATION,
885                         cfg80211_rdev_list_generation) ||
886             nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
887                        dev->wiphy.retry_short) ||
888             nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
889                        dev->wiphy.retry_long) ||
890             nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
891                         dev->wiphy.frag_threshold) ||
892             nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
893                         dev->wiphy.rts_threshold) ||
894             nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
895                        dev->wiphy.coverage_class) ||
896             nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
897                        dev->wiphy.max_scan_ssids) ||
898             nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
899                        dev->wiphy.max_sched_scan_ssids) ||
900             nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
901                         dev->wiphy.max_scan_ie_len) ||
902             nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
903                         dev->wiphy.max_sched_scan_ie_len) ||
904             nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
905                        dev->wiphy.max_match_sets))
906                 goto nla_put_failure;
907
908         if ((dev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
909             nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
910                 goto nla_put_failure;
911         if ((dev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
912             nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
913                 goto nla_put_failure;
914         if ((dev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
915             nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
916                 goto nla_put_failure;
917         if ((dev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
918             nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
919                 goto nla_put_failure;
920         if ((dev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
921             nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
922                 goto nla_put_failure;
923         if ((dev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
924             nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
925                 goto nla_put_failure;
926
927         if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
928                     sizeof(u32) * dev->wiphy.n_cipher_suites,
929                     dev->wiphy.cipher_suites))
930                 goto nla_put_failure;
931
932         if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
933                        dev->wiphy.max_num_pmkids))
934                 goto nla_put_failure;
935
936         if ((dev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
937             nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
938                 goto nla_put_failure;
939
940         if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
941                         dev->wiphy.available_antennas_tx) ||
942             nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
943                         dev->wiphy.available_antennas_rx))
944                 goto nla_put_failure;
945
946         if ((dev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
947             nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
948                         dev->wiphy.probe_resp_offload))
949                 goto nla_put_failure;
950
951         if ((dev->wiphy.available_antennas_tx ||
952              dev->wiphy.available_antennas_rx) && dev->ops->get_antenna) {
953                 u32 tx_ant = 0, rx_ant = 0;
954                 int res;
955                 res = rdev_get_antenna(dev, &tx_ant, &rx_ant);
956                 if (!res) {
957                         if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_TX,
958                                         tx_ant) ||
959                             nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_RX,
960                                         rx_ant))
961                                 goto nla_put_failure;
962                 }
963         }
964
965         if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
966                                 dev->wiphy.interface_modes))
967                 goto nla_put_failure;
968
969         nl_bands = nla_nest_start(msg, NL80211_ATTR_WIPHY_BANDS);
970         if (!nl_bands)
971                 goto nla_put_failure;
972
973         for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
974                 if (!dev->wiphy.bands[band])
975                         continue;
976
977                 nl_band = nla_nest_start(msg, band);
978                 if (!nl_band)
979                         goto nla_put_failure;
980
981                 /* add HT info */
982                 if (dev->wiphy.bands[band]->ht_cap.ht_supported &&
983                     (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
984                              sizeof(dev->wiphy.bands[band]->ht_cap.mcs),
985                              &dev->wiphy.bands[band]->ht_cap.mcs) ||
986                      nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
987                                  dev->wiphy.bands[band]->ht_cap.cap) ||
988                      nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
989                                 dev->wiphy.bands[band]->ht_cap.ampdu_factor) ||
990                      nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
991                                 dev->wiphy.bands[band]->ht_cap.ampdu_density)))
992                         goto nla_put_failure;
993
994                 /* add VHT info */
995                 if (dev->wiphy.bands[band]->vht_cap.vht_supported &&
996                     (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
997                              sizeof(dev->wiphy.bands[band]->vht_cap.vht_mcs),
998                              &dev->wiphy.bands[band]->vht_cap.vht_mcs) ||
999                      nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1000                                  dev->wiphy.bands[band]->vht_cap.cap)))
1001                         goto nla_put_failure;
1002
1003                 /* add frequencies */
1004                 nl_freqs = nla_nest_start(msg, NL80211_BAND_ATTR_FREQS);
1005                 if (!nl_freqs)
1006                         goto nla_put_failure;
1007
1008                 for (i = 0; i < dev->wiphy.bands[band]->n_channels; i++) {
1009                         nl_freq = nla_nest_start(msg, i);
1010                         if (!nl_freq)
1011                                 goto nla_put_failure;
1012
1013                         chan = &dev->wiphy.bands[band]->channels[i];
1014
1015                         if (nl80211_msg_put_channel(msg, chan))
1016                                 goto nla_put_failure;
1017
1018                         nla_nest_end(msg, nl_freq);
1019                 }
1020
1021                 nla_nest_end(msg, nl_freqs);
1022
1023                 /* add bitrates */
1024                 nl_rates = nla_nest_start(msg, NL80211_BAND_ATTR_RATES);
1025                 if (!nl_rates)
1026                         goto nla_put_failure;
1027
1028                 for (i = 0; i < dev->wiphy.bands[band]->n_bitrates; i++) {
1029                         nl_rate = nla_nest_start(msg, i);
1030                         if (!nl_rate)
1031                                 goto nla_put_failure;
1032
1033                         rate = &dev->wiphy.bands[band]->bitrates[i];
1034                         if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1035                                         rate->bitrate))
1036                                 goto nla_put_failure;
1037                         if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1038                             nla_put_flag(msg,
1039                                          NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1040                                 goto nla_put_failure;
1041
1042                         nla_nest_end(msg, nl_rate);
1043                 }
1044
1045                 nla_nest_end(msg, nl_rates);
1046
1047                 nla_nest_end(msg, nl_band);
1048         }
1049         nla_nest_end(msg, nl_bands);
1050
1051         nl_cmds = nla_nest_start(msg, NL80211_ATTR_SUPPORTED_COMMANDS);
1052         if (!nl_cmds)
1053                 goto nla_put_failure;
1054
1055         i = 0;
1056 #define CMD(op, n)                                              \
1057          do {                                                   \
1058                 if (dev->ops->op) {                             \
1059                         i++;                                    \
1060                         if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) \
1061                                 goto nla_put_failure;           \
1062                 }                                               \
1063         } while (0)
1064
1065         CMD(add_virtual_intf, NEW_INTERFACE);
1066         CMD(change_virtual_intf, SET_INTERFACE);
1067         CMD(add_key, NEW_KEY);
1068         CMD(start_ap, START_AP);
1069         CMD(add_station, NEW_STATION);
1070         CMD(add_mpath, NEW_MPATH);
1071         CMD(update_mesh_config, SET_MESH_CONFIG);
1072         CMD(change_bss, SET_BSS);
1073         CMD(auth, AUTHENTICATE);
1074         CMD(assoc, ASSOCIATE);
1075         CMD(deauth, DEAUTHENTICATE);
1076         CMD(disassoc, DISASSOCIATE);
1077         CMD(join_ibss, JOIN_IBSS);
1078         CMD(join_mesh, JOIN_MESH);
1079         CMD(set_pmksa, SET_PMKSA);
1080         CMD(del_pmksa, DEL_PMKSA);
1081         CMD(flush_pmksa, FLUSH_PMKSA);
1082         if (dev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
1083                 CMD(remain_on_channel, REMAIN_ON_CHANNEL);
1084         CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
1085         CMD(mgmt_tx, FRAME);
1086         CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
1087         if (dev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
1088                 i++;
1089                 if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
1090                         goto nla_put_failure;
1091         }
1092         if (dev->ops->set_monitor_channel || dev->ops->start_ap ||
1093             dev->ops->join_mesh) {
1094                 i++;
1095                 if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
1096                         goto nla_put_failure;
1097         }
1098         CMD(set_wds_peer, SET_WDS_PEER);
1099         if (dev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
1100                 CMD(tdls_mgmt, TDLS_MGMT);
1101                 CMD(tdls_oper, TDLS_OPER);
1102         }
1103         if (dev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN)
1104                 CMD(sched_scan_start, START_SCHED_SCAN);
1105         CMD(probe_client, PROBE_CLIENT);
1106         CMD(set_noack_map, SET_NOACK_MAP);
1107         if (dev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
1108                 i++;
1109                 if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
1110                         goto nla_put_failure;
1111         }
1112         CMD(start_p2p_device, START_P2P_DEVICE);
1113         CMD(set_mcast_rate, SET_MCAST_RATE);
1114
1115 #ifdef CONFIG_NL80211_TESTMODE
1116         CMD(testmode_cmd, TESTMODE);
1117 #endif
1118
1119 #undef CMD
1120
1121         if (dev->ops->connect || dev->ops->auth) {
1122                 i++;
1123                 if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
1124                         goto nla_put_failure;
1125         }
1126
1127         if (dev->ops->disconnect || dev->ops->deauth) {
1128                 i++;
1129                 if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
1130                         goto nla_put_failure;
1131         }
1132
1133         nla_nest_end(msg, nl_cmds);
1134
1135         if (dev->ops->remain_on_channel &&
1136             (dev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
1137             nla_put_u32(msg, NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
1138                         dev->wiphy.max_remain_on_channel_duration))
1139                 goto nla_put_failure;
1140
1141         if ((dev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
1142             nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
1143                 goto nla_put_failure;
1144
1145         if (mgmt_stypes) {
1146                 u16 stypes;
1147                 struct nlattr *nl_ftypes, *nl_ifs;
1148                 enum nl80211_iftype ift;
1149
1150                 nl_ifs = nla_nest_start(msg, NL80211_ATTR_TX_FRAME_TYPES);
1151                 if (!nl_ifs)
1152                         goto nla_put_failure;
1153
1154                 for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1155                         nl_ftypes = nla_nest_start(msg, ift);
1156                         if (!nl_ftypes)
1157                                 goto nla_put_failure;
1158                         i = 0;
1159                         stypes = mgmt_stypes[ift].tx;
1160                         while (stypes) {
1161                                 if ((stypes & 1) &&
1162                                     nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1163                                                 (i << 4) | IEEE80211_FTYPE_MGMT))
1164                                         goto nla_put_failure;
1165                                 stypes >>= 1;
1166                                 i++;
1167                         }
1168                         nla_nest_end(msg, nl_ftypes);
1169                 }
1170
1171                 nla_nest_end(msg, nl_ifs);
1172
1173                 nl_ifs = nla_nest_start(msg, NL80211_ATTR_RX_FRAME_TYPES);
1174                 if (!nl_ifs)
1175                         goto nla_put_failure;
1176
1177                 for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1178                         nl_ftypes = nla_nest_start(msg, ift);
1179                         if (!nl_ftypes)
1180                                 goto nla_put_failure;
1181                         i = 0;
1182                         stypes = mgmt_stypes[ift].rx;
1183                         while (stypes) {
1184                                 if ((stypes & 1) &&
1185                                     nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1186                                                 (i << 4) | IEEE80211_FTYPE_MGMT))
1187                                         goto nla_put_failure;
1188                                 stypes >>= 1;
1189                                 i++;
1190                         }
1191                         nla_nest_end(msg, nl_ftypes);
1192                 }
1193                 nla_nest_end(msg, nl_ifs);
1194         }
1195
1196 #ifdef CONFIG_PM
1197         if (dev->wiphy.wowlan.flags || dev->wiphy.wowlan.n_patterns) {
1198                 struct nlattr *nl_wowlan;
1199
1200                 nl_wowlan = nla_nest_start(msg,
1201                                 NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1202                 if (!nl_wowlan)
1203                         goto nla_put_failure;
1204
1205                 if (((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_ANY) &&
1206                      nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1207                     ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_DISCONNECT) &&
1208                      nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1209                     ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1210                      nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1211                     ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1212                      nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1213                     ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1214                      nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1215                     ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1216                      nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1217                     ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1218                      nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1219                     ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1220                      nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1221                     goto nla_put_failure;
1222                 if (dev->wiphy.wowlan.n_patterns) {
1223                         struct nl80211_wowlan_pattern_support pat = {
1224                                 .max_patterns = dev->wiphy.wowlan.n_patterns,
1225                                 .min_pattern_len =
1226                                         dev->wiphy.wowlan.pattern_min_len,
1227                                 .max_pattern_len =
1228                                         dev->wiphy.wowlan.pattern_max_len,
1229                         };
1230                         if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1231                                     sizeof(pat), &pat))
1232                                 goto nla_put_failure;
1233                 }
1234
1235                 nla_nest_end(msg, nl_wowlan);
1236         }
1237 #endif
1238
1239         if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
1240                                 dev->wiphy.software_iftypes))
1241                 goto nla_put_failure;
1242
1243         if (nl80211_put_iface_combinations(&dev->wiphy, msg))
1244                 goto nla_put_failure;
1245
1246         if ((dev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
1247             nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
1248                         dev->wiphy.ap_sme_capa))
1249                 goto nla_put_failure;
1250
1251         if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS,
1252                         dev->wiphy.features))
1253                 goto nla_put_failure;
1254
1255         if (dev->wiphy.ht_capa_mod_mask &&
1256             nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
1257                     sizeof(*dev->wiphy.ht_capa_mod_mask),
1258                     dev->wiphy.ht_capa_mod_mask))
1259                 goto nla_put_failure;
1260
1261         return genlmsg_end(msg, hdr);
1262
1263  nla_put_failure:
1264         genlmsg_cancel(msg, hdr);
1265         return -EMSGSIZE;
1266 }
1267
1268 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
1269 {
1270         int idx = 0;
1271         int start = cb->args[0];
1272         struct cfg80211_registered_device *dev;
1273
1274         mutex_lock(&cfg80211_mutex);
1275         list_for_each_entry(dev, &cfg80211_rdev_list, list) {
1276                 if (!net_eq(wiphy_net(&dev->wiphy), sock_net(skb->sk)))
1277                         continue;
1278                 if (++idx <= start)
1279                         continue;
1280                 if (nl80211_send_wiphy(skb, NETLINK_CB(cb->skb).portid,
1281                                        cb->nlh->nlmsg_seq, NLM_F_MULTI,
1282                                        dev) < 0) {
1283                         idx--;
1284                         break;
1285                 }
1286         }
1287         mutex_unlock(&cfg80211_mutex);
1288
1289         cb->args[0] = idx;
1290
1291         return skb->len;
1292 }
1293
1294 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
1295 {
1296         struct sk_buff *msg;
1297         struct cfg80211_registered_device *dev = info->user_ptr[0];
1298
1299         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1300         if (!msg)
1301                 return -ENOMEM;
1302
1303         if (nl80211_send_wiphy(msg, info->snd_portid, info->snd_seq, 0, dev) < 0) {
1304                 nlmsg_free(msg);
1305                 return -ENOBUFS;
1306         }
1307
1308         return genlmsg_reply(msg, info);
1309 }
1310
1311 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
1312         [NL80211_TXQ_ATTR_QUEUE]                = { .type = NLA_U8 },
1313         [NL80211_TXQ_ATTR_TXOP]                 = { .type = NLA_U16 },
1314         [NL80211_TXQ_ATTR_CWMIN]                = { .type = NLA_U16 },
1315         [NL80211_TXQ_ATTR_CWMAX]                = { .type = NLA_U16 },
1316         [NL80211_TXQ_ATTR_AIFS]                 = { .type = NLA_U8 },
1317 };
1318
1319 static int parse_txq_params(struct nlattr *tb[],
1320                             struct ieee80211_txq_params *txq_params)
1321 {
1322         if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
1323             !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
1324             !tb[NL80211_TXQ_ATTR_AIFS])
1325                 return -EINVAL;
1326
1327         txq_params->ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
1328         txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
1329         txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
1330         txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
1331         txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
1332
1333         if (txq_params->ac >= NL80211_NUM_ACS)
1334                 return -EINVAL;
1335
1336         return 0;
1337 }
1338
1339 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
1340 {
1341         /*
1342          * You can only set the channel explicitly for WDS interfaces,
1343          * all others have their channel managed via their respective
1344          * "establish a connection" command (connect, join, ...)
1345          *
1346          * For AP/GO and mesh mode, the channel can be set with the
1347          * channel userspace API, but is only stored and passed to the
1348          * low-level driver when the AP starts or the mesh is joined.
1349          * This is for backward compatibility, userspace can also give
1350          * the channel in the start-ap or join-mesh commands instead.
1351          *
1352          * Monitors are special as they are normally slaved to
1353          * whatever else is going on, so they have their own special
1354          * operation to set the monitor channel if possible.
1355          */
1356         return !wdev ||
1357                 wdev->iftype == NL80211_IFTYPE_AP ||
1358                 wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
1359                 wdev->iftype == NL80211_IFTYPE_MONITOR ||
1360                 wdev->iftype == NL80211_IFTYPE_P2P_GO;
1361 }
1362
1363 static bool nl80211_valid_channel_type(struct genl_info *info,
1364                                        enum nl80211_channel_type *channel_type)
1365 {
1366         enum nl80211_channel_type tmp;
1367
1368         if (!info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE])
1369                 return false;
1370
1371         tmp = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
1372         if (tmp != NL80211_CHAN_NO_HT &&
1373             tmp != NL80211_CHAN_HT20 &&
1374             tmp != NL80211_CHAN_HT40PLUS &&
1375             tmp != NL80211_CHAN_HT40MINUS)
1376                 return false;
1377
1378         if (channel_type)
1379                 *channel_type = tmp;
1380
1381         return true;
1382 }
1383
1384 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
1385                                  struct wireless_dev *wdev,
1386                                  struct genl_info *info)
1387 {
1388         struct ieee80211_channel *channel;
1389         enum nl80211_channel_type channel_type = NL80211_CHAN_NO_HT;
1390         u32 freq;
1391         int result;
1392         enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
1393
1394         if (wdev)
1395                 iftype = wdev->iftype;
1396
1397         if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
1398                 return -EINVAL;
1399
1400         if (!nl80211_can_set_dev_channel(wdev))
1401                 return -EOPNOTSUPP;
1402
1403         if (info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE] &&
1404             !nl80211_valid_channel_type(info, &channel_type))
1405                 return -EINVAL;
1406
1407         freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]);
1408
1409         mutex_lock(&rdev->devlist_mtx);
1410         switch (iftype) {
1411         case NL80211_IFTYPE_AP:
1412         case NL80211_IFTYPE_P2P_GO:
1413                 if (wdev->beacon_interval) {
1414                         result = -EBUSY;
1415                         break;
1416                 }
1417                 channel = rdev_freq_to_chan(rdev, freq, channel_type);
1418                 if (!channel || !cfg80211_can_beacon_sec_chan(&rdev->wiphy,
1419                                                               channel,
1420                                                               channel_type)) {
1421                         result = -EINVAL;
1422                         break;
1423                 }
1424                 wdev->preset_chan = channel;
1425                 wdev->preset_chantype = channel_type;
1426                 result = 0;
1427                 break;
1428         case NL80211_IFTYPE_MESH_POINT:
1429                 result = cfg80211_set_mesh_freq(rdev, wdev, freq, channel_type);
1430                 break;
1431         case NL80211_IFTYPE_MONITOR:
1432                 result = cfg80211_set_monitor_channel(rdev, freq, channel_type);
1433                 break;
1434         default:
1435                 result = -EINVAL;
1436         }
1437         mutex_unlock(&rdev->devlist_mtx);
1438
1439         return result;
1440 }
1441
1442 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
1443 {
1444         struct cfg80211_registered_device *rdev = info->user_ptr[0];
1445         struct net_device *netdev = info->user_ptr[1];
1446
1447         return __nl80211_set_channel(rdev, netdev->ieee80211_ptr, info);
1448 }
1449
1450 static int nl80211_set_wds_peer(struct sk_buff *skb, struct genl_info *info)
1451 {
1452         struct cfg80211_registered_device *rdev = info->user_ptr[0];
1453         struct net_device *dev = info->user_ptr[1];
1454         struct wireless_dev *wdev = dev->ieee80211_ptr;
1455         const u8 *bssid;
1456
1457         if (!info->attrs[NL80211_ATTR_MAC])
1458                 return -EINVAL;
1459
1460         if (netif_running(dev))
1461                 return -EBUSY;
1462
1463         if (!rdev->ops->set_wds_peer)
1464                 return -EOPNOTSUPP;
1465
1466         if (wdev->iftype != NL80211_IFTYPE_WDS)
1467                 return -EOPNOTSUPP;
1468
1469         bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
1470         return rdev_set_wds_peer(rdev, dev, bssid);
1471 }
1472
1473
1474 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
1475 {
1476         struct cfg80211_registered_device *rdev;
1477         struct net_device *netdev = NULL;
1478         struct wireless_dev *wdev;
1479         int result = 0, rem_txq_params = 0;
1480         struct nlattr *nl_txq_params;
1481         u32 changed;
1482         u8 retry_short = 0, retry_long = 0;
1483         u32 frag_threshold = 0, rts_threshold = 0;
1484         u8 coverage_class = 0;
1485
1486         /*
1487          * Try to find the wiphy and netdev. Normally this
1488          * function shouldn't need the netdev, but this is
1489          * done for backward compatibility -- previously
1490          * setting the channel was done per wiphy, but now
1491          * it is per netdev. Previous userland like hostapd
1492          * also passed a netdev to set_wiphy, so that it is
1493          * possible to let that go to the right netdev!
1494          */
1495         mutex_lock(&cfg80211_mutex);
1496
1497         if (info->attrs[NL80211_ATTR_IFINDEX]) {
1498                 int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
1499
1500                 netdev = dev_get_by_index(genl_info_net(info), ifindex);
1501                 if (netdev && netdev->ieee80211_ptr) {
1502                         rdev = wiphy_to_dev(netdev->ieee80211_ptr->wiphy);
1503                         mutex_lock(&rdev->mtx);
1504                 } else
1505                         netdev = NULL;
1506         }
1507
1508         if (!netdev) {
1509                 rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
1510                                                   info->attrs);
1511                 if (IS_ERR(rdev)) {
1512                         mutex_unlock(&cfg80211_mutex);
1513                         return PTR_ERR(rdev);
1514                 }
1515                 wdev = NULL;
1516                 netdev = NULL;
1517                 result = 0;
1518
1519                 mutex_lock(&rdev->mtx);
1520         } else
1521                 wdev = netdev->ieee80211_ptr;
1522
1523         /*
1524          * end workaround code, by now the rdev is available
1525          * and locked, and wdev may or may not be NULL.
1526          */
1527
1528         if (info->attrs[NL80211_ATTR_WIPHY_NAME])
1529                 result = cfg80211_dev_rename(
1530                         rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
1531
1532         mutex_unlock(&cfg80211_mutex);
1533
1534         if (result)
1535                 goto bad_res;
1536
1537         if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
1538                 struct ieee80211_txq_params txq_params;
1539                 struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
1540
1541                 if (!rdev->ops->set_txq_params) {
1542                         result = -EOPNOTSUPP;
1543                         goto bad_res;
1544                 }
1545
1546                 if (!netdev) {
1547                         result = -EINVAL;
1548                         goto bad_res;
1549                 }
1550
1551                 if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
1552                     netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
1553                         result = -EINVAL;
1554                         goto bad_res;
1555                 }
1556
1557                 if (!netif_running(netdev)) {
1558                         result = -ENETDOWN;
1559                         goto bad_res;
1560                 }
1561
1562                 nla_for_each_nested(nl_txq_params,
1563                                     info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
1564                                     rem_txq_params) {
1565                         nla_parse(tb, NL80211_TXQ_ATTR_MAX,
1566                                   nla_data(nl_txq_params),
1567                                   nla_len(nl_txq_params),
1568                                   txq_params_policy);
1569                         result = parse_txq_params(tb, &txq_params);
1570                         if (result)
1571                                 goto bad_res;
1572
1573                         result = rdev_set_txq_params(rdev, netdev,
1574                                                      &txq_params);
1575                         if (result)
1576                                 goto bad_res;
1577                 }
1578         }
1579
1580         if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
1581                 result = __nl80211_set_channel(rdev,
1582                                 nl80211_can_set_dev_channel(wdev) ? wdev : NULL,
1583                                 info);
1584                 if (result)
1585                         goto bad_res;
1586         }
1587
1588         if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
1589                 struct wireless_dev *txp_wdev = wdev;
1590                 enum nl80211_tx_power_setting type;
1591                 int idx, mbm = 0;
1592
1593                 if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
1594                         txp_wdev = NULL;
1595
1596                 if (!rdev->ops->set_tx_power) {
1597                         result = -EOPNOTSUPP;
1598                         goto bad_res;
1599                 }
1600
1601                 idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
1602                 type = nla_get_u32(info->attrs[idx]);
1603
1604                 if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
1605                     (type != NL80211_TX_POWER_AUTOMATIC)) {
1606                         result = -EINVAL;
1607                         goto bad_res;
1608                 }
1609
1610                 if (type != NL80211_TX_POWER_AUTOMATIC) {
1611                         idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
1612                         mbm = nla_get_u32(info->attrs[idx]);
1613                 }
1614
1615                 result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
1616                 if (result)
1617                         goto bad_res;
1618         }
1619
1620         if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
1621             info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
1622                 u32 tx_ant, rx_ant;
1623                 if ((!rdev->wiphy.available_antennas_tx &&
1624                      !rdev->wiphy.available_antennas_rx) ||
1625                     !rdev->ops->set_antenna) {
1626                         result = -EOPNOTSUPP;
1627                         goto bad_res;
1628                 }
1629
1630                 tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
1631                 rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
1632
1633                 /* reject antenna configurations which don't match the
1634                  * available antenna masks, except for the "all" mask */
1635                 if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
1636                     (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx))) {
1637                         result = -EINVAL;
1638                         goto bad_res;
1639                 }
1640
1641                 tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
1642                 rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
1643
1644                 result = rdev_set_antenna(rdev, tx_ant, rx_ant);
1645                 if (result)
1646                         goto bad_res;
1647         }
1648
1649         changed = 0;
1650
1651         if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
1652                 retry_short = nla_get_u8(
1653                         info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
1654                 if (retry_short == 0) {
1655                         result = -EINVAL;
1656                         goto bad_res;
1657                 }
1658                 changed |= WIPHY_PARAM_RETRY_SHORT;
1659         }
1660
1661         if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
1662                 retry_long = nla_get_u8(
1663                         info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
1664                 if (retry_long == 0) {
1665                         result = -EINVAL;
1666                         goto bad_res;
1667                 }
1668                 changed |= WIPHY_PARAM_RETRY_LONG;
1669         }
1670
1671         if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
1672                 frag_threshold = nla_get_u32(
1673                         info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
1674                 if (frag_threshold < 256) {
1675                         result = -EINVAL;
1676                         goto bad_res;
1677                 }
1678                 if (frag_threshold != (u32) -1) {
1679                         /*
1680                          * Fragments (apart from the last one) are required to
1681                          * have even length. Make the fragmentation code
1682                          * simpler by stripping LSB should someone try to use
1683                          * odd threshold value.
1684                          */
1685                         frag_threshold &= ~0x1;
1686                 }
1687                 changed |= WIPHY_PARAM_FRAG_THRESHOLD;
1688         }
1689
1690         if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
1691                 rts_threshold = nla_get_u32(
1692                         info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
1693                 changed |= WIPHY_PARAM_RTS_THRESHOLD;
1694         }
1695
1696         if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
1697                 coverage_class = nla_get_u8(
1698                         info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
1699                 changed |= WIPHY_PARAM_COVERAGE_CLASS;
1700         }
1701
1702         if (changed) {
1703                 u8 old_retry_short, old_retry_long;
1704                 u32 old_frag_threshold, old_rts_threshold;
1705                 u8 old_coverage_class;
1706
1707                 if (!rdev->ops->set_wiphy_params) {
1708                         result = -EOPNOTSUPP;
1709                         goto bad_res;
1710                 }
1711
1712                 old_retry_short = rdev->wiphy.retry_short;
1713                 old_retry_long = rdev->wiphy.retry_long;
1714                 old_frag_threshold = rdev->wiphy.frag_threshold;
1715                 old_rts_threshold = rdev->wiphy.rts_threshold;
1716                 old_coverage_class = rdev->wiphy.coverage_class;
1717
1718                 if (changed & WIPHY_PARAM_RETRY_SHORT)
1719                         rdev->wiphy.retry_short = retry_short;
1720                 if (changed & WIPHY_PARAM_RETRY_LONG)
1721                         rdev->wiphy.retry_long = retry_long;
1722                 if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
1723                         rdev->wiphy.frag_threshold = frag_threshold;
1724                 if (changed & WIPHY_PARAM_RTS_THRESHOLD)
1725                         rdev->wiphy.rts_threshold = rts_threshold;
1726                 if (changed & WIPHY_PARAM_COVERAGE_CLASS)
1727                         rdev->wiphy.coverage_class = coverage_class;
1728
1729                 result = rdev_set_wiphy_params(rdev, changed);
1730                 if (result) {
1731                         rdev->wiphy.retry_short = old_retry_short;
1732                         rdev->wiphy.retry_long = old_retry_long;
1733                         rdev->wiphy.frag_threshold = old_frag_threshold;
1734                         rdev->wiphy.rts_threshold = old_rts_threshold;
1735                         rdev->wiphy.coverage_class = old_coverage_class;
1736                 }
1737         }
1738
1739  bad_res:
1740         mutex_unlock(&rdev->mtx);
1741         if (netdev)
1742                 dev_put(netdev);
1743         return result;
1744 }
1745
1746 static inline u64 wdev_id(struct wireless_dev *wdev)
1747 {
1748         return (u64)wdev->identifier |
1749                ((u64)wiphy_to_dev(wdev->wiphy)->wiphy_idx << 32);
1750 }
1751
1752 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
1753                               struct cfg80211_registered_device *rdev,
1754                               struct wireless_dev *wdev)
1755 {
1756         struct net_device *dev = wdev->netdev;
1757         void *hdr;
1758
1759         hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_INTERFACE);
1760         if (!hdr)
1761                 return -1;
1762
1763         if (dev &&
1764             (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
1765              nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
1766                 goto nla_put_failure;
1767
1768         if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
1769             nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
1770             nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)) ||
1771             nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
1772             nla_put_u32(msg, NL80211_ATTR_GENERATION,
1773                         rdev->devlist_generation ^
1774                         (cfg80211_rdev_list_generation << 2)))
1775                 goto nla_put_failure;
1776
1777         if (rdev->ops->get_channel) {
1778                 struct ieee80211_channel *chan;
1779                 enum nl80211_channel_type channel_type;
1780
1781                 chan = rdev_get_channel(rdev, wdev, &channel_type);
1782                 if (chan &&
1783                     (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
1784                                  chan->center_freq) ||
1785                      nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
1786                                  channel_type)))
1787                         goto nla_put_failure;
1788         }
1789
1790         return genlmsg_end(msg, hdr);
1791
1792  nla_put_failure:
1793         genlmsg_cancel(msg, hdr);
1794         return -EMSGSIZE;
1795 }
1796
1797 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
1798 {
1799         int wp_idx = 0;
1800         int if_idx = 0;
1801         int wp_start = cb->args[0];
1802         int if_start = cb->args[1];
1803         struct cfg80211_registered_device *rdev;
1804         struct wireless_dev *wdev;
1805
1806         mutex_lock(&cfg80211_mutex);
1807         list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
1808                 if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
1809                         continue;
1810                 if (wp_idx < wp_start) {
1811                         wp_idx++;
1812                         continue;
1813                 }
1814                 if_idx = 0;
1815
1816                 mutex_lock(&rdev->devlist_mtx);
1817                 list_for_each_entry(wdev, &rdev->wdev_list, list) {
1818                         if (if_idx < if_start) {
1819                                 if_idx++;
1820                                 continue;
1821                         }
1822                         if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
1823                                                cb->nlh->nlmsg_seq, NLM_F_MULTI,
1824                                                rdev, wdev) < 0) {
1825                                 mutex_unlock(&rdev->devlist_mtx);
1826                                 goto out;
1827                         }
1828                         if_idx++;
1829                 }
1830                 mutex_unlock(&rdev->devlist_mtx);
1831
1832                 wp_idx++;
1833         }
1834  out:
1835         mutex_unlock(&cfg80211_mutex);
1836
1837         cb->args[0] = wp_idx;
1838         cb->args[1] = if_idx;
1839
1840         return skb->len;
1841 }
1842
1843 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
1844 {
1845         struct sk_buff *msg;
1846         struct cfg80211_registered_device *dev = info->user_ptr[0];
1847         struct wireless_dev *wdev = info->user_ptr[1];
1848
1849         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1850         if (!msg)
1851                 return -ENOMEM;
1852
1853         if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
1854                                dev, wdev) < 0) {
1855                 nlmsg_free(msg);
1856                 return -ENOBUFS;
1857         }
1858
1859         return genlmsg_reply(msg, info);
1860 }
1861
1862 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
1863         [NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
1864         [NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
1865         [NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
1866         [NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
1867         [NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
1868 };
1869
1870 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
1871 {
1872         struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
1873         int flag;
1874
1875         *mntrflags = 0;
1876
1877         if (!nla)
1878                 return -EINVAL;
1879
1880         if (nla_parse_nested(flags, NL80211_MNTR_FLAG_MAX,
1881                              nla, mntr_flags_policy))
1882                 return -EINVAL;
1883
1884         for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
1885                 if (flags[flag])
1886                         *mntrflags |= (1<<flag);
1887
1888         return 0;
1889 }
1890
1891 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
1892                                struct net_device *netdev, u8 use_4addr,
1893                                enum nl80211_iftype iftype)
1894 {
1895         if (!use_4addr) {
1896                 if (netdev && (netdev->priv_flags & IFF_BRIDGE_PORT))
1897                         return -EBUSY;
1898                 return 0;
1899         }
1900
1901         switch (iftype) {
1902         case NL80211_IFTYPE_AP_VLAN:
1903                 if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
1904                         return 0;
1905                 break;
1906         case NL80211_IFTYPE_STATION:
1907                 if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
1908                         return 0;
1909                 break;
1910         default:
1911                 break;
1912         }
1913
1914         return -EOPNOTSUPP;
1915 }
1916
1917 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
1918 {
1919         struct cfg80211_registered_device *rdev = info->user_ptr[0];
1920         struct vif_params params;
1921         int err;
1922         enum nl80211_iftype otype, ntype;
1923         struct net_device *dev = info->user_ptr[1];
1924         u32 _flags, *flags = NULL;
1925         bool change = false;
1926
1927         memset(&params, 0, sizeof(params));
1928
1929         otype = ntype = dev->ieee80211_ptr->iftype;
1930
1931         if (info->attrs[NL80211_ATTR_IFTYPE]) {
1932                 ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
1933                 if (otype != ntype)
1934                         change = true;
1935                 if (ntype > NL80211_IFTYPE_MAX)
1936                         return -EINVAL;
1937         }
1938
1939         if (info->attrs[NL80211_ATTR_MESH_ID]) {
1940                 struct wireless_dev *wdev = dev->ieee80211_ptr;
1941
1942                 if (ntype != NL80211_IFTYPE_MESH_POINT)
1943                         return -EINVAL;
1944                 if (netif_running(dev))
1945                         return -EBUSY;
1946
1947                 wdev_lock(wdev);
1948                 BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
1949                              IEEE80211_MAX_MESH_ID_LEN);
1950                 wdev->mesh_id_up_len =
1951                         nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
1952                 memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
1953                        wdev->mesh_id_up_len);
1954                 wdev_unlock(wdev);
1955         }
1956
1957         if (info->attrs[NL80211_ATTR_4ADDR]) {
1958                 params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
1959                 change = true;
1960                 err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
1961                 if (err)
1962                         return err;
1963         } else {
1964                 params.use_4addr = -1;
1965         }
1966
1967         if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
1968                 if (ntype != NL80211_IFTYPE_MONITOR)
1969                         return -EINVAL;
1970                 err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
1971                                           &_flags);
1972                 if (err)
1973                         return err;
1974
1975                 flags = &_flags;
1976                 change = true;
1977         }
1978
1979         if (change)
1980                 err = cfg80211_change_iface(rdev, dev, ntype, flags, &params);
1981         else
1982                 err = 0;
1983
1984         if (!err && params.use_4addr != -1)
1985                 dev->ieee80211_ptr->use_4addr = params.use_4addr;
1986
1987         return err;
1988 }
1989
1990 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
1991 {
1992         struct cfg80211_registered_device *rdev = info->user_ptr[0];
1993         struct vif_params params;
1994         struct wireless_dev *wdev;
1995         struct sk_buff *msg;
1996         int err;
1997         enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
1998         u32 flags;
1999
2000         memset(&params, 0, sizeof(params));
2001
2002         if (!info->attrs[NL80211_ATTR_IFNAME])
2003                 return -EINVAL;
2004
2005         if (info->attrs[NL80211_ATTR_IFTYPE]) {
2006                 type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
2007                 if (type > NL80211_IFTYPE_MAX)
2008                         return -EINVAL;
2009         }
2010
2011         if (!rdev->ops->add_virtual_intf ||
2012             !(rdev->wiphy.interface_modes & (1 << type)))
2013                 return -EOPNOTSUPP;
2014
2015         if (info->attrs[NL80211_ATTR_4ADDR]) {
2016                 params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
2017                 err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
2018                 if (err)
2019                         return err;
2020         }
2021
2022         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2023         if (!msg)
2024                 return -ENOMEM;
2025
2026         err = parse_monitor_flags(type == NL80211_IFTYPE_MONITOR ?
2027                                   info->attrs[NL80211_ATTR_MNTR_FLAGS] : NULL,
2028                                   &flags);
2029         wdev = rdev_add_virtual_intf(rdev,
2030                                 nla_data(info->attrs[NL80211_ATTR_IFNAME]),
2031                                 type, err ? NULL : &flags, &params);
2032         if (IS_ERR(wdev)) {
2033                 nlmsg_free(msg);
2034                 return PTR_ERR(wdev);
2035         }
2036
2037         switch (type) {
2038         case NL80211_IFTYPE_MESH_POINT:
2039                 if (!info->attrs[NL80211_ATTR_MESH_ID])
2040                         break;
2041                 wdev_lock(wdev);
2042                 BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
2043                              IEEE80211_MAX_MESH_ID_LEN);
2044                 wdev->mesh_id_up_len =
2045                         nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
2046                 memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
2047                        wdev->mesh_id_up_len);
2048                 wdev_unlock(wdev);
2049                 break;
2050         case NL80211_IFTYPE_P2P_DEVICE:
2051                 /*
2052                  * P2P Device doesn't have a netdev, so doesn't go
2053                  * through the netdev notifier and must be added here
2054                  */
2055                 mutex_init(&wdev->mtx);
2056                 INIT_LIST_HEAD(&wdev->event_list);
2057                 spin_lock_init(&wdev->event_lock);
2058                 INIT_LIST_HEAD(&wdev->mgmt_registrations);
2059                 spin_lock_init(&wdev->mgmt_registrations_lock);
2060
2061                 mutex_lock(&rdev->devlist_mtx);
2062                 wdev->identifier = ++rdev->wdev_id;
2063                 list_add_rcu(&wdev->list, &rdev->wdev_list);
2064                 rdev->devlist_generation++;
2065                 mutex_unlock(&rdev->devlist_mtx);
2066                 break;
2067         default:
2068                 break;
2069         }
2070
2071         if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
2072                                rdev, wdev) < 0) {
2073                 nlmsg_free(msg);
2074                 return -ENOBUFS;
2075         }
2076
2077         return genlmsg_reply(msg, info);
2078 }
2079
2080 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
2081 {
2082         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2083         struct wireless_dev *wdev = info->user_ptr[1];
2084
2085         if (!rdev->ops->del_virtual_intf)
2086                 return -EOPNOTSUPP;
2087
2088         /*
2089          * If we remove a wireless device without a netdev then clear
2090          * user_ptr[1] so that nl80211_post_doit won't dereference it
2091          * to check if it needs to do dev_put(). Otherwise it crashes
2092          * since the wdev has been freed, unlike with a netdev where
2093          * we need the dev_put() for the netdev to really be freed.
2094          */
2095         if (!wdev->netdev)
2096                 info->user_ptr[1] = NULL;
2097
2098         return rdev_del_virtual_intf(rdev, wdev);
2099 }
2100
2101 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
2102 {
2103         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2104         struct net_device *dev = info->user_ptr[1];
2105         u16 noack_map;
2106
2107         if (!info->attrs[NL80211_ATTR_NOACK_MAP])
2108                 return -EINVAL;
2109
2110         if (!rdev->ops->set_noack_map)
2111                 return -EOPNOTSUPP;
2112
2113         noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
2114
2115         return rdev_set_noack_map(rdev, dev, noack_map);
2116 }
2117
2118 struct get_key_cookie {
2119         struct sk_buff *msg;
2120         int error;
2121         int idx;
2122 };
2123
2124 static void get_key_callback(void *c, struct key_params *params)
2125 {
2126         struct nlattr *key;
2127         struct get_key_cookie *cookie = c;
2128
2129         if ((params->key &&
2130              nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
2131                      params->key_len, params->key)) ||
2132             (params->seq &&
2133              nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
2134                      params->seq_len, params->seq)) ||
2135             (params->cipher &&
2136              nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
2137                          params->cipher)))
2138                 goto nla_put_failure;
2139
2140         key = nla_nest_start(cookie->msg, NL80211_ATTR_KEY);
2141         if (!key)
2142                 goto nla_put_failure;
2143
2144         if ((params->key &&
2145              nla_put(cookie->msg, NL80211_KEY_DATA,
2146                      params->key_len, params->key)) ||
2147             (params->seq &&
2148              nla_put(cookie->msg, NL80211_KEY_SEQ,
2149                      params->seq_len, params->seq)) ||
2150             (params->cipher &&
2151              nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
2152                          params->cipher)))
2153                 goto nla_put_failure;
2154
2155         if (nla_put_u8(cookie->msg, NL80211_ATTR_KEY_IDX, cookie->idx))
2156                 goto nla_put_failure;
2157
2158         nla_nest_end(cookie->msg, key);
2159
2160         return;
2161  nla_put_failure:
2162         cookie->error = 1;
2163 }
2164
2165 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
2166 {
2167         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2168         int err;
2169         struct net_device *dev = info->user_ptr[1];
2170         u8 key_idx = 0;
2171         const u8 *mac_addr = NULL;
2172         bool pairwise;
2173         struct get_key_cookie cookie = {
2174                 .error = 0,
2175         };
2176         void *hdr;
2177         struct sk_buff *msg;
2178
2179         if (info->attrs[NL80211_ATTR_KEY_IDX])
2180                 key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
2181
2182         if (key_idx > 5)
2183                 return -EINVAL;
2184
2185         if (info->attrs[NL80211_ATTR_MAC])
2186                 mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
2187
2188         pairwise = !!mac_addr;
2189         if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
2190                 u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
2191                 if (kt >= NUM_NL80211_KEYTYPES)
2192                         return -EINVAL;
2193                 if (kt != NL80211_KEYTYPE_GROUP &&
2194                     kt != NL80211_KEYTYPE_PAIRWISE)
2195                         return -EINVAL;
2196                 pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
2197         }
2198
2199         if (!rdev->ops->get_key)
2200                 return -EOPNOTSUPP;
2201
2202         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2203         if (!msg)
2204                 return -ENOMEM;
2205
2206         hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
2207                              NL80211_CMD_NEW_KEY);
2208         if (IS_ERR(hdr))
2209                 return PTR_ERR(hdr);
2210
2211         cookie.msg = msg;
2212         cookie.idx = key_idx;
2213
2214         if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
2215             nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
2216                 goto nla_put_failure;
2217         if (mac_addr &&
2218             nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
2219                 goto nla_put_failure;
2220
2221         if (pairwise && mac_addr &&
2222             !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
2223                 return -ENOENT;
2224
2225         err = rdev_get_key(rdev, dev, key_idx, pairwise, mac_addr, &cookie,
2226                            get_key_callback);
2227
2228         if (err)
2229                 goto free_msg;
2230
2231         if (cookie.error)
2232                 goto nla_put_failure;
2233
2234         genlmsg_end(msg, hdr);
2235         return genlmsg_reply(msg, info);
2236
2237  nla_put_failure:
2238         err = -ENOBUFS;
2239  free_msg:
2240         nlmsg_free(msg);
2241         return err;
2242 }
2243
2244 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
2245 {
2246         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2247         struct key_parse key;
2248         int err;
2249         struct net_device *dev = info->user_ptr[1];
2250
2251         err = nl80211_parse_key(info, &key);
2252         if (err)
2253                 return err;
2254
2255         if (key.idx < 0)
2256                 return -EINVAL;
2257
2258         /* only support setting default key */
2259         if (!key.def && !key.defmgmt)
2260                 return -EINVAL;
2261
2262         wdev_lock(dev->ieee80211_ptr);
2263
2264         if (key.def) {
2265                 if (!rdev->ops->set_default_key) {
2266                         err = -EOPNOTSUPP;
2267                         goto out;
2268                 }
2269
2270                 err = nl80211_key_allowed(dev->ieee80211_ptr);
2271                 if (err)
2272                         goto out;
2273
2274                 err = rdev_set_default_key(rdev, dev, key.idx,
2275                                                  key.def_uni, key.def_multi);
2276
2277                 if (err)
2278                         goto out;
2279
2280 #ifdef CONFIG_CFG80211_WEXT
2281                 dev->ieee80211_ptr->wext.default_key = key.idx;
2282 #endif
2283         } else {
2284                 if (key.def_uni || !key.def_multi) {
2285                         err = -EINVAL;
2286                         goto out;
2287                 }
2288
2289                 if (!rdev->ops->set_default_mgmt_key) {
2290                         err = -EOPNOTSUPP;
2291                         goto out;
2292                 }
2293
2294                 err = nl80211_key_allowed(dev->ieee80211_ptr);
2295                 if (err)
2296                         goto out;
2297
2298                 err = rdev_set_default_mgmt_key(rdev, dev, key.idx);
2299                 if (err)
2300                         goto out;
2301
2302 #ifdef CONFIG_CFG80211_WEXT
2303                 dev->ieee80211_ptr->wext.default_mgmt_key = key.idx;
2304 #endif
2305         }
2306
2307  out:
2308         wdev_unlock(dev->ieee80211_ptr);
2309
2310         return err;
2311 }
2312
2313 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
2314 {
2315         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2316         int err;
2317         struct net_device *dev = info->user_ptr[1];
2318         struct key_parse key;
2319         const u8 *mac_addr = NULL;
2320
2321         err = nl80211_parse_key(info, &key);
2322         if (err)
2323                 return err;
2324
2325         if (!key.p.key)
2326                 return -EINVAL;
2327
2328         if (info->attrs[NL80211_ATTR_MAC])
2329                 mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
2330
2331         if (key.type == -1) {
2332                 if (mac_addr)
2333                         key.type = NL80211_KEYTYPE_PAIRWISE;
2334                 else
2335                         key.type = NL80211_KEYTYPE_GROUP;
2336         }
2337
2338         /* for now */
2339         if (key.type != NL80211_KEYTYPE_PAIRWISE &&
2340             key.type != NL80211_KEYTYPE_GROUP)
2341                 return -EINVAL;
2342
2343         if (!rdev->ops->add_key)
2344                 return -EOPNOTSUPP;
2345
2346         if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
2347                                            key.type == NL80211_KEYTYPE_PAIRWISE,
2348                                            mac_addr))
2349                 return -EINVAL;
2350
2351         wdev_lock(dev->ieee80211_ptr);
2352         err = nl80211_key_allowed(dev->ieee80211_ptr);
2353         if (!err)
2354                 err = rdev_add_key(rdev, dev, key.idx,
2355                                    key.type == NL80211_KEYTYPE_PAIRWISE,
2356                                     mac_addr, &key.p);
2357         wdev_unlock(dev->ieee80211_ptr);
2358
2359         return err;
2360 }
2361
2362 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
2363 {
2364         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2365         int err;
2366         struct net_device *dev = info->user_ptr[1];
2367         u8 *mac_addr = NULL;
2368         struct key_parse key;
2369
2370         err = nl80211_parse_key(info, &key);
2371         if (err)
2372                 return err;
2373
2374         if (info->attrs[NL80211_ATTR_MAC])
2375                 mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
2376
2377         if (key.type == -1) {
2378                 if (mac_addr)
2379                         key.type = NL80211_KEYTYPE_PAIRWISE;
2380                 else
2381                         key.type = NL80211_KEYTYPE_GROUP;
2382         }
2383
2384         /* for now */
2385         if (key.type != NL80211_KEYTYPE_PAIRWISE &&
2386             key.type != NL80211_KEYTYPE_GROUP)
2387                 return -EINVAL;
2388
2389         if (!rdev->ops->del_key)
2390                 return -EOPNOTSUPP;
2391
2392         wdev_lock(dev->ieee80211_ptr);
2393         err = nl80211_key_allowed(dev->ieee80211_ptr);
2394
2395         if (key.type == NL80211_KEYTYPE_PAIRWISE && mac_addr &&
2396             !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
2397                 err = -ENOENT;
2398
2399         if (!err)
2400                 err = rdev_del_key(rdev, dev, key.idx,
2401                                    key.type == NL80211_KEYTYPE_PAIRWISE,
2402                                    mac_addr);
2403
2404 #ifdef CONFIG_CFG80211_WEXT
2405         if (!err) {
2406                 if (key.idx == dev->ieee80211_ptr->wext.default_key)
2407                         dev->ieee80211_ptr->wext.default_key = -1;
2408                 else if (key.idx == dev->ieee80211_ptr->wext.default_mgmt_key)
2409                         dev->ieee80211_ptr->wext.default_mgmt_key = -1;
2410         }
2411 #endif
2412         wdev_unlock(dev->ieee80211_ptr);
2413
2414         return err;
2415 }
2416
2417 static int nl80211_parse_beacon(struct genl_info *info,
2418                                 struct cfg80211_beacon_data *bcn)
2419 {
2420         bool haveinfo = false;
2421
2422         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_BEACON_TAIL]) ||
2423             !is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]) ||
2424             !is_valid_ie_attr(info->attrs[NL80211_ATTR_IE_PROBE_RESP]) ||
2425             !is_valid_ie_attr(info->attrs[NL80211_ATTR_IE_ASSOC_RESP]))
2426                 return -EINVAL;
2427
2428         memset(bcn, 0, sizeof(*bcn));
2429
2430         if (info->attrs[NL80211_ATTR_BEACON_HEAD]) {
2431                 bcn->head = nla_data(info->attrs[NL80211_ATTR_BEACON_HEAD]);
2432                 bcn->head_len = nla_len(info->attrs[NL80211_ATTR_BEACON_HEAD]);
2433                 if (!bcn->head_len)
2434                         return -EINVAL;
2435                 haveinfo = true;
2436         }
2437
2438         if (info->attrs[NL80211_ATTR_BEACON_TAIL]) {
2439                 bcn->tail = nla_data(info->attrs[NL80211_ATTR_BEACON_TAIL]);
2440                 bcn->tail_len =
2441                     nla_len(info->attrs[NL80211_ATTR_BEACON_TAIL]);
2442                 haveinfo = true;
2443         }
2444
2445         if (!haveinfo)
2446                 return -EINVAL;
2447
2448         if (info->attrs[NL80211_ATTR_IE]) {
2449                 bcn->beacon_ies = nla_data(info->attrs[NL80211_ATTR_IE]);
2450                 bcn->beacon_ies_len = nla_len(info->attrs[NL80211_ATTR_IE]);
2451         }
2452
2453         if (info->attrs[NL80211_ATTR_IE_PROBE_RESP]) {
2454                 bcn->proberesp_ies =
2455                         nla_data(info->attrs[NL80211_ATTR_IE_PROBE_RESP]);
2456                 bcn->proberesp_ies_len =
2457                         nla_len(info->attrs[NL80211_ATTR_IE_PROBE_RESP]);
2458         }
2459
2460         if (info->attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
2461                 bcn->assocresp_ies =
2462                         nla_data(info->attrs[NL80211_ATTR_IE_ASSOC_RESP]);
2463                 bcn->assocresp_ies_len =
2464                         nla_len(info->attrs[NL80211_ATTR_IE_ASSOC_RESP]);
2465         }
2466
2467         if (info->attrs[NL80211_ATTR_PROBE_RESP]) {
2468                 bcn->probe_resp =
2469                         nla_data(info->attrs[NL80211_ATTR_PROBE_RESP]);
2470                 bcn->probe_resp_len =
2471                         nla_len(info->attrs[NL80211_ATTR_PROBE_RESP]);
2472         }
2473
2474         return 0;
2475 }
2476
2477 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
2478                                    struct cfg80211_ap_settings *params)
2479 {
2480         struct wireless_dev *wdev;
2481         bool ret = false;
2482
2483         mutex_lock(&rdev->devlist_mtx);
2484
2485         list_for_each_entry(wdev, &rdev->wdev_list, list) {
2486                 if (wdev->iftype != NL80211_IFTYPE_AP &&
2487                     wdev->iftype != NL80211_IFTYPE_P2P_GO)
2488                         continue;
2489
2490                 if (!wdev->preset_chan)
2491                         continue;
2492
2493                 params->channel = wdev->preset_chan;
2494                 params->channel_type = wdev->preset_chantype;
2495                 ret = true;
2496                 break;
2497         }
2498
2499         mutex_unlock(&rdev->devlist_mtx);
2500
2501         return ret;
2502 }
2503
2504 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
2505                                     enum nl80211_auth_type auth_type,
2506                                     enum nl80211_commands cmd)
2507 {
2508         if (auth_type > NL80211_AUTHTYPE_MAX)
2509                 return false;
2510
2511         switch (cmd) {
2512         case NL80211_CMD_AUTHENTICATE:
2513                 if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
2514                     auth_type == NL80211_AUTHTYPE_SAE)
2515                         return false;
2516                 return true;
2517         case NL80211_CMD_CONNECT:
2518         case NL80211_CMD_START_AP:
2519                 /* SAE not supported yet */
2520                 if (auth_type == NL80211_AUTHTYPE_SAE)
2521                         return false;
2522                 return true;
2523         default:
2524                 return false;
2525         }
2526 }
2527
2528 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
2529 {
2530         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2531         struct net_device *dev = info->user_ptr[1];
2532         struct wireless_dev *wdev = dev->ieee80211_ptr;
2533         struct cfg80211_ap_settings params;
2534         int err;
2535
2536         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
2537             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
2538                 return -EOPNOTSUPP;
2539
2540         if (!rdev->ops->start_ap)
2541                 return -EOPNOTSUPP;
2542
2543         if (wdev->beacon_interval)
2544                 return -EALREADY;
2545
2546         memset(&params, 0, sizeof(params));
2547
2548         /* these are required for START_AP */
2549         if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
2550             !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
2551             !info->attrs[NL80211_ATTR_BEACON_HEAD])
2552                 return -EINVAL;
2553
2554         err = nl80211_parse_beacon(info, &params.beacon);
2555         if (err)
2556                 return err;
2557
2558         params.beacon_interval =
2559                 nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
2560         params.dtim_period =
2561                 nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
2562
2563         err = cfg80211_validate_beacon_int(rdev, params.beacon_interval);
2564         if (err)
2565                 return err;
2566
2567         /*
2568          * In theory, some of these attributes should be required here
2569          * but since they were not used when the command was originally
2570          * added, keep them optional for old user space programs to let
2571          * them continue to work with drivers that do not need the
2572          * additional information -- drivers must check!
2573          */
2574         if (info->attrs[NL80211_ATTR_SSID]) {
2575                 params.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
2576                 params.ssid_len =
2577                         nla_len(info->attrs[NL80211_ATTR_SSID]);
2578                 if (params.ssid_len == 0 ||
2579                     params.ssid_len > IEEE80211_MAX_SSID_LEN)
2580                         return -EINVAL;
2581         }
2582
2583         if (info->attrs[NL80211_ATTR_HIDDEN_SSID]) {
2584                 params.hidden_ssid = nla_get_u32(
2585                         info->attrs[NL80211_ATTR_HIDDEN_SSID]);
2586                 if (params.hidden_ssid != NL80211_HIDDEN_SSID_NOT_IN_USE &&
2587                     params.hidden_ssid != NL80211_HIDDEN_SSID_ZERO_LEN &&
2588                     params.hidden_ssid != NL80211_HIDDEN_SSID_ZERO_CONTENTS)
2589                         return -EINVAL;
2590         }
2591
2592         params.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
2593
2594         if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
2595                 params.auth_type = nla_get_u32(
2596                         info->attrs[NL80211_ATTR_AUTH_TYPE]);
2597                 if (!nl80211_valid_auth_type(rdev, params.auth_type,
2598                                              NL80211_CMD_START_AP))
2599                         return -EINVAL;
2600         } else
2601                 params.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
2602
2603         err = nl80211_crypto_settings(rdev, info, &params.crypto,
2604                                       NL80211_MAX_NR_CIPHER_SUITES);
2605         if (err)
2606                 return err;
2607
2608         if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
2609                 if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER))
2610                         return -EOPNOTSUPP;
2611                 params.inactivity_timeout = nla_get_u16(
2612                         info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
2613         }
2614
2615         if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
2616                 enum nl80211_channel_type channel_type = NL80211_CHAN_NO_HT;
2617
2618                 if (info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE] &&
2619                     !nl80211_valid_channel_type(info, &channel_type))
2620                         return -EINVAL;
2621
2622                 params.channel = rdev_freq_to_chan(rdev,
2623                         nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]),
2624                         channel_type);
2625                 if (!params.channel)
2626                         return -EINVAL;
2627                 params.channel_type = channel_type;
2628         } else if (wdev->preset_chan) {
2629                 params.channel = wdev->preset_chan;
2630                 params.channel_type = wdev->preset_chantype;
2631         } else if (!nl80211_get_ap_channel(rdev, &params))
2632                 return -EINVAL;
2633
2634         if (!cfg80211_can_beacon_sec_chan(&rdev->wiphy, params.channel,
2635                                           params.channel_type))
2636                 return -EINVAL;
2637
2638         mutex_lock(&rdev->devlist_mtx);
2639         err = cfg80211_can_use_chan(rdev, wdev, params.channel,
2640                                     CHAN_MODE_SHARED);
2641         mutex_unlock(&rdev->devlist_mtx);
2642
2643         if (err)
2644                 return err;
2645
2646         err = rdev_start_ap(rdev, dev, &params);
2647         if (!err) {
2648                 wdev->preset_chan = params.channel;
2649                 wdev->preset_chantype = params.channel_type;
2650                 wdev->beacon_interval = params.beacon_interval;
2651                 wdev->channel = params.channel;
2652         }
2653         return err;
2654 }
2655
2656 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
2657 {
2658         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2659         struct net_device *dev = info->user_ptr[1];
2660         struct wireless_dev *wdev = dev->ieee80211_ptr;
2661         struct cfg80211_beacon_data params;
2662         int err;
2663
2664         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
2665             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
2666                 return -EOPNOTSUPP;
2667
2668         if (!rdev->ops->change_beacon)
2669                 return -EOPNOTSUPP;
2670
2671         if (!wdev->beacon_interval)
2672                 return -EINVAL;
2673
2674         err = nl80211_parse_beacon(info, &params);
2675         if (err)
2676                 return err;
2677
2678         return rdev_change_beacon(rdev, dev, &params);
2679 }
2680
2681 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
2682 {
2683         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2684         struct net_device *dev = info->user_ptr[1];
2685
2686         return cfg80211_stop_ap(rdev, dev);
2687 }
2688
2689 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
2690         [NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
2691         [NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
2692         [NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
2693         [NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
2694         [NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
2695         [NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
2696 };
2697
2698 static int parse_station_flags(struct genl_info *info,
2699                                enum nl80211_iftype iftype,
2700                                struct station_parameters *params)
2701 {
2702         struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
2703         struct nlattr *nla;
2704         int flag;
2705
2706         /*
2707          * Try parsing the new attribute first so userspace
2708          * can specify both for older kernels.
2709          */
2710         nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
2711         if (nla) {
2712                 struct nl80211_sta_flag_update *sta_flags;
2713
2714                 sta_flags = nla_data(nla);
2715                 params->sta_flags_mask = sta_flags->mask;
2716                 params->sta_flags_set = sta_flags->set;
2717                 if ((params->sta_flags_mask |
2718                      params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
2719                         return -EINVAL;
2720                 return 0;
2721         }
2722
2723         /* if present, parse the old attribute */
2724
2725         nla = info->attrs[NL80211_ATTR_STA_FLAGS];
2726         if (!nla)
2727                 return 0;
2728
2729         if (nla_parse_nested(flags, NL80211_STA_FLAG_MAX,
2730                              nla, sta_flags_policy))
2731                 return -EINVAL;
2732
2733         /*
2734          * Only allow certain flags for interface types so that
2735          * other attributes are silently ignored. Remember that
2736          * this is backward compatibility code with old userspace
2737          * and shouldn't be hit in other cases anyway.
2738          */
2739         switch (iftype) {
2740         case NL80211_IFTYPE_AP:
2741         case NL80211_IFTYPE_AP_VLAN:
2742         case NL80211_IFTYPE_P2P_GO:
2743                 params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
2744                                          BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
2745                                          BIT(NL80211_STA_FLAG_WME) |
2746                                          BIT(NL80211_STA_FLAG_MFP);
2747                 break;
2748         case NL80211_IFTYPE_P2P_CLIENT:
2749         case NL80211_IFTYPE_STATION:
2750                 params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
2751                                          BIT(NL80211_STA_FLAG_TDLS_PEER);
2752                 break;
2753         case NL80211_IFTYPE_MESH_POINT:
2754                 params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
2755                                          BIT(NL80211_STA_FLAG_MFP) |
2756                                          BIT(NL80211_STA_FLAG_AUTHORIZED);
2757         default:
2758                 return -EINVAL;
2759         }
2760
2761         for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
2762                 if (flags[flag]) {
2763                         params->sta_flags_set |= (1<<flag);
2764
2765                         /* no longer support new API additions in old API */
2766                         if (flag > NL80211_STA_FLAG_MAX_OLD_API)
2767                                 return -EINVAL;
2768                 }
2769         }
2770
2771         return 0;
2772 }
2773
2774 static bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info,
2775                                  int attr)
2776 {
2777         struct nlattr *rate;
2778         u32 bitrate;
2779         u16 bitrate_compat;
2780
2781         rate = nla_nest_start(msg, attr);
2782         if (!rate)
2783                 goto nla_put_failure;
2784
2785         /* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
2786         bitrate = cfg80211_calculate_bitrate(info);
2787         /* report 16-bit bitrate only if we can */
2788         bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
2789         if ((bitrate > 0 &&
2790              nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate)) ||
2791             (bitrate_compat > 0 &&
2792              nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat)) ||
2793             ((info->flags & RATE_INFO_FLAGS_MCS) &&
2794              nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs)) ||
2795             ((info->flags & RATE_INFO_FLAGS_40_MHZ_WIDTH) &&
2796              nla_put_flag(msg, NL80211_RATE_INFO_40_MHZ_WIDTH)) ||
2797             ((info->flags & RATE_INFO_FLAGS_SHORT_GI) &&
2798              nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI)))
2799                 goto nla_put_failure;
2800
2801         nla_nest_end(msg, rate);
2802         return true;
2803
2804 nla_put_failure:
2805         return false;
2806 }
2807
2808 static int nl80211_send_station(struct sk_buff *msg, u32 portid, u32 seq,
2809                                 int flags,
2810                                 struct cfg80211_registered_device *rdev,
2811                                 struct net_device *dev,
2812                                 const u8 *mac_addr, struct station_info *sinfo)
2813 {
2814         void *hdr;
2815         struct nlattr *sinfoattr, *bss_param;
2816
2817         hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_STATION);
2818         if (!hdr)
2819                 return -1;
2820
2821         if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
2822             nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
2823             nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
2824                 goto nla_put_failure;
2825
2826         sinfoattr = nla_nest_start(msg, NL80211_ATTR_STA_INFO);
2827         if (!sinfoattr)
2828                 goto nla_put_failure;
2829         if ((sinfo->filled & STATION_INFO_CONNECTED_TIME) &&
2830             nla_put_u32(msg, NL80211_STA_INFO_CONNECTED_TIME,
2831                         sinfo->connected_time))
2832                 goto nla_put_failure;
2833         if ((sinfo->filled & STATION_INFO_INACTIVE_TIME) &&
2834             nla_put_u32(msg, NL80211_STA_INFO_INACTIVE_TIME,
2835                         sinfo->inactive_time))
2836                 goto nla_put_failure;
2837         if ((sinfo->filled & STATION_INFO_RX_BYTES) &&
2838             nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
2839                         sinfo->rx_bytes))
2840                 goto nla_put_failure;
2841         if ((sinfo->filled & STATION_INFO_TX_BYTES) &&
2842             nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
2843                         sinfo->tx_bytes))
2844                 goto nla_put_failure;
2845         if ((sinfo->filled & STATION_INFO_LLID) &&
2846             nla_put_u16(msg, NL80211_STA_INFO_LLID, sinfo->llid))
2847                 goto nla_put_failure;
2848         if ((sinfo->filled & STATION_INFO_PLID) &&
2849             nla_put_u16(msg, NL80211_STA_INFO_PLID, sinfo->plid))
2850                 goto nla_put_failure;
2851         if ((sinfo->filled & STATION_INFO_PLINK_STATE) &&
2852             nla_put_u8(msg, NL80211_STA_INFO_PLINK_STATE,
2853                        sinfo->plink_state))
2854                 goto nla_put_failure;
2855         switch (rdev->wiphy.signal_type) {
2856         case CFG80211_SIGNAL_TYPE_MBM:
2857                 if ((sinfo->filled & STATION_INFO_SIGNAL) &&
2858                     nla_put_u8(msg, NL80211_STA_INFO_SIGNAL,
2859                                sinfo->signal))
2860                         goto nla_put_failure;
2861                 if ((sinfo->filled & STATION_INFO_SIGNAL_AVG) &&
2862                     nla_put_u8(msg, NL80211_STA_INFO_SIGNAL_AVG,
2863                                sinfo->signal_avg))
2864                         goto nla_put_failure;
2865                 break;
2866         default:
2867                 break;
2868         }
2869         if (sinfo->filled & STATION_INFO_TX_BITRATE) {
2870                 if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
2871                                           NL80211_STA_INFO_TX_BITRATE))
2872                         goto nla_put_failure;
2873         }
2874         if (sinfo->filled & STATION_INFO_RX_BITRATE) {
2875                 if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
2876                                           NL80211_STA_INFO_RX_BITRATE))
2877                         goto nla_put_failure;
2878         }
2879         if ((sinfo->filled & STATION_INFO_RX_PACKETS) &&
2880             nla_put_u32(msg, NL80211_STA_INFO_RX_PACKETS,
2881                         sinfo->rx_packets))
2882                 goto nla_put_failure;
2883         if ((sinfo->filled & STATION_INFO_TX_PACKETS) &&
2884             nla_put_u32(msg, NL80211_STA_INFO_TX_PACKETS,
2885                         sinfo->tx_packets))
2886                 goto nla_put_failure;
2887         if ((sinfo->filled & STATION_INFO_TX_RETRIES) &&
2888             nla_put_u32(msg, NL80211_STA_INFO_TX_RETRIES,
2889                         sinfo->tx_retries))
2890                 goto nla_put_failure;
2891         if ((sinfo->filled & STATION_INFO_TX_FAILED) &&
2892             nla_put_u32(msg, NL80211_STA_INFO_TX_FAILED,
2893                         sinfo->tx_failed))
2894                 goto nla_put_failure;
2895         if ((sinfo->filled & STATION_INFO_BEACON_LOSS_COUNT) &&
2896             nla_put_u32(msg, NL80211_STA_INFO_BEACON_LOSS,
2897                         sinfo->beacon_loss_count))
2898                 goto nla_put_failure;
2899         if (sinfo->filled & STATION_INFO_BSS_PARAM) {
2900                 bss_param = nla_nest_start(msg, NL80211_STA_INFO_BSS_PARAM);
2901                 if (!bss_param)
2902                         goto nla_put_failure;
2903
2904                 if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
2905                      nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
2906                     ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
2907                      nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
2908                     ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
2909                      nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
2910                     nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
2911                                sinfo->bss_param.dtim_period) ||
2912                     nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
2913                                 sinfo->bss_param.beacon_interval))
2914                         goto nla_put_failure;
2915
2916                 nla_nest_end(msg, bss_param);
2917         }
2918         if ((sinfo->filled & STATION_INFO_STA_FLAGS) &&
2919             nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
2920                     sizeof(struct nl80211_sta_flag_update),
2921                     &sinfo->sta_flags))
2922                 goto nla_put_failure;
2923         if ((sinfo->filled & STATION_INFO_T_OFFSET) &&
2924                 nla_put_u64(msg, NL80211_STA_INFO_T_OFFSET,
2925                             sinfo->t_offset))
2926                 goto nla_put_failure;
2927         nla_nest_end(msg, sinfoattr);
2928
2929         if ((sinfo->filled & STATION_INFO_ASSOC_REQ_IES) &&
2930             nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
2931                     sinfo->assoc_req_ies))
2932                 goto nla_put_failure;
2933
2934         return genlmsg_end(msg, hdr);
2935
2936  nla_put_failure:
2937         genlmsg_cancel(msg, hdr);
2938         return -EMSGSIZE;
2939 }
2940
2941 static int nl80211_dump_station(struct sk_buff *skb,
2942                                 struct netlink_callback *cb)
2943 {
2944         struct station_info sinfo;
2945         struct cfg80211_registered_device *dev;
2946         struct net_device *netdev;
2947         u8 mac_addr[ETH_ALEN];
2948         int sta_idx = cb->args[1];
2949         int err;
2950
2951         err = nl80211_prepare_netdev_dump(skb, cb, &dev, &netdev);
2952         if (err)
2953                 return err;
2954
2955         if (!dev->ops->dump_station) {
2956                 err = -EOPNOTSUPP;
2957                 goto out_err;
2958         }
2959
2960         while (1) {
2961                 memset(&sinfo, 0, sizeof(sinfo));
2962                 err = rdev_dump_station(dev, netdev, sta_idx,
2963                                         mac_addr, &sinfo);
2964                 if (err == -ENOENT)
2965                         break;
2966                 if (err)
2967                         goto out_err;
2968
2969                 if (nl80211_send_station(skb,
2970                                 NETLINK_CB(cb->skb).portid,
2971                                 cb->nlh->nlmsg_seq, NLM_F_MULTI,
2972                                 dev, netdev, mac_addr,
2973                                 &sinfo) < 0)
2974                         goto out;
2975
2976                 sta_idx++;
2977         }
2978
2979
2980  out:
2981         cb->args[1] = sta_idx;
2982         err = skb->len;
2983  out_err:
2984         nl80211_finish_netdev_dump(dev);
2985
2986         return err;
2987 }
2988
2989 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
2990 {
2991         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2992         struct net_device *dev = info->user_ptr[1];
2993         struct station_info sinfo;
2994         struct sk_buff *msg;
2995         u8 *mac_addr = NULL;
2996         int err;
2997
2998         memset(&sinfo, 0, sizeof(sinfo));
2999
3000         if (!info->attrs[NL80211_ATTR_MAC])
3001                 return -EINVAL;
3002
3003         mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3004
3005         if (!rdev->ops->get_station)
3006                 return -EOPNOTSUPP;
3007
3008         err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
3009         if (err)
3010                 return err;
3011
3012         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3013         if (!msg)
3014                 return -ENOMEM;
3015
3016         if (nl80211_send_station(msg, info->snd_portid, info->snd_seq, 0,
3017                                  rdev, dev, mac_addr, &sinfo) < 0) {
3018                 nlmsg_free(msg);
3019                 return -ENOBUFS;
3020         }
3021
3022         return genlmsg_reply(msg, info);
3023 }
3024
3025 /*
3026  * Get vlan interface making sure it is running and on the right wiphy.
3027  */
3028 static struct net_device *get_vlan(struct genl_info *info,
3029                                    struct cfg80211_registered_device *rdev)
3030 {
3031         struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
3032         struct net_device *v;
3033         int ret;
3034
3035         if (!vlanattr)
3036                 return NULL;
3037
3038         v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
3039         if (!v)
3040                 return ERR_PTR(-ENODEV);
3041
3042         if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
3043                 ret = -EINVAL;
3044                 goto error;
3045         }
3046
3047         if (!netif_running(v)) {
3048                 ret = -ENETDOWN;
3049                 goto error;
3050         }
3051
3052         return v;
3053  error:
3054         dev_put(v);
3055         return ERR_PTR(ret);
3056 }
3057
3058 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
3059 {
3060         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3061         int err;
3062         struct net_device *dev = info->user_ptr[1];
3063         struct station_parameters params;
3064         u8 *mac_addr = NULL;
3065
3066         memset(&params, 0, sizeof(params));
3067
3068         params.listen_interval = -1;
3069         params.plink_state = -1;
3070
3071         if (info->attrs[NL80211_ATTR_STA_AID])
3072                 return -EINVAL;
3073
3074         if (!info->attrs[NL80211_ATTR_MAC])
3075                 return -EINVAL;
3076
3077         mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3078
3079         if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
3080                 params.supported_rates =
3081                         nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
3082                 params.supported_rates_len =
3083                         nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
3084         }
3085
3086         if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
3087                 params.listen_interval =
3088                     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
3089
3090         if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
3091                 params.ht_capa =
3092                         nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
3093
3094         if (!rdev->ops->change_station)
3095                 return -EOPNOTSUPP;
3096
3097         if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
3098                 return -EINVAL;
3099
3100         if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
3101                 params.plink_action =
3102                     nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
3103
3104         if (info->attrs[NL80211_ATTR_STA_PLINK_STATE])
3105                 params.plink_state =
3106                     nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
3107
3108         switch (dev->ieee80211_ptr->iftype) {
3109         case NL80211_IFTYPE_AP:
3110         case NL80211_IFTYPE_AP_VLAN:
3111         case NL80211_IFTYPE_P2P_GO:
3112                 /* disallow mesh-specific things */
3113                 if (params.plink_action)
3114                         return -EINVAL;
3115
3116                 /* TDLS can't be set, ... */
3117                 if (params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
3118                         return -EINVAL;
3119                 /*
3120                  * ... but don't bother the driver with it. This works around
3121                  * a hostapd/wpa_supplicant issue -- it always includes the
3122                  * TLDS_PEER flag in the mask even for AP mode.
3123                  */
3124                 params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
3125
3126                 /* accept only the listed bits */
3127                 if (params.sta_flags_mask &
3128                                 ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
3129                                   BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
3130                                   BIT(NL80211_STA_FLAG_WME) |
3131                                   BIT(NL80211_STA_FLAG_MFP)))
3132                         return -EINVAL;
3133
3134                 /* must be last in here for error handling */
3135                 params.vlan = get_vlan(info, rdev);
3136                 if (IS_ERR(params.vlan))
3137                         return PTR_ERR(params.vlan);
3138                 break;
3139         case NL80211_IFTYPE_P2P_CLIENT:
3140         case NL80211_IFTYPE_STATION:
3141                 /*
3142                  * Don't allow userspace to change the TDLS_PEER flag,
3143                  * but silently ignore attempts to change it since we
3144                  * don't have state here to verify that it doesn't try
3145                  * to change the flag.
3146                  */
3147                 params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
3148                 /* fall through */
3149         case NL80211_IFTYPE_ADHOC:
3150                 /* disallow things sta doesn't support */
3151                 if (params.plink_action)
3152                         return -EINVAL;
3153                 if (params.ht_capa)
3154                         return -EINVAL;
3155                 if (params.listen_interval >= 0)
3156                         return -EINVAL;
3157                 /* reject any changes other than AUTHORIZED */
3158                 if (params.sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
3159                         return -EINVAL;
3160                 break;
3161         case NL80211_IFTYPE_MESH_POINT:
3162                 /* disallow things mesh doesn't support */
3163                 if (params.vlan)
3164                         return -EINVAL;
3165                 if (params.ht_capa)
3166                         return -EINVAL;
3167                 if (params.listen_interval >= 0)
3168                         return -EINVAL;
3169                 /*
3170                  * No special handling for TDLS here -- the userspace
3171                  * mesh code doesn't have this bug.
3172                  */
3173                 if (params.sta_flags_mask &
3174                                 ~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
3175                                   BIT(NL80211_STA_FLAG_MFP) |
3176                                   BIT(NL80211_STA_FLAG_AUTHORIZED)))
3177                         return -EINVAL;
3178                 break;
3179         default:
3180                 return -EOPNOTSUPP;
3181         }
3182
3183         /* be aware of params.vlan when changing code here */
3184
3185         err = rdev_change_station(rdev, dev, mac_addr, &params);
3186
3187         if (params.vlan)
3188                 dev_put(params.vlan);
3189
3190         return err;
3191 }
3192
3193 static struct nla_policy
3194 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] __read_mostly = {
3195         [NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
3196         [NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
3197 };
3198
3199 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
3200 {
3201         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3202         int err;
3203         struct net_device *dev = info->user_ptr[1];
3204         struct station_parameters params;
3205         u8 *mac_addr = NULL;
3206
3207         memset(&params, 0, sizeof(params));
3208
3209         if (!info->attrs[NL80211_ATTR_MAC])
3210                 return -EINVAL;
3211
3212         if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
3213                 return -EINVAL;
3214
3215         if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
3216                 return -EINVAL;
3217
3218         if (!info->attrs[NL80211_ATTR_STA_AID])
3219                 return -EINVAL;
3220
3221         mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3222         params.supported_rates =
3223                 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
3224         params.supported_rates_len =
3225                 nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
3226         params.listen_interval =
3227                 nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
3228
3229         params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
3230         if (!params.aid || params.aid > IEEE80211_MAX_AID)
3231                 return -EINVAL;
3232
3233         if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
3234                 params.ht_capa =
3235                         nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
3236
3237         if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
3238                 params.vht_capa =
3239                         nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
3240
3241         if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
3242                 params.plink_action =
3243                     nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
3244
3245         if (!rdev->ops->add_station)
3246                 return -EOPNOTSUPP;
3247
3248         if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
3249                 return -EINVAL;
3250
3251         switch (dev->ieee80211_ptr->iftype) {
3252         case NL80211_IFTYPE_AP:
3253         case NL80211_IFTYPE_AP_VLAN:
3254         case NL80211_IFTYPE_P2P_GO:
3255                 /* parse WME attributes if sta is WME capable */
3256                 if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
3257                     (params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)) &&
3258                     info->attrs[NL80211_ATTR_STA_WME]) {
3259                         struct nlattr *tb[NL80211_STA_WME_MAX + 1];
3260                         struct nlattr *nla;
3261
3262                         nla = info->attrs[NL80211_ATTR_STA_WME];
3263                         err = nla_parse_nested(tb, NL80211_STA_WME_MAX, nla,
3264                                                nl80211_sta_wme_policy);
3265                         if (err)
3266                                 return err;
3267
3268                         if (tb[NL80211_STA_WME_UAPSD_QUEUES])
3269                                 params.uapsd_queues =
3270                                      nla_get_u8(tb[NL80211_STA_WME_UAPSD_QUEUES]);
3271                         if (params.uapsd_queues &
3272                                         ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
3273                                 return -EINVAL;
3274
3275                         if (tb[NL80211_STA_WME_MAX_SP])
3276                                 params.max_sp =
3277                                      nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
3278
3279                         if (params.max_sp &
3280                                         ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
3281                                 return -EINVAL;
3282
3283                         params.sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
3284                 }
3285                 /* TDLS peers cannot be added */
3286                 if (params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
3287                         return -EINVAL;
3288                 /* but don't bother the driver with it */
3289                 params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
3290
3291                 /* must be last in here for error handling */
3292                 params.vlan = get_vlan(info, rdev);
3293                 if (IS_ERR(params.vlan))
3294                         return PTR_ERR(params.vlan);
3295                 break;
3296         case NL80211_IFTYPE_MESH_POINT:
3297                 /* TDLS peers cannot be added */
3298                 if (params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
3299                         return -EINVAL;
3300                 break;
3301         case NL80211_IFTYPE_STATION:
3302                 /* Only TDLS peers can be added */
3303                 if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
3304                         return -EINVAL;
3305                 /* Can only add if TDLS ... */
3306                 if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
3307                         return -EOPNOTSUPP;
3308                 /* ... with external setup is supported */
3309                 if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
3310                         return -EOPNOTSUPP;
3311                 break;
3312         default:
3313                 return -EOPNOTSUPP;
3314         }
3315
3316         /* be aware of params.vlan when changing code here */
3317
3318         err = rdev_add_station(rdev, dev, mac_addr, &params);
3319
3320         if (params.vlan)
3321                 dev_put(params.vlan);
3322         return err;
3323 }
3324
3325 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
3326 {
3327         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3328         struct net_device *dev = info->user_ptr[1];
3329         u8 *mac_addr = NULL;
3330
3331         if (info->attrs[NL80211_ATTR_MAC])
3332                 mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3333
3334         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3335             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
3336             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
3337             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3338                 return -EINVAL;
3339
3340         if (!rdev->ops->del_station)
3341                 return -EOPNOTSUPP;
3342
3343         return rdev_del_station(rdev, dev, mac_addr);
3344 }
3345
3346 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
3347                                 int flags, struct net_device *dev,
3348                                 u8 *dst, u8 *next_hop,
3349                                 struct mpath_info *pinfo)
3350 {
3351         void *hdr;
3352         struct nlattr *pinfoattr;
3353
3354         hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_STATION);
3355         if (!hdr)
3356                 return -1;
3357
3358         if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3359             nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
3360             nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
3361             nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
3362                 goto nla_put_failure;
3363
3364         pinfoattr = nla_nest_start(msg, NL80211_ATTR_MPATH_INFO);
3365         if (!pinfoattr)
3366                 goto nla_put_failure;
3367         if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
3368             nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
3369                         pinfo->frame_qlen))
3370                 goto nla_put_failure;
3371         if (((pinfo->filled & MPATH_INFO_SN) &&
3372              nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
3373             ((pinfo->filled & MPATH_INFO_METRIC) &&
3374              nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
3375                          pinfo->metric)) ||
3376             ((pinfo->filled & MPATH_INFO_EXPTIME) &&
3377              nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
3378                          pinfo->exptime)) ||
3379             ((pinfo->filled & MPATH_INFO_FLAGS) &&
3380              nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
3381                         pinfo->flags)) ||
3382             ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
3383              nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
3384                          pinfo->discovery_timeout)) ||
3385             ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
3386              nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
3387                         pinfo->discovery_retries)))
3388                 goto nla_put_failure;
3389
3390         nla_nest_end(msg, pinfoattr);
3391
3392         return genlmsg_end(msg, hdr);
3393
3394  nla_put_failure:
3395         genlmsg_cancel(msg, hdr);
3396         return -EMSGSIZE;
3397 }
3398
3399 static int nl80211_dump_mpath(struct sk_buff *skb,
3400                               struct netlink_callback *cb)
3401 {
3402         struct mpath_info pinfo;
3403         struct cfg80211_registered_device *dev;
3404         struct net_device *netdev;
3405         u8 dst[ETH_ALEN];
3406         u8 next_hop[ETH_ALEN];
3407         int path_idx = cb->args[1];
3408         int err;
3409
3410         err = nl80211_prepare_netdev_dump(skb, cb, &dev, &netdev);
3411         if (err)
3412                 return err;
3413
3414         if (!dev->ops->dump_mpath) {
3415                 err = -EOPNOTSUPP;
3416                 goto out_err;
3417         }
3418
3419         if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT) {
3420                 err = -EOPNOTSUPP;
3421                 goto out_err;
3422         }
3423
3424         while (1) {
3425                 err = rdev_dump_mpath(dev, netdev, path_idx, dst, next_hop,
3426                                       &pinfo);
3427                 if (err == -ENOENT)
3428                         break;
3429                 if (err)
3430                         goto out_err;
3431
3432                 if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
3433                                        cb->nlh->nlmsg_seq, NLM_F_MULTI,
3434                                        netdev, dst, next_hop,
3435                                        &pinfo) < 0)
3436                         goto out;
3437
3438                 path_idx++;
3439         }
3440
3441
3442  out:
3443         cb->args[1] = path_idx;
3444         err = skb->len;
3445  out_err:
3446         nl80211_finish_netdev_dump(dev);
3447         return err;
3448 }
3449
3450 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
3451 {
3452         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3453         int err;
3454         struct net_device *dev = info->user_ptr[1];
3455         struct mpath_info pinfo;
3456         struct sk_buff *msg;
3457         u8 *dst = NULL;
3458         u8 next_hop[ETH_ALEN];
3459
3460         memset(&pinfo, 0, sizeof(pinfo));
3461
3462         if (!info->attrs[NL80211_ATTR_MAC])
3463                 return -EINVAL;
3464
3465         dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
3466
3467         if (!rdev->ops->get_mpath)
3468                 return -EOPNOTSUPP;
3469
3470         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
3471                 return -EOPNOTSUPP;
3472
3473         err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
3474         if (err)
3475                 return err;
3476
3477         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3478         if (!msg)
3479                 return -ENOMEM;
3480
3481         if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
3482                                  dev, dst, next_hop, &pinfo) < 0) {
3483                 nlmsg_free(msg);
3484                 return -ENOBUFS;
3485         }
3486
3487         return genlmsg_reply(msg, info);
3488 }
3489
3490 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
3491 {
3492         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3493         struct net_device *dev = info->user_ptr[1];
3494         u8 *dst = NULL;
3495         u8 *next_hop = NULL;
3496
3497         if (!info->attrs[NL80211_ATTR_MAC])
3498                 return -EINVAL;
3499
3500         if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
3501                 return -EINVAL;
3502
3503         dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
3504         next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
3505
3506         if (!rdev->ops->change_mpath)
3507                 return -EOPNOTSUPP;
3508
3509         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
3510                 return -EOPNOTSUPP;
3511
3512         return rdev_change_mpath(rdev, dev, dst, next_hop);
3513 }
3514
3515 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
3516 {
3517         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3518         struct net_device *dev = info->user_ptr[1];
3519         u8 *dst = NULL;
3520         u8 *next_hop = NULL;
3521
3522         if (!info->attrs[NL80211_ATTR_MAC])
3523                 return -EINVAL;
3524
3525         if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
3526                 return -EINVAL;
3527
3528         dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
3529         next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
3530
3531         if (!rdev->ops->add_mpath)
3532                 return -EOPNOTSUPP;
3533
3534         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
3535                 return -EOPNOTSUPP;
3536
3537         return rdev_add_mpath(rdev, dev, dst, next_hop);
3538 }
3539
3540 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
3541 {
3542         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3543         struct net_device *dev = info->user_ptr[1];
3544         u8 *dst = NULL;
3545
3546         if (info->attrs[NL80211_ATTR_MAC])
3547                 dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
3548
3549         if (!rdev->ops->del_mpath)
3550                 return -EOPNOTSUPP;
3551
3552         return rdev_del_mpath(rdev, dev, dst);
3553 }
3554
3555 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
3556 {
3557         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3558         struct net_device *dev = info->user_ptr[1];
3559         struct bss_parameters params;
3560
3561         memset(&params, 0, sizeof(params));
3562         /* default to not changing parameters */
3563         params.use_cts_prot = -1;
3564         params.use_short_preamble = -1;
3565         params.use_short_slot_time = -1;
3566         params.ap_isolate = -1;
3567         params.ht_opmode = -1;
3568
3569         if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
3570                 params.use_cts_prot =
3571                     nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
3572         if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
3573                 params.use_short_preamble =
3574                     nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
3575         if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
3576                 params.use_short_slot_time =
3577                     nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
3578         if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
3579                 params.basic_rates =
3580                         nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
3581                 params.basic_rates_len =
3582                         nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
3583         }
3584         if (info->attrs[NL80211_ATTR_AP_ISOLATE])
3585                 params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
3586         if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
3587                 params.ht_opmode =
3588                         nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
3589
3590         if (!rdev->ops->change_bss)
3591                 return -EOPNOTSUPP;
3592
3593         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3594             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3595                 return -EOPNOTSUPP;
3596
3597         return rdev_change_bss(rdev, dev, &params);
3598 }
3599
3600 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
3601         [NL80211_ATTR_REG_RULE_FLAGS]           = { .type = NLA_U32 },
3602         [NL80211_ATTR_FREQ_RANGE_START]         = { .type = NLA_U32 },
3603         [NL80211_ATTR_FREQ_RANGE_END]           = { .type = NLA_U32 },
3604         [NL80211_ATTR_FREQ_RANGE_MAX_BW]        = { .type = NLA_U32 },
3605         [NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]  = { .type = NLA_U32 },
3606         [NL80211_ATTR_POWER_RULE_MAX_EIRP]      = { .type = NLA_U32 },
3607 };
3608
3609 static int parse_reg_rule(struct nlattr *tb[],
3610         struct ieee80211_reg_rule *reg_rule)
3611 {
3612         struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
3613         struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
3614
3615         if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
3616                 return -EINVAL;
3617         if (!tb[NL80211_ATTR_FREQ_RANGE_START])
3618                 return -EINVAL;
3619         if (!tb[NL80211_ATTR_FREQ_RANGE_END])
3620                 return -EINVAL;
3621         if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
3622                 return -EINVAL;
3623         if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
3624                 return -EINVAL;
3625
3626         reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
3627
3628         freq_range->start_freq_khz =
3629                 nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
3630         freq_range->end_freq_khz =
3631                 nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
3632         freq_range->max_bandwidth_khz =
3633                 nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
3634
3635         power_rule->max_eirp =
3636                 nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
3637
3638         if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
3639                 power_rule->max_antenna_gain =
3640                         nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
3641
3642         return 0;
3643 }
3644
3645 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
3646 {
3647         int r;
3648         char *data = NULL;
3649         enum nl80211_user_reg_hint_type user_reg_hint_type;
3650
3651         /*
3652          * You should only get this when cfg80211 hasn't yet initialized
3653          * completely when built-in to the kernel right between the time
3654          * window between nl80211_init() and regulatory_init(), if that is
3655          * even possible.
3656          */
3657         mutex_lock(&cfg80211_mutex);
3658         if (unlikely(!cfg80211_regdomain)) {
3659                 mutex_unlock(&cfg80211_mutex);
3660                 return -EINPROGRESS;
3661         }
3662         mutex_unlock(&cfg80211_mutex);
3663
3664         if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
3665                 return -EINVAL;
3666
3667         data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
3668
3669         if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
3670                 user_reg_hint_type =
3671                   nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
3672         else
3673                 user_reg_hint_type = NL80211_USER_REG_HINT_USER;
3674
3675         switch (user_reg_hint_type) {
3676         case NL80211_USER_REG_HINT_USER:
3677         case NL80211_USER_REG_HINT_CELL_BASE:
3678                 break;
3679         default:
3680                 return -EINVAL;
3681         }
3682
3683         r = regulatory_hint_user(data, user_reg_hint_type);
3684
3685         return r;
3686 }
3687
3688 static int nl80211_get_mesh_config(struct sk_buff *skb,
3689                                    struct genl_info *info)
3690 {
3691         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3692         struct net_device *dev = info->user_ptr[1];
3693         struct wireless_dev *wdev = dev->ieee80211_ptr;
3694         struct mesh_config cur_params;
3695         int err = 0;
3696         void *hdr;
3697         struct nlattr *pinfoattr;
3698         struct sk_buff *msg;
3699
3700         if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
3701                 return -EOPNOTSUPP;
3702
3703         if (!rdev->ops->get_mesh_config)
3704                 return -EOPNOTSUPP;
3705
3706         wdev_lock(wdev);
3707         /* If not connected, get default parameters */
3708         if (!wdev->mesh_id_len)
3709                 memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
3710         else
3711                 err = rdev_get_mesh_config(rdev, dev, &cur_params);
3712         wdev_unlock(wdev);
3713
3714         if (err)
3715                 return err;
3716
3717         /* Draw up a netlink message to send back */
3718         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3719         if (!msg)
3720                 return -ENOMEM;
3721         hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
3722                              NL80211_CMD_GET_MESH_CONFIG);
3723         if (!hdr)
3724                 goto out;
3725         pinfoattr = nla_nest_start(msg, NL80211_ATTR_MESH_CONFIG);
3726         if (!pinfoattr)
3727                 goto nla_put_failure;
3728         if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3729             nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
3730                         cur_params.dot11MeshRetryTimeout) ||
3731             nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
3732                         cur_params.dot11MeshConfirmTimeout) ||
3733             nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
3734                         cur_params.dot11MeshHoldingTimeout) ||
3735             nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
3736                         cur_params.dot11MeshMaxPeerLinks) ||
3737             nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
3738                        cur_params.dot11MeshMaxRetries) ||
3739             nla_put_u8(msg, NL80211_MESHCONF_TTL,
3740                        cur_params.dot11MeshTTL) ||
3741             nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
3742                        cur_params.element_ttl) ||
3743             nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
3744                        cur_params.auto_open_plinks) ||
3745             nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
3746                         cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
3747             nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
3748                        cur_params.dot11MeshHWMPmaxPREQretries) ||
3749             nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
3750                         cur_params.path_refresh_time) ||
3751             nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
3752                         cur_params.min_discovery_timeout) ||
3753             nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
3754                         cur_params.dot11MeshHWMPactivePathTimeout) ||
3755             nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
3756                         cur_params.dot11MeshHWMPpreqMinInterval) ||
3757             nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
3758                         cur_params.dot11MeshHWMPperrMinInterval) ||
3759             nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
3760                         cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
3761             nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
3762                        cur_params.dot11MeshHWMPRootMode) ||
3763             nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
3764                         cur_params.dot11MeshHWMPRannInterval) ||
3765             nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
3766                        cur_params.dot11MeshGateAnnouncementProtocol) ||
3767             nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
3768                        cur_params.dot11MeshForwarding) ||
3769             nla_put_u32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
3770                         cur_params.rssi_threshold) ||
3771             nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
3772                         cur_params.ht_opmode) ||
3773             nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
3774                         cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
3775             nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
3776                         cur_params.dot11MeshHWMProotInterval) ||
3777             nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
3778                         cur_params.dot11MeshHWMPconfirmationInterval))
3779                 goto nla_put_failure;
3780         nla_nest_end(msg, pinfoattr);
3781         genlmsg_end(msg, hdr);
3782         return genlmsg_reply(msg, info);
3783
3784  nla_put_failure:
3785         genlmsg_cancel(msg, hdr);
3786  out:
3787         nlmsg_free(msg);
3788         return -ENOBUFS;
3789 }
3790
3791 static const struct nla_policy nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
3792         [NL80211_MESHCONF_RETRY_TIMEOUT] = { .type = NLA_U16 },
3793         [NL80211_MESHCONF_CONFIRM_TIMEOUT] = { .type = NLA_U16 },
3794         [NL80211_MESHCONF_HOLDING_TIMEOUT] = { .type = NLA_U16 },
3795         [NL80211_MESHCONF_MAX_PEER_LINKS] = { .type = NLA_U16 },
3796         [NL80211_MESHCONF_MAX_RETRIES] = { .type = NLA_U8 },
3797         [NL80211_MESHCONF_TTL] = { .type = NLA_U8 },
3798         [NL80211_MESHCONF_ELEMENT_TTL] = { .type = NLA_U8 },
3799         [NL80211_MESHCONF_AUTO_OPEN_PLINKS] = { .type = NLA_U8 },
3800         [NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] = { .type = NLA_U32 },
3801         [NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
3802         [NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
3803         [NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = { .type = NLA_U16 },
3804         [NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
3805         [NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] = { .type = NLA_U16 },
3806         [NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] = { .type = NLA_U16 },
3807         [NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] = { .type = NLA_U16 },
3808         [NL80211_MESHCONF_HWMP_ROOTMODE] = { .type = NLA_U8 },
3809         [NL80211_MESHCONF_HWMP_RANN_INTERVAL] = { .type = NLA_U16 },
3810         [NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = { .type = NLA_U8 },
3811         [NL80211_MESHCONF_FORWARDING] = { .type = NLA_U8 },
3812         [NL80211_MESHCONF_RSSI_THRESHOLD] = { .type = NLA_U32 },
3813         [NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
3814         [NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
3815         [NL80211_MESHCONF_HWMP_ROOT_INTERVAL] = { .type = NLA_U16 },
3816         [NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] = { .type = NLA_U16 },
3817 };
3818
3819 static const struct nla_policy
3820         nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
3821         [NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
3822         [NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
3823         [NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
3824         [NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
3825         [NL80211_MESH_SETUP_IE] = { .type = NLA_BINARY,
3826                                     .len = IEEE80211_MAX_DATA_LEN },
3827         [NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
3828 };
3829
3830 static int nl80211_parse_mesh_config(struct genl_info *info,
3831                                      struct mesh_config *cfg,
3832                                      u32 *mask_out)
3833 {
3834         struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
3835         u32 mask = 0;
3836
3837 #define FILL_IN_MESH_PARAM_IF_SET(table, cfg, param, mask, attr_num, nla_fn) \
3838 do {\
3839         if (table[attr_num]) {\
3840                 cfg->param = nla_fn(table[attr_num]); \
3841                 mask |= (1 << (attr_num - 1)); \
3842         } \
3843 } while (0);\
3844
3845
3846         if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
3847                 return -EINVAL;
3848         if (nla_parse_nested(tb, NL80211_MESHCONF_ATTR_MAX,
3849                              info->attrs[NL80211_ATTR_MESH_CONFIG],
3850                              nl80211_meshconf_params_policy))
3851                 return -EINVAL;
3852
3853         /* This makes sure that there aren't more than 32 mesh config
3854          * parameters (otherwise our bitfield scheme would not work.) */
3855         BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
3856
3857         /* Fill in the params struct */
3858         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout,
3859                                   mask, NL80211_MESHCONF_RETRY_TIMEOUT,
3860                                   nla_get_u16);
3861         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout,
3862                                   mask, NL80211_MESHCONF_CONFIRM_TIMEOUT,
3863                                   nla_get_u16);
3864         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout,
3865                                   mask, NL80211_MESHCONF_HOLDING_TIMEOUT,
3866                                   nla_get_u16);
3867         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks,
3868                                   mask, NL80211_MESHCONF_MAX_PEER_LINKS,
3869                                   nla_get_u16);
3870         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries,
3871                                   mask, NL80211_MESHCONF_MAX_RETRIES,
3872                                   nla_get_u8);
3873         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL,
3874                                   mask, NL80211_MESHCONF_TTL, nla_get_u8);
3875         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl,
3876                                   mask, NL80211_MESHCONF_ELEMENT_TTL,
3877                                   nla_get_u8);
3878         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks,
3879                                   mask, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
3880                                   nla_get_u8);
3881         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor, mask,
3882                                   NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
3883                                   nla_get_u32);
3884         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries,
3885                                   mask, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
3886                                   nla_get_u8);
3887         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time,
3888                                   mask, NL80211_MESHCONF_PATH_REFRESH_TIME,
3889                                   nla_get_u32);
3890         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout,
3891                                   mask, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
3892                                   nla_get_u16);
3893         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout, mask,
3894                                   NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
3895                                   nla_get_u32);
3896         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval,
3897                                   mask, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
3898                                   nla_get_u16);
3899         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval,
3900                                   mask, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
3901                                   nla_get_u16);
3902         FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
3903                                   dot11MeshHWMPnetDiameterTraversalTime, mask,
3904                                   NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
3905                                   nla_get_u16);
3906         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
3907                                   NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
3908         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
3909                                   NL80211_MESHCONF_HWMP_RANN_INTERVAL,
3910                                   nla_get_u16);
3911         FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
3912                                   dot11MeshGateAnnouncementProtocol, mask,
3913                                   NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
3914                                   nla_get_u8);
3915         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding,
3916                                   mask, NL80211_MESHCONF_FORWARDING,
3917                                   nla_get_u8);
3918         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold,
3919                                   mask, NL80211_MESHCONF_RSSI_THRESHOLD,
3920                                   nla_get_u32);
3921         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, ht_opmode,
3922                                   mask, NL80211_MESHCONF_HT_OPMODE,
3923                                   nla_get_u16);
3924         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathToRootTimeout,
3925                                   mask,
3926                                   NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
3927                                   nla_get_u32);
3928         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval,
3929                                   mask, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
3930                                   nla_get_u16);
3931         FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
3932                                   dot11MeshHWMPconfirmationInterval, mask,
3933                                   NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
3934                                   nla_get_u16);
3935         if (mask_out)
3936                 *mask_out = mask;
3937
3938         return 0;
3939
3940 #undef FILL_IN_MESH_PARAM_IF_SET
3941 }
3942
3943 static int nl80211_parse_mesh_setup(struct genl_info *info,
3944                                      struct mesh_setup *setup)
3945 {
3946         struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
3947
3948         if (!info->attrs[NL80211_ATTR_MESH_SETUP])
3949                 return -EINVAL;
3950         if (nla_parse_nested(tb, NL80211_MESH_SETUP_ATTR_MAX,
3951                              info->attrs[NL80211_ATTR_MESH_SETUP],
3952                              nl80211_mesh_setup_params_policy))
3953                 return -EINVAL;
3954
3955         if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
3956                 setup->sync_method =
3957                 (nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
3958                  IEEE80211_SYNC_METHOD_VENDOR :
3959                  IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
3960
3961         if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
3962                 setup->path_sel_proto =
3963                 (nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
3964                  IEEE80211_PATH_PROTOCOL_VENDOR :
3965                  IEEE80211_PATH_PROTOCOL_HWMP;
3966
3967         if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
3968                 setup->path_metric =
3969                 (nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
3970                  IEEE80211_PATH_METRIC_VENDOR :
3971                  IEEE80211_PATH_METRIC_AIRTIME;
3972
3973
3974         if (tb[NL80211_MESH_SETUP_IE]) {
3975                 struct nlattr *ieattr =
3976                         tb[NL80211_MESH_SETUP_IE];
3977                 if (!is_valid_ie_attr(ieattr))
3978                         return -EINVAL;
3979                 setup->ie = nla_data(ieattr);
3980                 setup->ie_len = nla_len(ieattr);
3981         }
3982         setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
3983         setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
3984
3985         return 0;
3986 }
3987
3988 static int nl80211_update_mesh_config(struct sk_buff *skb,
3989                                       struct genl_info *info)
3990 {
3991         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3992         struct net_device *dev = info->user_ptr[1];
3993         struct wireless_dev *wdev = dev->ieee80211_ptr;
3994         struct mesh_config cfg;
3995         u32 mask;
3996         int err;
3997
3998         if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
3999                 return -EOPNOTSUPP;
4000
4001         if (!rdev->ops->update_mesh_config)
4002                 return -EOPNOTSUPP;
4003
4004         err = nl80211_parse_mesh_config(info, &cfg, &mask);
4005         if (err)
4006                 return err;
4007
4008         wdev_lock(wdev);
4009         if (!wdev->mesh_id_len)
4010                 err = -ENOLINK;
4011
4012         if (!err)
4013                 err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
4014
4015         wdev_unlock(wdev);
4016
4017         return err;
4018 }
4019
4020 static int nl80211_get_reg(struct sk_buff *skb, struct genl_info *info)
4021 {
4022         struct sk_buff *msg;
4023         void *hdr = NULL;
4024         struct nlattr *nl_reg_rules;
4025         unsigned int i;
4026         int err = -EINVAL;
4027
4028         mutex_lock(&cfg80211_mutex);
4029
4030         if (!cfg80211_regdomain)
4031                 goto out;
4032
4033         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4034         if (!msg) {
4035                 err = -ENOBUFS;
4036                 goto out;
4037         }
4038
4039         hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
4040                              NL80211_CMD_GET_REG);
4041         if (!hdr)
4042                 goto put_failure;
4043
4044         if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
4045                            cfg80211_regdomain->alpha2) ||
4046             (cfg80211_regdomain->dfs_region &&
4047              nla_put_u8(msg, NL80211_ATTR_DFS_REGION,
4048                         cfg80211_regdomain->dfs_region)))
4049                 goto nla_put_failure;
4050
4051         if (reg_last_request_cell_base() &&
4052             nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
4053                         NL80211_USER_REG_HINT_CELL_BASE))
4054                 goto nla_put_failure;
4055
4056         nl_reg_rules = nla_nest_start(msg, NL80211_ATTR_REG_RULES);
4057         if (!nl_reg_rules)
4058                 goto nla_put_failure;
4059
4060         for (i = 0; i < cfg80211_regdomain->n_reg_rules; i++) {
4061                 struct nlattr *nl_reg_rule;
4062                 const struct ieee80211_reg_rule *reg_rule;
4063                 const struct ieee80211_freq_range *freq_range;
4064                 const struct ieee80211_power_rule *power_rule;
4065
4066                 reg_rule = &cfg80211_regdomain->reg_rules[i];
4067                 freq_range = &reg_rule->freq_range;
4068                 power_rule = &reg_rule->power_rule;
4069
4070                 nl_reg_rule = nla_nest_start(msg, i);
4071                 if (!nl_reg_rule)
4072                         goto nla_put_failure;
4073
4074                 if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
4075                                 reg_rule->flags) ||
4076                     nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
4077                                 freq_range->start_freq_khz) ||
4078                     nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
4079                                 freq_range->end_freq_khz) ||
4080                     nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
4081                                 freq_range->max_bandwidth_khz) ||
4082                     nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
4083                                 power_rule->max_antenna_gain) ||
4084                     nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
4085                                 power_rule->max_eirp))
4086                         goto nla_put_failure;
4087
4088                 nla_nest_end(msg, nl_reg_rule);
4089         }
4090
4091         nla_nest_end(msg, nl_reg_rules);
4092
4093         genlmsg_end(msg, hdr);
4094         err = genlmsg_reply(msg, info);
4095         goto out;
4096
4097 nla_put_failure:
4098         genlmsg_cancel(msg, hdr);
4099 put_failure:
4100         nlmsg_free(msg);
4101         err = -EMSGSIZE;
4102 out:
4103         mutex_unlock(&cfg80211_mutex);
4104         return err;
4105 }
4106
4107 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
4108 {
4109         struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
4110         struct nlattr *nl_reg_rule;
4111         char *alpha2 = NULL;
4112         int rem_reg_rules = 0, r = 0;
4113         u32 num_rules = 0, rule_idx = 0, size_of_regd;
4114         u8 dfs_region = 0;
4115         struct ieee80211_regdomain *rd = NULL;
4116
4117         if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
4118                 return -EINVAL;
4119
4120         if (!info->attrs[NL80211_ATTR_REG_RULES])
4121                 return -EINVAL;
4122
4123         alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
4124
4125         if (info->attrs[NL80211_ATTR_DFS_REGION])
4126                 dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
4127
4128         nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
4129                         rem_reg_rules) {
4130                 num_rules++;
4131                 if (num_rules > NL80211_MAX_SUPP_REG_RULES)
4132                         return -EINVAL;
4133         }
4134
4135         mutex_lock(&cfg80211_mutex);
4136
4137         if (!reg_is_valid_request(alpha2)) {
4138                 r = -EINVAL;
4139                 goto bad_reg;
4140         }
4141
4142         size_of_regd = sizeof(struct ieee80211_regdomain) +
4143                 (num_rules * sizeof(struct ieee80211_reg_rule));
4144
4145         rd = kzalloc(size_of_regd, GFP_KERNEL);
4146         if (!rd) {
4147                 r = -ENOMEM;
4148                 goto bad_reg;
4149         }
4150
4151         rd->n_reg_rules = num_rules;
4152         rd->alpha2[0] = alpha2[0];
4153         rd->alpha2[1] = alpha2[1];
4154
4155         /*
4156          * Disable DFS master mode if the DFS region was
4157          * not supported or known on this kernel.
4158          */
4159         if (reg_supported_dfs_region(dfs_region))
4160                 rd->dfs_region = dfs_region;
4161
4162         nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
4163                         rem_reg_rules) {
4164                 nla_parse(tb, NL80211_REG_RULE_ATTR_MAX,
4165                         nla_data(nl_reg_rule), nla_len(nl_reg_rule),
4166                         reg_rule_policy);
4167                 r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
4168                 if (r)
4169                         goto bad_reg;
4170
4171                 rule_idx++;
4172
4173                 if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
4174                         r = -EINVAL;
4175                         goto bad_reg;
4176                 }
4177         }
4178
4179         BUG_ON(rule_idx != num_rules);
4180
4181         r = set_regdom(rd);
4182
4183         mutex_unlock(&cfg80211_mutex);
4184
4185         return r;
4186
4187  bad_reg:
4188         mutex_unlock(&cfg80211_mutex);
4189         kfree(rd);
4190         return r;
4191 }
4192
4193 static int validate_scan_freqs(struct nlattr *freqs)
4194 {
4195         struct nlattr *attr1, *attr2;
4196         int n_channels = 0, tmp1, tmp2;
4197
4198         nla_for_each_nested(attr1, freqs, tmp1) {
4199                 n_channels++;
4200                 /*
4201                  * Some hardware has a limited channel list for
4202                  * scanning, and it is pretty much nonsensical
4203                  * to scan for a channel twice, so disallow that
4204                  * and don't require drivers to check that the
4205                  * channel list they get isn't longer than what
4206                  * they can scan, as long as they can scan all
4207                  * the channels they registered at once.
4208                  */
4209                 nla_for_each_nested(attr2, freqs, tmp2)
4210                         if (attr1 != attr2 &&
4211                             nla_get_u32(attr1) == nla_get_u32(attr2))
4212                                 return 0;
4213         }
4214
4215         return n_channels;
4216 }
4217
4218 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
4219 {
4220         struct cfg80211_registered_device *rdev = info->user_ptr[0];
4221         struct wireless_dev *wdev = info->user_ptr[1];
4222         struct cfg80211_scan_request *request;
4223         struct nlattr *attr;
4224         struct wiphy *wiphy;
4225         int err, tmp, n_ssids = 0, n_channels, i;
4226         size_t ie_len;
4227
4228         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
4229                 return -EINVAL;
4230
4231         wiphy = &rdev->wiphy;
4232
4233         if (!rdev->ops->scan)
4234                 return -EOPNOTSUPP;
4235
4236         if (rdev->scan_req)
4237                 return -EBUSY;
4238
4239         if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
4240                 n_channels = validate_scan_freqs(
4241                                 info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
4242                 if (!n_channels)
4243                         return -EINVAL;
4244         } else {
4245                 enum ieee80211_band band;
4246                 n_channels = 0;
4247
4248                 for (band = 0; band < IEEE80211_NUM_BANDS; band++)
4249                         if (wiphy->bands[band])
4250                                 n_channels += wiphy->bands[band]->n_channels;
4251         }
4252
4253         if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
4254                 nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
4255                         n_ssids++;
4256
4257         if (n_ssids > wiphy->max_scan_ssids)
4258                 return -EINVAL;
4259
4260         if (info->attrs[NL80211_ATTR_IE])
4261                 ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
4262         else
4263                 ie_len = 0;
4264
4265         if (ie_len > wiphy->max_scan_ie_len)
4266                 return -EINVAL;
4267
4268         request = kzalloc(sizeof(*request)
4269                         + sizeof(*request->ssids) * n_ssids
4270                         + sizeof(*request->channels) * n_channels
4271                         + ie_len, GFP_KERNEL);
4272         if (!request)
4273                 return -ENOMEM;
4274
4275         if (n_ssids)
4276                 request->ssids = (void *)&request->channels[n_channels];
4277         request->n_ssids = n_ssids;
4278         if (ie_len) {
4279                 if (request->ssids)
4280                         request->ie = (void *)(request->ssids + n_ssids);
4281                 else
4282                         request->ie = (void *)(request->channels + n_channels);
4283         }
4284
4285         i = 0;
4286         if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
4287                 /* user specified, bail out if channel not found */
4288                 nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_FREQUENCIES], tmp) {
4289                         struct ieee80211_channel *chan;
4290
4291                         chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
4292
4293                         if (!chan) {
4294                                 err = -EINVAL;
4295                                 goto out_free;
4296                         }
4297
4298                         /* ignore disabled channels */
4299                         if (chan->flags & IEEE80211_CHAN_DISABLED)
4300                                 continue;
4301
4302                         request->channels[i] = chan;
4303                         i++;
4304                 }
4305         } else {
4306                 enum ieee80211_band band;
4307
4308                 /* all channels */
4309                 for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
4310                         int j;
4311                         if (!wiphy->bands[band])
4312                                 continue;
4313                         for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
4314                                 struct ieee80211_channel *chan;
4315
4316                                 chan = &wiphy->bands[band]->channels[j];
4317
4318                                 if (chan->flags & IEEE80211_CHAN_DISABLED)
4319                                         continue;
4320
4321                                 request->channels[i] = chan;
4322                                 i++;
4323                         }
4324                 }
4325         }
4326
4327         if (!i) {
4328                 err = -EINVAL;
4329                 goto out_free;
4330         }
4331
4332         request->n_channels = i;
4333
4334         i = 0;
4335         if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
4336                 nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
4337                         if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
4338                                 err = -EINVAL;
4339                                 goto out_free;
4340                         }
4341                         request->ssids[i].ssid_len = nla_len(attr);
4342                         memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
4343                         i++;
4344                 }
4345         }
4346
4347         if (info->attrs[NL80211_ATTR_IE]) {
4348                 request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
4349                 memcpy((void *)request->ie,
4350                        nla_data(info->attrs[NL80211_ATTR_IE]),
4351                        request->ie_len);
4352         }
4353
4354         for (i = 0; i < IEEE80211_NUM_BANDS; i++)
4355                 if (wiphy->bands[i])
4356                         request->rates[i] =
4357                                 (1 << wiphy->bands[i]->n_bitrates) - 1;
4358
4359         if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
4360                 nla_for_each_nested(attr,
4361                                     info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
4362                                     tmp) {
4363                         enum ieee80211_band band = nla_type(attr);
4364
4365                         if (band < 0 || band >= IEEE80211_NUM_BANDS) {
4366                                 err = -EINVAL;
4367                                 goto out_free;
4368                         }
4369                         err = ieee80211_get_ratemask(wiphy->bands[band],
4370                                                      nla_data(attr),
4371                                                      nla_len(attr),
4372                                                      &request->rates[band]);
4373                         if (err)
4374                                 goto out_free;
4375                 }
4376         }
4377
4378         if (info->attrs[NL80211_ATTR_SCAN_FLAGS]) {
4379                 request->flags = nla_get_u32(
4380                         info->attrs[NL80211_ATTR_SCAN_FLAGS]);
4381                 if (((request->flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
4382                      !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
4383                     ((request->flags & NL80211_SCAN_FLAG_FLUSH) &&
4384                      !(wiphy->features & NL80211_FEATURE_SCAN_FLUSH))) {
4385                         err = -EOPNOTSUPP;
4386                         goto out_free;
4387                 }
4388         }
4389
4390         request->no_cck =
4391                 nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
4392
4393         request->wdev = wdev;
4394         request->wiphy = &rdev->wiphy;
4395         request->scan_start = jiffies;
4396
4397         rdev->scan_req = request;
4398         err = rdev_scan(rdev, request);
4399
4400         if (!err) {
4401                 nl80211_send_scan_start(rdev, wdev);
4402                 if (wdev->netdev)
4403                         dev_hold(wdev->netdev);
4404         } else {
4405  out_free:
4406                 rdev->scan_req = NULL;
4407                 kfree(request);
4408         }
4409
4410         return err;
4411 }
4412
4413 static int nl80211_start_sched_scan(struct sk_buff *skb,
4414                                     struct genl_info *info)
4415 {
4416         struct cfg80211_sched_scan_request *request;
4417         struct cfg80211_registered_device *rdev = info->user_ptr[0];
4418         struct net_device *dev = info->user_ptr[1];
4419         struct nlattr *attr;
4420         struct wiphy *wiphy;
4421         int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i;
4422         u32 interval;
4423         enum ieee80211_band band;
4424         size_t ie_len;
4425         struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
4426
4427         if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) ||
4428             !rdev->ops->sched_scan_start)
4429                 return -EOPNOTSUPP;
4430
4431         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
4432                 return -EINVAL;
4433
4434         if (!info->attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
4435                 return -EINVAL;
4436
4437         interval = nla_get_u32(info->attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
4438         if (interval == 0)
4439                 return -EINVAL;
4440
4441         wiphy = &rdev->wiphy;
4442
4443         if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
4444                 n_channels = validate_scan_freqs(
4445                                 info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
4446                 if (!n_channels)
4447                         return -EINVAL;
4448         } else {
4449                 n_channels = 0;
4450
4451                 for (band = 0; band < IEEE80211_NUM_BANDS; band++)
4452                         if (wiphy->bands[band])
4453                                 n_channels += wiphy->bands[band]->n_channels;
4454         }
4455
4456         if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
4457                 nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS],
4458                                     tmp)
4459                         n_ssids++;
4460
4461         if (n_ssids > wiphy->max_sched_scan_ssids)
4462                 return -EINVAL;
4463
4464         if (info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH])
4465                 nla_for_each_nested(attr,
4466                                     info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
4467                                     tmp)
4468                         n_match_sets++;
4469
4470         if (n_match_sets > wiphy->max_match_sets)
4471                 return -EINVAL;
4472
4473         if (info->attrs[NL80211_ATTR_IE])
4474                 ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
4475         else
4476                 ie_len = 0;
4477
4478         if (ie_len > wiphy->max_sched_scan_ie_len)
4479                 return -EINVAL;
4480
4481         mutex_lock(&rdev->sched_scan_mtx);
4482
4483         if (rdev->sched_scan_req) {
4484                 err = -EINPROGRESS;
4485                 goto out;
4486         }
4487
4488         request = kzalloc(sizeof(*request)
4489                         + sizeof(*request->ssids) * n_ssids
4490                         + sizeof(*request->match_sets) * n_match_sets
4491                         + sizeof(*request->channels) * n_channels
4492                         + ie_len, GFP_KERNEL);
4493         if (!request) {
4494                 err = -ENOMEM;
4495                 goto out;
4496         }
4497
4498         if (n_ssids)
4499                 request->ssids = (void *)&request->channels[n_channels];
4500         request->n_ssids = n_ssids;
4501         if (ie_len) {
4502                 if (request->ssids)
4503                         request->ie = (void *)(request->ssids + n_ssids);
4504                 else
4505                         request->ie = (void *)(request->channels + n_channels);
4506         }
4507
4508         if (n_match_sets) {
4509                 if (request->ie)
4510                         request->match_sets = (void *)(request->ie + ie_len);
4511                 else if (request->ssids)
4512                         request->match_sets =
4513                                 (void *)(request->ssids + n_ssids);
4514                 else
4515                         request->match_sets =
4516                                 (void *)(request->channels + n_channels);
4517         }
4518         request->n_match_sets = n_match_sets;
4519
4520         i = 0;
4521         if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
4522                 /* user specified, bail out if channel not found */
4523                 nla_for_each_nested(attr,
4524                                     info->attrs[NL80211_ATTR_SCAN_FREQUENCIES],
4525                                     tmp) {
4526                         struct ieee80211_channel *chan;
4527
4528                         chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
4529
4530                         if (!chan) {
4531                                 err = -EINVAL;
4532                                 goto out_free;
4533                         }
4534
4535                         /* ignore disabled channels */
4536                         if (chan->flags & IEEE80211_CHAN_DISABLED)
4537                                 continue;
4538
4539                         request->channels[i] = chan;
4540                         i++;
4541                 }
4542         } else {
4543                 /* all channels */
4544                 for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
4545                         int j;
4546                         if (!wiphy->bands[band])
4547                                 continue;
4548                         for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
4549                                 struct ieee80211_channel *chan;
4550
4551                                 chan = &wiphy->bands[band]->channels[j];
4552
4553                                 if (chan->flags & IEEE80211_CHAN_DISABLED)
4554                                         continue;
4555
4556                                 request->channels[i] = chan;
4557                                 i++;
4558                         }
4559                 }
4560         }
4561
4562         if (!i) {
4563                 err = -EINVAL;
4564                 goto out_free;
4565         }
4566
4567         request->n_channels = i;
4568
4569         i = 0;
4570         if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
4571                 nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS],
4572                                     tmp) {
4573                         if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
4574                                 err = -EINVAL;
4575                                 goto out_free;
4576                         }
4577                         request->ssids[i].ssid_len = nla_len(attr);
4578                         memcpy(request->ssids[i].ssid, nla_data(attr),
4579                                nla_len(attr));
4580                         i++;
4581                 }
4582         }
4583
4584         i = 0;
4585         if (info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
4586                 nla_for_each_nested(attr,
4587                                     info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
4588                                     tmp) {
4589                         struct nlattr *ssid, *rssi;
4590
4591                         nla_parse(tb, NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
4592                                   nla_data(attr), nla_len(attr),
4593                                   nl80211_match_policy);
4594                         ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
4595                         if (ssid) {
4596                                 if (nla_len(ssid) > IEEE80211_MAX_SSID_LEN) {
4597                                         err = -EINVAL;
4598                                         goto out_free;
4599                                 }
4600                                 memcpy(request->match_sets[i].ssid.ssid,
4601                                        nla_data(ssid), nla_len(ssid));
4602                                 request->match_sets[i].ssid.ssid_len =
4603                                         nla_len(ssid);
4604                         }
4605                         rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
4606                         if (rssi)
4607                                 request->rssi_thold = nla_get_u32(rssi);
4608                         else
4609                                 request->rssi_thold =
4610                                                    NL80211_SCAN_RSSI_THOLD_OFF;
4611                         i++;
4612                 }
4613         }
4614
4615         if (info->attrs[NL80211_ATTR_IE]) {
4616                 request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
4617                 memcpy((void *)request->ie,
4618                        nla_data(info->attrs[NL80211_ATTR_IE]),
4619                        request->ie_len);
4620         }
4621
4622         if (info->attrs[NL80211_ATTR_SCAN_FLAGS]) {
4623                 request->flags = nla_get_u32(
4624                         info->attrs[NL80211_ATTR_SCAN_FLAGS]);
4625                 if (((request->flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
4626                      !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
4627                     ((request->flags & NL80211_SCAN_FLAG_FLUSH) &&
4628                      !(wiphy->features & NL80211_FEATURE_SCAN_FLUSH))) {
4629                         err = -EOPNOTSUPP;
4630                         goto out_free;
4631                 }
4632         }
4633
4634         request->dev = dev;
4635         request->wiphy = &rdev->wiphy;
4636         request->interval = interval;
4637         request->scan_start = jiffies;
4638
4639         err = rdev_sched_scan_start(rdev, dev, request);
4640         if (!err) {
4641                 rdev->sched_scan_req = request;
4642                 nl80211_send_sched_scan(rdev, dev,
4643                                         NL80211_CMD_START_SCHED_SCAN);
4644                 goto out;
4645         }
4646
4647 out_free:
4648         kfree(request);
4649 out:
4650         mutex_unlock(&rdev->sched_scan_mtx);
4651         return err;
4652 }
4653
4654 static int nl80211_stop_sched_scan(struct sk_buff *skb,
4655                                    struct genl_info *info)
4656 {
4657         struct cfg80211_registered_device *rdev = info->user_ptr[0];
4658         int err;
4659
4660         if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) ||
4661             !rdev->ops->sched_scan_stop)
4662                 return -EOPNOTSUPP;
4663
4664         mutex_lock(&rdev->sched_scan_mtx);
4665         err = __cfg80211_stop_sched_scan(rdev, false);
4666         mutex_unlock(&rdev->sched_scan_mtx);
4667
4668         return err;
4669 }
4670
4671 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
4672                             u32 seq, int flags,
4673                             struct cfg80211_registered_device *rdev,
4674                             struct wireless_dev *wdev,
4675                             struct cfg80211_internal_bss *intbss)
4676 {
4677         struct cfg80211_bss *res = &intbss->pub;
4678         void *hdr;
4679         struct nlattr *bss;
4680
4681         ASSERT_WDEV_LOCK(wdev);
4682
4683         hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
4684                              NL80211_CMD_NEW_SCAN_RESULTS);
4685         if (!hdr)
4686                 return -1;
4687
4688         genl_dump_check_consistent(cb, hdr, &nl80211_fam);
4689
4690         if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation) ||
4691             nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
4692                 goto nla_put_failure;
4693
4694         bss = nla_nest_start(msg, NL80211_ATTR_BSS);
4695         if (!bss)
4696                 goto nla_put_failure;
4697         if ((!is_zero_ether_addr(res->bssid) &&
4698              nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)) ||
4699             (res->information_elements && res->len_information_elements &&
4700              nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
4701                      res->len_information_elements,
4702                      res->information_elements)) ||
4703             (res->beacon_ies && res->len_beacon_ies &&
4704              res->beacon_ies != res->information_elements &&
4705              nla_put(msg, NL80211_BSS_BEACON_IES,
4706                      res->len_beacon_ies, res->beacon_ies)))
4707                 goto nla_put_failure;
4708         if (res->tsf &&
4709             nla_put_u64(msg, NL80211_BSS_TSF, res->tsf))
4710                 goto nla_put_failure;
4711         if (res->beacon_interval &&
4712             nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
4713                 goto nla_put_failure;
4714         if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
4715             nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
4716             nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
4717                         jiffies_to_msecs(jiffies - intbss->ts)))
4718                 goto nla_put_failure;
4719
4720         switch (rdev->wiphy.signal_type) {
4721         case CFG80211_SIGNAL_TYPE_MBM:
4722                 if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
4723                         goto nla_put_failure;
4724                 break;
4725         case CFG80211_SIGNAL_TYPE_UNSPEC:
4726                 if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
4727                         goto nla_put_failure;
4728                 break;
4729         default:
4730                 break;
4731         }
4732
4733         switch (wdev->iftype) {
4734         case NL80211_IFTYPE_P2P_CLIENT:
4735         case NL80211_IFTYPE_STATION:
4736                 if (intbss == wdev->current_bss &&
4737                     nla_put_u32(msg, NL80211_BSS_STATUS,
4738                                 NL80211_BSS_STATUS_ASSOCIATED))
4739                         goto nla_put_failure;
4740                 break;
4741         case NL80211_IFTYPE_ADHOC:
4742                 if (intbss == wdev->current_bss &&
4743                     nla_put_u32(msg, NL80211_BSS_STATUS,
4744                                 NL80211_BSS_STATUS_IBSS_JOINED))
4745                         goto nla_put_failure;
4746                 break;
4747         default:
4748                 break;
4749         }
4750
4751         nla_nest_end(msg, bss);
4752
4753         return genlmsg_end(msg, hdr);
4754
4755  nla_put_failure:
4756         genlmsg_cancel(msg, hdr);
4757         return -EMSGSIZE;
4758 }
4759
4760 static int nl80211_dump_scan(struct sk_buff *skb,
4761                              struct netlink_callback *cb)
4762 {
4763         struct cfg80211_registered_device *rdev;
4764         struct net_device *dev;
4765         struct cfg80211_internal_bss *scan;
4766         struct wireless_dev *wdev;
4767         int start = cb->args[1], idx = 0;
4768         int err;
4769
4770         err = nl80211_prepare_netdev_dump(skb, cb, &rdev, &dev);
4771         if (err)
4772                 return err;
4773
4774         wdev = dev->ieee80211_ptr;
4775
4776         wdev_lock(wdev);
4777         spin_lock_bh(&rdev->bss_lock);
4778         cfg80211_bss_expire(rdev);
4779
4780         cb->seq = rdev->bss_generation;
4781
4782         list_for_each_entry(scan, &rdev->bss_list, list) {
4783                 if (++idx <= start)
4784                         continue;
4785                 if (nl80211_send_bss(skb, cb,
4786                                 cb->nlh->nlmsg_seq, NLM_F_MULTI,
4787                                 rdev, wdev, scan) < 0) {
4788                         idx--;
4789                         break;
4790                 }
4791         }
4792
4793         spin_unlock_bh(&rdev->bss_lock);
4794         wdev_unlock(wdev);
4795
4796         cb->args[1] = idx;
4797         nl80211_finish_netdev_dump(rdev);
4798
4799         return skb->len;
4800 }
4801
4802 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
4803                                 int flags, struct net_device *dev,
4804                                 struct survey_info *survey)
4805 {
4806         void *hdr;
4807         struct nlattr *infoattr;
4808
4809         hdr = nl80211hdr_put(msg, portid, seq, flags,
4810                              NL80211_CMD_NEW_SURVEY_RESULTS);
4811         if (!hdr)
4812                 return -ENOMEM;
4813
4814         if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
4815                 goto nla_put_failure;
4816
4817         infoattr = nla_nest_start(msg, NL80211_ATTR_SURVEY_INFO);
4818         if (!infoattr)
4819                 goto nla_put_failure;
4820
4821         if (nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
4822                         survey->channel->center_freq))
4823                 goto nla_put_failure;
4824
4825         if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
4826             nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
4827                 goto nla_put_failure;
4828         if ((survey->filled & SURVEY_INFO_IN_USE) &&
4829             nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
4830                 goto nla_put_failure;
4831         if ((survey->filled & SURVEY_INFO_CHANNEL_TIME) &&
4832             nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME,
4833                         survey->channel_time))
4834                 goto nla_put_failure;
4835         if ((survey->filled & SURVEY_INFO_CHANNEL_TIME_BUSY) &&
4836             nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_BUSY,
4837                         survey->channel_time_busy))
4838                 goto nla_put_failure;
4839         if ((survey->filled & SURVEY_INFO_CHANNEL_TIME_EXT_BUSY) &&
4840             nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_EXT_BUSY,
4841                         survey->channel_time_ext_busy))
4842                 goto nla_put_failure;
4843         if ((survey->filled & SURVEY_INFO_CHANNEL_TIME_RX) &&
4844             nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_RX,
4845                         survey->channel_time_rx))
4846                 goto nla_put_failure;
4847         if ((survey->filled & SURVEY_INFO_CHANNEL_TIME_TX) &&
4848             nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_TX,
4849                         survey->channel_time_tx))
4850                 goto nla_put_failure;
4851
4852         nla_nest_end(msg, infoattr);
4853
4854         return genlmsg_end(msg, hdr);
4855
4856  nla_put_failure:
4857         genlmsg_cancel(msg, hdr);
4858         return -EMSGSIZE;
4859 }
4860
4861 static int nl80211_dump_survey(struct sk_buff *skb,
4862                         struct netlink_callback *cb)
4863 {
4864         struct survey_info survey;
4865         struct cfg80211_registered_device *dev;
4866         struct net_device *netdev;
4867         int survey_idx = cb->args[1];
4868         int res;
4869
4870         res = nl80211_prepare_netdev_dump(skb, cb, &dev, &netdev);
4871         if (res)
4872                 return res;
4873
4874         if (!dev->ops->dump_survey) {
4875                 res = -EOPNOTSUPP;
4876                 goto out_err;
4877         }
4878
4879         while (1) {
4880                 struct ieee80211_channel *chan;
4881
4882                 res = rdev_dump_survey(dev, netdev, survey_idx, &survey);
4883                 if (res == -ENOENT)
4884                         break;
4885                 if (res)
4886                         goto out_err;
4887
4888                 /* Survey without a channel doesn't make sense */
4889                 if (!survey.channel) {
4890                         res = -EINVAL;
4891                         goto out;
4892                 }
4893
4894                 chan = ieee80211_get_channel(&dev->wiphy,
4895                                              survey.channel->center_freq);
4896                 if (!chan || chan->flags & IEEE80211_CHAN_DISABLED) {
4897                         survey_idx++;
4898                         continue;
4899                 }
4900
4901                 if (nl80211_send_survey(skb,
4902                                 NETLINK_CB(cb->skb).portid,
4903                                 cb->nlh->nlmsg_seq, NLM_F_MULTI,
4904                                 netdev,
4905                                 &survey) < 0)
4906                         goto out;
4907                 survey_idx++;
4908         }
4909
4910  out:
4911         cb->args[1] = survey_idx;
4912         res = skb->len;
4913  out_err:
4914         nl80211_finish_netdev_dump(dev);
4915         return res;
4916 }
4917
4918 static bool nl80211_valid_wpa_versions(u32 wpa_versions)
4919 {
4920         return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
4921                                   NL80211_WPA_VERSION_2));
4922 }
4923
4924 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
4925 {
4926         struct cfg80211_registered_device *rdev = info->user_ptr[0];
4927         struct net_device *dev = info->user_ptr[1];
4928         struct ieee80211_channel *chan;
4929         const u8 *bssid, *ssid, *ie = NULL, *sae_data = NULL;
4930         int err, ssid_len, ie_len = 0, sae_data_len = 0;
4931         enum nl80211_auth_type auth_type;
4932         struct key_parse key;
4933         bool local_state_change;
4934
4935         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
4936                 return -EINVAL;
4937
4938         if (!info->attrs[NL80211_ATTR_MAC])
4939                 return -EINVAL;
4940
4941         if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
4942                 return -EINVAL;
4943
4944         if (!info->attrs[NL80211_ATTR_SSID])
4945                 return -EINVAL;
4946
4947         if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
4948                 return -EINVAL;
4949
4950         err = nl80211_parse_key(info, &key);
4951         if (err)
4952                 return err;
4953
4954         if (key.idx >= 0) {
4955                 if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
4956                         return -EINVAL;
4957                 if (!key.p.key || !key.p.key_len)
4958                         return -EINVAL;
4959                 if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
4960                      key.p.key_len != WLAN_KEY_LEN_WEP40) &&
4961                     (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
4962                      key.p.key_len != WLAN_KEY_LEN_WEP104))
4963                         return -EINVAL;
4964                 if (key.idx > 4)
4965                         return -EINVAL;
4966         } else {
4967                 key.p.key_len = 0;
4968                 key.p.key = NULL;
4969         }
4970
4971         if (key.idx >= 0) {
4972                 int i;
4973                 bool ok = false;
4974                 for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
4975                         if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
4976                                 ok = true;
4977                                 break;
4978                         }
4979                 }
4980                 if (!ok)
4981                         return -EINVAL;
4982         }
4983
4984         if (!rdev->ops->auth)
4985                 return -EOPNOTSUPP;
4986
4987         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
4988             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
4989                 return -EOPNOTSUPP;
4990
4991         bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
4992         chan = ieee80211_get_channel(&rdev->wiphy,
4993                 nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
4994         if (!chan || (chan->flags & IEEE80211_CHAN_DISABLED))
4995                 return -EINVAL;
4996
4997         ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
4998         ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
4999
5000         if (info->attrs[NL80211_ATTR_IE]) {
5001                 ie = nla_data(info->attrs[NL80211_ATTR_IE]);
5002                 ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5003         }
5004
5005         auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
5006         if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
5007                 return -EINVAL;
5008
5009         if (auth_type == NL80211_AUTHTYPE_SAE &&
5010             !info->attrs[NL80211_ATTR_SAE_DATA])
5011                 return -EINVAL;
5012
5013         if (info->attrs[NL80211_ATTR_SAE_DATA]) {
5014                 if (auth_type != NL80211_AUTHTYPE_SAE)
5015                         return -EINVAL;
5016                 sae_data = nla_data(info->attrs[NL80211_ATTR_SAE_DATA]);
5017                 sae_data_len = nla_len(info->attrs[NL80211_ATTR_SAE_DATA]);
5018                 /* need to include at least Auth Transaction and Status Code */
5019                 if (sae_data_len < 4)
5020                         return -EINVAL;
5021         }
5022
5023         local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
5024
5025         /*
5026          * Since we no longer track auth state, ignore
5027          * requests to only change local state.
5028          */
5029         if (local_state_change)
5030                 return 0;
5031
5032         return cfg80211_mlme_auth(rdev, dev, chan, auth_type, bssid,
5033                                   ssid, ssid_len, ie, ie_len,
5034                                   key.p.key, key.p.key_len, key.idx,
5035                                   sae_data, sae_data_len);
5036 }
5037
5038 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
5039                                    struct genl_info *info,
5040                                    struct cfg80211_crypto_settings *settings,
5041                                    int cipher_limit)
5042 {
5043         memset(settings, 0, sizeof(*settings));
5044
5045         settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
5046
5047         if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
5048                 u16 proto;
5049                 proto = nla_get_u16(
5050                         info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
5051                 settings->control_port_ethertype = cpu_to_be16(proto);
5052                 if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
5053                     proto != ETH_P_PAE)
5054                         return -EINVAL;
5055                 if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
5056                         settings->control_port_no_encrypt = true;
5057         } else
5058                 settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
5059
5060         if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
5061                 void *data;
5062                 int len, i;
5063
5064                 data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
5065                 len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
5066                 settings->n_ciphers_pairwise = len / sizeof(u32);
5067
5068                 if (len % sizeof(u32))
5069                         return -EINVAL;
5070
5071                 if (settings->n_ciphers_pairwise > cipher_limit)
5072                         return -EINVAL;
5073
5074                 memcpy(settings->ciphers_pairwise, data, len);
5075
5076                 for (i = 0; i < settings->n_ciphers_pairwise; i++)
5077                         if (!cfg80211_supported_cipher_suite(
5078                                         &rdev->wiphy,
5079                                         settings->ciphers_pairwise[i]))
5080                                 return -EINVAL;
5081         }
5082
5083         if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
5084                 settings->cipher_group =
5085                         nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
5086                 if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
5087                                                      settings->cipher_group))
5088                         return -EINVAL;
5089         }
5090
5091         if (info->attrs[NL80211_ATTR_WPA_VERSIONS]) {
5092                 settings->wpa_versions =
5093                         nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
5094                 if (!nl80211_valid_wpa_versions(settings->wpa_versions))
5095                         return -EINVAL;
5096         }
5097
5098         if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
5099                 void *data;
5100                 int len;
5101
5102                 data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
5103                 len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
5104                 settings->n_akm_suites = len / sizeof(u32);
5105
5106                 if (len % sizeof(u32))
5107                         return -EINVAL;
5108
5109                 if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES)
5110                         return -EINVAL;
5111
5112                 memcpy(settings->akm_suites, data, len);
5113         }
5114
5115         return 0;
5116 }
5117
5118 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
5119 {
5120         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5121         struct net_device *dev = info->user_ptr[1];
5122         struct cfg80211_crypto_settings crypto;
5123         struct ieee80211_channel *chan;
5124         const u8 *bssid, *ssid, *ie = NULL, *prev_bssid = NULL;
5125         int err, ssid_len, ie_len = 0;
5126         bool use_mfp = false;
5127         u32 flags = 0;
5128         struct ieee80211_ht_cap *ht_capa = NULL;
5129         struct ieee80211_ht_cap *ht_capa_mask = NULL;
5130
5131         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
5132                 return -EINVAL;
5133
5134         if (!info->attrs[NL80211_ATTR_MAC] ||
5135             !info->attrs[NL80211_ATTR_SSID] ||
5136             !info->attrs[NL80211_ATTR_WIPHY_FREQ])
5137                 return -EINVAL;
5138
5139         if (!rdev->ops->assoc)
5140                 return -EOPNOTSUPP;
5141
5142         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
5143             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
5144                 return -EOPNOTSUPP;
5145
5146         bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
5147
5148         chan = ieee80211_get_channel(&rdev->wiphy,
5149                 nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
5150         if (!chan || (chan->flags & IEEE80211_CHAN_DISABLED))
5151                 return -EINVAL;
5152
5153         ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
5154         ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
5155
5156         if (info->attrs[NL80211_ATTR_IE]) {
5157                 ie = nla_data(info->attrs[NL80211_ATTR_IE]);
5158                 ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5159         }
5160
5161         if (info->attrs[NL80211_ATTR_USE_MFP]) {
5162                 enum nl80211_mfp mfp =
5163                         nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
5164                 if (mfp == NL80211_MFP_REQUIRED)
5165                         use_mfp = true;
5166                 else if (mfp != NL80211_MFP_NO)
5167                         return -EINVAL;
5168         }
5169
5170         if (info->attrs[NL80211_ATTR_PREV_BSSID])
5171                 prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
5172
5173         if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
5174                 flags |= ASSOC_REQ_DISABLE_HT;
5175
5176         if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
5177                 ht_capa_mask =
5178                         nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]);
5179
5180         if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
5181                 if (!ht_capa_mask)
5182                         return -EINVAL;
5183                 ht_capa = nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
5184         }
5185
5186         err = nl80211_crypto_settings(rdev, info, &crypto, 1);
5187         if (!err)
5188                 err = cfg80211_mlme_assoc(rdev, dev, chan, bssid, prev_bssid,
5189                                           ssid, ssid_len, ie, ie_len, use_mfp,
5190                                           &crypto, flags, ht_capa,
5191                                           ht_capa_mask);
5192
5193         return err;
5194 }
5195
5196 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
5197 {
5198         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5199         struct net_device *dev = info->user_ptr[1];
5200         const u8 *ie = NULL, *bssid;
5201         int ie_len = 0;
5202         u16 reason_code;
5203         bool local_state_change;
5204
5205         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
5206                 return -EINVAL;
5207
5208         if (!info->attrs[NL80211_ATTR_MAC])
5209                 return -EINVAL;
5210
5211         if (!info->attrs[NL80211_ATTR_REASON_CODE])
5212                 return -EINVAL;
5213
5214         if (!rdev->ops->deauth)
5215                 return -EOPNOTSUPP;
5216
5217         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
5218             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
5219                 return -EOPNOTSUPP;
5220
5221         bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
5222
5223         reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
5224         if (reason_code == 0) {
5225                 /* Reason Code 0 is reserved */
5226                 return -EINVAL;
5227         }
5228
5229         if (info->attrs[NL80211_ATTR_IE]) {
5230                 ie = nla_data(info->attrs[NL80211_ATTR_IE]);
5231                 ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5232         }
5233
5234         local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
5235
5236         return cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
5237                                     local_state_change);
5238 }
5239
5240 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
5241 {
5242         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5243         struct net_device *dev = info->user_ptr[1];
5244         const u8 *ie = NULL, *bssid;
5245         int ie_len = 0;
5246         u16 reason_code;
5247         bool local_state_change;
5248
5249         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
5250                 return -EINVAL;
5251
5252         if (!info->attrs[NL80211_ATTR_MAC])
5253                 return -EINVAL;
5254
5255         if (!info->attrs[NL80211_ATTR_REASON_CODE])
5256                 return -EINVAL;
5257
5258         if (!rdev->ops->disassoc)
5259                 return -EOPNOTSUPP;
5260
5261         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
5262             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
5263                 return -EOPNOTSUPP;
5264
5265         bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
5266
5267         reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
5268         if (reason_code == 0) {
5269                 /* Reason Code 0 is reserved */
5270                 return -EINVAL;
5271         }
5272
5273         if (info->attrs[NL80211_ATTR_IE]) {
5274                 ie = nla_data(info->attrs[NL80211_ATTR_IE]);
5275                 ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5276         }
5277
5278         local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
5279
5280         return cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
5281                                       local_state_change);
5282 }
5283
5284 static bool
5285 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
5286                          int mcast_rate[IEEE80211_NUM_BANDS],
5287                          int rateval)
5288 {
5289         struct wiphy *wiphy = &rdev->wiphy;
5290         bool found = false;
5291         int band, i;
5292
5293         for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
5294                 struct ieee80211_supported_band *sband;
5295
5296                 sband = wiphy->bands[band];
5297                 if (!sband)
5298                         continue;
5299
5300                 for (i = 0; i < sband->n_bitrates; i++) {
5301                         if (sband->bitrates[i].bitrate == rateval) {
5302                                 mcast_rate[band] = i + 1;
5303                                 found = true;
5304                                 break;
5305                         }
5306                 }
5307         }
5308
5309         return found;
5310 }
5311
5312 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
5313 {
5314         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5315         struct net_device *dev = info->user_ptr[1];
5316         struct cfg80211_ibss_params ibss;
5317         struct wiphy *wiphy;
5318         struct cfg80211_cached_keys *connkeys = NULL;
5319         int err;
5320
5321         memset(&ibss, 0, sizeof(ibss));
5322
5323         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
5324                 return -EINVAL;
5325
5326         if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
5327             !info->attrs[NL80211_ATTR_SSID] ||
5328             !nla_len(info->attrs[NL80211_ATTR_SSID]))
5329                 return -EINVAL;
5330
5331         ibss.beacon_interval = 100;
5332
5333         if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
5334                 ibss.beacon_interval =
5335                         nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
5336                 if (ibss.beacon_interval < 1 || ibss.beacon_interval > 10000)
5337                         return -EINVAL;
5338         }
5339
5340         if (!rdev->ops->join_ibss)
5341                 return -EOPNOTSUPP;
5342
5343         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
5344                 return -EOPNOTSUPP;
5345
5346         wiphy = &rdev->wiphy;
5347
5348         if (info->attrs[NL80211_ATTR_MAC]) {
5349                 ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
5350
5351                 if (!is_valid_ether_addr(ibss.bssid))
5352                         return -EINVAL;
5353         }
5354         ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
5355         ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
5356
5357         if (info->attrs[NL80211_ATTR_IE]) {
5358                 ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
5359                 ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5360         }
5361
5362         if (info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
5363                 enum nl80211_channel_type channel_type;
5364
5365                 if (!nl80211_valid_channel_type(info, &channel_type))
5366                         return -EINVAL;
5367
5368                 if (channel_type != NL80211_CHAN_NO_HT &&
5369                     !(wiphy->features & NL80211_FEATURE_HT_IBSS))
5370                         return -EINVAL;
5371
5372                 ibss.channel_type = channel_type;
5373         } else {
5374                 ibss.channel_type = NL80211_CHAN_NO_HT;
5375         }
5376
5377         ibss.channel = rdev_freq_to_chan(rdev,
5378                 nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]),
5379                 ibss.channel_type);
5380         if (!ibss.channel ||
5381             ibss.channel->flags & IEEE80211_CHAN_NO_IBSS ||
5382             ibss.channel->flags & IEEE80211_CHAN_DISABLED)
5383                 return -EINVAL;
5384
5385         /* Both channels should be able to initiate communication */
5386         if ((ibss.channel_type == NL80211_CHAN_HT40PLUS ||
5387              ibss.channel_type == NL80211_CHAN_HT40MINUS) &&
5388             !cfg80211_can_beacon_sec_chan(&rdev->wiphy, ibss.channel,
5389                                           ibss.channel_type))
5390                 return -EINVAL;
5391
5392         ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
5393         ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
5394
5395         if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
5396                 u8 *rates =
5397                         nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
5398                 int n_rates =
5399                         nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
5400                 struct ieee80211_supported_band *sband =
5401                         wiphy->bands[ibss.channel->band];
5402
5403                 err = ieee80211_get_ratemask(sband, rates, n_rates,
5404                                              &ibss.basic_rates);
5405                 if (err)
5406                         return err;
5407         }
5408
5409         if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
5410             !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
5411                         nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
5412                 return -EINVAL;
5413
5414         if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
5415                 bool no_ht = false;
5416
5417                 connkeys = nl80211_parse_connkeys(rdev,
5418                                           info->attrs[NL80211_ATTR_KEYS],
5419                                           &no_ht);
5420                 if (IS_ERR(connkeys))
5421                         return PTR_ERR(connkeys);
5422
5423                 if ((ibss.channel_type != NL80211_CHAN_NO_HT) && no_ht) {
5424                         kfree(connkeys);
5425                         return -EINVAL;
5426                 }
5427         }
5428
5429         ibss.control_port =
5430                 nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
5431
5432         err = cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
5433         if (err)
5434                 kfree(connkeys);
5435         return err;
5436 }
5437
5438 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
5439 {
5440         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5441         struct net_device *dev = info->user_ptr[1];
5442
5443         if (!rdev->ops->leave_ibss)
5444                 return -EOPNOTSUPP;
5445
5446         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
5447                 return -EOPNOTSUPP;
5448
5449         return cfg80211_leave_ibss(rdev, dev, false);
5450 }
5451
5452 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
5453 {
5454         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5455         struct net_device *dev = info->user_ptr[1];
5456         int mcast_rate[IEEE80211_NUM_BANDS];
5457         u32 nla_rate;
5458         int err;
5459
5460         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
5461             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
5462                 return -EOPNOTSUPP;
5463
5464         if (!rdev->ops->set_mcast_rate)
5465                 return -EOPNOTSUPP;
5466
5467         memset(mcast_rate, 0, sizeof(mcast_rate));
5468
5469         if (!info->attrs[NL80211_ATTR_MCAST_RATE])
5470                 return -EINVAL;
5471
5472         nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
5473         if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
5474                 return -EINVAL;
5475
5476         err = rdev->ops->set_mcast_rate(&rdev->wiphy, dev, mcast_rate);
5477
5478         return err;
5479 }
5480
5481
5482 #ifdef CONFIG_NL80211_TESTMODE
5483 static struct genl_multicast_group nl80211_testmode_mcgrp = {
5484         .name = "testmode",
5485 };
5486
5487 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
5488 {
5489         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5490         int err;
5491
5492         if (!info->attrs[NL80211_ATTR_TESTDATA])
5493                 return -EINVAL;
5494
5495         err = -EOPNOTSUPP;
5496         if (rdev->ops->testmode_cmd) {
5497                 rdev->testmode_info = info;
5498                 err = rdev_testmode_cmd(rdev,
5499                                 nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
5500                                 nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
5501                 rdev->testmode_info = NULL;
5502         }
5503
5504         return err;
5505 }
5506
5507 static int nl80211_testmode_dump(struct sk_buff *skb,
5508                                  struct netlink_callback *cb)
5509 {
5510         struct cfg80211_registered_device *rdev;
5511         int err;
5512         long phy_idx;
5513         void *data = NULL;
5514         int data_len = 0;
5515
5516         if (cb->args[0]) {
5517                 /*
5518                  * 0 is a valid index, but not valid for args[0],
5519                  * so we need to offset by 1.
5520                  */
5521                 phy_idx = cb->args[0] - 1;
5522         } else {
5523                 err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
5524                                   nl80211_fam.attrbuf, nl80211_fam.maxattr,
5525                                   nl80211_policy);
5526                 if (err)
5527                         return err;
5528
5529                 mutex_lock(&cfg80211_mutex);
5530                 rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk),
5531                                                   nl80211_fam.attrbuf);
5532                 if (IS_ERR(rdev)) {
5533                         mutex_unlock(&cfg80211_mutex);
5534                         return PTR_ERR(rdev);
5535                 }
5536                 phy_idx = rdev->wiphy_idx;
5537                 rdev = NULL;
5538                 mutex_unlock(&cfg80211_mutex);
5539
5540                 if (nl80211_fam.attrbuf[NL80211_ATTR_TESTDATA])
5541                         cb->args[1] =
5542                                 (long)nl80211_fam.attrbuf[NL80211_ATTR_TESTDATA];
5543         }
5544
5545         if (cb->args[1]) {
5546                 data = nla_data((void *)cb->args[1]);
5547                 data_len = nla_len((void *)cb->args[1]);
5548         }
5549
5550         mutex_lock(&cfg80211_mutex);
5551         rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
5552         if (!rdev) {
5553                 mutex_unlock(&cfg80211_mutex);
5554                 return -ENOENT;
5555         }
5556         cfg80211_lock_rdev(rdev);
5557         mutex_unlock(&cfg80211_mutex);
5558
5559         if (!rdev->ops->testmode_dump) {
5560                 err = -EOPNOTSUPP;
5561                 goto out_err;
5562         }
5563
5564         while (1) {
5565                 void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
5566                                            cb->nlh->nlmsg_seq, NLM_F_MULTI,
5567                                            NL80211_CMD_TESTMODE);
5568                 struct nlattr *tmdata;
5569
5570                 if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
5571                         genlmsg_cancel(skb, hdr);
5572                         break;
5573                 }
5574
5575                 tmdata = nla_nest_start(skb, NL80211_ATTR_TESTDATA);
5576                 if (!tmdata) {
5577                         genlmsg_cancel(skb, hdr);
5578                         break;
5579                 }
5580                 err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
5581                 nla_nest_end(skb, tmdata);
5582
5583                 if (err == -ENOBUFS || err == -ENOENT) {
5584                         genlmsg_cancel(skb, hdr);
5585                         break;
5586                 } else if (err) {
5587                         genlmsg_cancel(skb, hdr);
5588                         goto out_err;
5589                 }
5590
5591                 genlmsg_end(skb, hdr);
5592         }
5593
5594         err = skb->len;
5595         /* see above */
5596         cb->args[0] = phy_idx + 1;
5597  out_err:
5598         cfg80211_unlock_rdev(rdev);
5599         return err;
5600 }
5601
5602 static struct sk_buff *
5603 __cfg80211_testmode_alloc_skb(struct cfg80211_registered_device *rdev,
5604                               int approxlen, u32 portid, u32 seq, gfp_t gfp)
5605 {
5606         struct sk_buff *skb;
5607         void *hdr;
5608         struct nlattr *data;
5609
5610         skb = nlmsg_new(approxlen + 100, gfp);
5611         if (!skb)
5612                 return NULL;
5613
5614         hdr = nl80211hdr_put(skb, portid, seq, 0, NL80211_CMD_TESTMODE);
5615         if (!hdr) {
5616                 kfree_skb(skb);
5617                 return NULL;
5618         }
5619
5620         if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
5621                 goto nla_put_failure;
5622         data = nla_nest_start(skb, NL80211_ATTR_TESTDATA);
5623
5624         ((void **)skb->cb)[0] = rdev;
5625         ((void **)skb->cb)[1] = hdr;
5626         ((void **)skb->cb)[2] = data;
5627
5628         return skb;
5629
5630  nla_put_failure:
5631         kfree_skb(skb);
5632         return NULL;
5633 }
5634
5635 struct sk_buff *cfg80211_testmode_alloc_reply_skb(struct wiphy *wiphy,
5636                                                   int approxlen)
5637 {
5638         struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
5639
5640         if (WARN_ON(!rdev->testmode_info))
5641                 return NULL;
5642
5643         return __cfg80211_testmode_alloc_skb(rdev, approxlen,
5644                                 rdev->testmode_info->snd_portid,
5645                                 rdev->testmode_info->snd_seq,
5646                                 GFP_KERNEL);
5647 }
5648 EXPORT_SYMBOL(cfg80211_testmode_alloc_reply_skb);
5649
5650 int cfg80211_testmode_reply(struct sk_buff *skb)
5651 {
5652         struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
5653         void *hdr = ((void **)skb->cb)[1];
5654         struct nlattr *data = ((void **)skb->cb)[2];
5655
5656         if (WARN_ON(!rdev->testmode_info)) {
5657                 kfree_skb(skb);
5658                 return -EINVAL;
5659         }
5660
5661         nla_nest_end(skb, data);
5662         genlmsg_end(skb, hdr);
5663         return genlmsg_reply(skb, rdev->testmode_info);
5664 }
5665 EXPORT_SYMBOL(cfg80211_testmode_reply);
5666
5667 struct sk_buff *cfg80211_testmode_alloc_event_skb(struct wiphy *wiphy,
5668                                                   int approxlen, gfp_t gfp)
5669 {
5670         struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
5671
5672         return __cfg80211_testmode_alloc_skb(rdev, approxlen, 0, 0, gfp);
5673 }
5674 EXPORT_SYMBOL(cfg80211_testmode_alloc_event_skb);
5675
5676 void cfg80211_testmode_event(struct sk_buff *skb, gfp_t gfp)
5677 {
5678         void *hdr = ((void **)skb->cb)[1];
5679         struct nlattr *data = ((void **)skb->cb)[2];
5680
5681         nla_nest_end(skb, data);
5682         genlmsg_end(skb, hdr);
5683         genlmsg_multicast(skb, 0, nl80211_testmode_mcgrp.id, gfp);
5684 }
5685 EXPORT_SYMBOL(cfg80211_testmode_event);
5686 #endif
5687
5688 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
5689 {
5690         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5691         struct net_device *dev = info->user_ptr[1];
5692         struct cfg80211_connect_params connect;
5693         struct wiphy *wiphy;
5694         struct cfg80211_cached_keys *connkeys = NULL;
5695         int err;
5696
5697         memset(&connect, 0, sizeof(connect));
5698
5699         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
5700                 return -EINVAL;
5701
5702         if (!info->attrs[NL80211_ATTR_SSID] ||
5703             !nla_len(info->attrs[NL80211_ATTR_SSID]))
5704                 return -EINVAL;
5705
5706         if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
5707                 connect.auth_type =
5708                         nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
5709                 if (!nl80211_valid_auth_type(rdev, connect.auth_type,
5710                                              NL80211_CMD_CONNECT))
5711                         return -EINVAL;
5712         } else
5713                 connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
5714
5715         connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
5716
5717         err = nl80211_crypto_settings(rdev, info, &connect.crypto,
5718                                       NL80211_MAX_NR_CIPHER_SUITES);
5719         if (err)
5720                 return err;
5721
5722         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
5723             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
5724                 return -EOPNOTSUPP;
5725
5726         wiphy = &rdev->wiphy;
5727
5728         connect.bg_scan_period = -1;
5729         if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
5730                 (wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
5731                 connect.bg_scan_period =
5732                         nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
5733         }
5734
5735         if (info->attrs[NL80211_ATTR_MAC])
5736                 connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
5737         connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
5738         connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
5739
5740         if (info->attrs[NL80211_ATTR_IE]) {
5741                 connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
5742                 connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5743         }
5744
5745         if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
5746                 connect.channel =
5747                         ieee80211_get_channel(wiphy,
5748                             nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
5749                 if (!connect.channel ||
5750                     connect.channel->flags & IEEE80211_CHAN_DISABLED)
5751                         return -EINVAL;
5752         }
5753
5754         if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
5755                 connkeys = nl80211_parse_connkeys(rdev,
5756                                           info->attrs[NL80211_ATTR_KEYS], NULL);
5757                 if (IS_ERR(connkeys))
5758                         return PTR_ERR(connkeys);
5759         }
5760
5761         if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
5762                 connect.flags |= ASSOC_REQ_DISABLE_HT;
5763
5764         if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
5765                 memcpy(&connect.ht_capa_mask,
5766                        nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
5767                        sizeof(connect.ht_capa_mask));
5768
5769         if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
5770                 if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
5771                         kfree(connkeys);
5772                         return -EINVAL;
5773                 }
5774                 memcpy(&connect.ht_capa,
5775                        nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
5776                        sizeof(connect.ht_capa));
5777         }
5778
5779         err = cfg80211_connect(rdev, dev, &connect, connkeys);
5780         if (err)
5781                 kfree(connkeys);
5782         return err;
5783 }
5784
5785 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
5786 {
5787         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5788         struct net_device *dev = info->user_ptr[1];
5789         u16 reason;
5790
5791         if (!info->attrs[NL80211_ATTR_REASON_CODE])
5792                 reason = WLAN_REASON_DEAUTH_LEAVING;
5793         else
5794                 reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
5795
5796         if (reason == 0)
5797                 return -EINVAL;
5798
5799         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
5800             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
5801                 return -EOPNOTSUPP;
5802
5803         return cfg80211_disconnect(rdev, dev, reason, true);
5804 }
5805
5806 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
5807 {
5808         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5809         struct net *net;
5810         int err;
5811         u32 pid;
5812
5813         if (!info->attrs[NL80211_ATTR_PID])
5814                 return -EINVAL;
5815
5816         pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
5817
5818         net = get_net_ns_by_pid(pid);
5819         if (IS_ERR(net))
5820                 return PTR_ERR(net);
5821
5822         err = 0;
5823
5824         /* check if anything to do */
5825         if (!net_eq(wiphy_net(&rdev->wiphy), net))
5826                 err = cfg80211_switch_netns(rdev, net);
5827
5828         put_net(net);
5829         return err;
5830 }
5831
5832 static int nl80211_setdel_pmksa(struct sk_buff *skb, struct genl_info *info)
5833 {
5834         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5835         int (*rdev_ops)(struct wiphy *wiphy, struct net_device *dev,
5836                         struct cfg80211_pmksa *pmksa) = NULL;
5837