Merge remote-tracking branch 'mac80211/master' into mac80211-next
[linux-3.10.git] / net / wireless / nl80211.c
1 /*
2  * This is the new netlink-based wireless configuration interface.
3  *
4  * Copyright 2006-2010  Johannes Berg <johannes@sipsolutions.net>
5  */
6
7 #include <linux/if.h>
8 #include <linux/module.h>
9 #include <linux/err.h>
10 #include <linux/slab.h>
11 #include <linux/list.h>
12 #include <linux/if_ether.h>
13 #include <linux/ieee80211.h>
14 #include <linux/nl80211.h>
15 #include <linux/rtnetlink.h>
16 #include <linux/netlink.h>
17 #include <linux/etherdevice.h>
18 #include <net/net_namespace.h>
19 #include <net/genetlink.h>
20 #include <net/cfg80211.h>
21 #include <net/sock.h>
22 #include "core.h"
23 #include "nl80211.h"
24 #include "reg.h"
25
26 static bool nl80211_valid_auth_type(enum nl80211_auth_type auth_type);
27 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
28                                    struct genl_info *info,
29                                    struct cfg80211_crypto_settings *settings,
30                                    int cipher_limit);
31
32 static int nl80211_pre_doit(struct genl_ops *ops, struct sk_buff *skb,
33                             struct genl_info *info);
34 static void nl80211_post_doit(struct genl_ops *ops, struct sk_buff *skb,
35                               struct genl_info *info);
36
37 /* the netlink family */
38 static struct genl_family nl80211_fam = {
39         .id = GENL_ID_GENERATE, /* don't bother with a hardcoded ID */
40         .name = "nl80211",      /* have users key off the name instead */
41         .hdrsize = 0,           /* no private header */
42         .version = 1,           /* no particular meaning now */
43         .maxattr = NL80211_ATTR_MAX,
44         .netnsok = true,
45         .pre_doit = nl80211_pre_doit,
46         .post_doit = nl80211_post_doit,
47 };
48
49 /* returns ERR_PTR values */
50 static struct wireless_dev *
51 __cfg80211_wdev_from_attrs(struct net *netns, struct nlattr **attrs)
52 {
53         struct cfg80211_registered_device *rdev;
54         struct wireless_dev *result = NULL;
55         bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
56         bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
57         u64 wdev_id;
58         int wiphy_idx = -1;
59         int ifidx = -1;
60
61         assert_cfg80211_lock();
62
63         if (!have_ifidx && !have_wdev_id)
64                 return ERR_PTR(-EINVAL);
65
66         if (have_ifidx)
67                 ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
68         if (have_wdev_id) {
69                 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
70                 wiphy_idx = wdev_id >> 32;
71         }
72
73         list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
74                 struct wireless_dev *wdev;
75
76                 if (wiphy_net(&rdev->wiphy) != netns)
77                         continue;
78
79                 if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
80                         continue;
81
82                 mutex_lock(&rdev->devlist_mtx);
83                 list_for_each_entry(wdev, &rdev->wdev_list, list) {
84                         if (have_ifidx && wdev->netdev &&
85                             wdev->netdev->ifindex == ifidx) {
86                                 result = wdev;
87                                 break;
88                         }
89                         if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
90                                 result = wdev;
91                                 break;
92                         }
93                 }
94                 mutex_unlock(&rdev->devlist_mtx);
95
96                 if (result)
97                         break;
98         }
99
100         if (result)
101                 return result;
102         return ERR_PTR(-ENODEV);
103 }
104
105 static struct cfg80211_registered_device *
106 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
107 {
108         struct cfg80211_registered_device *rdev = NULL, *tmp;
109         struct net_device *netdev;
110
111         assert_cfg80211_lock();
112
113         if (!attrs[NL80211_ATTR_WIPHY] &&
114             !attrs[NL80211_ATTR_IFINDEX] &&
115             !attrs[NL80211_ATTR_WDEV])
116                 return ERR_PTR(-EINVAL);
117
118         if (attrs[NL80211_ATTR_WIPHY])
119                 rdev = cfg80211_rdev_by_wiphy_idx(
120                                 nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
121
122         if (attrs[NL80211_ATTR_WDEV]) {
123                 u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
124                 struct wireless_dev *wdev;
125                 bool found = false;
126
127                 tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
128                 if (tmp) {
129                         /* make sure wdev exists */
130                         mutex_lock(&tmp->devlist_mtx);
131                         list_for_each_entry(wdev, &tmp->wdev_list, list) {
132                                 if (wdev->identifier != (u32)wdev_id)
133                                         continue;
134                                 found = true;
135                                 break;
136                         }
137                         mutex_unlock(&tmp->devlist_mtx);
138
139                         if (!found)
140                                 tmp = NULL;
141
142                         if (rdev && tmp != rdev)
143                                 return ERR_PTR(-EINVAL);
144                         rdev = tmp;
145                 }
146         }
147
148         if (attrs[NL80211_ATTR_IFINDEX]) {
149                 int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
150                 netdev = dev_get_by_index(netns, ifindex);
151                 if (netdev) {
152                         if (netdev->ieee80211_ptr)
153                                 tmp = wiphy_to_dev(
154                                                 netdev->ieee80211_ptr->wiphy);
155                         else
156                                 tmp = NULL;
157
158                         dev_put(netdev);
159
160                         /* not wireless device -- return error */
161                         if (!tmp)
162                                 return ERR_PTR(-EINVAL);
163
164                         /* mismatch -- return error */
165                         if (rdev && tmp != rdev)
166                                 return ERR_PTR(-EINVAL);
167
168                         rdev = tmp;
169                 }
170         }
171
172         if (!rdev)
173                 return ERR_PTR(-ENODEV);
174
175         if (netns != wiphy_net(&rdev->wiphy))
176                 return ERR_PTR(-ENODEV);
177
178         return rdev;
179 }
180
181 /*
182  * This function returns a pointer to the driver
183  * that the genl_info item that is passed refers to.
184  * If successful, it returns non-NULL and also locks
185  * the driver's mutex!
186  *
187  * This means that you need to call cfg80211_unlock_rdev()
188  * before being allowed to acquire &cfg80211_mutex!
189  *
190  * This is necessary because we need to lock the global
191  * mutex to get an item off the list safely, and then
192  * we lock the rdev mutex so it doesn't go away under us.
193  *
194  * We don't want to keep cfg80211_mutex locked
195  * for all the time in order to allow requests on
196  * other interfaces to go through at the same time.
197  *
198  * The result of this can be a PTR_ERR and hence must
199  * be checked with IS_ERR() for errors.
200  */
201 static struct cfg80211_registered_device *
202 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
203 {
204         struct cfg80211_registered_device *rdev;
205
206         mutex_lock(&cfg80211_mutex);
207         rdev = __cfg80211_rdev_from_attrs(netns, info->attrs);
208
209         /* if it is not an error we grab the lock on
210          * it to assure it won't be going away while
211          * we operate on it */
212         if (!IS_ERR(rdev))
213                 mutex_lock(&rdev->mtx);
214
215         mutex_unlock(&cfg80211_mutex);
216
217         return rdev;
218 }
219
220 /* policy for the attributes */
221 static const struct nla_policy nl80211_policy[NL80211_ATTR_MAX+1] = {
222         [NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
223         [NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
224                                       .len = 20-1 },
225         [NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
226         [NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
227         [NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
228         [NL80211_ATTR_WIPHY_RETRY_SHORT] = { .type = NLA_U8 },
229         [NL80211_ATTR_WIPHY_RETRY_LONG] = { .type = NLA_U8 },
230         [NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
231         [NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
232         [NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
233
234         [NL80211_ATTR_IFTYPE] = { .type = NLA_U32 },
235         [NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
236         [NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
237
238         [NL80211_ATTR_MAC] = { .len = ETH_ALEN },
239         [NL80211_ATTR_PREV_BSSID] = { .len = ETH_ALEN },
240
241         [NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
242         [NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
243                                     .len = WLAN_MAX_KEY_LEN },
244         [NL80211_ATTR_KEY_IDX] = { .type = NLA_U8 },
245         [NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
246         [NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
247         [NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
248         [NL80211_ATTR_KEY_TYPE] = { .type = NLA_U32 },
249
250         [NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
251         [NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
252         [NL80211_ATTR_BEACON_HEAD] = { .type = NLA_BINARY,
253                                        .len = IEEE80211_MAX_DATA_LEN },
254         [NL80211_ATTR_BEACON_TAIL] = { .type = NLA_BINARY,
255                                        .len = IEEE80211_MAX_DATA_LEN },
256         [NL80211_ATTR_STA_AID] = { .type = NLA_U16 },
257         [NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
258         [NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
259         [NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
260                                                .len = NL80211_MAX_SUPP_RATES },
261         [NL80211_ATTR_STA_PLINK_ACTION] = { .type = NLA_U8 },
262         [NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
263         [NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
264         [NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
265                                    .len = IEEE80211_MAX_MESH_ID_LEN },
266         [NL80211_ATTR_MPATH_NEXT_HOP] = { .type = NLA_U32 },
267
268         [NL80211_ATTR_REG_ALPHA2] = { .type = NLA_STRING, .len = 2 },
269         [NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
270
271         [NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
272         [NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
273         [NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
274         [NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
275                                            .len = NL80211_MAX_SUPP_RATES },
276         [NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
277
278         [NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
279         [NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
280
281         [NL80211_ATTR_HT_CAPABILITY] = { .len = NL80211_HT_CAPABILITY_LEN },
282
283         [NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
284         [NL80211_ATTR_IE] = { .type = NLA_BINARY,
285                               .len = IEEE80211_MAX_DATA_LEN },
286         [NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
287         [NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
288
289         [NL80211_ATTR_SSID] = { .type = NLA_BINARY,
290                                 .len = IEEE80211_MAX_SSID_LEN },
291         [NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
292         [NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
293         [NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
294         [NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
295         [NL80211_ATTR_USE_MFP] = { .type = NLA_U32 },
296         [NL80211_ATTR_STA_FLAGS2] = {
297                 .len = sizeof(struct nl80211_sta_flag_update),
298         },
299         [NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
300         [NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
301         [NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
302         [NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
303         [NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
304         [NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
305         [NL80211_ATTR_PID] = { .type = NLA_U32 },
306         [NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
307         [NL80211_ATTR_PMKID] = { .type = NLA_BINARY,
308                                  .len = WLAN_PMKID_LEN },
309         [NL80211_ATTR_DURATION] = { .type = NLA_U32 },
310         [NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
311         [NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
312         [NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
313                                  .len = IEEE80211_MAX_DATA_LEN },
314         [NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
315         [NL80211_ATTR_PS_STATE] = { .type = NLA_U32 },
316         [NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
317         [NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
318         [NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
319         [NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
320         [NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
321         [NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
322         [NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
323         [NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
324         [NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
325         [NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
326         [NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
327         [NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
328         [NL80211_ATTR_STA_PLINK_STATE] = { .type = NLA_U8 },
329         [NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
330         [NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
331         [NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
332         [NL80211_ATTR_HIDDEN_SSID] = { .type = NLA_U32 },
333         [NL80211_ATTR_IE_PROBE_RESP] = { .type = NLA_BINARY,
334                                          .len = IEEE80211_MAX_DATA_LEN },
335         [NL80211_ATTR_IE_ASSOC_RESP] = { .type = NLA_BINARY,
336                                          .len = IEEE80211_MAX_DATA_LEN },
337         [NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
338         [NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
339         [NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
340         [NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
341         [NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
342         [NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
343         [NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
344         [NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
345         [NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
346         [NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
347                                       .len = IEEE80211_MAX_DATA_LEN },
348         [NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
349         [NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
350         [NL80211_ATTR_HT_CAPABILITY_MASK] = {
351                 .len = NL80211_HT_CAPABILITY_LEN
352         },
353         [NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
354         [NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
355         [NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
356         [NL80211_ATTR_WDEV] = { .type = NLA_U64 },
357         [NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
358 };
359
360 /* policy for the key attributes */
361 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
362         [NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
363         [NL80211_KEY_IDX] = { .type = NLA_U8 },
364         [NL80211_KEY_CIPHER] = { .type = NLA_U32 },
365         [NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
366         [NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
367         [NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
368         [NL80211_KEY_TYPE] = { .type = NLA_U32 },
369         [NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
370 };
371
372 /* policy for the key default flags */
373 static const struct nla_policy
374 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
375         [NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
376         [NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
377 };
378
379 /* policy for WoWLAN attributes */
380 static const struct nla_policy
381 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
382         [NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
383         [NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
384         [NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
385         [NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
386         [NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
387         [NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
388         [NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
389         [NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
390 };
391
392 /* policy for GTK rekey offload attributes */
393 static const struct nla_policy
394 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
395         [NL80211_REKEY_DATA_KEK] = { .len = NL80211_KEK_LEN },
396         [NL80211_REKEY_DATA_KCK] = { .len = NL80211_KCK_LEN },
397         [NL80211_REKEY_DATA_REPLAY_CTR] = { .len = NL80211_REPLAY_CTR_LEN },
398 };
399
400 static const struct nla_policy
401 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
402         [NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
403                                                  .len = IEEE80211_MAX_SSID_LEN },
404         [NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
405 };
406
407 /* ifidx get helper */
408 static int nl80211_get_ifidx(struct netlink_callback *cb)
409 {
410         int res;
411
412         res = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
413                           nl80211_fam.attrbuf, nl80211_fam.maxattr,
414                           nl80211_policy);
415         if (res)
416                 return res;
417
418         if (!nl80211_fam.attrbuf[NL80211_ATTR_IFINDEX])
419                 return -EINVAL;
420
421         res = nla_get_u32(nl80211_fam.attrbuf[NL80211_ATTR_IFINDEX]);
422         if (!res)
423                 return -EINVAL;
424         return res;
425 }
426
427 static int nl80211_prepare_netdev_dump(struct sk_buff *skb,
428                                        struct netlink_callback *cb,
429                                        struct cfg80211_registered_device **rdev,
430                                        struct net_device **dev)
431 {
432         int ifidx = cb->args[0];
433         int err;
434
435         if (!ifidx)
436                 ifidx = nl80211_get_ifidx(cb);
437         if (ifidx < 0)
438                 return ifidx;
439
440         cb->args[0] = ifidx;
441
442         rtnl_lock();
443
444         *dev = __dev_get_by_index(sock_net(skb->sk), ifidx);
445         if (!*dev) {
446                 err = -ENODEV;
447                 goto out_rtnl;
448         }
449
450         *rdev = cfg80211_get_dev_from_ifindex(sock_net(skb->sk), ifidx);
451         if (IS_ERR(*rdev)) {
452                 err = PTR_ERR(*rdev);
453                 goto out_rtnl;
454         }
455
456         return 0;
457  out_rtnl:
458         rtnl_unlock();
459         return err;
460 }
461
462 static void nl80211_finish_netdev_dump(struct cfg80211_registered_device *rdev)
463 {
464         cfg80211_unlock_rdev(rdev);
465         rtnl_unlock();
466 }
467
468 /* IE validation */
469 static bool is_valid_ie_attr(const struct nlattr *attr)
470 {
471         const u8 *pos;
472         int len;
473
474         if (!attr)
475                 return true;
476
477         pos = nla_data(attr);
478         len = nla_len(attr);
479
480         while (len) {
481                 u8 elemlen;
482
483                 if (len < 2)
484                         return false;
485                 len -= 2;
486
487                 elemlen = pos[1];
488                 if (elemlen > len)
489                         return false;
490
491                 len -= elemlen;
492                 pos += 2 + elemlen;
493         }
494
495         return true;
496 }
497
498 /* message building helper */
499 static inline void *nl80211hdr_put(struct sk_buff *skb, u32 pid, u32 seq,
500                                    int flags, u8 cmd)
501 {
502         /* since there is no private header just add the generic one */
503         return genlmsg_put(skb, pid, seq, &nl80211_fam, flags, cmd);
504 }
505
506 static int nl80211_msg_put_channel(struct sk_buff *msg,
507                                    struct ieee80211_channel *chan)
508 {
509         if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
510                         chan->center_freq))
511                 goto nla_put_failure;
512
513         if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
514             nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
515                 goto nla_put_failure;
516         if ((chan->flags & IEEE80211_CHAN_PASSIVE_SCAN) &&
517             nla_put_flag(msg, NL80211_FREQUENCY_ATTR_PASSIVE_SCAN))
518                 goto nla_put_failure;
519         if ((chan->flags & IEEE80211_CHAN_NO_IBSS) &&
520             nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IBSS))
521                 goto nla_put_failure;
522         if ((chan->flags & IEEE80211_CHAN_RADAR) &&
523             nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
524                 goto nla_put_failure;
525
526         if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
527                         DBM_TO_MBM(chan->max_power)))
528                 goto nla_put_failure;
529
530         return 0;
531
532  nla_put_failure:
533         return -ENOBUFS;
534 }
535
536 /* netlink command implementations */
537
538 struct key_parse {
539         struct key_params p;
540         int idx;
541         int type;
542         bool def, defmgmt;
543         bool def_uni, def_multi;
544 };
545
546 static int nl80211_parse_key_new(struct nlattr *key, struct key_parse *k)
547 {
548         struct nlattr *tb[NL80211_KEY_MAX + 1];
549         int err = nla_parse_nested(tb, NL80211_KEY_MAX, key,
550                                    nl80211_key_policy);
551         if (err)
552                 return err;
553
554         k->def = !!tb[NL80211_KEY_DEFAULT];
555         k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
556
557         if (k->def) {
558                 k->def_uni = true;
559                 k->def_multi = true;
560         }
561         if (k->defmgmt)
562                 k->def_multi = true;
563
564         if (tb[NL80211_KEY_IDX])
565                 k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
566
567         if (tb[NL80211_KEY_DATA]) {
568                 k->p.key = nla_data(tb[NL80211_KEY_DATA]);
569                 k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
570         }
571
572         if (tb[NL80211_KEY_SEQ]) {
573                 k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
574                 k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
575         }
576
577         if (tb[NL80211_KEY_CIPHER])
578                 k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
579
580         if (tb[NL80211_KEY_TYPE]) {
581                 k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
582                 if (k->type < 0 || k->type >= NUM_NL80211_KEYTYPES)
583                         return -EINVAL;
584         }
585
586         if (tb[NL80211_KEY_DEFAULT_TYPES]) {
587                 struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
588                 err = nla_parse_nested(kdt, NUM_NL80211_KEY_DEFAULT_TYPES - 1,
589                                        tb[NL80211_KEY_DEFAULT_TYPES],
590                                        nl80211_key_default_policy);
591                 if (err)
592                         return err;
593
594                 k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
595                 k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
596         }
597
598         return 0;
599 }
600
601 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
602 {
603         if (info->attrs[NL80211_ATTR_KEY_DATA]) {
604                 k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
605                 k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
606         }
607
608         if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
609                 k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
610                 k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
611         }
612
613         if (info->attrs[NL80211_ATTR_KEY_IDX])
614                 k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
615
616         if (info->attrs[NL80211_ATTR_KEY_CIPHER])
617                 k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
618
619         k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
620         k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
621
622         if (k->def) {
623                 k->def_uni = true;
624                 k->def_multi = true;
625         }
626         if (k->defmgmt)
627                 k->def_multi = true;
628
629         if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
630                 k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
631                 if (k->type < 0 || k->type >= NUM_NL80211_KEYTYPES)
632                         return -EINVAL;
633         }
634
635         if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
636                 struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
637                 int err = nla_parse_nested(
638                                 kdt, NUM_NL80211_KEY_DEFAULT_TYPES - 1,
639                                 info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
640                                 nl80211_key_default_policy);
641                 if (err)
642                         return err;
643
644                 k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
645                 k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
646         }
647
648         return 0;
649 }
650
651 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
652 {
653         int err;
654
655         memset(k, 0, sizeof(*k));
656         k->idx = -1;
657         k->type = -1;
658
659         if (info->attrs[NL80211_ATTR_KEY])
660                 err = nl80211_parse_key_new(info->attrs[NL80211_ATTR_KEY], k);
661         else
662                 err = nl80211_parse_key_old(info, k);
663
664         if (err)
665                 return err;
666
667         if (k->def && k->defmgmt)
668                 return -EINVAL;
669
670         if (k->defmgmt) {
671                 if (k->def_uni || !k->def_multi)
672                         return -EINVAL;
673         }
674
675         if (k->idx != -1) {
676                 if (k->defmgmt) {
677                         if (k->idx < 4 || k->idx > 5)
678                                 return -EINVAL;
679                 } else if (k->def) {
680                         if (k->idx < 0 || k->idx > 3)
681                                 return -EINVAL;
682                 } else {
683                         if (k->idx < 0 || k->idx > 5)
684                                 return -EINVAL;
685                 }
686         }
687
688         return 0;
689 }
690
691 static struct cfg80211_cached_keys *
692 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
693                        struct nlattr *keys)
694 {
695         struct key_parse parse;
696         struct nlattr *key;
697         struct cfg80211_cached_keys *result;
698         int rem, err, def = 0;
699
700         result = kzalloc(sizeof(*result), GFP_KERNEL);
701         if (!result)
702                 return ERR_PTR(-ENOMEM);
703
704         result->def = -1;
705         result->defmgmt = -1;
706
707         nla_for_each_nested(key, keys, rem) {
708                 memset(&parse, 0, sizeof(parse));
709                 parse.idx = -1;
710
711                 err = nl80211_parse_key_new(key, &parse);
712                 if (err)
713                         goto error;
714                 err = -EINVAL;
715                 if (!parse.p.key)
716                         goto error;
717                 if (parse.idx < 0 || parse.idx > 4)
718                         goto error;
719                 if (parse.def) {
720                         if (def)
721                                 goto error;
722                         def = 1;
723                         result->def = parse.idx;
724                         if (!parse.def_uni || !parse.def_multi)
725                                 goto error;
726                 } else if (parse.defmgmt)
727                         goto error;
728                 err = cfg80211_validate_key_settings(rdev, &parse.p,
729                                                      parse.idx, false, NULL);
730                 if (err)
731                         goto error;
732                 result->params[parse.idx].cipher = parse.p.cipher;
733                 result->params[parse.idx].key_len = parse.p.key_len;
734                 result->params[parse.idx].key = result->data[parse.idx];
735                 memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
736         }
737
738         return result;
739  error:
740         kfree(result);
741         return ERR_PTR(err);
742 }
743
744 static int nl80211_key_allowed(struct wireless_dev *wdev)
745 {
746         ASSERT_WDEV_LOCK(wdev);
747
748         switch (wdev->iftype) {
749         case NL80211_IFTYPE_AP:
750         case NL80211_IFTYPE_AP_VLAN:
751         case NL80211_IFTYPE_P2P_GO:
752         case NL80211_IFTYPE_MESH_POINT:
753                 break;
754         case NL80211_IFTYPE_ADHOC:
755                 if (!wdev->current_bss)
756                         return -ENOLINK;
757                 break;
758         case NL80211_IFTYPE_STATION:
759         case NL80211_IFTYPE_P2P_CLIENT:
760                 if (wdev->sme_state != CFG80211_SME_CONNECTED)
761                         return -ENOLINK;
762                 break;
763         default:
764                 return -EINVAL;
765         }
766
767         return 0;
768 }
769
770 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
771 {
772         struct nlattr *nl_modes = nla_nest_start(msg, attr);
773         int i;
774
775         if (!nl_modes)
776                 goto nla_put_failure;
777
778         i = 0;
779         while (ifmodes) {
780                 if ((ifmodes & 1) && nla_put_flag(msg, i))
781                         goto nla_put_failure;
782                 ifmodes >>= 1;
783                 i++;
784         }
785
786         nla_nest_end(msg, nl_modes);
787         return 0;
788
789 nla_put_failure:
790         return -ENOBUFS;
791 }
792
793 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
794                                           struct sk_buff *msg)
795 {
796         struct nlattr *nl_combis;
797         int i, j;
798
799         nl_combis = nla_nest_start(msg,
800                                 NL80211_ATTR_INTERFACE_COMBINATIONS);
801         if (!nl_combis)
802                 goto nla_put_failure;
803
804         for (i = 0; i < wiphy->n_iface_combinations; i++) {
805                 const struct ieee80211_iface_combination *c;
806                 struct nlattr *nl_combi, *nl_limits;
807
808                 c = &wiphy->iface_combinations[i];
809
810                 nl_combi = nla_nest_start(msg, i + 1);
811                 if (!nl_combi)
812                         goto nla_put_failure;
813
814                 nl_limits = nla_nest_start(msg, NL80211_IFACE_COMB_LIMITS);
815                 if (!nl_limits)
816                         goto nla_put_failure;
817
818                 for (j = 0; j < c->n_limits; j++) {
819                         struct nlattr *nl_limit;
820
821                         nl_limit = nla_nest_start(msg, j + 1);
822                         if (!nl_limit)
823                                 goto nla_put_failure;
824                         if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
825                                         c->limits[j].max))
826                                 goto nla_put_failure;
827                         if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
828                                                 c->limits[j].types))
829                                 goto nla_put_failure;
830                         nla_nest_end(msg, nl_limit);
831                 }
832
833                 nla_nest_end(msg, nl_limits);
834
835                 if (c->beacon_int_infra_match &&
836                     nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
837                         goto nla_put_failure;
838                 if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
839                                 c->num_different_channels) ||
840                     nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
841                                 c->max_interfaces))
842                         goto nla_put_failure;
843
844                 nla_nest_end(msg, nl_combi);
845         }
846
847         nla_nest_end(msg, nl_combis);
848
849         return 0;
850 nla_put_failure:
851         return -ENOBUFS;
852 }
853
854 static int nl80211_send_wiphy(struct sk_buff *msg, u32 pid, u32 seq, int flags,
855                               struct cfg80211_registered_device *dev)
856 {
857         void *hdr;
858         struct nlattr *nl_bands, *nl_band;
859         struct nlattr *nl_freqs, *nl_freq;
860         struct nlattr *nl_rates, *nl_rate;
861         struct nlattr *nl_cmds;
862         enum ieee80211_band band;
863         struct ieee80211_channel *chan;
864         struct ieee80211_rate *rate;
865         int i;
866         const struct ieee80211_txrx_stypes *mgmt_stypes =
867                                 dev->wiphy.mgmt_stypes;
868
869         hdr = nl80211hdr_put(msg, pid, seq, flags, NL80211_CMD_NEW_WIPHY);
870         if (!hdr)
871                 return -1;
872
873         if (nla_put_u32(msg, NL80211_ATTR_WIPHY, dev->wiphy_idx) ||
874             nla_put_string(msg, NL80211_ATTR_WIPHY_NAME, wiphy_name(&dev->wiphy)) ||
875             nla_put_u32(msg, NL80211_ATTR_GENERATION,
876                         cfg80211_rdev_list_generation) ||
877             nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
878                        dev->wiphy.retry_short) ||
879             nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
880                        dev->wiphy.retry_long) ||
881             nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
882                         dev->wiphy.frag_threshold) ||
883             nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
884                         dev->wiphy.rts_threshold) ||
885             nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
886                        dev->wiphy.coverage_class) ||
887             nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
888                        dev->wiphy.max_scan_ssids) ||
889             nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
890                        dev->wiphy.max_sched_scan_ssids) ||
891             nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
892                         dev->wiphy.max_scan_ie_len) ||
893             nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
894                         dev->wiphy.max_sched_scan_ie_len) ||
895             nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
896                        dev->wiphy.max_match_sets))
897                 goto nla_put_failure;
898
899         if ((dev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
900             nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
901                 goto nla_put_failure;
902         if ((dev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
903             nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
904                 goto nla_put_failure;
905         if ((dev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
906             nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
907                 goto nla_put_failure;
908         if ((dev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
909             nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
910                 goto nla_put_failure;
911         if ((dev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
912             nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
913                 goto nla_put_failure;
914         if ((dev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
915             nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
916                 goto nla_put_failure;
917
918         if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
919                     sizeof(u32) * dev->wiphy.n_cipher_suites,
920                     dev->wiphy.cipher_suites))
921                 goto nla_put_failure;
922
923         if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
924                        dev->wiphy.max_num_pmkids))
925                 goto nla_put_failure;
926
927         if ((dev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
928             nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
929                 goto nla_put_failure;
930
931         if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
932                         dev->wiphy.available_antennas_tx) ||
933             nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
934                         dev->wiphy.available_antennas_rx))
935                 goto nla_put_failure;
936
937         if ((dev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
938             nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
939                         dev->wiphy.probe_resp_offload))
940                 goto nla_put_failure;
941
942         if ((dev->wiphy.available_antennas_tx ||
943              dev->wiphy.available_antennas_rx) && dev->ops->get_antenna) {
944                 u32 tx_ant = 0, rx_ant = 0;
945                 int res;
946                 res = dev->ops->get_antenna(&dev->wiphy, &tx_ant, &rx_ant);
947                 if (!res) {
948                         if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_TX,
949                                         tx_ant) ||
950                             nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_RX,
951                                         rx_ant))
952                                 goto nla_put_failure;
953                 }
954         }
955
956         if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
957                                 dev->wiphy.interface_modes))
958                 goto nla_put_failure;
959
960         nl_bands = nla_nest_start(msg, NL80211_ATTR_WIPHY_BANDS);
961         if (!nl_bands)
962                 goto nla_put_failure;
963
964         for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
965                 if (!dev->wiphy.bands[band])
966                         continue;
967
968                 nl_band = nla_nest_start(msg, band);
969                 if (!nl_band)
970                         goto nla_put_failure;
971
972                 /* add HT info */
973                 if (dev->wiphy.bands[band]->ht_cap.ht_supported &&
974                     (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
975                              sizeof(dev->wiphy.bands[band]->ht_cap.mcs),
976                              &dev->wiphy.bands[band]->ht_cap.mcs) ||
977                      nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
978                                  dev->wiphy.bands[band]->ht_cap.cap) ||
979                      nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
980                                 dev->wiphy.bands[band]->ht_cap.ampdu_factor) ||
981                      nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
982                                 dev->wiphy.bands[band]->ht_cap.ampdu_density)))
983                         goto nla_put_failure;
984
985                 /* add VHT info */
986                 if (dev->wiphy.bands[band]->vht_cap.vht_supported &&
987                     (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
988                              sizeof(dev->wiphy.bands[band]->vht_cap.vht_mcs),
989                              &dev->wiphy.bands[band]->vht_cap.vht_mcs) ||
990                      nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
991                                  dev->wiphy.bands[band]->vht_cap.cap)))
992                         goto nla_put_failure;
993
994                 /* add frequencies */
995                 nl_freqs = nla_nest_start(msg, NL80211_BAND_ATTR_FREQS);
996                 if (!nl_freqs)
997                         goto nla_put_failure;
998
999                 for (i = 0; i < dev->wiphy.bands[band]->n_channels; i++) {
1000                         nl_freq = nla_nest_start(msg, i);
1001                         if (!nl_freq)
1002                                 goto nla_put_failure;
1003
1004                         chan = &dev->wiphy.bands[band]->channels[i];
1005
1006                         if (nl80211_msg_put_channel(msg, chan))
1007                                 goto nla_put_failure;
1008
1009                         nla_nest_end(msg, nl_freq);
1010                 }
1011
1012                 nla_nest_end(msg, nl_freqs);
1013
1014                 /* add bitrates */
1015                 nl_rates = nla_nest_start(msg, NL80211_BAND_ATTR_RATES);
1016                 if (!nl_rates)
1017                         goto nla_put_failure;
1018
1019                 for (i = 0; i < dev->wiphy.bands[band]->n_bitrates; i++) {
1020                         nl_rate = nla_nest_start(msg, i);
1021                         if (!nl_rate)
1022                                 goto nla_put_failure;
1023
1024                         rate = &dev->wiphy.bands[band]->bitrates[i];
1025                         if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1026                                         rate->bitrate))
1027                                 goto nla_put_failure;
1028                         if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1029                             nla_put_flag(msg,
1030                                          NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1031                                 goto nla_put_failure;
1032
1033                         nla_nest_end(msg, nl_rate);
1034                 }
1035
1036                 nla_nest_end(msg, nl_rates);
1037
1038                 nla_nest_end(msg, nl_band);
1039         }
1040         nla_nest_end(msg, nl_bands);
1041
1042         nl_cmds = nla_nest_start(msg, NL80211_ATTR_SUPPORTED_COMMANDS);
1043         if (!nl_cmds)
1044                 goto nla_put_failure;
1045
1046         i = 0;
1047 #define CMD(op, n)                                              \
1048          do {                                                   \
1049                 if (dev->ops->op) {                             \
1050                         i++;                                    \
1051                         if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) \
1052                                 goto nla_put_failure;           \
1053                 }                                               \
1054         } while (0)
1055
1056         CMD(add_virtual_intf, NEW_INTERFACE);
1057         CMD(change_virtual_intf, SET_INTERFACE);
1058         CMD(add_key, NEW_KEY);
1059         CMD(start_ap, START_AP);
1060         CMD(add_station, NEW_STATION);
1061         CMD(add_mpath, NEW_MPATH);
1062         CMD(update_mesh_config, SET_MESH_CONFIG);
1063         CMD(change_bss, SET_BSS);
1064         CMD(auth, AUTHENTICATE);
1065         CMD(assoc, ASSOCIATE);
1066         CMD(deauth, DEAUTHENTICATE);
1067         CMD(disassoc, DISASSOCIATE);
1068         CMD(join_ibss, JOIN_IBSS);
1069         CMD(join_mesh, JOIN_MESH);
1070         CMD(set_pmksa, SET_PMKSA);
1071         CMD(del_pmksa, DEL_PMKSA);
1072         CMD(flush_pmksa, FLUSH_PMKSA);
1073         if (dev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
1074                 CMD(remain_on_channel, REMAIN_ON_CHANNEL);
1075         CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
1076         CMD(mgmt_tx, FRAME);
1077         CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
1078         if (dev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
1079                 i++;
1080                 if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
1081                         goto nla_put_failure;
1082         }
1083         if (dev->ops->set_monitor_channel || dev->ops->start_ap ||
1084             dev->ops->join_mesh) {
1085                 i++;
1086                 if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
1087                         goto nla_put_failure;
1088         }
1089         CMD(set_wds_peer, SET_WDS_PEER);
1090         if (dev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
1091                 CMD(tdls_mgmt, TDLS_MGMT);
1092                 CMD(tdls_oper, TDLS_OPER);
1093         }
1094         if (dev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN)
1095                 CMD(sched_scan_start, START_SCHED_SCAN);
1096         CMD(probe_client, PROBE_CLIENT);
1097         CMD(set_noack_map, SET_NOACK_MAP);
1098         if (dev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
1099                 i++;
1100                 if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
1101                         goto nla_put_failure;
1102         }
1103         CMD(start_p2p_device, START_P2P_DEVICE);
1104
1105 #ifdef CONFIG_NL80211_TESTMODE
1106         CMD(testmode_cmd, TESTMODE);
1107 #endif
1108
1109 #undef CMD
1110
1111         if (dev->ops->connect || dev->ops->auth) {
1112                 i++;
1113                 if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
1114                         goto nla_put_failure;
1115         }
1116
1117         if (dev->ops->disconnect || dev->ops->deauth) {
1118                 i++;
1119                 if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
1120                         goto nla_put_failure;
1121         }
1122
1123         nla_nest_end(msg, nl_cmds);
1124
1125         if (dev->ops->remain_on_channel &&
1126             (dev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
1127             nla_put_u32(msg, NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
1128                         dev->wiphy.max_remain_on_channel_duration))
1129                 goto nla_put_failure;
1130
1131         if ((dev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
1132             nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
1133                 goto nla_put_failure;
1134
1135         if (mgmt_stypes) {
1136                 u16 stypes;
1137                 struct nlattr *nl_ftypes, *nl_ifs;
1138                 enum nl80211_iftype ift;
1139
1140                 nl_ifs = nla_nest_start(msg, NL80211_ATTR_TX_FRAME_TYPES);
1141                 if (!nl_ifs)
1142                         goto nla_put_failure;
1143
1144                 for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1145                         nl_ftypes = nla_nest_start(msg, ift);
1146                         if (!nl_ftypes)
1147                                 goto nla_put_failure;
1148                         i = 0;
1149                         stypes = mgmt_stypes[ift].tx;
1150                         while (stypes) {
1151                                 if ((stypes & 1) &&
1152                                     nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1153                                                 (i << 4) | IEEE80211_FTYPE_MGMT))
1154                                         goto nla_put_failure;
1155                                 stypes >>= 1;
1156                                 i++;
1157                         }
1158                         nla_nest_end(msg, nl_ftypes);
1159                 }
1160
1161                 nla_nest_end(msg, nl_ifs);
1162
1163                 nl_ifs = nla_nest_start(msg, NL80211_ATTR_RX_FRAME_TYPES);
1164                 if (!nl_ifs)
1165                         goto nla_put_failure;
1166
1167                 for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1168                         nl_ftypes = nla_nest_start(msg, ift);
1169                         if (!nl_ftypes)
1170                                 goto nla_put_failure;
1171                         i = 0;
1172                         stypes = mgmt_stypes[ift].rx;
1173                         while (stypes) {
1174                                 if ((stypes & 1) &&
1175                                     nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1176                                                 (i << 4) | IEEE80211_FTYPE_MGMT))
1177                                         goto nla_put_failure;
1178                                 stypes >>= 1;
1179                                 i++;
1180                         }
1181                         nla_nest_end(msg, nl_ftypes);
1182                 }
1183                 nla_nest_end(msg, nl_ifs);
1184         }
1185
1186 #ifdef CONFIG_PM
1187         if (dev->wiphy.wowlan.flags || dev->wiphy.wowlan.n_patterns) {
1188                 struct nlattr *nl_wowlan;
1189
1190                 nl_wowlan = nla_nest_start(msg,
1191                                 NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1192                 if (!nl_wowlan)
1193                         goto nla_put_failure;
1194
1195                 if (((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_ANY) &&
1196                      nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1197                     ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_DISCONNECT) &&
1198                      nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1199                     ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1200                      nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1201                     ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1202                      nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1203                     ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1204                      nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1205                     ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1206                      nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1207                     ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1208                      nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1209                     ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1210                      nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1211                     goto nla_put_failure;
1212                 if (dev->wiphy.wowlan.n_patterns) {
1213                         struct nl80211_wowlan_pattern_support pat = {
1214                                 .max_patterns = dev->wiphy.wowlan.n_patterns,
1215                                 .min_pattern_len =
1216                                         dev->wiphy.wowlan.pattern_min_len,
1217                                 .max_pattern_len =
1218                                         dev->wiphy.wowlan.pattern_max_len,
1219                         };
1220                         if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1221                                     sizeof(pat), &pat))
1222                                 goto nla_put_failure;
1223                 }
1224
1225                 nla_nest_end(msg, nl_wowlan);
1226         }
1227 #endif
1228
1229         if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
1230                                 dev->wiphy.software_iftypes))
1231                 goto nla_put_failure;
1232
1233         if (nl80211_put_iface_combinations(&dev->wiphy, msg))
1234                 goto nla_put_failure;
1235
1236         if ((dev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
1237             nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
1238                         dev->wiphy.ap_sme_capa))
1239                 goto nla_put_failure;
1240
1241         if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS,
1242                         dev->wiphy.features))
1243                 goto nla_put_failure;
1244
1245         if (dev->wiphy.ht_capa_mod_mask &&
1246             nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
1247                     sizeof(*dev->wiphy.ht_capa_mod_mask),
1248                     dev->wiphy.ht_capa_mod_mask))
1249                 goto nla_put_failure;
1250
1251         return genlmsg_end(msg, hdr);
1252
1253  nla_put_failure:
1254         genlmsg_cancel(msg, hdr);
1255         return -EMSGSIZE;
1256 }
1257
1258 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
1259 {
1260         int idx = 0;
1261         int start = cb->args[0];
1262         struct cfg80211_registered_device *dev;
1263
1264         mutex_lock(&cfg80211_mutex);
1265         list_for_each_entry(dev, &cfg80211_rdev_list, list) {
1266                 if (!net_eq(wiphy_net(&dev->wiphy), sock_net(skb->sk)))
1267                         continue;
1268                 if (++idx <= start)
1269                         continue;
1270                 if (nl80211_send_wiphy(skb, NETLINK_CB(cb->skb).pid,
1271                                        cb->nlh->nlmsg_seq, NLM_F_MULTI,
1272                                        dev) < 0) {
1273                         idx--;
1274                         break;
1275                 }
1276         }
1277         mutex_unlock(&cfg80211_mutex);
1278
1279         cb->args[0] = idx;
1280
1281         return skb->len;
1282 }
1283
1284 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
1285 {
1286         struct sk_buff *msg;
1287         struct cfg80211_registered_device *dev = info->user_ptr[0];
1288
1289         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1290         if (!msg)
1291                 return -ENOMEM;
1292
1293         if (nl80211_send_wiphy(msg, info->snd_pid, info->snd_seq, 0, dev) < 0) {
1294                 nlmsg_free(msg);
1295                 return -ENOBUFS;
1296         }
1297
1298         return genlmsg_reply(msg, info);
1299 }
1300
1301 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
1302         [NL80211_TXQ_ATTR_QUEUE]                = { .type = NLA_U8 },
1303         [NL80211_TXQ_ATTR_TXOP]                 = { .type = NLA_U16 },
1304         [NL80211_TXQ_ATTR_CWMIN]                = { .type = NLA_U16 },
1305         [NL80211_TXQ_ATTR_CWMAX]                = { .type = NLA_U16 },
1306         [NL80211_TXQ_ATTR_AIFS]                 = { .type = NLA_U8 },
1307 };
1308
1309 static int parse_txq_params(struct nlattr *tb[],
1310                             struct ieee80211_txq_params *txq_params)
1311 {
1312         if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
1313             !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
1314             !tb[NL80211_TXQ_ATTR_AIFS])
1315                 return -EINVAL;
1316
1317         txq_params->ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
1318         txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
1319         txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
1320         txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
1321         txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
1322
1323         if (txq_params->ac >= NL80211_NUM_ACS)
1324                 return -EINVAL;
1325
1326         return 0;
1327 }
1328
1329 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
1330 {
1331         /*
1332          * You can only set the channel explicitly for WDS interfaces,
1333          * all others have their channel managed via their respective
1334          * "establish a connection" command (connect, join, ...)
1335          *
1336          * For AP/GO and mesh mode, the channel can be set with the
1337          * channel userspace API, but is only stored and passed to the
1338          * low-level driver when the AP starts or the mesh is joined.
1339          * This is for backward compatibility, userspace can also give
1340          * the channel in the start-ap or join-mesh commands instead.
1341          *
1342          * Monitors are special as they are normally slaved to
1343          * whatever else is going on, so they have their own special
1344          * operation to set the monitor channel if possible.
1345          */
1346         return !wdev ||
1347                 wdev->iftype == NL80211_IFTYPE_AP ||
1348                 wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
1349                 wdev->iftype == NL80211_IFTYPE_MONITOR ||
1350                 wdev->iftype == NL80211_IFTYPE_P2P_GO;
1351 }
1352
1353 static bool nl80211_valid_channel_type(struct genl_info *info,
1354                                        enum nl80211_channel_type *channel_type)
1355 {
1356         enum nl80211_channel_type tmp;
1357
1358         if (!info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE])
1359                 return false;
1360
1361         tmp = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
1362         if (tmp != NL80211_CHAN_NO_HT &&
1363             tmp != NL80211_CHAN_HT20 &&
1364             tmp != NL80211_CHAN_HT40PLUS &&
1365             tmp != NL80211_CHAN_HT40MINUS)
1366                 return false;
1367
1368         if (channel_type)
1369                 *channel_type = tmp;
1370
1371         return true;
1372 }
1373
1374 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
1375                                  struct wireless_dev *wdev,
1376                                  struct genl_info *info)
1377 {
1378         struct ieee80211_channel *channel;
1379         enum nl80211_channel_type channel_type = NL80211_CHAN_NO_HT;
1380         u32 freq;
1381         int result;
1382         enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
1383
1384         if (wdev)
1385                 iftype = wdev->iftype;
1386
1387         if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
1388                 return -EINVAL;
1389
1390         if (!nl80211_can_set_dev_channel(wdev))
1391                 return -EOPNOTSUPP;
1392
1393         if (info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE] &&
1394             !nl80211_valid_channel_type(info, &channel_type))
1395                 return -EINVAL;
1396
1397         freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]);
1398
1399         mutex_lock(&rdev->devlist_mtx);
1400         switch (iftype) {
1401         case NL80211_IFTYPE_AP:
1402         case NL80211_IFTYPE_P2P_GO:
1403                 if (wdev->beacon_interval) {
1404                         result = -EBUSY;
1405                         break;
1406                 }
1407                 channel = rdev_freq_to_chan(rdev, freq, channel_type);
1408                 if (!channel || !cfg80211_can_beacon_sec_chan(&rdev->wiphy,
1409                                                               channel,
1410                                                               channel_type)) {
1411                         result = -EINVAL;
1412                         break;
1413                 }
1414                 wdev->preset_chan = channel;
1415                 wdev->preset_chantype = channel_type;
1416                 result = 0;
1417                 break;
1418         case NL80211_IFTYPE_MESH_POINT:
1419                 result = cfg80211_set_mesh_freq(rdev, wdev, freq, channel_type);
1420                 break;
1421         case NL80211_IFTYPE_MONITOR:
1422                 result = cfg80211_set_monitor_channel(rdev, freq, channel_type);
1423                 break;
1424         default:
1425                 result = -EINVAL;
1426         }
1427         mutex_unlock(&rdev->devlist_mtx);
1428
1429         return result;
1430 }
1431
1432 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
1433 {
1434         struct cfg80211_registered_device *rdev = info->user_ptr[0];
1435         struct net_device *netdev = info->user_ptr[1];
1436
1437         return __nl80211_set_channel(rdev, netdev->ieee80211_ptr, info);
1438 }
1439
1440 static int nl80211_set_wds_peer(struct sk_buff *skb, struct genl_info *info)
1441 {
1442         struct cfg80211_registered_device *rdev = info->user_ptr[0];
1443         struct net_device *dev = info->user_ptr[1];
1444         struct wireless_dev *wdev = dev->ieee80211_ptr;
1445         const u8 *bssid;
1446
1447         if (!info->attrs[NL80211_ATTR_MAC])
1448                 return -EINVAL;
1449
1450         if (netif_running(dev))
1451                 return -EBUSY;
1452
1453         if (!rdev->ops->set_wds_peer)
1454                 return -EOPNOTSUPP;
1455
1456         if (wdev->iftype != NL80211_IFTYPE_WDS)
1457                 return -EOPNOTSUPP;
1458
1459         bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
1460         return rdev->ops->set_wds_peer(wdev->wiphy, dev, bssid);
1461 }
1462
1463
1464 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
1465 {
1466         struct cfg80211_registered_device *rdev;
1467         struct net_device *netdev = NULL;
1468         struct wireless_dev *wdev;
1469         int result = 0, rem_txq_params = 0;
1470         struct nlattr *nl_txq_params;
1471         u32 changed;
1472         u8 retry_short = 0, retry_long = 0;
1473         u32 frag_threshold = 0, rts_threshold = 0;
1474         u8 coverage_class = 0;
1475
1476         /*
1477          * Try to find the wiphy and netdev. Normally this
1478          * function shouldn't need the netdev, but this is
1479          * done for backward compatibility -- previously
1480          * setting the channel was done per wiphy, but now
1481          * it is per netdev. Previous userland like hostapd
1482          * also passed a netdev to set_wiphy, so that it is
1483          * possible to let that go to the right netdev!
1484          */
1485         mutex_lock(&cfg80211_mutex);
1486
1487         if (info->attrs[NL80211_ATTR_IFINDEX]) {
1488                 int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
1489
1490                 netdev = dev_get_by_index(genl_info_net(info), ifindex);
1491                 if (netdev && netdev->ieee80211_ptr) {
1492                         rdev = wiphy_to_dev(netdev->ieee80211_ptr->wiphy);
1493                         mutex_lock(&rdev->mtx);
1494                 } else
1495                         netdev = NULL;
1496         }
1497
1498         if (!netdev) {
1499                 rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
1500                                                   info->attrs);
1501                 if (IS_ERR(rdev)) {
1502                         mutex_unlock(&cfg80211_mutex);
1503                         return PTR_ERR(rdev);
1504                 }
1505                 wdev = NULL;
1506                 netdev = NULL;
1507                 result = 0;
1508
1509                 mutex_lock(&rdev->mtx);
1510         } else if (nl80211_can_set_dev_channel(netdev->ieee80211_ptr))
1511                 wdev = netdev->ieee80211_ptr;
1512         else
1513                 wdev = NULL;
1514
1515         /*
1516          * end workaround code, by now the rdev is available
1517          * and locked, and wdev may or may not be NULL.
1518          */
1519
1520         if (info->attrs[NL80211_ATTR_WIPHY_NAME])
1521                 result = cfg80211_dev_rename(
1522                         rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
1523
1524         mutex_unlock(&cfg80211_mutex);
1525
1526         if (result)
1527                 goto bad_res;
1528
1529         if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
1530                 struct ieee80211_txq_params txq_params;
1531                 struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
1532
1533                 if (!rdev->ops->set_txq_params) {
1534                         result = -EOPNOTSUPP;
1535                         goto bad_res;
1536                 }
1537
1538                 if (!netdev) {
1539                         result = -EINVAL;
1540                         goto bad_res;
1541                 }
1542
1543                 if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
1544                     netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
1545                         result = -EINVAL;
1546                         goto bad_res;
1547                 }
1548
1549                 if (!netif_running(netdev)) {
1550                         result = -ENETDOWN;
1551                         goto bad_res;
1552                 }
1553
1554                 nla_for_each_nested(nl_txq_params,
1555                                     info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
1556                                     rem_txq_params) {
1557                         nla_parse(tb, NL80211_TXQ_ATTR_MAX,
1558                                   nla_data(nl_txq_params),
1559                                   nla_len(nl_txq_params),
1560                                   txq_params_policy);
1561                         result = parse_txq_params(tb, &txq_params);
1562                         if (result)
1563                                 goto bad_res;
1564
1565                         result = rdev->ops->set_txq_params(&rdev->wiphy,
1566                                                            netdev,
1567                                                            &txq_params);
1568                         if (result)
1569                                 goto bad_res;
1570                 }
1571         }
1572
1573         if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
1574                 result = __nl80211_set_channel(rdev, wdev, info);
1575                 if (result)
1576                         goto bad_res;
1577         }
1578
1579         if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
1580                 enum nl80211_tx_power_setting type;
1581                 int idx, mbm = 0;
1582
1583                 if (!rdev->ops->set_tx_power) {
1584                         result = -EOPNOTSUPP;
1585                         goto bad_res;
1586                 }
1587
1588                 idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
1589                 type = nla_get_u32(info->attrs[idx]);
1590
1591                 if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
1592                     (type != NL80211_TX_POWER_AUTOMATIC)) {
1593                         result = -EINVAL;
1594                         goto bad_res;
1595                 }
1596
1597                 if (type != NL80211_TX_POWER_AUTOMATIC) {
1598                         idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
1599                         mbm = nla_get_u32(info->attrs[idx]);
1600                 }
1601
1602                 result = rdev->ops->set_tx_power(&rdev->wiphy, type, mbm);
1603                 if (result)
1604                         goto bad_res;
1605         }
1606
1607         if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
1608             info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
1609                 u32 tx_ant, rx_ant;
1610                 if ((!rdev->wiphy.available_antennas_tx &&
1611                      !rdev->wiphy.available_antennas_rx) ||
1612                     !rdev->ops->set_antenna) {
1613                         result = -EOPNOTSUPP;
1614                         goto bad_res;
1615                 }
1616
1617                 tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
1618                 rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
1619
1620                 /* reject antenna configurations which don't match the
1621                  * available antenna masks, except for the "all" mask */
1622                 if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
1623                     (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx))) {
1624                         result = -EINVAL;
1625                         goto bad_res;
1626                 }
1627
1628                 tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
1629                 rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
1630
1631                 result = rdev->ops->set_antenna(&rdev->wiphy, tx_ant, rx_ant);
1632                 if (result)
1633                         goto bad_res;
1634         }
1635
1636         changed = 0;
1637
1638         if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
1639                 retry_short = nla_get_u8(
1640                         info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
1641                 if (retry_short == 0) {
1642                         result = -EINVAL;
1643                         goto bad_res;
1644                 }
1645                 changed |= WIPHY_PARAM_RETRY_SHORT;
1646         }
1647
1648         if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
1649                 retry_long = nla_get_u8(
1650                         info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
1651                 if (retry_long == 0) {
1652                         result = -EINVAL;
1653                         goto bad_res;
1654                 }
1655                 changed |= WIPHY_PARAM_RETRY_LONG;
1656         }
1657
1658         if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
1659                 frag_threshold = nla_get_u32(
1660                         info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
1661                 if (frag_threshold < 256) {
1662                         result = -EINVAL;
1663                         goto bad_res;
1664                 }
1665                 if (frag_threshold != (u32) -1) {
1666                         /*
1667                          * Fragments (apart from the last one) are required to
1668                          * have even length. Make the fragmentation code
1669                          * simpler by stripping LSB should someone try to use
1670                          * odd threshold value.
1671                          */
1672                         frag_threshold &= ~0x1;
1673                 }
1674                 changed |= WIPHY_PARAM_FRAG_THRESHOLD;
1675         }
1676
1677         if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
1678                 rts_threshold = nla_get_u32(
1679                         info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
1680                 changed |= WIPHY_PARAM_RTS_THRESHOLD;
1681         }
1682
1683         if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
1684                 coverage_class = nla_get_u8(
1685                         info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
1686                 changed |= WIPHY_PARAM_COVERAGE_CLASS;
1687         }
1688
1689         if (changed) {
1690                 u8 old_retry_short, old_retry_long;
1691                 u32 old_frag_threshold, old_rts_threshold;
1692                 u8 old_coverage_class;
1693
1694                 if (!rdev->ops->set_wiphy_params) {
1695                         result = -EOPNOTSUPP;
1696                         goto bad_res;
1697                 }
1698
1699                 old_retry_short = rdev->wiphy.retry_short;
1700                 old_retry_long = rdev->wiphy.retry_long;
1701                 old_frag_threshold = rdev->wiphy.frag_threshold;
1702                 old_rts_threshold = rdev->wiphy.rts_threshold;
1703                 old_coverage_class = rdev->wiphy.coverage_class;
1704
1705                 if (changed & WIPHY_PARAM_RETRY_SHORT)
1706                         rdev->wiphy.retry_short = retry_short;
1707                 if (changed & WIPHY_PARAM_RETRY_LONG)
1708                         rdev->wiphy.retry_long = retry_long;
1709                 if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
1710                         rdev->wiphy.frag_threshold = frag_threshold;
1711                 if (changed & WIPHY_PARAM_RTS_THRESHOLD)
1712                         rdev->wiphy.rts_threshold = rts_threshold;
1713                 if (changed & WIPHY_PARAM_COVERAGE_CLASS)
1714                         rdev->wiphy.coverage_class = coverage_class;
1715
1716                 result = rdev->ops->set_wiphy_params(&rdev->wiphy, changed);
1717                 if (result) {
1718                         rdev->wiphy.retry_short = old_retry_short;
1719                         rdev->wiphy.retry_long = old_retry_long;
1720                         rdev->wiphy.frag_threshold = old_frag_threshold;
1721                         rdev->wiphy.rts_threshold = old_rts_threshold;
1722                         rdev->wiphy.coverage_class = old_coverage_class;
1723                 }
1724         }
1725
1726  bad_res:
1727         mutex_unlock(&rdev->mtx);
1728         if (netdev)
1729                 dev_put(netdev);
1730         return result;
1731 }
1732
1733 static inline u64 wdev_id(struct wireless_dev *wdev)
1734 {
1735         return (u64)wdev->identifier |
1736                ((u64)wiphy_to_dev(wdev->wiphy)->wiphy_idx << 32);
1737 }
1738
1739 static int nl80211_send_iface(struct sk_buff *msg, u32 pid, u32 seq, int flags,
1740                               struct cfg80211_registered_device *rdev,
1741                               struct wireless_dev *wdev)
1742 {
1743         struct net_device *dev = wdev->netdev;
1744         void *hdr;
1745
1746         hdr = nl80211hdr_put(msg, pid, seq, flags, NL80211_CMD_NEW_INTERFACE);
1747         if (!hdr)
1748                 return -1;
1749
1750         if (dev &&
1751             (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
1752              nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
1753                 goto nla_put_failure;
1754
1755         if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
1756             nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
1757             nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)) ||
1758             nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
1759             nla_put_u32(msg, NL80211_ATTR_GENERATION,
1760                         rdev->devlist_generation ^
1761                         (cfg80211_rdev_list_generation << 2)))
1762                 goto nla_put_failure;
1763
1764         if (rdev->ops->get_channel) {
1765                 struct ieee80211_channel *chan;
1766                 enum nl80211_channel_type channel_type;
1767
1768                 chan = rdev->ops->get_channel(&rdev->wiphy, wdev,
1769                                               &channel_type);
1770                 if (chan &&
1771                     (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
1772                                  chan->center_freq) ||
1773                      nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
1774                                  channel_type)))
1775                         goto nla_put_failure;
1776         }
1777
1778         return genlmsg_end(msg, hdr);
1779
1780  nla_put_failure:
1781         genlmsg_cancel(msg, hdr);
1782         return -EMSGSIZE;
1783 }
1784
1785 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
1786 {
1787         int wp_idx = 0;
1788         int if_idx = 0;
1789         int wp_start = cb->args[0];
1790         int if_start = cb->args[1];
1791         struct cfg80211_registered_device *rdev;
1792         struct wireless_dev *wdev;
1793
1794         mutex_lock(&cfg80211_mutex);
1795         list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
1796                 if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
1797                         continue;
1798                 if (wp_idx < wp_start) {
1799                         wp_idx++;
1800                         continue;
1801                 }
1802                 if_idx = 0;
1803
1804                 mutex_lock(&rdev->devlist_mtx);
1805                 list_for_each_entry(wdev, &rdev->wdev_list, list) {
1806                         if (if_idx < if_start) {
1807                                 if_idx++;
1808                                 continue;
1809                         }
1810                         if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).pid,
1811                                                cb->nlh->nlmsg_seq, NLM_F_MULTI,
1812                                                rdev, wdev) < 0) {
1813                                 mutex_unlock(&rdev->devlist_mtx);
1814                                 goto out;
1815                         }
1816                         if_idx++;
1817                 }
1818                 mutex_unlock(&rdev->devlist_mtx);
1819
1820                 wp_idx++;
1821         }
1822  out:
1823         mutex_unlock(&cfg80211_mutex);
1824
1825         cb->args[0] = wp_idx;
1826         cb->args[1] = if_idx;
1827
1828         return skb->len;
1829 }
1830
1831 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
1832 {
1833         struct sk_buff *msg;
1834         struct cfg80211_registered_device *dev = info->user_ptr[0];
1835         struct wireless_dev *wdev = info->user_ptr[1];
1836
1837         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1838         if (!msg)
1839                 return -ENOMEM;
1840
1841         if (nl80211_send_iface(msg, info->snd_pid, info->snd_seq, 0,
1842                                dev, wdev) < 0) {
1843                 nlmsg_free(msg);
1844                 return -ENOBUFS;
1845         }
1846
1847         return genlmsg_reply(msg, info);
1848 }
1849
1850 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
1851         [NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
1852         [NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
1853         [NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
1854         [NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
1855         [NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
1856 };
1857
1858 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
1859 {
1860         struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
1861         int flag;
1862
1863         *mntrflags = 0;
1864
1865         if (!nla)
1866                 return -EINVAL;
1867
1868         if (nla_parse_nested(flags, NL80211_MNTR_FLAG_MAX,
1869                              nla, mntr_flags_policy))
1870                 return -EINVAL;
1871
1872         for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
1873                 if (flags[flag])
1874                         *mntrflags |= (1<<flag);
1875
1876         return 0;
1877 }
1878
1879 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
1880                                struct net_device *netdev, u8 use_4addr,
1881                                enum nl80211_iftype iftype)
1882 {
1883         if (!use_4addr) {
1884                 if (netdev && (netdev->priv_flags & IFF_BRIDGE_PORT))
1885                         return -EBUSY;
1886                 return 0;
1887         }
1888
1889         switch (iftype) {
1890         case NL80211_IFTYPE_AP_VLAN:
1891                 if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
1892                         return 0;
1893                 break;
1894         case NL80211_IFTYPE_STATION:
1895                 if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
1896                         return 0;
1897                 break;
1898         default:
1899                 break;
1900         }
1901
1902         return -EOPNOTSUPP;
1903 }
1904
1905 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
1906 {
1907         struct cfg80211_registered_device *rdev = info->user_ptr[0];
1908         struct vif_params params;
1909         int err;
1910         enum nl80211_iftype otype, ntype;
1911         struct net_device *dev = info->user_ptr[1];
1912         u32 _flags, *flags = NULL;
1913         bool change = false;
1914
1915         memset(&params, 0, sizeof(params));
1916
1917         otype = ntype = dev->ieee80211_ptr->iftype;
1918
1919         if (info->attrs[NL80211_ATTR_IFTYPE]) {
1920                 ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
1921                 if (otype != ntype)
1922                         change = true;
1923                 if (ntype > NL80211_IFTYPE_MAX)
1924                         return -EINVAL;
1925         }
1926
1927         if (info->attrs[NL80211_ATTR_MESH_ID]) {
1928                 struct wireless_dev *wdev = dev->ieee80211_ptr;
1929
1930                 if (ntype != NL80211_IFTYPE_MESH_POINT)
1931                         return -EINVAL;
1932                 if (netif_running(dev))
1933                         return -EBUSY;
1934
1935                 wdev_lock(wdev);
1936                 BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
1937                              IEEE80211_MAX_MESH_ID_LEN);
1938                 wdev->mesh_id_up_len =
1939                         nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
1940                 memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
1941                        wdev->mesh_id_up_len);
1942                 wdev_unlock(wdev);
1943         }
1944
1945         if (info->attrs[NL80211_ATTR_4ADDR]) {
1946                 params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
1947                 change = true;
1948                 err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
1949                 if (err)
1950                         return err;
1951         } else {
1952                 params.use_4addr = -1;
1953         }
1954
1955         if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
1956                 if (ntype != NL80211_IFTYPE_MONITOR)
1957                         return -EINVAL;
1958                 err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
1959                                           &_flags);
1960                 if (err)
1961                         return err;
1962
1963                 flags = &_flags;
1964                 change = true;
1965         }
1966
1967         if (change)
1968                 err = cfg80211_change_iface(rdev, dev, ntype, flags, &params);
1969         else
1970                 err = 0;
1971
1972         if (!err && params.use_4addr != -1)
1973                 dev->ieee80211_ptr->use_4addr = params.use_4addr;
1974
1975         return err;
1976 }
1977
1978 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
1979 {
1980         struct cfg80211_registered_device *rdev = info->user_ptr[0];
1981         struct vif_params params;
1982         struct wireless_dev *wdev;
1983         struct sk_buff *msg;
1984         int err;
1985         enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
1986         u32 flags;
1987
1988         memset(&params, 0, sizeof(params));
1989
1990         if (!info->attrs[NL80211_ATTR_IFNAME])
1991                 return -EINVAL;
1992
1993         if (info->attrs[NL80211_ATTR_IFTYPE]) {
1994                 type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
1995                 if (type > NL80211_IFTYPE_MAX)
1996                         return -EINVAL;
1997         }
1998
1999         if (!rdev->ops->add_virtual_intf ||
2000             !(rdev->wiphy.interface_modes & (1 << type)))
2001                 return -EOPNOTSUPP;
2002
2003         if (info->attrs[NL80211_ATTR_4ADDR]) {
2004                 params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
2005                 err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
2006                 if (err)
2007                         return err;
2008         }
2009
2010         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2011         if (!msg)
2012                 return -ENOMEM;
2013
2014         err = parse_monitor_flags(type == NL80211_IFTYPE_MONITOR ?
2015                                   info->attrs[NL80211_ATTR_MNTR_FLAGS] : NULL,
2016                                   &flags);
2017         wdev = rdev->ops->add_virtual_intf(&rdev->wiphy,
2018                 nla_data(info->attrs[NL80211_ATTR_IFNAME]),
2019                 type, err ? NULL : &flags, &params);
2020         if (IS_ERR(wdev)) {
2021                 nlmsg_free(msg);
2022                 return PTR_ERR(wdev);
2023         }
2024
2025         switch (type) {
2026         case NL80211_IFTYPE_MESH_POINT:
2027                 if (!info->attrs[NL80211_ATTR_MESH_ID])
2028                         break;
2029                 wdev_lock(wdev);
2030                 BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
2031                              IEEE80211_MAX_MESH_ID_LEN);
2032                 wdev->mesh_id_up_len =
2033                         nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
2034                 memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
2035                        wdev->mesh_id_up_len);
2036                 wdev_unlock(wdev);
2037                 break;
2038         case NL80211_IFTYPE_P2P_DEVICE:
2039                 /*
2040                  * P2P Device doesn't have a netdev, so doesn't go
2041                  * through the netdev notifier and must be added here
2042                  */
2043                 mutex_init(&wdev->mtx);
2044                 INIT_LIST_HEAD(&wdev->event_list);
2045                 spin_lock_init(&wdev->event_lock);
2046                 INIT_LIST_HEAD(&wdev->mgmt_registrations);
2047                 spin_lock_init(&wdev->mgmt_registrations_lock);
2048
2049                 mutex_lock(&rdev->devlist_mtx);
2050                 wdev->identifier = ++rdev->wdev_id;
2051                 list_add_rcu(&wdev->list, &rdev->wdev_list);
2052                 rdev->devlist_generation++;
2053                 mutex_unlock(&rdev->devlist_mtx);
2054                 break;
2055         default:
2056                 break;
2057         }
2058
2059         if (nl80211_send_iface(msg, info->snd_pid, info->snd_seq, 0,
2060                                rdev, wdev) < 0) {
2061                 nlmsg_free(msg);
2062                 return -ENOBUFS;
2063         }
2064
2065         return genlmsg_reply(msg, info);
2066 }
2067
2068 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
2069 {
2070         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2071         struct wireless_dev *wdev = info->user_ptr[1];
2072
2073         if (!rdev->ops->del_virtual_intf)
2074                 return -EOPNOTSUPP;
2075
2076         /*
2077          * If we remove a wireless device without a netdev then clear
2078          * user_ptr[1] so that nl80211_post_doit won't dereference it
2079          * to check if it needs to do dev_put(). Otherwise it crashes
2080          * since the wdev has been freed, unlike with a netdev where
2081          * we need the dev_put() for the netdev to really be freed.
2082          */
2083         if (!wdev->netdev)
2084                 info->user_ptr[1] = NULL;
2085
2086         return rdev->ops->del_virtual_intf(&rdev->wiphy, wdev);
2087 }
2088
2089 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
2090 {
2091         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2092         struct net_device *dev = info->user_ptr[1];
2093         u16 noack_map;
2094
2095         if (!info->attrs[NL80211_ATTR_NOACK_MAP])
2096                 return -EINVAL;
2097
2098         if (!rdev->ops->set_noack_map)
2099                 return -EOPNOTSUPP;
2100
2101         noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
2102
2103         return rdev->ops->set_noack_map(&rdev->wiphy, dev, noack_map);
2104 }
2105
2106 struct get_key_cookie {
2107         struct sk_buff *msg;
2108         int error;
2109         int idx;
2110 };
2111
2112 static void get_key_callback(void *c, struct key_params *params)
2113 {
2114         struct nlattr *key;
2115         struct get_key_cookie *cookie = c;
2116
2117         if ((params->key &&
2118              nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
2119                      params->key_len, params->key)) ||
2120             (params->seq &&
2121              nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
2122                      params->seq_len, params->seq)) ||
2123             (params->cipher &&
2124              nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
2125                          params->cipher)))
2126                 goto nla_put_failure;
2127
2128         key = nla_nest_start(cookie->msg, NL80211_ATTR_KEY);
2129         if (!key)
2130                 goto nla_put_failure;
2131
2132         if ((params->key &&
2133              nla_put(cookie->msg, NL80211_KEY_DATA,
2134                      params->key_len, params->key)) ||
2135             (params->seq &&
2136              nla_put(cookie->msg, NL80211_KEY_SEQ,
2137                      params->seq_len, params->seq)) ||
2138             (params->cipher &&
2139              nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
2140                          params->cipher)))
2141                 goto nla_put_failure;
2142
2143         if (nla_put_u8(cookie->msg, NL80211_ATTR_KEY_IDX, cookie->idx))
2144                 goto nla_put_failure;
2145
2146         nla_nest_end(cookie->msg, key);
2147
2148         return;
2149  nla_put_failure:
2150         cookie->error = 1;
2151 }
2152
2153 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
2154 {
2155         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2156         int err;
2157         struct net_device *dev = info->user_ptr[1];
2158         u8 key_idx = 0;
2159         const u8 *mac_addr = NULL;
2160         bool pairwise;
2161         struct get_key_cookie cookie = {
2162                 .error = 0,
2163         };
2164         void *hdr;
2165         struct sk_buff *msg;
2166
2167         if (info->attrs[NL80211_ATTR_KEY_IDX])
2168                 key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
2169
2170         if (key_idx > 5)
2171                 return -EINVAL;
2172
2173         if (info->attrs[NL80211_ATTR_MAC])
2174                 mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
2175
2176         pairwise = !!mac_addr;
2177         if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
2178                 u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
2179                 if (kt >= NUM_NL80211_KEYTYPES)
2180                         return -EINVAL;
2181                 if (kt != NL80211_KEYTYPE_GROUP &&
2182                     kt != NL80211_KEYTYPE_PAIRWISE)
2183                         return -EINVAL;
2184                 pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
2185         }
2186
2187         if (!rdev->ops->get_key)
2188                 return -EOPNOTSUPP;
2189
2190         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2191         if (!msg)
2192                 return -ENOMEM;
2193
2194         hdr = nl80211hdr_put(msg, info->snd_pid, info->snd_seq, 0,
2195                              NL80211_CMD_NEW_KEY);
2196         if (IS_ERR(hdr))
2197                 return PTR_ERR(hdr);
2198
2199         cookie.msg = msg;
2200         cookie.idx = key_idx;
2201
2202         if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
2203             nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
2204                 goto nla_put_failure;
2205         if (mac_addr &&
2206             nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
2207                 goto nla_put_failure;
2208
2209         if (pairwise && mac_addr &&
2210             !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
2211                 return -ENOENT;
2212
2213         err = rdev->ops->get_key(&rdev->wiphy, dev, key_idx, pairwise,
2214                                  mac_addr, &cookie, get_key_callback);
2215
2216         if (err)
2217                 goto free_msg;
2218
2219         if (cookie.error)
2220                 goto nla_put_failure;
2221
2222         genlmsg_end(msg, hdr);
2223         return genlmsg_reply(msg, info);
2224
2225  nla_put_failure:
2226         err = -ENOBUFS;
2227  free_msg:
2228         nlmsg_free(msg);
2229         return err;
2230 }
2231
2232 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
2233 {
2234         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2235         struct key_parse key;
2236         int err;
2237         struct net_device *dev = info->user_ptr[1];
2238
2239         err = nl80211_parse_key(info, &key);
2240         if (err)
2241                 return err;
2242
2243         if (key.idx < 0)
2244                 return -EINVAL;
2245
2246         /* only support setting default key */
2247         if (!key.def && !key.defmgmt)
2248                 return -EINVAL;
2249
2250         wdev_lock(dev->ieee80211_ptr);
2251
2252         if (key.def) {
2253                 if (!rdev->ops->set_default_key) {
2254                         err = -EOPNOTSUPP;
2255                         goto out;
2256                 }
2257
2258                 err = nl80211_key_allowed(dev->ieee80211_ptr);
2259                 if (err)
2260                         goto out;
2261
2262                 err = rdev->ops->set_default_key(&rdev->wiphy, dev, key.idx,
2263                                                  key.def_uni, key.def_multi);
2264
2265                 if (err)
2266                         goto out;
2267
2268 #ifdef CONFIG_CFG80211_WEXT
2269                 dev->ieee80211_ptr->wext.default_key = key.idx;
2270 #endif
2271         } else {
2272                 if (key.def_uni || !key.def_multi) {
2273                         err = -EINVAL;
2274                         goto out;
2275                 }
2276
2277                 if (!rdev->ops->set_default_mgmt_key) {
2278                         err = -EOPNOTSUPP;
2279                         goto out;
2280                 }
2281
2282                 err = nl80211_key_allowed(dev->ieee80211_ptr);
2283                 if (err)
2284                         goto out;
2285
2286                 err = rdev->ops->set_default_mgmt_key(&rdev->wiphy,
2287                                                       dev, key.idx);
2288                 if (err)
2289                         goto out;
2290
2291 #ifdef CONFIG_CFG80211_WEXT
2292                 dev->ieee80211_ptr->wext.default_mgmt_key = key.idx;
2293 #endif
2294         }
2295
2296  out:
2297         wdev_unlock(dev->ieee80211_ptr);
2298
2299         return err;
2300 }
2301
2302 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
2303 {
2304         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2305         int err;
2306         struct net_device *dev = info->user_ptr[1];
2307         struct key_parse key;
2308         const u8 *mac_addr = NULL;
2309
2310         err = nl80211_parse_key(info, &key);
2311         if (err)
2312                 return err;
2313
2314         if (!key.p.key)
2315                 return -EINVAL;
2316
2317         if (info->attrs[NL80211_ATTR_MAC])
2318                 mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
2319
2320         if (key.type == -1) {
2321                 if (mac_addr)
2322                         key.type = NL80211_KEYTYPE_PAIRWISE;
2323                 else
2324                         key.type = NL80211_KEYTYPE_GROUP;
2325         }
2326
2327         /* for now */
2328         if (key.type != NL80211_KEYTYPE_PAIRWISE &&
2329             key.type != NL80211_KEYTYPE_GROUP)
2330                 return -EINVAL;
2331
2332         if (!rdev->ops->add_key)
2333                 return -EOPNOTSUPP;
2334
2335         if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
2336                                            key.type == NL80211_KEYTYPE_PAIRWISE,
2337                                            mac_addr))
2338                 return -EINVAL;
2339
2340         wdev_lock(dev->ieee80211_ptr);
2341         err = nl80211_key_allowed(dev->ieee80211_ptr);
2342         if (!err)
2343                 err = rdev->ops->add_key(&rdev->wiphy, dev, key.idx,
2344                                          key.type == NL80211_KEYTYPE_PAIRWISE,
2345                                          mac_addr, &key.p);
2346         wdev_unlock(dev->ieee80211_ptr);
2347
2348         return err;
2349 }
2350
2351 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
2352 {
2353         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2354         int err;
2355         struct net_device *dev = info->user_ptr[1];
2356         u8 *mac_addr = NULL;
2357         struct key_parse key;
2358
2359         err = nl80211_parse_key(info, &key);
2360         if (err)
2361                 return err;
2362
2363         if (info->attrs[NL80211_ATTR_MAC])
2364                 mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
2365
2366         if (key.type == -1) {
2367                 if (mac_addr)
2368                         key.type = NL80211_KEYTYPE_PAIRWISE;
2369                 else
2370                         key.type = NL80211_KEYTYPE_GROUP;
2371         }
2372
2373         /* for now */
2374         if (key.type != NL80211_KEYTYPE_PAIRWISE &&
2375             key.type != NL80211_KEYTYPE_GROUP)
2376                 return -EINVAL;
2377
2378         if (!rdev->ops->del_key)
2379                 return -EOPNOTSUPP;
2380
2381         wdev_lock(dev->ieee80211_ptr);
2382         err = nl80211_key_allowed(dev->ieee80211_ptr);
2383
2384         if (key.type == NL80211_KEYTYPE_PAIRWISE && mac_addr &&
2385             !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
2386                 err = -ENOENT;
2387
2388         if (!err)
2389                 err = rdev->ops->del_key(&rdev->wiphy, dev, key.idx,
2390                                          key.type == NL80211_KEYTYPE_PAIRWISE,
2391                                          mac_addr);
2392
2393 #ifdef CONFIG_CFG80211_WEXT
2394         if (!err) {
2395                 if (key.idx == dev->ieee80211_ptr->wext.default_key)
2396                         dev->ieee80211_ptr->wext.default_key = -1;
2397                 else if (key.idx == dev->ieee80211_ptr->wext.default_mgmt_key)
2398                         dev->ieee80211_ptr->wext.default_mgmt_key = -1;
2399         }
2400 #endif
2401         wdev_unlock(dev->ieee80211_ptr);
2402
2403         return err;
2404 }
2405
2406 static int nl80211_parse_beacon(struct genl_info *info,
2407                                 struct cfg80211_beacon_data *bcn)
2408 {
2409         bool haveinfo = false;
2410
2411         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_BEACON_TAIL]) ||
2412             !is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]) ||
2413             !is_valid_ie_attr(info->attrs[NL80211_ATTR_IE_PROBE_RESP]) ||
2414             !is_valid_ie_attr(info->attrs[NL80211_ATTR_IE_ASSOC_RESP]))
2415                 return -EINVAL;
2416
2417         memset(bcn, 0, sizeof(*bcn));
2418
2419         if (info->attrs[NL80211_ATTR_BEACON_HEAD]) {
2420                 bcn->head = nla_data(info->attrs[NL80211_ATTR_BEACON_HEAD]);
2421                 bcn->head_len = nla_len(info->attrs[NL80211_ATTR_BEACON_HEAD]);
2422                 if (!bcn->head_len)
2423                         return -EINVAL;
2424                 haveinfo = true;
2425         }
2426
2427         if (info->attrs[NL80211_ATTR_BEACON_TAIL]) {
2428                 bcn->tail = nla_data(info->attrs[NL80211_ATTR_BEACON_TAIL]);
2429                 bcn->tail_len =
2430                     nla_len(info->attrs[NL80211_ATTR_BEACON_TAIL]);
2431                 haveinfo = true;
2432         }
2433
2434         if (!haveinfo)
2435                 return -EINVAL;
2436
2437         if (info->attrs[NL80211_ATTR_IE]) {
2438                 bcn->beacon_ies = nla_data(info->attrs[NL80211_ATTR_IE]);
2439                 bcn->beacon_ies_len = nla_len(info->attrs[NL80211_ATTR_IE]);
2440         }
2441
2442         if (info->attrs[NL80211_ATTR_IE_PROBE_RESP]) {
2443                 bcn->proberesp_ies =
2444                         nla_data(info->attrs[NL80211_ATTR_IE_PROBE_RESP]);
2445                 bcn->proberesp_ies_len =
2446                         nla_len(info->attrs[NL80211_ATTR_IE_PROBE_RESP]);
2447         }
2448
2449         if (info->attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
2450                 bcn->assocresp_ies =
2451                         nla_data(info->attrs[NL80211_ATTR_IE_ASSOC_RESP]);
2452                 bcn->assocresp_ies_len =
2453                         nla_len(info->attrs[NL80211_ATTR_IE_ASSOC_RESP]);
2454         }
2455
2456         if (info->attrs[NL80211_ATTR_PROBE_RESP]) {
2457                 bcn->probe_resp =
2458                         nla_data(info->attrs[NL80211_ATTR_PROBE_RESP]);
2459                 bcn->probe_resp_len =
2460                         nla_len(info->attrs[NL80211_ATTR_PROBE_RESP]);
2461         }
2462
2463         return 0;
2464 }
2465
2466 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
2467                                    struct cfg80211_ap_settings *params)
2468 {
2469         struct wireless_dev *wdev;
2470         bool ret = false;
2471
2472         mutex_lock(&rdev->devlist_mtx);
2473
2474         list_for_each_entry(wdev, &rdev->wdev_list, list) {
2475                 if (wdev->iftype != NL80211_IFTYPE_AP &&
2476                     wdev->iftype != NL80211_IFTYPE_P2P_GO)
2477                         continue;
2478
2479                 if (!wdev->preset_chan)
2480                         continue;
2481
2482                 params->channel = wdev->preset_chan;
2483                 params->channel_type = wdev->preset_chantype;
2484                 ret = true;
2485                 break;
2486         }
2487
2488         mutex_unlock(&rdev->devlist_mtx);
2489
2490         return ret;
2491 }
2492
2493 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
2494 {
2495         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2496         struct net_device *dev = info->user_ptr[1];
2497         struct wireless_dev *wdev = dev->ieee80211_ptr;
2498         struct cfg80211_ap_settings params;
2499         int err;
2500
2501         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
2502             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
2503                 return -EOPNOTSUPP;
2504
2505         if (!rdev->ops->start_ap)
2506                 return -EOPNOTSUPP;
2507
2508         if (wdev->beacon_interval)
2509                 return -EALREADY;
2510
2511         memset(&params, 0, sizeof(params));
2512
2513         /* these are required for START_AP */
2514         if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
2515             !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
2516             !info->attrs[NL80211_ATTR_BEACON_HEAD])
2517                 return -EINVAL;
2518
2519         err = nl80211_parse_beacon(info, &params.beacon);
2520         if (err)
2521                 return err;
2522
2523         params.beacon_interval =
2524                 nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
2525         params.dtim_period =
2526                 nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
2527
2528         err = cfg80211_validate_beacon_int(rdev, params.beacon_interval);
2529         if (err)
2530                 return err;
2531
2532         /*
2533          * In theory, some of these attributes should be required here
2534          * but since they were not used when the command was originally
2535          * added, keep them optional for old user space programs to let
2536          * them continue to work with drivers that do not need the
2537          * additional information -- drivers must check!
2538          */
2539         if (info->attrs[NL80211_ATTR_SSID]) {
2540                 params.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
2541                 params.ssid_len =
2542                         nla_len(info->attrs[NL80211_ATTR_SSID]);
2543                 if (params.ssid_len == 0 ||
2544                     params.ssid_len > IEEE80211_MAX_SSID_LEN)
2545                         return -EINVAL;
2546         }
2547
2548         if (info->attrs[NL80211_ATTR_HIDDEN_SSID]) {
2549                 params.hidden_ssid = nla_get_u32(
2550                         info->attrs[NL80211_ATTR_HIDDEN_SSID]);
2551                 if (params.hidden_ssid != NL80211_HIDDEN_SSID_NOT_IN_USE &&
2552                     params.hidden_ssid != NL80211_HIDDEN_SSID_ZERO_LEN &&
2553                     params.hidden_ssid != NL80211_HIDDEN_SSID_ZERO_CONTENTS)
2554                         return -EINVAL;
2555         }
2556
2557         params.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
2558
2559         if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
2560                 params.auth_type = nla_get_u32(
2561                         info->attrs[NL80211_ATTR_AUTH_TYPE]);
2562                 if (!nl80211_valid_auth_type(params.auth_type))
2563                         return -EINVAL;
2564         } else
2565                 params.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
2566
2567         err = nl80211_crypto_settings(rdev, info, &params.crypto,
2568                                       NL80211_MAX_NR_CIPHER_SUITES);
2569         if (err)
2570                 return err;
2571
2572         if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
2573                 if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER))
2574                         return -EOPNOTSUPP;
2575                 params.inactivity_timeout = nla_get_u16(
2576                         info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
2577         }
2578
2579         if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
2580                 enum nl80211_channel_type channel_type = NL80211_CHAN_NO_HT;
2581
2582                 if (info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE] &&
2583                     !nl80211_valid_channel_type(info, &channel_type))
2584                         return -EINVAL;
2585
2586                 params.channel = rdev_freq_to_chan(rdev,
2587                         nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]),
2588                         channel_type);
2589                 if (!params.channel)
2590                         return -EINVAL;
2591                 params.channel_type = channel_type;
2592         } else if (wdev->preset_chan) {
2593                 params.channel = wdev->preset_chan;
2594                 params.channel_type = wdev->preset_chantype;
2595         } else if (!nl80211_get_ap_channel(rdev, &params))
2596                 return -EINVAL;
2597
2598         if (!cfg80211_can_beacon_sec_chan(&rdev->wiphy, params.channel,
2599                                           params.channel_type))
2600                 return -EINVAL;
2601
2602         mutex_lock(&rdev->devlist_mtx);
2603         err = cfg80211_can_use_chan(rdev, wdev, params.channel,
2604                                     CHAN_MODE_SHARED);
2605         mutex_unlock(&rdev->devlist_mtx);
2606
2607         if (err)
2608                 return err;
2609
2610         err = rdev->ops->start_ap(&rdev->wiphy, dev, &params);
2611         if (!err) {
2612                 wdev->preset_chan = params.channel;
2613                 wdev->preset_chantype = params.channel_type;
2614                 wdev->beacon_interval = params.beacon_interval;
2615                 wdev->channel = params.channel;
2616         }
2617         return err;
2618 }
2619
2620 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
2621 {
2622         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2623         struct net_device *dev = info->user_ptr[1];
2624         struct wireless_dev *wdev = dev->ieee80211_ptr;
2625         struct cfg80211_beacon_data params;
2626         int err;
2627
2628         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
2629             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
2630                 return -EOPNOTSUPP;
2631
2632         if (!rdev->ops->change_beacon)
2633                 return -EOPNOTSUPP;
2634
2635         if (!wdev->beacon_interval)
2636                 return -EINVAL;
2637
2638         err = nl80211_parse_beacon(info, &params);
2639         if (err)
2640                 return err;
2641
2642         return rdev->ops->change_beacon(&rdev->wiphy, dev, &params);
2643 }
2644
2645 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
2646 {
2647         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2648         struct net_device *dev = info->user_ptr[1];
2649
2650         return cfg80211_stop_ap(rdev, dev);
2651 }
2652
2653 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
2654         [NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
2655         [NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
2656         [NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
2657         [NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
2658         [NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
2659         [NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
2660 };
2661
2662 static int parse_station_flags(struct genl_info *info,
2663                                enum nl80211_iftype iftype,
2664                                struct station_parameters *params)
2665 {
2666         struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
2667         struct nlattr *nla;
2668         int flag;
2669
2670         /*
2671          * Try parsing the new attribute first so userspace
2672          * can specify both for older kernels.
2673          */
2674         nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
2675         if (nla) {
2676                 struct nl80211_sta_flag_update *sta_flags;
2677
2678                 sta_flags = nla_data(nla);
2679                 params->sta_flags_mask = sta_flags->mask;
2680                 params->sta_flags_set = sta_flags->set;
2681                 if ((params->sta_flags_mask |
2682                      params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
2683                         return -EINVAL;
2684                 return 0;
2685         }
2686
2687         /* if present, parse the old attribute */
2688
2689         nla = info->attrs[NL80211_ATTR_STA_FLAGS];
2690         if (!nla)
2691                 return 0;
2692
2693         if (nla_parse_nested(flags, NL80211_STA_FLAG_MAX,
2694                              nla, sta_flags_policy))
2695                 return -EINVAL;
2696
2697         /*
2698          * Only allow certain flags for interface types so that
2699          * other attributes are silently ignored. Remember that
2700          * this is backward compatibility code with old userspace
2701          * and shouldn't be hit in other cases anyway.
2702          */
2703         switch (iftype) {
2704         case NL80211_IFTYPE_AP:
2705         case NL80211_IFTYPE_AP_VLAN:
2706         case NL80211_IFTYPE_P2P_GO:
2707                 params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
2708                                          BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
2709                                          BIT(NL80211_STA_FLAG_WME) |
2710                                          BIT(NL80211_STA_FLAG_MFP);
2711                 break;
2712         case NL80211_IFTYPE_P2P_CLIENT:
2713         case NL80211_IFTYPE_STATION:
2714                 params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
2715                                          BIT(NL80211_STA_FLAG_TDLS_PEER);
2716                 break;
2717         case NL80211_IFTYPE_MESH_POINT:
2718                 params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
2719                                          BIT(NL80211_STA_FLAG_MFP) |
2720                                          BIT(NL80211_STA_FLAG_AUTHORIZED);
2721         default:
2722                 return -EINVAL;
2723         }
2724
2725         for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
2726                 if (flags[flag]) {
2727                         params->sta_flags_set |= (1<<flag);
2728
2729                         /* no longer support new API additions in old API */
2730                         if (flag > NL80211_STA_FLAG_MAX_OLD_API)
2731                                 return -EINVAL;
2732                 }
2733         }
2734
2735         return 0;
2736 }
2737
2738 static bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info,
2739                                  int attr)
2740 {
2741         struct nlattr *rate;
2742         u32 bitrate;
2743         u16 bitrate_compat;
2744
2745         rate = nla_nest_start(msg, attr);
2746         if (!rate)
2747                 goto nla_put_failure;
2748
2749         /* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
2750         bitrate = cfg80211_calculate_bitrate(info);
2751         /* report 16-bit bitrate only if we can */
2752         bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
2753         if ((bitrate > 0 &&
2754              nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate)) ||
2755             (bitrate_compat > 0 &&
2756              nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat)) ||
2757             ((info->flags & RATE_INFO_FLAGS_MCS) &&
2758              nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs)) ||
2759             ((info->flags & RATE_INFO_FLAGS_40_MHZ_WIDTH) &&
2760              nla_put_flag(msg, NL80211_RATE_INFO_40_MHZ_WIDTH)) ||
2761             ((info->flags & RATE_INFO_FLAGS_SHORT_GI) &&
2762              nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI)))
2763                 goto nla_put_failure;
2764
2765         nla_nest_end(msg, rate);
2766         return true;
2767
2768 nla_put_failure:
2769         return false;
2770 }
2771
2772 static int nl80211_send_station(struct sk_buff *msg, u32 pid, u32 seq,
2773                                 int flags,
2774                                 struct cfg80211_registered_device *rdev,
2775                                 struct net_device *dev,
2776                                 const u8 *mac_addr, struct station_info *sinfo)
2777 {
2778         void *hdr;
2779         struct nlattr *sinfoattr, *bss_param;
2780
2781         hdr = nl80211hdr_put(msg, pid, seq, flags, NL80211_CMD_NEW_STATION);
2782         if (!hdr)
2783                 return -1;
2784
2785         if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
2786             nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
2787             nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
2788                 goto nla_put_failure;
2789
2790         sinfoattr = nla_nest_start(msg, NL80211_ATTR_STA_INFO);
2791         if (!sinfoattr)
2792                 goto nla_put_failure;
2793         if ((sinfo->filled & STATION_INFO_CONNECTED_TIME) &&
2794             nla_put_u32(msg, NL80211_STA_INFO_CONNECTED_TIME,
2795                         sinfo->connected_time))
2796                 goto nla_put_failure;
2797         if ((sinfo->filled & STATION_INFO_INACTIVE_TIME) &&
2798             nla_put_u32(msg, NL80211_STA_INFO_INACTIVE_TIME,
2799                         sinfo->inactive_time))
2800                 goto nla_put_failure;
2801         if ((sinfo->filled & STATION_INFO_RX_BYTES) &&
2802             nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
2803                         sinfo->rx_bytes))
2804                 goto nla_put_failure;
2805         if ((sinfo->filled & STATION_INFO_TX_BYTES) &&
2806             nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
2807                         sinfo->tx_bytes))
2808                 goto nla_put_failure;
2809         if ((sinfo->filled & STATION_INFO_LLID) &&
2810             nla_put_u16(msg, NL80211_STA_INFO_LLID, sinfo->llid))
2811                 goto nla_put_failure;
2812         if ((sinfo->filled & STATION_INFO_PLID) &&
2813             nla_put_u16(msg, NL80211_STA_INFO_PLID, sinfo->plid))
2814                 goto nla_put_failure;
2815         if ((sinfo->filled & STATION_INFO_PLINK_STATE) &&
2816             nla_put_u8(msg, NL80211_STA_INFO_PLINK_STATE,
2817                        sinfo->plink_state))
2818                 goto nla_put_failure;
2819         switch (rdev->wiphy.signal_type) {
2820         case CFG80211_SIGNAL_TYPE_MBM:
2821                 if ((sinfo->filled & STATION_INFO_SIGNAL) &&
2822                     nla_put_u8(msg, NL80211_STA_INFO_SIGNAL,
2823                                sinfo->signal))
2824                         goto nla_put_failure;
2825                 if ((sinfo->filled & STATION_INFO_SIGNAL_AVG) &&
2826                     nla_put_u8(msg, NL80211_STA_INFO_SIGNAL_AVG,
2827                                sinfo->signal_avg))
2828                         goto nla_put_failure;
2829                 break;
2830         default:
2831                 break;
2832         }
2833         if (sinfo->filled & STATION_INFO_TX_BITRATE) {
2834                 if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
2835                                           NL80211_STA_INFO_TX_BITRATE))
2836                         goto nla_put_failure;
2837         }
2838         if (sinfo->filled & STATION_INFO_RX_BITRATE) {
2839                 if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
2840                                           NL80211_STA_INFO_RX_BITRATE))
2841                         goto nla_put_failure;
2842         }
2843         if ((sinfo->filled & STATION_INFO_RX_PACKETS) &&
2844             nla_put_u32(msg, NL80211_STA_INFO_RX_PACKETS,
2845                         sinfo->rx_packets))
2846                 goto nla_put_failure;
2847         if ((sinfo->filled & STATION_INFO_TX_PACKETS) &&
2848             nla_put_u32(msg, NL80211_STA_INFO_TX_PACKETS,
2849                         sinfo->tx_packets))
2850                 goto nla_put_failure;
2851         if ((sinfo->filled & STATION_INFO_TX_RETRIES) &&
2852             nla_put_u32(msg, NL80211_STA_INFO_TX_RETRIES,
2853                         sinfo->tx_retries))
2854                 goto nla_put_failure;
2855         if ((sinfo->filled & STATION_INFO_TX_FAILED) &&
2856             nla_put_u32(msg, NL80211_STA_INFO_TX_FAILED,
2857                         sinfo->tx_failed))
2858                 goto nla_put_failure;
2859         if ((sinfo->filled & STATION_INFO_BEACON_LOSS_COUNT) &&
2860             nla_put_u32(msg, NL80211_STA_INFO_BEACON_LOSS,
2861                         sinfo->beacon_loss_count))
2862                 goto nla_put_failure;
2863         if (sinfo->filled & STATION_INFO_BSS_PARAM) {
2864                 bss_param = nla_nest_start(msg, NL80211_STA_INFO_BSS_PARAM);
2865                 if (!bss_param)
2866                         goto nla_put_failure;
2867
2868                 if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
2869                      nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
2870                     ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
2871                      nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
2872                     ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
2873                      nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
2874                     nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
2875                                sinfo->bss_param.dtim_period) ||
2876                     nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
2877                                 sinfo->bss_param.beacon_interval))
2878                         goto nla_put_failure;
2879
2880                 nla_nest_end(msg, bss_param);
2881         }
2882         if ((sinfo->filled & STATION_INFO_STA_FLAGS) &&
2883             nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
2884                     sizeof(struct nl80211_sta_flag_update),
2885                     &sinfo->sta_flags))
2886                 goto nla_put_failure;
2887         if ((sinfo->filled & STATION_INFO_T_OFFSET) &&
2888                 nla_put_u64(msg, NL80211_STA_INFO_T_OFFSET,
2889                             sinfo->t_offset))
2890                 goto nla_put_failure;
2891         nla_nest_end(msg, sinfoattr);
2892
2893         if ((sinfo->filled & STATION_INFO_ASSOC_REQ_IES) &&
2894             nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
2895                     sinfo->assoc_req_ies))
2896                 goto nla_put_failure;
2897
2898         return genlmsg_end(msg, hdr);
2899
2900  nla_put_failure:
2901         genlmsg_cancel(msg, hdr);
2902         return -EMSGSIZE;
2903 }
2904
2905 static int nl80211_dump_station(struct sk_buff *skb,
2906                                 struct netlink_callback *cb)
2907 {
2908         struct station_info sinfo;
2909         struct cfg80211_registered_device *dev;
2910         struct net_device *netdev;
2911         u8 mac_addr[ETH_ALEN];
2912         int sta_idx = cb->args[1];
2913         int err;
2914
2915         err = nl80211_prepare_netdev_dump(skb, cb, &dev, &netdev);
2916         if (err)
2917                 return err;
2918
2919         if (!dev->ops->dump_station) {
2920                 err = -EOPNOTSUPP;
2921                 goto out_err;
2922         }
2923
2924         while (1) {
2925                 memset(&sinfo, 0, sizeof(sinfo));
2926                 err = dev->ops->dump_station(&dev->wiphy, netdev, sta_idx,
2927                                              mac_addr, &sinfo);
2928                 if (err == -ENOENT)
2929                         break;
2930                 if (err)
2931                         goto out_err;
2932
2933                 if (nl80211_send_station(skb,
2934                                 NETLINK_CB(cb->skb).pid,
2935                                 cb->nlh->nlmsg_seq, NLM_F_MULTI,
2936                                 dev, netdev, mac_addr,
2937                                 &sinfo) < 0)
2938                         goto out;
2939
2940                 sta_idx++;
2941         }
2942
2943
2944  out:
2945         cb->args[1] = sta_idx;
2946         err = skb->len;
2947  out_err:
2948         nl80211_finish_netdev_dump(dev);
2949
2950         return err;
2951 }
2952
2953 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
2954 {
2955         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2956         struct net_device *dev = info->user_ptr[1];
2957         struct station_info sinfo;
2958         struct sk_buff *msg;
2959         u8 *mac_addr = NULL;
2960         int err;
2961
2962         memset(&sinfo, 0, sizeof(sinfo));
2963
2964         if (!info->attrs[NL80211_ATTR_MAC])
2965                 return -EINVAL;
2966
2967         mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
2968
2969         if (!rdev->ops->get_station)
2970                 return -EOPNOTSUPP;
2971
2972         err = rdev->ops->get_station(&rdev->wiphy, dev, mac_addr, &sinfo);
2973         if (err)
2974                 return err;
2975
2976         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2977         if (!msg)
2978                 return -ENOMEM;
2979
2980         if (nl80211_send_station(msg, info->snd_pid, info->snd_seq, 0,
2981                                  rdev, dev, mac_addr, &sinfo) < 0) {
2982                 nlmsg_free(msg);
2983                 return -ENOBUFS;
2984         }
2985
2986         return genlmsg_reply(msg, info);
2987 }
2988
2989 /*
2990  * Get vlan interface making sure it is running and on the right wiphy.
2991  */
2992 static struct net_device *get_vlan(struct genl_info *info,
2993                                    struct cfg80211_registered_device *rdev)
2994 {
2995         struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
2996         struct net_device *v;
2997         int ret;
2998
2999         if (!vlanattr)
3000                 return NULL;
3001
3002         v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
3003         if (!v)
3004                 return ERR_PTR(-ENODEV);
3005
3006         if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
3007                 ret = -EINVAL;
3008                 goto error;
3009         }
3010
3011         if (!netif_running(v)) {
3012                 ret = -ENETDOWN;
3013                 goto error;
3014         }
3015
3016         return v;
3017  error:
3018         dev_put(v);
3019         return ERR_PTR(ret);
3020 }
3021
3022 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
3023 {
3024         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3025         int err;
3026         struct net_device *dev = info->user_ptr[1];
3027         struct station_parameters params;
3028         u8 *mac_addr = NULL;
3029
3030         memset(&params, 0, sizeof(params));
3031
3032         params.listen_interval = -1;
3033         params.plink_state = -1;
3034
3035         if (info->attrs[NL80211_ATTR_STA_AID])
3036                 return -EINVAL;
3037
3038         if (!info->attrs[NL80211_ATTR_MAC])
3039                 return -EINVAL;
3040
3041         mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3042
3043         if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
3044                 params.supported_rates =
3045                         nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
3046                 params.supported_rates_len =
3047                         nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
3048         }
3049
3050         if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
3051                 params.listen_interval =
3052                     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
3053
3054         if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
3055                 params.ht_capa =
3056                         nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
3057
3058         if (!rdev->ops->change_station)
3059                 return -EOPNOTSUPP;
3060
3061         if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
3062                 return -EINVAL;
3063
3064         if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
3065                 params.plink_action =
3066                     nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
3067
3068         if (info->attrs[NL80211_ATTR_STA_PLINK_STATE])
3069                 params.plink_state =
3070                     nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
3071
3072         switch (dev->ieee80211_ptr->iftype) {
3073         case NL80211_IFTYPE_AP:
3074         case NL80211_IFTYPE_AP_VLAN:
3075         case NL80211_IFTYPE_P2P_GO:
3076                 /* disallow mesh-specific things */
3077                 if (params.plink_action)
3078                         return -EINVAL;
3079
3080                 /* TDLS can't be set, ... */
3081                 if (params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
3082                         return -EINVAL;
3083                 /*
3084                  * ... but don't bother the driver with it. This works around
3085                  * a hostapd/wpa_supplicant issue -- it always includes the
3086                  * TLDS_PEER flag in the mask even for AP mode.
3087                  */
3088                 params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
3089
3090                 /* accept only the listed bits */
3091                 if (params.sta_flags_mask &
3092                                 ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
3093                                   BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
3094                                   BIT(NL80211_STA_FLAG_WME) |
3095                                   BIT(NL80211_STA_FLAG_MFP)))
3096                         return -EINVAL;
3097
3098                 /* must be last in here for error handling */
3099                 params.vlan = get_vlan(info, rdev);
3100                 if (IS_ERR(params.vlan))
3101                         return PTR_ERR(params.vlan);
3102                 break;
3103         case NL80211_IFTYPE_P2P_CLIENT:
3104         case NL80211_IFTYPE_STATION:
3105                 /*
3106                  * Don't allow userspace to change the TDLS_PEER flag,
3107                  * but silently ignore attempts to change it since we
3108                  * don't have state here to verify that it doesn't try
3109                  * to change the flag.
3110                  */
3111                 params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
3112                 /* fall through */
3113         case NL80211_IFTYPE_ADHOC:
3114                 /* disallow things sta doesn't support */
3115                 if (params.plink_action)
3116                         return -EINVAL;
3117                 if (params.ht_capa)
3118                         return -EINVAL;
3119                 if (params.listen_interval >= 0)
3120                         return -EINVAL;
3121                 /* reject any changes other than AUTHORIZED */
3122                 if (params.sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
3123                         return -EINVAL;
3124                 break;
3125         case NL80211_IFTYPE_MESH_POINT:
3126                 /* disallow things mesh doesn't support */
3127                 if (params.vlan)
3128                         return -EINVAL;
3129                 if (params.ht_capa)
3130                         return -EINVAL;
3131                 if (params.listen_interval >= 0)
3132                         return -EINVAL;
3133                 /*
3134                  * No special handling for TDLS here -- the userspace
3135                  * mesh code doesn't have this bug.
3136                  */
3137                 if (params.sta_flags_mask &
3138                                 ~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
3139                                   BIT(NL80211_STA_FLAG_MFP) |
3140                                   BIT(NL80211_STA_FLAG_AUTHORIZED)))
3141                         return -EINVAL;
3142                 break;
3143         default:
3144                 return -EOPNOTSUPP;
3145         }
3146
3147         /* be aware of params.vlan when changing code here */
3148
3149         err = rdev->ops->change_station(&rdev->wiphy, dev, mac_addr, &params);
3150
3151         if (params.vlan)
3152                 dev_put(params.vlan);
3153
3154         return err;
3155 }
3156
3157 static struct nla_policy
3158 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] __read_mostly = {
3159         [NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
3160         [NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
3161 };
3162
3163 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
3164 {
3165         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3166         int err;
3167         struct net_device *dev = info->user_ptr[1];
3168         struct station_parameters params;
3169         u8 *mac_addr = NULL;
3170
3171         memset(&params, 0, sizeof(params));
3172
3173         if (!info->attrs[NL80211_ATTR_MAC])
3174                 return -EINVAL;
3175
3176         if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
3177                 return -EINVAL;
3178
3179         if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
3180                 return -EINVAL;
3181
3182         if (!info->attrs[NL80211_ATTR_STA_AID])
3183                 return -EINVAL;
3184
3185         mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3186         params.supported_rates =
3187                 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
3188         params.supported_rates_len =
3189                 nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
3190         params.listen_interval =
3191                 nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
3192
3193         params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
3194         if (!params.aid || params.aid > IEEE80211_MAX_AID)
3195                 return -EINVAL;
3196
3197         if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
3198                 params.ht_capa =
3199                         nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
3200
3201         if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
3202                 params.plink_action =
3203                     nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
3204
3205         if (!rdev->ops->add_station)
3206                 return -EOPNOTSUPP;
3207
3208         if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
3209                 return -EINVAL;
3210
3211         switch (dev->ieee80211_ptr->iftype) {
3212         case NL80211_IFTYPE_AP:
3213         case NL80211_IFTYPE_AP_VLAN:
3214         case NL80211_IFTYPE_P2P_GO:
3215                 /* parse WME attributes if sta is WME capable */
3216                 if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
3217                     (params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)) &&
3218                     info->attrs[NL80211_ATTR_STA_WME]) {
3219                         struct nlattr *tb[NL80211_STA_WME_MAX + 1];
3220                         struct nlattr *nla;
3221
3222                         nla = info->attrs[NL80211_ATTR_STA_WME];
3223                         err = nla_parse_nested(tb, NL80211_STA_WME_MAX, nla,
3224                                                nl80211_sta_wme_policy);
3225                         if (err)
3226                                 return err;
3227
3228                         if (tb[NL80211_STA_WME_UAPSD_QUEUES])
3229                                 params.uapsd_queues =
3230                                      nla_get_u8(tb[NL80211_STA_WME_UAPSD_QUEUES]);
3231                         if (params.uapsd_queues &
3232                                         ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
3233                                 return -EINVAL;
3234
3235                         if (tb[NL80211_STA_WME_MAX_SP])
3236                                 params.max_sp =
3237                                      nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
3238
3239                         if (params.max_sp &
3240                                         ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
3241                                 return -EINVAL;
3242
3243                         params.sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
3244                 }
3245                 /* TDLS peers cannot be added */
3246                 if (params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
3247                         return -EINVAL;
3248                 /* but don't bother the driver with it */
3249                 params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
3250
3251                 /* must be last in here for error handling */
3252                 params.vlan = get_vlan(info, rdev);
3253                 if (IS_ERR(params.vlan))
3254                         return PTR_ERR(params.vlan);
3255                 break;
3256         case NL80211_IFTYPE_MESH_POINT:
3257                 /* TDLS peers cannot be added */
3258                 if (params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
3259                         return -EINVAL;
3260                 break;
3261         case NL80211_IFTYPE_STATION:
3262                 /* Only TDLS peers can be added */
3263                 if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
3264                         return -EINVAL;
3265                 /* Can only add if TDLS ... */
3266                 if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
3267                         return -EOPNOTSUPP;
3268                 /* ... with external setup is supported */
3269                 if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
3270                         return -EOPNOTSUPP;
3271                 break;
3272         default:
3273                 return -EOPNOTSUPP;
3274         }
3275
3276         /* be aware of params.vlan when changing code here */
3277
3278         err = rdev->ops->add_station(&rdev->wiphy, dev, mac_addr, &params);
3279
3280         if (params.vlan)
3281                 dev_put(params.vlan);
3282         return err;
3283 }
3284
3285 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
3286 {
3287         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3288         struct net_device *dev = info->user_ptr[1];
3289         u8 *mac_addr = NULL;
3290
3291         if (info->attrs[NL80211_ATTR_MAC])
3292                 mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3293
3294         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3295             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
3296             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
3297             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3298                 return -EINVAL;
3299
3300         if (!rdev->ops->del_station)
3301                 return -EOPNOTSUPP;
3302
3303         return rdev->ops->del_station(&rdev->wiphy, dev, mac_addr);
3304 }
3305
3306 static int nl80211_send_mpath(struct sk_buff *msg, u32 pid, u32 seq,
3307                                 int flags, struct net_device *dev,
3308                                 u8 *dst, u8 *next_hop,
3309                                 struct mpath_info *pinfo)
3310 {
3311         void *hdr;
3312         struct nlattr *pinfoattr;
3313
3314         hdr = nl80211hdr_put(msg, pid, seq, flags, NL80211_CMD_NEW_STATION);
3315         if (!hdr)
3316                 return -1;
3317
3318         if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3319             nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
3320             nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
3321             nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
3322                 goto nla_put_failure;
3323
3324         pinfoattr = nla_nest_start(msg, NL80211_ATTR_MPATH_INFO);
3325         if (!pinfoattr)
3326                 goto nla_put_failure;
3327         if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
3328             nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
3329                         pinfo->frame_qlen))
3330                 goto nla_put_failure;
3331         if (((pinfo->filled & MPATH_INFO_SN) &&
3332              nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
3333             ((pinfo->filled & MPATH_INFO_METRIC) &&
3334              nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
3335                          pinfo->metric)) ||
3336             ((pinfo->filled & MPATH_INFO_EXPTIME) &&
3337              nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
3338                          pinfo->exptime)) ||
3339             ((pinfo->filled & MPATH_INFO_FLAGS) &&
3340              nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
3341                         pinfo->flags)) ||
3342             ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
3343              nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
3344                          pinfo->discovery_timeout)) ||
3345             ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
3346              nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
3347                         pinfo->discovery_retries)))
3348                 goto nla_put_failure;
3349
3350         nla_nest_end(msg, pinfoattr);
3351
3352         return genlmsg_end(msg, hdr);
3353
3354  nla_put_failure:
3355         genlmsg_cancel(msg, hdr);
3356         return -EMSGSIZE;
3357 }
3358
3359 static int nl80211_dump_mpath(struct sk_buff *skb,
3360                               struct netlink_callback *cb)
3361 {
3362         struct mpath_info pinfo;
3363         struct cfg80211_registered_device *dev;
3364         struct net_device *netdev;
3365         u8 dst[ETH_ALEN];
3366         u8 next_hop[ETH_ALEN];
3367         int path_idx = cb->args[1];
3368         int err;
3369
3370         err = nl80211_prepare_netdev_dump(skb, cb, &dev, &netdev);
3371         if (err)
3372                 return err;
3373
3374         if (!dev->ops->dump_mpath) {
3375                 err = -EOPNOTSUPP;
3376                 goto out_err;
3377         }
3378
3379         if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT) {
3380                 err = -EOPNOTSUPP;
3381                 goto out_err;
3382         }
3383
3384         while (1) {
3385                 err = dev->ops->dump_mpath(&dev->wiphy, netdev, path_idx,
3386                                            dst, next_hop, &pinfo);
3387                 if (err == -ENOENT)
3388                         break;
3389                 if (err)
3390                         goto out_err;
3391
3392                 if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).pid,
3393                                        cb->nlh->nlmsg_seq, NLM_F_MULTI,
3394                                        netdev, dst, next_hop,
3395                                        &pinfo) < 0)
3396                         goto out;
3397
3398                 path_idx++;
3399         }
3400
3401
3402  out:
3403         cb->args[1] = path_idx;
3404         err = skb->len;
3405  out_err:
3406         nl80211_finish_netdev_dump(dev);
3407         return err;
3408 }
3409
3410 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
3411 {
3412         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3413         int err;
3414         struct net_device *dev = info->user_ptr[1];
3415         struct mpath_info pinfo;
3416         struct sk_buff *msg;
3417         u8 *dst = NULL;
3418         u8 next_hop[ETH_ALEN];
3419
3420         memset(&pinfo, 0, sizeof(pinfo));
3421
3422         if (!info->attrs[NL80211_ATTR_MAC])
3423                 return -EINVAL;
3424
3425         dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
3426
3427         if (!rdev->ops->get_mpath)
3428                 return -EOPNOTSUPP;
3429
3430         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
3431                 return -EOPNOTSUPP;
3432
3433         err = rdev->ops->get_mpath(&rdev->wiphy, dev, dst, next_hop, &pinfo);
3434         if (err)
3435                 return err;
3436
3437         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3438         if (!msg)
3439                 return -ENOMEM;
3440
3441         if (nl80211_send_mpath(msg, info->snd_pid, info->snd_seq, 0,
3442                                  dev, dst, next_hop, &pinfo) < 0) {
3443                 nlmsg_free(msg);
3444                 return -ENOBUFS;
3445         }
3446
3447         return genlmsg_reply(msg, info);
3448 }
3449
3450 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
3451 {
3452         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3453         struct net_device *dev = info->user_ptr[1];
3454         u8 *dst = NULL;
3455         u8 *next_hop = NULL;
3456
3457         if (!info->attrs[NL80211_ATTR_MAC])
3458                 return -EINVAL;
3459
3460         if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
3461                 return -EINVAL;
3462
3463         dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
3464         next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
3465
3466         if (!rdev->ops->change_mpath)
3467                 return -EOPNOTSUPP;
3468
3469         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
3470                 return -EOPNOTSUPP;
3471
3472         return rdev->ops->change_mpath(&rdev->wiphy, dev, dst, next_hop);
3473 }
3474
3475 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
3476 {
3477         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3478         struct net_device *dev = info->user_ptr[1];
3479         u8 *dst = NULL;
3480         u8 *next_hop = NULL;
3481
3482         if (!info->attrs[NL80211_ATTR_MAC])
3483                 return -EINVAL;
3484
3485         if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
3486                 return -EINVAL;
3487
3488         dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
3489         next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
3490
3491         if (!rdev->ops->add_mpath)
3492                 return -EOPNOTSUPP;
3493
3494         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
3495                 return -EOPNOTSUPP;
3496
3497         return rdev->ops->add_mpath(&rdev->wiphy, dev, dst, next_hop);
3498 }
3499
3500 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
3501 {
3502         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3503         struct net_device *dev = info->user_ptr[1];
3504         u8 *dst = NULL;
3505
3506         if (info->attrs[NL80211_ATTR_MAC])
3507                 dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
3508
3509         if (!rdev->ops->del_mpath)
3510                 return -EOPNOTSUPP;
3511
3512         return rdev->ops->del_mpath(&rdev->wiphy, dev, dst);
3513 }
3514
3515 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
3516 {
3517         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3518         struct net_device *dev = info->user_ptr[1];
3519         struct bss_parameters params;
3520
3521         memset(&params, 0, sizeof(params));
3522         /* default to not changing parameters */
3523         params.use_cts_prot = -1;
3524         params.use_short_preamble = -1;
3525         params.use_short_slot_time = -1;
3526         params.ap_isolate = -1;
3527         params.ht_opmode = -1;
3528
3529         if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
3530                 params.use_cts_prot =
3531                     nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
3532         if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
3533                 params.use_short_preamble =
3534                     nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
3535         if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
3536                 params.use_short_slot_time =
3537                     nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
3538         if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
3539                 params.basic_rates =
3540                         nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
3541                 params.basic_rates_len =
3542                         nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
3543         }
3544         if (info->attrs[NL80211_ATTR_AP_ISOLATE])
3545                 params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
3546         if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
3547                 params.ht_opmode =
3548                         nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
3549
3550         if (!rdev->ops->change_bss)
3551                 return -EOPNOTSUPP;
3552
3553         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3554             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3555                 return -EOPNOTSUPP;
3556
3557         return rdev->ops->change_bss(&rdev->wiphy, dev, &params);
3558 }
3559
3560 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
3561         [NL80211_ATTR_REG_RULE_FLAGS]           = { .type = NLA_U32 },
3562         [NL80211_ATTR_FREQ_RANGE_START]         = { .type = NLA_U32 },
3563         [NL80211_ATTR_FREQ_RANGE_END]           = { .type = NLA_U32 },
3564         [NL80211_ATTR_FREQ_RANGE_MAX_BW]        = { .type = NLA_U32 },
3565         [NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]  = { .type = NLA_U32 },
3566         [NL80211_ATTR_POWER_RULE_MAX_EIRP]      = { .type = NLA_U32 },
3567 };
3568
3569 static int parse_reg_rule(struct nlattr *tb[],
3570         struct ieee80211_reg_rule *reg_rule)
3571 {
3572         struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
3573         struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
3574
3575         if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
3576                 return -EINVAL;
3577         if (!tb[NL80211_ATTR_FREQ_RANGE_START])
3578                 return -EINVAL;
3579         if (!tb[NL80211_ATTR_FREQ_RANGE_END])
3580                 return -EINVAL;
3581         if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
3582                 return -EINVAL;
3583         if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
3584                 return -EINVAL;
3585
3586         reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
3587
3588         freq_range->start_freq_khz =
3589                 nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
3590         freq_range->end_freq_khz =
3591                 nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
3592         freq_range->max_bandwidth_khz =
3593                 nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
3594
3595         power_rule->max_eirp =
3596                 nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
3597
3598         if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
3599                 power_rule->max_antenna_gain =
3600                         nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
3601
3602         return 0;
3603 }
3604
3605 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
3606 {
3607         int r;
3608         char *data = NULL;
3609         enum nl80211_user_reg_hint_type user_reg_hint_type;
3610
3611         /*
3612          * You should only get this when cfg80211 hasn't yet initialized
3613          * completely when built-in to the kernel right between the time
3614          * window between nl80211_init() and regulatory_init(), if that is
3615          * even possible.
3616          */
3617         mutex_lock(&cfg80211_mutex);
3618         if (unlikely(!cfg80211_regdomain)) {
3619                 mutex_unlock(&cfg80211_mutex);
3620                 return -EINPROGRESS;
3621         }
3622         mutex_unlock(&cfg80211_mutex);
3623
3624         if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
3625                 return -EINVAL;
3626
3627         data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
3628
3629         if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
3630                 user_reg_hint_type =
3631                   nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
3632         else
3633                 user_reg_hint_type = NL80211_USER_REG_HINT_USER;
3634
3635         switch (user_reg_hint_type) {
3636         case NL80211_USER_REG_HINT_USER:
3637         case NL80211_USER_REG_HINT_CELL_BASE:
3638                 break;
3639         default:
3640                 return -EINVAL;
3641         }
3642
3643         r = regulatory_hint_user(data, user_reg_hint_type);
3644
3645         return r;
3646 }
3647
3648 static int nl80211_get_mesh_config(struct sk_buff *skb,
3649                                    struct genl_info *info)
3650 {
3651         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3652         struct net_device *dev = info->user_ptr[1];
3653         struct wireless_dev *wdev = dev->ieee80211_ptr;
3654         struct mesh_config cur_params;
3655         int err = 0;
3656         void *hdr;
3657         struct nlattr *pinfoattr;
3658         struct sk_buff *msg;
3659
3660         if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
3661                 return -EOPNOTSUPP;
3662
3663         if (!rdev->ops->get_mesh_config)
3664                 return -EOPNOTSUPP;
3665
3666         wdev_lock(wdev);
3667         /* If not connected, get default parameters */
3668         if (!wdev->mesh_id_len)
3669                 memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
3670         else
3671                 err = rdev->ops->get_mesh_config(&rdev->wiphy, dev,
3672                                                  &cur_params);
3673         wdev_unlock(wdev);
3674
3675         if (err)
3676                 return err;
3677
3678         /* Draw up a netlink message to send back */
3679         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3680         if (!msg)
3681                 return -ENOMEM;
3682         hdr = nl80211hdr_put(msg, info->snd_pid, info->snd_seq, 0,
3683                              NL80211_CMD_GET_MESH_CONFIG);
3684         if (!hdr)
3685                 goto out;
3686         pinfoattr = nla_nest_start(msg, NL80211_ATTR_MESH_CONFIG);
3687         if (!pinfoattr)
3688                 goto nla_put_failure;
3689         if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3690             nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
3691                         cur_params.dot11MeshRetryTimeout) ||
3692             nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
3693                         cur_params.dot11MeshConfirmTimeout) ||
3694             nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
3695                         cur_params.dot11MeshHoldingTimeout) ||
3696             nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
3697                         cur_params.dot11MeshMaxPeerLinks) ||
3698             nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
3699                        cur_params.dot11MeshMaxRetries) ||
3700             nla_put_u8(msg, NL80211_MESHCONF_TTL,
3701                        cur_params.dot11MeshTTL) ||
3702             nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
3703                        cur_params.element_ttl) ||
3704             nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
3705                        cur_params.auto_open_plinks) ||
3706             nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
3707                         cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
3708             nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
3709                        cur_params.dot11MeshHWMPmaxPREQretries) ||
3710             nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
3711                         cur_params.path_refresh_time) ||
3712             nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
3713                         cur_params.min_discovery_timeout) ||
3714             nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
3715                         cur_params.dot11MeshHWMPactivePathTimeout) ||
3716             nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
3717                         cur_params.dot11MeshHWMPpreqMinInterval) ||
3718             nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
3719                         cur_params.dot11MeshHWMPperrMinInterval) ||
3720             nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
3721                         cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
3722             nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
3723                        cur_params.dot11MeshHWMPRootMode) ||
3724             nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
3725                         cur_params.dot11MeshHWMPRannInterval) ||
3726             nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
3727                        cur_params.dot11MeshGateAnnouncementProtocol) ||
3728             nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
3729                        cur_params.dot11MeshForwarding) ||
3730             nla_put_u32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
3731                         cur_params.rssi_threshold) ||
3732             nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
3733                         cur_params.ht_opmode) ||
3734             nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
3735                         cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
3736             nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
3737                         cur_params.dot11MeshHWMProotInterval) ||
3738             nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
3739                         cur_params.dot11MeshHWMPconfirmationInterval))
3740                 goto nla_put_failure;
3741         nla_nest_end(msg, pinfoattr);
3742         genlmsg_end(msg, hdr);
3743         return genlmsg_reply(msg, info);
3744
3745  nla_put_failure:
3746         genlmsg_cancel(msg, hdr);
3747  out:
3748         nlmsg_free(msg);
3749         return -ENOBUFS;
3750 }
3751
3752 static const struct nla_policy nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
3753         [NL80211_MESHCONF_RETRY_TIMEOUT] = { .type = NLA_U16 },
3754         [NL80211_MESHCONF_CONFIRM_TIMEOUT] = { .type = NLA_U16 },
3755         [NL80211_MESHCONF_HOLDING_TIMEOUT] = { .type = NLA_U16 },
3756         [NL80211_MESHCONF_MAX_PEER_LINKS] = { .type = NLA_U16 },
3757         [NL80211_MESHCONF_MAX_RETRIES] = { .type = NLA_U8 },
3758         [NL80211_MESHCONF_TTL] = { .type = NLA_U8 },
3759         [NL80211_MESHCONF_ELEMENT_TTL] = { .type = NLA_U8 },
3760         [NL80211_MESHCONF_AUTO_OPEN_PLINKS] = { .type = NLA_U8 },
3761         [NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] = { .type = NLA_U32 },
3762         [NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
3763         [NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
3764         [NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = { .type = NLA_U16 },
3765         [NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
3766         [NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] = { .type = NLA_U16 },
3767         [NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] = { .type = NLA_U16 },
3768         [NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] = { .type = NLA_U16 },
3769         [NL80211_MESHCONF_HWMP_ROOTMODE] = { .type = NLA_U8 },
3770         [NL80211_MESHCONF_HWMP_RANN_INTERVAL] = { .type = NLA_U16 },
3771         [NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = { .type = NLA_U8 },
3772         [NL80211_MESHCONF_FORWARDING] = { .type = NLA_U8 },
3773         [NL80211_MESHCONF_RSSI_THRESHOLD] = { .type = NLA_U32 },
3774         [NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
3775         [NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
3776         [NL80211_MESHCONF_HWMP_ROOT_INTERVAL] = { .type = NLA_U16 },
3777         [NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] = { .type = NLA_U16 },
3778 };
3779
3780 static const struct nla_policy
3781         nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
3782         [NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
3783         [NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
3784         [NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
3785         [NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
3786         [NL80211_MESH_SETUP_IE] = { .type = NLA_BINARY,
3787                                     .len = IEEE80211_MAX_DATA_LEN },
3788         [NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
3789 };
3790
3791 static int nl80211_parse_mesh_config(struct genl_info *info,
3792                                      struct mesh_config *cfg,
3793                                      u32 *mask_out)
3794 {
3795         struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
3796         u32 mask = 0;
3797
3798 #define FILL_IN_MESH_PARAM_IF_SET(table, cfg, param, mask, attr_num, nla_fn) \
3799 do {\
3800         if (table[attr_num]) {\
3801                 cfg->param = nla_fn(table[attr_num]); \
3802                 mask |= (1 << (attr_num - 1)); \
3803         } \
3804 } while (0);\
3805
3806
3807         if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
3808                 return -EINVAL;
3809         if (nla_parse_nested(tb, NL80211_MESHCONF_ATTR_MAX,
3810                              info->attrs[NL80211_ATTR_MESH_CONFIG],
3811                              nl80211_meshconf_params_policy))
3812                 return -EINVAL;
3813
3814         /* This makes sure that there aren't more than 32 mesh config
3815          * parameters (otherwise our bitfield scheme would not work.) */
3816         BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
3817
3818         /* Fill in the params struct */
3819         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout,
3820                                   mask, NL80211_MESHCONF_RETRY_TIMEOUT,
3821                                   nla_get_u16);
3822         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout,
3823                                   mask, NL80211_MESHCONF_CONFIRM_TIMEOUT,
3824                                   nla_get_u16);
3825         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout,
3826                                   mask, NL80211_MESHCONF_HOLDING_TIMEOUT,
3827                                   nla_get_u16);
3828         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks,
3829                                   mask, NL80211_MESHCONF_MAX_PEER_LINKS,
3830                                   nla_get_u16);
3831         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries,
3832                                   mask, NL80211_MESHCONF_MAX_RETRIES,
3833                                   nla_get_u8);
3834         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL,
3835                                   mask, NL80211_MESHCONF_TTL, nla_get_u8);
3836         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl,
3837                                   mask, NL80211_MESHCONF_ELEMENT_TTL,
3838                                   nla_get_u8);
3839         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks,
3840                                   mask, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
3841                                   nla_get_u8);
3842         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor, mask,
3843                                   NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
3844                                   nla_get_u32);
3845         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries,
3846                                   mask, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
3847                                   nla_get_u8);
3848         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time,
3849                                   mask, NL80211_MESHCONF_PATH_REFRESH_TIME,
3850                                   nla_get_u32);
3851         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout,
3852                                   mask, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
3853                                   nla_get_u16);
3854         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout, mask,
3855                                   NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
3856                                   nla_get_u32);
3857         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval,
3858                                   mask, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
3859                                   nla_get_u16);
3860         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval,
3861                                   mask, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
3862                                   nla_get_u16);
3863         FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
3864                                   dot11MeshHWMPnetDiameterTraversalTime, mask,
3865                                   NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
3866                                   nla_get_u16);
3867         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
3868                                   NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
3869         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
3870                                   NL80211_MESHCONF_HWMP_RANN_INTERVAL,
3871                                   nla_get_u16);
3872         FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
3873                                   dot11MeshGateAnnouncementProtocol, mask,
3874                                   NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
3875                                   nla_get_u8);
3876         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding,
3877                                   mask, NL80211_MESHCONF_FORWARDING,
3878                                   nla_get_u8);
3879         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold,
3880                                   mask, NL80211_MESHCONF_RSSI_THRESHOLD,
3881                                   nla_get_u32);
3882         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, ht_opmode,
3883                                   mask, NL80211_MESHCONF_HT_OPMODE,
3884                                   nla_get_u16);
3885         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathToRootTimeout,
3886                                   mask,
3887                                   NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
3888                                   nla_get_u32);
3889         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval,
3890                                   mask, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
3891                                   nla_get_u16);
3892         FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
3893                                   dot11MeshHWMPconfirmationInterval, mask,
3894                                   NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
3895                                   nla_get_u16);
3896         if (mask_out)
3897                 *mask_out = mask;
3898
3899         return 0;
3900
3901 #undef FILL_IN_MESH_PARAM_IF_SET
3902 }
3903
3904 static int nl80211_parse_mesh_setup(struct genl_info *info,
3905                                      struct mesh_setup *setup)
3906 {
3907         struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
3908
3909         if (!info->attrs[NL80211_ATTR_MESH_SETUP])
3910                 return -EINVAL;
3911         if (nla_parse_nested(tb, NL80211_MESH_SETUP_ATTR_MAX,
3912                              info->attrs[NL80211_ATTR_MESH_SETUP],
3913                              nl80211_mesh_setup_params_policy))
3914                 return -EINVAL;
3915
3916         if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
3917                 setup->sync_method =
3918                 (nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
3919                  IEEE80211_SYNC_METHOD_VENDOR :
3920                  IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
3921
3922         if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
3923                 setup->path_sel_proto =
3924                 (nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
3925                  IEEE80211_PATH_PROTOCOL_VENDOR :
3926                  IEEE80211_PATH_PROTOCOL_HWMP;
3927
3928         if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
3929                 setup->path_metric =
3930                 (nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
3931                  IEEE80211_PATH_METRIC_VENDOR :
3932                  IEEE80211_PATH_METRIC_AIRTIME;
3933
3934
3935         if (tb[NL80211_MESH_SETUP_IE]) {
3936                 struct nlattr *ieattr =
3937                         tb[NL80211_MESH_SETUP_IE];
3938                 if (!is_valid_ie_attr(ieattr))
3939                         return -EINVAL;
3940                 setup->ie = nla_data(ieattr);
3941                 setup->ie_len = nla_len(ieattr);
3942         }
3943         setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
3944         setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
3945
3946         return 0;
3947 }
3948
3949 static int nl80211_update_mesh_config(struct sk_buff *skb,
3950                                       struct genl_info *info)
3951 {
3952         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3953         struct net_device *dev = info->user_ptr[1];
3954         struct wireless_dev *wdev = dev->ieee80211_ptr;
3955         struct mesh_config cfg;
3956         u32 mask;
3957         int err;
3958
3959         if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
3960                 return -EOPNOTSUPP;
3961
3962         if (!rdev->ops->update_mesh_config)
3963                 return -EOPNOTSUPP;
3964
3965         err = nl80211_parse_mesh_config(info, &cfg, &mask);
3966         if (err)
3967                 return err;
3968
3969         wdev_lock(wdev);
3970         if (!wdev->mesh_id_len)
3971                 err = -ENOLINK;
3972
3973         if (!err)
3974                 err = rdev->ops->update_mesh_config(&rdev->wiphy, dev,
3975                                                     mask, &cfg);
3976
3977         wdev_unlock(wdev);
3978
3979         return err;
3980 }
3981
3982 static int nl80211_get_reg(struct sk_buff *skb, struct genl_info *info)
3983 {
3984         struct sk_buff *msg;
3985         void *hdr = NULL;
3986         struct nlattr *nl_reg_rules;
3987         unsigned int i;
3988         int err = -EINVAL;
3989
3990         mutex_lock(&cfg80211_mutex);
3991
3992         if (!cfg80211_regdomain)
3993                 goto out;
3994
3995         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3996         if (!msg) {
3997                 err = -ENOBUFS;
3998                 goto out;
3999         }
4000
4001         hdr = nl80211hdr_put(msg, info->snd_pid, info->snd_seq, 0,
4002                              NL80211_CMD_GET_REG);
4003         if (!hdr)
4004                 goto put_failure;
4005
4006         if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
4007                            cfg80211_regdomain->alpha2) ||
4008             (cfg80211_regdomain->dfs_region &&
4009              nla_put_u8(msg, NL80211_ATTR_DFS_REGION,
4010                         cfg80211_regdomain->dfs_region)))
4011                 goto nla_put_failure;
4012
4013         if (reg_last_request_cell_base() &&
4014             nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
4015                         NL80211_USER_REG_HINT_CELL_BASE))
4016                 goto nla_put_failure;
4017
4018         nl_reg_rules = nla_nest_start(msg, NL80211_ATTR_REG_RULES);
4019         if (!nl_reg_rules)
4020                 goto nla_put_failure;
4021
4022         for (i = 0; i < cfg80211_regdomain->n_reg_rules; i++) {
4023                 struct nlattr *nl_reg_rule;
4024                 const struct ieee80211_reg_rule *reg_rule;
4025                 const struct ieee80211_freq_range *freq_range;
4026                 const struct ieee80211_power_rule *power_rule;
4027
4028                 reg_rule = &cfg80211_regdomain->reg_rules[i];
4029                 freq_range = &reg_rule->freq_range;
4030                 power_rule = &reg_rule->power_rule;
4031
4032                 nl_reg_rule = nla_nest_start(msg, i);
4033                 if (!nl_reg_rule)
4034                         goto nla_put_failure;
4035
4036                 if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
4037                                 reg_rule->flags) ||
4038                     nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
4039                                 freq_range->start_freq_khz) ||
4040                     nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
4041                                 freq_range->end_freq_khz) ||
4042                     nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
4043                                 freq_range->max_bandwidth_khz) ||
4044                     nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
4045                                 power_rule->max_antenna_gain) ||
4046                     nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
4047                                 power_rule->max_eirp))
4048                         goto nla_put_failure;
4049
4050                 nla_nest_end(msg, nl_reg_rule);
4051         }
4052
4053         nla_nest_end(msg, nl_reg_rules);
4054
4055         genlmsg_end(msg, hdr);
4056         err = genlmsg_reply(msg, info);
4057         goto out;
4058
4059 nla_put_failure:
4060         genlmsg_cancel(msg, hdr);
4061 put_failure:
4062         nlmsg_free(msg);
4063         err = -EMSGSIZE;
4064 out:
4065         mutex_unlock(&cfg80211_mutex);
4066         return err;
4067 }
4068
4069 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
4070 {
4071         struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
4072         struct nlattr *nl_reg_rule;
4073         char *alpha2 = NULL;
4074         int rem_reg_rules = 0, r = 0;
4075         u32 num_rules = 0, rule_idx = 0, size_of_regd;
4076         u8 dfs_region = 0;
4077         struct ieee80211_regdomain *rd = NULL;
4078
4079         if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
4080                 return -EINVAL;
4081
4082         if (!info->attrs[NL80211_ATTR_REG_RULES])
4083                 return -EINVAL;
4084
4085         alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
4086
4087         if (info->attrs[NL80211_ATTR_DFS_REGION])
4088                 dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
4089
4090         nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
4091                         rem_reg_rules) {
4092                 num_rules++;
4093                 if (num_rules > NL80211_MAX_SUPP_REG_RULES)
4094                         return -EINVAL;
4095         }
4096
4097         mutex_lock(&cfg80211_mutex);
4098
4099         if (!reg_is_valid_request(alpha2)) {
4100                 r = -EINVAL;
4101                 goto bad_reg;
4102         }
4103
4104         size_of_regd = sizeof(struct ieee80211_regdomain) +
4105                 (num_rules * sizeof(struct ieee80211_reg_rule));
4106
4107         rd = kzalloc(size_of_regd, GFP_KERNEL);
4108         if (!rd) {
4109                 r = -ENOMEM;
4110                 goto bad_reg;
4111         }
4112
4113         rd->n_reg_rules = num_rules;
4114         rd->alpha2[0] = alpha2[0];
4115         rd->alpha2[1] = alpha2[1];
4116
4117         /*
4118          * Disable DFS master mode if the DFS region was
4119          * not supported or known on this kernel.
4120          */
4121         if (reg_supported_dfs_region(dfs_region))
4122                 rd->dfs_region = dfs_region;
4123
4124         nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
4125                         rem_reg_rules) {
4126                 nla_parse(tb, NL80211_REG_RULE_ATTR_MAX,
4127                         nla_data(nl_reg_rule), nla_len(nl_reg_rule),
4128                         reg_rule_policy);
4129                 r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
4130                 if (r)
4131                         goto bad_reg;
4132
4133                 rule_idx++;
4134
4135                 if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
4136                         r = -EINVAL;
4137                         goto bad_reg;
4138                 }
4139         }
4140
4141         BUG_ON(rule_idx != num_rules);
4142
4143         r = set_regdom(rd);
4144
4145         mutex_unlock(&cfg80211_mutex);
4146
4147         return r;
4148
4149  bad_reg:
4150         mutex_unlock(&cfg80211_mutex);
4151         kfree(rd);
4152         return r;
4153 }
4154
4155 static int validate_scan_freqs(struct nlattr *freqs)
4156 {
4157         struct nlattr *attr1, *attr2;
4158         int n_channels = 0, tmp1, tmp2;
4159
4160         nla_for_each_nested(attr1, freqs, tmp1) {
4161                 n_channels++;
4162                 /*
4163                  * Some hardware has a limited channel list for
4164                  * scanning, and it is pretty much nonsensical
4165                  * to scan for a channel twice, so disallow that
4166                  * and don't require drivers to check that the
4167                  * channel list they get isn't longer than what
4168                  * they can scan, as long as they can scan all
4169                  * the channels they registered at once.
4170                  */
4171                 nla_for_each_nested(attr2, freqs, tmp2)
4172                         if (attr1 != attr2 &&
4173                             nla_get_u32(attr1) == nla_get_u32(attr2))
4174                                 return 0;
4175         }
4176
4177         return n_channels;
4178 }
4179
4180 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
4181 {
4182         struct cfg80211_registered_device *rdev = info->user_ptr[0];
4183         struct wireless_dev *wdev = info->user_ptr[1];
4184         struct cfg80211_scan_request *request;
4185         struct nlattr *attr;
4186         struct wiphy *wiphy;
4187         int err, tmp, n_ssids = 0, n_channels, i;
4188         size_t ie_len;
4189
4190         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
4191                 return -EINVAL;
4192
4193         wiphy = &rdev->wiphy;
4194
4195         if (!rdev->ops->scan)
4196                 return -EOPNOTSUPP;
4197
4198         if (rdev->scan_req)
4199                 return -EBUSY;
4200
4201         if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
4202                 n_channels = validate_scan_freqs(
4203                                 info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
4204                 if (!n_channels)
4205                         return -EINVAL;
4206         } else {
4207                 enum ieee80211_band band;
4208                 n_channels = 0;
4209
4210                 for (band = 0; band < IEEE80211_NUM_BANDS; band++)
4211                         if (wiphy->bands[band])
4212                                 n_channels += wiphy->bands[band]->n_channels;
4213         }
4214
4215         if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
4216                 nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
4217                         n_ssids++;
4218
4219         if (n_ssids > wiphy->max_scan_ssids)
4220                 return -EINVAL;
4221
4222         if (info->attrs[NL80211_ATTR_IE])
4223                 ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
4224         else
4225                 ie_len = 0;
4226
4227         if (ie_len > wiphy->max_scan_ie_len)
4228                 return -EINVAL;
4229
4230         request = kzalloc(sizeof(*request)
4231                         + sizeof(*request->ssids) * n_ssids
4232                         + sizeof(*request->channels) * n_channels
4233                         + ie_len, GFP_KERNEL);
4234         if (!request)
4235                 return -ENOMEM;
4236
4237         if (n_ssids)
4238                 request->ssids = (void *)&request->channels[n_channels];
4239         request->n_ssids = n_ssids;
4240         if (ie_len) {
4241                 if (request->ssids)
4242                         request->ie = (void *)(request->ssids + n_ssids);
4243                 else
4244                         request->ie = (void *)(request->channels + n_channels);
4245         }
4246
4247         i = 0;
4248         if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
4249                 /* user specified, bail out if channel not found */
4250                 nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_FREQUENCIES], tmp) {
4251                         struct ieee80211_channel *chan;
4252
4253                         chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
4254
4255                         if (!chan) {
4256                                 err = -EINVAL;
4257                                 goto out_free;
4258                         }
4259
4260                         /* ignore disabled channels */
4261                         if (chan->flags & IEEE80211_CHAN_DISABLED)
4262                                 continue;
4263
4264                         request->channels[i] = chan;
4265                         i++;
4266                 }
4267         } else {
4268                 enum ieee80211_band band;
4269
4270                 /* all channels */
4271                 for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
4272                         int j;
4273                         if (!wiphy->bands[band])
4274                                 continue;
4275                         for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
4276                                 struct ieee80211_channel *chan;
4277
4278                                 chan = &wiphy->bands[band]->channels[j];
4279
4280                                 if (chan->flags & IEEE80211_CHAN_DISABLED)
4281                                         continue;
4282
4283                                 request->channels[i] = chan;
4284                                 i++;
4285                         }
4286                 }
4287         }
4288
4289         if (!i) {
4290                 err = -EINVAL;
4291                 goto out_free;
4292         }
4293
4294         request->n_channels = i;
4295
4296         i = 0;
4297         if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
4298                 nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
4299                         if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
4300                                 err = -EINVAL;
4301                                 goto out_free;
4302                         }
4303                         request->ssids[i].ssid_len = nla_len(attr);
4304                         memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
4305                         i++;
4306                 }
4307         }
4308
4309         if (info->attrs[NL80211_ATTR_IE]) {
4310                 request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
4311                 memcpy((void *)request->ie,
4312                        nla_data(info->attrs[NL80211_ATTR_IE]),
4313                        request->ie_len);
4314         }
4315
4316         for (i = 0; i < IEEE80211_NUM_BANDS; i++)
4317                 if (wiphy->bands[i])
4318                         request->rates[i] =
4319                                 (1 << wiphy->bands[i]->n_bitrates) - 1;
4320
4321         if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
4322                 nla_for_each_nested(attr,
4323                                     info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
4324                                     tmp) {
4325                         enum ieee80211_band band = nla_type(attr);
4326
4327                         if (band < 0 || band >= IEEE80211_NUM_BANDS) {
4328                                 err = -EINVAL;
4329                                 goto out_free;
4330                         }
4331                         err = ieee80211_get_ratemask(wiphy->bands[band],
4332                                                      nla_data(attr),
4333                                                      nla_len(attr),
4334                                                      &request->rates[band]);
4335                         if (err)
4336                                 goto out_free;
4337                 }
4338         }
4339
4340         request->no_cck =
4341                 nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
4342
4343         request->wdev = wdev;
4344         request->wiphy = &rdev->wiphy;
4345
4346         rdev->scan_req = request;
4347         err = rdev->ops->scan(&rdev->wiphy, request);
4348
4349         if (!err) {
4350                 nl80211_send_scan_start(rdev, wdev);
4351                 if (wdev->netdev)
4352                         dev_hold(wdev->netdev);
4353         } else {
4354  out_free:
4355                 rdev->scan_req = NULL;
4356                 kfree(request);
4357         }
4358
4359         return err;
4360 }
4361
4362 static int nl80211_start_sched_scan(struct sk_buff *skb,
4363                                     struct genl_info *info)
4364 {
4365         struct cfg80211_sched_scan_request *request;
4366         struct cfg80211_registered_device *rdev = info->user_ptr[0];
4367         struct net_device *dev = info->user_ptr[1];
4368         struct nlattr *attr;
4369         struct wiphy *wiphy;
4370         int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i;
4371         u32 interval;
4372         enum ieee80211_band band;
4373         size_t ie_len;
4374         struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
4375
4376         if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) ||
4377             !rdev->ops->sched_scan_start)
4378                 return -EOPNOTSUPP;
4379
4380         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
4381                 return -EINVAL;
4382
4383         if (!info->attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
4384                 return -EINVAL;
4385
4386         interval = nla_get_u32(info->attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
4387         if (interval == 0)
4388                 return -EINVAL;
4389
4390         wiphy = &rdev->wiphy;
4391
4392         if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
4393                 n_channels = validate_scan_freqs(
4394                                 info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
4395                 if (!n_channels)
4396                         return -EINVAL;
4397         } else {
4398                 n_channels = 0;
4399
4400                 for (band = 0; band < IEEE80211_NUM_BANDS; band++)
4401                         if (wiphy->bands[band])
4402                                 n_channels += wiphy->bands[band]->n_channels;
4403         }
4404
4405         if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
4406                 nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS],
4407                                     tmp)
4408                         n_ssids++;
4409
4410         if (n_ssids > wiphy->max_sched_scan_ssids)
4411                 return -EINVAL;
4412
4413         if (info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH])
4414                 nla_for_each_nested(attr,
4415                                     info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
4416                                     tmp)
4417                         n_match_sets++;
4418
4419         if (n_match_sets > wiphy->max_match_sets)
4420                 return -EINVAL;
4421
4422         if (info->attrs[NL80211_ATTR_IE])
4423                 ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
4424         else
4425                 ie_len = 0;
4426
4427         if (ie_len > wiphy->max_sched_scan_ie_len)
4428                 return -EINVAL;
4429
4430         mutex_lock(&rdev->sched_scan_mtx);
4431
4432         if (rdev->sched_scan_req) {
4433                 err = -EINPROGRESS;
4434                 goto out;
4435         }
4436
4437         request = kzalloc(sizeof(*request)
4438                         + sizeof(*request->ssids) * n_ssids
4439                         + sizeof(*request->match_sets) * n_match_sets
4440                         + sizeof(*request->channels) * n_channels
4441                         + ie_len, GFP_KERNEL);
4442         if (!request) {
4443                 err = -ENOMEM;
4444                 goto out;
4445         }
4446
4447         if (n_ssids)
4448                 request->ssids = (void *)&request->channels[n_channels];
4449         request->n_ssids = n_ssids;
4450         if (ie_len) {
4451                 if (request->ssids)
4452                         request->ie = (void *)(request->ssids + n_ssids);
4453                 else
4454                         request->ie = (void *)(request->channels + n_channels);
4455         }
4456
4457         if (n_match_sets) {
4458                 if (request->ie)
4459                         request->match_sets = (void *)(request->ie + ie_len);
4460                 else if (request->ssids)
4461                         request->match_sets =
4462                                 (void *)(request->ssids + n_ssids);
4463                 else
4464                         request->match_sets =
4465                                 (void *)(request->channels + n_channels);
4466         }
4467         request->n_match_sets = n_match_sets;
4468
4469         i = 0;
4470         if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
4471                 /* user specified, bail out if channel not found */
4472                 nla_for_each_nested(attr,
4473                                     info->attrs[NL80211_ATTR_SCAN_FREQUENCIES],
4474                                     tmp) {
4475                         struct ieee80211_channel *chan;
4476
4477                         chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
4478
4479                         if (!chan) {
4480                                 err = -EINVAL;
4481                                 goto out_free;
4482                         }
4483
4484                         /* ignore disabled channels */
4485                         if (chan->flags & IEEE80211_CHAN_DISABLED)
4486                                 continue;
4487
4488                         request->channels[i] = chan;
4489                         i++;
4490                 }
4491         } else {
4492                 /* all channels */
4493                 for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
4494                         int j;
4495                         if (!wiphy->bands[band])
4496                                 continue;
4497                         for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
4498                                 struct ieee80211_channel *chan;
4499
4500                                 chan = &wiphy->bands[band]->channels[j];
4501
4502                                 if (chan->flags & IEEE80211_CHAN_DISABLED)
4503                                         continue;
4504
4505                                 request->channels[i] = chan;
4506                                 i++;
4507                         }
4508                 }
4509         }
4510
4511         if (!i) {
4512                 err = -EINVAL;
4513                 goto out_free;
4514         }
4515
4516         request->n_channels = i;
4517
4518         i = 0;
4519         if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
4520                 nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS],
4521                                     tmp) {
4522                         if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
4523                                 err = -EINVAL;
4524                                 goto out_free;
4525                         }
4526                         request->ssids[i].ssid_len = nla_len(attr);
4527                         memcpy(request->ssids[i].ssid, nla_data(attr),
4528                                nla_len(attr));
4529                         i++;
4530                 }
4531         }
4532
4533         i = 0;
4534         if (info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
4535                 nla_for_each_nested(attr,
4536                                     info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
4537                                     tmp) {
4538                         struct nlattr *ssid, *rssi;
4539
4540                         nla_parse(tb, NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
4541                                   nla_data(attr), nla_len(attr),
4542                                   nl80211_match_policy);
4543                         ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
4544                         if (ssid) {
4545                                 if (nla_len(ssid) > IEEE80211_MAX_SSID_LEN) {
4546                                         err = -EINVAL;
4547                                         goto out_free;
4548                                 }
4549                                 memcpy(request->match_sets[i].ssid.ssid,
4550                                        nla_data(ssid), nla_len(ssid));
4551                                 request->match_sets[i].ssid.ssid_len =
4552                                         nla_len(ssid);
4553                         }
4554                         rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
4555                         if (rssi)
4556                                 request->rssi_thold = nla_get_u32(rssi);
4557                         else
4558                                 request->rssi_thold =
4559                                                    NL80211_SCAN_RSSI_THOLD_OFF;
4560                         i++;
4561                 }
4562         }
4563
4564         if (info->attrs[NL80211_ATTR_IE]) {
4565                 request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
4566                 memcpy((void *)request->ie,
4567                        nla_data(info->attrs[NL80211_ATTR_IE]),
4568                        request->ie_len);
4569         }
4570
4571         request->dev = dev;
4572         request->wiphy = &rdev->wiphy;
4573         request->interval = interval;
4574
4575         err = rdev->ops->sched_scan_start(&rdev->wiphy, dev, request);
4576         if (!err) {
4577                 rdev->sched_scan_req = request;
4578                 nl80211_send_sched_scan(rdev, dev,
4579                                         NL80211_CMD_START_SCHED_SCAN);
4580                 goto out;
4581         }
4582
4583 out_free:
4584         kfree(request);
4585 out:
4586         mutex_unlock(&rdev->sched_scan_mtx);
4587         return err;
4588 }
4589
4590 static int nl80211_stop_sched_scan(struct sk_buff *skb,
4591                                    struct genl_info *info)
4592 {
4593         struct cfg80211_registered_device *rdev = info->user_ptr[0];
4594         int err;
4595
4596         if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) ||
4597             !rdev->ops->sched_scan_stop)
4598                 return -EOPNOTSUPP;
4599
4600         mutex_lock(&rdev->sched_scan_mtx);
4601         err = __cfg80211_stop_sched_scan(rdev, false);
4602         mutex_unlock(&rdev->sched_scan_mtx);
4603
4604         return err;
4605 }
4606
4607 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
4608                             u32 seq, int flags,
4609                             struct cfg80211_registered_device *rdev,
4610                             struct wireless_dev *wdev,
4611                             struct cfg80211_internal_bss *intbss)
4612 {
4613         struct cfg80211_bss *res = &intbss->pub;
4614         void *hdr;
4615         struct nlattr *bss;
4616
4617         ASSERT_WDEV_LOCK(wdev);
4618
4619         hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).pid, seq, flags,
4620                              NL80211_CMD_NEW_SCAN_RESULTS);
4621         if (!hdr)
4622                 return -1;
4623
4624         genl_dump_check_consistent(cb, hdr, &nl80211_fam);
4625
4626         if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation) ||
4627             nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
4628                 goto nla_put_failure;
4629
4630         bss = nla_nest_start(msg, NL80211_ATTR_BSS);
4631         if (!bss)
4632                 goto nla_put_failure;
4633         if ((!is_zero_ether_addr(res->bssid) &&
4634              nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)) ||
4635             (res->information_elements && res->len_information_elements &&
4636              nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
4637                      res->len_information_elements,
4638                      res->information_elements)) ||
4639             (res->beacon_ies && res->len_beacon_ies &&
4640              res->beacon_ies != res->information_elements &&
4641              nla_put(msg, NL80211_BSS_BEACON_IES,
4642                      res->len_beacon_ies, res->beacon_ies)))
4643                 goto nla_put_failure;
4644         if (res->tsf &&
4645             nla_put_u64(msg, NL80211_BSS_TSF, res->tsf))
4646                 goto nla_put_failure;
4647         if (res->beacon_interval &&
4648             nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
4649                 goto nla_put_failure;
4650         if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
4651             nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
4652             nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
4653                         jiffies_to_msecs(jiffies - intbss->ts)))
4654                 goto nla_put_failure;
4655
4656         switch (rdev->wiphy.signal_type) {
4657         case CFG80211_SIGNAL_TYPE_MBM:
4658                 if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
4659                         goto nla_put_failure;
4660                 break;
4661         case CFG80211_SIGNAL_TYPE_UNSPEC:
4662                 if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
4663                         goto nla_put_failure;
4664                 break;
4665         default:
4666                 break;
4667         }
4668
4669         switch (wdev->iftype) {
4670         case NL80211_IFTYPE_P2P_CLIENT:
4671         case NL80211_IFTYPE_STATION:
4672                 if (intbss == wdev->current_bss &&
4673                     nla_put_u32(msg, NL80211_BSS_STATUS,
4674                                 NL80211_BSS_STATUS_ASSOCIATED))
4675                         goto nla_put_failure;
4676                 break;
4677         case NL80211_IFTYPE_ADHOC:
4678                 if (intbss == wdev->current_bss &&
4679                     nla_put_u32(msg, NL80211_BSS_STATUS,
4680                                 NL80211_BSS_STATUS_IBSS_JOINED))
4681                         goto nla_put_failure;
4682                 break;
4683         default:
4684                 break;
4685         }
4686
4687         nla_nest_end(msg, bss);
4688
4689         return genlmsg_end(msg, hdr);
4690
4691  nla_put_failure:
4692         genlmsg_cancel(msg, hdr);
4693         return -EMSGSIZE;
4694 }
4695
4696 static int nl80211_dump_scan(struct sk_buff *skb,
4697                              struct netlink_callback *cb)
4698 {
4699         struct cfg80211_registered_device *rdev;
4700         struct net_device *dev;
4701         struct cfg80211_internal_bss *scan;
4702         struct wireless_dev *wdev;
4703         int start = cb->args[1], idx = 0;
4704         int err;
4705
4706         err = nl80211_prepare_netdev_dump(skb, cb, &rdev, &dev);
4707         if (err)
4708                 return err;
4709
4710         wdev = dev->ieee80211_ptr;
4711
4712         wdev_lock(wdev);
4713         spin_lock_bh(&rdev->bss_lock);
4714         cfg80211_bss_expire(rdev);
4715
4716         cb->seq = rdev->bss_generation;
4717
4718         list_for_each_entry(scan, &rdev->bss_list, list) {
4719                 if (++idx <= start)
4720                         continue;
4721                 if (nl80211_send_bss(skb, cb,
4722                                 cb->nlh->nlmsg_seq, NLM_F_MULTI,
4723                                 rdev, wdev, scan) < 0) {
4724                         idx--;
4725                         break;
4726                 }
4727         }
4728
4729         spin_unlock_bh(&rdev->bss_lock);
4730         wdev_unlock(wdev);
4731
4732         cb->args[1] = idx;
4733         nl80211_finish_netdev_dump(rdev);
4734
4735         return skb->len;
4736 }
4737
4738 static int nl80211_send_survey(struct sk_buff *msg, u32 pid, u32 seq,
4739                                 int flags, struct net_device *dev,
4740                                 struct survey_info *survey)
4741 {
4742         void *hdr;
4743         struct nlattr *infoattr;
4744
4745         hdr = nl80211hdr_put(msg, pid, seq, flags,
4746                              NL80211_CMD_NEW_SURVEY_RESULTS);
4747         if (!hdr)
4748                 return -ENOMEM;
4749
4750         if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
4751                 goto nla_put_failure;
4752
4753         infoattr = nla_nest_start(msg, NL80211_ATTR_SURVEY_INFO);
4754         if (!infoattr)
4755                 goto nla_put_failure;
4756
4757         if (nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
4758                         survey->channel->center_freq))
4759                 goto nla_put_failure;
4760
4761         if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
4762             nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
4763                 goto nla_put_failure;
4764         if ((survey->filled & SURVEY_INFO_IN_USE) &&
4765             nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
4766                 goto nla_put_failure;
4767         if ((survey->filled & SURVEY_INFO_CHANNEL_TIME) &&
4768             nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME,
4769                         survey->channel_time))
4770                 goto nla_put_failure;
4771         if ((survey->filled & SURVEY_INFO_CHANNEL_TIME_BUSY) &&
4772             nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_BUSY,
4773                         survey->channel_time_busy))
4774                 goto nla_put_failure;
4775         if ((survey->filled & SURVEY_INFO_CHANNEL_TIME_EXT_BUSY) &&
4776             nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_EXT_BUSY,
4777                         survey->channel_time_ext_busy))
4778                 goto nla_put_failure;
4779         if ((survey->filled & SURVEY_INFO_CHANNEL_TIME_RX) &&
4780             nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_RX,
4781                         survey->channel_time_rx))
4782                 goto nla_put_failure;
4783         if ((survey->filled & SURVEY_INFO_CHANNEL_TIME_TX) &&
4784             nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_TX,
4785                         survey->channel_time_tx))
4786                 goto nla_put_failure;
4787
4788         nla_nest_end(msg, infoattr);
4789
4790         return genlmsg_end(msg, hdr);
4791
4792  nla_put_failure:
4793         genlmsg_cancel(msg, hdr);
4794         return -EMSGSIZE;
4795 }
4796
4797 static int nl80211_dump_survey(struct sk_buff *skb,
4798                         struct netlink_callback *cb)
4799 {
4800         struct survey_info survey;
4801         struct cfg80211_registered_device *dev;
4802         struct net_device *netdev;
4803         int survey_idx = cb->args[1];
4804         int res;
4805
4806         res = nl80211_prepare_netdev_dump(skb, cb, &dev, &netdev);
4807         if (res)
4808                 return res;
4809
4810         if (!dev->ops->dump_survey) {
4811                 res = -EOPNOTSUPP;
4812                 goto out_err;
4813         }
4814
4815         while (1) {
4816                 struct ieee80211_channel *chan;
4817
4818                 res = dev->ops->dump_survey(&dev->wiphy, netdev, survey_idx,
4819                                             &survey);
4820                 if (res == -ENOENT)
4821                         break;
4822                 if (res)
4823                         goto out_err;
4824
4825                 /* Survey without a channel doesn't make sense */
4826                 if (!survey.channel) {
4827                         res = -EINVAL;
4828                         goto out;
4829                 }
4830
4831                 chan = ieee80211_get_channel(&dev->wiphy,
4832                                              survey.channel->center_freq);
4833                 if (!chan || chan->flags & IEEE80211_CHAN_DISABLED) {
4834                         survey_idx++;
4835                         continue;
4836                 }
4837
4838                 if (nl80211_send_survey(skb,
4839                                 NETLINK_CB(cb->skb).pid,
4840                                 cb->nlh->nlmsg_seq, NLM_F_MULTI,
4841                                 netdev,
4842                                 &survey) < 0)
4843                         goto out;
4844                 survey_idx++;
4845         }
4846
4847  out:
4848         cb->args[1] = survey_idx;
4849         res = skb->len;
4850  out_err:
4851         nl80211_finish_netdev_dump(dev);
4852         return res;
4853 }
4854
4855 static bool nl80211_valid_auth_type(enum nl80211_auth_type auth_type)
4856 {
4857         return auth_type <= NL80211_AUTHTYPE_MAX;
4858 }
4859
4860 static bool nl80211_valid_wpa_versions(u32 wpa_versions)
4861 {
4862         return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
4863                                   NL80211_WPA_VERSION_2));
4864 }
4865
4866 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
4867 {
4868         struct cfg80211_registered_device *rdev = info->user_ptr[0];
4869         struct net_device *dev = info->user_ptr[1];
4870         struct ieee80211_channel *chan;
4871         const u8 *bssid, *ssid, *ie = NULL;
4872         int err, ssid_len, ie_len = 0;
4873         enum nl80211_auth_type auth_type;
4874         struct key_parse key;
4875         bool local_state_change;
4876
4877         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
4878                 return -EINVAL;
4879
4880         if (!info->attrs[NL80211_ATTR_MAC])
4881                 return -EINVAL;
4882
4883         if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
4884                 return -EINVAL;
4885
4886         if (!info->attrs[NL80211_ATTR_SSID])
4887                 return -EINVAL;
4888
4889         if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
4890                 return -EINVAL;
4891
4892         err = nl80211_parse_key(info, &key);
4893         if (err)
4894                 return err;
4895
4896         if (key.idx >= 0) {
4897                 if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
4898                         return -EINVAL;
4899                 if (!key.p.key || !key.p.key_len)
4900                         return -EINVAL;
4901                 if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
4902                      key.p.key_len != WLAN_KEY_LEN_WEP40) &&
4903                     (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
4904                      key.p.key_len != WLAN_KEY_LEN_WEP104))
4905                         return -EINVAL;
4906                 if (key.idx > 4)
4907                         return -EINVAL;
4908         } else {
4909                 key.p.key_len = 0;
4910                 key.p.key = NULL;
4911         }
4912
4913         if (key.idx >= 0) {
4914                 int i;
4915                 bool ok = false;
4916                 for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
4917                         if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
4918                                 ok = true;
4919                                 break;
4920                         }
4921                 }
4922                 if (!ok)
4923                         return -EINVAL;
4924         }
4925
4926         if (!rdev->ops->auth)
4927                 return -EOPNOTSUPP;
4928
4929         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
4930             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
4931                 return -EOPNOTSUPP;
4932
4933         bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
4934         chan = ieee80211_get_channel(&rdev->wiphy,
4935                 nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
4936         if (!chan || (chan->flags & IEEE80211_CHAN_DISABLED))
4937                 return -EINVAL;
4938
4939         ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
4940         ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
4941
4942         if (info->attrs[NL80211_ATTR_IE]) {
4943                 ie = nla_data(info->attrs[NL80211_ATTR_IE]);
4944                 ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
4945         }
4946
4947         auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
4948         if (!nl80211_valid_auth_type(auth_type))
4949                 return -EINVAL;
4950
4951         local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
4952
4953         /*
4954          * Since we no longer track auth state, ignore
4955          * requests to only change local state.
4956          */
4957         if (local_state_change)
4958                 return 0;
4959
4960         return cfg80211_mlme_auth(rdev, dev, chan, auth_type, bssid,
4961                                   ssid, ssid_len, ie, ie_len,
4962                                   key.p.key, key.p.key_len, key.idx);
4963 }
4964
4965 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
4966                                    struct genl_info *info,
4967                                    struct cfg80211_crypto_settings *settings,
4968                                    int cipher_limit)
4969 {
4970         memset(settings, 0, sizeof(*settings));
4971
4972         settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
4973
4974         if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
4975                 u16 proto;
4976                 proto = nla_get_u16(
4977                         info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
4978                 settings->control_port_ethertype = cpu_to_be16(proto);
4979                 if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
4980                     proto != ETH_P_PAE)
4981                         return -EINVAL;
4982                 if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
4983                         settings->control_port_no_encrypt = true;
4984         } else
4985                 settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
4986
4987         if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
4988                 void *data;
4989                 int len, i;
4990
4991                 data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
4992                 len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
4993                 settings->n_ciphers_pairwise = len / sizeof(u32);
4994
4995                 if (len % sizeof(u32))
4996                         return -EINVAL;
4997
4998                 if (settings->n_ciphers_pairwise > cipher_limit)
4999                         return -EINVAL;
5000
5001                 memcpy(settings->ciphers_pairwise, data, len);
5002
5003                 for (i = 0; i < settings->n_ciphers_pairwise; i++)
5004                         if (!cfg80211_supported_cipher_suite(
5005                                         &rdev->wiphy,
5006                                         settings->ciphers_pairwise[i]))
5007                                 return -EINVAL;
5008         }
5009
5010         if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
5011                 settings->cipher_group =
5012                         nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
5013                 if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
5014                                                      settings->cipher_group))
5015                         return -EINVAL;
5016         }
5017
5018         if (info->attrs[NL80211_ATTR_WPA_VERSIONS]) {
5019                 settings->wpa_versions =
5020                         nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
5021                 if (!nl80211_valid_wpa_versions(settings->wpa_versions))
5022                         return -EINVAL;
5023         }
5024
5025         if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
5026                 void *data;
5027                 int len;
5028
5029                 data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
5030                 len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
5031                 settings->n_akm_suites = len / sizeof(u32);
5032
5033                 if (len % sizeof(u32))
5034                         return -EINVAL;
5035
5036                 if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES)
5037                         return -EINVAL;
5038
5039                 memcpy(settings->akm_suites, data, len);
5040         }
5041
5042         return 0;
5043 }
5044
5045 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
5046 {
5047         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5048         struct net_device *dev = info->user_ptr[1];
5049         struct cfg80211_crypto_settings crypto;
5050         struct ieee80211_channel *chan;
5051         const u8 *bssid, *ssid, *ie = NULL, *prev_bssid = NULL;
5052         int err, ssid_len, ie_len = 0;
5053         bool use_mfp = false;
5054         u32 flags = 0;
5055         struct ieee80211_ht_cap *ht_capa = NULL;
5056         struct ieee80211_ht_cap *ht_capa_mask = NULL;
5057
5058         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
5059                 return -EINVAL;
5060
5061         if (!info->attrs[NL80211_ATTR_MAC] ||
5062             !info->attrs[NL80211_ATTR_SSID] ||
5063             !info->attrs[NL80211_ATTR_WIPHY_FREQ])
5064                 return -EINVAL;
5065
5066         if (!rdev->ops->assoc)
5067                 return -EOPNOTSUPP;
5068
5069         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
5070             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
5071                 return -EOPNOTSUPP;
5072
5073         bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
5074
5075         chan = ieee80211_get_channel(&rdev->wiphy,
5076                 nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
5077         if (!chan || (chan->flags & IEEE80211_CHAN_DISABLED))
5078                 return -EINVAL;
5079
5080         ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
5081         ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
5082
5083         if (info->attrs[NL80211_ATTR_IE]) {
5084                 ie = nla_data(info->attrs[NL80211_ATTR_IE]);
5085                 ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5086         }
5087
5088         if (info->attrs[NL80211_ATTR_USE_MFP]) {
5089                 enum nl80211_mfp mfp =
5090                         nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
5091                 if (mfp == NL80211_MFP_REQUIRED)
5092                         use_mfp = true;
5093                 else if (mfp != NL80211_MFP_NO)
5094                         return -EINVAL;
5095         }
5096
5097         if (info->attrs[NL80211_ATTR_PREV_BSSID])
5098                 prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
5099
5100         if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
5101                 flags |= ASSOC_REQ_DISABLE_HT;
5102
5103         if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
5104                 ht_capa_mask =
5105                         nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]);
5106
5107         if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
5108                 if (!ht_capa_mask)
5109                         return -EINVAL;
5110                 ht_capa = nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
5111         }
5112
5113         err = nl80211_crypto_settings(rdev, info, &crypto, 1);
5114         if (!err)
5115                 err = cfg80211_mlme_assoc(rdev, dev, chan, bssid, prev_bssid,
5116                                           ssid, ssid_len, ie, ie_len, use_mfp,
5117                                           &crypto, flags, ht_capa,
5118                                           ht_capa_mask);
5119
5120         return err;
5121 }
5122
5123 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
5124 {
5125         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5126         struct net_device *dev = info->user_ptr[1];
5127         const u8 *ie = NULL, *bssid;
5128         int ie_len = 0;
5129         u16 reason_code;
5130         bool local_state_change;
5131
5132         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
5133                 return -EINVAL;
5134
5135         if (!info->attrs[NL80211_ATTR_MAC])
5136                 return -EINVAL;
5137
5138         if (!info->attrs[NL80211_ATTR_REASON_CODE])
5139                 return -EINVAL;
5140
5141         if (!rdev->ops->deauth)
5142                 return -EOPNOTSUPP;
5143
5144         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
5145             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
5146                 return -EOPNOTSUPP;
5147
5148         bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
5149
5150         reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
5151         if (reason_code == 0) {
5152                 /* Reason Code 0 is reserved */
5153                 return -EINVAL;
5154         }
5155
5156         if (info->attrs[NL80211_ATTR_IE]) {
5157                 ie = nla_data(info->attrs[NL80211_ATTR_IE]);
5158                 ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5159         }
5160
5161         local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
5162
5163         return cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
5164                                     local_state_change);
5165 }
5166
5167 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
5168 {
5169         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5170         struct net_device *dev = info->user_ptr[1];
5171         const u8 *ie = NULL, *bssid;
5172         int ie_len = 0;
5173         u16 reason_code;
5174         bool local_state_change;
5175
5176         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
5177                 return -EINVAL;
5178
5179         if (!info->attrs[NL80211_ATTR_MAC])
5180                 return -EINVAL;
5181
5182         if (!info->attrs[NL80211_ATTR_REASON_CODE])
5183                 return -EINVAL;
5184
5185         if (!rdev->ops->disassoc)
5186                 return -EOPNOTSUPP;
5187
5188         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
5189             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
5190                 return -EOPNOTSUPP;
5191
5192         bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
5193
5194         reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
5195         if (reason_code == 0) {
5196                 /* Reason Code 0 is reserved */
5197                 return -EINVAL;
5198         }
5199
5200         if (info->attrs[NL80211_ATTR_IE]) {
5201                 ie = nla_data(info->attrs[NL80211_ATTR_IE]);
5202                 ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5203         }
5204
5205         local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
5206
5207         return cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
5208                                       local_state_change);
5209 }
5210
5211 static bool
5212 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
5213                          int mcast_rate[IEEE80211_NUM_BANDS],
5214                          int rateval)
5215 {
5216         struct wiphy *wiphy = &rdev->wiphy;
5217         bool found = false;
5218         int band, i;
5219
5220         for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
5221                 struct ieee80211_supported_band *sband;
5222
5223                 sband = wiphy->bands[band];
5224                 if (!sband)
5225                         continue;
5226
5227                 for (i = 0; i < sband->n_bitrates; i++) {
5228                         if (sband->bitrates[i].bitrate == rateval) {
5229                                 mcast_rate[band] = i + 1;
5230                                 found = true;
5231                                 break;
5232                         }
5233                 }
5234         }
5235
5236         return found;
5237 }
5238
5239 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
5240 {
5241         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5242         struct net_device *dev = info->user_ptr[1];
5243         struct cfg80211_ibss_params ibss;
5244         struct wiphy *wiphy;
5245         struct cfg80211_cached_keys *connkeys = NULL;
5246         int err;
5247
5248         memset(&ibss, 0, sizeof(ibss));
5249
5250         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
5251                 return -EINVAL;
5252
5253         if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
5254             !info->attrs[NL80211_ATTR_SSID] ||
5255             !nla_len(info->attrs[NL80211_ATTR_SSID]))
5256                 return -EINVAL;
5257
5258         ibss.beacon_interval = 100;
5259
5260         if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
5261                 ibss.beacon_interval =
5262                         nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
5263                 if (ibss.beacon_interval < 1 || ibss.beacon_interval > 10000)
5264                         return -EINVAL;
5265         }
5266
5267         if (!rdev->ops->join_ibss)
5268                 return -EOPNOTSUPP;
5269
5270         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
5271                 return -EOPNOTSUPP;
5272
5273         wiphy = &rdev->wiphy;
5274
5275         if (info->attrs[NL80211_ATTR_MAC]) {
5276                 ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
5277
5278                 if (!is_valid_ether_addr(ibss.bssid))
5279                         return -EINVAL;
5280         }
5281         ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
5282         ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
5283
5284         if (info->attrs[NL80211_ATTR_IE]) {
5285                 ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
5286                 ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5287         }
5288
5289         if (info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
5290                 enum nl80211_channel_type channel_type;
5291
5292                 if (!nl80211_valid_channel_type(info, &channel_type))
5293                         return -EINVAL;
5294
5295                 if (channel_type != NL80211_CHAN_NO_HT &&
5296                     !(wiphy->features & NL80211_FEATURE_HT_IBSS))
5297                         return -EINVAL;
5298
5299                 ibss.channel_type = channel_type;
5300         } else {
5301                 ibss.channel_type = NL80211_CHAN_NO_HT;
5302         }
5303
5304         ibss.channel = rdev_freq_to_chan(rdev,
5305                 nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]),
5306                 ibss.channel_type);
5307         if (!ibss.channel ||
5308             ibss.channel->flags & IEEE80211_CHAN_NO_IBSS ||
5309             ibss.channel->flags & IEEE80211_CHAN_DISABLED)
5310                 return -EINVAL;
5311
5312         /* Both channels should be able to initiate communication */
5313         if ((ibss.channel_type == NL80211_CHAN_HT40PLUS ||
5314              ibss.channel_type == NL80211_CHAN_HT40MINUS) &&
5315             !cfg80211_can_beacon_sec_chan(&rdev->wiphy, ibss.channel,
5316                                           ibss.channel_type))
5317                 return -EINVAL;
5318
5319         ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
5320         ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
5321
5322         if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
5323                 u8 *rates =
5324                         nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
5325                 int n_rates =
5326                         nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
5327                 struct ieee80211_supported_band *sband =
5328                         wiphy->bands[ibss.channel->band];
5329
5330                 err = ieee80211_get_ratemask(sband, rates, n_rates,
5331                                              &ibss.basic_rates);
5332                 if (err)
5333                         return err;
5334         }
5335
5336         if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
5337             !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
5338                         nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
5339                 return -EINVAL;
5340
5341         if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
5342                 connkeys = nl80211_parse_connkeys(rdev,
5343                                         info->attrs[NL80211_ATTR_KEYS]);
5344                 if (IS_ERR(connkeys))
5345                         return PTR_ERR(connkeys);
5346         }
5347
5348         ibss.control_port =
5349                 nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
5350
5351         err = cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
5352         if (err)
5353                 kfree(connkeys);
5354         return err;
5355 }
5356
5357 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
5358 {
5359         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5360         struct net_device *dev = info->user_ptr[1];
5361
5362         if (!rdev->ops->leave_ibss)
5363                 return -EOPNOTSUPP;
5364
5365         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
5366                 return -EOPNOTSUPP;
5367
5368         return cfg80211_leave_ibss(rdev, dev, false);
5369 }
5370
5371 #ifdef CONFIG_NL80211_TESTMODE
5372 static struct genl_multicast_group nl80211_testmode_mcgrp = {
5373         .name = "testmode",
5374 };
5375
5376 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
5377 {
5378         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5379         int err;
5380
5381         if (!info->attrs[NL80211_ATTR_TESTDATA])
5382                 return -EINVAL;
5383
5384         err = -EOPNOTSUPP;
5385         if (rdev->ops->testmode_cmd) {
5386                 rdev->testmode_info = info;
5387                 err = rdev->ops->testmode_cmd(&rdev->wiphy,
5388                                 nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
5389                                 nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
5390                 rdev->testmode_info = NULL;
5391         }
5392
5393         return err;
5394 }
5395
5396 static int nl80211_testmode_dump(struct sk_buff *skb,
5397                                  struct netlink_callback *cb)
5398 {
5399         struct cfg80211_registered_device *rdev;
5400         int err;
5401         long phy_idx;
5402         void *data = NULL;
5403         int data_len = 0;
5404
5405         if (cb->args[0]) {
5406                 /*
5407                  * 0 is a valid index, but not valid for args[0],
5408                  * so we need to offset by 1.
5409                  */
5410                 phy_idx = cb->args[0] - 1;
5411         } else {
5412                 err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
5413                                   nl80211_fam.attrbuf, nl80211_fam.maxattr,
5414                                   nl80211_policy);
5415                 if (err)
5416                         return err;
5417
5418                 mutex_lock(&cfg80211_mutex);
5419                 rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk),
5420                                                   nl80211_fam.attrbuf);
5421                 if (IS_ERR(rdev)) {
5422                         mutex_unlock(&cfg80211_mutex);
5423                         return PTR_ERR(rdev);
5424                 }
5425                 phy_idx = rdev->wiphy_idx;
5426                 rdev = NULL;
5427                 mutex_unlock(&cfg80211_mutex);
5428
5429                 if (nl80211_fam.attrbuf[NL80211_ATTR_TESTDATA])
5430                         cb->args[1] =
5431                                 (long)nl80211_fam.attrbuf[NL80211_ATTR_TESTDATA];
5432         }
5433
5434         if (cb->args[1]) {
5435                 data = nla_data((void *)cb->args[1]);
5436                 data_len = nla_len((void *)cb->args[1]);
5437         }
5438
5439         mutex_lock(&cfg80211_mutex);
5440         rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
5441         if (!rdev) {
5442                 mutex_unlock(&cfg80211_mutex);
5443                 return -ENOENT;
5444         }
5445         cfg80211_lock_rdev(rdev);
5446         mutex_unlock(&cfg80211_mutex);
5447
5448         if (!rdev->ops->testmode_dump) {
5449                 err = -EOPNOTSUPP;
5450                 goto out_err;
5451         }
5452
5453         while (1) {
5454                 void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).pid,
5455                                            cb->nlh->nlmsg_seq, NLM_F_MULTI,
5456                                            NL80211_CMD_TESTMODE);
5457                 struct nlattr *tmdata;
5458
5459                 if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
5460                         genlmsg_cancel(skb, hdr);
5461                         break;
5462                 }
5463
5464                 tmdata = nla_nest_start(skb, NL80211_ATTR_TESTDATA);
5465                 if (!tmdata) {
5466                         genlmsg_cancel(skb, hdr);
5467                         break;
5468                 }
5469                 err = rdev->ops->testmode_dump(&rdev->wiphy, skb, cb,
5470                                                data, data_len);
5471                 nla_nest_end(skb, tmdata);
5472
5473                 if (err == -ENOBUFS || err == -ENOENT) {
5474                         genlmsg_cancel(skb, hdr);
5475                         break;
5476                 } else if (err) {
5477                         genlmsg_cancel(skb, hdr);
5478                         goto out_err;
5479                 }
5480
5481                 genlmsg_end(skb, hdr);
5482         }
5483
5484         err = skb->len;
5485         /* see above */
5486         cb->args[0] = phy_idx + 1;
5487  out_err:
5488         cfg80211_unlock_rdev(rdev);
5489         return err;
5490 }
5491
5492 static struct sk_buff *
5493 __cfg80211_testmode_alloc_skb(struct cfg80211_registered_device *rdev,
5494                               int approxlen, u32 pid, u32 seq, gfp_t gfp)
5495 {
5496         struct sk_buff *skb;
5497         void *hdr;
5498         struct nlattr *data;
5499
5500         skb = nlmsg_new(approxlen + 100, gfp);
5501         if (!skb)
5502                 return NULL;
5503
5504         hdr = nl80211hdr_put(skb, pid, seq, 0, NL80211_CMD_TESTMODE);
5505         if (!hdr) {
5506                 kfree_skb(skb);
5507                 return NULL;
5508         }
5509
5510         if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
5511                 goto nla_put_failure;
5512         data = nla_nest_start(skb, NL80211_ATTR_TESTDATA);
5513
5514         ((void **)skb->cb)[0] = rdev;
5515         ((void **)skb->cb)[1] = hdr;
5516         ((void **)skb->cb)[2] = data;
5517
5518         return skb;
5519
5520  nla_put_failure:
5521         kfree_skb(skb);
5522         return NULL;
5523 }
5524
5525 struct sk_buff *cfg80211_testmode_alloc_reply_skb(struct wiphy *wiphy,
5526                                                   int approxlen)
5527 {
5528         struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
5529
5530         if (WARN_ON(!rdev->testmode_info))
5531                 return NULL;
5532
5533         return __cfg80211_testmode_alloc_skb(rdev, approxlen,
5534                                 rdev->testmode_info->snd_pid,
5535                                 rdev->testmode_info->snd_seq,
5536                                 GFP_KERNEL);
5537 }
5538 EXPORT_SYMBOL(cfg80211_testmode_alloc_reply_skb);
5539
5540 int cfg80211_testmode_reply(struct sk_buff *skb)
5541 {
5542         struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
5543         void *hdr = ((void **)skb->cb)[1];
5544         struct nlattr *data = ((void **)skb->cb)[2];
5545
5546         if (WARN_ON(!rdev->testmode_info)) {
5547                 kfree_skb(skb);
5548                 return -EINVAL;
5549         }
5550
5551         nla_nest_end(skb, data);
5552         genlmsg_end(skb, hdr);
5553         return genlmsg_reply(skb, rdev->testmode_info);
5554 }
5555 EXPORT_SYMBOL(cfg80211_testmode_reply);
5556
5557 struct sk_buff *cfg80211_testmode_alloc_event_skb(struct wiphy *wiphy,
5558                                                   int approxlen, gfp_t gfp)
5559 {
5560         struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
5561
5562         return __cfg80211_testmode_alloc_skb(rdev, approxlen, 0, 0, gfp);
5563 }
5564 EXPORT_SYMBOL(cfg80211_testmode_alloc_event_skb);
5565
5566 void cfg80211_testmode_event(struct sk_buff *skb, gfp_t gfp)
5567 {
5568         void *hdr = ((void **)skb->cb)[1];
5569         struct nlattr *data = ((void **)skb->cb)[2];
5570
5571         nla_nest_end(skb, data);
5572         genlmsg_end(skb, hdr);
5573         genlmsg_multicast(skb, 0, nl80211_testmode_mcgrp.id, gfp);
5574 }
5575 EXPORT_SYMBOL(cfg80211_testmode_event);
5576 #endif
5577
5578 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
5579 {
5580         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5581         struct net_device *dev = info->user_ptr[1];
5582         struct cfg80211_connect_params connect;
5583         struct wiphy *wiphy;
5584         struct cfg80211_cached_keys *connkeys = NULL;
5585         int err;
5586
5587         memset(&connect, 0, sizeof(connect));
5588
5589         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
5590                 return -EINVAL;
5591
5592         if (!info->attrs[NL80211_ATTR_SSID] ||
5593             !nla_len(info->attrs[NL80211_ATTR_SSID]))
5594                 return -EINVAL;
5595
5596         if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
5597                 connect.auth_type =
5598                         nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
5599                 if (!nl80211_valid_auth_type(connect.auth_type))
5600                         return -EINVAL;
5601         } else
5602                 connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
5603
5604         connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
5605
5606         err = nl80211_crypto_settings(rdev, info, &connect.crypto,
5607                                       NL80211_MAX_NR_CIPHER_SUITES);
5608         if (err)
5609                 return err;
5610
5611         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
5612             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
5613                 return -EOPNOTSUPP;
5614
5615         wiphy = &rdev->wiphy;
5616
5617         connect.bg_scan_period = -1;
5618         if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
5619                 (wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
5620                 connect.bg_scan_period =
5621                         nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
5622         }
5623
5624         if (info->attrs[NL80211_ATTR_MAC])
5625                 connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
5626         connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
5627         connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
5628
5629         if (info->attrs[NL80211_ATTR_IE]) {
5630                 connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
5631                 connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5632         }
5633
5634         if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
5635                 connect.channel =
5636                         ieee80211_get_channel(wiphy,
5637                             nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
5638                 if (!connect.channel ||
5639                     connect.channel->flags & IEEE80211_CHAN_DISABLED)
5640                         return -EINVAL;
5641         }
5642
5643         if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
5644                 connkeys = nl80211_parse_connkeys(rdev,
5645                                         info->attrs[NL80211_ATTR_KEYS]);
5646                 if (IS_ERR(connkeys))
5647                         return PTR_ERR(connkeys);
5648         }
5649
5650         if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
5651                 connect.flags |= ASSOC_REQ_DISABLE_HT;
5652
5653         if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
5654                 memcpy(&connect.ht_capa_mask,
5655                        nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
5656                        sizeof(connect.ht_capa_mask));
5657
5658         if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
5659                 if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
5660                         kfree(connkeys);
5661                         return -EINVAL;
5662                 }
5663                 memcpy(&connect.ht_capa,
5664                        nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
5665                        sizeof(connect.ht_capa));
5666         }
5667
5668         err = cfg80211_connect(rdev, dev, &connect, connkeys);
5669         if (err)
5670                 kfree(connkeys);
5671         return err;
5672 }
5673
5674 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
5675 {
5676         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5677         struct net_device *dev = info->user_ptr[1];
5678         u16 reason;
5679
5680         if (!info->attrs[NL80211_ATTR_REASON_CODE])
5681                 reason = WLAN_REASON_DEAUTH_LEAVING;
5682         else
5683                 reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
5684
5685         if (reason == 0)
5686                 return -EINVAL;
5687
5688         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
5689             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
5690                 return -EOPNOTSUPP;
5691
5692         return cfg80211_disconnect(rdev, dev, reason, true);
5693 }
5694
5695 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
5696 {
5697         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5698         struct net *net;
5699         int err;
5700         u32 pid;
5701
5702         if (!info->attrs[NL80211_ATTR_PID])
5703                 return -EINVAL;
5704
5705         pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
5706
5707         net = get_net_ns_by_pid(pid);
5708         if (IS_ERR(net))
5709                 return PTR_ERR(net);
5710
5711         err = 0;
5712
5713         /* check if anything to do */
5714         if (!net_eq(wiphy_net(&rdev->wiphy), net))
5715                 err = cfg80211_switch_netns(rdev, net);
5716
5717         put_net(net);
5718         return err;
5719 }
5720
5721 static int nl80211_setdel_pmksa(struct sk_buff *skb, struct genl_info *info)
5722 {
5723         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5724         int (*rdev_ops)(struct wiphy *wiphy, struct net_device *dev,
5725                         struct cfg80211_pmksa *pmksa) = NULL;
5726         struct net_device *dev = info->user_ptr[1];
5727         struct cfg80211_pmksa pmksa;
5728
5729         memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
5730
5731         if (!info->attrs[NL80211_ATTR_MAC])
5732                 return -EINVAL;
5733
5734         if (!info->attrs[NL80211_ATTR_PMKID])
5735                 return -EINVAL;
5736
5737         pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
5738         pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
5739
5740         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
5741             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
5742                 return -EOPNOTSUPP;
5743
5744         switch (info->genlhdr->cmd) {
5745         case NL80211_CMD_SET_PMKSA:
5746                 rdev_ops = rdev->ops->set_pmksa;
5747                 break;
5748         case NL80211_CMD_DEL_PMKSA:
5749                 rdev_ops = rdev->ops->del_pmksa;
5750                 break;
5751         default:
5752                 WARN_ON(1);
5753                 break;
5754         }
5755
5756         if (!rdev_ops)
5757                 return -EOPNOTSUPP;
5758
5759         return rdev_ops(&rdev->wiphy, dev, &pmksa);
5760 }
5761
5762 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
5763 {
5764         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5765         struct net_device *dev = info->user_ptr[1];
5766
5767         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
5768             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
5769                 return -EOPNOTSUPP;
5770
5771         if (!rdev->ops->flush_pmksa)
5772                 return -EOPNOTSUPP;
5773
5774         return rdev->ops->flush_pmksa(&rdev->wiphy, dev);
5775 }
5776
5777 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
5778 {
5779         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5780         struct net_device *dev = info->user_ptr[1];
5781         u8 action_code, dialog_token;
5782         u16 status_code;
5783         u8 *peer;
5784
5785         if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
5786             !rdev->ops->tdls_mgmt)
5787                 return -EOPNOTSUPP;
5788
5789         if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
5790             !info->attrs[NL80211_ATTR_STATUS_CODE] ||
5791             !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
5792             !info->attrs[NL80211_ATTR_IE] ||
5793             !info->attrs[NL80211_ATTR_MAC])
5794                 return -EINVAL;
5795
5796         peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
5797         action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
5798         status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
5799         dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
5800
5801         return rdev->ops->tdls_mgmt(&rdev->wiphy, dev, peer, action_code,
5802                                     dialog_token, status_code,
5803                                     nla_data(info->attrs[NL80211_ATTR_IE]),
5804                                     nla_len(info->attrs[NL80211_ATTR_IE]));
5805 }
5806
5807 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
5808 {
5809         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5810         struct net_device *dev = info->user_ptr[1];
5811         enum nl80211_tdls_operation operation;
5812         u8 *peer;
5813
5814         if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
5815             !rdev->ops->tdls_oper)
5816                 return -EOPNOTSUPP;
5817
5818         if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
5819             !info->attrs[NL80211_ATTR_MAC])
5820                 return -EINVAL;
5821
5822         operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
5823         peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
5824
5825         return rdev->ops->tdls_oper(&rdev->wiphy, dev, peer, operation);
5826 }
5827
5828 static int nl80211_remain_on_channel(struct sk_buff *skb,
5829                                      struct genl_info *info)
5830 {
5831         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5832         struct wireless_dev *wdev = info->user_ptr[1];
5833         struct ieee80211_channel *chan;
5834         struct sk_buff *msg;
5835         void *hdr;
5836         u64 cookie;
5837         enum nl80211_channel_type channel_type = NL80211_CHAN_NO_HT;
5838         u32 freq, duration;
5839         int err;
5840