cfg80211: validate nl80211 station handling better
[linux-3.10.git] / net / wireless / nl80211.c
1 /*
2  * This is the new netlink-based wireless configuration interface.
3  *
4  * Copyright 2006-2010  Johannes Berg <johannes@sipsolutions.net>
5  */
6
7 #include <linux/if.h>
8 #include <linux/module.h>
9 #include <linux/err.h>
10 #include <linux/slab.h>
11 #include <linux/list.h>
12 #include <linux/if_ether.h>
13 #include <linux/ieee80211.h>
14 #include <linux/nl80211.h>
15 #include <linux/rtnetlink.h>
16 #include <linux/netlink.h>
17 #include <linux/etherdevice.h>
18 #include <net/net_namespace.h>
19 #include <net/genetlink.h>
20 #include <net/cfg80211.h>
21 #include <net/sock.h>
22 #include "core.h"
23 #include "nl80211.h"
24 #include "reg.h"
25
26 static bool nl80211_valid_auth_type(enum nl80211_auth_type auth_type);
27 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
28                                    struct genl_info *info,
29                                    struct cfg80211_crypto_settings *settings,
30                                    int cipher_limit);
31
32 static int nl80211_pre_doit(struct genl_ops *ops, struct sk_buff *skb,
33                             struct genl_info *info);
34 static void nl80211_post_doit(struct genl_ops *ops, struct sk_buff *skb,
35                               struct genl_info *info);
36
37 /* the netlink family */
38 static struct genl_family nl80211_fam = {
39         .id = GENL_ID_GENERATE, /* don't bother with a hardcoded ID */
40         .name = "nl80211",      /* have users key off the name instead */
41         .hdrsize = 0,           /* no private header */
42         .version = 1,           /* no particular meaning now */
43         .maxattr = NL80211_ATTR_MAX,
44         .netnsok = true,
45         .pre_doit = nl80211_pre_doit,
46         .post_doit = nl80211_post_doit,
47 };
48
49 /* internal helper: get rdev and dev */
50 static int get_rdev_dev_by_ifindex(struct net *netns, struct nlattr **attrs,
51                                    struct cfg80211_registered_device **rdev,
52                                    struct net_device **dev)
53 {
54         int ifindex;
55
56         if (!attrs[NL80211_ATTR_IFINDEX])
57                 return -EINVAL;
58
59         ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
60         *dev = dev_get_by_index(netns, ifindex);
61         if (!*dev)
62                 return -ENODEV;
63
64         *rdev = cfg80211_get_dev_from_ifindex(netns, ifindex);
65         if (IS_ERR(*rdev)) {
66                 dev_put(*dev);
67                 return PTR_ERR(*rdev);
68         }
69
70         return 0;
71 }
72
73 /* policy for the attributes */
74 static const struct nla_policy nl80211_policy[NL80211_ATTR_MAX+1] = {
75         [NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
76         [NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
77                                       .len = 20-1 },
78         [NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
79         [NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
80         [NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
81         [NL80211_ATTR_WIPHY_RETRY_SHORT] = { .type = NLA_U8 },
82         [NL80211_ATTR_WIPHY_RETRY_LONG] = { .type = NLA_U8 },
83         [NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
84         [NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
85         [NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
86
87         [NL80211_ATTR_IFTYPE] = { .type = NLA_U32 },
88         [NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
89         [NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
90
91         [NL80211_ATTR_MAC] = { .len = ETH_ALEN },
92         [NL80211_ATTR_PREV_BSSID] = { .len = ETH_ALEN },
93
94         [NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
95         [NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
96                                     .len = WLAN_MAX_KEY_LEN },
97         [NL80211_ATTR_KEY_IDX] = { .type = NLA_U8 },
98         [NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
99         [NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
100         [NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
101         [NL80211_ATTR_KEY_TYPE] = { .type = NLA_U32 },
102
103         [NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
104         [NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
105         [NL80211_ATTR_BEACON_HEAD] = { .type = NLA_BINARY,
106                                        .len = IEEE80211_MAX_DATA_LEN },
107         [NL80211_ATTR_BEACON_TAIL] = { .type = NLA_BINARY,
108                                        .len = IEEE80211_MAX_DATA_LEN },
109         [NL80211_ATTR_STA_AID] = { .type = NLA_U16 },
110         [NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
111         [NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
112         [NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
113                                                .len = NL80211_MAX_SUPP_RATES },
114         [NL80211_ATTR_STA_PLINK_ACTION] = { .type = NLA_U8 },
115         [NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
116         [NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
117         [NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
118                                 .len = IEEE80211_MAX_MESH_ID_LEN },
119         [NL80211_ATTR_MPATH_NEXT_HOP] = { .type = NLA_U32 },
120
121         [NL80211_ATTR_REG_ALPHA2] = { .type = NLA_STRING, .len = 2 },
122         [NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
123
124         [NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
125         [NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
126         [NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
127         [NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
128                                            .len = NL80211_MAX_SUPP_RATES },
129         [NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
130
131         [NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
132         [NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
133
134         [NL80211_ATTR_HT_CAPABILITY] = { .len = NL80211_HT_CAPABILITY_LEN },
135
136         [NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
137         [NL80211_ATTR_IE] = { .type = NLA_BINARY,
138                               .len = IEEE80211_MAX_DATA_LEN },
139         [NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
140         [NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
141
142         [NL80211_ATTR_SSID] = { .type = NLA_BINARY,
143                                 .len = IEEE80211_MAX_SSID_LEN },
144         [NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
145         [NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
146         [NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
147         [NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
148         [NL80211_ATTR_USE_MFP] = { .type = NLA_U32 },
149         [NL80211_ATTR_STA_FLAGS2] = {
150                 .len = sizeof(struct nl80211_sta_flag_update),
151         },
152         [NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
153         [NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
154         [NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
155         [NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
156         [NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
157         [NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
158         [NL80211_ATTR_PID] = { .type = NLA_U32 },
159         [NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
160         [NL80211_ATTR_PMKID] = { .type = NLA_BINARY,
161                                  .len = WLAN_PMKID_LEN },
162         [NL80211_ATTR_DURATION] = { .type = NLA_U32 },
163         [NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
164         [NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
165         [NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
166                                  .len = IEEE80211_MAX_DATA_LEN },
167         [NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
168         [NL80211_ATTR_PS_STATE] = { .type = NLA_U32 },
169         [NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
170         [NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
171         [NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
172         [NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
173         [NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
174         [NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
175         [NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
176         [NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
177         [NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
178         [NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
179         [NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
180         [NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
181         [NL80211_ATTR_STA_PLINK_STATE] = { .type = NLA_U8 },
182         [NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
183         [NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
184         [NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
185         [NL80211_ATTR_HIDDEN_SSID] = { .type = NLA_U32 },
186         [NL80211_ATTR_IE_PROBE_RESP] = { .type = NLA_BINARY,
187                                          .len = IEEE80211_MAX_DATA_LEN },
188         [NL80211_ATTR_IE_ASSOC_RESP] = { .type = NLA_BINARY,
189                                          .len = IEEE80211_MAX_DATA_LEN },
190         [NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
191         [NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
192         [NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
193         [NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
194         [NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
195         [NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
196         [NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
197         [NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
198         [NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
199         [NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
200                                       .len = IEEE80211_MAX_DATA_LEN },
201         [NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
202         [NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
203         [NL80211_ATTR_HT_CAPABILITY_MASK] = {
204                 .len = NL80211_HT_CAPABILITY_LEN
205         },
206         [NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
207 };
208
209 /* policy for the key attributes */
210 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
211         [NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
212         [NL80211_KEY_IDX] = { .type = NLA_U8 },
213         [NL80211_KEY_CIPHER] = { .type = NLA_U32 },
214         [NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
215         [NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
216         [NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
217         [NL80211_KEY_TYPE] = { .type = NLA_U32 },
218         [NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
219 };
220
221 /* policy for the key default flags */
222 static const struct nla_policy
223 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
224         [NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
225         [NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
226 };
227
228 /* policy for WoWLAN attributes */
229 static const struct nla_policy
230 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
231         [NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
232         [NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
233         [NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
234         [NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
235         [NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
236         [NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
237         [NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
238         [NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
239 };
240
241 /* policy for GTK rekey offload attributes */
242 static const struct nla_policy
243 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
244         [NL80211_REKEY_DATA_KEK] = { .len = NL80211_KEK_LEN },
245         [NL80211_REKEY_DATA_KCK] = { .len = NL80211_KCK_LEN },
246         [NL80211_REKEY_DATA_REPLAY_CTR] = { .len = NL80211_REPLAY_CTR_LEN },
247 };
248
249 static const struct nla_policy
250 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
251         [NL80211_ATTR_SCHED_SCAN_MATCH_SSID] = { .type = NLA_BINARY,
252                                                  .len = IEEE80211_MAX_SSID_LEN },
253 };
254
255 /* ifidx get helper */
256 static int nl80211_get_ifidx(struct netlink_callback *cb)
257 {
258         int res;
259
260         res = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
261                           nl80211_fam.attrbuf, nl80211_fam.maxattr,
262                           nl80211_policy);
263         if (res)
264                 return res;
265
266         if (!nl80211_fam.attrbuf[NL80211_ATTR_IFINDEX])
267                 return -EINVAL;
268
269         res = nla_get_u32(nl80211_fam.attrbuf[NL80211_ATTR_IFINDEX]);
270         if (!res)
271                 return -EINVAL;
272         return res;
273 }
274
275 static int nl80211_prepare_netdev_dump(struct sk_buff *skb,
276                                        struct netlink_callback *cb,
277                                        struct cfg80211_registered_device **rdev,
278                                        struct net_device **dev)
279 {
280         int ifidx = cb->args[0];
281         int err;
282
283         if (!ifidx)
284                 ifidx = nl80211_get_ifidx(cb);
285         if (ifidx < 0)
286                 return ifidx;
287
288         cb->args[0] = ifidx;
289
290         rtnl_lock();
291
292         *dev = __dev_get_by_index(sock_net(skb->sk), ifidx);
293         if (!*dev) {
294                 err = -ENODEV;
295                 goto out_rtnl;
296         }
297
298         *rdev = cfg80211_get_dev_from_ifindex(sock_net(skb->sk), ifidx);
299         if (IS_ERR(*rdev)) {
300                 err = PTR_ERR(*rdev);
301                 goto out_rtnl;
302         }
303
304         return 0;
305  out_rtnl:
306         rtnl_unlock();
307         return err;
308 }
309
310 static void nl80211_finish_netdev_dump(struct cfg80211_registered_device *rdev)
311 {
312         cfg80211_unlock_rdev(rdev);
313         rtnl_unlock();
314 }
315
316 /* IE validation */
317 static bool is_valid_ie_attr(const struct nlattr *attr)
318 {
319         const u8 *pos;
320         int len;
321
322         if (!attr)
323                 return true;
324
325         pos = nla_data(attr);
326         len = nla_len(attr);
327
328         while (len) {
329                 u8 elemlen;
330
331                 if (len < 2)
332                         return false;
333                 len -= 2;
334
335                 elemlen = pos[1];
336                 if (elemlen > len)
337                         return false;
338
339                 len -= elemlen;
340                 pos += 2 + elemlen;
341         }
342
343         return true;
344 }
345
346 /* message building helper */
347 static inline void *nl80211hdr_put(struct sk_buff *skb, u32 pid, u32 seq,
348                                    int flags, u8 cmd)
349 {
350         /* since there is no private header just add the generic one */
351         return genlmsg_put(skb, pid, seq, &nl80211_fam, flags, cmd);
352 }
353
354 static int nl80211_msg_put_channel(struct sk_buff *msg,
355                                    struct ieee80211_channel *chan)
356 {
357         NLA_PUT_U32(msg, NL80211_FREQUENCY_ATTR_FREQ,
358                     chan->center_freq);
359
360         if (chan->flags & IEEE80211_CHAN_DISABLED)
361                 NLA_PUT_FLAG(msg, NL80211_FREQUENCY_ATTR_DISABLED);
362         if (chan->flags & IEEE80211_CHAN_PASSIVE_SCAN)
363                 NLA_PUT_FLAG(msg, NL80211_FREQUENCY_ATTR_PASSIVE_SCAN);
364         if (chan->flags & IEEE80211_CHAN_NO_IBSS)
365                 NLA_PUT_FLAG(msg, NL80211_FREQUENCY_ATTR_NO_IBSS);
366         if (chan->flags & IEEE80211_CHAN_RADAR)
367                 NLA_PUT_FLAG(msg, NL80211_FREQUENCY_ATTR_RADAR);
368
369         NLA_PUT_U32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
370                     DBM_TO_MBM(chan->max_power));
371
372         return 0;
373
374  nla_put_failure:
375         return -ENOBUFS;
376 }
377
378 /* netlink command implementations */
379
380 struct key_parse {
381         struct key_params p;
382         int idx;
383         int type;
384         bool def, defmgmt;
385         bool def_uni, def_multi;
386 };
387
388 static int nl80211_parse_key_new(struct nlattr *key, struct key_parse *k)
389 {
390         struct nlattr *tb[NL80211_KEY_MAX + 1];
391         int err = nla_parse_nested(tb, NL80211_KEY_MAX, key,
392                                    nl80211_key_policy);
393         if (err)
394                 return err;
395
396         k->def = !!tb[NL80211_KEY_DEFAULT];
397         k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
398
399         if (k->def) {
400                 k->def_uni = true;
401                 k->def_multi = true;
402         }
403         if (k->defmgmt)
404                 k->def_multi = true;
405
406         if (tb[NL80211_KEY_IDX])
407                 k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
408
409         if (tb[NL80211_KEY_DATA]) {
410                 k->p.key = nla_data(tb[NL80211_KEY_DATA]);
411                 k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
412         }
413
414         if (tb[NL80211_KEY_SEQ]) {
415                 k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
416                 k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
417         }
418
419         if (tb[NL80211_KEY_CIPHER])
420                 k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
421
422         if (tb[NL80211_KEY_TYPE]) {
423                 k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
424                 if (k->type < 0 || k->type >= NUM_NL80211_KEYTYPES)
425                         return -EINVAL;
426         }
427
428         if (tb[NL80211_KEY_DEFAULT_TYPES]) {
429                 struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
430                 int err = nla_parse_nested(kdt,
431                                            NUM_NL80211_KEY_DEFAULT_TYPES - 1,
432                                            tb[NL80211_KEY_DEFAULT_TYPES],
433                                            nl80211_key_default_policy);
434                 if (err)
435                         return err;
436
437                 k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
438                 k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
439         }
440
441         return 0;
442 }
443
444 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
445 {
446         if (info->attrs[NL80211_ATTR_KEY_DATA]) {
447                 k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
448                 k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
449         }
450
451         if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
452                 k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
453                 k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
454         }
455
456         if (info->attrs[NL80211_ATTR_KEY_IDX])
457                 k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
458
459         if (info->attrs[NL80211_ATTR_KEY_CIPHER])
460                 k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
461
462         k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
463         k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
464
465         if (k->def) {
466                 k->def_uni = true;
467                 k->def_multi = true;
468         }
469         if (k->defmgmt)
470                 k->def_multi = true;
471
472         if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
473                 k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
474                 if (k->type < 0 || k->type >= NUM_NL80211_KEYTYPES)
475                         return -EINVAL;
476         }
477
478         if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
479                 struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
480                 int err = nla_parse_nested(
481                                 kdt, NUM_NL80211_KEY_DEFAULT_TYPES - 1,
482                                 info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
483                                 nl80211_key_default_policy);
484                 if (err)
485                         return err;
486
487                 k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
488                 k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
489         }
490
491         return 0;
492 }
493
494 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
495 {
496         int err;
497
498         memset(k, 0, sizeof(*k));
499         k->idx = -1;
500         k->type = -1;
501
502         if (info->attrs[NL80211_ATTR_KEY])
503                 err = nl80211_parse_key_new(info->attrs[NL80211_ATTR_KEY], k);
504         else
505                 err = nl80211_parse_key_old(info, k);
506
507         if (err)
508                 return err;
509
510         if (k->def && k->defmgmt)
511                 return -EINVAL;
512
513         if (k->defmgmt) {
514                 if (k->def_uni || !k->def_multi)
515                         return -EINVAL;
516         }
517
518         if (k->idx != -1) {
519                 if (k->defmgmt) {
520                         if (k->idx < 4 || k->idx > 5)
521                                 return -EINVAL;
522                 } else if (k->def) {
523                         if (k->idx < 0 || k->idx > 3)
524                                 return -EINVAL;
525                 } else {
526                         if (k->idx < 0 || k->idx > 5)
527                                 return -EINVAL;
528                 }
529         }
530
531         return 0;
532 }
533
534 static struct cfg80211_cached_keys *
535 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
536                        struct nlattr *keys)
537 {
538         struct key_parse parse;
539         struct nlattr *key;
540         struct cfg80211_cached_keys *result;
541         int rem, err, def = 0;
542
543         result = kzalloc(sizeof(*result), GFP_KERNEL);
544         if (!result)
545                 return ERR_PTR(-ENOMEM);
546
547         result->def = -1;
548         result->defmgmt = -1;
549
550         nla_for_each_nested(key, keys, rem) {
551                 memset(&parse, 0, sizeof(parse));
552                 parse.idx = -1;
553
554                 err = nl80211_parse_key_new(key, &parse);
555                 if (err)
556                         goto error;
557                 err = -EINVAL;
558                 if (!parse.p.key)
559                         goto error;
560                 if (parse.idx < 0 || parse.idx > 4)
561                         goto error;
562                 if (parse.def) {
563                         if (def)
564                                 goto error;
565                         def = 1;
566                         result->def = parse.idx;
567                         if (!parse.def_uni || !parse.def_multi)
568                                 goto error;
569                 } else if (parse.defmgmt)
570                         goto error;
571                 err = cfg80211_validate_key_settings(rdev, &parse.p,
572                                                      parse.idx, false, NULL);
573                 if (err)
574                         goto error;
575                 result->params[parse.idx].cipher = parse.p.cipher;
576                 result->params[parse.idx].key_len = parse.p.key_len;
577                 result->params[parse.idx].key = result->data[parse.idx];
578                 memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
579         }
580
581         return result;
582  error:
583         kfree(result);
584         return ERR_PTR(err);
585 }
586
587 static int nl80211_key_allowed(struct wireless_dev *wdev)
588 {
589         ASSERT_WDEV_LOCK(wdev);
590
591         switch (wdev->iftype) {
592         case NL80211_IFTYPE_AP:
593         case NL80211_IFTYPE_AP_VLAN:
594         case NL80211_IFTYPE_P2P_GO:
595         case NL80211_IFTYPE_MESH_POINT:
596                 break;
597         case NL80211_IFTYPE_ADHOC:
598                 if (!wdev->current_bss)
599                         return -ENOLINK;
600                 break;
601         case NL80211_IFTYPE_STATION:
602         case NL80211_IFTYPE_P2P_CLIENT:
603                 if (wdev->sme_state != CFG80211_SME_CONNECTED)
604                         return -ENOLINK;
605                 break;
606         default:
607                 return -EINVAL;
608         }
609
610         return 0;
611 }
612
613 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
614 {
615         struct nlattr *nl_modes = nla_nest_start(msg, attr);
616         int i;
617
618         if (!nl_modes)
619                 goto nla_put_failure;
620
621         i = 0;
622         while (ifmodes) {
623                 if (ifmodes & 1)
624                         NLA_PUT_FLAG(msg, i);
625                 ifmodes >>= 1;
626                 i++;
627         }
628
629         nla_nest_end(msg, nl_modes);
630         return 0;
631
632 nla_put_failure:
633         return -ENOBUFS;
634 }
635
636 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
637                                           struct sk_buff *msg)
638 {
639         struct nlattr *nl_combis;
640         int i, j;
641
642         nl_combis = nla_nest_start(msg,
643                                 NL80211_ATTR_INTERFACE_COMBINATIONS);
644         if (!nl_combis)
645                 goto nla_put_failure;
646
647         for (i = 0; i < wiphy->n_iface_combinations; i++) {
648                 const struct ieee80211_iface_combination *c;
649                 struct nlattr *nl_combi, *nl_limits;
650
651                 c = &wiphy->iface_combinations[i];
652
653                 nl_combi = nla_nest_start(msg, i + 1);
654                 if (!nl_combi)
655                         goto nla_put_failure;
656
657                 nl_limits = nla_nest_start(msg, NL80211_IFACE_COMB_LIMITS);
658                 if (!nl_limits)
659                         goto nla_put_failure;
660
661                 for (j = 0; j < c->n_limits; j++) {
662                         struct nlattr *nl_limit;
663
664                         nl_limit = nla_nest_start(msg, j + 1);
665                         if (!nl_limit)
666                                 goto nla_put_failure;
667                         NLA_PUT_U32(msg, NL80211_IFACE_LIMIT_MAX,
668                                     c->limits[j].max);
669                         if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
670                                                 c->limits[j].types))
671                                 goto nla_put_failure;
672                         nla_nest_end(msg, nl_limit);
673                 }
674
675                 nla_nest_end(msg, nl_limits);
676
677                 if (c->beacon_int_infra_match)
678                         NLA_PUT_FLAG(msg,
679                                 NL80211_IFACE_COMB_STA_AP_BI_MATCH);
680                 NLA_PUT_U32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
681                             c->num_different_channels);
682                 NLA_PUT_U32(msg, NL80211_IFACE_COMB_MAXNUM,
683                             c->max_interfaces);
684
685                 nla_nest_end(msg, nl_combi);
686         }
687
688         nla_nest_end(msg, nl_combis);
689
690         return 0;
691 nla_put_failure:
692         return -ENOBUFS;
693 }
694
695 static int nl80211_send_wiphy(struct sk_buff *msg, u32 pid, u32 seq, int flags,
696                               struct cfg80211_registered_device *dev)
697 {
698         void *hdr;
699         struct nlattr *nl_bands, *nl_band;
700         struct nlattr *nl_freqs, *nl_freq;
701         struct nlattr *nl_rates, *nl_rate;
702         struct nlattr *nl_cmds;
703         enum ieee80211_band band;
704         struct ieee80211_channel *chan;
705         struct ieee80211_rate *rate;
706         int i;
707         const struct ieee80211_txrx_stypes *mgmt_stypes =
708                                 dev->wiphy.mgmt_stypes;
709
710         hdr = nl80211hdr_put(msg, pid, seq, flags, NL80211_CMD_NEW_WIPHY);
711         if (!hdr)
712                 return -1;
713
714         NLA_PUT_U32(msg, NL80211_ATTR_WIPHY, dev->wiphy_idx);
715         NLA_PUT_STRING(msg, NL80211_ATTR_WIPHY_NAME, wiphy_name(&dev->wiphy));
716
717         NLA_PUT_U32(msg, NL80211_ATTR_GENERATION,
718                     cfg80211_rdev_list_generation);
719
720         NLA_PUT_U8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
721                    dev->wiphy.retry_short);
722         NLA_PUT_U8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
723                    dev->wiphy.retry_long);
724         NLA_PUT_U32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
725                     dev->wiphy.frag_threshold);
726         NLA_PUT_U32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
727                     dev->wiphy.rts_threshold);
728         NLA_PUT_U8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
729                     dev->wiphy.coverage_class);
730         NLA_PUT_U8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
731                    dev->wiphy.max_scan_ssids);
732         NLA_PUT_U8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
733                    dev->wiphy.max_sched_scan_ssids);
734         NLA_PUT_U16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
735                     dev->wiphy.max_scan_ie_len);
736         NLA_PUT_U16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
737                     dev->wiphy.max_sched_scan_ie_len);
738         NLA_PUT_U8(msg, NL80211_ATTR_MAX_MATCH_SETS,
739                    dev->wiphy.max_match_sets);
740
741         if (dev->wiphy.flags & WIPHY_FLAG_IBSS_RSN)
742                 NLA_PUT_FLAG(msg, NL80211_ATTR_SUPPORT_IBSS_RSN);
743         if (dev->wiphy.flags & WIPHY_FLAG_MESH_AUTH)
744                 NLA_PUT_FLAG(msg, NL80211_ATTR_SUPPORT_MESH_AUTH);
745         if (dev->wiphy.flags & WIPHY_FLAG_AP_UAPSD)
746                 NLA_PUT_FLAG(msg, NL80211_ATTR_SUPPORT_AP_UAPSD);
747         if (dev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)
748                 NLA_PUT_FLAG(msg, NL80211_ATTR_ROAM_SUPPORT);
749         if (dev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS)
750                 NLA_PUT_FLAG(msg, NL80211_ATTR_TDLS_SUPPORT);
751         if (dev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP)
752                 NLA_PUT_FLAG(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP);
753
754         NLA_PUT(msg, NL80211_ATTR_CIPHER_SUITES,
755                 sizeof(u32) * dev->wiphy.n_cipher_suites,
756                 dev->wiphy.cipher_suites);
757
758         NLA_PUT_U8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
759                    dev->wiphy.max_num_pmkids);
760
761         if (dev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL)
762                 NLA_PUT_FLAG(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE);
763
764         NLA_PUT_U32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
765                     dev->wiphy.available_antennas_tx);
766         NLA_PUT_U32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
767                     dev->wiphy.available_antennas_rx);
768
769         if (dev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD)
770                 NLA_PUT_U32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
771                             dev->wiphy.probe_resp_offload);
772
773         if ((dev->wiphy.available_antennas_tx ||
774              dev->wiphy.available_antennas_rx) && dev->ops->get_antenna) {
775                 u32 tx_ant = 0, rx_ant = 0;
776                 int res;
777                 res = dev->ops->get_antenna(&dev->wiphy, &tx_ant, &rx_ant);
778                 if (!res) {
779                         NLA_PUT_U32(msg, NL80211_ATTR_WIPHY_ANTENNA_TX, tx_ant);
780                         NLA_PUT_U32(msg, NL80211_ATTR_WIPHY_ANTENNA_RX, rx_ant);
781                 }
782         }
783
784         if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
785                                 dev->wiphy.interface_modes))
786                 goto nla_put_failure;
787
788         nl_bands = nla_nest_start(msg, NL80211_ATTR_WIPHY_BANDS);
789         if (!nl_bands)
790                 goto nla_put_failure;
791
792         for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
793                 if (!dev->wiphy.bands[band])
794                         continue;
795
796                 nl_band = nla_nest_start(msg, band);
797                 if (!nl_band)
798                         goto nla_put_failure;
799
800                 /* add HT info */
801                 if (dev->wiphy.bands[band]->ht_cap.ht_supported) {
802                         NLA_PUT(msg, NL80211_BAND_ATTR_HT_MCS_SET,
803                                 sizeof(dev->wiphy.bands[band]->ht_cap.mcs),
804                                 &dev->wiphy.bands[band]->ht_cap.mcs);
805                         NLA_PUT_U16(msg, NL80211_BAND_ATTR_HT_CAPA,
806                                 dev->wiphy.bands[band]->ht_cap.cap);
807                         NLA_PUT_U8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
808                                 dev->wiphy.bands[band]->ht_cap.ampdu_factor);
809                         NLA_PUT_U8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
810                                 dev->wiphy.bands[band]->ht_cap.ampdu_density);
811                 }
812
813                 /* add frequencies */
814                 nl_freqs = nla_nest_start(msg, NL80211_BAND_ATTR_FREQS);
815                 if (!nl_freqs)
816                         goto nla_put_failure;
817
818                 for (i = 0; i < dev->wiphy.bands[band]->n_channels; i++) {
819                         nl_freq = nla_nest_start(msg, i);
820                         if (!nl_freq)
821                                 goto nla_put_failure;
822
823                         chan = &dev->wiphy.bands[band]->channels[i];
824
825                         if (nl80211_msg_put_channel(msg, chan))
826                                 goto nla_put_failure;
827
828                         nla_nest_end(msg, nl_freq);
829                 }
830
831                 nla_nest_end(msg, nl_freqs);
832
833                 /* add bitrates */
834                 nl_rates = nla_nest_start(msg, NL80211_BAND_ATTR_RATES);
835                 if (!nl_rates)
836                         goto nla_put_failure;
837
838                 for (i = 0; i < dev->wiphy.bands[band]->n_bitrates; i++) {
839                         nl_rate = nla_nest_start(msg, i);
840                         if (!nl_rate)
841                                 goto nla_put_failure;
842
843                         rate = &dev->wiphy.bands[band]->bitrates[i];
844                         NLA_PUT_U32(msg, NL80211_BITRATE_ATTR_RATE,
845                                     rate->bitrate);
846                         if (rate->flags & IEEE80211_RATE_SHORT_PREAMBLE)
847                                 NLA_PUT_FLAG(msg,
848                                         NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE);
849
850                         nla_nest_end(msg, nl_rate);
851                 }
852
853                 nla_nest_end(msg, nl_rates);
854
855                 nla_nest_end(msg, nl_band);
856         }
857         nla_nest_end(msg, nl_bands);
858
859         nl_cmds = nla_nest_start(msg, NL80211_ATTR_SUPPORTED_COMMANDS);
860         if (!nl_cmds)
861                 goto nla_put_failure;
862
863         i = 0;
864 #define CMD(op, n)                                              \
865          do {                                                   \
866                 if (dev->ops->op) {                             \
867                         i++;                                    \
868                         NLA_PUT_U32(msg, i, NL80211_CMD_ ## n); \
869                 }                                               \
870         } while (0)
871
872         CMD(add_virtual_intf, NEW_INTERFACE);
873         CMD(change_virtual_intf, SET_INTERFACE);
874         CMD(add_key, NEW_KEY);
875         CMD(add_beacon, NEW_BEACON);
876         CMD(add_station, NEW_STATION);
877         CMD(add_mpath, NEW_MPATH);
878         CMD(update_mesh_config, SET_MESH_CONFIG);
879         CMD(change_bss, SET_BSS);
880         CMD(auth, AUTHENTICATE);
881         CMD(assoc, ASSOCIATE);
882         CMD(deauth, DEAUTHENTICATE);
883         CMD(disassoc, DISASSOCIATE);
884         CMD(join_ibss, JOIN_IBSS);
885         CMD(join_mesh, JOIN_MESH);
886         CMD(set_pmksa, SET_PMKSA);
887         CMD(del_pmksa, DEL_PMKSA);
888         CMD(flush_pmksa, FLUSH_PMKSA);
889         if (dev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
890                 CMD(remain_on_channel, REMAIN_ON_CHANNEL);
891         CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
892         CMD(mgmt_tx, FRAME);
893         CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
894         if (dev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
895                 i++;
896                 NLA_PUT_U32(msg, i, NL80211_CMD_SET_WIPHY_NETNS);
897         }
898         CMD(set_channel, SET_CHANNEL);
899         CMD(set_wds_peer, SET_WDS_PEER);
900         if (dev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
901                 CMD(tdls_mgmt, TDLS_MGMT);
902                 CMD(tdls_oper, TDLS_OPER);
903         }
904         if (dev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN)
905                 CMD(sched_scan_start, START_SCHED_SCAN);
906         CMD(probe_client, PROBE_CLIENT);
907         CMD(set_noack_map, SET_NOACK_MAP);
908         if (dev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
909                 i++;
910                 NLA_PUT_U32(msg, i, NL80211_CMD_REGISTER_BEACONS);
911         }
912
913 #ifdef CONFIG_NL80211_TESTMODE
914         CMD(testmode_cmd, TESTMODE);
915 #endif
916
917 #undef CMD
918
919         if (dev->ops->connect || dev->ops->auth) {
920                 i++;
921                 NLA_PUT_U32(msg, i, NL80211_CMD_CONNECT);
922         }
923
924         if (dev->ops->disconnect || dev->ops->deauth) {
925                 i++;
926                 NLA_PUT_U32(msg, i, NL80211_CMD_DISCONNECT);
927         }
928
929         nla_nest_end(msg, nl_cmds);
930
931         if (dev->ops->remain_on_channel &&
932             dev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
933                 NLA_PUT_U32(msg, NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
934                             dev->wiphy.max_remain_on_channel_duration);
935
936         if (dev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX)
937                 NLA_PUT_FLAG(msg, NL80211_ATTR_OFFCHANNEL_TX_OK);
938
939         if (mgmt_stypes) {
940                 u16 stypes;
941                 struct nlattr *nl_ftypes, *nl_ifs;
942                 enum nl80211_iftype ift;
943
944                 nl_ifs = nla_nest_start(msg, NL80211_ATTR_TX_FRAME_TYPES);
945                 if (!nl_ifs)
946                         goto nla_put_failure;
947
948                 for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
949                         nl_ftypes = nla_nest_start(msg, ift);
950                         if (!nl_ftypes)
951                                 goto nla_put_failure;
952                         i = 0;
953                         stypes = mgmt_stypes[ift].tx;
954                         while (stypes) {
955                                 if (stypes & 1)
956                                         NLA_PUT_U16(msg, NL80211_ATTR_FRAME_TYPE,
957                                                     (i << 4) | IEEE80211_FTYPE_MGMT);
958                                 stypes >>= 1;
959                                 i++;
960                         }
961                         nla_nest_end(msg, nl_ftypes);
962                 }
963
964                 nla_nest_end(msg, nl_ifs);
965
966                 nl_ifs = nla_nest_start(msg, NL80211_ATTR_RX_FRAME_TYPES);
967                 if (!nl_ifs)
968                         goto nla_put_failure;
969
970                 for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
971                         nl_ftypes = nla_nest_start(msg, ift);
972                         if (!nl_ftypes)
973                                 goto nla_put_failure;
974                         i = 0;
975                         stypes = mgmt_stypes[ift].rx;
976                         while (stypes) {
977                                 if (stypes & 1)
978                                         NLA_PUT_U16(msg, NL80211_ATTR_FRAME_TYPE,
979                                                     (i << 4) | IEEE80211_FTYPE_MGMT);
980                                 stypes >>= 1;
981                                 i++;
982                         }
983                         nla_nest_end(msg, nl_ftypes);
984                 }
985                 nla_nest_end(msg, nl_ifs);
986         }
987
988         if (dev->wiphy.wowlan.flags || dev->wiphy.wowlan.n_patterns) {
989                 struct nlattr *nl_wowlan;
990
991                 nl_wowlan = nla_nest_start(msg,
992                                 NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
993                 if (!nl_wowlan)
994                         goto nla_put_failure;
995
996                 if (dev->wiphy.wowlan.flags & WIPHY_WOWLAN_ANY)
997                         NLA_PUT_FLAG(msg, NL80211_WOWLAN_TRIG_ANY);
998                 if (dev->wiphy.wowlan.flags & WIPHY_WOWLAN_DISCONNECT)
999                         NLA_PUT_FLAG(msg, NL80211_WOWLAN_TRIG_DISCONNECT);
1000                 if (dev->wiphy.wowlan.flags & WIPHY_WOWLAN_MAGIC_PKT)
1001                         NLA_PUT_FLAG(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT);
1002                 if (dev->wiphy.wowlan.flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY)
1003                         NLA_PUT_FLAG(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED);
1004                 if (dev->wiphy.wowlan.flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE)
1005                         NLA_PUT_FLAG(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE);
1006                 if (dev->wiphy.wowlan.flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ)
1007                         NLA_PUT_FLAG(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST);
1008                 if (dev->wiphy.wowlan.flags & WIPHY_WOWLAN_4WAY_HANDSHAKE)
1009                         NLA_PUT_FLAG(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE);
1010                 if (dev->wiphy.wowlan.flags & WIPHY_WOWLAN_RFKILL_RELEASE)
1011                         NLA_PUT_FLAG(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE);
1012                 if (dev->wiphy.wowlan.n_patterns) {
1013                         struct nl80211_wowlan_pattern_support pat = {
1014                                 .max_patterns = dev->wiphy.wowlan.n_patterns,
1015                                 .min_pattern_len =
1016                                         dev->wiphy.wowlan.pattern_min_len,
1017                                 .max_pattern_len =
1018                                         dev->wiphy.wowlan.pattern_max_len,
1019                         };
1020                         NLA_PUT(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1021                                 sizeof(pat), &pat);
1022                 }
1023
1024                 nla_nest_end(msg, nl_wowlan);
1025         }
1026
1027         if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
1028                                 dev->wiphy.software_iftypes))
1029                 goto nla_put_failure;
1030
1031         if (nl80211_put_iface_combinations(&dev->wiphy, msg))
1032                 goto nla_put_failure;
1033
1034         if (dev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME)
1035                 NLA_PUT_U32(msg, NL80211_ATTR_DEVICE_AP_SME,
1036                             dev->wiphy.ap_sme_capa);
1037
1038         NLA_PUT_U32(msg, NL80211_ATTR_FEATURE_FLAGS, dev->wiphy.features);
1039
1040         if (dev->wiphy.ht_capa_mod_mask)
1041                 NLA_PUT(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
1042                         sizeof(*dev->wiphy.ht_capa_mod_mask),
1043                         dev->wiphy.ht_capa_mod_mask);
1044
1045         return genlmsg_end(msg, hdr);
1046
1047  nla_put_failure:
1048         genlmsg_cancel(msg, hdr);
1049         return -EMSGSIZE;
1050 }
1051
1052 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
1053 {
1054         int idx = 0;
1055         int start = cb->args[0];
1056         struct cfg80211_registered_device *dev;
1057
1058         mutex_lock(&cfg80211_mutex);
1059         list_for_each_entry(dev, &cfg80211_rdev_list, list) {
1060                 if (!net_eq(wiphy_net(&dev->wiphy), sock_net(skb->sk)))
1061                         continue;
1062                 if (++idx <= start)
1063                         continue;
1064                 if (nl80211_send_wiphy(skb, NETLINK_CB(cb->skb).pid,
1065                                        cb->nlh->nlmsg_seq, NLM_F_MULTI,
1066                                        dev) < 0) {
1067                         idx--;
1068                         break;
1069                 }
1070         }
1071         mutex_unlock(&cfg80211_mutex);
1072
1073         cb->args[0] = idx;
1074
1075         return skb->len;
1076 }
1077
1078 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
1079 {
1080         struct sk_buff *msg;
1081         struct cfg80211_registered_device *dev = info->user_ptr[0];
1082
1083         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1084         if (!msg)
1085                 return -ENOMEM;
1086
1087         if (nl80211_send_wiphy(msg, info->snd_pid, info->snd_seq, 0, dev) < 0) {
1088                 nlmsg_free(msg);
1089                 return -ENOBUFS;
1090         }
1091
1092         return genlmsg_reply(msg, info);
1093 }
1094
1095 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
1096         [NL80211_TXQ_ATTR_QUEUE]                = { .type = NLA_U8 },
1097         [NL80211_TXQ_ATTR_TXOP]                 = { .type = NLA_U16 },
1098         [NL80211_TXQ_ATTR_CWMIN]                = { .type = NLA_U16 },
1099         [NL80211_TXQ_ATTR_CWMAX]                = { .type = NLA_U16 },
1100         [NL80211_TXQ_ATTR_AIFS]                 = { .type = NLA_U8 },
1101 };
1102
1103 static int parse_txq_params(struct nlattr *tb[],
1104                             struct ieee80211_txq_params *txq_params)
1105 {
1106         if (!tb[NL80211_TXQ_ATTR_QUEUE] || !tb[NL80211_TXQ_ATTR_TXOP] ||
1107             !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
1108             !tb[NL80211_TXQ_ATTR_AIFS])
1109                 return -EINVAL;
1110
1111         txq_params->queue = nla_get_u8(tb[NL80211_TXQ_ATTR_QUEUE]);
1112         txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
1113         txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
1114         txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
1115         txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
1116
1117         return 0;
1118 }
1119
1120 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
1121 {
1122         /*
1123          * You can only set the channel explicitly for AP, mesh
1124          * and WDS type interfaces; all others have their channel
1125          * managed via their respective "establish a connection"
1126          * command (connect, join, ...)
1127          *
1128          * Monitors are special as they are normally slaved to
1129          * whatever else is going on, so they behave as though
1130          * you tried setting the wiphy channel itself.
1131          */
1132         return !wdev ||
1133                 wdev->iftype == NL80211_IFTYPE_AP ||
1134                 wdev->iftype == NL80211_IFTYPE_WDS ||
1135                 wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
1136                 wdev->iftype == NL80211_IFTYPE_MONITOR ||
1137                 wdev->iftype == NL80211_IFTYPE_P2P_GO;
1138 }
1139
1140 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
1141                                  struct wireless_dev *wdev,
1142                                  struct genl_info *info)
1143 {
1144         enum nl80211_channel_type channel_type = NL80211_CHAN_NO_HT;
1145         u32 freq;
1146         int result;
1147
1148         if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
1149                 return -EINVAL;
1150
1151         if (!nl80211_can_set_dev_channel(wdev))
1152                 return -EOPNOTSUPP;
1153
1154         if (info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
1155                 channel_type = nla_get_u32(info->attrs[
1156                                    NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
1157                 if (channel_type != NL80211_CHAN_NO_HT &&
1158                     channel_type != NL80211_CHAN_HT20 &&
1159                     channel_type != NL80211_CHAN_HT40PLUS &&
1160                     channel_type != NL80211_CHAN_HT40MINUS)
1161                         return -EINVAL;
1162         }
1163
1164         freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]);
1165
1166         mutex_lock(&rdev->devlist_mtx);
1167         if (wdev) {
1168                 wdev_lock(wdev);
1169                 result = cfg80211_set_freq(rdev, wdev, freq, channel_type);
1170                 wdev_unlock(wdev);
1171         } else {
1172                 result = cfg80211_set_freq(rdev, NULL, freq, channel_type);
1173         }
1174         mutex_unlock(&rdev->devlist_mtx);
1175
1176         return result;
1177 }
1178
1179 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
1180 {
1181         struct cfg80211_registered_device *rdev = info->user_ptr[0];
1182         struct net_device *netdev = info->user_ptr[1];
1183
1184         return __nl80211_set_channel(rdev, netdev->ieee80211_ptr, info);
1185 }
1186
1187 static int nl80211_set_wds_peer(struct sk_buff *skb, struct genl_info *info)
1188 {
1189         struct cfg80211_registered_device *rdev = info->user_ptr[0];
1190         struct net_device *dev = info->user_ptr[1];
1191         struct wireless_dev *wdev = dev->ieee80211_ptr;
1192         const u8 *bssid;
1193
1194         if (!info->attrs[NL80211_ATTR_MAC])
1195                 return -EINVAL;
1196
1197         if (netif_running(dev))
1198                 return -EBUSY;
1199
1200         if (!rdev->ops->set_wds_peer)
1201                 return -EOPNOTSUPP;
1202
1203         if (wdev->iftype != NL80211_IFTYPE_WDS)
1204                 return -EOPNOTSUPP;
1205
1206         bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
1207         return rdev->ops->set_wds_peer(wdev->wiphy, dev, bssid);
1208 }
1209
1210
1211 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
1212 {
1213         struct cfg80211_registered_device *rdev;
1214         struct net_device *netdev = NULL;
1215         struct wireless_dev *wdev;
1216         int result = 0, rem_txq_params = 0;
1217         struct nlattr *nl_txq_params;
1218         u32 changed;
1219         u8 retry_short = 0, retry_long = 0;
1220         u32 frag_threshold = 0, rts_threshold = 0;
1221         u8 coverage_class = 0;
1222
1223         /*
1224          * Try to find the wiphy and netdev. Normally this
1225          * function shouldn't need the netdev, but this is
1226          * done for backward compatibility -- previously
1227          * setting the channel was done per wiphy, but now
1228          * it is per netdev. Previous userland like hostapd
1229          * also passed a netdev to set_wiphy, so that it is
1230          * possible to let that go to the right netdev!
1231          */
1232         mutex_lock(&cfg80211_mutex);
1233
1234         if (info->attrs[NL80211_ATTR_IFINDEX]) {
1235                 int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
1236
1237                 netdev = dev_get_by_index(genl_info_net(info), ifindex);
1238                 if (netdev && netdev->ieee80211_ptr) {
1239                         rdev = wiphy_to_dev(netdev->ieee80211_ptr->wiphy);
1240                         mutex_lock(&rdev->mtx);
1241                 } else
1242                         netdev = NULL;
1243         }
1244
1245         if (!netdev) {
1246                 rdev = __cfg80211_rdev_from_info(info);
1247                 if (IS_ERR(rdev)) {
1248                         mutex_unlock(&cfg80211_mutex);
1249                         return PTR_ERR(rdev);
1250                 }
1251                 wdev = NULL;
1252                 netdev = NULL;
1253                 result = 0;
1254
1255                 mutex_lock(&rdev->mtx);
1256         } else if (netif_running(netdev) &&
1257                    nl80211_can_set_dev_channel(netdev->ieee80211_ptr))
1258                 wdev = netdev->ieee80211_ptr;
1259         else
1260                 wdev = NULL;
1261
1262         /*
1263          * end workaround code, by now the rdev is available
1264          * and locked, and wdev may or may not be NULL.
1265          */
1266
1267         if (info->attrs[NL80211_ATTR_WIPHY_NAME])
1268                 result = cfg80211_dev_rename(
1269                         rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
1270
1271         mutex_unlock(&cfg80211_mutex);
1272
1273         if (result)
1274                 goto bad_res;
1275
1276         if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
1277                 struct ieee80211_txq_params txq_params;
1278                 struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
1279
1280                 if (!rdev->ops->set_txq_params) {
1281                         result = -EOPNOTSUPP;
1282                         goto bad_res;
1283                 }
1284
1285                 if (!netdev) {
1286                         result = -EINVAL;
1287                         goto bad_res;
1288                 }
1289
1290                 if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
1291                     netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
1292                         result = -EINVAL;
1293                         goto bad_res;
1294                 }
1295
1296                 nla_for_each_nested(nl_txq_params,
1297                                     info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
1298                                     rem_txq_params) {
1299                         nla_parse(tb, NL80211_TXQ_ATTR_MAX,
1300                                   nla_data(nl_txq_params),
1301                                   nla_len(nl_txq_params),
1302                                   txq_params_policy);
1303                         result = parse_txq_params(tb, &txq_params);
1304                         if (result)
1305                                 goto bad_res;
1306
1307                         result = rdev->ops->set_txq_params(&rdev->wiphy,
1308                                                            netdev,
1309                                                            &txq_params);
1310                         if (result)
1311                                 goto bad_res;
1312                 }
1313         }
1314
1315         if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
1316                 result = __nl80211_set_channel(rdev, wdev, info);
1317                 if (result)
1318                         goto bad_res;
1319         }
1320
1321         if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
1322                 enum nl80211_tx_power_setting type;
1323                 int idx, mbm = 0;
1324
1325                 if (!rdev->ops->set_tx_power) {
1326                         result = -EOPNOTSUPP;
1327                         goto bad_res;
1328                 }
1329
1330                 idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
1331                 type = nla_get_u32(info->attrs[idx]);
1332
1333                 if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
1334                     (type != NL80211_TX_POWER_AUTOMATIC)) {
1335                         result = -EINVAL;
1336                         goto bad_res;
1337                 }
1338
1339                 if (type != NL80211_TX_POWER_AUTOMATIC) {
1340                         idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
1341                         mbm = nla_get_u32(info->attrs[idx]);
1342                 }
1343
1344                 result = rdev->ops->set_tx_power(&rdev->wiphy, type, mbm);
1345                 if (result)
1346                         goto bad_res;
1347         }
1348
1349         if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
1350             info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
1351                 u32 tx_ant, rx_ant;
1352                 if ((!rdev->wiphy.available_antennas_tx &&
1353                      !rdev->wiphy.available_antennas_rx) ||
1354                     !rdev->ops->set_antenna) {
1355                         result = -EOPNOTSUPP;
1356                         goto bad_res;
1357                 }
1358
1359                 tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
1360                 rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
1361
1362                 /* reject antenna configurations which don't match the
1363                  * available antenna masks, except for the "all" mask */
1364                 if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
1365                     (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx))) {
1366                         result = -EINVAL;
1367                         goto bad_res;
1368                 }
1369
1370                 tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
1371                 rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
1372
1373                 result = rdev->ops->set_antenna(&rdev->wiphy, tx_ant, rx_ant);
1374                 if (result)
1375                         goto bad_res;
1376         }
1377
1378         changed = 0;
1379
1380         if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
1381                 retry_short = nla_get_u8(
1382                         info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
1383                 if (retry_short == 0) {
1384                         result = -EINVAL;
1385                         goto bad_res;
1386                 }
1387                 changed |= WIPHY_PARAM_RETRY_SHORT;
1388         }
1389
1390         if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
1391                 retry_long = nla_get_u8(
1392                         info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
1393                 if (retry_long == 0) {
1394                         result = -EINVAL;
1395                         goto bad_res;
1396                 }
1397                 changed |= WIPHY_PARAM_RETRY_LONG;
1398         }
1399
1400         if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
1401                 frag_threshold = nla_get_u32(
1402                         info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
1403                 if (frag_threshold < 256) {
1404                         result = -EINVAL;
1405                         goto bad_res;
1406                 }
1407                 if (frag_threshold != (u32) -1) {
1408                         /*
1409                          * Fragments (apart from the last one) are required to
1410                          * have even length. Make the fragmentation code
1411                          * simpler by stripping LSB should someone try to use
1412                          * odd threshold value.
1413                          */
1414                         frag_threshold &= ~0x1;
1415                 }
1416                 changed |= WIPHY_PARAM_FRAG_THRESHOLD;
1417         }
1418
1419         if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
1420                 rts_threshold = nla_get_u32(
1421                         info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
1422                 changed |= WIPHY_PARAM_RTS_THRESHOLD;
1423         }
1424
1425         if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
1426                 coverage_class = nla_get_u8(
1427                         info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
1428                 changed |= WIPHY_PARAM_COVERAGE_CLASS;
1429         }
1430
1431         if (changed) {
1432                 u8 old_retry_short, old_retry_long;
1433                 u32 old_frag_threshold, old_rts_threshold;
1434                 u8 old_coverage_class;
1435
1436                 if (!rdev->ops->set_wiphy_params) {
1437                         result = -EOPNOTSUPP;
1438                         goto bad_res;
1439                 }
1440
1441                 old_retry_short = rdev->wiphy.retry_short;
1442                 old_retry_long = rdev->wiphy.retry_long;
1443                 old_frag_threshold = rdev->wiphy.frag_threshold;
1444                 old_rts_threshold = rdev->wiphy.rts_threshold;
1445                 old_coverage_class = rdev->wiphy.coverage_class;
1446
1447                 if (changed & WIPHY_PARAM_RETRY_SHORT)
1448                         rdev->wiphy.retry_short = retry_short;
1449                 if (changed & WIPHY_PARAM_RETRY_LONG)
1450                         rdev->wiphy.retry_long = retry_long;
1451                 if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
1452                         rdev->wiphy.frag_threshold = frag_threshold;
1453                 if (changed & WIPHY_PARAM_RTS_THRESHOLD)
1454                         rdev->wiphy.rts_threshold = rts_threshold;
1455                 if (changed & WIPHY_PARAM_COVERAGE_CLASS)
1456                         rdev->wiphy.coverage_class = coverage_class;
1457
1458                 result = rdev->ops->set_wiphy_params(&rdev->wiphy, changed);
1459                 if (result) {
1460                         rdev->wiphy.retry_short = old_retry_short;
1461                         rdev->wiphy.retry_long = old_retry_long;
1462                         rdev->wiphy.frag_threshold = old_frag_threshold;
1463                         rdev->wiphy.rts_threshold = old_rts_threshold;
1464                         rdev->wiphy.coverage_class = old_coverage_class;
1465                 }
1466         }
1467
1468  bad_res:
1469         mutex_unlock(&rdev->mtx);
1470         if (netdev)
1471                 dev_put(netdev);
1472         return result;
1473 }
1474
1475
1476 static int nl80211_send_iface(struct sk_buff *msg, u32 pid, u32 seq, int flags,
1477                               struct cfg80211_registered_device *rdev,
1478                               struct net_device *dev)
1479 {
1480         void *hdr;
1481
1482         hdr = nl80211hdr_put(msg, pid, seq, flags, NL80211_CMD_NEW_INTERFACE);
1483         if (!hdr)
1484                 return -1;
1485
1486         NLA_PUT_U32(msg, NL80211_ATTR_IFINDEX, dev->ifindex);
1487         NLA_PUT_U32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx);
1488         NLA_PUT_STRING(msg, NL80211_ATTR_IFNAME, dev->name);
1489         NLA_PUT_U32(msg, NL80211_ATTR_IFTYPE, dev->ieee80211_ptr->iftype);
1490
1491         NLA_PUT_U32(msg, NL80211_ATTR_GENERATION,
1492                     rdev->devlist_generation ^
1493                         (cfg80211_rdev_list_generation << 2));
1494
1495         return genlmsg_end(msg, hdr);
1496
1497  nla_put_failure:
1498         genlmsg_cancel(msg, hdr);
1499         return -EMSGSIZE;
1500 }
1501
1502 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
1503 {
1504         int wp_idx = 0;
1505         int if_idx = 0;
1506         int wp_start = cb->args[0];
1507         int if_start = cb->args[1];
1508         struct cfg80211_registered_device *rdev;
1509         struct wireless_dev *wdev;
1510
1511         mutex_lock(&cfg80211_mutex);
1512         list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
1513                 if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
1514                         continue;
1515                 if (wp_idx < wp_start) {
1516                         wp_idx++;
1517                         continue;
1518                 }
1519                 if_idx = 0;
1520
1521                 mutex_lock(&rdev->devlist_mtx);
1522                 list_for_each_entry(wdev, &rdev->netdev_list, list) {
1523                         if (if_idx < if_start) {
1524                                 if_idx++;
1525                                 continue;
1526                         }
1527                         if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).pid,
1528                                                cb->nlh->nlmsg_seq, NLM_F_MULTI,
1529                                                rdev, wdev->netdev) < 0) {
1530                                 mutex_unlock(&rdev->devlist_mtx);
1531                                 goto out;
1532                         }
1533                         if_idx++;
1534                 }
1535                 mutex_unlock(&rdev->devlist_mtx);
1536
1537                 wp_idx++;
1538         }
1539  out:
1540         mutex_unlock(&cfg80211_mutex);
1541
1542         cb->args[0] = wp_idx;
1543         cb->args[1] = if_idx;
1544
1545         return skb->len;
1546 }
1547
1548 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
1549 {
1550         struct sk_buff *msg;
1551         struct cfg80211_registered_device *dev = info->user_ptr[0];
1552         struct net_device *netdev = info->user_ptr[1];
1553
1554         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1555         if (!msg)
1556                 return -ENOMEM;
1557
1558         if (nl80211_send_iface(msg, info->snd_pid, info->snd_seq, 0,
1559                                dev, netdev) < 0) {
1560                 nlmsg_free(msg);
1561                 return -ENOBUFS;
1562         }
1563
1564         return genlmsg_reply(msg, info);
1565 }
1566
1567 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
1568         [NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
1569         [NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
1570         [NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
1571         [NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
1572         [NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
1573 };
1574
1575 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
1576 {
1577         struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
1578         int flag;
1579
1580         *mntrflags = 0;
1581
1582         if (!nla)
1583                 return -EINVAL;
1584
1585         if (nla_parse_nested(flags, NL80211_MNTR_FLAG_MAX,
1586                              nla, mntr_flags_policy))
1587                 return -EINVAL;
1588
1589         for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
1590                 if (flags[flag])
1591                         *mntrflags |= (1<<flag);
1592
1593         return 0;
1594 }
1595
1596 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
1597                                struct net_device *netdev, u8 use_4addr,
1598                                enum nl80211_iftype iftype)
1599 {
1600         if (!use_4addr) {
1601                 if (netdev && (netdev->priv_flags & IFF_BRIDGE_PORT))
1602                         return -EBUSY;
1603                 return 0;
1604         }
1605
1606         switch (iftype) {
1607         case NL80211_IFTYPE_AP_VLAN:
1608                 if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
1609                         return 0;
1610                 break;
1611         case NL80211_IFTYPE_STATION:
1612                 if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
1613                         return 0;
1614                 break;
1615         default:
1616                 break;
1617         }
1618
1619         return -EOPNOTSUPP;
1620 }
1621
1622 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
1623 {
1624         struct cfg80211_registered_device *rdev = info->user_ptr[0];
1625         struct vif_params params;
1626         int err;
1627         enum nl80211_iftype otype, ntype;
1628         struct net_device *dev = info->user_ptr[1];
1629         u32 _flags, *flags = NULL;
1630         bool change = false;
1631
1632         memset(&params, 0, sizeof(params));
1633
1634         otype = ntype = dev->ieee80211_ptr->iftype;
1635
1636         if (info->attrs[NL80211_ATTR_IFTYPE]) {
1637                 ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
1638                 if (otype != ntype)
1639                         change = true;
1640                 if (ntype > NL80211_IFTYPE_MAX)
1641                         return -EINVAL;
1642         }
1643
1644         if (info->attrs[NL80211_ATTR_MESH_ID]) {
1645                 struct wireless_dev *wdev = dev->ieee80211_ptr;
1646
1647                 if (ntype != NL80211_IFTYPE_MESH_POINT)
1648                         return -EINVAL;
1649                 if (netif_running(dev))
1650                         return -EBUSY;
1651
1652                 wdev_lock(wdev);
1653                 BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
1654                              IEEE80211_MAX_MESH_ID_LEN);
1655                 wdev->mesh_id_up_len =
1656                         nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
1657                 memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
1658                        wdev->mesh_id_up_len);
1659                 wdev_unlock(wdev);
1660         }
1661
1662         if (info->attrs[NL80211_ATTR_4ADDR]) {
1663                 params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
1664                 change = true;
1665                 err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
1666                 if (err)
1667                         return err;
1668         } else {
1669                 params.use_4addr = -1;
1670         }
1671
1672         if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
1673                 if (ntype != NL80211_IFTYPE_MONITOR)
1674                         return -EINVAL;
1675                 err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
1676                                           &_flags);
1677                 if (err)
1678                         return err;
1679
1680                 flags = &_flags;
1681                 change = true;
1682         }
1683
1684         if (change)
1685                 err = cfg80211_change_iface(rdev, dev, ntype, flags, &params);
1686         else
1687                 err = 0;
1688
1689         if (!err && params.use_4addr != -1)
1690                 dev->ieee80211_ptr->use_4addr = params.use_4addr;
1691
1692         return err;
1693 }
1694
1695 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
1696 {
1697         struct cfg80211_registered_device *rdev = info->user_ptr[0];
1698         struct vif_params params;
1699         struct net_device *dev;
1700         int err;
1701         enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
1702         u32 flags;
1703
1704         memset(&params, 0, sizeof(params));
1705
1706         if (!info->attrs[NL80211_ATTR_IFNAME])
1707                 return -EINVAL;
1708
1709         if (info->attrs[NL80211_ATTR_IFTYPE]) {
1710                 type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
1711                 if (type > NL80211_IFTYPE_MAX)
1712                         return -EINVAL;
1713         }
1714
1715         if (!rdev->ops->add_virtual_intf ||
1716             !(rdev->wiphy.interface_modes & (1 << type)))
1717                 return -EOPNOTSUPP;
1718
1719         if (info->attrs[NL80211_ATTR_4ADDR]) {
1720                 params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
1721                 err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
1722                 if (err)
1723                         return err;
1724         }
1725
1726         err = parse_monitor_flags(type == NL80211_IFTYPE_MONITOR ?
1727                                   info->attrs[NL80211_ATTR_MNTR_FLAGS] : NULL,
1728                                   &flags);
1729         dev = rdev->ops->add_virtual_intf(&rdev->wiphy,
1730                 nla_data(info->attrs[NL80211_ATTR_IFNAME]),
1731                 type, err ? NULL : &flags, &params);
1732         if (IS_ERR(dev))
1733                 return PTR_ERR(dev);
1734
1735         if (type == NL80211_IFTYPE_MESH_POINT &&
1736             info->attrs[NL80211_ATTR_MESH_ID]) {
1737                 struct wireless_dev *wdev = dev->ieee80211_ptr;
1738
1739                 wdev_lock(wdev);
1740                 BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
1741                              IEEE80211_MAX_MESH_ID_LEN);
1742                 wdev->mesh_id_up_len =
1743                         nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
1744                 memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
1745                        wdev->mesh_id_up_len);
1746                 wdev_unlock(wdev);
1747         }
1748
1749         return 0;
1750 }
1751
1752 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
1753 {
1754         struct cfg80211_registered_device *rdev = info->user_ptr[0];
1755         struct net_device *dev = info->user_ptr[1];
1756
1757         if (!rdev->ops->del_virtual_intf)
1758                 return -EOPNOTSUPP;
1759
1760         return rdev->ops->del_virtual_intf(&rdev->wiphy, dev);
1761 }
1762
1763 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
1764 {
1765         struct cfg80211_registered_device *rdev = info->user_ptr[0];
1766         struct net_device *dev = info->user_ptr[1];
1767         u16 noack_map;
1768
1769         if (!info->attrs[NL80211_ATTR_NOACK_MAP])
1770                 return -EINVAL;
1771
1772         if (!rdev->ops->set_noack_map)
1773                 return -EOPNOTSUPP;
1774
1775         noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
1776
1777         return rdev->ops->set_noack_map(&rdev->wiphy, dev, noack_map);
1778 }
1779
1780 struct get_key_cookie {
1781         struct sk_buff *msg;
1782         int error;
1783         int idx;
1784 };
1785
1786 static void get_key_callback(void *c, struct key_params *params)
1787 {
1788         struct nlattr *key;
1789         struct get_key_cookie *cookie = c;
1790
1791         if (params->key)
1792                 NLA_PUT(cookie->msg, NL80211_ATTR_KEY_DATA,
1793                         params->key_len, params->key);
1794
1795         if (params->seq)
1796                 NLA_PUT(cookie->msg, NL80211_ATTR_KEY_SEQ,
1797                         params->seq_len, params->seq);
1798
1799         if (params->cipher)
1800                 NLA_PUT_U32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
1801                             params->cipher);
1802
1803         key = nla_nest_start(cookie->msg, NL80211_ATTR_KEY);
1804         if (!key)
1805                 goto nla_put_failure;
1806
1807         if (params->key)
1808                 NLA_PUT(cookie->msg, NL80211_KEY_DATA,
1809                         params->key_len, params->key);
1810
1811         if (params->seq)
1812                 NLA_PUT(cookie->msg, NL80211_KEY_SEQ,
1813                         params->seq_len, params->seq);
1814
1815         if (params->cipher)
1816                 NLA_PUT_U32(cookie->msg, NL80211_KEY_CIPHER,
1817                             params->cipher);
1818
1819         NLA_PUT_U8(cookie->msg, NL80211_ATTR_KEY_IDX, cookie->idx);
1820
1821         nla_nest_end(cookie->msg, key);
1822
1823         return;
1824  nla_put_failure:
1825         cookie->error = 1;
1826 }
1827
1828 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
1829 {
1830         struct cfg80211_registered_device *rdev = info->user_ptr[0];
1831         int err;
1832         struct net_device *dev = info->user_ptr[1];
1833         u8 key_idx = 0;
1834         const u8 *mac_addr = NULL;
1835         bool pairwise;
1836         struct get_key_cookie cookie = {
1837                 .error = 0,
1838         };
1839         void *hdr;
1840         struct sk_buff *msg;
1841
1842         if (info->attrs[NL80211_ATTR_KEY_IDX])
1843                 key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
1844
1845         if (key_idx > 5)
1846                 return -EINVAL;
1847
1848         if (info->attrs[NL80211_ATTR_MAC])
1849                 mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
1850
1851         pairwise = !!mac_addr;
1852         if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
1853                 u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
1854                 if (kt >= NUM_NL80211_KEYTYPES)
1855                         return -EINVAL;
1856                 if (kt != NL80211_KEYTYPE_GROUP &&
1857                     kt != NL80211_KEYTYPE_PAIRWISE)
1858                         return -EINVAL;
1859                 pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
1860         }
1861
1862         if (!rdev->ops->get_key)
1863                 return -EOPNOTSUPP;
1864
1865         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1866         if (!msg)
1867                 return -ENOMEM;
1868
1869         hdr = nl80211hdr_put(msg, info->snd_pid, info->snd_seq, 0,
1870                              NL80211_CMD_NEW_KEY);
1871         if (IS_ERR(hdr))
1872                 return PTR_ERR(hdr);
1873
1874         cookie.msg = msg;
1875         cookie.idx = key_idx;
1876
1877         NLA_PUT_U32(msg, NL80211_ATTR_IFINDEX, dev->ifindex);
1878         NLA_PUT_U8(msg, NL80211_ATTR_KEY_IDX, key_idx);
1879         if (mac_addr)
1880                 NLA_PUT(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr);
1881
1882         if (pairwise && mac_addr &&
1883             !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
1884                 return -ENOENT;
1885
1886         err = rdev->ops->get_key(&rdev->wiphy, dev, key_idx, pairwise,
1887                                  mac_addr, &cookie, get_key_callback);
1888
1889         if (err)
1890                 goto free_msg;
1891
1892         if (cookie.error)
1893                 goto nla_put_failure;
1894
1895         genlmsg_end(msg, hdr);
1896         return genlmsg_reply(msg, info);
1897
1898  nla_put_failure:
1899         err = -ENOBUFS;
1900  free_msg:
1901         nlmsg_free(msg);
1902         return err;
1903 }
1904
1905 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
1906 {
1907         struct cfg80211_registered_device *rdev = info->user_ptr[0];
1908         struct key_parse key;
1909         int err;
1910         struct net_device *dev = info->user_ptr[1];
1911
1912         err = nl80211_parse_key(info, &key);
1913         if (err)
1914                 return err;
1915
1916         if (key.idx < 0)
1917                 return -EINVAL;
1918
1919         /* only support setting default key */
1920         if (!key.def && !key.defmgmt)
1921                 return -EINVAL;
1922
1923         wdev_lock(dev->ieee80211_ptr);
1924
1925         if (key.def) {
1926                 if (!rdev->ops->set_default_key) {
1927                         err = -EOPNOTSUPP;
1928                         goto out;
1929                 }
1930
1931                 err = nl80211_key_allowed(dev->ieee80211_ptr);
1932                 if (err)
1933                         goto out;
1934
1935                 err = rdev->ops->set_default_key(&rdev->wiphy, dev, key.idx,
1936                                                  key.def_uni, key.def_multi);
1937
1938                 if (err)
1939                         goto out;
1940
1941 #ifdef CONFIG_CFG80211_WEXT
1942                 dev->ieee80211_ptr->wext.default_key = key.idx;
1943 #endif
1944         } else {
1945                 if (key.def_uni || !key.def_multi) {
1946                         err = -EINVAL;
1947                         goto out;
1948                 }
1949
1950                 if (!rdev->ops->set_default_mgmt_key) {
1951                         err = -EOPNOTSUPP;
1952                         goto out;
1953                 }
1954
1955                 err = nl80211_key_allowed(dev->ieee80211_ptr);
1956                 if (err)
1957                         goto out;
1958
1959                 err = rdev->ops->set_default_mgmt_key(&rdev->wiphy,
1960                                                       dev, key.idx);
1961                 if (err)
1962                         goto out;
1963
1964 #ifdef CONFIG_CFG80211_WEXT
1965                 dev->ieee80211_ptr->wext.default_mgmt_key = key.idx;
1966 #endif
1967         }
1968
1969  out:
1970         wdev_unlock(dev->ieee80211_ptr);
1971
1972         return err;
1973 }
1974
1975 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
1976 {
1977         struct cfg80211_registered_device *rdev = info->user_ptr[0];
1978         int err;
1979         struct net_device *dev = info->user_ptr[1];
1980         struct key_parse key;
1981         const u8 *mac_addr = NULL;
1982
1983         err = nl80211_parse_key(info, &key);
1984         if (err)
1985                 return err;
1986
1987         if (!key.p.key)
1988                 return -EINVAL;
1989
1990         if (info->attrs[NL80211_ATTR_MAC])
1991                 mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
1992
1993         if (key.type == -1) {
1994                 if (mac_addr)
1995                         key.type = NL80211_KEYTYPE_PAIRWISE;
1996                 else
1997                         key.type = NL80211_KEYTYPE_GROUP;
1998         }
1999
2000         /* for now */
2001         if (key.type != NL80211_KEYTYPE_PAIRWISE &&
2002             key.type != NL80211_KEYTYPE_GROUP)
2003                 return -EINVAL;
2004
2005         if (!rdev->ops->add_key)
2006                 return -EOPNOTSUPP;
2007
2008         if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
2009                                            key.type == NL80211_KEYTYPE_PAIRWISE,
2010                                            mac_addr))
2011                 return -EINVAL;
2012
2013         wdev_lock(dev->ieee80211_ptr);
2014         err = nl80211_key_allowed(dev->ieee80211_ptr);
2015         if (!err)
2016                 err = rdev->ops->add_key(&rdev->wiphy, dev, key.idx,
2017                                          key.type == NL80211_KEYTYPE_PAIRWISE,
2018                                          mac_addr, &key.p);
2019         wdev_unlock(dev->ieee80211_ptr);
2020
2021         return err;
2022 }
2023
2024 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
2025 {
2026         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2027         int err;
2028         struct net_device *dev = info->user_ptr[1];
2029         u8 *mac_addr = NULL;
2030         struct key_parse key;
2031
2032         err = nl80211_parse_key(info, &key);
2033         if (err)
2034                 return err;
2035
2036         if (info->attrs[NL80211_ATTR_MAC])
2037                 mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
2038
2039         if (key.type == -1) {
2040                 if (mac_addr)
2041                         key.type = NL80211_KEYTYPE_PAIRWISE;
2042                 else
2043                         key.type = NL80211_KEYTYPE_GROUP;
2044         }
2045
2046         /* for now */
2047         if (key.type != NL80211_KEYTYPE_PAIRWISE &&
2048             key.type != NL80211_KEYTYPE_GROUP)
2049                 return -EINVAL;
2050
2051         if (!rdev->ops->del_key)
2052                 return -EOPNOTSUPP;
2053
2054         wdev_lock(dev->ieee80211_ptr);
2055         err = nl80211_key_allowed(dev->ieee80211_ptr);
2056
2057         if (key.type == NL80211_KEYTYPE_PAIRWISE && mac_addr &&
2058             !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
2059                 err = -ENOENT;
2060
2061         if (!err)
2062                 err = rdev->ops->del_key(&rdev->wiphy, dev, key.idx,
2063                                          key.type == NL80211_KEYTYPE_PAIRWISE,
2064                                          mac_addr);
2065
2066 #ifdef CONFIG_CFG80211_WEXT
2067         if (!err) {
2068                 if (key.idx == dev->ieee80211_ptr->wext.default_key)
2069                         dev->ieee80211_ptr->wext.default_key = -1;
2070                 else if (key.idx == dev->ieee80211_ptr->wext.default_mgmt_key)
2071                         dev->ieee80211_ptr->wext.default_mgmt_key = -1;
2072         }
2073 #endif
2074         wdev_unlock(dev->ieee80211_ptr);
2075
2076         return err;
2077 }
2078
2079 static int nl80211_addset_beacon(struct sk_buff *skb, struct genl_info *info)
2080 {
2081         int (*call)(struct wiphy *wiphy, struct net_device *dev,
2082                     struct beacon_parameters *info);
2083         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2084         struct net_device *dev = info->user_ptr[1];
2085         struct wireless_dev *wdev = dev->ieee80211_ptr;
2086         struct beacon_parameters params;
2087         int haveinfo = 0, err;
2088
2089         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_BEACON_TAIL]) ||
2090             !is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]) ||
2091             !is_valid_ie_attr(info->attrs[NL80211_ATTR_IE_PROBE_RESP]) ||
2092             !is_valid_ie_attr(info->attrs[NL80211_ATTR_IE_ASSOC_RESP]))
2093                 return -EINVAL;
2094
2095         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
2096             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
2097                 return -EOPNOTSUPP;
2098
2099         memset(&params, 0, sizeof(params));
2100
2101         switch (info->genlhdr->cmd) {
2102         case NL80211_CMD_NEW_BEACON:
2103                 /* these are required for NEW_BEACON */
2104                 if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
2105                     !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
2106                     !info->attrs[NL80211_ATTR_BEACON_HEAD])
2107                         return -EINVAL;
2108
2109                 params.interval =
2110                         nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
2111                 params.dtim_period =
2112                         nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
2113
2114                 err = cfg80211_validate_beacon_int(rdev, params.interval);
2115                 if (err)
2116                         return err;
2117
2118                 /*
2119                  * In theory, some of these attributes could be required for
2120                  * NEW_BEACON, but since they were not used when the command was
2121                  * originally added, keep them optional for old user space
2122                  * programs to work with drivers that do not need the additional
2123                  * information.
2124                  */
2125                 if (info->attrs[NL80211_ATTR_SSID]) {
2126                         params.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
2127                         params.ssid_len =
2128                                 nla_len(info->attrs[NL80211_ATTR_SSID]);
2129                         if (params.ssid_len == 0 ||
2130                             params.ssid_len > IEEE80211_MAX_SSID_LEN)
2131                                 return -EINVAL;
2132                 }
2133
2134                 if (info->attrs[NL80211_ATTR_HIDDEN_SSID]) {
2135                         params.hidden_ssid = nla_get_u32(
2136                                 info->attrs[NL80211_ATTR_HIDDEN_SSID]);
2137                         if (params.hidden_ssid !=
2138                             NL80211_HIDDEN_SSID_NOT_IN_USE &&
2139                             params.hidden_ssid !=
2140                             NL80211_HIDDEN_SSID_ZERO_LEN &&
2141                             params.hidden_ssid !=
2142                             NL80211_HIDDEN_SSID_ZERO_CONTENTS)
2143                                 return -EINVAL;
2144                 }
2145
2146                 params.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
2147
2148                 if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
2149                         params.auth_type = nla_get_u32(
2150                                 info->attrs[NL80211_ATTR_AUTH_TYPE]);
2151                         if (!nl80211_valid_auth_type(params.auth_type))
2152                                 return -EINVAL;
2153                 } else
2154                         params.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
2155
2156                 err = nl80211_crypto_settings(rdev, info, &params.crypto,
2157                                               NL80211_MAX_NR_CIPHER_SUITES);
2158                 if (err)
2159                         return err;
2160
2161                 call = rdev->ops->add_beacon;
2162                 break;
2163         case NL80211_CMD_SET_BEACON:
2164                 call = rdev->ops->set_beacon;
2165                 break;
2166         default:
2167                 WARN_ON(1);
2168                 return -EOPNOTSUPP;
2169         }
2170
2171         if (!call)
2172                 return -EOPNOTSUPP;
2173
2174         if (info->attrs[NL80211_ATTR_BEACON_HEAD]) {
2175                 params.head = nla_data(info->attrs[NL80211_ATTR_BEACON_HEAD]);
2176                 params.head_len =
2177                     nla_len(info->attrs[NL80211_ATTR_BEACON_HEAD]);
2178                 haveinfo = 1;
2179         }
2180
2181         if (info->attrs[NL80211_ATTR_BEACON_TAIL]) {
2182                 params.tail = nla_data(info->attrs[NL80211_ATTR_BEACON_TAIL]);
2183                 params.tail_len =
2184                     nla_len(info->attrs[NL80211_ATTR_BEACON_TAIL]);
2185                 haveinfo = 1;
2186         }
2187
2188         if (!haveinfo)
2189                 return -EINVAL;
2190
2191         if (info->attrs[NL80211_ATTR_IE]) {
2192                 params.beacon_ies = nla_data(info->attrs[NL80211_ATTR_IE]);
2193                 params.beacon_ies_len = nla_len(info->attrs[NL80211_ATTR_IE]);
2194         }
2195
2196         if (info->attrs[NL80211_ATTR_IE_PROBE_RESP]) {
2197                 params.proberesp_ies =
2198                         nla_data(info->attrs[NL80211_ATTR_IE_PROBE_RESP]);
2199                 params.proberesp_ies_len =
2200                         nla_len(info->attrs[NL80211_ATTR_IE_PROBE_RESP]);
2201         }
2202
2203         if (info->attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
2204                 params.assocresp_ies =
2205                         nla_data(info->attrs[NL80211_ATTR_IE_ASSOC_RESP]);
2206                 params.assocresp_ies_len =
2207                         nla_len(info->attrs[NL80211_ATTR_IE_ASSOC_RESP]);
2208         }
2209
2210         if (info->attrs[NL80211_ATTR_PROBE_RESP]) {
2211                 params.probe_resp =
2212                         nla_data(info->attrs[NL80211_ATTR_PROBE_RESP]);
2213                 params.probe_resp_len =
2214                         nla_len(info->attrs[NL80211_ATTR_PROBE_RESP]);
2215         }
2216
2217         err = call(&rdev->wiphy, dev, &params);
2218         if (!err && params.interval)
2219                 wdev->beacon_interval = params.interval;
2220         return err;
2221 }
2222
2223 static int nl80211_del_beacon(struct sk_buff *skb, struct genl_info *info)
2224 {
2225         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2226         struct net_device *dev = info->user_ptr[1];
2227         struct wireless_dev *wdev = dev->ieee80211_ptr;
2228         int err;
2229
2230         if (!rdev->ops->del_beacon)
2231                 return -EOPNOTSUPP;
2232
2233         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
2234             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
2235                 return -EOPNOTSUPP;
2236
2237         err = rdev->ops->del_beacon(&rdev->wiphy, dev);
2238         if (!err)
2239                 wdev->beacon_interval = 0;
2240         return err;
2241 }
2242
2243 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
2244         [NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
2245         [NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
2246         [NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
2247         [NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
2248         [NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
2249         [NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
2250 };
2251
2252 static int parse_station_flags(struct genl_info *info,
2253                                struct station_parameters *params)
2254 {
2255         struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
2256         struct nlattr *nla;
2257         int flag;
2258
2259         /*
2260          * Try parsing the new attribute first so userspace
2261          * can specify both for older kernels.
2262          */
2263         nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
2264         if (nla) {
2265                 struct nl80211_sta_flag_update *sta_flags;
2266
2267                 sta_flags = nla_data(nla);
2268                 params->sta_flags_mask = sta_flags->mask;
2269                 params->sta_flags_set = sta_flags->set;
2270                 if ((params->sta_flags_mask |
2271                      params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
2272                         return -EINVAL;
2273                 return 0;
2274         }
2275
2276         /* if present, parse the old attribute */
2277
2278         nla = info->attrs[NL80211_ATTR_STA_FLAGS];
2279         if (!nla)
2280                 return 0;
2281
2282         if (nla_parse_nested(flags, NL80211_STA_FLAG_MAX,
2283                              nla, sta_flags_policy))
2284                 return -EINVAL;
2285
2286         params->sta_flags_mask = (1 << __NL80211_STA_FLAG_AFTER_LAST) - 1;
2287         params->sta_flags_mask &= ~1;
2288
2289         for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++)
2290                 if (flags[flag])
2291                         params->sta_flags_set |= (1<<flag);
2292
2293         return 0;
2294 }
2295
2296 static bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info,
2297                                  int attr)
2298 {
2299         struct nlattr *rate;
2300         u16 bitrate;
2301
2302         rate = nla_nest_start(msg, attr);
2303         if (!rate)
2304                 goto nla_put_failure;
2305
2306         /* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
2307         bitrate = cfg80211_calculate_bitrate(info);
2308         if (bitrate > 0)
2309                 NLA_PUT_U16(msg, NL80211_RATE_INFO_BITRATE, bitrate);
2310
2311         if (info->flags & RATE_INFO_FLAGS_MCS)
2312                 NLA_PUT_U8(msg, NL80211_RATE_INFO_MCS, info->mcs);
2313         if (info->flags & RATE_INFO_FLAGS_40_MHZ_WIDTH)
2314                 NLA_PUT_FLAG(msg, NL80211_RATE_INFO_40_MHZ_WIDTH);
2315         if (info->flags & RATE_INFO_FLAGS_SHORT_GI)
2316                 NLA_PUT_FLAG(msg, NL80211_RATE_INFO_SHORT_GI);
2317
2318         nla_nest_end(msg, rate);
2319         return true;
2320
2321 nla_put_failure:
2322         return false;
2323 }
2324
2325 static int nl80211_send_station(struct sk_buff *msg, u32 pid, u32 seq,
2326                                 int flags, struct net_device *dev,
2327                                 const u8 *mac_addr, struct station_info *sinfo)
2328 {
2329         void *hdr;
2330         struct nlattr *sinfoattr, *bss_param;
2331
2332         hdr = nl80211hdr_put(msg, pid, seq, flags, NL80211_CMD_NEW_STATION);
2333         if (!hdr)
2334                 return -1;
2335
2336         NLA_PUT_U32(msg, NL80211_ATTR_IFINDEX, dev->ifindex);
2337         NLA_PUT(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr);
2338
2339         NLA_PUT_U32(msg, NL80211_ATTR_GENERATION, sinfo->generation);
2340
2341         sinfoattr = nla_nest_start(msg, NL80211_ATTR_STA_INFO);
2342         if (!sinfoattr)
2343                 goto nla_put_failure;
2344         if (sinfo->filled & STATION_INFO_CONNECTED_TIME)
2345                 NLA_PUT_U32(msg, NL80211_STA_INFO_CONNECTED_TIME,
2346                             sinfo->connected_time);
2347         if (sinfo->filled & STATION_INFO_INACTIVE_TIME)
2348                 NLA_PUT_U32(msg, NL80211_STA_INFO_INACTIVE_TIME,
2349                             sinfo->inactive_time);
2350         if (sinfo->filled & STATION_INFO_RX_BYTES)
2351                 NLA_PUT_U32(msg, NL80211_STA_INFO_RX_BYTES,
2352                             sinfo->rx_bytes);
2353         if (sinfo->filled & STATION_INFO_TX_BYTES)
2354                 NLA_PUT_U32(msg, NL80211_STA_INFO_TX_BYTES,
2355                             sinfo->tx_bytes);
2356         if (sinfo->filled & STATION_INFO_LLID)
2357                 NLA_PUT_U16(msg, NL80211_STA_INFO_LLID,
2358                             sinfo->llid);
2359         if (sinfo->filled & STATION_INFO_PLID)
2360                 NLA_PUT_U16(msg, NL80211_STA_INFO_PLID,
2361                             sinfo->plid);
2362         if (sinfo->filled & STATION_INFO_PLINK_STATE)
2363                 NLA_PUT_U8(msg, NL80211_STA_INFO_PLINK_STATE,
2364                             sinfo->plink_state);
2365         if (sinfo->filled & STATION_INFO_SIGNAL)
2366                 NLA_PUT_U8(msg, NL80211_STA_INFO_SIGNAL,
2367                            sinfo->signal);
2368         if (sinfo->filled & STATION_INFO_SIGNAL_AVG)
2369                 NLA_PUT_U8(msg, NL80211_STA_INFO_SIGNAL_AVG,
2370                            sinfo->signal_avg);
2371         if (sinfo->filled & STATION_INFO_TX_BITRATE) {
2372                 if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
2373                                           NL80211_STA_INFO_TX_BITRATE))
2374                         goto nla_put_failure;
2375         }
2376         if (sinfo->filled & STATION_INFO_RX_BITRATE) {
2377                 if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
2378                                           NL80211_STA_INFO_RX_BITRATE))
2379                         goto nla_put_failure;
2380         }
2381         if (sinfo->filled & STATION_INFO_RX_PACKETS)
2382                 NLA_PUT_U32(msg, NL80211_STA_INFO_RX_PACKETS,
2383                             sinfo->rx_packets);
2384         if (sinfo->filled & STATION_INFO_TX_PACKETS)
2385                 NLA_PUT_U32(msg, NL80211_STA_INFO_TX_PACKETS,
2386                             sinfo->tx_packets);
2387         if (sinfo->filled & STATION_INFO_TX_RETRIES)
2388                 NLA_PUT_U32(msg, NL80211_STA_INFO_TX_RETRIES,
2389                             sinfo->tx_retries);
2390         if (sinfo->filled & STATION_INFO_TX_FAILED)
2391                 NLA_PUT_U32(msg, NL80211_STA_INFO_TX_FAILED,
2392                             sinfo->tx_failed);
2393         if (sinfo->filled & STATION_INFO_BSS_PARAM) {
2394                 bss_param = nla_nest_start(msg, NL80211_STA_INFO_BSS_PARAM);
2395                 if (!bss_param)
2396                         goto nla_put_failure;
2397
2398                 if (sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT)
2399                         NLA_PUT_FLAG(msg, NL80211_STA_BSS_PARAM_CTS_PROT);
2400                 if (sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE)
2401                         NLA_PUT_FLAG(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE);
2402                 if (sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME)
2403                         NLA_PUT_FLAG(msg,
2404                                      NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME);
2405                 NLA_PUT_U8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
2406                            sinfo->bss_param.dtim_period);
2407                 NLA_PUT_U16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
2408                             sinfo->bss_param.beacon_interval);
2409
2410                 nla_nest_end(msg, bss_param);
2411         }
2412         if (sinfo->filled & STATION_INFO_STA_FLAGS)
2413                 NLA_PUT(msg, NL80211_STA_INFO_STA_FLAGS,
2414                         sizeof(struct nl80211_sta_flag_update),
2415                         &sinfo->sta_flags);
2416         nla_nest_end(msg, sinfoattr);
2417
2418         if (sinfo->filled & STATION_INFO_ASSOC_REQ_IES)
2419                 NLA_PUT(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
2420                         sinfo->assoc_req_ies);
2421
2422         return genlmsg_end(msg, hdr);
2423
2424  nla_put_failure:
2425         genlmsg_cancel(msg, hdr);
2426         return -EMSGSIZE;
2427 }
2428
2429 static int nl80211_dump_station(struct sk_buff *skb,
2430                                 struct netlink_callback *cb)
2431 {
2432         struct station_info sinfo;
2433         struct cfg80211_registered_device *dev;
2434         struct net_device *netdev;
2435         u8 mac_addr[ETH_ALEN];
2436         int sta_idx = cb->args[1];
2437         int err;
2438
2439         err = nl80211_prepare_netdev_dump(skb, cb, &dev, &netdev);
2440         if (err)
2441                 return err;
2442
2443         if (!dev->ops->dump_station) {
2444                 err = -EOPNOTSUPP;
2445                 goto out_err;
2446         }
2447
2448         while (1) {
2449                 memset(&sinfo, 0, sizeof(sinfo));
2450                 err = dev->ops->dump_station(&dev->wiphy, netdev, sta_idx,
2451                                              mac_addr, &sinfo);
2452                 if (err == -ENOENT)
2453                         break;
2454                 if (err)
2455                         goto out_err;
2456
2457                 if (nl80211_send_station(skb,
2458                                 NETLINK_CB(cb->skb).pid,
2459                                 cb->nlh->nlmsg_seq, NLM_F_MULTI,
2460                                 netdev, mac_addr,
2461                                 &sinfo) < 0)
2462                         goto out;
2463
2464                 sta_idx++;
2465         }
2466
2467
2468  out:
2469         cb->args[1] = sta_idx;
2470         err = skb->len;
2471  out_err:
2472         nl80211_finish_netdev_dump(dev);
2473
2474         return err;
2475 }
2476
2477 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
2478 {
2479         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2480         struct net_device *dev = info->user_ptr[1];
2481         struct station_info sinfo;
2482         struct sk_buff *msg;
2483         u8 *mac_addr = NULL;
2484         int err;
2485
2486         memset(&sinfo, 0, sizeof(sinfo));
2487
2488         if (!info->attrs[NL80211_ATTR_MAC])
2489                 return -EINVAL;
2490
2491         mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
2492
2493         if (!rdev->ops->get_station)
2494                 return -EOPNOTSUPP;
2495
2496         err = rdev->ops->get_station(&rdev->wiphy, dev, mac_addr, &sinfo);
2497         if (err)
2498                 return err;
2499
2500         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2501         if (!msg)
2502                 return -ENOMEM;
2503
2504         if (nl80211_send_station(msg, info->snd_pid, info->snd_seq, 0,
2505                                  dev, mac_addr, &sinfo) < 0) {
2506                 nlmsg_free(msg);
2507                 return -ENOBUFS;
2508         }
2509
2510         return genlmsg_reply(msg, info);
2511 }
2512
2513 /*
2514  * Get vlan interface making sure it is running and on the right wiphy.
2515  */
2516 static struct net_device *get_vlan(struct genl_info *info,
2517                                    struct cfg80211_registered_device *rdev)
2518 {
2519         struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
2520         struct net_device *v;
2521         int ret;
2522
2523         if (!vlanattr)
2524                 return NULL;
2525
2526         v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
2527         if (!v)
2528                 return ERR_PTR(-ENODEV);
2529
2530         if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
2531                 ret = -EINVAL;
2532                 goto error;
2533         }
2534
2535         if (!netif_running(v)) {
2536                 ret = -ENETDOWN;
2537                 goto error;
2538         }
2539
2540         return v;
2541  error:
2542         dev_put(v);
2543         return ERR_PTR(ret);
2544 }
2545
2546 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
2547 {
2548         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2549         int err;
2550         struct net_device *dev = info->user_ptr[1];
2551         struct station_parameters params;
2552         u8 *mac_addr = NULL;
2553
2554         memset(&params, 0, sizeof(params));
2555
2556         params.listen_interval = -1;
2557         params.plink_state = -1;
2558
2559         if (info->attrs[NL80211_ATTR_STA_AID])
2560                 return -EINVAL;
2561
2562         if (!info->attrs[NL80211_ATTR_MAC])
2563                 return -EINVAL;
2564
2565         mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
2566
2567         if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
2568                 params.supported_rates =
2569                         nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
2570                 params.supported_rates_len =
2571                         nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
2572         }
2573
2574         if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
2575                 params.listen_interval =
2576                     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
2577
2578         if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
2579                 params.ht_capa =
2580                         nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
2581
2582         if (!rdev->ops->change_station)
2583                 return -EOPNOTSUPP;
2584
2585         if (parse_station_flags(info, &params))
2586                 return -EINVAL;
2587
2588         if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
2589                 params.plink_action =
2590                     nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
2591
2592         if (info->attrs[NL80211_ATTR_STA_PLINK_STATE])
2593                 params.plink_state =
2594                     nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
2595
2596         switch (dev->ieee80211_ptr->iftype) {
2597         case NL80211_IFTYPE_AP:
2598         case NL80211_IFTYPE_AP_VLAN:
2599         case NL80211_IFTYPE_P2P_GO:
2600                 /* disallow mesh-specific things */
2601                 if (params.plink_action)
2602                         return -EINVAL;
2603
2604                 /* TDLS can't be set, ... */
2605                 if (params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
2606                         return -EINVAL;
2607                 /*
2608                  * ... but don't bother the driver with it. This works around
2609                  * a hostapd/wpa_supplicant issue -- it always includes the
2610                  * TLDS_PEER flag in the mask even for AP mode.
2611                  */
2612                 params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
2613
2614                 /* accept only the listed bits */
2615                 if (params.sta_flags_mask &
2616                                 ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
2617                                   BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
2618                                   BIT(NL80211_STA_FLAG_WME) |
2619                                   BIT(NL80211_STA_FLAG_MFP)))
2620                         return -EINVAL;
2621
2622                 /* must be last in here for error handling */
2623                 params.vlan = get_vlan(info, rdev);
2624                 if (IS_ERR(params.vlan))
2625                         return PTR_ERR(params.vlan);
2626                 break;
2627         case NL80211_IFTYPE_P2P_CLIENT:
2628         case NL80211_IFTYPE_STATION:
2629                 /* disallow things sta doesn't support */
2630                 if (params.plink_action)
2631                         return -EINVAL;
2632                 if (params.ht_capa)
2633                         return -EINVAL;
2634                 if (params.listen_interval >= 0)
2635                         return -EINVAL;
2636                 /*
2637                  * Don't allow userspace to change the TDLS_PEER flag,
2638                  * but silently ignore attempts to change it since we
2639                  * don't have state here to verify that it doesn't try
2640                  * to change the flag.
2641                  */
2642                 params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
2643
2644                 /* reject any changes other than AUTHORIZED */
2645                 if (params.sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
2646                         return -EINVAL;
2647                 break;
2648         case NL80211_IFTYPE_MESH_POINT:
2649                 /* disallow things mesh doesn't support */
2650                 if (params.vlan)
2651                         return -EINVAL;
2652                 if (params.ht_capa)
2653                         return -EINVAL;
2654                 if (params.listen_interval >= 0)
2655                         return -EINVAL;
2656                 /*
2657                  * No special handling for TDLS here -- the userspace
2658                  * mesh code doesn't have this bug.
2659                  */
2660                 if (params.sta_flags_mask &
2661                                 ~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
2662                                   BIT(NL80211_STA_FLAG_MFP) |
2663                                   BIT(NL80211_STA_FLAG_AUTHORIZED)))
2664                         return -EINVAL;
2665                 break;
2666         default:
2667                 return -EOPNOTSUPP;
2668         }
2669
2670         /* be aware of params.vlan when changing code here */
2671
2672         err = rdev->ops->change_station(&rdev->wiphy, dev, mac_addr, &params);
2673
2674         if (params.vlan)
2675                 dev_put(params.vlan);
2676
2677         return err;
2678 }
2679
2680 static struct nla_policy
2681 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] __read_mostly = {
2682         [NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
2683         [NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
2684 };
2685
2686 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
2687 {
2688         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2689         int err;
2690         struct net_device *dev = info->user_ptr[1];
2691         struct station_parameters params;
2692         u8 *mac_addr = NULL;
2693
2694         memset(&params, 0, sizeof(params));
2695
2696         if (!info->attrs[NL80211_ATTR_MAC])
2697                 return -EINVAL;
2698
2699         if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
2700                 return -EINVAL;
2701
2702         if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
2703                 return -EINVAL;
2704
2705         if (!info->attrs[NL80211_ATTR_STA_AID])
2706                 return -EINVAL;
2707
2708         mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
2709         params.supported_rates =
2710                 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
2711         params.supported_rates_len =
2712                 nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
2713         params.listen_interval =
2714                 nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
2715
2716         params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
2717         if (!params.aid || params.aid > IEEE80211_MAX_AID)
2718                 return -EINVAL;
2719
2720         if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
2721                 params.ht_capa =
2722                         nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
2723
2724         if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
2725                 params.plink_action =
2726                     nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
2727
2728         if (!rdev->ops->add_station)
2729                 return -EOPNOTSUPP;
2730
2731         if (parse_station_flags(info, &params))
2732                 return -EINVAL;
2733
2734         switch (dev->ieee80211_ptr->iftype) {
2735         case NL80211_IFTYPE_AP:
2736         case NL80211_IFTYPE_AP_VLAN:
2737         case NL80211_IFTYPE_P2P_GO:
2738                 /* parse WME attributes if sta is WME capable */
2739                 if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
2740                     (params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)) &&
2741                     info->attrs[NL80211_ATTR_STA_WME]) {
2742                         struct nlattr *tb[NL80211_STA_WME_MAX + 1];
2743                         struct nlattr *nla;
2744
2745                         nla = info->attrs[NL80211_ATTR_STA_WME];
2746                         err = nla_parse_nested(tb, NL80211_STA_WME_MAX, nla,
2747                                                nl80211_sta_wme_policy);
2748                         if (err)
2749                                 return err;
2750
2751                         if (tb[NL80211_STA_WME_UAPSD_QUEUES])
2752                                 params.uapsd_queues =
2753                                      nla_get_u8(tb[NL80211_STA_WME_UAPSD_QUEUES]);
2754                         if (params.uapsd_queues &
2755                                         ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
2756                                 return -EINVAL;
2757
2758                         if (tb[NL80211_STA_WME_MAX_SP])
2759                                 params.max_sp =
2760                                      nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
2761
2762                         if (params.max_sp &
2763                                         ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
2764                                 return -EINVAL;
2765
2766                         params.sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
2767                 }
2768                 /* TDLS peers cannot be added */
2769                 if (params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
2770                         return -EINVAL;
2771                 /* but don't bother the driver with it */
2772                 params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
2773
2774                 /* must be last in here for error handling */
2775                 params.vlan = get_vlan(info, rdev);
2776                 if (IS_ERR(params.vlan))
2777                         return PTR_ERR(params.vlan);
2778                 break;
2779         case NL80211_IFTYPE_MESH_POINT:
2780                 /* TDLS peers cannot be added */
2781                 if (params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
2782                         return -EINVAL;
2783                 break;
2784         case NL80211_IFTYPE_STATION:
2785                 /* Only TDLS peers can be added */
2786                 if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
2787                         return -EINVAL;
2788                 /* Can only add if TDLS ... */
2789                 if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
2790                         return -EOPNOTSUPP;
2791                 /* ... with external setup is supported */
2792                 if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
2793                         return -EOPNOTSUPP;
2794                 break;
2795         default:
2796                 return -EOPNOTSUPP;
2797         }
2798
2799         /* be aware of params.vlan when changing code here */
2800
2801         err = rdev->ops->add_station(&rdev->wiphy, dev, mac_addr, &params);
2802
2803         if (params.vlan)
2804                 dev_put(params.vlan);
2805         return err;
2806 }
2807
2808 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
2809 {
2810         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2811         struct net_device *dev = info->user_ptr[1];
2812         u8 *mac_addr = NULL;
2813
2814         if (info->attrs[NL80211_ATTR_MAC])
2815                 mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
2816
2817         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
2818             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
2819             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
2820             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
2821                 return -EINVAL;
2822
2823         if (!rdev->ops->del_station)
2824                 return -EOPNOTSUPP;
2825
2826         return rdev->ops->del_station(&rdev->wiphy, dev, mac_addr);
2827 }
2828
2829 static int nl80211_send_mpath(struct sk_buff *msg, u32 pid, u32 seq,
2830                                 int flags, struct net_device *dev,
2831                                 u8 *dst, u8 *next_hop,
2832                                 struct mpath_info *pinfo)
2833 {
2834         void *hdr;
2835         struct nlattr *pinfoattr;
2836
2837         hdr = nl80211hdr_put(msg, pid, seq, flags, NL80211_CMD_NEW_STATION);
2838         if (!hdr)
2839                 return -1;
2840
2841         NLA_PUT_U32(msg, NL80211_ATTR_IFINDEX, dev->ifindex);
2842         NLA_PUT(msg, NL80211_ATTR_MAC, ETH_ALEN, dst);
2843         NLA_PUT(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop);
2844
2845         NLA_PUT_U32(msg, NL80211_ATTR_GENERATION, pinfo->generation);
2846
2847         pinfoattr = nla_nest_start(msg, NL80211_ATTR_MPATH_INFO);
2848         if (!pinfoattr)
2849                 goto nla_put_failure;
2850         if (pinfo->filled & MPATH_INFO_FRAME_QLEN)
2851                 NLA_PUT_U32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
2852                             pinfo->frame_qlen);
2853         if (pinfo->filled & MPATH_INFO_SN)
2854                 NLA_PUT_U32(msg, NL80211_MPATH_INFO_SN,
2855                             pinfo->sn);
2856         if (pinfo->filled & MPATH_INFO_METRIC)
2857                 NLA_PUT_U32(msg, NL80211_MPATH_INFO_METRIC,
2858                             pinfo->metric);
2859         if (pinfo->filled & MPATH_INFO_EXPTIME)
2860                 NLA_PUT_U32(msg, NL80211_MPATH_INFO_EXPTIME,
2861                             pinfo->exptime);
2862         if (pinfo->filled & MPATH_INFO_FLAGS)
2863                 NLA_PUT_U8(msg, NL80211_MPATH_INFO_FLAGS,
2864                             pinfo->flags);
2865         if (pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT)
2866                 NLA_PUT_U32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
2867                             pinfo->discovery_timeout);
2868         if (pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES)
2869                 NLA_PUT_U8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
2870                             pinfo->discovery_retries);
2871
2872         nla_nest_end(msg, pinfoattr);
2873
2874         return genlmsg_end(msg, hdr);
2875
2876  nla_put_failure:
2877         genlmsg_cancel(msg, hdr);
2878         return -EMSGSIZE;
2879 }
2880
2881 static int nl80211_dump_mpath(struct sk_buff *skb,
2882                               struct netlink_callback *cb)
2883 {
2884         struct mpath_info pinfo;
2885         struct cfg80211_registered_device *dev;
2886         struct net_device *netdev;
2887         u8 dst[ETH_ALEN];
2888         u8 next_hop[ETH_ALEN];
2889         int path_idx = cb->args[1];
2890         int err;
2891
2892         err = nl80211_prepare_netdev_dump(skb, cb, &dev, &netdev);
2893         if (err)
2894                 return err;
2895
2896         if (!dev->ops->dump_mpath) {
2897                 err = -EOPNOTSUPP;
2898                 goto out_err;
2899         }
2900
2901         if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT) {
2902                 err = -EOPNOTSUPP;
2903                 goto out_err;
2904         }
2905
2906         while (1) {
2907                 err = dev->ops->dump_mpath(&dev->wiphy, netdev, path_idx,
2908                                            dst, next_hop, &pinfo);
2909                 if (err == -ENOENT)
2910                         break;
2911                 if (err)
2912                         goto out_err;
2913
2914                 if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).pid,
2915                                        cb->nlh->nlmsg_seq, NLM_F_MULTI,
2916                                        netdev, dst, next_hop,
2917                                        &pinfo) < 0)
2918                         goto out;
2919
2920                 path_idx++;
2921         }
2922
2923
2924  out:
2925         cb->args[1] = path_idx;
2926         err = skb->len;
2927  out_err:
2928         nl80211_finish_netdev_dump(dev);
2929         return err;
2930 }
2931
2932 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
2933 {
2934         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2935         int err;
2936         struct net_device *dev = info->user_ptr[1];
2937         struct mpath_info pinfo;
2938         struct sk_buff *msg;
2939         u8 *dst = NULL;
2940         u8 next_hop[ETH_ALEN];
2941
2942         memset(&pinfo, 0, sizeof(pinfo));
2943
2944         if (!info->attrs[NL80211_ATTR_MAC])
2945                 return -EINVAL;
2946
2947         dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
2948
2949         if (!rdev->ops->get_mpath)
2950                 return -EOPNOTSUPP;
2951
2952         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
2953                 return -EOPNOTSUPP;
2954
2955         err = rdev->ops->get_mpath(&rdev->wiphy, dev, dst, next_hop, &pinfo);
2956         if (err)
2957                 return err;
2958
2959         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2960         if (!msg)
2961                 return -ENOMEM;
2962
2963         if (nl80211_send_mpath(msg, info->snd_pid, info->snd_seq, 0,
2964                                  dev, dst, next_hop, &pinfo) < 0) {
2965                 nlmsg_free(msg);
2966                 return -ENOBUFS;
2967         }
2968
2969         return genlmsg_reply(msg, info);
2970 }
2971
2972 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
2973 {
2974         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2975         struct net_device *dev = info->user_ptr[1];
2976         u8 *dst = NULL;
2977         u8 *next_hop = NULL;
2978
2979         if (!info->attrs[NL80211_ATTR_MAC])
2980                 return -EINVAL;
2981
2982         if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
2983                 return -EINVAL;
2984
2985         dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
2986         next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
2987
2988         if (!rdev->ops->change_mpath)
2989                 return -EOPNOTSUPP;
2990
2991         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
2992                 return -EOPNOTSUPP;
2993
2994         return rdev->ops->change_mpath(&rdev->wiphy, dev, dst, next_hop);
2995 }
2996
2997 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
2998 {
2999         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3000         struct net_device *dev = info->user_ptr[1];
3001         u8 *dst = NULL;
3002         u8 *next_hop = NULL;
3003
3004         if (!info->attrs[NL80211_ATTR_MAC])
3005                 return -EINVAL;
3006
3007         if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
3008                 return -EINVAL;
3009
3010         dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
3011         next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
3012
3013         if (!rdev->ops->add_mpath)
3014                 return -EOPNOTSUPP;
3015
3016         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
3017                 return -EOPNOTSUPP;
3018
3019         return rdev->ops->add_mpath(&rdev->wiphy, dev, dst, next_hop);
3020 }
3021
3022 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
3023 {
3024         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3025         struct net_device *dev = info->user_ptr[1];
3026         u8 *dst = NULL;
3027
3028         if (info->attrs[NL80211_ATTR_MAC])
3029                 dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
3030
3031         if (!rdev->ops->del_mpath)
3032                 return -EOPNOTSUPP;
3033
3034         return rdev->ops->del_mpath(&rdev->wiphy, dev, dst);
3035 }
3036
3037 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
3038 {
3039         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3040         struct net_device *dev = info->user_ptr[1];
3041         struct bss_parameters params;
3042
3043         memset(&params, 0, sizeof(params));
3044         /* default to not changing parameters */
3045         params.use_cts_prot = -1;
3046         params.use_short_preamble = -1;
3047         params.use_short_slot_time = -1;
3048         params.ap_isolate = -1;
3049         params.ht_opmode = -1;
3050
3051         if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
3052                 params.use_cts_prot =
3053                     nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
3054         if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
3055                 params.use_short_preamble =
3056                     nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
3057         if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
3058                 params.use_short_slot_time =
3059                     nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
3060         if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
3061                 params.basic_rates =
3062                         nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
3063                 params.basic_rates_len =
3064                         nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
3065         }
3066         if (info->attrs[NL80211_ATTR_AP_ISOLATE])
3067                 params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
3068         if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
3069                 params.ht_opmode =
3070                         nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
3071
3072         if (!rdev->ops->change_bss)
3073                 return -EOPNOTSUPP;
3074
3075         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3076             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3077                 return -EOPNOTSUPP;
3078
3079         return rdev->ops->change_bss(&rdev->wiphy, dev, &params);
3080 }
3081
3082 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
3083         [NL80211_ATTR_REG_RULE_FLAGS]           = { .type = NLA_U32 },
3084         [NL80211_ATTR_FREQ_RANGE_START]         = { .type = NLA_U32 },
3085         [NL80211_ATTR_FREQ_RANGE_END]           = { .type = NLA_U32 },
3086         [NL80211_ATTR_FREQ_RANGE_MAX_BW]        = { .type = NLA_U32 },
3087         [NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]  = { .type = NLA_U32 },
3088         [NL80211_ATTR_POWER_RULE_MAX_EIRP]      = { .type = NLA_U32 },
3089 };
3090
3091 static int parse_reg_rule(struct nlattr *tb[],
3092         struct ieee80211_reg_rule *reg_rule)
3093 {
3094         struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
3095         struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
3096
3097         if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
3098                 return -EINVAL;
3099         if (!tb[NL80211_ATTR_FREQ_RANGE_START])
3100                 return -EINVAL;
3101         if (!tb[NL80211_ATTR_FREQ_RANGE_END])
3102                 return -EINVAL;
3103         if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
3104                 return -EINVAL;
3105         if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
3106                 return -EINVAL;
3107
3108         reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
3109
3110         freq_range->start_freq_khz =
3111                 nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
3112         freq_range->end_freq_khz =
3113                 nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
3114         freq_range->max_bandwidth_khz =
3115                 nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
3116
3117         power_rule->max_eirp =
3118                 nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
3119
3120         if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
3121                 power_rule->max_antenna_gain =
3122                         nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
3123
3124         return 0;
3125 }
3126
3127 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
3128 {
3129         int r;
3130         char *data = NULL;
3131
3132         /*
3133          * You should only get this when cfg80211 hasn't yet initialized
3134          * completely when built-in to the kernel right between the time
3135          * window between nl80211_init() and regulatory_init(), if that is
3136          * even possible.
3137          */
3138         mutex_lock(&cfg80211_mutex);
3139         if (unlikely(!cfg80211_regdomain)) {
3140                 mutex_unlock(&cfg80211_mutex);
3141                 return -EINPROGRESS;
3142         }
3143         mutex_unlock(&cfg80211_mutex);
3144
3145         if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
3146                 return -EINVAL;
3147
3148         data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
3149
3150         r = regulatory_hint_user(data);
3151
3152         return r;
3153 }
3154
3155 static int nl80211_get_mesh_config(struct sk_buff *skb,
3156                                    struct genl_info *info)
3157 {
3158         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3159         struct net_device *dev = info->user_ptr[1];
3160         struct wireless_dev *wdev = dev->ieee80211_ptr;
3161         struct mesh_config cur_params;
3162         int err = 0;
3163         void *hdr;
3164         struct nlattr *pinfoattr;
3165         struct sk_buff *msg;
3166
3167         if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
3168                 return -EOPNOTSUPP;
3169
3170         if (!rdev->ops->get_mesh_config)
3171                 return -EOPNOTSUPP;
3172
3173         wdev_lock(wdev);
3174         /* If not connected, get default parameters */
3175         if (!wdev->mesh_id_len)
3176                 memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
3177         else
3178                 err = rdev->ops->get_mesh_config(&rdev->wiphy, dev,
3179                                                  &cur_params);
3180         wdev_unlock(wdev);
3181
3182         if (err)
3183                 return err;
3184
3185         /* Draw up a netlink message to send back */
3186         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3187         if (!msg)
3188                 return -ENOMEM;
3189         hdr = nl80211hdr_put(msg, info->snd_pid, info->snd_seq, 0,
3190                              NL80211_CMD_GET_MESH_CONFIG);
3191         if (!hdr)
3192                 goto out;
3193         pinfoattr = nla_nest_start(msg, NL80211_ATTR_MESH_CONFIG);
3194         if (!pinfoattr)
3195                 goto nla_put_failure;
3196         NLA_PUT_U32(msg, NL80211_ATTR_IFINDEX, dev->ifindex);
3197         NLA_PUT_U16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
3198                         cur_params.dot11MeshRetryTimeout);
3199         NLA_PUT_U16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
3200                         cur_params.dot11MeshConfirmTimeout);
3201         NLA_PUT_U16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
3202                         cur_params.dot11MeshHoldingTimeout);
3203         NLA_PUT_U16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
3204                         cur_params.dot11MeshMaxPeerLinks);
3205         NLA_PUT_U8(msg, NL80211_MESHCONF_MAX_RETRIES,
3206                         cur_params.dot11MeshMaxRetries);
3207         NLA_PUT_U8(msg, NL80211_MESHCONF_TTL,
3208                         cur_params.dot11MeshTTL);
3209         NLA_PUT_U8(msg, NL80211_MESHCONF_ELEMENT_TTL,
3210                         cur_params.element_ttl);
3211         NLA_PUT_U8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
3212                         cur_params.auto_open_plinks);
3213         NLA_PUT_U8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
3214                         cur_params.dot11MeshHWMPmaxPREQretries);
3215         NLA_PUT_U32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
3216                         cur_params.path_refresh_time);
3217         NLA_PUT_U16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
3218                         cur_params.min_discovery_timeout);
3219         NLA_PUT_U32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
3220                         cur_params.dot11MeshHWMPactivePathTimeout);
3221         NLA_PUT_U16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
3222                         cur_params.dot11MeshHWMPpreqMinInterval);
3223         NLA_PUT_U16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
3224                         cur_params.dot11MeshHWMPperrMinInterval);
3225         NLA_PUT_U16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
3226                         cur_params.dot11MeshHWMPnetDiameterTraversalTime);
3227         NLA_PUT_U8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
3228                         cur_params.dot11MeshHWMPRootMode);
3229         NLA_PUT_U16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
3230                         cur_params.dot11MeshHWMPRannInterval);
3231         NLA_PUT_U8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
3232                         cur_params.dot11MeshGateAnnouncementProtocol);
3233         nla_nest_end(msg, pinfoattr);
3234         genlmsg_end(msg, hdr);
3235         return genlmsg_reply(msg, info);
3236
3237  nla_put_failure:
3238         genlmsg_cancel(msg, hdr);
3239  out:
3240         nlmsg_free(msg);
3241         return -ENOBUFS;
3242 }
3243
3244 static const struct nla_policy nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
3245         [NL80211_MESHCONF_RETRY_TIMEOUT] = { .type = NLA_U16 },
3246         [NL80211_MESHCONF_CONFIRM_TIMEOUT] = { .type = NLA_U16 },
3247         [NL80211_MESHCONF_HOLDING_TIMEOUT] = { .type = NLA_U16 },
3248         [NL80211_MESHCONF_MAX_PEER_LINKS] = { .type = NLA_U16 },
3249         [NL80211_MESHCONF_MAX_RETRIES] = { .type = NLA_U8 },
3250         [NL80211_MESHCONF_TTL] = { .type = NLA_U8 },
3251         [NL80211_MESHCONF_ELEMENT_TTL] = { .type = NLA_U8 },
3252         [NL80211_MESHCONF_AUTO_OPEN_PLINKS] = { .type = NLA_U8 },
3253
3254         [NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
3255         [NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
3256         [NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = { .type = NLA_U16 },
3257         [NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
3258         [NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] = { .type = NLA_U16 },
3259         [NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] = { .type = NLA_U16 },
3260         [NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] = { .type = NLA_U16 },
3261         [NL80211_MESHCONF_HWMP_ROOTMODE] = { .type = NLA_U8 },
3262         [NL80211_MESHCONF_HWMP_RANN_INTERVAL] = { .type = NLA_U16 },
3263         [NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = { .type = NLA_U8 },
3264 };
3265
3266 static const struct nla_policy
3267         nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
3268         [NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
3269         [NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
3270         [NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
3271         [NL80211_MESH_SETUP_IE] = { .type = NLA_BINARY,
3272                 .len = IEEE80211_MAX_DATA_LEN },
3273         [NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
3274 };
3275
3276 static int nl80211_parse_mesh_config(struct genl_info *info,
3277                                      struct mesh_config *cfg,
3278                                      u32 *mask_out)
3279 {
3280         struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
3281         u32 mask = 0;
3282
3283 #define FILL_IN_MESH_PARAM_IF_SET(table, cfg, param, mask, attr_num, nla_fn) \
3284 do {\
3285         if (table[attr_num]) {\
3286                 cfg->param = nla_fn(table[attr_num]); \
3287                 mask |= (1 << (attr_num - 1)); \
3288         } \
3289 } while (0);\
3290
3291
3292         if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
3293                 return -EINVAL;
3294         if (nla_parse_nested(tb, NL80211_MESHCONF_ATTR_MAX,
3295                              info->attrs[NL80211_ATTR_MESH_CONFIG],
3296                              nl80211_meshconf_params_policy))
3297                 return -EINVAL;
3298
3299         /* This makes sure that there aren't more than 32 mesh config
3300          * parameters (otherwise our bitfield scheme would not work.) */
3301         BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
3302
3303         /* Fill in the params struct */
3304         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout,
3305                         mask, NL80211_MESHCONF_RETRY_TIMEOUT, nla_get_u16);
3306         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout,
3307                         mask, NL80211_MESHCONF_CONFIRM_TIMEOUT, nla_get_u16);
3308         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout,
3309                         mask, NL80211_MESHCONF_HOLDING_TIMEOUT, nla_get_u16);
3310         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks,
3311                         mask, NL80211_MESHCONF_MAX_PEER_LINKS, nla_get_u16);
3312         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries,
3313                         mask, NL80211_MESHCONF_MAX_RETRIES, nla_get_u8);
3314         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL,
3315                         mask, NL80211_MESHCONF_TTL, nla_get_u8);
3316         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl,
3317                         mask, NL80211_MESHCONF_ELEMENT_TTL, nla_get_u8);
3318         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks,
3319                         mask, NL80211_MESHCONF_AUTO_OPEN_PLINKS, nla_get_u8);
3320         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries,
3321                         mask, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
3322                         nla_get_u8);
3323         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time,
3324                         mask, NL80211_MESHCONF_PATH_REFRESH_TIME, nla_get_u32);
3325         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout,
3326                         mask, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
3327                         nla_get_u16);
3328         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
3329                         mask, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
3330                         nla_get_u32);
3331         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval,
3332                         mask, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
3333                         nla_get_u16);
3334         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval,
3335                         mask, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
3336                         nla_get_u16);
3337         FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
3338                         dot11MeshHWMPnetDiameterTraversalTime,
3339                         mask, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
3340                         nla_get_u16);
3341         FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
3342                         dot11MeshHWMPRootMode, mask,
3343                         NL80211_MESHCONF_HWMP_ROOTMODE,
3344                         nla_get_u8);
3345         FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
3346                         dot11MeshHWMPRannInterval, mask,
3347                         NL80211_MESHCONF_HWMP_RANN_INTERVAL,
3348                         nla_get_u16);
3349         FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
3350                         dot11MeshGateAnnouncementProtocol, mask,
3351                         NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
3352                         nla_get_u8);
3353         if (mask_out)
3354                 *mask_out = mask;
3355
3356         return 0;
3357
3358 #undef FILL_IN_MESH_PARAM_IF_SET
3359 }
3360
3361 static int nl80211_parse_mesh_setup(struct genl_info *info,
3362                                      struct mesh_setup *setup)
3363 {
3364         struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
3365
3366         if (!info->attrs[NL80211_ATTR_MESH_SETUP])
3367                 return -EINVAL;
3368         if (nla_parse_nested(tb, NL80211_MESH_SETUP_ATTR_MAX,
3369                              info->attrs[NL80211_ATTR_MESH_SETUP],
3370                              nl80211_mesh_setup_params_policy))
3371                 return -EINVAL;
3372
3373         if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
3374                 setup->path_sel_proto =
3375                 (nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
3376                  IEEE80211_PATH_PROTOCOL_VENDOR :
3377                  IEEE80211_PATH_PROTOCOL_HWMP;
3378
3379         if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
3380                 setup->path_metric =
3381                 (nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
3382                  IEEE80211_PATH_METRIC_VENDOR :
3383                  IEEE80211_PATH_METRIC_AIRTIME;
3384
3385
3386         if (tb[NL80211_MESH_SETUP_IE]) {
3387                 struct nlattr *ieattr =
3388                         tb[NL80211_MESH_SETUP_IE];
3389                 if (!is_valid_ie_attr(ieattr))
3390                         return -EINVAL;
3391                 setup->ie = nla_data(ieattr);
3392                 setup->ie_len = nla_len(ieattr);
3393         }
3394         setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
3395         setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
3396
3397         return 0;
3398 }
3399
3400 static int nl80211_update_mesh_config(struct sk_buff *skb,
3401                                       struct genl_info *info)
3402 {
3403         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3404         struct net_device *dev = info->user_ptr[1];
3405         struct wireless_dev *wdev = dev->ieee80211_ptr;
3406         struct mesh_config cfg;
3407         u32 mask;
3408         int err;
3409
3410         if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
3411                 return -EOPNOTSUPP;
3412
3413         if (!rdev->ops->update_mesh_config)
3414                 return -EOPNOTSUPP;
3415
3416         err = nl80211_parse_mesh_config(info, &cfg, &mask);
3417         if (err)
3418                 return err;
3419
3420         wdev_lock(wdev);
3421         if (!wdev->mesh_id_len)
3422                 err = -ENOLINK;
3423
3424         if (!err)
3425                 err = rdev->ops->update_mesh_config(&rdev->wiphy, dev,
3426                                                     mask, &cfg);
3427
3428         wdev_unlock(wdev);
3429
3430         return err;
3431 }
3432
3433 static int nl80211_get_reg(struct sk_buff *skb, struct genl_info *info)
3434 {
3435         struct sk_buff *msg;
3436         void *hdr = NULL;
3437         struct nlattr *nl_reg_rules;
3438         unsigned int i;
3439         int err = -EINVAL;
3440
3441         mutex_lock(&cfg80211_mutex);
3442
3443         if (!cfg80211_regdomain)
3444                 goto out;
3445
3446         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3447         if (!msg) {
3448                 err = -ENOBUFS;
3449                 goto out;
3450         }
3451
3452         hdr = nl80211hdr_put(msg, info->snd_pid, info->snd_seq, 0,
3453                              NL80211_CMD_GET_REG);
3454         if (!hdr)
3455                 goto put_failure;
3456
3457         NLA_PUT_STRING(msg, NL80211_ATTR_REG_ALPHA2,
3458                 cfg80211_regdomain->alpha2);
3459         if (cfg80211_regdomain->dfs_region)
3460                 NLA_PUT_U8(msg, NL80211_ATTR_DFS_REGION,
3461                            cfg80211_regdomain->dfs_region);
3462
3463         nl_reg_rules = nla_nest_start(msg, NL80211_ATTR_REG_RULES);
3464         if (!nl_reg_rules)
3465                 goto nla_put_failure;
3466
3467         for (i = 0; i < cfg80211_regdomain->n_reg_rules; i++) {
3468                 struct nlattr *nl_reg_rule;
3469                 const struct ieee80211_reg_rule *reg_rule;
3470                 const struct ieee80211_freq_range *freq_range;
3471                 const struct ieee80211_power_rule *power_rule;
3472
3473                 reg_rule = &cfg80211_regdomain->reg_rules[i];
3474                 freq_range = &reg_rule->freq_range;
3475                 power_rule = &reg_rule->power_rule;
3476
3477                 nl_reg_rule = nla_nest_start(msg, i);
3478                 if (!nl_reg_rule)
3479                         goto nla_put_failure;
3480
3481                 NLA_PUT_U32(msg, NL80211_ATTR_REG_RULE_FLAGS,
3482                         reg_rule->flags);
3483                 NLA_PUT_U32(msg, NL80211_ATTR_FREQ_RANGE_START,
3484                         freq_range->start_freq_khz);
3485                 NLA_PUT_U32(msg, NL80211_ATTR_FREQ_RANGE_END,
3486                         freq_range->end_freq_khz);
3487                 NLA_PUT_U32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
3488                         freq_range->max_bandwidth_khz);
3489                 NLA_PUT_U32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
3490                         power_rule->max_antenna_gain);
3491                 NLA_PUT_U32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
3492                         power_rule->max_eirp);
3493
3494                 nla_nest_end(msg, nl_reg_rule);
3495         }
3496
3497         nla_nest_end(msg, nl_reg_rules);
3498
3499         genlmsg_end(msg, hdr);
3500         err = genlmsg_reply(msg, info);
3501         goto out;
3502
3503 nla_put_failure:
3504         genlmsg_cancel(msg, hdr);
3505 put_failure:
3506         nlmsg_free(msg);
3507         err = -EMSGSIZE;
3508 out:
3509         mutex_unlock(&cfg80211_mutex);
3510         return err;
3511 }
3512
3513 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
3514 {
3515         struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
3516         struct nlattr *nl_reg_rule;
3517         char *alpha2 = NULL;
3518         int rem_reg_rules = 0, r = 0;
3519         u32 num_rules = 0, rule_idx = 0, size_of_regd;
3520         u8 dfs_region = 0;
3521         struct ieee80211_regdomain *rd = NULL;
3522
3523         if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
3524                 return -EINVAL;
3525
3526         if (!info->attrs[NL80211_ATTR_REG_RULES])
3527                 return -EINVAL;
3528
3529         alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
3530
3531         if (info->attrs[NL80211_ATTR_DFS_REGION])
3532                 dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
3533
3534         nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
3535                         rem_reg_rules) {
3536                 num_rules++;
3537                 if (num_rules > NL80211_MAX_SUPP_REG_RULES)
3538                         return -EINVAL;
3539         }
3540
3541         mutex_lock(&cfg80211_mutex);
3542
3543         if (!reg_is_valid_request(alpha2)) {
3544                 r = -EINVAL;
3545                 goto bad_reg;
3546         }
3547
3548         size_of_regd = sizeof(struct ieee80211_regdomain) +
3549                 (num_rules * sizeof(struct ieee80211_reg_rule));
3550
3551         rd = kzalloc(size_of_regd, GFP_KERNEL);
3552         if (!rd) {
3553                 r = -ENOMEM;
3554                 goto bad_reg;
3555         }
3556
3557         rd->n_reg_rules = num_rules;
3558         rd->alpha2[0] = alpha2[0];
3559         rd->alpha2[1] = alpha2[1];
3560
3561         /*
3562          * Disable DFS master mode if the DFS region was
3563          * not supported or known on this kernel.
3564          */
3565         if (reg_supported_dfs_region(dfs_region))
3566                 rd->dfs_region = dfs_region;
3567
3568         nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
3569                         rem_reg_rules) {
3570                 nla_parse(tb, NL80211_REG_RULE_ATTR_MAX,
3571                         nla_data(nl_reg_rule), nla_len(nl_reg_rule),
3572                         reg_rule_policy);
3573                 r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
3574                 if (r)
3575                         goto bad_reg;
3576
3577                 rule_idx++;
3578
3579                 if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
3580                         r = -EINVAL;
3581                         goto bad_reg;
3582                 }
3583         }
3584
3585         BUG_ON(rule_idx != num_rules);
3586
3587         r = set_regdom(rd);
3588
3589         mutex_unlock(&cfg80211_mutex);
3590
3591         return r;
3592
3593  bad_reg:
3594         mutex_unlock(&cfg80211_mutex);
3595         kfree(rd);
3596         return r;
3597 }
3598
3599 static int validate_scan_freqs(struct nlattr *freqs)
3600 {
3601         struct nlattr *attr1, *attr2;
3602         int n_channels = 0, tmp1, tmp2;
3603
3604         nla_for_each_nested(attr1, freqs, tmp1) {
3605                 n_channels++;
3606                 /*
3607                  * Some hardware has a limited channel list for
3608                  * scanning, and it is pretty much nonsensical
3609                  * to scan for a channel twice, so disallow that
3610                  * and don't require drivers to check that the
3611                  * channel list they get isn't longer than what
3612                  * they can scan, as long as they can scan all
3613                  * the channels they registered at once.
3614                  */
3615                 nla_for_each_nested(attr2, freqs, tmp2)
3616                         if (attr1 != attr2 &&
3617                             nla_get_u32(attr1) == nla_get_u32(attr2))
3618                                 return 0;
3619         }
3620
3621         return n_channels;
3622 }
3623
3624 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
3625 {
3626         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3627         struct net_device *dev = info->user_ptr[1];
3628         struct cfg80211_scan_request *request;
3629         struct nlattr *attr;
3630         struct wiphy *wiphy;
3631         int err, tmp, n_ssids = 0, n_channels, i;
3632         size_t ie_len;
3633
3634         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
3635                 return -EINVAL;
3636
3637         wiphy = &rdev->wiphy;
3638
3639         if (!rdev->ops->scan)
3640                 return -EOPNOTSUPP;
3641
3642         if (rdev->scan_req)
3643                 return -EBUSY;
3644
3645         if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
3646                 n_channels = validate_scan_freqs(
3647                                 info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
3648                 if (!n_channels)
3649                         return -EINVAL;
3650         } else {
3651                 enum ieee80211_band band;
3652                 n_channels = 0;
3653
3654                 for (band = 0; band < IEEE80211_NUM_BANDS; band++)
3655                         if (wiphy->bands[band])
3656                                 n_channels += wiphy->bands[band]->n_channels;
3657         }
3658
3659         if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
3660                 nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
3661                         n_ssids++;
3662
3663         if (n_ssids > wiphy->max_scan_ssids)
3664                 return -EINVAL;
3665
3666         if (info->attrs[NL80211_ATTR_IE])
3667                 ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
3668         else
3669                 ie_len = 0;
3670
3671         if (ie_len > wiphy->max_scan_ie_len)
3672                 return -EINVAL;
3673
3674         request = kzalloc(sizeof(*request)
3675                         + sizeof(*request->ssids) * n_ssids
3676                         + sizeof(*request->channels) * n_channels
3677                         + ie_len, GFP_KERNEL);
3678         if (!request)
3679                 return -ENOMEM;
3680
3681         if (n_ssids)
3682                 request->ssids = (void *)&request->channels[n_channels];
3683         request->n_ssids = n_ssids;
3684         if (ie_len) {
3685                 if (request->ssids)
3686                         request->ie = (void *)(request->ssids + n_ssids);
3687                 else
3688                         request->ie = (void *)(request->channels + n_channels);
3689         }
3690
3691         i = 0;
3692         if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
3693                 /* user specified, bail out if channel not found */
3694                 nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_FREQUENCIES], tmp) {
3695                         struct ieee80211_channel *chan;
3696
3697                         chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
3698
3699                         if (!chan) {
3700                                 err = -EINVAL;
3701                                 goto out_free;
3702                         }
3703
3704                         /* ignore disabled channels */
3705                         if (chan->flags & IEEE80211_CHAN_DISABLED)
3706                                 continue;
3707
3708                         request->channels[i] = chan;
3709                         i++;
3710                 }
3711         } else {
3712                 enum ieee80211_band band;
3713
3714                 /* all channels */
3715                 for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
3716                         int j;
3717                         if (!wiphy->bands[band])
3718                                 continue;
3719                         for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
3720                                 struct ieee80211_channel *chan;
3721
3722                                 chan = &wiphy->bands[band]->channels[j];
3723
3724                                 if (chan->flags & IEEE80211_CHAN_DISABLED)
3725                                         continue;
3726
3727                                 request->channels[i] = chan;
3728                                 i++;
3729                         }
3730                 }
3731         }
3732
3733         if (!i) {
3734                 err = -EINVAL;
3735                 goto out_free;
3736         }
3737
3738         request->n_channels = i;
3739
3740         i = 0;
3741         if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
3742                 nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
3743                         if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
3744                                 err = -EINVAL;
3745                                 goto out_free;
3746                         }
3747                         request->ssids[i].ssid_len = nla_len(attr);
3748                         memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
3749                         i++;
3750                 }
3751         }
3752
3753         if (info->attrs[NL80211_ATTR_IE]) {
3754                 request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
3755                 memcpy((void *)request->ie,
3756                        nla_data(info->attrs[NL80211_ATTR_IE]),
3757                        request->ie_len);
3758         }
3759
3760         for (i = 0; i < IEEE80211_NUM_BANDS; i++)
3761                 if (wiphy->bands[i])
3762                         request->rates[i] =
3763                                 (1 << wiphy->bands[i]->n_bitrates) - 1;
3764
3765         if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
3766                 nla_for_each_nested(attr,
3767                                     info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
3768                                     tmp) {
3769                         enum ieee80211_band band = nla_type(attr);
3770
3771                         if (band < 0 || band >= IEEE80211_NUM_BANDS) {
3772                                 err = -EINVAL;
3773                                 goto out_free;
3774                         }
3775                         err = ieee80211_get_ratemask(wiphy->bands[band],
3776                                                      nla_data(attr),
3777                                                      nla_len(attr),
3778                                                      &request->rates[band]);
3779                         if (err)
3780                                 goto out_free;
3781                 }
3782         }
3783
3784         request->no_cck =
3785                 nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
3786
3787         request->dev = dev;
3788         request->wiphy = &rdev->wiphy;
3789
3790         rdev->scan_req = request;
3791         err = rdev->ops->scan(&rdev->wiphy, dev, request);
3792
3793         if (!err) {
3794                 nl80211_send_scan_start(rdev, dev);
3795                 dev_hold(dev);
3796         } else {
3797  out_free:
3798                 rdev->scan_req = NULL;
3799                 kfree(request);
3800         }
3801
3802         return err;
3803 }
3804
3805 static int nl80211_start_sched_scan(struct sk_buff *skb,
3806                                     struct genl_info *info)
3807 {
3808         struct cfg80211_sched_scan_request *request;
3809         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3810         struct net_device *dev = info->user_ptr[1];
3811         struct nlattr *attr;
3812         struct wiphy *wiphy;
3813         int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i;
3814         u32 interval;
3815         enum ieee80211_band band;
3816         size_t ie_len;
3817         struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
3818
3819         if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) ||
3820             !rdev->ops->sched_scan_start)
3821                 return -EOPNOTSUPP;
3822
3823         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
3824                 return -EINVAL;
3825
3826         if (!info->attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
3827                 return -EINVAL;
3828
3829         interval = nla_get_u32(info->attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
3830         if (interval == 0)
3831                 return -EINVAL;
3832
3833         wiphy = &rdev->wiphy;
3834
3835         if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
3836                 n_channels = validate_scan_freqs(
3837                                 info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
3838                 if (!n_channels)
3839                         return -EINVAL;
3840         } else {
3841                 n_channels = 0;
3842
3843                 for (band = 0; band < IEEE80211_NUM_BANDS; band++)
3844                         if (wiphy->bands[band])
3845                                 n_channels += wiphy->bands[band]->n_channels;
3846         }
3847
3848         if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
3849                 nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS],
3850                                     tmp)
3851                         n_ssids++;
3852
3853         if (n_ssids > wiphy->max_sched_scan_ssids)
3854                 return -EINVAL;
3855
3856         if (info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH])
3857                 nla_for_each_nested(attr,
3858                                     info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
3859                                     tmp)
3860                         n_match_sets++;
3861
3862         if (n_match_sets > wiphy->max_match_sets)
3863                 return -EINVAL;
3864
3865         if (info->attrs[NL80211_ATTR_IE])
3866                 ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
3867         else
3868                 ie_len = 0;
3869
3870         if (ie_len > wiphy->max_sched_scan_ie_len)
3871                 return -EINVAL;
3872
3873         mutex_lock(&rdev->sched_scan_mtx);
3874
3875         if (rdev->sched_scan_req) {
3876                 err = -EINPROGRESS;
3877                 goto out;
3878         }
3879
3880         request = kzalloc(sizeof(*request)
3881                         + sizeof(*request->ssids) * n_ssids
3882                         + sizeof(*request->match_sets) * n_match_sets
3883                         + sizeof(*request->channels) * n_channels
3884                         + ie_len, GFP_KERNEL);
3885         if (!request) {
3886                 err = -ENOMEM;
3887                 goto out;
3888         }
3889
3890         if (n_ssids)
3891                 request->ssids = (void *)&request->channels[n_channels];
3892         request->n_ssids = n_ssids;
3893         if (ie_len) {
3894                 if (request->ssids)
3895                         request->ie = (void *)(request->ssids + n_ssids);
3896                 else
3897                         request->ie = (void *)(request->channels + n_channels);
3898         }
3899
3900         if (n_match_sets) {
3901                 if (request->ie)
3902                         request->match_sets = (void *)(request->ie + ie_len);
3903                 else if (request->ssids)
3904                         request->match_sets =
3905                                 (void *)(request->ssids + n_ssids);
3906                 else
3907                         request->match_sets =
3908                                 (void *)(request->channels + n_channels);
3909         }
3910         request->n_match_sets = n_match_sets;
3911
3912         i = 0;
3913         if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
3914                 /* user specified, bail out if channel not found */
3915                 nla_for_each_nested(attr,
3916                                     info->attrs[NL80211_ATTR_SCAN_FREQUENCIES],
3917                                     tmp) {
3918                         struct ieee80211_channel *chan;
3919
3920                         chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
3921
3922                         if (!chan) {
3923                                 err = -EINVAL;
3924                                 goto out_free;
3925                         }
3926
3927                         /* ignore disabled channels */
3928                         if (chan->flags & IEEE80211_CHAN_DISABLED)
3929                                 continue;
3930
3931                         request->channels[i] = chan;
3932                         i++;
3933                 }
3934         } else {
3935                 /* all channels */
3936                 for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
3937                         int j;
3938                         if (!wiphy->bands[band])
3939                                 continue;
3940                         for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
3941                                 struct ieee80211_channel *chan;
3942
3943                                 chan = &wiphy->bands[band]->channels[j];
3944
3945                                 if (chan->flags & IEEE80211_CHAN_DISABLED)
3946                                         continue;
3947
3948                                 request->channels[i] = chan;
3949                                 i++;
3950                         }
3951                 }
3952         }
3953
3954         if (!i) {
3955                 err = -EINVAL;
3956                 goto out_free;
3957         }
3958
3959         request->n_channels = i;
3960
3961         i = 0;
3962         if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
3963                 nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS],
3964                                     tmp) {
3965                         if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
3966                                 err = -EINVAL;
3967                                 goto out_free;
3968                         }
3969                         request->ssids[i].ssid_len = nla_len(attr);
3970                         memcpy(request->ssids[i].ssid, nla_data(attr),
3971                                nla_len(attr));
3972                         i++;
3973                 }
3974         }
3975
3976         i = 0;
3977         if (info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
3978                 nla_for_each_nested(attr,
3979                                     info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
3980                                     tmp) {
3981                         struct nlattr *ssid;
3982
3983                         nla_parse(tb, NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
3984                                   nla_data(attr), nla_len(attr),
3985                                   nl80211_match_policy);
3986                         ssid = tb[NL80211_ATTR_SCHED_SCAN_MATCH_SSID];
3987                         if (ssid) {
3988                                 if (nla_len(ssid) > IEEE80211_MAX_SSID_LEN) {
3989                                         err = -EINVAL;
3990                                         goto out_free;
3991                                 }
3992                                 memcpy(request->match_sets[i].ssid.ssid,
3993                                        nla_data(ssid), nla_len(ssid));
3994                                 request->match_sets[i].ssid.ssid_len =
3995                                         nla_len(ssid);
3996                         }
3997                         i++;
3998                 }
3999         }
4000
4001         if (info->attrs[NL80211_ATTR_IE]) {
4002                 request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
4003                 memcpy((void *)request->ie,
4004                        nla_data(info->attrs[NL80211_ATTR_IE]),
4005                        request->ie_len);
4006         }
4007
4008         request->dev = dev;
4009         request->wiphy = &rdev->wiphy;
4010         request->interval = interval;
4011
4012         err = rdev->ops->sched_scan_start(&rdev->wiphy, dev, request);
4013         if (!err) {
4014                 rdev->sched_scan_req = request;
4015                 nl80211_send_sched_scan(rdev, dev,
4016                                         NL80211_CMD_START_SCHED_SCAN);
4017                 goto out;
4018         }
4019
4020 out_free:
4021         kfree(request);
4022 out:
4023         mutex_unlock(&rdev->sched_scan_mtx);
4024         return err;
4025 }
4026
4027 static int nl80211_stop_sched_scan(struct sk_buff *skb,
4028                                    struct genl_info *info)
4029 {
4030         struct cfg80211_registered_device *rdev = info->user_ptr[0];
4031         int err;
4032
4033         if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) ||
4034             !rdev->ops->sched_scan_stop)
4035                 return -EOPNOTSUPP;
4036
4037         mutex_lock(&rdev->sched_scan_mtx);
4038         err = __cfg80211_stop_sched_scan(rdev, false);
4039         mutex_unlock(&rdev->sched_scan_mtx);
4040
4041         return err;
4042 }
4043
4044 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
4045                             u32 seq, int flags,
4046                             struct cfg80211_registered_device *rdev,
4047                             struct wireless_dev *wdev,
4048                             struct cfg80211_internal_bss *intbss)
4049 {
4050         struct cfg80211_bss *res = &intbss->pub;
4051         void *hdr;
4052         struct nlattr *bss;
4053         int i;
4054
4055         ASSERT_WDEV_LOCK(wdev);
4056
4057         hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).pid, seq, flags,
4058                              NL80211_CMD_NEW_SCAN_RESULTS);
4059         if (!hdr)
4060                 return -1;
4061
4062         genl_dump_check_consistent(cb, hdr, &nl80211_fam);
4063
4064         NLA_PUT_U32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation);
4065         NLA_PUT_U32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex);
4066
4067         bss = nla_nest_start(msg, NL80211_ATTR_BSS);
4068         if (!bss)
4069                 goto nla_put_failure;
4070         if (!is_zero_ether_addr(res->bssid))
4071                 NLA_PUT(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid);
4072         if (res->information_elements && res->len_information_elements)
4073                 NLA_PUT(msg, NL80211_BSS_INFORMATION_ELEMENTS,
4074                         res->len_information_elements,
4075                         res->information_elements);
4076         if (res->beacon_ies && res->len_beacon_ies &&
4077             res->beacon_ies != res->information_elements)
4078                 NLA_PUT(msg, NL80211_BSS_BEACON_IES,
4079                         res->len_beacon_ies, res->beacon_ies);
4080         if (res->tsf)
4081                 NLA_PUT_U64(msg, NL80211_BSS_TSF, res->tsf);
4082         if (res->beacon_interval)
4083                 NLA_PUT_U16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval);
4084         NLA_PUT_U16(msg, NL80211_BSS_CAPABILITY, res->capability);
4085         NLA_PUT_U32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq);
4086         NLA_PUT_U32(msg, NL80211_BSS_SEEN_MS_AGO,
4087                 jiffies_to_msecs(jiffies - intbss->ts));
4088
4089         switch (rdev->wiphy.signal_type) {
4090         case CFG80211_SIGNAL_TYPE_MBM:
4091                 NLA_PUT_U32(msg, NL80211_BSS_SIGNAL_MBM, res->signal);
4092                 break;
4093         case CFG80211_SIGNAL_TYPE_UNSPEC:
4094                 NLA_PUT_U8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal);
4095                 break;
4096         default:
4097                 break;
4098         }
4099
4100         switch (wdev->iftype) {
4101         case NL80211_IFTYPE_P2P_CLIENT:
4102         case NL80211_IFTYPE_STATION:
4103                 if (intbss == wdev->current_bss)
4104                         NLA_PUT_U32(msg, NL80211_BSS_STATUS,
4105                                     NL80211_BSS_STATUS_ASSOCIATED);
4106                 else for (i = 0; i < MAX_AUTH_BSSES; i++) {
4107                         if (intbss != wdev->auth_bsses[i])
4108                                 continue;
4109                         NLA_PUT_U32(msg, NL80211_BSS_STATUS,
4110                                     NL80211_BSS_STATUS_AUTHENTICATED);
4111                         break;
4112                 }
4113                 break;
4114         case NL80211_IFTYPE_ADHOC:
4115                 if (intbss == wdev->current_bss)
4116                         NLA_PUT_U32(msg, NL80211_BSS_STATUS,
4117                                     NL80211_BSS_STATUS_IBSS_JOINED);
4118                 break;
4119         default:
4120                 break;
4121         }
4122
4123         nla_nest_end(msg, bss);
4124
4125         return genlmsg_end(msg, hdr);
4126
4127  nla_put_failure:
4128         genlmsg_cancel(msg, hdr);
4129         return -EMSGSIZE;
4130 }
4131
4132 static int nl80211_dump_scan(struct sk_buff *skb,
4133                              struct netlink_callback *cb)
4134 {
4135         struct cfg80211_registered_device *rdev;
4136         struct net_device *dev;
4137         struct cfg80211_internal_bss *scan;
4138         struct wireless_dev *wdev;
4139         int start = cb->args[1], idx = 0;
4140         int err;
4141
4142         err = nl80211_prepare_netdev_dump(skb, cb, &rdev, &dev);
4143         if (err)
4144                 return err;
4145
4146         wdev = dev->ieee80211_ptr;
4147
4148         wdev_lock(wdev);
4149         spin_lock_bh(&rdev->bss_lock);
4150         cfg80211_bss_expire(rdev);
4151
4152         cb->seq = rdev->bss_generation;
4153
4154         list_for_each_entry(scan, &rdev->bss_list, list) {
4155                 if (++idx <= start)
4156                         continue;
4157                 if (nl80211_send_bss(skb, cb,
4158                                 cb->nlh->nlmsg_seq, NLM_F_MULTI,
4159                                 rdev, wdev, scan) < 0) {
4160                         idx--;
4161                         break;
4162                 }
4163         }
4164
4165         spin_unlock_bh(&rdev->bss_lock);
4166         wdev_unlock(wdev);
4167
4168         cb->args[1] = idx;
4169         nl80211_finish_netdev_dump(rdev);
4170
4171         return skb->len;
4172 }
4173
4174 static int nl80211_send_survey(struct sk_buff *msg, u32 pid, u32 seq,
4175                                 int flags, struct net_device *dev,
4176                                 struct survey_info *survey)
4177 {
4178         void *hdr;
4179         struct nlattr *infoattr;
4180
4181         hdr = nl80211hdr_put(msg, pid, seq, flags,
4182                              NL80211_CMD_NEW_SURVEY_RESULTS);
4183         if (!hdr)
4184                 return -ENOMEM;
4185
4186         NLA_PUT_U32(msg, NL80211_ATTR_IFINDEX, dev->ifindex);
4187
4188         infoattr = nla_nest_start(msg, NL80211_ATTR_SURVEY_INFO);
4189         if (!infoattr)
4190                 goto nla_put_failure;
4191
4192         NLA_PUT_U32(msg, NL80211_SURVEY_INFO_FREQUENCY,
4193                     survey->channel->center_freq);
4194         if (survey->filled & SURVEY_INFO_NOISE_DBM)
4195                 NLA_PUT_U8(msg, NL80211_SURVEY_INFO_NOISE,
4196                             survey->noise);
4197         if (survey->filled & SURVEY_INFO_IN_USE)
4198                 NLA_PUT_FLAG(msg, NL80211_SURVEY_INFO_IN_USE);
4199         if (survey->filled & SURVEY_INFO_CHANNEL_TIME)
4200                 NLA_PUT_U64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME,
4201                             survey->channel_time);
4202         if (survey->filled & SURVEY_INFO_CHANNEL_TIME_BUSY)
4203                 NLA_PUT_U64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_BUSY,
4204                             survey->channel_time_busy);
4205         if (survey->filled & SURVEY_INFO_CHANNEL_TIME_EXT_BUSY)
4206                 NLA_PUT_U64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_EXT_BUSY,
4207                             survey->channel_time_ext_busy);
4208         if (survey->filled & SURVEY_INFO_CHANNEL_TIME_RX)
4209                 NLA_PUT_U64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_RX,
4210                             survey->channel_time_rx);
4211         if (survey->filled & SURVEY_INFO_CHANNEL_TIME_TX)
4212                 NLA_PUT_U64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_TX,
4213                             survey->channel_time_tx);
4214
4215         nla_nest_end(msg, infoattr);
4216
4217         return genlmsg_end(msg, hdr);
4218
4219  nla_put_failure:
4220         genlmsg_cancel(msg, hdr);
4221         return -EMSGSIZE;
4222 }
4223
4224 static int nl80211_dump_survey(struct sk_buff *skb,
4225                         struct netlink_callback *cb)
4226 {
4227         struct survey_info survey;
4228         struct cfg80211_registered_device *dev;
4229         struct net_device *netdev;
4230         int survey_idx = cb->args[1];
4231         int res;
4232
4233         res = nl80211_prepare_netdev_dump(skb, cb, &dev, &netdev);
4234         if (res)
4235                 return res;
4236
4237         if (!dev->ops->dump_survey) {
4238                 res = -EOPNOTSUPP;
4239                 goto out_err;
4240         }
4241
4242         while (1) {
4243                 struct ieee80211_channel *chan;
4244
4245                 res = dev->ops->dump_survey(&dev->wiphy, netdev, survey_idx,
4246                                             &survey);
4247                 if (res == -ENOENT)
4248                         break;
4249                 if (res)
4250                         goto out_err;
4251
4252                 /* Survey without a channel doesn't make sense */
4253                 if (!survey.channel) {
4254                         res = -EINVAL;
4255                         goto out;
4256                 }
4257
4258                 chan = ieee80211_get_channel(&dev->wiphy,
4259                                              survey.channel->center_freq);
4260                 if (!chan || chan->flags & IEEE80211_CHAN_DISABLED) {
4261                         survey_idx++;
4262                         continue;
4263                 }
4264
4265                 if (nl80211_send_survey(skb,
4266                                 NETLINK_CB(cb->skb).pid,
4267                                 cb->nlh->nlmsg_seq, NLM_F_MULTI,
4268                                 netdev,
4269                                 &survey) < 0)
4270                         goto out;
4271                 survey_idx++;
4272         }
4273
4274  out:
4275         cb->args[1] = survey_idx;
4276         res = skb->len;
4277  out_err:
4278         nl80211_finish_netdev_dump(dev);
4279         return res;
4280 }
4281
4282 static bool nl80211_valid_auth_type(enum nl80211_auth_type auth_type)
4283 {
4284         return auth_type <= NL80211_AUTHTYPE_MAX;
4285 }
4286
4287 static bool nl80211_valid_wpa_versions(u32 wpa_versions)
4288 {
4289         return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
4290                                   NL80211_WPA_VERSION_2));
4291 }
4292
4293 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
4294 {
4295         struct cfg80211_registered_device *rdev = info->user_ptr[0];
4296         struct net_device *dev = info->user_ptr[1];
4297         struct ieee80211_channel *chan;
4298         const u8 *bssid, *ssid, *ie = NULL;
4299         int err, ssid_len, ie_len = 0;
4300         enum nl80211_auth_type auth_type;
4301         struct key_parse key;
4302         bool local_state_change;
4303
4304         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
4305                 return -EINVAL;
4306
4307         if (!info->attrs[NL80211_ATTR_MAC])
4308                 return -EINVAL;
4309
4310         if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
4311                 return -EINVAL;
4312
4313         if (!info->attrs[NL80211_ATTR_SSID])
4314                 return -EINVAL;
4315
4316         if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
4317                 return -EINVAL;
4318
4319         err = nl80211_parse_key(info, &key);
4320         if (err)
4321                 return err;
4322
4323         if (key.idx >= 0) {
4324                 if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
4325                         return -EINVAL;
4326                 if (!key.p.key || !key.p.key_len)
4327                         return -EINVAL;
4328                 if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
4329                      key.p.key_len != WLAN_KEY_LEN_WEP40) &&
4330                     (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
4331                      key.p.key_len != WLAN_KEY_LEN_WEP104))
4332                         return -EINVAL;
4333                 if (key.idx > 4)
4334                         return -EINVAL;
4335         } else {
4336                 key.p.key_len = 0;
4337                 key.p.key = NULL;
4338         }
4339
4340         if (key.idx >= 0) {
4341                 int i;
4342                 bool ok = false;
4343                 for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
4344                         if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
4345                                 ok = true;
4346                                 break;
4347                         }
4348                 }
4349                 if (!ok)
4350                         return -EINVAL;
4351         }
4352
4353         if (!rdev->ops->auth)
4354                 return -EOPNOTSUPP;
4355
4356         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
4357             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
4358                 return -EOPNOTSUPP;
4359
4360         bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
4361         chan = ieee80211_get_channel(&rdev->wiphy,
4362                 nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
4363         if (!chan || (chan->flags & IEEE80211_CHAN_DISABLED))
4364                 return -EINVAL;
4365
4366         ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
4367         ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
4368
4369         if (info->attrs[NL80211_ATTR_IE]) {
4370                 ie = nla_data(info->attrs[NL80211_ATTR_IE]);
4371                 ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
4372         }
4373
4374         auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
4375         if (!nl80211_valid_auth_type(auth_type))
4376                 return -EINVAL;
4377
4378         local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
4379
4380         return cfg80211_mlme_auth(rdev, dev, chan, auth_type, bssid,
4381                                   ssid, ssid_len, ie, ie_len,
4382                                   key.p.key, key.p.key_len, key.idx,
4383                                   local_state_change);
4384 }
4385
4386 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
4387                                    struct genl_info *info,
4388                                    struct cfg80211_crypto_settings *settings,
4389                                    int cipher_limit)
4390 {
4391         memset(settings, 0, sizeof(*settings));
4392
4393         settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
4394
4395         if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
4396                 u16 proto;
4397                 proto = nla_get_u16(
4398                         info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
4399                 settings->control_port_ethertype = cpu_to_be16(proto);
4400                 if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
4401                     proto != ETH_P_PAE)
4402                         return -EINVAL;
4403                 if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
4404                         settings->control_port_no_encrypt = true;
4405         } else
4406                 settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
4407
4408         if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
4409                 void *data;
4410                 int len, i;
4411
4412                 data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
4413                 len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
4414                 settings->n_ciphers_pairwise = len / sizeof(u32);
4415
4416                 if (len % sizeof(u32))
4417                         return -EINVAL;
4418
4419                 if (settings->n_ciphers_pairwise > cipher_limit)
4420                         return -EINVAL;
4421
4422                 memcpy(settings->ciphers_pairwise, data, len);
4423
4424                 for (i = 0; i < settings->n_ciphers_pairwise; i++)
4425                         if (!cfg80211_supported_cipher_suite(
4426                                         &rdev->wiphy,
4427                                         settings->ciphers_pairwise[i]))
4428                                 return -EINVAL;
4429         }
4430
4431         if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
4432                 settings->cipher_group =
4433                         nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
4434                 if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
4435                                                      settings->cipher_group))
4436                         return -EINVAL;
4437         }
4438
4439         if (info->attrs[NL80211_ATTR_WPA_VERSIONS]) {
4440                 settings->wpa_versions =
4441                         nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
4442                 if (!nl80211_valid_wpa_versions(settings->wpa_versions))
4443                         return -EINVAL;
4444         }
4445
4446         if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
4447                 void *data;
4448                 int len;
4449
4450                 data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
4451                 len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
4452                 settings->n_akm_suites = len / sizeof(u32);
4453
4454                 if (len % sizeof(u32))
4455                         return -EINVAL;
4456
4457                 if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES)
4458                         return -EINVAL;
4459
4460                 memcpy(settings->akm_suites, data, len);
4461         }
4462
4463         return 0;
4464 }
4465
4466 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
4467 {
4468         struct cfg80211_registered_device *rdev = info->user_ptr[0];
4469         struct net_device *dev = info->user_ptr[1];
4470         struct cfg80211_crypto_settings crypto;
4471         struct ieee80211_channel *chan;
4472         const u8 *bssid, *ssid, *ie = NULL, *prev_bssid = NULL;
4473         int err, ssid_len, ie_len = 0;
4474         bool use_mfp = false;
4475         u32 flags = 0;
4476         struct ieee80211_ht_cap *ht_capa = NULL;
4477         struct ieee80211_ht_cap *ht_capa_mask = NULL;
4478
4479         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
4480                 return -EINVAL;
4481
4482         if (!info->attrs[NL80211_ATTR_MAC] ||
4483             !info->attrs[NL80211_ATTR_SSID] ||
4484             !info->attrs[NL80211_ATTR_WIPHY_FREQ])
4485                 return -EINVAL;
4486
4487         if (!rdev->ops->assoc)
4488                 return -EOPNOTSUPP;
4489
4490         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
4491             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
4492                 return -EOPNOTSUPP;
4493
4494         bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
4495
4496         chan = ieee80211_get_channel(&rdev->wiphy,
4497                 nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
4498         if (!chan || (chan->flags & IEEE80211_CHAN_DISABLED))
4499                 return -EINVAL;
4500
4501         ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
4502         ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
4503
4504         if (info->attrs[NL80211_ATTR_IE]) {
4505                 ie = nla_data(info->attrs[NL80211_ATTR_IE]);
4506                 ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
4507         }
4508
4509         if (info->attrs[NL80211_ATTR_USE_MFP]) {
4510                 enum nl80211_mfp mfp =
4511                         nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
4512                 if (mfp == NL80211_MFP_REQUIRED)
4513                         use_mfp = true;
4514                 else if (mfp != NL80211_MFP_NO)
4515                         return -EINVAL;
4516         }
4517
4518         if (info->attrs[NL80211_ATTR_PREV_BSSID])
4519                 prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
4520
4521         if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
4522                 flags |= ASSOC_REQ_DISABLE_HT;
4523
4524         if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
4525                 ht_capa_mask =
4526                         nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]);
4527
4528         if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
4529                 if (!ht_capa_mask)
4530                         return -EINVAL;
4531                 ht_capa = nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
4532         }
4533
4534         err = nl80211_crypto_settings(rdev, info, &crypto, 1);
4535         if (!err)
4536                 err = cfg80211_mlme_assoc(rdev, dev, chan, bssid, prev_bssid,
4537                                           ssid, ssid_len, ie, ie_len, use_mfp,
4538                                           &crypto, flags, ht_capa,
4539                                           ht_capa_mask);
4540
4541         return err;
4542 }
4543
4544 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
4545 {
4546         struct cfg80211_registered_device *rdev = info->user_ptr[0];
4547         struct net_device *dev = info->user_ptr[1];
4548         const u8 *ie = NULL, *bssid;
4549         int ie_len = 0;
4550         u16 reason_code;
4551         bool local_state_change;
4552
4553         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
4554                 return -EINVAL;
4555
4556         if (!info->attrs[NL80211_ATTR_MAC])
4557                 return -EINVAL;
4558
4559         if (!info->attrs[NL80211_ATTR_REASON_CODE])
4560                 return -EINVAL;
4561
4562         if (!rdev->ops->deauth)
4563                 return -EOPNOTSUPP;
4564
4565         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
4566             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
4567                 return -EOPNOTSUPP;
4568
4569         bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
4570
4571         reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
4572         if (reason_code == 0) {
4573                 /* Reason Code 0 is reserved */
4574                 return -EINVAL;
4575         }
4576
4577         if (info->attrs[NL80211_ATTR_IE]) {
4578                 ie = nla_data(info->attrs[NL80211_ATTR_IE]);
4579                 ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
4580         }
4581
4582         local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
4583
4584         return cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
4585                                     local_state_change);
4586 }
4587
4588 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
4589 {
4590         struct cfg80211_registered_device *rdev = info->user_ptr[0];
4591         struct net_device *dev = info->user_ptr[1];
4592         const u8 *ie = NULL, *bssid;
4593         int ie_len = 0;
4594         u16 reason_code;
4595         bool local_state_change;
4596
4597         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
4598                 return -EINVAL;
4599
4600         if (!info->attrs[NL80211_ATTR_MAC])
4601                 return -EINVAL;
4602
4603         if (!info->attrs[NL80211_ATTR_REASON_CODE])
4604                 return -EINVAL;
4605
4606         if (!rdev->ops->disassoc)
4607                 return -EOPNOTSUPP;
4608
4609         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
4610             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
4611                 return -EOPNOTSUPP;
4612
4613         bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
4614
4615         reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
4616         if (reason_code == 0) {
4617                 /* Reason Code 0 is reserved */
4618                 return -EINVAL;
4619         }
4620
4621         if (info->attrs[NL80211_ATTR_IE]) {
4622                 ie = nla_data(info->attrs[NL80211_ATTR_IE]);
4623                 ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
4624         }
4625
4626         local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
4627
4628         return cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
4629                                       local_state_change);
4630 }
4631
4632 static bool
4633 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
4634                          int mcast_rate[IEEE80211_NUM_BANDS],
4635                          int rateval)
4636 {
4637         struct wiphy *wiphy = &rdev->wiphy;
4638         bool found = false;
4639         int band, i;
4640
4641         for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
4642                 struct ieee80211_supported_band *sband;
4643
4644                 sband = wiphy->bands[band];
4645                 if (!sband)
4646                         continue;
4647
4648                 for (i = 0; i < sband->n_bitrates; i++) {
4649                         if (sband->bitrates[i].bitrate == rateval) {
4650                                 mcast_rate[band] = i + 1;
4651                                 found = true;
4652                                 break;
4653                         }
4654                 }
4655         }
4656
4657         return found;
4658 }
4659
4660 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
4661 {
4662         struct cfg80211_registered_device *rdev = info->user_ptr[0];
4663         struct net_device *dev = info->user_ptr[1];
4664         struct cfg80211_ibss_params ibss;
4665         struct wiphy *wiphy;
4666         struct cfg80211_cached_keys *connkeys = NULL;
4667         int err;
4668
4669         memset(&ibss, 0, sizeof(ibss));
4670
4671         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
4672                 return -EINVAL;
4673
4674         if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
4675             !info->attrs[NL80211_ATTR_SSID] ||
4676             !nla_len(info->attrs[NL80211_ATTR_SSID]))
4677                 return -EINVAL;
4678
4679         ibss.beacon_interval = 100;
4680
4681         if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
4682                 ibss.beacon_interval =
4683                         nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
4684                 if (ibss.beacon_interval < 1 || ibss.beacon_interval > 10000)
4685                         return -EINVAL;
4686         }
4687
4688         if (!rdev->ops->join_ibss)
4689                 return -EOPNOTSUPP;
4690
4691         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
4692                 return -EOPNOTSUPP;
4693
4694         wiphy = &rdev->wiphy;
4695
4696         if (info->attrs[NL80211_ATTR_MAC]) {
4697                 ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
4698
4699                 if (!is_valid_ether_addr(ibss.bssid))
4700                         return -EINVAL;
4701         }
4702         ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
4703         ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
4704
4705         if (info->attrs[NL80211_ATTR_IE]) {
4706                 ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
4707                 ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
4708         }
4709
4710         if (info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
4711                 enum nl80211_channel_type channel_type;
4712
4713                 channel_type = nla_get_u32(
4714                                 info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
4715                 if (channel_type != NL80211_CHAN_NO_HT &&
4716                     channel_type != NL80211_CHAN_HT20 &&
4717                     channel_type != NL80211_CHAN_HT40MINUS &&
4718                     channel_type != NL80211_CHAN_HT40PLUS)
4719                         return -EINVAL;
4720
4721                 if (channel_type != NL80211_CHAN_NO_HT &&
4722                     !(wiphy->features & NL80211_FEATURE_HT_IBSS))
4723                         return -EINVAL;
4724
4725                 ibss.channel_type = channel_type;
4726         } else {
4727                 ibss.channel_type = NL80211_CHAN_NO_HT;
4728         }
4729
4730         ibss.channel = rdev_freq_to_chan(rdev,
4731                 nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]),
4732                 ibss.channel_type);
4733         if (!ibss.channel ||
4734             ibss.channel->flags & IEEE80211_CHAN_NO_IBSS ||
4735             ibss.channel->flags & IEEE80211_CHAN_DISABLED)
4736                 return -EINVAL;
4737
4738         /* Both channels should be able to initiate communication */
4739         if ((ibss.channel_type == NL80211_CHAN_HT40PLUS ||
4740              ibss.channel_type == NL80211_CHAN_HT40MINUS) &&
4741             !cfg80211_can_beacon_sec_chan(&rdev->wiphy, ibss.channel,
4742                                           ibss.channel_type))
4743                 return -EINVAL;
4744
4745         ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
4746         ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
4747
4748         if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
4749                 u8 *rates =
4750                         nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
4751                 int n_rates =
4752                         nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
4753                 struct ieee80211_supported_band *sband =
4754                         wiphy->bands[ibss.channel->band];
4755                 int err;
4756
4757                 err = ieee80211_get_ratemask(sband, rates, n_rates,
4758                                              &ibss.basic_rates);
4759                 if (err)
4760                         return err;
4761         }
4762
4763         if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
4764             !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
4765                         nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
4766                 return -EINVAL;
4767
4768         if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
4769                 connkeys = nl80211_parse_connkeys(rdev,
4770                                         info->attrs[NL80211_ATTR_KEYS]);
4771                 if (IS_ERR(connkeys))
4772                         return PTR_ERR(connkeys);
4773         }
4774
4775         err = cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
4776         if (err)
4777                 kfree(connkeys);
4778         return err;
4779 }
4780
4781 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
4782 {
4783         struct cfg80211_registered_device *rdev = info->user_ptr[0];
4784         struct net_device *dev = info->user_ptr[1];
4785
4786         if (!rdev->ops->leave_ibss)
4787                 return -EOPNOTSUPP;
4788
4789         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
4790                 return -EOPNOTSUPP;
4791
4792         return cfg80211_leave_ibss(rdev, dev, false);
4793 }
4794
4795 #ifdef CONFIG_NL80211_TESTMODE
4796 static struct genl_multicast_group nl80211_testmode_mcgrp = {
4797         .name = "testmode",
4798 };
4799
4800 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
4801 {
4802         struct cfg80211_registered_device *rdev = info->user_ptr[0];
4803         int err;
4804
4805         if (!info->attrs[NL80211_ATTR_TESTDATA])
4806                 return -EINVAL;
4807
4808         err = -EOPNOTSUPP;
4809         if (rdev->ops->testmode_cmd) {
4810                 rdev->testmode_info = info;
4811                 err = rdev->ops->testmode_cmd(&rdev->wiphy,
4812                                 nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
4813                                 nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
4814                 rdev->testmode_info = NULL;
4815         }
4816
4817         return err;
4818 }
4819
4820 static int nl80211_testmode_dump(struct sk_buff *skb,
4821                                  struct netlink_callback *cb)
4822 {
4823         struct cfg80211_registered_device *rdev;
4824         int err;
4825         long phy_idx;
4826         void *data = NULL;
4827         int data_len = 0;
4828
4829         if (cb->args[0]) {
4830                 /*
4831                  * 0 is a valid index, but not valid for args[0],
4832                  * so we need to offset by 1.
4833                  */
4834                 phy_idx = cb->args[0] - 1;
4835         } else {
4836                 err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
4837                                   nl80211_fam.attrbuf, nl80211_fam.maxattr,
4838                                   nl80211_policy);
4839                 if (err)
4840                         return err;
4841                 if (nl80211_fam.attrbuf[NL80211_ATTR_WIPHY]) {
4842                         phy_idx = nla_get_u32(
4843                                 nl80211_fam.attrbuf[NL80211_ATTR_WIPHY]);
4844                 } else {
4845                         struct net_device *netdev;
4846
4847                         err = get_rdev_dev_by_ifindex(sock_net(skb->sk),
4848                                                       nl80211_fam.attrbuf,
4849                                                       &rdev, &netdev);
4850                         if (err)
4851                                 return err;
4852                         dev_put(netdev);
4853                         phy_idx = rdev->wiphy_idx;
4854                         cfg80211_unlock_rdev(rdev);
4855                 }
4856                 if (nl80211_fam.attrbuf[NL80211_ATTR_TESTDATA])
4857                         cb->args[1] =
4858                                 (long)nl80211_fam.attrbuf[NL80211_ATTR_TESTDATA];
4859         }
4860
4861         if (cb->args[1]) {
4862                 data = nla_data((void *)cb->args[1]);
4863                 data_len = nla_len((void *)cb->args[1]);
4864         }
4865
4866         mutex_lock(&cfg80211_mutex);
4867         rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
4868         if (!rdev) {
4869                 mutex_unlock(&cfg80211_mutex);
4870                 return -ENOENT;
4871         }
4872         cfg80211_lock_rdev(rdev);
4873         mutex_unlock(&cfg80211_mutex);
4874
4875         if (!rdev->ops->testmode_dump) {
4876                 err = -EOPNOTSUPP;
4877                 goto out_err;
4878         }
4879
4880         while (1) {
4881                 void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).pid,
4882                                            cb->nlh->nlmsg_seq, NLM_F_MULTI,
4883                                            NL80211_CMD_TESTMODE);
4884                 struct nlattr *tmdata;
4885
4886                 if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx) < 0) {
4887                         genlmsg_cancel(skb, hdr);
4888                         break;
4889                 }
4890
4891                 tmdata = nla_nest_start(skb, NL80211_ATTR_TESTDATA);
4892                 if (!tmdata) {
4893                         genlmsg_cancel(skb, hdr);
4894                         break;
4895                 }
4896                 err = rdev->ops->testmode_dump(&rdev->wiphy, skb, cb,
4897                                                data, data_len);
4898                 nla_nest_end(skb, tmdata);
4899
4900                 if (err == -ENOBUFS || err == -ENOENT) {
4901                         genlmsg_cancel(skb, hdr);
4902                         break;
4903                 } else if (err) {
4904                         genlmsg_cancel(skb, hdr);
4905                         goto out_err;
4906                 }
4907
4908                 genlmsg_end(skb, hdr);
4909         }
4910
4911         err = skb->len;
4912         /* see above */
4913         cb->args[0] = phy_idx + 1;
4914  out_err:
4915         cfg80211_unlock_rdev(rdev);
4916         return err;
4917 }
4918
4919 static struct sk_buff *
4920 __cfg80211_testmode_alloc_skb(struct cfg80211_registered_device *rdev,
4921                               int approxlen, u32 pid, u32 seq, gfp_t gfp)
4922 {
4923         struct sk_buff *skb;
4924         void *hdr;
4925         struct nlattr *data;
4926
4927         skb = nlmsg_new(approxlen + 100, gfp);
4928         if (!skb)
4929                 return NULL;
4930
4931         hdr = nl80211hdr_put(skb, pid, seq, 0, NL80211_CMD_TESTMODE);
4932         if (!hdr) {
4933                 kfree_skb(skb);
4934                 return NULL;
4935         }
4936
4937         NLA_PUT_U32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx);
4938         data = nla_nest_start(skb, NL80211_ATTR_TESTDATA);
4939
4940         ((void **)skb->cb)[0] = rdev;
4941         ((void **)skb->cb)[1] = hdr;
4942         ((void **)skb->cb)[2] = data;
4943
4944         return skb;
4945
4946  nla_put_failure:
4947         kfree_skb(skb);
4948         return NULL;
4949 }
4950
4951 struct sk_buff *cfg80211_testmode_alloc_reply_skb(struct wiphy *wiphy,
4952                                                   int approxlen)
4953 {
4954         struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
4955
4956         if (WARN_ON(!rdev->testmode_info))
4957                 return NULL;
4958
4959         return __cfg80211_testmode_alloc_skb(rdev, approxlen,
4960                                 rdev->testmode_info->snd_pid,
4961                                 rdev->testmode_info->snd_seq,
4962                                 GFP_KERNEL);
4963 }
4964 EXPORT_SYMBOL(cfg80211_testmode_alloc_reply_skb);
4965
4966 int cfg80211_testmode_reply(struct sk_buff *skb)
4967 {
4968         struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
4969         void *hdr = ((void **)skb->cb)[1];
4970         struct nlattr *data = ((void **)skb->cb)[2];
4971
4972         if (WARN_ON(!rdev->testmode_info)) {
4973                 kfree_skb(skb);
4974                 return -EINVAL;
4975         }
4976
4977         nla_nest_end(skb, data);
4978         genlmsg_end(skb, hdr);
4979         return genlmsg_reply(skb, rdev->testmode_info);
4980 }
4981 EXPORT_SYMBOL(cfg80211_testmode_reply);
4982
4983 struct sk_buff *cfg80211_testmode_alloc_event_skb(struct wiphy *wiphy,
4984                                                   int approxlen, gfp_t gfp)
4985 {
4986         struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
4987
4988         return __cfg80211_testmode_alloc_skb(rdev, approxlen, 0, 0, gfp);
4989 }
4990 EXPORT_SYMBOL(cfg80211_testmode_alloc_event_skb);
4991
4992 void cfg80211_testmode_event(struct sk_buff *skb, gfp_t gfp)
4993 {
4994         void *hdr = ((void **)skb->cb)[1];
4995         struct nlattr *data = ((void **)skb->cb)[2];
4996
4997         nla_nest_end(skb, data);
4998         genlmsg_end(skb, hdr);
4999         genlmsg_multicast(skb, 0, nl80211_testmode_mcgrp.id, gfp);
5000 }
5001 EXPORT_SYMBOL(cfg80211_testmode_event);
5002 #endif
5003
5004 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
5005 {
5006         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5007         struct net_device *dev = info->user_ptr[1];
5008         struct cfg80211_connect_params connect;
5009         struct wiphy *wiphy;
5010         struct cfg80211_cached_keys *connkeys = NULL;
5011         int err;
5012
5013         memset(&connect, 0, sizeof(connect));
5014
5015         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
5016                 return -EINVAL;
5017
5018         if (!info->attrs[NL80211_ATTR_SSID] ||
5019             !nla_len(info->attrs[NL80211_ATTR_SSID]))
5020                 return -EINVAL;
5021
5022         if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
5023                 connect.auth_type =
5024                         nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
5025                 if (!nl80211_valid_auth_type(connect.auth_type))
5026                         return -EINVAL;
5027         } else
5028                 connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
5029
5030         connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
5031
5032         err = nl80211_crypto_settings(rdev, info, &connect.crypto,
5033                                       NL80211_MAX_NR_CIPHER_SUITES);
5034         if (err)
5035                 return err;
5036
5037         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
5038             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
5039                 return -EOPNOTSUPP;
5040
5041         wiphy = &rdev->wiphy;
5042
5043         if (info->attrs[NL80211_ATTR_MAC])
5044                 connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
5045         connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
5046         connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
5047
5048         if (info->attrs[NL80211_ATTR_IE]) {
5049                 connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
5050                 connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5051         }
5052
5053         if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
5054                 connect.channel =
5055                         ieee80211_get_channel(wiphy,
5056                             nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
5057                 if (!connect.channel ||
5058                     connect.channel->flags & IEEE80211_CHAN_DISABLED)
5059                         return -EINVAL;
5060         }
5061
5062         if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
5063                 connkeys = nl80211_parse_connkeys(rdev,
5064                                         info->attrs[NL80211_ATTR_KEYS]);
5065                 if (IS_ERR(connkeys))
5066                         return PTR_ERR(connkeys);
5067         }
5068
5069         if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
5070                 connect.flags |= ASSOC_REQ_DISABLE_HT;
5071
5072         if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
5073                 memcpy(&connect.ht_capa_mask,
5074                        nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
5075                        sizeof(connect.ht_capa_mask));
5076
5077         if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
5078                 if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
5079                         return -EINVAL;
5080                 memcpy(&connect.ht_capa,
5081                        nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
5082                        sizeof(connect.ht_capa));
5083         }
5084
5085         err = cfg80211_connect(rdev, dev, &connect, connkeys);
5086         if (err)
5087                 kfree(connkeys);
5088         return err;
5089 }
5090
5091 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
5092 {
5093         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5094         struct net_device *dev = info->user_ptr[1];
5095         u16 reason;
5096
5097         if (!info->attrs[NL80211_ATTR_REASON_CODE])
5098                 reason = WLAN_REASON_DEAUTH_LEAVING;
5099         else
5100                 reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
5101
5102         if (reason == 0)
5103                 return -EINVAL;
5104
5105         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
5106             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
5107                 return -EOPNOTSUPP;
5108
5109         return cfg80211_disconnect(rdev, dev, reason, true);
5110 }
5111
5112 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
5113 {
5114         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5115         struct net *net;
5116         int err;
5117         u32 pid;
5118
5119         if (!info->attrs[NL80211_ATTR_PID])
5120                 return -EINVAL;
5121
5122         pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
5123
5124         net = get_net_ns_by_pid(pid);
5125         if (IS_ERR(net))
5126                 return PTR_ERR(net);
5127
5128         err = 0;
5129
5130         /* check if anything to do */
5131         if (!net_eq(wiphy_net(&rdev->wiphy), net))
5132                 err = cfg80211_switch_netns(rdev, net);
5133
5134         put_net(net);
5135         return err;
5136 }
5137
5138 static int nl80211_setdel_pmksa(struct sk_buff *skb, struct genl_info *info)
5139 {
5140         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5141         int (*rdev_ops)(struct wiphy *wiphy, struct net_device *dev,
5142                         struct cfg80211_pmksa *pmksa) = NULL;
5143         struct net_device *dev = info->user_ptr[1];
5144         struct cfg80211_pmksa pmksa;
5145
5146         memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
5147
5148         if (!info->attrs[NL80211_ATTR_MAC])
5149                 return -EINVAL;
5150
5151         if (!info->attrs[NL80211_ATTR_PMKID])
5152                 return -EINVAL;
5153
5154         pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
5155         pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
5156
5157         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
5158             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
5159                 return -EOPNOTSUPP;
5160
5161         switch (info->genlhdr->cmd) {
5162         case NL80211_CMD_SET_PMKSA:
5163                 rdev_ops = rdev->ops->set_pmksa;
5164                 break;
5165         case NL80211_CMD_DEL_PMKSA:
5166                 rdev_ops = rdev->ops->del_pmksa;
5167                 break;
5168         default:
5169                 WARN_ON(1);
5170                 break;
5171         }
5172
5173         if (!rdev_ops)
5174                 return -EOPNOTSUPP;
5175
5176         return rdev_ops(&rdev->wiphy, dev, &pmksa);
5177 }
5178
5179 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
5180 {
5181         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5182         struct net_device *dev = info->user_ptr[1];
5183
5184         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
5185             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
5186                 return -EOPNOTSUPP;
5187
5188         if (!rdev->ops->flush_pmksa)
5189                 return -EOPNOTSUPP;
5190
5191         return rdev->ops->flush_pmksa(&rdev->wiphy, dev);
5192 }
5193
5194 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
5195 {
5196         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5197         struct net_device *dev = info->user_ptr[1];
5198         u8 action_code, dialog_token;
5199         u16 status_code;
5200         u8 *peer;
5201
5202         if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
5203             !rdev->ops->tdls_mgmt)
5204                 return -EOPNOTSUPP;
5205
5206         if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
5207             !info->attrs[NL80211_ATTR_STATUS_CODE] ||
5208             !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
5209             !info->attrs[NL80211_ATTR_IE] ||
5210             !info->attrs[NL80211_ATTR_MAC])
5211                 return -EINVAL;
5212
5213         peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
5214         action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
5215         status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
5216         dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
5217
5218         return rdev->ops->tdls_mgmt(&rdev->wiphy, dev, peer, action_code,
5219                                     dialog_token, status_code,
5220                                     nla_data(info->attrs[NL80211_ATTR_IE]),
5221                                     nla_len(info->attrs[NL80211_ATTR_IE]));
5222 }
5223
5224 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
5225 {
5226         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5227         struct net_device *dev = info->user_ptr[1];
5228         enum nl80211_tdls_operation operation;
5229         u8 *peer;
5230
5231         if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
5232             !rdev->ops->tdls_oper)
5233                 return -EOPNOTSUPP;
5234
5235         if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
5236             !info->attrs[NL80211_ATTR_MAC])
5237                 return -EINVAL;
5238
5239         operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
5240         peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
5241
5242         return rdev->ops->tdls_oper(&rdev->wiphy, dev, peer, operation);
5243 }
5244
5245 static int nl80211_remain_on_channel(struct sk_buff *skb,
5246                                      struct genl_info *info)
5247 {
5248         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5249         struct net_device *dev = info->user_ptr[1];
5250         struct ieee80211_channel *chan;
5251         struct sk_buff *msg;
5252         void *hdr;
5253         u64 cookie;
5254         enum nl80211_channel_type channel_type = NL80211_CHAN_NO_HT;
5255         u32 freq, duration;
5256         int err;
5257
5258         if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
5259             !info->attrs[NL80211_ATTR_DURATION])
5260                 return -EINVAL;
5261
5262         duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
5263
5264         /*
5265          * We should be on that channel for at least one jiffie,
5266          * and more than 5 seconds seems excessive.
5267          */
5268         if (!duration || !msecs_to_jiffies(duration) ||
5269             duration > rdev->wiphy.max_remain_on_channel_duration)
5270                 return -EINVAL;
5271
5272         if (!rdev->ops->remain_on_channel ||
5273             !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
5274                 return -EOPNOTSUPP;
5275
5276         if (info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
5277                 channel_type = nla_get_u32(
5278                         info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
5279                 if (channel_type != NL80211_CHAN_NO_HT &&
5280                     channel_type != NL80211_CHAN_HT20 &&
5281                     channel_type != NL80211_CHAN_HT40PLUS &&
5282                     channel_type != NL80211_CHAN_HT40MINUS)
5283                         return -EINVAL;
5284         }
5285
5286         freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]);
5287         chan = rdev_freq_to_chan(rdev, freq, channel_type);
5288         if (chan == NULL)
5289                 return -EINVAL;
5290
5291         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5292         if (!msg)
5293                 return -ENOMEM;
5294
5295         hdr = nl80211hdr_put(msg, info->snd_pid, info->snd_seq, 0,
5296                              NL80211_CMD_REMAIN_ON_CHANNEL);
5297
5298         if (IS_ERR(hdr)) {
5299                 err = PTR_ERR(hdr);
5300                 goto free_msg;
5301         }
5302
5303         err = rdev->ops->remain_on_channel(&rdev->wiphy, dev, chan,
5304                                            channel_type, duration, &cookie);
5305
5306         if (err)
5307                 goto free_msg;
5308
5309         NLA_PUT_U64(msg, NL80211_ATTR_COOKIE, cookie);
5310
5311         genlmsg_end(msg, hdr);
5312
5313         return genlmsg_reply(msg, info);
5314
5315  nla_put_failure:
5316         err = -ENOBUFS;
5317  free_msg:
5318         nlmsg_free(msg);
5319         return err;
5320 }
5321
5322 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
5323                                             struct genl_info *info)
5324 {
5325         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5326         struct net_device *dev = info->user_ptr[1];
5327         u64 cookie;
5328
5329         if (!info->attrs[NL80211_ATTR_COOKIE])
5330                 return -EINVAL;
5331
5332         if (!rdev->ops->cancel_remain_on_channel)
5333                 return -EOPNOTSUPP;
5334
5335         cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
5336
5337         return rdev->ops->cancel_remain_on_channel(&rdev->wiphy, dev, cookie);
5338 }
5339
5340 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
5341                            u8 *rates, u8 rates_len)
5342 {
5343         u8 i;
5344         u32 mask = 0;
5345
5346         for (i = 0; i < rates_len; i++) {
5347                 int rate = (rates[i] & 0x7f) * 5;
5348                 int ridx;
5349                 for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
5350                         struct ieee80211_rate *srate =
5351                                 &sband->bitrates[ridx];
5352                         if (rate == srate->bitrate) {
5353                                 mask |= 1 << ridx;
5354                                 break;
5355                         }
5356                 }
5357                 if (ridx == sband->n_bitrates)
5358                         return 0; /* rate not found */
5359         }
5360
5361         return mask;
5362 }
5363
5364 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
5365         [NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
5366                                     .len = NL80211_MAX_SUPP_RATES },
5367 };
5368
5369 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
5370                                        struct genl_info *info)
5371 {
5372         struct nlattr *tb[NL80211_TXRATE_MAX + 1];
5373         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5374         struct cfg80211_bitrate_mask mask;
5375         int rem, i;
5376         struct net_device *dev = info->user_ptr[1];
5377         struct nlattr *tx_rates;
5378         struct ieee80211_supported_band *sband;
5379
5380         if (info->attrs[NL80211_ATTR_TX_RATES] == NULL)
5381                 return -EINVAL;
5382
5383         if (!rdev->ops->set_bitrate_mask)
5384                 return -EOPNOTSUPP;
5385
5386         memset(&mask, 0, sizeof(mask));
5387         /* Default to all rates enabled */
5388         for (i = 0; i < IEEE80211_NUM_BANDS; i++) {
5389                 sband = rdev->wiphy.bands[i];
5390                 mask.control[i].legacy =
5391                         sband ? (1 << sband->n_bitrates) - 1 : 0;
5392         }
5393
5394         /*
5395          * The nested attribute uses enum nl80211_band as the index. This maps
5396          * directly to the enum ieee80211_band values used in cfg80211.
5397          */
5398         nla_for_each_nested(tx_rates, info->attrs[NL80211_ATTR_TX_RATES], rem)
5399         {
5400                 enum ieee80211_band band = nla_type(tx_rates);
5401                 if (band < 0 || band >= IEEE80211_NUM_BANDS)
5402                         return -EINVAL;
5403                 sband = rdev->wiphy.bands[band];
5404                 if (sband == NULL)
5405                         return -EINVAL;
5406                 nla_parse(tb, NL80211_TXRATE_MAX, nla_data(tx_rates),
5407                           nla_len(tx_rates), nl80211_txattr_policy);
5408                 if (tb[NL80211_TXRATE_LEGACY]) {
5409                         mask.control[band].legacy = rateset_to_mask(
5410                                 sband,
5411                                 nla_data(tb[NL80211_TXRATE_LEGACY]),
5412                                 nla_len(tb[NL80211_TXRATE_LEGACY]));
5413                         if (mask.control[band].legacy == 0)
5414                                 return -EINVAL;
5415                 }
5416         }
5417
5418         return rdev->ops->set_bitrate_mask(&rdev->wiphy, dev, NULL, &mask);
5419 }
5420
5421 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
5422 {
5423         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5424         struct net_device *dev = info->user_ptr[1];
5425         u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
5426
5427         if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
5428                 return -EINVAL;
5429
5430         if (info->attrs[NL80211_ATTR_FRAME_TYPE])
5431                 frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
5432
5433         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
5434             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
5435             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
5436             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5437             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
5438             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
5439             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5440                 return -EOPNOTSUPP;
5441
5442         /* not much point in registering if we can't reply */
5443         if (!rdev->ops->mgmt_tx)
5444                 return -EOPNOTSUPP;
5445
5446         return cfg80211_mlme_register_mgmt(dev->ieee80211_ptr, info->snd_pid,
5447                         frame_type,
5448                         nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
5449                         nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]));
5450 }
5451
5452 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
5453 {
5454         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5455         struct net_device *dev = info->user_ptr[1];
5456         struct ieee80211_channel *chan;
5457         enum nl80211_channel_type channel_type = NL80211_CHAN_NO_HT;
5458         bool channel_type_valid = false;
5459         u32 freq;
5460         int err;
5461         void *hdr = NULL;
5462         u64 cookie;
5463         struct sk_buff *msg = NULL;
5464         unsigned int wait = 0;
5465         bool offchan, no_cck, dont_wait_for_ack;
5466
5467         dont_wait_for_ack = info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK];
5468
5469         if (!info->attrs[NL80211_ATTR_FRAME] ||
5470             !info->attrs[NL80211_ATTR_WIPHY_FREQ])
5471                 return -EINVAL;
5472
5473         if (!rdev->ops->mgmt_tx)
5474                 return -EOPNOTSUPP;
5475
5476         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
5477             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
5478             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
5479             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5480             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
5481             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
5482             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5483                 return -EOPNOTSUPP;
5484
5485         if (info->attrs[NL80211_ATTR_DURATION]) {
5486                 if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
5487                         return -EINVAL;
5488                 wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
5489         }
5490
5491         if (info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
5492                 channel_type = nla_get_u32(
5493                         info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
5494                 if (channel_type != NL80211_CHAN_NO_HT &&
5495                     channel_type != NL80211_CHAN_HT20 &&
5496                     channel_type != NL80211_CHAN_HT40PLUS &&
5497                     channel_type != NL80211_CHAN_HT40MINUS)
5498                         return -EINVAL;
5499                 channel_type_valid = true;
5500         }
5501
5502         offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
5503
5504         if (offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
5505                 return -EINVAL;
5506
5507         no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
5508
5509         freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]);
5510         chan = rdev_freq_to_chan(rdev, freq, channel_type);
5511         if (chan == NULL)
5512                 return -EINVAL;
5513
5514         if (!dont_wait_for_ack) {
5515                 msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5516                 if (!msg)
5517                         return -ENOMEM;
5518
5519                 hdr = nl80211hdr_put(msg, info->snd_pid, info->snd_seq, 0,
5520                                      NL80211_CMD_FRAME);
5521
5522                 if (IS_ERR(hdr)) {
5523                         err = PTR_ERR(hdr);
5524                         goto free_msg;
5525                 }
5526         }
5527
5528         err = cfg80211_mlme_mgmt_tx(rdev, dev, chan, offchan, channel_type,
5529                                     channel_type_valid, wait,
5530                                     nla_data(info->attrs[NL80211_ATTR_FRAME]),
5531                                     nla_len(info->attrs[NL80211_ATTR_FRAME]),
5532                                     no_cck, dont_wait_for_ack, &cookie);
5533         if (err)
5534                 goto free_msg;
5535
5536         if (msg) {
5537                 NLA_PUT_U64(msg, NL80211_ATTR_COOKIE, cookie);
5538
5539                 genlmsg_end(msg, hdr);
5540                 return genlmsg_reply(msg, info);
5541         }
5542
5543         return 0;
5544
5545  nla_put_failure:
5546         err = -ENOBUFS;
5547  free_msg:
5548         nlmsg_free(msg);
5549         return err;
5550 }
5551
5552 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
5553 {
5554         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5555         struct net_device *dev = info->user_ptr[1];
5556         u64 cookie;
5557
5558         if (!info->attrs[NL80211_ATTR_COOKIE])
5559                 return -EINVAL;
5560
5561         if (!rdev->ops->mgmt_tx_cancel_wait)
5562                 return -EOPNOTSUPP;
5563
5564         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
5565             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
5566             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
5567             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5568             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
5569             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5570                 return -EOPNOTSUPP;
5571
5572         cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
5573
5574         return rdev->ops->mgmt_tx_cancel_wait(&rdev->wiphy, dev, cookie);
5575 }
5576
5577 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
5578 {
5579         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5580         struct wireless_dev *wdev;
5581         struct net_device *dev = info->user_ptr[1];
5582         u8 ps_state;
5583         bool state;
5584         int err;
5585
5586         if (!info->attrs[NL80211_ATTR_PS_STATE])
5587                 return -EINVAL;
5588
5589         ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
5590
5591         if (ps_state != NL80211_PS_DISABLED && ps_state != NL80211_PS_ENABLED)
5592                 return -EINVAL;
5593
5594         wdev = dev->ieee80211_ptr;
5595
5596         if (!rdev->ops->set_power_mgmt)
5597                 return -EOPNOTSUPP;
5598
5599         state = (ps_state == NL80211_PS_ENABLED) ? true : false;
5600
5601         if (state == wdev->ps)
5602                 return 0;
5603
5604         err = rdev->ops->set_power_mgmt(wdev->wiphy, dev, state,
5605                                         wdev->ps_timeout);
5606         if (!err)
5607                 wdev->ps = state;
5608         return err;
5609 }
5610
5611 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
5612 {
5613         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5614         enum nl80211_ps_state ps_state;
5615         struct wireless_dev *wdev;
5616         struct net_device *dev = info->user_ptr[1];
5617         struct sk_buff *msg;
5618         void *hdr;
5619         int err;
5620
5621         wdev = dev->ieee80211_ptr;
5622
5623         if (!rdev->ops->set_power_mgmt)
5624                 return -EOPNOTSUPP;
5625
5626         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5627         if (!msg)
5628                 return -ENOMEM;
5629
5630         hdr = nl80211hdr_put(msg, info->snd_pid, info->snd_seq, 0,
5631                              NL80211_CMD_GET_POWER_SAVE);
5632         if (!hdr) {
5633                 err = -ENOBUFS;
5634                 goto free_msg;
5635         }
5636
5637         if (wdev->ps)
5638                 ps_state = NL80211_PS_ENABLED;
5639         else
5640                 ps_state = NL80211_PS_DISABLED;
5641
5642         NLA_PUT_U32(msg, NL80211_ATTR_PS_STATE, ps_state);
5643
5644         genlmsg_end(msg, hdr);
5645         return genlmsg_reply(msg, info);
5646
5647  nla_put_failure:
5648         err = -ENOBUFS;
5649  free_msg:
5650         nlmsg_free(msg);
5651         return err;
5652 }
5653
5654 static struct nla_policy
5655 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] __read_mostly = {
5656         [NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_U32 },
5657         [NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
5658         [NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
5659 };
5660
5661 static int nl80211_set_cqm_rssi(struct genl_info *info,
5662                                 s32 threshold, u32 hysteresis)
5663 {
5664         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5665         struct wireless_dev *wdev;
5666         struct net_device *dev = info->user_ptr[1];
5667
5668         if (threshold > 0)
5669                 return -EINVAL;
5670
5671         wdev = dev->ieee80211_ptr;
5672
5673         if (!rdev->ops->set_cqm_rssi_config)
5674                 return -EOPNOTSUPP;
5675
5676         if (wdev->iftype != NL80211_IFTYPE_STATION &&
5677             wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
5678                 return -EOPNOTSUPP;
5679
5680         return rdev->ops->set_cqm_rssi_config(wdev->wiphy, dev,
5681                                               threshold, hysteresis);
5682 }
5683
5684 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
5685 {
5686         struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
5687         struct nlattr *cqm;
5688         int err;
5689
5690         cqm = info->attrs[NL80211_ATTR_CQM];
5691         if (!cqm) {
5692                 err = -EINVAL;
5693                 goto out;
5694         }
5695
5696         err = nla_parse_nested(attrs, NL80211_ATTR_CQM_MAX, cqm,
5697                                nl80211_attr_cqm_policy);
5698         if (err)
5699                 goto out;
5700
5701         if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
5702             attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
5703                 s32 threshold;
5704                 u32 hysteresis;
5705                 threshold = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
5706                 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
5707                 err = nl80211_set_cqm_rssi(info, threshold, hysteresis);
5708         } else
5709                 err = -EINVAL;
5710
5711 out:
5712         return err;
5713 }
5714
5715 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
5716 {
5717         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5718         struct net_device *dev = info->user_ptr[1];
5719         struct mesh_config cfg;
5720         struct mesh_setup setup;
5721         int err;
5722
5723         /* start with default */
5724         memcpy(&cfg, &default_mesh_config, sizeof(cfg));
5725         memcpy(&setup, &default_mesh_setup, sizeof(setup));
5726
5727         if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
5728                 /* and parse parameters if given */
5729                 err = nl80211_parse_mesh_config(info, &cfg, NULL);
5730                 if (err)
5731                         return err;
5732         }
5733
5734         if (!info->attrs[NL80211_ATTR_MESH_ID] ||
5735             !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
5736                 return -EINVAL;
5737
5738         setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
5739         setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
5740
5741         if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
5742             !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
5743                             nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
5744                         return -EINVAL;
5745
5746         if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
5747                 /* parse additional setup parameters if given */
5748                 err = nl80211_parse_mesh_setup(info, &setup);
5749                 if (err)
5750                         return err;
5751         }
5752
5753         return cfg80211_join_mesh(rdev, dev, &setup, &cfg);
5754 }
5755
5756 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
5757 {
5758         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5759         struct net_device *dev = info->user_ptr[1];
5760
5761         return cfg80211_leave_mesh(rdev, dev);
5762 }
5763
5764 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
5765 {
5766         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5767         struct sk_buff *msg;
5768         void *hdr;
5769
5770         if (!rdev->wiphy.wowlan.flags && !rdev->wiphy.wowlan.n_patterns)
5771                 return -EOPNOTSUPP;
5772
5773         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5774         if (!msg)
5775                 return -ENOMEM;
5776
5777         hdr = nl80211hdr_put(msg, info->snd_pid, info->snd_seq, 0,
5778                              NL80211_CMD_GET_WOWLAN);
5779         if (!hdr)
5780                 goto nla_put_failure;
5781
5782         if (rdev->wowlan) {
5783                 struct nlattr *nl_wowlan;
5784
5785                 nl_wowlan = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS);
5786                 if (!nl_wowlan)
5787                         goto nla_put_failure;
5788
5789                 if (rdev->wowlan->any)
5790                         NLA_PUT_FLAG(msg, NL80211_WOWLAN_TRIG_ANY);
5791                 if (rdev->wowlan->disconnect)
5792                         NLA_PUT_FLAG(msg, NL80211_WOWLAN_TRIG_DISCONNECT);
5793                 if (rdev->wowlan->magic_pkt)
5794                         NLA_PUT_FLAG(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT);
5795                 if (rdev->wowlan->gtk_rekey_failure)
5796                         NLA_PUT_FLAG(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE);
5797                 if (rdev->wowlan->eap_identity_req)
5798                         NLA_PUT_FLAG(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST);
5799                 if (rdev->wowlan->four_way_handshake)
5800                         NLA_PUT_FLAG(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE);
5801                 if (rdev->wowlan->rfkill_release)
5802                         NLA_PUT_FLAG(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE);
5803                 if (rdev->wowlan->n_patterns) {
5804                         struct nlattr *nl_pats, *nl_pat;
5805                         int i, pat_len;
5806
5807                         nl_pats = nla_nest_start(msg,
5808                                         NL80211_WOWLAN_TRIG_PKT_PATTERN);
5809                         if (!nl_pats)
5810                                 goto nla_put_failure;
5811
5812                         for (i = 0; i < rdev->wowlan->n_patterns; i++) {
5813                                 nl_pat = nla_nest_start(msg, i + 1);
5814                                 if (!nl_pat)
5815                                         goto nla_put_failure;
5816                                 pat_len = rdev->wowlan->patterns[i].pattern_len;
5817                                 NLA_PUT(msg, NL80211_WOWLAN_PKTPAT_MASK,
5818                                         DIV_ROUND_UP(pat_len, 8),
5819                                         rdev->wowlan->patterns[i].mask);
5820                                 NLA_PUT(msg, NL80211_WOWLAN_PKTPAT_PATTERN,
5821                                         pat_len,
5822                                         rdev->wowlan->patterns[i].pattern);
5823                                 nla_nest_end(msg, nl_pat);
5824                         }
5825                         nla_nest_end(msg, nl_pats);
5826                 }
5827
5828                 nla_nest_end(msg, nl_wowlan);
5829         }
5830
5831         genlmsg_end(msg, hdr);
5832         return genlmsg_reply(msg, info);
5833
5834 nla_put_failure:
5835         nlmsg_free(msg);
5836         return -ENOBUFS;
5837 }
5838
5839 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
5840 {
5841         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5842         struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
5843         struct cfg80211_wowlan no_triggers = {};
5844         struct cfg80211_wowlan new_triggers = {};
5845         struct wiphy_wowlan_support *wowlan = &rdev->wiphy.wowlan;
5846         int err, i;
5847
5848         if (!rdev->wiphy.wowlan.flags && !rdev->wiphy.wowlan.n_patterns)
5849                 return -EOPNOTSUPP;
5850
5851         if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS])
5852                 goto no_triggers;
5853
5854         err = nla_parse(tb, MAX_NL80211_WOWLAN_TRIG,
5855                         nla_data(info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]),
5856                         nla_len(info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]),
5857                         nl80211_wowlan_policy);
5858         if (err)
5859                 return err;
5860
5861         if (tb[NL80211_WOWLAN_TRIG_ANY]) {
5862                 if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
5863                         return -EINVAL;
5864                 new_triggers.any = true;
5865         }
5866
5867         if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
5868                 if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
5869                         return -EINVAL;
5870                 new_triggers.disconnect = true;
5871         }
5872
5873         if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
5874                 if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
5875                         return -EINVAL;
5876                 new_triggers.magic_pkt = true;
5877         }
5878
5879         if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
5880                 return -EINVAL;
5881
5882         if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
5883                 if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
5884                         return -EINVAL;
5885                 new_triggers.gtk_rekey_failure = true;
5886         }
5887
5888         if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
5889                 if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
5890                         return -EINVAL;
5891                 new_triggers.eap_identity_req = true;
5892         }
5893
5894         if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
5895                 if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
5896                         return -EINVAL;
5897                 new_triggers.four_way_handshake = true;
5898         }
5899
5900         if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
5901                 if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
5902                         return -EINVAL;
5903                 new_triggers.rfkill_release = true;
5904         }
5905
5906         if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
5907                 struct nlattr *pat;
5908                 int n_patterns = 0;
5909                 int rem, pat_len, mask_len;
5910                 struct nlattr *pat_tb[NUM_NL80211_WOWLAN_PKTPAT];
5911
5912                 nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
5913                                     rem)
5914                         n_patterns++;
5915                 if (n_patterns > wowlan->n_patterns)
5916                         return -EINVAL;
5917
5918                 new_triggers.patterns = kcalloc(n_patterns,
5919                                                 sizeof(new_triggers.patterns[0]),
5920                                                 GFP_KERNEL);
5921                 if (!new_triggers.patterns)
5922