cc0fad30b8c9de64b9967bb28751f7b2534b53ed
[linux-3.10.git] / net / wireless / nl80211.c
1 /*
2  * This is the new netlink-based wireless configuration interface.
3  *
4  * Copyright 2006-2010  Johannes Berg <johannes@sipsolutions.net>
5  */
6
7 #include <linux/if.h>
8 #include <linux/module.h>
9 #include <linux/err.h>
10 #include <linux/slab.h>
11 #include <linux/list.h>
12 #include <linux/if_ether.h>
13 #include <linux/ieee80211.h>
14 #include <linux/nl80211.h>
15 #include <linux/rtnetlink.h>
16 #include <linux/netlink.h>
17 #include <linux/etherdevice.h>
18 #include <net/net_namespace.h>
19 #include <net/genetlink.h>
20 #include <net/cfg80211.h>
21 #include <net/sock.h>
22 #include "core.h"
23 #include "nl80211.h"
24 #include "reg.h"
25 #include "rdev-ops.h"
26
27 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
28                                    struct genl_info *info,
29                                    struct cfg80211_crypto_settings *settings,
30                                    int cipher_limit);
31
32 static int nl80211_pre_doit(struct genl_ops *ops, struct sk_buff *skb,
33                             struct genl_info *info);
34 static void nl80211_post_doit(struct genl_ops *ops, struct sk_buff *skb,
35                               struct genl_info *info);
36
37 /* the netlink family */
38 static struct genl_family nl80211_fam = {
39         .id = GENL_ID_GENERATE, /* don't bother with a hardcoded ID */
40         .name = "nl80211",      /* have users key off the name instead */
41         .hdrsize = 0,           /* no private header */
42         .version = 1,           /* no particular meaning now */
43         .maxattr = NL80211_ATTR_MAX,
44         .netnsok = true,
45         .pre_doit = nl80211_pre_doit,
46         .post_doit = nl80211_post_doit,
47 };
48
49 /* returns ERR_PTR values */
50 static struct wireless_dev *
51 __cfg80211_wdev_from_attrs(struct net *netns, struct nlattr **attrs)
52 {
53         struct cfg80211_registered_device *rdev;
54         struct wireless_dev *result = NULL;
55         bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
56         bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
57         u64 wdev_id;
58         int wiphy_idx = -1;
59         int ifidx = -1;
60
61         assert_cfg80211_lock();
62
63         if (!have_ifidx && !have_wdev_id)
64                 return ERR_PTR(-EINVAL);
65
66         if (have_ifidx)
67                 ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
68         if (have_wdev_id) {
69                 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
70                 wiphy_idx = wdev_id >> 32;
71         }
72
73         list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
74                 struct wireless_dev *wdev;
75
76                 if (wiphy_net(&rdev->wiphy) != netns)
77                         continue;
78
79                 if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
80                         continue;
81
82                 mutex_lock(&rdev->devlist_mtx);
83                 list_for_each_entry(wdev, &rdev->wdev_list, list) {
84                         if (have_ifidx && wdev->netdev &&
85                             wdev->netdev->ifindex == ifidx) {
86                                 result = wdev;
87                                 break;
88                         }
89                         if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
90                                 result = wdev;
91                                 break;
92                         }
93                 }
94                 mutex_unlock(&rdev->devlist_mtx);
95
96                 if (result)
97                         break;
98         }
99
100         if (result)
101                 return result;
102         return ERR_PTR(-ENODEV);
103 }
104
105 static struct cfg80211_registered_device *
106 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
107 {
108         struct cfg80211_registered_device *rdev = NULL, *tmp;
109         struct net_device *netdev;
110
111         assert_cfg80211_lock();
112
113         if (!attrs[NL80211_ATTR_WIPHY] &&
114             !attrs[NL80211_ATTR_IFINDEX] &&
115             !attrs[NL80211_ATTR_WDEV])
116                 return ERR_PTR(-EINVAL);
117
118         if (attrs[NL80211_ATTR_WIPHY])
119                 rdev = cfg80211_rdev_by_wiphy_idx(
120                                 nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
121
122         if (attrs[NL80211_ATTR_WDEV]) {
123                 u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
124                 struct wireless_dev *wdev;
125                 bool found = false;
126
127                 tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
128                 if (tmp) {
129                         /* make sure wdev exists */
130                         mutex_lock(&tmp->devlist_mtx);
131                         list_for_each_entry(wdev, &tmp->wdev_list, list) {
132                                 if (wdev->identifier != (u32)wdev_id)
133                                         continue;
134                                 found = true;
135                                 break;
136                         }
137                         mutex_unlock(&tmp->devlist_mtx);
138
139                         if (!found)
140                                 tmp = NULL;
141
142                         if (rdev && tmp != rdev)
143                                 return ERR_PTR(-EINVAL);
144                         rdev = tmp;
145                 }
146         }
147
148         if (attrs[NL80211_ATTR_IFINDEX]) {
149                 int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
150                 netdev = dev_get_by_index(netns, ifindex);
151                 if (netdev) {
152                         if (netdev->ieee80211_ptr)
153                                 tmp = wiphy_to_dev(
154                                                 netdev->ieee80211_ptr->wiphy);
155                         else
156                                 tmp = NULL;
157
158                         dev_put(netdev);
159
160                         /* not wireless device -- return error */
161                         if (!tmp)
162                                 return ERR_PTR(-EINVAL);
163
164                         /* mismatch -- return error */
165                         if (rdev && tmp != rdev)
166                                 return ERR_PTR(-EINVAL);
167
168                         rdev = tmp;
169                 }
170         }
171
172         if (!rdev)
173                 return ERR_PTR(-ENODEV);
174
175         if (netns != wiphy_net(&rdev->wiphy))
176                 return ERR_PTR(-ENODEV);
177
178         return rdev;
179 }
180
181 /*
182  * This function returns a pointer to the driver
183  * that the genl_info item that is passed refers to.
184  * If successful, it returns non-NULL and also locks
185  * the driver's mutex!
186  *
187  * This means that you need to call cfg80211_unlock_rdev()
188  * before being allowed to acquire &cfg80211_mutex!
189  *
190  * This is necessary because we need to lock the global
191  * mutex to get an item off the list safely, and then
192  * we lock the rdev mutex so it doesn't go away under us.
193  *
194  * We don't want to keep cfg80211_mutex locked
195  * for all the time in order to allow requests on
196  * other interfaces to go through at the same time.
197  *
198  * The result of this can be a PTR_ERR and hence must
199  * be checked with IS_ERR() for errors.
200  */
201 static struct cfg80211_registered_device *
202 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
203 {
204         struct cfg80211_registered_device *rdev;
205
206         mutex_lock(&cfg80211_mutex);
207         rdev = __cfg80211_rdev_from_attrs(netns, info->attrs);
208
209         /* if it is not an error we grab the lock on
210          * it to assure it won't be going away while
211          * we operate on it */
212         if (!IS_ERR(rdev))
213                 mutex_lock(&rdev->mtx);
214
215         mutex_unlock(&cfg80211_mutex);
216
217         return rdev;
218 }
219
220 /* policy for the attributes */
221 static const struct nla_policy nl80211_policy[NL80211_ATTR_MAX+1] = {
222         [NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
223         [NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
224                                       .len = 20-1 },
225         [NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
226
227         [NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
228         [NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
229         [NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
230         [NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
231         [NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
232
233         [NL80211_ATTR_WIPHY_RETRY_SHORT] = { .type = NLA_U8 },
234         [NL80211_ATTR_WIPHY_RETRY_LONG] = { .type = NLA_U8 },
235         [NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
236         [NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
237         [NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
238
239         [NL80211_ATTR_IFTYPE] = { .type = NLA_U32 },
240         [NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
241         [NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
242
243         [NL80211_ATTR_MAC] = { .len = ETH_ALEN },
244         [NL80211_ATTR_PREV_BSSID] = { .len = ETH_ALEN },
245
246         [NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
247         [NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
248                                     .len = WLAN_MAX_KEY_LEN },
249         [NL80211_ATTR_KEY_IDX] = { .type = NLA_U8 },
250         [NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
251         [NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
252         [NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
253         [NL80211_ATTR_KEY_TYPE] = { .type = NLA_U32 },
254
255         [NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
256         [NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
257         [NL80211_ATTR_BEACON_HEAD] = { .type = NLA_BINARY,
258                                        .len = IEEE80211_MAX_DATA_LEN },
259         [NL80211_ATTR_BEACON_TAIL] = { .type = NLA_BINARY,
260                                        .len = IEEE80211_MAX_DATA_LEN },
261         [NL80211_ATTR_STA_AID] = { .type = NLA_U16 },
262         [NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
263         [NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
264         [NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
265                                                .len = NL80211_MAX_SUPP_RATES },
266         [NL80211_ATTR_STA_PLINK_ACTION] = { .type = NLA_U8 },
267         [NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
268         [NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
269         [NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
270                                    .len = IEEE80211_MAX_MESH_ID_LEN },
271         [NL80211_ATTR_MPATH_NEXT_HOP] = { .type = NLA_U32 },
272
273         [NL80211_ATTR_REG_ALPHA2] = { .type = NLA_STRING, .len = 2 },
274         [NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
275
276         [NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
277         [NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
278         [NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
279         [NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
280                                            .len = NL80211_MAX_SUPP_RATES },
281         [NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
282
283         [NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
284         [NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
285
286         [NL80211_ATTR_HT_CAPABILITY] = { .len = NL80211_HT_CAPABILITY_LEN },
287
288         [NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
289         [NL80211_ATTR_IE] = { .type = NLA_BINARY,
290                               .len = IEEE80211_MAX_DATA_LEN },
291         [NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
292         [NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
293
294         [NL80211_ATTR_SSID] = { .type = NLA_BINARY,
295                                 .len = IEEE80211_MAX_SSID_LEN },
296         [NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
297         [NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
298         [NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
299         [NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
300         [NL80211_ATTR_USE_MFP] = { .type = NLA_U32 },
301         [NL80211_ATTR_STA_FLAGS2] = {
302                 .len = sizeof(struct nl80211_sta_flag_update),
303         },
304         [NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
305         [NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
306         [NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
307         [NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
308         [NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
309         [NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
310         [NL80211_ATTR_PID] = { .type = NLA_U32 },
311         [NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
312         [NL80211_ATTR_PMKID] = { .type = NLA_BINARY,
313                                  .len = WLAN_PMKID_LEN },
314         [NL80211_ATTR_DURATION] = { .type = NLA_U32 },
315         [NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
316         [NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
317         [NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
318                                  .len = IEEE80211_MAX_DATA_LEN },
319         [NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
320         [NL80211_ATTR_PS_STATE] = { .type = NLA_U32 },
321         [NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
322         [NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
323         [NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
324         [NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
325         [NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
326         [NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
327         [NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
328         [NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
329         [NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
330         [NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
331         [NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
332         [NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
333         [NL80211_ATTR_STA_PLINK_STATE] = { .type = NLA_U8 },
334         [NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
335         [NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
336         [NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
337         [NL80211_ATTR_HIDDEN_SSID] = { .type = NLA_U32 },
338         [NL80211_ATTR_IE_PROBE_RESP] = { .type = NLA_BINARY,
339                                          .len = IEEE80211_MAX_DATA_LEN },
340         [NL80211_ATTR_IE_ASSOC_RESP] = { .type = NLA_BINARY,
341                                          .len = IEEE80211_MAX_DATA_LEN },
342         [NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
343         [NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
344         [NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
345         [NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
346         [NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
347         [NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
348         [NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
349         [NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
350         [NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
351         [NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
352                                       .len = IEEE80211_MAX_DATA_LEN },
353         [NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
354         [NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
355         [NL80211_ATTR_HT_CAPABILITY_MASK] = {
356                 .len = NL80211_HT_CAPABILITY_LEN
357         },
358         [NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
359         [NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
360         [NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
361         [NL80211_ATTR_WDEV] = { .type = NLA_U64 },
362         [NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
363         [NL80211_ATTR_SAE_DATA] = { .type = NLA_BINARY, },
364         [NL80211_ATTR_VHT_CAPABILITY] = { .len = NL80211_VHT_CAPABILITY_LEN },
365         [NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
366         [NL80211_ATTR_P2P_CTWINDOW] = { .type = NLA_U8 },
367         [NL80211_ATTR_P2P_OPPPS] = { .type = NLA_U8 },
368         [NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
369         [NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
370 };
371
372 /* policy for the key attributes */
373 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
374         [NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
375         [NL80211_KEY_IDX] = { .type = NLA_U8 },
376         [NL80211_KEY_CIPHER] = { .type = NLA_U32 },
377         [NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
378         [NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
379         [NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
380         [NL80211_KEY_TYPE] = { .type = NLA_U32 },
381         [NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
382 };
383
384 /* policy for the key default flags */
385 static const struct nla_policy
386 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
387         [NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
388         [NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
389 };
390
391 /* policy for WoWLAN attributes */
392 static const struct nla_policy
393 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
394         [NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
395         [NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
396         [NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
397         [NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
398         [NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
399         [NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
400         [NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
401         [NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
402 };
403
404 /* policy for GTK rekey offload attributes */
405 static const struct nla_policy
406 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
407         [NL80211_REKEY_DATA_KEK] = { .len = NL80211_KEK_LEN },
408         [NL80211_REKEY_DATA_KCK] = { .len = NL80211_KCK_LEN },
409         [NL80211_REKEY_DATA_REPLAY_CTR] = { .len = NL80211_REPLAY_CTR_LEN },
410 };
411
412 static const struct nla_policy
413 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
414         [NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
415                                                  .len = IEEE80211_MAX_SSID_LEN },
416         [NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
417 };
418
419 /* ifidx get helper */
420 static int nl80211_get_ifidx(struct netlink_callback *cb)
421 {
422         int res;
423
424         res = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
425                           nl80211_fam.attrbuf, nl80211_fam.maxattr,
426                           nl80211_policy);
427         if (res)
428                 return res;
429
430         if (!nl80211_fam.attrbuf[NL80211_ATTR_IFINDEX])
431                 return -EINVAL;
432
433         res = nla_get_u32(nl80211_fam.attrbuf[NL80211_ATTR_IFINDEX]);
434         if (!res)
435                 return -EINVAL;
436         return res;
437 }
438
439 static int nl80211_prepare_netdev_dump(struct sk_buff *skb,
440                                        struct netlink_callback *cb,
441                                        struct cfg80211_registered_device **rdev,
442                                        struct net_device **dev)
443 {
444         int ifidx = cb->args[0];
445         int err;
446
447         if (!ifidx)
448                 ifidx = nl80211_get_ifidx(cb);
449         if (ifidx < 0)
450                 return ifidx;
451
452         cb->args[0] = ifidx;
453
454         rtnl_lock();
455
456         *dev = __dev_get_by_index(sock_net(skb->sk), ifidx);
457         if (!*dev) {
458                 err = -ENODEV;
459                 goto out_rtnl;
460         }
461
462         *rdev = cfg80211_get_dev_from_ifindex(sock_net(skb->sk), ifidx);
463         if (IS_ERR(*rdev)) {
464                 err = PTR_ERR(*rdev);
465                 goto out_rtnl;
466         }
467
468         return 0;
469  out_rtnl:
470         rtnl_unlock();
471         return err;
472 }
473
474 static void nl80211_finish_netdev_dump(struct cfg80211_registered_device *rdev)
475 {
476         cfg80211_unlock_rdev(rdev);
477         rtnl_unlock();
478 }
479
480 /* IE validation */
481 static bool is_valid_ie_attr(const struct nlattr *attr)
482 {
483         const u8 *pos;
484         int len;
485
486         if (!attr)
487                 return true;
488
489         pos = nla_data(attr);
490         len = nla_len(attr);
491
492         while (len) {
493                 u8 elemlen;
494
495                 if (len < 2)
496                         return false;
497                 len -= 2;
498
499                 elemlen = pos[1];
500                 if (elemlen > len)
501                         return false;
502
503                 len -= elemlen;
504                 pos += 2 + elemlen;
505         }
506
507         return true;
508 }
509
510 /* message building helper */
511 static inline void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
512                                    int flags, u8 cmd)
513 {
514         /* since there is no private header just add the generic one */
515         return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
516 }
517
518 static int nl80211_msg_put_channel(struct sk_buff *msg,
519                                    struct ieee80211_channel *chan)
520 {
521         if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
522                         chan->center_freq))
523                 goto nla_put_failure;
524
525         if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
526             nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
527                 goto nla_put_failure;
528         if ((chan->flags & IEEE80211_CHAN_PASSIVE_SCAN) &&
529             nla_put_flag(msg, NL80211_FREQUENCY_ATTR_PASSIVE_SCAN))
530                 goto nla_put_failure;
531         if ((chan->flags & IEEE80211_CHAN_NO_IBSS) &&
532             nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IBSS))
533                 goto nla_put_failure;
534         if ((chan->flags & IEEE80211_CHAN_RADAR) &&
535             nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
536                 goto nla_put_failure;
537
538         if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
539                         DBM_TO_MBM(chan->max_power)))
540                 goto nla_put_failure;
541
542         return 0;
543
544  nla_put_failure:
545         return -ENOBUFS;
546 }
547
548 /* netlink command implementations */
549
550 struct key_parse {
551         struct key_params p;
552         int idx;
553         int type;
554         bool def, defmgmt;
555         bool def_uni, def_multi;
556 };
557
558 static int nl80211_parse_key_new(struct nlattr *key, struct key_parse *k)
559 {
560         struct nlattr *tb[NL80211_KEY_MAX + 1];
561         int err = nla_parse_nested(tb, NL80211_KEY_MAX, key,
562                                    nl80211_key_policy);
563         if (err)
564                 return err;
565
566         k->def = !!tb[NL80211_KEY_DEFAULT];
567         k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
568
569         if (k->def) {
570                 k->def_uni = true;
571                 k->def_multi = true;
572         }
573         if (k->defmgmt)
574                 k->def_multi = true;
575
576         if (tb[NL80211_KEY_IDX])
577                 k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
578
579         if (tb[NL80211_KEY_DATA]) {
580                 k->p.key = nla_data(tb[NL80211_KEY_DATA]);
581                 k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
582         }
583
584         if (tb[NL80211_KEY_SEQ]) {
585                 k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
586                 k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
587         }
588
589         if (tb[NL80211_KEY_CIPHER])
590                 k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
591
592         if (tb[NL80211_KEY_TYPE]) {
593                 k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
594                 if (k->type < 0 || k->type >= NUM_NL80211_KEYTYPES)
595                         return -EINVAL;
596         }
597
598         if (tb[NL80211_KEY_DEFAULT_TYPES]) {
599                 struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
600                 err = nla_parse_nested(kdt, NUM_NL80211_KEY_DEFAULT_TYPES - 1,
601                                        tb[NL80211_KEY_DEFAULT_TYPES],
602                                        nl80211_key_default_policy);
603                 if (err)
604                         return err;
605
606                 k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
607                 k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
608         }
609
610         return 0;
611 }
612
613 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
614 {
615         if (info->attrs[NL80211_ATTR_KEY_DATA]) {
616                 k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
617                 k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
618         }
619
620         if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
621                 k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
622                 k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
623         }
624
625         if (info->attrs[NL80211_ATTR_KEY_IDX])
626                 k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
627
628         if (info->attrs[NL80211_ATTR_KEY_CIPHER])
629                 k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
630
631         k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
632         k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
633
634         if (k->def) {
635                 k->def_uni = true;
636                 k->def_multi = true;
637         }
638         if (k->defmgmt)
639                 k->def_multi = true;
640
641         if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
642                 k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
643                 if (k->type < 0 || k->type >= NUM_NL80211_KEYTYPES)
644                         return -EINVAL;
645         }
646
647         if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
648                 struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
649                 int err = nla_parse_nested(
650                                 kdt, NUM_NL80211_KEY_DEFAULT_TYPES - 1,
651                                 info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
652                                 nl80211_key_default_policy);
653                 if (err)
654                         return err;
655
656                 k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
657                 k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
658         }
659
660         return 0;
661 }
662
663 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
664 {
665         int err;
666
667         memset(k, 0, sizeof(*k));
668         k->idx = -1;
669         k->type = -1;
670
671         if (info->attrs[NL80211_ATTR_KEY])
672                 err = nl80211_parse_key_new(info->attrs[NL80211_ATTR_KEY], k);
673         else
674                 err = nl80211_parse_key_old(info, k);
675
676         if (err)
677                 return err;
678
679         if (k->def && k->defmgmt)
680                 return -EINVAL;
681
682         if (k->defmgmt) {
683                 if (k->def_uni || !k->def_multi)
684                         return -EINVAL;
685         }
686
687         if (k->idx != -1) {
688                 if (k->defmgmt) {
689                         if (k->idx < 4 || k->idx > 5)
690                                 return -EINVAL;
691                 } else if (k->def) {
692                         if (k->idx < 0 || k->idx > 3)
693                                 return -EINVAL;
694                 } else {
695                         if (k->idx < 0 || k->idx > 5)
696                                 return -EINVAL;
697                 }
698         }
699
700         return 0;
701 }
702
703 static struct cfg80211_cached_keys *
704 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
705                        struct nlattr *keys, bool *no_ht)
706 {
707         struct key_parse parse;
708         struct nlattr *key;
709         struct cfg80211_cached_keys *result;
710         int rem, err, def = 0;
711
712         result = kzalloc(sizeof(*result), GFP_KERNEL);
713         if (!result)
714                 return ERR_PTR(-ENOMEM);
715
716         result->def = -1;
717         result->defmgmt = -1;
718
719         nla_for_each_nested(key, keys, rem) {
720                 memset(&parse, 0, sizeof(parse));
721                 parse.idx = -1;
722
723                 err = nl80211_parse_key_new(key, &parse);
724                 if (err)
725                         goto error;
726                 err = -EINVAL;
727                 if (!parse.p.key)
728                         goto error;
729                 if (parse.idx < 0 || parse.idx > 4)
730                         goto error;
731                 if (parse.def) {
732                         if (def)
733                                 goto error;
734                         def = 1;
735                         result->def = parse.idx;
736                         if (!parse.def_uni || !parse.def_multi)
737                                 goto error;
738                 } else if (parse.defmgmt)
739                         goto error;
740                 err = cfg80211_validate_key_settings(rdev, &parse.p,
741                                                      parse.idx, false, NULL);
742                 if (err)
743                         goto error;
744                 result->params[parse.idx].cipher = parse.p.cipher;
745                 result->params[parse.idx].key_len = parse.p.key_len;
746                 result->params[parse.idx].key = result->data[parse.idx];
747                 memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
748
749                 if (parse.p.cipher == WLAN_CIPHER_SUITE_WEP40 ||
750                     parse.p.cipher == WLAN_CIPHER_SUITE_WEP104) {
751                         if (no_ht)
752                                 *no_ht = true;
753                 }
754         }
755
756         return result;
757  error:
758         kfree(result);
759         return ERR_PTR(err);
760 }
761
762 static int nl80211_key_allowed(struct wireless_dev *wdev)
763 {
764         ASSERT_WDEV_LOCK(wdev);
765
766         switch (wdev->iftype) {
767         case NL80211_IFTYPE_AP:
768         case NL80211_IFTYPE_AP_VLAN:
769         case NL80211_IFTYPE_P2P_GO:
770         case NL80211_IFTYPE_MESH_POINT:
771                 break;
772         case NL80211_IFTYPE_ADHOC:
773                 if (!wdev->current_bss)
774                         return -ENOLINK;
775                 break;
776         case NL80211_IFTYPE_STATION:
777         case NL80211_IFTYPE_P2P_CLIENT:
778                 if (wdev->sme_state != CFG80211_SME_CONNECTED)
779                         return -ENOLINK;
780                 break;
781         default:
782                 return -EINVAL;
783         }
784
785         return 0;
786 }
787
788 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
789 {
790         struct nlattr *nl_modes = nla_nest_start(msg, attr);
791         int i;
792
793         if (!nl_modes)
794                 goto nla_put_failure;
795
796         i = 0;
797         while (ifmodes) {
798                 if ((ifmodes & 1) && nla_put_flag(msg, i))
799                         goto nla_put_failure;
800                 ifmodes >>= 1;
801                 i++;
802         }
803
804         nla_nest_end(msg, nl_modes);
805         return 0;
806
807 nla_put_failure:
808         return -ENOBUFS;
809 }
810
811 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
812                                           struct sk_buff *msg)
813 {
814         struct nlattr *nl_combis;
815         int i, j;
816
817         nl_combis = nla_nest_start(msg,
818                                 NL80211_ATTR_INTERFACE_COMBINATIONS);
819         if (!nl_combis)
820                 goto nla_put_failure;
821
822         for (i = 0; i < wiphy->n_iface_combinations; i++) {
823                 const struct ieee80211_iface_combination *c;
824                 struct nlattr *nl_combi, *nl_limits;
825
826                 c = &wiphy->iface_combinations[i];
827
828                 nl_combi = nla_nest_start(msg, i + 1);
829                 if (!nl_combi)
830                         goto nla_put_failure;
831
832                 nl_limits = nla_nest_start(msg, NL80211_IFACE_COMB_LIMITS);
833                 if (!nl_limits)
834                         goto nla_put_failure;
835
836                 for (j = 0; j < c->n_limits; j++) {
837                         struct nlattr *nl_limit;
838
839                         nl_limit = nla_nest_start(msg, j + 1);
840                         if (!nl_limit)
841                                 goto nla_put_failure;
842                         if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
843                                         c->limits[j].max))
844                                 goto nla_put_failure;
845                         if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
846                                                 c->limits[j].types))
847                                 goto nla_put_failure;
848                         nla_nest_end(msg, nl_limit);
849                 }
850
851                 nla_nest_end(msg, nl_limits);
852
853                 if (c->beacon_int_infra_match &&
854                     nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
855                         goto nla_put_failure;
856                 if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
857                                 c->num_different_channels) ||
858                     nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
859                                 c->max_interfaces))
860                         goto nla_put_failure;
861                 if (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
862                                 c->radar_detect_widths))
863                         goto nla_put_failure;
864
865                 nla_nest_end(msg, nl_combi);
866         }
867
868         nla_nest_end(msg, nl_combis);
869
870         return 0;
871 nla_put_failure:
872         return -ENOBUFS;
873 }
874
875 static int nl80211_send_wiphy(struct sk_buff *msg, u32 portid, u32 seq, int flags,
876                               struct cfg80211_registered_device *dev)
877 {
878         void *hdr;
879         struct nlattr *nl_bands, *nl_band;
880         struct nlattr *nl_freqs, *nl_freq;
881         struct nlattr *nl_rates, *nl_rate;
882         struct nlattr *nl_cmds;
883         enum ieee80211_band band;
884         struct ieee80211_channel *chan;
885         struct ieee80211_rate *rate;
886         int i;
887         const struct ieee80211_txrx_stypes *mgmt_stypes =
888                                 dev->wiphy.mgmt_stypes;
889
890         hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_WIPHY);
891         if (!hdr)
892                 return -1;
893
894         if (nla_put_u32(msg, NL80211_ATTR_WIPHY, dev->wiphy_idx) ||
895             nla_put_string(msg, NL80211_ATTR_WIPHY_NAME, wiphy_name(&dev->wiphy)) ||
896             nla_put_u32(msg, NL80211_ATTR_GENERATION,
897                         cfg80211_rdev_list_generation) ||
898             nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
899                        dev->wiphy.retry_short) ||
900             nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
901                        dev->wiphy.retry_long) ||
902             nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
903                         dev->wiphy.frag_threshold) ||
904             nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
905                         dev->wiphy.rts_threshold) ||
906             nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
907                        dev->wiphy.coverage_class) ||
908             nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
909                        dev->wiphy.max_scan_ssids) ||
910             nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
911                        dev->wiphy.max_sched_scan_ssids) ||
912             nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
913                         dev->wiphy.max_scan_ie_len) ||
914             nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
915                         dev->wiphy.max_sched_scan_ie_len) ||
916             nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
917                        dev->wiphy.max_match_sets))
918                 goto nla_put_failure;
919
920         if ((dev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
921             nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
922                 goto nla_put_failure;
923         if ((dev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
924             nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
925                 goto nla_put_failure;
926         if ((dev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
927             nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
928                 goto nla_put_failure;
929         if ((dev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
930             nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
931                 goto nla_put_failure;
932         if ((dev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
933             nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
934                 goto nla_put_failure;
935         if ((dev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
936             nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
937                 goto nla_put_failure;
938
939         if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
940                     sizeof(u32) * dev->wiphy.n_cipher_suites,
941                     dev->wiphy.cipher_suites))
942                 goto nla_put_failure;
943
944         if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
945                        dev->wiphy.max_num_pmkids))
946                 goto nla_put_failure;
947
948         if ((dev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
949             nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
950                 goto nla_put_failure;
951
952         if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
953                         dev->wiphy.available_antennas_tx) ||
954             nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
955                         dev->wiphy.available_antennas_rx))
956                 goto nla_put_failure;
957
958         if ((dev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
959             nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
960                         dev->wiphy.probe_resp_offload))
961                 goto nla_put_failure;
962
963         if ((dev->wiphy.available_antennas_tx ||
964              dev->wiphy.available_antennas_rx) && dev->ops->get_antenna) {
965                 u32 tx_ant = 0, rx_ant = 0;
966                 int res;
967                 res = rdev_get_antenna(dev, &tx_ant, &rx_ant);
968                 if (!res) {
969                         if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_TX,
970                                         tx_ant) ||
971                             nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_RX,
972                                         rx_ant))
973                                 goto nla_put_failure;
974                 }
975         }
976
977         if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
978                                 dev->wiphy.interface_modes))
979                 goto nla_put_failure;
980
981         nl_bands = nla_nest_start(msg, NL80211_ATTR_WIPHY_BANDS);
982         if (!nl_bands)
983                 goto nla_put_failure;
984
985         for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
986                 if (!dev->wiphy.bands[band])
987                         continue;
988
989                 nl_band = nla_nest_start(msg, band);
990                 if (!nl_band)
991                         goto nla_put_failure;
992
993                 /* add HT info */
994                 if (dev->wiphy.bands[band]->ht_cap.ht_supported &&
995                     (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
996                              sizeof(dev->wiphy.bands[band]->ht_cap.mcs),
997                              &dev->wiphy.bands[band]->ht_cap.mcs) ||
998                      nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
999                                  dev->wiphy.bands[band]->ht_cap.cap) ||
1000                      nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1001                                 dev->wiphy.bands[band]->ht_cap.ampdu_factor) ||
1002                      nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1003                                 dev->wiphy.bands[band]->ht_cap.ampdu_density)))
1004                         goto nla_put_failure;
1005
1006                 /* add VHT info */
1007                 if (dev->wiphy.bands[band]->vht_cap.vht_supported &&
1008                     (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1009                              sizeof(dev->wiphy.bands[band]->vht_cap.vht_mcs),
1010                              &dev->wiphy.bands[band]->vht_cap.vht_mcs) ||
1011                      nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1012                                  dev->wiphy.bands[band]->vht_cap.cap)))
1013                         goto nla_put_failure;
1014
1015                 /* add frequencies */
1016                 nl_freqs = nla_nest_start(msg, NL80211_BAND_ATTR_FREQS);
1017                 if (!nl_freqs)
1018                         goto nla_put_failure;
1019
1020                 for (i = 0; i < dev->wiphy.bands[band]->n_channels; i++) {
1021                         nl_freq = nla_nest_start(msg, i);
1022                         if (!nl_freq)
1023                                 goto nla_put_failure;
1024
1025                         chan = &dev->wiphy.bands[band]->channels[i];
1026
1027                         if (nl80211_msg_put_channel(msg, chan))
1028                                 goto nla_put_failure;
1029
1030                         nla_nest_end(msg, nl_freq);
1031                 }
1032
1033                 nla_nest_end(msg, nl_freqs);
1034
1035                 /* add bitrates */
1036                 nl_rates = nla_nest_start(msg, NL80211_BAND_ATTR_RATES);
1037                 if (!nl_rates)
1038                         goto nla_put_failure;
1039
1040                 for (i = 0; i < dev->wiphy.bands[band]->n_bitrates; i++) {
1041                         nl_rate = nla_nest_start(msg, i);
1042                         if (!nl_rate)
1043                                 goto nla_put_failure;
1044
1045                         rate = &dev->wiphy.bands[band]->bitrates[i];
1046                         if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1047                                         rate->bitrate))
1048                                 goto nla_put_failure;
1049                         if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1050                             nla_put_flag(msg,
1051                                          NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1052                                 goto nla_put_failure;
1053
1054                         nla_nest_end(msg, nl_rate);
1055                 }
1056
1057                 nla_nest_end(msg, nl_rates);
1058
1059                 nla_nest_end(msg, nl_band);
1060         }
1061         nla_nest_end(msg, nl_bands);
1062
1063         nl_cmds = nla_nest_start(msg, NL80211_ATTR_SUPPORTED_COMMANDS);
1064         if (!nl_cmds)
1065                 goto nla_put_failure;
1066
1067         i = 0;
1068 #define CMD(op, n)                                              \
1069          do {                                                   \
1070                 if (dev->ops->op) {                             \
1071                         i++;                                    \
1072                         if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) \
1073                                 goto nla_put_failure;           \
1074                 }                                               \
1075         } while (0)
1076
1077         CMD(add_virtual_intf, NEW_INTERFACE);
1078         CMD(change_virtual_intf, SET_INTERFACE);
1079         CMD(add_key, NEW_KEY);
1080         CMD(start_ap, START_AP);
1081         CMD(add_station, NEW_STATION);
1082         CMD(add_mpath, NEW_MPATH);
1083         CMD(update_mesh_config, SET_MESH_CONFIG);
1084         CMD(change_bss, SET_BSS);
1085         CMD(auth, AUTHENTICATE);
1086         CMD(assoc, ASSOCIATE);
1087         CMD(deauth, DEAUTHENTICATE);
1088         CMD(disassoc, DISASSOCIATE);
1089         CMD(join_ibss, JOIN_IBSS);
1090         CMD(join_mesh, JOIN_MESH);
1091         CMD(set_pmksa, SET_PMKSA);
1092         CMD(del_pmksa, DEL_PMKSA);
1093         CMD(flush_pmksa, FLUSH_PMKSA);
1094         if (dev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
1095                 CMD(remain_on_channel, REMAIN_ON_CHANNEL);
1096         CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
1097         CMD(mgmt_tx, FRAME);
1098         CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
1099         if (dev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
1100                 i++;
1101                 if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
1102                         goto nla_put_failure;
1103         }
1104         if (dev->ops->set_monitor_channel || dev->ops->start_ap ||
1105             dev->ops->join_mesh) {
1106                 i++;
1107                 if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
1108                         goto nla_put_failure;
1109         }
1110         CMD(set_wds_peer, SET_WDS_PEER);
1111         if (dev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
1112                 CMD(tdls_mgmt, TDLS_MGMT);
1113                 CMD(tdls_oper, TDLS_OPER);
1114         }
1115         if (dev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN)
1116                 CMD(sched_scan_start, START_SCHED_SCAN);
1117         CMD(probe_client, PROBE_CLIENT);
1118         CMD(set_noack_map, SET_NOACK_MAP);
1119         if (dev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
1120                 i++;
1121                 if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
1122                         goto nla_put_failure;
1123         }
1124         CMD(start_p2p_device, START_P2P_DEVICE);
1125         CMD(set_mcast_rate, SET_MCAST_RATE);
1126
1127 #ifdef CONFIG_NL80211_TESTMODE
1128         CMD(testmode_cmd, TESTMODE);
1129 #endif
1130
1131 #undef CMD
1132
1133         if (dev->ops->connect || dev->ops->auth) {
1134                 i++;
1135                 if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
1136                         goto nla_put_failure;
1137         }
1138
1139         if (dev->ops->disconnect || dev->ops->deauth) {
1140                 i++;
1141                 if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
1142                         goto nla_put_failure;
1143         }
1144
1145         nla_nest_end(msg, nl_cmds);
1146
1147         if (dev->ops->remain_on_channel &&
1148             (dev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
1149             nla_put_u32(msg, NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
1150                         dev->wiphy.max_remain_on_channel_duration))
1151                 goto nla_put_failure;
1152
1153         if ((dev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
1154             nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
1155                 goto nla_put_failure;
1156
1157         if (mgmt_stypes) {
1158                 u16 stypes;
1159                 struct nlattr *nl_ftypes, *nl_ifs;
1160                 enum nl80211_iftype ift;
1161
1162                 nl_ifs = nla_nest_start(msg, NL80211_ATTR_TX_FRAME_TYPES);
1163                 if (!nl_ifs)
1164                         goto nla_put_failure;
1165
1166                 for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1167                         nl_ftypes = nla_nest_start(msg, ift);
1168                         if (!nl_ftypes)
1169                                 goto nla_put_failure;
1170                         i = 0;
1171                         stypes = mgmt_stypes[ift].tx;
1172                         while (stypes) {
1173                                 if ((stypes & 1) &&
1174                                     nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1175                                                 (i << 4) | IEEE80211_FTYPE_MGMT))
1176                                         goto nla_put_failure;
1177                                 stypes >>= 1;
1178                                 i++;
1179                         }
1180                         nla_nest_end(msg, nl_ftypes);
1181                 }
1182
1183                 nla_nest_end(msg, nl_ifs);
1184
1185                 nl_ifs = nla_nest_start(msg, NL80211_ATTR_RX_FRAME_TYPES);
1186                 if (!nl_ifs)
1187                         goto nla_put_failure;
1188
1189                 for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1190                         nl_ftypes = nla_nest_start(msg, ift);
1191                         if (!nl_ftypes)
1192                                 goto nla_put_failure;
1193                         i = 0;
1194                         stypes = mgmt_stypes[ift].rx;
1195                         while (stypes) {
1196                                 if ((stypes & 1) &&
1197                                     nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1198                                                 (i << 4) | IEEE80211_FTYPE_MGMT))
1199                                         goto nla_put_failure;
1200                                 stypes >>= 1;
1201                                 i++;
1202                         }
1203                         nla_nest_end(msg, nl_ftypes);
1204                 }
1205                 nla_nest_end(msg, nl_ifs);
1206         }
1207
1208 #ifdef CONFIG_PM
1209         if (dev->wiphy.wowlan.flags || dev->wiphy.wowlan.n_patterns) {
1210                 struct nlattr *nl_wowlan;
1211
1212                 nl_wowlan = nla_nest_start(msg,
1213                                 NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1214                 if (!nl_wowlan)
1215                         goto nla_put_failure;
1216
1217                 if (((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_ANY) &&
1218                      nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1219                     ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_DISCONNECT) &&
1220                      nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1221                     ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1222                      nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1223                     ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1224                      nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1225                     ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1226                      nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1227                     ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1228                      nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1229                     ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1230                      nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1231                     ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1232                      nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1233                     goto nla_put_failure;
1234                 if (dev->wiphy.wowlan.n_patterns) {
1235                         struct nl80211_wowlan_pattern_support pat = {
1236                                 .max_patterns = dev->wiphy.wowlan.n_patterns,
1237                                 .min_pattern_len =
1238                                         dev->wiphy.wowlan.pattern_min_len,
1239                                 .max_pattern_len =
1240                                         dev->wiphy.wowlan.pattern_max_len,
1241                                 .max_pkt_offset =
1242                                         dev->wiphy.wowlan.max_pkt_offset,
1243                         };
1244                         if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1245                                     sizeof(pat), &pat))
1246                                 goto nla_put_failure;
1247                 }
1248
1249                 nla_nest_end(msg, nl_wowlan);
1250         }
1251 #endif
1252
1253         if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
1254                                 dev->wiphy.software_iftypes))
1255                 goto nla_put_failure;
1256
1257         if (nl80211_put_iface_combinations(&dev->wiphy, msg))
1258                 goto nla_put_failure;
1259
1260         if ((dev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
1261             nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
1262                         dev->wiphy.ap_sme_capa))
1263                 goto nla_put_failure;
1264
1265         if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS,
1266                         dev->wiphy.features))
1267                 goto nla_put_failure;
1268
1269         if (dev->wiphy.ht_capa_mod_mask &&
1270             nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
1271                     sizeof(*dev->wiphy.ht_capa_mod_mask),
1272                     dev->wiphy.ht_capa_mod_mask))
1273                 goto nla_put_failure;
1274
1275         if (dev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
1276             dev->wiphy.max_acl_mac_addrs &&
1277             nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
1278                         dev->wiphy.max_acl_mac_addrs))
1279                 goto nla_put_failure;
1280
1281         return genlmsg_end(msg, hdr);
1282
1283  nla_put_failure:
1284         genlmsg_cancel(msg, hdr);
1285         return -EMSGSIZE;
1286 }
1287
1288 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
1289 {
1290         int idx = 0;
1291         int start = cb->args[0];
1292         struct cfg80211_registered_device *dev;
1293
1294         mutex_lock(&cfg80211_mutex);
1295         list_for_each_entry(dev, &cfg80211_rdev_list, list) {
1296                 if (!net_eq(wiphy_net(&dev->wiphy), sock_net(skb->sk)))
1297                         continue;
1298                 if (++idx <= start)
1299                         continue;
1300                 if (nl80211_send_wiphy(skb, NETLINK_CB(cb->skb).portid,
1301                                        cb->nlh->nlmsg_seq, NLM_F_MULTI,
1302                                        dev) < 0) {
1303                         idx--;
1304                         break;
1305                 }
1306         }
1307         mutex_unlock(&cfg80211_mutex);
1308
1309         cb->args[0] = idx;
1310
1311         return skb->len;
1312 }
1313
1314 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
1315 {
1316         struct sk_buff *msg;
1317         struct cfg80211_registered_device *dev = info->user_ptr[0];
1318
1319         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1320         if (!msg)
1321                 return -ENOMEM;
1322
1323         if (nl80211_send_wiphy(msg, info->snd_portid, info->snd_seq, 0, dev) < 0) {
1324                 nlmsg_free(msg);
1325                 return -ENOBUFS;
1326         }
1327
1328         return genlmsg_reply(msg, info);
1329 }
1330
1331 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
1332         [NL80211_TXQ_ATTR_QUEUE]                = { .type = NLA_U8 },
1333         [NL80211_TXQ_ATTR_TXOP]                 = { .type = NLA_U16 },
1334         [NL80211_TXQ_ATTR_CWMIN]                = { .type = NLA_U16 },
1335         [NL80211_TXQ_ATTR_CWMAX]                = { .type = NLA_U16 },
1336         [NL80211_TXQ_ATTR_AIFS]                 = { .type = NLA_U8 },
1337 };
1338
1339 static int parse_txq_params(struct nlattr *tb[],
1340                             struct ieee80211_txq_params *txq_params)
1341 {
1342         if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
1343             !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
1344             !tb[NL80211_TXQ_ATTR_AIFS])
1345                 return -EINVAL;
1346
1347         txq_params->ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
1348         txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
1349         txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
1350         txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
1351         txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
1352
1353         if (txq_params->ac >= NL80211_NUM_ACS)
1354                 return -EINVAL;
1355
1356         return 0;
1357 }
1358
1359 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
1360 {
1361         /*
1362          * You can only set the channel explicitly for WDS interfaces,
1363          * all others have their channel managed via their respective
1364          * "establish a connection" command (connect, join, ...)
1365          *
1366          * For AP/GO and mesh mode, the channel can be set with the
1367          * channel userspace API, but is only stored and passed to the
1368          * low-level driver when the AP starts or the mesh is joined.
1369          * This is for backward compatibility, userspace can also give
1370          * the channel in the start-ap or join-mesh commands instead.
1371          *
1372          * Monitors are special as they are normally slaved to
1373          * whatever else is going on, so they have their own special
1374          * operation to set the monitor channel if possible.
1375          */
1376         return !wdev ||
1377                 wdev->iftype == NL80211_IFTYPE_AP ||
1378                 wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
1379                 wdev->iftype == NL80211_IFTYPE_MONITOR ||
1380                 wdev->iftype == NL80211_IFTYPE_P2P_GO;
1381 }
1382
1383 static int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
1384                                  struct genl_info *info,
1385                                  struct cfg80211_chan_def *chandef)
1386 {
1387         u32 control_freq;
1388
1389         if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
1390                 return -EINVAL;
1391
1392         control_freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]);
1393
1394         chandef->chan = ieee80211_get_channel(&rdev->wiphy, control_freq);
1395         chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
1396         chandef->center_freq1 = control_freq;
1397         chandef->center_freq2 = 0;
1398
1399         /* Primary channel not allowed */
1400         if (!chandef->chan || chandef->chan->flags & IEEE80211_CHAN_DISABLED)
1401                 return -EINVAL;
1402
1403         if (info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
1404                 enum nl80211_channel_type chantype;
1405
1406                 chantype = nla_get_u32(
1407                                 info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
1408
1409                 switch (chantype) {
1410                 case NL80211_CHAN_NO_HT:
1411                 case NL80211_CHAN_HT20:
1412                 case NL80211_CHAN_HT40PLUS:
1413                 case NL80211_CHAN_HT40MINUS:
1414                         cfg80211_chandef_create(chandef, chandef->chan,
1415                                                 chantype);
1416                         break;
1417                 default:
1418                         return -EINVAL;
1419                 }
1420         } else if (info->attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
1421                 chandef->width =
1422                         nla_get_u32(info->attrs[NL80211_ATTR_CHANNEL_WIDTH]);
1423                 if (info->attrs[NL80211_ATTR_CENTER_FREQ1])
1424                         chandef->center_freq1 =
1425                                 nla_get_u32(
1426                                         info->attrs[NL80211_ATTR_CENTER_FREQ1]);
1427                 if (info->attrs[NL80211_ATTR_CENTER_FREQ2])
1428                         chandef->center_freq2 =
1429                                 nla_get_u32(
1430                                         info->attrs[NL80211_ATTR_CENTER_FREQ2]);
1431         }
1432
1433         if (!cfg80211_chandef_valid(chandef))
1434                 return -EINVAL;
1435
1436         if (!cfg80211_chandef_usable(&rdev->wiphy, chandef,
1437                                      IEEE80211_CHAN_DISABLED))
1438                 return -EINVAL;
1439
1440         return 0;
1441 }
1442
1443 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
1444                                  struct wireless_dev *wdev,
1445                                  struct genl_info *info)
1446 {
1447         struct cfg80211_chan_def chandef;
1448         int result;
1449         enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
1450
1451         if (wdev)
1452                 iftype = wdev->iftype;
1453
1454         if (!nl80211_can_set_dev_channel(wdev))
1455                 return -EOPNOTSUPP;
1456
1457         result = nl80211_parse_chandef(rdev, info, &chandef);
1458         if (result)
1459                 return result;
1460
1461         mutex_lock(&rdev->devlist_mtx);
1462         switch (iftype) {
1463         case NL80211_IFTYPE_AP:
1464         case NL80211_IFTYPE_P2P_GO:
1465                 if (wdev->beacon_interval) {
1466                         result = -EBUSY;
1467                         break;
1468                 }
1469                 if (!cfg80211_reg_can_beacon(&rdev->wiphy, &chandef)) {
1470                         result = -EINVAL;
1471                         break;
1472                 }
1473                 wdev->preset_chandef = chandef;
1474                 result = 0;
1475                 break;
1476         case NL80211_IFTYPE_MESH_POINT:
1477                 result = cfg80211_set_mesh_channel(rdev, wdev, &chandef);
1478                 break;
1479         case NL80211_IFTYPE_MONITOR:
1480                 result = cfg80211_set_monitor_channel(rdev, &chandef);
1481                 break;
1482         default:
1483                 result = -EINVAL;
1484         }
1485         mutex_unlock(&rdev->devlist_mtx);
1486
1487         return result;
1488 }
1489
1490 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
1491 {
1492         struct cfg80211_registered_device *rdev = info->user_ptr[0];
1493         struct net_device *netdev = info->user_ptr[1];
1494
1495         return __nl80211_set_channel(rdev, netdev->ieee80211_ptr, info);
1496 }
1497
1498 static int nl80211_set_wds_peer(struct sk_buff *skb, struct genl_info *info)
1499 {
1500         struct cfg80211_registered_device *rdev = info->user_ptr[0];
1501         struct net_device *dev = info->user_ptr[1];
1502         struct wireless_dev *wdev = dev->ieee80211_ptr;
1503         const u8 *bssid;
1504
1505         if (!info->attrs[NL80211_ATTR_MAC])
1506                 return -EINVAL;
1507
1508         if (netif_running(dev))
1509                 return -EBUSY;
1510
1511         if (!rdev->ops->set_wds_peer)
1512                 return -EOPNOTSUPP;
1513
1514         if (wdev->iftype != NL80211_IFTYPE_WDS)
1515                 return -EOPNOTSUPP;
1516
1517         bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
1518         return rdev_set_wds_peer(rdev, dev, bssid);
1519 }
1520
1521
1522 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
1523 {
1524         struct cfg80211_registered_device *rdev;
1525         struct net_device *netdev = NULL;
1526         struct wireless_dev *wdev;
1527         int result = 0, rem_txq_params = 0;
1528         struct nlattr *nl_txq_params;
1529         u32 changed;
1530         u8 retry_short = 0, retry_long = 0;
1531         u32 frag_threshold = 0, rts_threshold = 0;
1532         u8 coverage_class = 0;
1533
1534         /*
1535          * Try to find the wiphy and netdev. Normally this
1536          * function shouldn't need the netdev, but this is
1537          * done for backward compatibility -- previously
1538          * setting the channel was done per wiphy, but now
1539          * it is per netdev. Previous userland like hostapd
1540          * also passed a netdev to set_wiphy, so that it is
1541          * possible to let that go to the right netdev!
1542          */
1543         mutex_lock(&cfg80211_mutex);
1544
1545         if (info->attrs[NL80211_ATTR_IFINDEX]) {
1546                 int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
1547
1548                 netdev = dev_get_by_index(genl_info_net(info), ifindex);
1549                 if (netdev && netdev->ieee80211_ptr) {
1550                         rdev = wiphy_to_dev(netdev->ieee80211_ptr->wiphy);
1551                         mutex_lock(&rdev->mtx);
1552                 } else
1553                         netdev = NULL;
1554         }
1555
1556         if (!netdev) {
1557                 rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
1558                                                   info->attrs);
1559                 if (IS_ERR(rdev)) {
1560                         mutex_unlock(&cfg80211_mutex);
1561                         return PTR_ERR(rdev);
1562                 }
1563                 wdev = NULL;
1564                 netdev = NULL;
1565                 result = 0;
1566
1567                 mutex_lock(&rdev->mtx);
1568         } else
1569                 wdev = netdev->ieee80211_ptr;
1570
1571         /*
1572          * end workaround code, by now the rdev is available
1573          * and locked, and wdev may or may not be NULL.
1574          */
1575
1576         if (info->attrs[NL80211_ATTR_WIPHY_NAME])
1577                 result = cfg80211_dev_rename(
1578                         rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
1579
1580         mutex_unlock(&cfg80211_mutex);
1581
1582         if (result)
1583                 goto bad_res;
1584
1585         if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
1586                 struct ieee80211_txq_params txq_params;
1587                 struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
1588
1589                 if (!rdev->ops->set_txq_params) {
1590                         result = -EOPNOTSUPP;
1591                         goto bad_res;
1592                 }
1593
1594                 if (!netdev) {
1595                         result = -EINVAL;
1596                         goto bad_res;
1597                 }
1598
1599                 if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
1600                     netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
1601                         result = -EINVAL;
1602                         goto bad_res;
1603                 }
1604
1605                 if (!netif_running(netdev)) {
1606                         result = -ENETDOWN;
1607                         goto bad_res;
1608                 }
1609
1610                 nla_for_each_nested(nl_txq_params,
1611                                     info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
1612                                     rem_txq_params) {
1613                         nla_parse(tb, NL80211_TXQ_ATTR_MAX,
1614                                   nla_data(nl_txq_params),
1615                                   nla_len(nl_txq_params),
1616                                   txq_params_policy);
1617                         result = parse_txq_params(tb, &txq_params);
1618                         if (result)
1619                                 goto bad_res;
1620
1621                         result = rdev_set_txq_params(rdev, netdev,
1622                                                      &txq_params);
1623                         if (result)
1624                                 goto bad_res;
1625                 }
1626         }
1627
1628         if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
1629                 result = __nl80211_set_channel(rdev,
1630                                 nl80211_can_set_dev_channel(wdev) ? wdev : NULL,
1631                                 info);
1632                 if (result)
1633                         goto bad_res;
1634         }
1635
1636         if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
1637                 struct wireless_dev *txp_wdev = wdev;
1638                 enum nl80211_tx_power_setting type;
1639                 int idx, mbm = 0;
1640
1641                 if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
1642                         txp_wdev = NULL;
1643
1644                 if (!rdev->ops->set_tx_power) {
1645                         result = -EOPNOTSUPP;
1646                         goto bad_res;
1647                 }
1648
1649                 idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
1650                 type = nla_get_u32(info->attrs[idx]);
1651
1652                 if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
1653                     (type != NL80211_TX_POWER_AUTOMATIC)) {
1654                         result = -EINVAL;
1655                         goto bad_res;
1656                 }
1657
1658                 if (type != NL80211_TX_POWER_AUTOMATIC) {
1659                         idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
1660                         mbm = nla_get_u32(info->attrs[idx]);
1661                 }
1662
1663                 result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
1664                 if (result)
1665                         goto bad_res;
1666         }
1667
1668         if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
1669             info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
1670                 u32 tx_ant, rx_ant;
1671                 if ((!rdev->wiphy.available_antennas_tx &&
1672                      !rdev->wiphy.available_antennas_rx) ||
1673                     !rdev->ops->set_antenna) {
1674                         result = -EOPNOTSUPP;
1675                         goto bad_res;
1676                 }
1677
1678                 tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
1679                 rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
1680
1681                 /* reject antenna configurations which don't match the
1682                  * available antenna masks, except for the "all" mask */
1683                 if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
1684                     (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx))) {
1685                         result = -EINVAL;
1686                         goto bad_res;
1687                 }
1688
1689                 tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
1690                 rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
1691
1692                 result = rdev_set_antenna(rdev, tx_ant, rx_ant);
1693                 if (result)
1694                         goto bad_res;
1695         }
1696
1697         changed = 0;
1698
1699         if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
1700                 retry_short = nla_get_u8(
1701                         info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
1702                 if (retry_short == 0) {
1703                         result = -EINVAL;
1704                         goto bad_res;
1705                 }
1706                 changed |= WIPHY_PARAM_RETRY_SHORT;
1707         }
1708
1709         if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
1710                 retry_long = nla_get_u8(
1711                         info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
1712                 if (retry_long == 0) {
1713                         result = -EINVAL;
1714                         goto bad_res;
1715                 }
1716                 changed |= WIPHY_PARAM_RETRY_LONG;
1717         }
1718
1719         if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
1720                 frag_threshold = nla_get_u32(
1721                         info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
1722                 if (frag_threshold < 256) {
1723                         result = -EINVAL;
1724                         goto bad_res;
1725                 }
1726                 if (frag_threshold != (u32) -1) {
1727                         /*
1728                          * Fragments (apart from the last one) are required to
1729                          * have even length. Make the fragmentation code
1730                          * simpler by stripping LSB should someone try to use
1731                          * odd threshold value.
1732                          */
1733                         frag_threshold &= ~0x1;
1734                 }
1735                 changed |= WIPHY_PARAM_FRAG_THRESHOLD;
1736         }
1737
1738         if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
1739                 rts_threshold = nla_get_u32(
1740                         info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
1741                 changed |= WIPHY_PARAM_RTS_THRESHOLD;
1742         }
1743
1744         if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
1745                 coverage_class = nla_get_u8(
1746                         info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
1747                 changed |= WIPHY_PARAM_COVERAGE_CLASS;
1748         }
1749
1750         if (changed) {
1751                 u8 old_retry_short, old_retry_long;
1752                 u32 old_frag_threshold, old_rts_threshold;
1753                 u8 old_coverage_class;
1754
1755                 if (!rdev->ops->set_wiphy_params) {
1756                         result = -EOPNOTSUPP;
1757                         goto bad_res;
1758                 }
1759
1760                 old_retry_short = rdev->wiphy.retry_short;
1761                 old_retry_long = rdev->wiphy.retry_long;
1762                 old_frag_threshold = rdev->wiphy.frag_threshold;
1763                 old_rts_threshold = rdev->wiphy.rts_threshold;
1764                 old_coverage_class = rdev->wiphy.coverage_class;
1765
1766                 if (changed & WIPHY_PARAM_RETRY_SHORT)
1767                         rdev->wiphy.retry_short = retry_short;
1768                 if (changed & WIPHY_PARAM_RETRY_LONG)
1769                         rdev->wiphy.retry_long = retry_long;
1770                 if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
1771                         rdev->wiphy.frag_threshold = frag_threshold;
1772                 if (changed & WIPHY_PARAM_RTS_THRESHOLD)
1773                         rdev->wiphy.rts_threshold = rts_threshold;
1774                 if (changed & WIPHY_PARAM_COVERAGE_CLASS)
1775                         rdev->wiphy.coverage_class = coverage_class;
1776
1777                 result = rdev_set_wiphy_params(rdev, changed);
1778                 if (result) {
1779                         rdev->wiphy.retry_short = old_retry_short;
1780                         rdev->wiphy.retry_long = old_retry_long;
1781                         rdev->wiphy.frag_threshold = old_frag_threshold;
1782                         rdev->wiphy.rts_threshold = old_rts_threshold;
1783                         rdev->wiphy.coverage_class = old_coverage_class;
1784                 }
1785         }
1786
1787  bad_res:
1788         mutex_unlock(&rdev->mtx);
1789         if (netdev)
1790                 dev_put(netdev);
1791         return result;
1792 }
1793
1794 static inline u64 wdev_id(struct wireless_dev *wdev)
1795 {
1796         return (u64)wdev->identifier |
1797                ((u64)wiphy_to_dev(wdev->wiphy)->wiphy_idx << 32);
1798 }
1799
1800 static int nl80211_send_chandef(struct sk_buff *msg,
1801                                  struct cfg80211_chan_def *chandef)
1802 {
1803         WARN_ON(!cfg80211_chandef_valid(chandef));
1804
1805         if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
1806                         chandef->chan->center_freq))
1807                 return -ENOBUFS;
1808         switch (chandef->width) {
1809         case NL80211_CHAN_WIDTH_20_NOHT:
1810         case NL80211_CHAN_WIDTH_20:
1811         case NL80211_CHAN_WIDTH_40:
1812                 if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
1813                                 cfg80211_get_chandef_type(chandef)))
1814                         return -ENOBUFS;
1815                 break;
1816         default:
1817                 break;
1818         }
1819         if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
1820                 return -ENOBUFS;
1821         if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
1822                 return -ENOBUFS;
1823         if (chandef->center_freq2 &&
1824             nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
1825                 return -ENOBUFS;
1826         return 0;
1827 }
1828
1829 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
1830                               struct cfg80211_registered_device *rdev,
1831                               struct wireless_dev *wdev)
1832 {
1833         struct net_device *dev = wdev->netdev;
1834         void *hdr;
1835
1836         hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_INTERFACE);
1837         if (!hdr)
1838                 return -1;
1839
1840         if (dev &&
1841             (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
1842              nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
1843                 goto nla_put_failure;
1844
1845         if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
1846             nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
1847             nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)) ||
1848             nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
1849             nla_put_u32(msg, NL80211_ATTR_GENERATION,
1850                         rdev->devlist_generation ^
1851                         (cfg80211_rdev_list_generation << 2)))
1852                 goto nla_put_failure;
1853
1854         if (rdev->ops->get_channel) {
1855                 int ret;
1856                 struct cfg80211_chan_def chandef;
1857
1858                 ret = rdev_get_channel(rdev, wdev, &chandef);
1859                 if (ret == 0) {
1860                         if (nl80211_send_chandef(msg, &chandef))
1861                                 goto nla_put_failure;
1862                 }
1863         }
1864
1865         if (wdev->ssid_len) {
1866                 if (nla_put(msg, NL80211_ATTR_SSID, wdev->ssid_len, wdev->ssid))
1867                         goto nla_put_failure;
1868         }
1869
1870         return genlmsg_end(msg, hdr);
1871
1872  nla_put_failure:
1873         genlmsg_cancel(msg, hdr);
1874         return -EMSGSIZE;
1875 }
1876
1877 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
1878 {
1879         int wp_idx = 0;
1880         int if_idx = 0;
1881         int wp_start = cb->args[0];
1882         int if_start = cb->args[1];
1883         struct cfg80211_registered_device *rdev;
1884         struct wireless_dev *wdev;
1885
1886         mutex_lock(&cfg80211_mutex);
1887         list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
1888                 if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
1889                         continue;
1890                 if (wp_idx < wp_start) {
1891                         wp_idx++;
1892                         continue;
1893                 }
1894                 if_idx = 0;
1895
1896                 mutex_lock(&rdev->devlist_mtx);
1897                 list_for_each_entry(wdev, &rdev->wdev_list, list) {
1898                         if (if_idx < if_start) {
1899                                 if_idx++;
1900                                 continue;
1901                         }
1902                         if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
1903                                                cb->nlh->nlmsg_seq, NLM_F_MULTI,
1904                                                rdev, wdev) < 0) {
1905                                 mutex_unlock(&rdev->devlist_mtx);
1906                                 goto out;
1907                         }
1908                         if_idx++;
1909                 }
1910                 mutex_unlock(&rdev->devlist_mtx);
1911
1912                 wp_idx++;
1913         }
1914  out:
1915         mutex_unlock(&cfg80211_mutex);
1916
1917         cb->args[0] = wp_idx;
1918         cb->args[1] = if_idx;
1919
1920         return skb->len;
1921 }
1922
1923 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
1924 {
1925         struct sk_buff *msg;
1926         struct cfg80211_registered_device *dev = info->user_ptr[0];
1927         struct wireless_dev *wdev = info->user_ptr[1];
1928
1929         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1930         if (!msg)
1931                 return -ENOMEM;
1932
1933         if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
1934                                dev, wdev) < 0) {
1935                 nlmsg_free(msg);
1936                 return -ENOBUFS;
1937         }
1938
1939         return genlmsg_reply(msg, info);
1940 }
1941
1942 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
1943         [NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
1944         [NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
1945         [NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
1946         [NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
1947         [NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
1948 };
1949
1950 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
1951 {
1952         struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
1953         int flag;
1954
1955         *mntrflags = 0;
1956
1957         if (!nla)
1958                 return -EINVAL;
1959
1960         if (nla_parse_nested(flags, NL80211_MNTR_FLAG_MAX,
1961                              nla, mntr_flags_policy))
1962                 return -EINVAL;
1963
1964         for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
1965                 if (flags[flag])
1966                         *mntrflags |= (1<<flag);
1967
1968         return 0;
1969 }
1970
1971 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
1972                                struct net_device *netdev, u8 use_4addr,
1973                                enum nl80211_iftype iftype)
1974 {
1975         if (!use_4addr) {
1976                 if (netdev && (netdev->priv_flags & IFF_BRIDGE_PORT))
1977                         return -EBUSY;
1978                 return 0;
1979         }
1980
1981         switch (iftype) {
1982         case NL80211_IFTYPE_AP_VLAN:
1983                 if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
1984                         return 0;
1985                 break;
1986         case NL80211_IFTYPE_STATION:
1987                 if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
1988                         return 0;
1989                 break;
1990         default:
1991                 break;
1992         }
1993
1994         return -EOPNOTSUPP;
1995 }
1996
1997 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
1998 {
1999         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2000         struct vif_params params;
2001         int err;
2002         enum nl80211_iftype otype, ntype;
2003         struct net_device *dev = info->user_ptr[1];
2004         u32 _flags, *flags = NULL;
2005         bool change = false;
2006
2007         memset(&params, 0, sizeof(params));
2008
2009         otype = ntype = dev->ieee80211_ptr->iftype;
2010
2011         if (info->attrs[NL80211_ATTR_IFTYPE]) {
2012                 ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
2013                 if (otype != ntype)
2014                         change = true;
2015                 if (ntype > NL80211_IFTYPE_MAX)
2016                         return -EINVAL;
2017         }
2018
2019         if (info->attrs[NL80211_ATTR_MESH_ID]) {
2020                 struct wireless_dev *wdev = dev->ieee80211_ptr;
2021
2022                 if (ntype != NL80211_IFTYPE_MESH_POINT)
2023                         return -EINVAL;
2024                 if (netif_running(dev))
2025                         return -EBUSY;
2026
2027                 wdev_lock(wdev);
2028                 BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
2029                              IEEE80211_MAX_MESH_ID_LEN);
2030                 wdev->mesh_id_up_len =
2031                         nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
2032                 memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
2033                        wdev->mesh_id_up_len);
2034                 wdev_unlock(wdev);
2035         }
2036
2037         if (info->attrs[NL80211_ATTR_4ADDR]) {
2038                 params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
2039                 change = true;
2040                 err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
2041                 if (err)
2042                         return err;
2043         } else {
2044                 params.use_4addr = -1;
2045         }
2046
2047         if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
2048                 if (ntype != NL80211_IFTYPE_MONITOR)
2049                         return -EINVAL;
2050                 err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
2051                                           &_flags);
2052                 if (err)
2053                         return err;
2054
2055                 flags = &_flags;
2056                 change = true;
2057         }
2058
2059         if (change)
2060                 err = cfg80211_change_iface(rdev, dev, ntype, flags, &params);
2061         else
2062                 err = 0;
2063
2064         if (!err && params.use_4addr != -1)
2065                 dev->ieee80211_ptr->use_4addr = params.use_4addr;
2066
2067         return err;
2068 }
2069
2070 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
2071 {
2072         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2073         struct vif_params params;
2074         struct wireless_dev *wdev;
2075         struct sk_buff *msg;
2076         int err;
2077         enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
2078         u32 flags;
2079
2080         memset(&params, 0, sizeof(params));
2081
2082         if (!info->attrs[NL80211_ATTR_IFNAME])
2083                 return -EINVAL;
2084
2085         if (info->attrs[NL80211_ATTR_IFTYPE]) {
2086                 type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
2087                 if (type > NL80211_IFTYPE_MAX)
2088                         return -EINVAL;
2089         }
2090
2091         if (!rdev->ops->add_virtual_intf ||
2092             !(rdev->wiphy.interface_modes & (1 << type)))
2093                 return -EOPNOTSUPP;
2094
2095         if (type == NL80211_IFTYPE_P2P_DEVICE && info->attrs[NL80211_ATTR_MAC]) {
2096                 nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
2097                            ETH_ALEN);
2098                 if (!is_valid_ether_addr(params.macaddr))
2099                         return -EADDRNOTAVAIL;
2100         }
2101
2102         if (info->attrs[NL80211_ATTR_4ADDR]) {
2103                 params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
2104                 err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
2105                 if (err)
2106                         return err;
2107         }
2108
2109         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2110         if (!msg)
2111                 return -ENOMEM;
2112
2113         err = parse_monitor_flags(type == NL80211_IFTYPE_MONITOR ?
2114                                   info->attrs[NL80211_ATTR_MNTR_FLAGS] : NULL,
2115                                   &flags);
2116         wdev = rdev_add_virtual_intf(rdev,
2117                                 nla_data(info->attrs[NL80211_ATTR_IFNAME]),
2118                                 type, err ? NULL : &flags, &params);
2119         if (IS_ERR(wdev)) {
2120                 nlmsg_free(msg);
2121                 return PTR_ERR(wdev);
2122         }
2123
2124         switch (type) {
2125         case NL80211_IFTYPE_MESH_POINT:
2126                 if (!info->attrs[NL80211_ATTR_MESH_ID])
2127                         break;
2128                 wdev_lock(wdev);
2129                 BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
2130                              IEEE80211_MAX_MESH_ID_LEN);
2131                 wdev->mesh_id_up_len =
2132                         nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
2133                 memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
2134                        wdev->mesh_id_up_len);
2135                 wdev_unlock(wdev);
2136                 break;
2137         case NL80211_IFTYPE_P2P_DEVICE:
2138                 /*
2139                  * P2P Device doesn't have a netdev, so doesn't go
2140                  * through the netdev notifier and must be added here
2141                  */
2142                 mutex_init(&wdev->mtx);
2143                 INIT_LIST_HEAD(&wdev->event_list);
2144                 spin_lock_init(&wdev->event_lock);
2145                 INIT_LIST_HEAD(&wdev->mgmt_registrations);
2146                 spin_lock_init(&wdev->mgmt_registrations_lock);
2147
2148                 mutex_lock(&rdev->devlist_mtx);
2149                 wdev->identifier = ++rdev->wdev_id;
2150                 list_add_rcu(&wdev->list, &rdev->wdev_list);
2151                 rdev->devlist_generation++;
2152                 mutex_unlock(&rdev->devlist_mtx);
2153                 break;
2154         default:
2155                 break;
2156         }
2157
2158         if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
2159                                rdev, wdev) < 0) {
2160                 nlmsg_free(msg);
2161                 return -ENOBUFS;
2162         }
2163
2164         return genlmsg_reply(msg, info);
2165 }
2166
2167 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
2168 {
2169         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2170         struct wireless_dev *wdev = info->user_ptr[1];
2171
2172         if (!rdev->ops->del_virtual_intf)
2173                 return -EOPNOTSUPP;
2174
2175         /*
2176          * If we remove a wireless device without a netdev then clear
2177          * user_ptr[1] so that nl80211_post_doit won't dereference it
2178          * to check if it needs to do dev_put(). Otherwise it crashes
2179          * since the wdev has been freed, unlike with a netdev where
2180          * we need the dev_put() for the netdev to really be freed.
2181          */
2182         if (!wdev->netdev)
2183                 info->user_ptr[1] = NULL;
2184
2185         return rdev_del_virtual_intf(rdev, wdev);
2186 }
2187
2188 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
2189 {
2190         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2191         struct net_device *dev = info->user_ptr[1];
2192         u16 noack_map;
2193
2194         if (!info->attrs[NL80211_ATTR_NOACK_MAP])
2195                 return -EINVAL;
2196
2197         if (!rdev->ops->set_noack_map)
2198                 return -EOPNOTSUPP;
2199
2200         noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
2201
2202         return rdev_set_noack_map(rdev, dev, noack_map);
2203 }
2204
2205 struct get_key_cookie {
2206         struct sk_buff *msg;
2207         int error;
2208         int idx;
2209 };
2210
2211 static void get_key_callback(void *c, struct key_params *params)
2212 {
2213         struct nlattr *key;
2214         struct get_key_cookie *cookie = c;
2215
2216         if ((params->key &&
2217              nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
2218                      params->key_len, params->key)) ||
2219             (params->seq &&
2220              nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
2221                      params->seq_len, params->seq)) ||
2222             (params->cipher &&
2223              nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
2224                          params->cipher)))
2225                 goto nla_put_failure;
2226
2227         key = nla_nest_start(cookie->msg, NL80211_ATTR_KEY);
2228         if (!key)
2229                 goto nla_put_failure;
2230
2231         if ((params->key &&
2232              nla_put(cookie->msg, NL80211_KEY_DATA,
2233                      params->key_len, params->key)) ||
2234             (params->seq &&
2235              nla_put(cookie->msg, NL80211_KEY_SEQ,
2236                      params->seq_len, params->seq)) ||
2237             (params->cipher &&
2238              nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
2239                          params->cipher)))
2240                 goto nla_put_failure;
2241
2242         if (nla_put_u8(cookie->msg, NL80211_ATTR_KEY_IDX, cookie->idx))
2243                 goto nla_put_failure;
2244
2245         nla_nest_end(cookie->msg, key);
2246
2247         return;
2248  nla_put_failure:
2249         cookie->error = 1;
2250 }
2251
2252 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
2253 {
2254         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2255         int err;
2256         struct net_device *dev = info->user_ptr[1];
2257         u8 key_idx = 0;
2258         const u8 *mac_addr = NULL;
2259         bool pairwise;
2260         struct get_key_cookie cookie = {
2261                 .error = 0,
2262         };
2263         void *hdr;
2264         struct sk_buff *msg;
2265
2266         if (info->attrs[NL80211_ATTR_KEY_IDX])
2267                 key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
2268
2269         if (key_idx > 5)
2270                 return -EINVAL;
2271
2272         if (info->attrs[NL80211_ATTR_MAC])
2273                 mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
2274
2275         pairwise = !!mac_addr;
2276         if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
2277                 u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
2278                 if (kt >= NUM_NL80211_KEYTYPES)
2279                         return -EINVAL;
2280                 if (kt != NL80211_KEYTYPE_GROUP &&
2281                     kt != NL80211_KEYTYPE_PAIRWISE)
2282                         return -EINVAL;
2283                 pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
2284         }
2285
2286         if (!rdev->ops->get_key)
2287                 return -EOPNOTSUPP;
2288
2289         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2290         if (!msg)
2291                 return -ENOMEM;
2292
2293         hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
2294                              NL80211_CMD_NEW_KEY);
2295         if (IS_ERR(hdr))
2296                 return PTR_ERR(hdr);
2297
2298         cookie.msg = msg;
2299         cookie.idx = key_idx;
2300
2301         if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
2302             nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
2303                 goto nla_put_failure;
2304         if (mac_addr &&
2305             nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
2306                 goto nla_put_failure;
2307
2308         if (pairwise && mac_addr &&
2309             !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
2310                 return -ENOENT;
2311
2312         err = rdev_get_key(rdev, dev, key_idx, pairwise, mac_addr, &cookie,
2313                            get_key_callback);
2314
2315         if (err)
2316                 goto free_msg;
2317
2318         if (cookie.error)
2319                 goto nla_put_failure;
2320
2321         genlmsg_end(msg, hdr);
2322         return genlmsg_reply(msg, info);
2323
2324  nla_put_failure:
2325         err = -ENOBUFS;
2326  free_msg:
2327         nlmsg_free(msg);
2328         return err;
2329 }
2330
2331 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
2332 {
2333         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2334         struct key_parse key;
2335         int err;
2336         struct net_device *dev = info->user_ptr[1];
2337
2338         err = nl80211_parse_key(info, &key);
2339         if (err)
2340                 return err;
2341
2342         if (key.idx < 0)
2343                 return -EINVAL;
2344
2345         /* only support setting default key */
2346         if (!key.def && !key.defmgmt)
2347                 return -EINVAL;
2348
2349         wdev_lock(dev->ieee80211_ptr);
2350
2351         if (key.def) {
2352                 if (!rdev->ops->set_default_key) {
2353                         err = -EOPNOTSUPP;
2354                         goto out;
2355                 }
2356
2357                 err = nl80211_key_allowed(dev->ieee80211_ptr);
2358                 if (err)
2359                         goto out;
2360
2361                 err = rdev_set_default_key(rdev, dev, key.idx,
2362                                                  key.def_uni, key.def_multi);
2363
2364                 if (err)
2365                         goto out;
2366
2367 #ifdef CONFIG_CFG80211_WEXT
2368                 dev->ieee80211_ptr->wext.default_key = key.idx;
2369 #endif
2370         } else {
2371                 if (key.def_uni || !key.def_multi) {
2372                         err = -EINVAL;
2373                         goto out;
2374                 }
2375
2376                 if (!rdev->ops->set_default_mgmt_key) {
2377                         err = -EOPNOTSUPP;
2378                         goto out;
2379                 }
2380
2381                 err = nl80211_key_allowed(dev->ieee80211_ptr);
2382                 if (err)
2383                         goto out;
2384
2385                 err = rdev_set_default_mgmt_key(rdev, dev, key.idx);
2386                 if (err)
2387                         goto out;
2388
2389 #ifdef CONFIG_CFG80211_WEXT
2390                 dev->ieee80211_ptr->wext.default_mgmt_key = key.idx;
2391 #endif
2392         }
2393
2394  out:
2395         wdev_unlock(dev->ieee80211_ptr);
2396
2397         return err;
2398 }
2399
2400 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
2401 {
2402         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2403         int err;
2404         struct net_device *dev = info->user_ptr[1];
2405         struct key_parse key;
2406         const u8 *mac_addr = NULL;
2407
2408         err = nl80211_parse_key(info, &key);
2409         if (err)
2410                 return err;
2411
2412         if (!key.p.key)
2413                 return -EINVAL;
2414
2415         if (info->attrs[NL80211_ATTR_MAC])
2416                 mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
2417
2418         if (key.type == -1) {
2419                 if (mac_addr)
2420                         key.type = NL80211_KEYTYPE_PAIRWISE;
2421                 else
2422                         key.type = NL80211_KEYTYPE_GROUP;
2423         }
2424
2425         /* for now */
2426         if (key.type != NL80211_KEYTYPE_PAIRWISE &&
2427             key.type != NL80211_KEYTYPE_GROUP)
2428                 return -EINVAL;
2429
2430         if (!rdev->ops->add_key)
2431                 return -EOPNOTSUPP;
2432
2433         if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
2434                                            key.type == NL80211_KEYTYPE_PAIRWISE,
2435                                            mac_addr))
2436                 return -EINVAL;
2437
2438         wdev_lock(dev->ieee80211_ptr);
2439         err = nl80211_key_allowed(dev->ieee80211_ptr);
2440         if (!err)
2441                 err = rdev_add_key(rdev, dev, key.idx,
2442                                    key.type == NL80211_KEYTYPE_PAIRWISE,
2443                                     mac_addr, &key.p);
2444         wdev_unlock(dev->ieee80211_ptr);
2445
2446         return err;
2447 }
2448
2449 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
2450 {
2451         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2452         int err;
2453         struct net_device *dev = info->user_ptr[1];
2454         u8 *mac_addr = NULL;
2455         struct key_parse key;
2456
2457         err = nl80211_parse_key(info, &key);
2458         if (err)
2459                 return err;
2460
2461         if (info->attrs[NL80211_ATTR_MAC])
2462                 mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
2463
2464         if (key.type == -1) {
2465                 if (mac_addr)
2466                         key.type = NL80211_KEYTYPE_PAIRWISE;
2467                 else
2468                         key.type = NL80211_KEYTYPE_GROUP;
2469         }
2470
2471         /* for now */
2472         if (key.type != NL80211_KEYTYPE_PAIRWISE &&
2473             key.type != NL80211_KEYTYPE_GROUP)
2474                 return -EINVAL;
2475
2476         if (!rdev->ops->del_key)
2477                 return -EOPNOTSUPP;
2478
2479         wdev_lock(dev->ieee80211_ptr);
2480         err = nl80211_key_allowed(dev->ieee80211_ptr);
2481
2482         if (key.type == NL80211_KEYTYPE_PAIRWISE && mac_addr &&
2483             !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
2484                 err = -ENOENT;
2485
2486         if (!err)
2487                 err = rdev_del_key(rdev, dev, key.idx,
2488                                    key.type == NL80211_KEYTYPE_PAIRWISE,
2489                                    mac_addr);
2490
2491 #ifdef CONFIG_CFG80211_WEXT
2492         if (!err) {
2493                 if (key.idx == dev->ieee80211_ptr->wext.default_key)
2494                         dev->ieee80211_ptr->wext.default_key = -1;
2495                 else if (key.idx == dev->ieee80211_ptr->wext.default_mgmt_key)
2496                         dev->ieee80211_ptr->wext.default_mgmt_key = -1;
2497         }
2498 #endif
2499         wdev_unlock(dev->ieee80211_ptr);
2500
2501         return err;
2502 }
2503
2504 /* This function returns an error or the number of nested attributes */
2505 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
2506 {
2507         struct nlattr *attr;
2508         int n_entries = 0, tmp;
2509
2510         nla_for_each_nested(attr, nl_attr, tmp) {
2511                 if (nla_len(attr) != ETH_ALEN)
2512                         return -EINVAL;
2513
2514                 n_entries++;
2515         }
2516
2517         return n_entries;
2518 }
2519
2520 /*
2521  * This function parses ACL information and allocates memory for ACL data.
2522  * On successful return, the calling function is responsible to free the
2523  * ACL buffer returned by this function.
2524  */
2525 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
2526                                                 struct genl_info *info)
2527 {
2528         enum nl80211_acl_policy acl_policy;
2529         struct nlattr *attr;
2530         struct cfg80211_acl_data *acl;
2531         int i = 0, n_entries, tmp;
2532
2533         if (!wiphy->max_acl_mac_addrs)
2534                 return ERR_PTR(-EOPNOTSUPP);
2535
2536         if (!info->attrs[NL80211_ATTR_ACL_POLICY])
2537                 return ERR_PTR(-EINVAL);
2538
2539         acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
2540         if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
2541             acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
2542                 return ERR_PTR(-EINVAL);
2543
2544         if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
2545                 return ERR_PTR(-EINVAL);
2546
2547         n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
2548         if (n_entries < 0)
2549                 return ERR_PTR(n_entries);
2550
2551         if (n_entries > wiphy->max_acl_mac_addrs)
2552                 return ERR_PTR(-ENOTSUPP);
2553
2554         acl = kzalloc(sizeof(*acl) + (sizeof(struct mac_address) * n_entries),
2555                       GFP_KERNEL);
2556         if (!acl)
2557                 return ERR_PTR(-ENOMEM);
2558
2559         nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
2560                 memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
2561                 i++;
2562         }
2563
2564         acl->n_acl_entries = n_entries;
2565         acl->acl_policy = acl_policy;
2566
2567         return acl;
2568 }
2569
2570 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
2571 {
2572         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2573         struct net_device *dev = info->user_ptr[1];
2574         struct cfg80211_acl_data *acl;
2575         int err;
2576
2577         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
2578             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
2579                 return -EOPNOTSUPP;
2580
2581         if (!dev->ieee80211_ptr->beacon_interval)
2582                 return -EINVAL;
2583
2584         acl = parse_acl_data(&rdev->wiphy, info);
2585         if (IS_ERR(acl))
2586                 return PTR_ERR(acl);
2587
2588         err = rdev_set_mac_acl(rdev, dev, acl);
2589
2590         kfree(acl);
2591
2592         return err;
2593 }
2594
2595 static int nl80211_parse_beacon(struct genl_info *info,
2596                                 struct cfg80211_beacon_data *bcn)
2597 {
2598         bool haveinfo = false;
2599
2600         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_BEACON_TAIL]) ||
2601             !is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]) ||
2602             !is_valid_ie_attr(info->attrs[NL80211_ATTR_IE_PROBE_RESP]) ||
2603             !is_valid_ie_attr(info->attrs[NL80211_ATTR_IE_ASSOC_RESP]))
2604                 return -EINVAL;
2605
2606         memset(bcn, 0, sizeof(*bcn));
2607
2608         if (info->attrs[NL80211_ATTR_BEACON_HEAD]) {
2609                 bcn->head = nla_data(info->attrs[NL80211_ATTR_BEACON_HEAD]);
2610                 bcn->head_len = nla_len(info->attrs[NL80211_ATTR_BEACON_HEAD]);
2611                 if (!bcn->head_len)
2612                         return -EINVAL;
2613                 haveinfo = true;
2614         }
2615
2616         if (info->attrs[NL80211_ATTR_BEACON_TAIL]) {
2617                 bcn->tail = nla_data(info->attrs[NL80211_ATTR_BEACON_TAIL]);
2618                 bcn->tail_len =
2619                     nla_len(info->attrs[NL80211_ATTR_BEACON_TAIL]);
2620                 haveinfo = true;
2621         }
2622
2623         if (!haveinfo)
2624                 return -EINVAL;
2625
2626         if (info->attrs[NL80211_ATTR_IE]) {
2627                 bcn->beacon_ies = nla_data(info->attrs[NL80211_ATTR_IE]);
2628                 bcn->beacon_ies_len = nla_len(info->attrs[NL80211_ATTR_IE]);
2629         }
2630
2631         if (info->attrs[NL80211_ATTR_IE_PROBE_RESP]) {
2632                 bcn->proberesp_ies =
2633                         nla_data(info->attrs[NL80211_ATTR_IE_PROBE_RESP]);
2634                 bcn->proberesp_ies_len =
2635                         nla_len(info->attrs[NL80211_ATTR_IE_PROBE_RESP]);
2636         }
2637
2638         if (info->attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
2639                 bcn->assocresp_ies =
2640                         nla_data(info->attrs[NL80211_ATTR_IE_ASSOC_RESP]);
2641                 bcn->assocresp_ies_len =
2642                         nla_len(info->attrs[NL80211_ATTR_IE_ASSOC_RESP]);
2643         }
2644
2645         if (info->attrs[NL80211_ATTR_PROBE_RESP]) {
2646                 bcn->probe_resp =
2647                         nla_data(info->attrs[NL80211_ATTR_PROBE_RESP]);
2648                 bcn->probe_resp_len =
2649                         nla_len(info->attrs[NL80211_ATTR_PROBE_RESP]);
2650         }
2651
2652         return 0;
2653 }
2654
2655 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
2656                                    struct cfg80211_ap_settings *params)
2657 {
2658         struct wireless_dev *wdev;
2659         bool ret = false;
2660
2661         mutex_lock(&rdev->devlist_mtx);
2662
2663         list_for_each_entry(wdev, &rdev->wdev_list, list) {
2664                 if (wdev->iftype != NL80211_IFTYPE_AP &&
2665                     wdev->iftype != NL80211_IFTYPE_P2P_GO)
2666                         continue;
2667
2668                 if (!wdev->preset_chandef.chan)
2669                         continue;
2670
2671                 params->chandef = wdev->preset_chandef;
2672                 ret = true;
2673                 break;
2674         }
2675
2676         mutex_unlock(&rdev->devlist_mtx);
2677
2678         return ret;
2679 }
2680
2681 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
2682                                     enum nl80211_auth_type auth_type,
2683                                     enum nl80211_commands cmd)
2684 {
2685         if (auth_type > NL80211_AUTHTYPE_MAX)
2686                 return false;
2687
2688         switch (cmd) {
2689         case NL80211_CMD_AUTHENTICATE:
2690                 if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
2691                     auth_type == NL80211_AUTHTYPE_SAE)
2692                         return false;
2693                 return true;
2694         case NL80211_CMD_CONNECT:
2695         case NL80211_CMD_START_AP:
2696                 /* SAE not supported yet */
2697                 if (auth_type == NL80211_AUTHTYPE_SAE)
2698                         return false;
2699                 return true;
2700         default:
2701                 return false;
2702         }
2703 }
2704
2705 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
2706 {
2707         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2708         struct net_device *dev = info->user_ptr[1];
2709         struct wireless_dev *wdev = dev->ieee80211_ptr;
2710         struct cfg80211_ap_settings params;
2711         int err;
2712
2713         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
2714             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
2715                 return -EOPNOTSUPP;
2716
2717         if (!rdev->ops->start_ap)
2718                 return -EOPNOTSUPP;
2719
2720         if (wdev->beacon_interval)
2721                 return -EALREADY;
2722
2723         memset(&params, 0, sizeof(params));
2724
2725         /* these are required for START_AP */
2726         if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
2727             !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
2728             !info->attrs[NL80211_ATTR_BEACON_HEAD])
2729                 return -EINVAL;
2730
2731         err = nl80211_parse_beacon(info, &params.beacon);
2732         if (err)
2733                 return err;
2734
2735         params.beacon_interval =
2736                 nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
2737         params.dtim_period =
2738                 nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
2739
2740         err = cfg80211_validate_beacon_int(rdev, params.beacon_interval);
2741         if (err)
2742                 return err;
2743
2744         /*
2745          * In theory, some of these attributes should be required here
2746          * but since they were not used when the command was originally
2747          * added, keep them optional for old user space programs to let
2748          * them continue to work with drivers that do not need the
2749          * additional information -- drivers must check!
2750          */
2751         if (info->attrs[NL80211_ATTR_SSID]) {
2752                 params.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
2753                 params.ssid_len =
2754                         nla_len(info->attrs[NL80211_ATTR_SSID]);
2755                 if (params.ssid_len == 0 ||
2756                     params.ssid_len > IEEE80211_MAX_SSID_LEN)
2757                         return -EINVAL;
2758         }
2759
2760         if (info->attrs[NL80211_ATTR_HIDDEN_SSID]) {
2761                 params.hidden_ssid = nla_get_u32(
2762                         info->attrs[NL80211_ATTR_HIDDEN_SSID]);
2763                 if (params.hidden_ssid != NL80211_HIDDEN_SSID_NOT_IN_USE &&
2764                     params.hidden_ssid != NL80211_HIDDEN_SSID_ZERO_LEN &&
2765                     params.hidden_ssid != NL80211_HIDDEN_SSID_ZERO_CONTENTS)
2766                         return -EINVAL;
2767         }
2768
2769         params.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
2770
2771         if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
2772                 params.auth_type = nla_get_u32(
2773                         info->attrs[NL80211_ATTR_AUTH_TYPE]);
2774                 if (!nl80211_valid_auth_type(rdev, params.auth_type,
2775                                              NL80211_CMD_START_AP))
2776                         return -EINVAL;
2777         } else
2778                 params.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
2779
2780         err = nl80211_crypto_settings(rdev, info, &params.crypto,
2781                                       NL80211_MAX_NR_CIPHER_SUITES);
2782         if (err)
2783                 return err;
2784
2785         if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
2786                 if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER))
2787                         return -EOPNOTSUPP;
2788                 params.inactivity_timeout = nla_get_u16(
2789                         info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
2790         }
2791
2792         if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
2793                 if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
2794                         return -EINVAL;
2795                 params.p2p_ctwindow =
2796                         nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
2797                 if (params.p2p_ctwindow > 127)
2798                         return -EINVAL;
2799                 if (params.p2p_ctwindow != 0 &&
2800                     !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
2801                         return -EINVAL;
2802         }
2803
2804         if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
2805                 u8 tmp;
2806
2807                 if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
2808                         return -EINVAL;
2809                 tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
2810                 if (tmp > 1)
2811                         return -EINVAL;
2812                 params.p2p_opp_ps = tmp;
2813                 if (params.p2p_opp_ps != 0 &&
2814                     !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
2815                         return -EINVAL;
2816         }
2817
2818         if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
2819                 err = nl80211_parse_chandef(rdev, info, &params.chandef);
2820                 if (err)
2821                         return err;
2822         } else if (wdev->preset_chandef.chan) {
2823                 params.chandef = wdev->preset_chandef;
2824         } else if (!nl80211_get_ap_channel(rdev, &params))
2825                 return -EINVAL;
2826
2827         if (!cfg80211_reg_can_beacon(&rdev->wiphy, &params.chandef))
2828                 return -EINVAL;
2829
2830         mutex_lock(&rdev->devlist_mtx);
2831         err = cfg80211_can_use_chan(rdev, wdev, params.chandef.chan,
2832                                     CHAN_MODE_SHARED);
2833         mutex_unlock(&rdev->devlist_mtx);
2834
2835         if (err)
2836                 return err;
2837
2838         if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
2839                 params.acl = parse_acl_data(&rdev->wiphy, info);
2840                 if (IS_ERR(params.acl))
2841                         return PTR_ERR(params.acl);
2842         }
2843
2844         err = rdev_start_ap(rdev, dev, &params);
2845         if (!err) {
2846                 wdev->preset_chandef = params.chandef;
2847                 wdev->beacon_interval = params.beacon_interval;
2848                 wdev->channel = params.chandef.chan;
2849                 wdev->ssid_len = params.ssid_len;
2850                 memcpy(wdev->ssid, params.ssid, wdev->ssid_len);
2851         }
2852
2853         kfree(params.acl);
2854
2855         return err;
2856 }
2857
2858 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
2859 {
2860         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2861         struct net_device *dev = info->user_ptr[1];
2862         struct wireless_dev *wdev = dev->ieee80211_ptr;
2863         struct cfg80211_beacon_data params;
2864         int err;
2865
2866         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
2867             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
2868                 return -EOPNOTSUPP;
2869
2870         if (!rdev->ops->change_beacon)
2871                 return -EOPNOTSUPP;
2872
2873         if (!wdev->beacon_interval)
2874                 return -EINVAL;
2875
2876         err = nl80211_parse_beacon(info, &params);
2877         if (err)
2878                 return err;
2879
2880         return rdev_change_beacon(rdev, dev, &params);
2881 }
2882
2883 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
2884 {
2885         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2886         struct net_device *dev = info->user_ptr[1];
2887
2888         return cfg80211_stop_ap(rdev, dev);
2889 }
2890
2891 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
2892         [NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
2893         [NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
2894         [NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
2895         [NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
2896         [NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
2897         [NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
2898 };
2899
2900 static int parse_station_flags(struct genl_info *info,
2901                                enum nl80211_iftype iftype,
2902                                struct station_parameters *params)
2903 {
2904         struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
2905         struct nlattr *nla;
2906         int flag;
2907
2908         /*
2909          * Try parsing the new attribute first so userspace
2910          * can specify both for older kernels.
2911          */
2912         nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
2913         if (nla) {
2914                 struct nl80211_sta_flag_update *sta_flags;
2915
2916                 sta_flags = nla_data(nla);
2917                 params->sta_flags_mask = sta_flags->mask;
2918                 params->sta_flags_set = sta_flags->set;
2919                 if ((params->sta_flags_mask |
2920                      params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
2921                         return -EINVAL;
2922                 return 0;
2923         }
2924
2925         /* if present, parse the old attribute */
2926
2927         nla = info->attrs[NL80211_ATTR_STA_FLAGS];
2928         if (!nla)
2929                 return 0;
2930
2931         if (nla_parse_nested(flags, NL80211_STA_FLAG_MAX,
2932                              nla, sta_flags_policy))
2933                 return -EINVAL;
2934
2935         /*
2936          * Only allow certain flags for interface types so that
2937          * other attributes are silently ignored. Remember that
2938          * this is backward compatibility code with old userspace
2939          * and shouldn't be hit in other cases anyway.
2940          */
2941         switch (iftype) {
2942         case NL80211_IFTYPE_AP:
2943         case NL80211_IFTYPE_AP_VLAN:
2944         case NL80211_IFTYPE_P2P_GO:
2945                 params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
2946                                          BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
2947                                          BIT(NL80211_STA_FLAG_WME) |
2948                                          BIT(NL80211_STA_FLAG_MFP);
2949                 break;
2950         case NL80211_IFTYPE_P2P_CLIENT:
2951         case NL80211_IFTYPE_STATION:
2952                 params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
2953                                          BIT(NL80211_STA_FLAG_TDLS_PEER);
2954                 break;
2955         case NL80211_IFTYPE_MESH_POINT:
2956                 params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
2957                                          BIT(NL80211_STA_FLAG_MFP) |
2958                                          BIT(NL80211_STA_FLAG_AUTHORIZED);
2959         default:
2960                 return -EINVAL;
2961         }
2962
2963         for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
2964                 if (flags[flag]) {
2965                         params->sta_flags_set |= (1<<flag);
2966
2967                         /* no longer support new API additions in old API */
2968                         if (flag > NL80211_STA_FLAG_MAX_OLD_API)
2969                                 return -EINVAL;
2970                 }
2971         }
2972
2973         return 0;
2974 }
2975
2976 static bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info,
2977                                  int attr)
2978 {
2979         struct nlattr *rate;
2980         u32 bitrate;
2981         u16 bitrate_compat;
2982
2983         rate = nla_nest_start(msg, attr);
2984         if (!rate)
2985                 return false;
2986
2987         /* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
2988         bitrate = cfg80211_calculate_bitrate(info);
2989         /* report 16-bit bitrate only if we can */
2990         bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
2991         if (bitrate > 0 &&
2992             nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
2993                 return false;
2994         if (bitrate_compat > 0 &&
2995             nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
2996                 return false;
2997
2998         if (info->flags & RATE_INFO_FLAGS_MCS) {
2999                 if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
3000                         return false;
3001                 if (info->flags & RATE_INFO_FLAGS_40_MHZ_WIDTH &&
3002                     nla_put_flag(msg, NL80211_RATE_INFO_40_MHZ_WIDTH))
3003                         return false;
3004                 if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
3005                     nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
3006                         return false;
3007         } else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
3008                 if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
3009                         return false;
3010                 if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
3011                         return false;
3012                 if (info->flags & RATE_INFO_FLAGS_40_MHZ_WIDTH &&
3013                     nla_put_flag(msg, NL80211_RATE_INFO_40_MHZ_WIDTH))
3014                         return false;
3015                 if (info->flags & RATE_INFO_FLAGS_80_MHZ_WIDTH &&
3016                     nla_put_flag(msg, NL80211_RATE_INFO_80_MHZ_WIDTH))
3017                         return false;
3018                 if (info->flags & RATE_INFO_FLAGS_80P80_MHZ_WIDTH &&
3019                     nla_put_flag(msg, NL80211_RATE_INFO_80P80_MHZ_WIDTH))
3020                         return false;
3021                 if (info->flags & RATE_INFO_FLAGS_160_MHZ_WIDTH &&
3022                     nla_put_flag(msg, NL80211_RATE_INFO_160_MHZ_WIDTH))
3023                         return false;
3024                 if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
3025                     nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
3026                         return false;
3027         }
3028
3029         nla_nest_end(msg, rate);
3030         return true;
3031 }
3032
3033 static int nl80211_send_station(struct sk_buff *msg, u32 portid, u32 seq,
3034                                 int flags,
3035                                 struct cfg80211_registered_device *rdev,
3036                                 struct net_device *dev,
3037                                 const u8 *mac_addr, struct station_info *sinfo)
3038 {
3039         void *hdr;
3040         struct nlattr *sinfoattr, *bss_param;
3041
3042         hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_STATION);
3043         if (!hdr)
3044                 return -1;
3045
3046         if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3047             nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
3048             nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
3049                 goto nla_put_failure;
3050
3051         sinfoattr = nla_nest_start(msg, NL80211_ATTR_STA_INFO);
3052         if (!sinfoattr)
3053                 goto nla_put_failure;
3054         if ((sinfo->filled & STATION_INFO_CONNECTED_TIME) &&
3055             nla_put_u32(msg, NL80211_STA_INFO_CONNECTED_TIME,
3056                         sinfo->connected_time))
3057                 goto nla_put_failure;
3058         if ((sinfo->filled & STATION_INFO_INACTIVE_TIME) &&
3059             nla_put_u32(msg, NL80211_STA_INFO_INACTIVE_TIME,
3060                         sinfo->inactive_time))
3061                 goto nla_put_failure;
3062         if ((sinfo->filled & (STATION_INFO_RX_BYTES |
3063                               STATION_INFO_RX_BYTES64)) &&
3064             nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
3065                         (u32)sinfo->rx_bytes))
3066                 goto nla_put_failure;
3067         if ((sinfo->filled & (STATION_INFO_TX_BYTES |
3068                               NL80211_STA_INFO_TX_BYTES64)) &&
3069             nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
3070                         (u32)sinfo->tx_bytes))
3071                 goto nla_put_failure;
3072         if ((sinfo->filled & STATION_INFO_RX_BYTES64) &&
3073             nla_put_u64(msg, NL80211_STA_INFO_RX_BYTES64,
3074                         sinfo->rx_bytes))
3075                 goto nla_put_failure;
3076         if ((sinfo->filled & STATION_INFO_TX_BYTES64) &&
3077             nla_put_u64(msg, NL80211_STA_INFO_TX_BYTES64,
3078                         sinfo->tx_bytes))
3079                 goto nla_put_failure;
3080         if ((sinfo->filled & STATION_INFO_LLID) &&
3081             nla_put_u16(msg, NL80211_STA_INFO_LLID, sinfo->llid))
3082                 goto nla_put_failure;
3083         if ((sinfo->filled & STATION_INFO_PLID) &&
3084             nla_put_u16(msg, NL80211_STA_INFO_PLID, sinfo->plid))
3085                 goto nla_put_failure;
3086         if ((sinfo->filled & STATION_INFO_PLINK_STATE) &&
3087             nla_put_u8(msg, NL80211_STA_INFO_PLINK_STATE,
3088                        sinfo->plink_state))
3089                 goto nla_put_failure;
3090         switch (rdev->wiphy.signal_type) {
3091         case CFG80211_SIGNAL_TYPE_MBM:
3092                 if ((sinfo->filled & STATION_INFO_SIGNAL) &&
3093                     nla_put_u8(msg, NL80211_STA_INFO_SIGNAL,
3094                                sinfo->signal))
3095                         goto nla_put_failure;
3096                 if ((sinfo->filled & STATION_INFO_SIGNAL_AVG) &&
3097                     nla_put_u8(msg, NL80211_STA_INFO_SIGNAL_AVG,
3098                                sinfo->signal_avg))
3099                         goto nla_put_failure;
3100                 break;
3101         default:
3102                 break;
3103         }
3104         if (sinfo->filled & STATION_INFO_TX_BITRATE) {
3105                 if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
3106                                           NL80211_STA_INFO_TX_BITRATE))
3107                         goto nla_put_failure;
3108         }
3109         if (sinfo->filled & STATION_INFO_RX_BITRATE) {
3110                 if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
3111                                           NL80211_STA_INFO_RX_BITRATE))
3112                         goto nla_put_failure;
3113         }
3114         if ((sinfo->filled & STATION_INFO_RX_PACKETS) &&
3115             nla_put_u32(msg, NL80211_STA_INFO_RX_PACKETS,
3116                         sinfo->rx_packets))
3117                 goto nla_put_failure;
3118         if ((sinfo->filled & STATION_INFO_TX_PACKETS) &&
3119             nla_put_u32(msg, NL80211_STA_INFO_TX_PACKETS,
3120                         sinfo->tx_packets))
3121                 goto nla_put_failure;
3122         if ((sinfo->filled & STATION_INFO_TX_RETRIES) &&
3123             nla_put_u32(msg, NL80211_STA_INFO_TX_RETRIES,
3124                         sinfo->tx_retries))
3125                 goto nla_put_failure;
3126         if ((sinfo->filled & STATION_INFO_TX_FAILED) &&
3127             nla_put_u32(msg, NL80211_STA_INFO_TX_FAILED,
3128                         sinfo->tx_failed))
3129                 goto nla_put_failure;
3130         if ((sinfo->filled & STATION_INFO_BEACON_LOSS_COUNT) &&
3131             nla_put_u32(msg, NL80211_STA_INFO_BEACON_LOSS,
3132                         sinfo->beacon_loss_count))
3133                 goto nla_put_failure;
3134         if ((sinfo->filled & STATION_INFO_LOCAL_PM) &&
3135             nla_put_u32(msg, NL80211_STA_INFO_LOCAL_PM,
3136                         sinfo->local_pm))
3137                 goto nla_put_failure;
3138         if ((sinfo->filled & STATION_INFO_PEER_PM) &&
3139             nla_put_u32(msg, NL80211_STA_INFO_PEER_PM,
3140                         sinfo->peer_pm))
3141                 goto nla_put_failure;
3142         if ((sinfo->filled & STATION_INFO_NONPEER_PM) &&
3143             nla_put_u32(msg, NL80211_STA_INFO_NONPEER_PM,
3144                         sinfo->nonpeer_pm))
3145                 goto nla_put_failure;
3146         if (sinfo->filled & STATION_INFO_BSS_PARAM) {
3147                 bss_param = nla_nest_start(msg, NL80211_STA_INFO_BSS_PARAM);
3148                 if (!bss_param)
3149                         goto nla_put_failure;
3150
3151                 if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
3152                      nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
3153                     ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
3154                      nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
3155                     ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
3156                      nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
3157                     nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
3158                                sinfo->bss_param.dtim_period) ||
3159                     nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
3160                                 sinfo->bss_param.beacon_interval))
3161                         goto nla_put_failure;
3162
3163                 nla_nest_end(msg, bss_param);
3164         }
3165         if ((sinfo->filled & STATION_INFO_STA_FLAGS) &&
3166             nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
3167                     sizeof(struct nl80211_sta_flag_update),
3168                     &sinfo->sta_flags))
3169                 goto nla_put_failure;
3170         if ((sinfo->filled & STATION_INFO_T_OFFSET) &&
3171                 nla_put_u64(msg, NL80211_STA_INFO_T_OFFSET,
3172                             sinfo->t_offset))
3173                 goto nla_put_failure;
3174         nla_nest_end(msg, sinfoattr);
3175
3176         if ((sinfo->filled & STATION_INFO_ASSOC_REQ_IES) &&
3177             nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
3178                     sinfo->assoc_req_ies))
3179                 goto nla_put_failure;
3180
3181         return genlmsg_end(msg, hdr);
3182
3183  nla_put_failure:
3184         genlmsg_cancel(msg, hdr);
3185         return -EMSGSIZE;
3186 }
3187
3188 static int nl80211_dump_station(struct sk_buff *skb,
3189                                 struct netlink_callback *cb)
3190 {
3191         struct station_info sinfo;
3192         struct cfg80211_registered_device *dev;
3193         struct net_device *netdev;
3194         u8 mac_addr[ETH_ALEN];
3195         int sta_idx = cb->args[1];
3196         int err;
3197
3198         err = nl80211_prepare_netdev_dump(skb, cb, &dev, &netdev);
3199         if (err)
3200                 return err;
3201
3202         if (!dev->ops->dump_station) {
3203                 err = -EOPNOTSUPP;
3204                 goto out_err;
3205         }
3206
3207         while (1) {
3208                 memset(&sinfo, 0, sizeof(sinfo));
3209                 err = rdev_dump_station(dev, netdev, sta_idx,
3210                                         mac_addr, &sinfo);
3211                 if (err == -ENOENT)
3212                         break;
3213                 if (err)
3214                         goto out_err;
3215
3216                 if (nl80211_send_station(skb,
3217                                 NETLINK_CB(cb->skb).portid,
3218                                 cb->nlh->nlmsg_seq, NLM_F_MULTI,
3219                                 dev, netdev, mac_addr,
3220                                 &sinfo) < 0)
3221                         goto out;
3222
3223                 sta_idx++;
3224         }
3225
3226
3227  out:
3228         cb->args[1] = sta_idx;
3229         err = skb->len;
3230  out_err:
3231         nl80211_finish_netdev_dump(dev);
3232
3233         return err;
3234 }
3235
3236 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
3237 {
3238         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3239         struct net_device *dev = info->user_ptr[1];
3240         struct station_info sinfo;
3241         struct sk_buff *msg;
3242         u8 *mac_addr = NULL;
3243         int err;
3244
3245         memset(&sinfo, 0, sizeof(sinfo));
3246
3247         if (!info->attrs[NL80211_ATTR_MAC])
3248                 return -EINVAL;
3249
3250         mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3251
3252         if (!rdev->ops->get_station)
3253                 return -EOPNOTSUPP;
3254
3255         err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
3256         if (err)
3257                 return err;
3258
3259         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3260         if (!msg)
3261                 return -ENOMEM;
3262
3263         if (nl80211_send_station(msg, info->snd_portid, info->snd_seq, 0,
3264                                  rdev, dev, mac_addr, &sinfo) < 0) {
3265                 nlmsg_free(msg);
3266                 return -ENOBUFS;
3267         }
3268
3269         return genlmsg_reply(msg, info);
3270 }
3271
3272 /*
3273  * Get vlan interface making sure it is running and on the right wiphy.
3274  */
3275 static struct net_device *get_vlan(struct genl_info *info,
3276                                    struct cfg80211_registered_device *rdev)
3277 {
3278         struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
3279         struct net_device *v;
3280         int ret;
3281
3282         if (!vlanattr)
3283                 return NULL;
3284
3285         v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
3286         if (!v)
3287                 return ERR_PTR(-ENODEV);
3288
3289         if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
3290                 ret = -EINVAL;
3291                 goto error;
3292         }
3293
3294         if (!netif_running(v)) {
3295                 ret = -ENETDOWN;
3296                 goto error;
3297         }
3298
3299         return v;
3300  error:
3301         dev_put(v);
3302         return ERR_PTR(ret);
3303 }
3304
3305 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
3306 {
3307         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3308         int err;
3309         struct net_device *dev = info->user_ptr[1];
3310         struct station_parameters params;
3311         u8 *mac_addr = NULL;
3312
3313         memset(&params, 0, sizeof(params));
3314
3315         params.listen_interval = -1;
3316         params.plink_state = -1;
3317
3318         if (info->attrs[NL80211_ATTR_STA_AID])
3319                 return -EINVAL;
3320
3321         if (!info->attrs[NL80211_ATTR_MAC])
3322                 return -EINVAL;
3323
3324         mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3325
3326         if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
3327                 params.supported_rates =
3328                         nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
3329                 params.supported_rates_len =
3330                         nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
3331         }
3332
3333         if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL] ||
3334             info->attrs[NL80211_ATTR_HT_CAPABILITY])
3335                 return -EINVAL;
3336
3337         if (!rdev->ops->change_station)
3338                 return -EOPNOTSUPP;
3339
3340         if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
3341                 return -EINVAL;
3342
3343         if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
3344                 params.plink_action =
3345                     nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
3346
3347         if (info->attrs[NL80211_ATTR_STA_PLINK_STATE])
3348                 params.plink_state =
3349                     nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
3350
3351         if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]) {
3352                 enum nl80211_mesh_power_mode pm = nla_get_u32(
3353                         info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
3354
3355                 if (pm <= NL80211_MESH_POWER_UNKNOWN ||
3356                     pm > NL80211_MESH_POWER_MAX)
3357                         return -EINVAL;
3358
3359                 params.local_pm = pm;
3360         }
3361
3362         switch (dev->ieee80211_ptr->iftype) {
3363         case NL80211_IFTYPE_AP:
3364         case NL80211_IFTYPE_AP_VLAN:
3365         case NL80211_IFTYPE_P2P_GO:
3366                 /* disallow mesh-specific things */
3367                 if (params.plink_action)
3368                         return -EINVAL;
3369                 if (params.local_pm)
3370                         return -EINVAL;
3371
3372                 /* TDLS can't be set, ... */
3373                 if (params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
3374                         return -EINVAL;
3375                 /*
3376                  * ... but don't bother the driver with it. This works around
3377                  * a hostapd/wpa_supplicant issue -- it always includes the
3378                  * TLDS_PEER flag in the mask even for AP mode.
3379                  */
3380                 params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
3381
3382                 /* accept only the listed bits */
3383                 if (params.sta_flags_mask &
3384                                 ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
3385                                   BIT(NL80211_STA_FLAG_AUTHENTICATED) |
3386                                   BIT(NL80211_STA_FLAG_ASSOCIATED) |
3387                                   BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
3388                                   BIT(NL80211_STA_FLAG_WME) |
3389                                   BIT(NL80211_STA_FLAG_MFP)))
3390                         return -EINVAL;
3391
3392                 /* but authenticated/associated only if driver handles it */
3393                 if (!(rdev->wiphy.features &
3394                                 NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
3395                     params.sta_flags_mask &
3396                                 (BIT(NL80211_STA_FLAG_AUTHENTICATED) |
3397                                  BIT(NL80211_STA_FLAG_ASSOCIATED)))
3398                         return -EINVAL;
3399
3400                 /* reject other things that can't change */
3401                 if (params.supported_rates)
3402                         return -EINVAL;
3403
3404                 /* must be last in here for error handling */
3405                 params.vlan = get_vlan(info, rdev);
3406                 if (IS_ERR(params.vlan))
3407                         return PTR_ERR(params.vlan);
3408                 break;
3409         case NL80211_IFTYPE_P2P_CLIENT:
3410         case NL80211_IFTYPE_STATION:
3411                 /*
3412                  * Don't allow userspace to change the TDLS_PEER flag,
3413                  * but silently ignore attempts to change it since we
3414                  * don't have state here to verify that it doesn't try
3415                  * to change the flag.
3416                  */
3417                 params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
3418                 /* fall through */
3419         case NL80211_IFTYPE_ADHOC:
3420                 /* disallow things sta doesn't support */
3421                 if (params.plink_action)
3422                         return -EINVAL;
3423                 if (params.local_pm)
3424                         return -EINVAL;
3425                 /* reject any changes other than AUTHORIZED */
3426                 if (params.sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
3427                         return -EINVAL;
3428                 break;
3429         case NL80211_IFTYPE_MESH_POINT:
3430                 /* disallow things mesh doesn't support */
3431                 if (params.vlan)
3432                         return -EINVAL;
3433                 if (params.supported_rates)
3434                         return -EINVAL;
3435                 /*
3436                  * No special handling for TDLS here -- the userspace
3437                  * mesh code doesn't have this bug.
3438                  */
3439                 if (params.sta_flags_mask &
3440                                 ~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
3441                                   BIT(NL80211_STA_FLAG_MFP) |
3442                                   BIT(NL80211_STA_FLAG_AUTHORIZED)))
3443                         return -EINVAL;
3444                 break;
3445         default:
3446                 return -EOPNOTSUPP;
3447         }
3448
3449         /* be aware of params.vlan when changing code here */
3450
3451         err = rdev_change_station(rdev, dev, mac_addr, &params);
3452
3453         if (params.vlan)
3454                 dev_put(params.vlan);
3455
3456         return err;
3457 }
3458
3459 static struct nla_policy
3460 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] __read_mostly = {
3461         [NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
3462         [NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
3463 };
3464
3465 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
3466 {
3467         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3468         int err;
3469         struct net_device *dev = info->user_ptr[1];
3470         struct station_parameters params;
3471         u8 *mac_addr = NULL;
3472
3473         memset(&params, 0, sizeof(params));
3474
3475         if (!info->attrs[NL80211_ATTR_MAC])
3476                 return -EINVAL;
3477
3478         if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
3479                 return -EINVAL;
3480
3481         if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
3482                 return -EINVAL;
3483
3484         if (!info->attrs[NL80211_ATTR_STA_AID])
3485                 return -EINVAL;
3486
3487         mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3488         params.supported_rates =
3489                 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
3490         params.supported_rates_len =
3491                 nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
3492         params.listen_interval =
3493                 nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
3494
3495         params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
3496         if (!params.aid || params.aid > IEEE80211_MAX_AID)
3497                 return -EINVAL;
3498
3499         if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
3500                 params.ht_capa =
3501                         nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
3502
3503         if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
3504                 params.vht_capa =
3505                         nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
3506
3507         if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
3508                 params.plink_action =
3509                     nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
3510
3511         if (!rdev->ops->add_station)
3512                 return -EOPNOTSUPP;
3513
3514         if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
3515                 return -EINVAL;
3516
3517         switch (dev->ieee80211_ptr->iftype) {
3518         case NL80211_IFTYPE_AP:
3519         case NL80211_IFTYPE_AP_VLAN:
3520         case NL80211_IFTYPE_P2P_GO:
3521                 /* parse WME attributes if sta is WME capable */
3522                 if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
3523                     (params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)) &&
3524                     info->attrs[NL80211_ATTR_STA_WME]) {
3525                         struct nlattr *tb[NL80211_STA_WME_MAX + 1];
3526                         struct nlattr *nla;
3527
3528                         nla = info->attrs[NL80211_ATTR_STA_WME];
3529                         err = nla_parse_nested(tb, NL80211_STA_WME_MAX, nla,
3530                                                nl80211_sta_wme_policy);
3531                         if (err)
3532                                 return err;
3533
3534                         if (tb[NL80211_STA_WME_UAPSD_QUEUES])
3535                                 params.uapsd_queues =
3536                                      nla_get_u8(tb[NL80211_STA_WME_UAPSD_QUEUES]);
3537                         if (params.uapsd_queues &
3538                                         ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
3539                                 return -EINVAL;
3540
3541                         if (tb[NL80211_STA_WME_MAX_SP])
3542                                 params.max_sp =
3543                                      nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
3544
3545                         if (params.max_sp &
3546                                         ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
3547                                 return -EINVAL;
3548
3549                         params.sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
3550                 }
3551                 /* TDLS peers cannot be added */
3552                 if (params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
3553                         return -EINVAL;
3554                 /* but don't bother the driver with it */
3555                 params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
3556
3557                 /* allow authenticated/associated only if driver handles it */
3558                 if (!(rdev->wiphy.features &
3559                                 NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
3560                     params.sta_flags_mask &
3561                                 (BIT(NL80211_STA_FLAG_AUTHENTICATED) |
3562                                  BIT(NL80211_STA_FLAG_ASSOCIATED)))
3563                         return -EINVAL;
3564
3565                 /* must be last in here for error handling */
3566                 params.vlan = get_vlan(info, rdev);
3567                 if (IS_ERR(params.vlan))
3568                         return PTR_ERR(params.vlan);
3569                 break;
3570         case NL80211_IFTYPE_MESH_POINT:
3571                 /* associated is disallowed */
3572                 if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
3573                         return -EINVAL;
3574                 /* TDLS peers cannot be added */
3575                 if (params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
3576                         return -EINVAL;
3577                 break;
3578         case NL80211_IFTYPE_STATION:
3579                 /* associated is disallowed */
3580                 if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
3581                         return -EINVAL;
3582                 /* Only TDLS peers can be added */
3583                 if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
3584                         return -EINVAL;
3585                 /* Can only add if TDLS ... */
3586                 if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
3587                         return -EOPNOTSUPP;
3588                 /* ... with external setup is supported */
3589                 if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
3590                         return -EOPNOTSUPP;
3591                 break;
3592         default:
3593                 return -EOPNOTSUPP;
3594         }
3595
3596         /* be aware of params.vlan when changing code here */
3597
3598         err = rdev_add_station(rdev, dev, mac_addr, &params);
3599
3600         if (params.vlan)
3601                 dev_put(params.vlan);
3602         return err;
3603 }
3604
3605 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
3606 {
3607         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3608         struct net_device *dev = info->user_ptr[1];
3609         u8 *mac_addr = NULL;
3610
3611         if (info->attrs[NL80211_ATTR_MAC])
3612                 mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3613
3614         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3615             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
3616             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
3617             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3618                 return -EINVAL;
3619
3620         if (!rdev->ops->del_station)
3621                 return -EOPNOTSUPP;
3622
3623         return rdev_del_station(rdev, dev, mac_addr);
3624 }
3625
3626 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
3627                                 int flags, struct net_device *dev,
3628                                 u8 *dst, u8 *next_hop,
3629                                 struct mpath_info *pinfo)
3630 {
3631         void *hdr;
3632         struct nlattr *pinfoattr;
3633
3634         hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_STATION);
3635         if (!hdr)
3636                 return -1;
3637
3638         if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3639             nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
3640             nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
3641             nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
3642                 goto nla_put_failure;
3643
3644         pinfoattr = nla_nest_start(msg, NL80211_ATTR_MPATH_INFO);
3645         if (!pinfoattr)
3646                 goto nla_put_failure;
3647         if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
3648             nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
3649                         pinfo->frame_qlen))
3650                 goto nla_put_failure;
3651         if (((pinfo->filled & MPATH_INFO_SN) &&
3652              nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
3653             ((pinfo->filled & MPATH_INFO_METRIC) &&
3654              nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
3655                          pinfo->metric)) ||
3656             ((pinfo->filled & MPATH_INFO_EXPTIME) &&
3657              nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
3658                          pinfo->exptime)) ||
3659             ((pinfo->filled & MPATH_INFO_FLAGS) &&
3660              nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
3661                         pinfo->flags)) ||
3662             ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
3663              nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
3664                          pinfo->discovery_timeout)) ||
3665             ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
3666              nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
3667                         pinfo->discovery_retries)))
3668                 goto nla_put_failure;
3669
3670         nla_nest_end(msg, pinfoattr);
3671
3672         return genlmsg_end(msg, hdr);
3673
3674  nla_put_failure:
3675         genlmsg_cancel(msg, hdr);
3676         return -EMSGSIZE;
3677 }
3678
3679 static int nl80211_dump_mpath(struct sk_buff *skb,
3680                               struct netlink_callback *cb)
3681 {
3682         struct mpath_info pinfo;
3683         struct cfg80211_registered_device *dev;
3684         struct net_device *netdev;
3685         u8 dst[ETH_ALEN];
3686         u8 next_hop[ETH_ALEN];
3687         int path_idx = cb->args[1];
3688         int err;
3689
3690         err = nl80211_prepare_netdev_dump(skb, cb, &dev, &netdev);
3691         if (err)
3692                 return err;
3693
3694         if (!dev->ops->dump_mpath) {
3695                 err = -EOPNOTSUPP;
3696                 goto out_err;
3697         }
3698
3699         if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT) {
3700                 err = -EOPNOTSUPP;
3701                 goto out_err;
3702         }
3703
3704         while (1) {
3705                 err = rdev_dump_mpath(dev, netdev, path_idx, dst, next_hop,
3706                                       &pinfo);
3707                 if (err == -ENOENT)
3708                         break;
3709                 if (err)
3710                         goto out_err;
3711
3712                 if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
3713                                        cb->nlh->nlmsg_seq, NLM_F_MULTI,
3714                                        netdev, dst, next_hop,
3715                                        &pinfo) < 0)
3716                         goto out;
3717
3718                 path_idx++;
3719         }
3720
3721
3722  out:
3723         cb->args[1] = path_idx;
3724         err = skb->len;
3725  out_err:
3726         nl80211_finish_netdev_dump(dev);
3727         return err;
3728 }
3729
3730 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
3731 {
3732         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3733         int err;
3734         struct net_device *dev = info->user_ptr[1];
3735         struct mpath_info pinfo;
3736         struct sk_buff *msg;
3737         u8 *dst = NULL;
3738         u8 next_hop[ETH_ALEN];
3739
3740         memset(&pinfo, 0, sizeof(pinfo));
3741
3742         if (!info->attrs[NL80211_ATTR_MAC])
3743                 return -EINVAL;
3744
3745         dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
3746
3747         if (!rdev->ops->get_mpath)
3748                 return -EOPNOTSUPP;
3749
3750         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
3751                 return -EOPNOTSUPP;
3752
3753         err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
3754         if (err)
3755                 return err;
3756
3757         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3758         if (!msg)
3759                 return -ENOMEM;
3760
3761         if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
3762                                  dev, dst, next_hop, &pinfo) < 0) {
3763                 nlmsg_free(msg);
3764                 return -ENOBUFS;
3765         }
3766
3767         return genlmsg_reply(msg, info);
3768 }
3769
3770 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
3771 {
3772         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3773         struct net_device *dev = info->user_ptr[1];
3774         u8 *dst = NULL;
3775         u8 *next_hop = NULL;
3776
3777         if (!info->attrs[NL80211_ATTR_MAC])
3778                 return -EINVAL;
3779
3780         if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
3781                 return -EINVAL;
3782
3783         dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
3784         next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
3785
3786         if (!rdev->ops->change_mpath)
3787                 return -EOPNOTSUPP;
3788
3789         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
3790                 return -EOPNOTSUPP;
3791
3792         return rdev_change_mpath(rdev, dev, dst, next_hop);
3793 }
3794
3795 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
3796 {
3797         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3798         struct net_device *dev = info->user_ptr[1];
3799         u8 *dst = NULL;
3800         u8 *next_hop = NULL;
3801
3802         if (!info->attrs[NL80211_ATTR_MAC])
3803                 return -EINVAL;
3804
3805         if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
3806                 return -EINVAL;
3807
3808         dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
3809         next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
3810
3811         if (!rdev->ops->add_mpath)
3812                 return -EOPNOTSUPP;
3813
3814         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
3815                 return -EOPNOTSUPP;
3816
3817         return rdev_add_mpath(rdev, dev, dst, next_hop);
3818 }
3819
3820 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
3821 {
3822         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3823         struct net_device *dev = info->user_ptr[1];
3824         u8 *dst = NULL;
3825
3826         if (info->attrs[NL80211_ATTR_MAC])
3827                 dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
3828
3829         if (!rdev->ops->del_mpath)
3830                 return -EOPNOTSUPP;
3831
3832         return rdev_del_mpath(rdev, dev, dst);
3833 }
3834
3835 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
3836 {
3837         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3838         struct net_device *dev = info->user_ptr[1];
3839         struct bss_parameters params;
3840
3841         memset(&params, 0, sizeof(params));
3842         /* default to not changing parameters */
3843         params.use_cts_prot = -1;
3844         params.use_short_preamble = -1;
3845         params.use_short_slot_time = -1;
3846         params.ap_isolate = -1;
3847         params.ht_opmode = -1;
3848         params.p2p_ctwindow = -1;
3849         params.p2p_opp_ps = -1;
3850
3851         if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
3852                 params.use_cts_prot =
3853                     nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
3854         if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
3855                 params.use_short_preamble =
3856                     nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
3857         if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
3858                 params.use_short_slot_time =
3859                     nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
3860         if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
3861                 params.basic_rates =
3862                         nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
3863                 params.basic_rates_len =
3864                         nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
3865         }
3866         if (info->attrs[NL80211_ATTR_AP_ISOLATE])
3867                 params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
3868         if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
3869                 params.ht_opmode =
3870                         nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
3871
3872         if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
3873                 if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3874                         return -EINVAL;
3875                 params.p2p_ctwindow =
3876                         nla_get_s8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
3877                 if (params.p2p_ctwindow < 0)
3878                         return -EINVAL;
3879                 if (params.p2p_ctwindow != 0 &&
3880                     !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
3881                         return -EINVAL;
3882         }
3883
3884         if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
3885                 u8 tmp;
3886
3887                 if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3888                         return -EINVAL;
3889                 tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
3890                 if (tmp > 1)
3891                         return -EINVAL;
3892                 params.p2p_opp_ps = tmp;
3893                 if (params.p2p_opp_ps &&
3894                     !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
3895                         return -EINVAL;
3896         }
3897
3898         if (!rdev->ops->change_bss)
3899                 return -EOPNOTSUPP;
3900
3901         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3902             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3903                 return -EOPNOTSUPP;
3904
3905         return rdev_change_bss(rdev, dev, &params);
3906 }
3907
3908 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
3909         [NL80211_ATTR_REG_RULE_FLAGS]           = { .type = NLA_U32 },
3910         [NL80211_ATTR_FREQ_RANGE_START]         = { .type = NLA_U32 },
3911         [NL80211_ATTR_FREQ_RANGE_END]           = { .type = NLA_U32 },
3912         [NL80211_ATTR_FREQ_RANGE_MAX_BW]        = { .type = NLA_U32 },
3913         [NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]  = { .type = NLA_U32 },
3914         [NL80211_ATTR_POWER_RULE_MAX_EIRP]      = { .type = NLA_U32 },
3915 };
3916
3917 static int parse_reg_rule(struct nlattr *tb[],
3918         struct ieee80211_reg_rule *reg_rule)
3919 {
3920         struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
3921         struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
3922
3923         if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
3924                 return -EINVAL;
3925         if (!tb[NL80211_ATTR_FREQ_RANGE_START])
3926                 return -EINVAL;
3927         if (!tb[NL80211_ATTR_FREQ_RANGE_END])
3928                 return -EINVAL;
3929         if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
3930                 return -EINVAL;
3931         if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
3932                 return -EINVAL;
3933
3934         reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
3935
3936         freq_range->start_freq_khz =
3937                 nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
3938         freq_range->end_freq_khz =
3939                 nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
3940         freq_range->max_bandwidth_khz =
3941                 nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
3942
3943         power_rule->max_eirp =
3944                 nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
3945
3946         if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
3947                 power_rule->max_antenna_gain =
3948                         nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
3949
3950         return 0;
3951 }
3952
3953 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
3954 {
3955         int r;
3956         char *data = NULL;
3957         enum nl80211_user_reg_hint_type user_reg_hint_type;
3958
3959         /*
3960          * You should only get this when cfg80211 hasn't yet initialized
3961          * completely when built-in to the kernel right between the time
3962          * window between nl80211_init() and regulatory_init(), if that is
3963          * even possible.
3964          */
3965         if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
3966                 return -EINPROGRESS;
3967
3968         if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
3969                 return -EINVAL;
3970
3971         data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
3972
3973         if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
3974                 user_reg_hint_type =
3975                   nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
3976         else
3977                 user_reg_hint_type = NL80211_USER_REG_HINT_USER;
3978
3979         switch (user_reg_hint_type) {
3980         case NL80211_USER_REG_HINT_USER:
3981         case NL80211_USER_REG_HINT_CELL_BASE:
3982                 break;
3983         default:
3984                 return -EINVAL;
3985         }
3986
3987         r = regulatory_hint_user(data, user_reg_hint_type);
3988
3989         return r;
3990 }
3991
3992 static int nl80211_get_mesh_config(struct sk_buff *skb,
3993                                    struct genl_info *info)
3994 {
3995         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3996         struct net_device *dev = info->user_ptr[1];
3997         struct wireless_dev *wdev = dev->ieee80211_ptr;
3998         struct mesh_config cur_params;
3999         int err = 0;
4000         void *hdr;
4001         struct nlattr *pinfoattr;
4002         struct sk_buff *msg;
4003
4004         if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
4005                 return -EOPNOTSUPP;
4006
4007         if (!rdev->ops->get_mesh_config)
4008                 return -EOPNOTSUPP;
4009
4010         wdev_lock(wdev);
4011         /* If not connected, get default parameters */
4012         if (!wdev->mesh_id_len)
4013                 memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
4014         else
4015                 err = rdev_get_mesh_config(rdev, dev, &cur_params);
4016         wdev_unlock(wdev);
4017
4018         if (err)
4019                 return err;
4020
4021         /* Draw up a netlink message to send back */
4022         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4023         if (!msg)
4024                 return -ENOMEM;
4025         hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
4026                              NL80211_CMD_GET_MESH_CONFIG);
4027         if (!hdr)
4028                 goto out;
4029         pinfoattr = nla_nest_start(msg, NL80211_ATTR_MESH_CONFIG);
4030         if (!pinfoattr)
4031                 goto nla_put_failure;
4032         if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4033             nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
4034                         cur_params.dot11MeshRetryTimeout) ||
4035             nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
4036                         cur_params.dot11MeshConfirmTimeout) ||
4037             nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
4038                         cur_params.dot11MeshHoldingTimeout) ||
4039             nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
4040                         cur_params.dot11MeshMaxPeerLinks) ||
4041             nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
4042                        cur_params.dot11MeshMaxRetries) ||
4043             nla_put_u8(msg, NL80211_MESHCONF_TTL,
4044                        cur_params.dot11MeshTTL) ||
4045             nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
4046                        cur_params.element_ttl) ||
4047             nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
4048                        cur_params.auto_open_plinks) ||
4049             nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
4050                         cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
4051             nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
4052                        cur_params.dot11MeshHWMPmaxPREQretries) ||
4053             nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
4054                         cur_params.path_refresh_time) ||
4055             nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
4056                         cur_params.min_discovery_timeout) ||
4057             nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
4058                         cur_params.dot11MeshHWMPactivePathTimeout) ||
4059             nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
4060                         cur_params.dot11MeshHWMPpreqMinInterval) ||
4061             nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
4062                         cur_params.dot11MeshHWMPperrMinInterval) ||
4063             nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
4064                         cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
4065             nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
4066                        cur_params.dot11MeshHWMPRootMode) ||
4067             nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
4068                         cur_params.dot11MeshHWMPRannInterval) ||
4069             nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
4070                        cur_params.dot11MeshGateAnnouncementProtocol) ||
4071             nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
4072                        cur_params.dot11MeshForwarding) ||
4073             nla_put_u32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
4074                         cur_params.rssi_threshold) ||
4075             nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
4076                         cur_params.ht_opmode) ||
4077             nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
4078                         cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
4079             nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
4080                         cur_params.dot11MeshHWMProotInterval) ||
4081             nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
4082                         cur_params.dot11MeshHWMPconfirmationInterval) ||
4083             nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
4084                         cur_params.power_mode) ||
4085             nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
4086                         cur_params.dot11MeshAwakeWindowDuration))
4087                 goto nla_put_failure;
4088         nla_nest_end(msg, pinfoattr);
4089         genlmsg_end(msg, hdr);
4090         return genlmsg_reply(msg, info);
4091
4092  nla_put_failure:
4093         genlmsg_cancel(msg, hdr);
4094  out:
4095         nlmsg_free(msg);
4096         return -ENOBUFS;
4097 }
4098
4099 static const struct nla_policy nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
4100         [NL80211_MESHCONF_RETRY_TIMEOUT] = { .type = NLA_U16 },
4101         [NL80211_MESHCONF_CONFIRM_TIMEOUT] = { .type = NLA_U16 },
4102         [NL80211_MESHCONF_HOLDING_TIMEOUT] = { .type = NLA_U16 },
4103         [NL80211_MESHCONF_MAX_PEER_LINKS] = { .type = NLA_U16 },
4104         [NL80211_MESHCONF_MAX_RETRIES] = { .type = NLA_U8 },
4105         [NL80211_MESHCONF_TTL] = { .type = NLA_U8 },
4106         [NL80211_MESHCONF_ELEMENT_TTL] = { .type = NLA_U8 },
4107         [NL80211_MESHCONF_AUTO_OPEN_PLINKS] = { .type = NLA_U8 },
4108         [NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] = { .type = NLA_U32 },
4109         [NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
4110         [NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
4111         [NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = { .type = NLA_U16 },
4112         [NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
4113         [NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] = { .type = NLA_U16 },
4114         [NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] = { .type = NLA_U16 },
4115         [NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] = { .type = NLA_U16 },
4116         [NL80211_MESHCONF_HWMP_ROOTMODE] = { .type = NLA_U8 },
4117         [NL80211_MESHCONF_HWMP_RANN_INTERVAL] = { .type = NLA_U16 },
4118         [NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = { .type = NLA_U8 },
4119         [NL80211_MESHCONF_FORWARDING] = { .type = NLA_U8 },
4120         [NL80211_MESHCONF_RSSI_THRESHOLD] = { .type = NLA_U32 },
4121         [NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
4122         [NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
4123         [NL80211_MESHCONF_HWMP_ROOT_INTERVAL] = { .type = NLA_U16 },
4124         [NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] = { .type = NLA_U16 },
4125         [NL80211_MESHCONF_POWER_MODE] = { .type = NLA_U32 },
4126         [NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
4127 };
4128
4129 static const struct nla_policy
4130         nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
4131         [NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
4132         [NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
4133         [NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
4134         [NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
4135         [NL80211_MESH_SETUP_IE] = { .type = NLA_BINARY,
4136                                     .len = IEEE80211_MAX_DATA_LEN },
4137         [NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
4138 };
4139
4140 static int nl80211_parse_mesh_config(struct genl_info *info,
4141                                      struct mesh_config *cfg,
4142                                      u32 *mask_out)
4143 {
4144         struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
4145         u32 mask = 0;
4146
4147 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, min, max, mask, attr, fn) \
4148 do {                                                                        \
4149         if (tb[attr]) {                                                     \
4150                 if (fn(tb[attr]) < min || fn(tb[attr]) > max)               \
4151                         return -EINVAL;                                     \
4152                 cfg->param = fn(tb[attr]);                                  \
4153                 mask |= (1 << (attr - 1));                                  \
4154         }                                                                   \
4155 } while (0)
4156
4157
4158         if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
4159                 return -EINVAL;
4160         if (nla_parse_nested(tb, NL80211_MESHCONF_ATTR_MAX,
4161                              info->attrs[NL80211_ATTR_MESH_CONFIG],
4162                              nl80211_meshconf_params_policy))
4163                 return -EINVAL;
4164
4165         /* This makes sure that there aren't more than 32 mesh config
4166          * parameters (otherwise our bitfield scheme would not work.) */
4167         BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
4168
4169         /* Fill in the params struct */
4170         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, 1, 255,
4171                                   mask, NL80211_MESHCONF_RETRY_TIMEOUT,
4172                                   nla_get_u16);
4173         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, 1, 255,
4174                                   mask, NL80211_MESHCONF_CONFIRM_TIMEOUT,
4175                                   nla_get_u16);
4176         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, 1, 255,
4177                                   mask, NL80211_MESHCONF_HOLDING_TIMEOUT,
4178                                   nla_get_u16);
4179         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, 0, 255,
4180                                   mask, NL80211_MESHCONF_MAX_PEER_LINKS,
4181                                   nla_get_u16);
4182         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, 0, 16,
4183                                   mask, NL80211_MESHCONF_MAX_RETRIES,
4184                                   nla_get_u8);
4185         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, 1, 255,
4186                                   mask, NL80211_MESHCONF_TTL, nla_get_u8);
4187         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, 1, 255,
4188                                   mask, NL80211_MESHCONF_ELEMENT_TTL,
4189                                   nla_get_u8);
4190         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, 0, 1,
4191                                   mask, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
4192                                   nla_get_u8);
4193         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
4194                                   1, 255, mask,
4195                                   NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
4196                                   nla_get_u32);
4197         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, 0, 255,
4198                                   mask, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
4199                                   nla_get_u8);
4200         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, 1, 65535,
4201                                   mask, NL80211_MESHCONF_PATH_REFRESH_TIME,
4202                                   nla_get_u32);
4203         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, 1, 65535,
4204                                   mask, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
4205                                   nla_get_u16);
4206         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
4207                                   1, 65535, mask,
4208                                   NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
4209                                   nla_get_u32);
4210         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval,
4211                                   1, 65535, mask,
4212                                   NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
4213                                   nla_get_u16);
4214         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval,
4215                                   1, 65535, mask,
4216                                   NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
4217                                   nla_get_u16);
4218         FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
4219                                   dot11MeshHWMPnetDiameterTraversalTime,
4220                                   1, 65535, mask,
4221                                   NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
4222                                   nla_get_u16);
4223         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, 0, 4,
4224                                   mask, NL80211_MESHCONF_HWMP_ROOTMODE,
4225                                   nla_get_u8);
4226         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, 1, 65535,
4227                                   mask, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
4228                                   nla_get_u16);
4229         FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
4230                                   dot11MeshGateAnnouncementProtocol, 0, 1,
4231                                   mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
4232                                   nla_get_u8);
4233         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, 0, 1,
4234                                   mask, NL80211_MESHCONF_FORWARDING,
4235                                   nla_get_u8);
4236         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, 1, 255,
4237                                   mask, NL80211_MESHCONF_RSSI_THRESHOLD,
4238                                   nla_get_u32);
4239         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, ht_opmode, 0, 16,
4240                                   mask, NL80211_MESHCONF_HT_OPMODE,
4241                                   nla_get_u16);
4242         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathToRootTimeout,
4243                                   1, 65535, mask,
4244                                   NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
4245                                   nla_get_u32);
4246         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, 1, 65535,
4247                                   mask, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
4248                                   nla_get_u16);
4249         FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
4250                                   dot11MeshHWMPconfirmationInterval,
4251                                   1, 65535, mask,
4252                                   NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
4253                                   nla_get_u16);
4254         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode,
4255                                   NL80211_MESH_POWER_ACTIVE,
4256                                   NL80211_MESH_POWER_MAX,
4257                                   mask, NL80211_MESHCONF_POWER_MODE,
4258                                   nla_get_u32);
4259         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration,
4260                                   0, 65535, mask,
4261                                   NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
4262         if (mask_out)
4263                 *mask_out = mask;
4264
4265         return 0;
4266
4267 #undef FILL_IN_MESH_PARAM_IF_SET
4268 }
4269
4270 static int nl80211_parse_mesh_setup(struct genl_info *info,
4271                                      struct mesh_setup *setup)
4272 {
4273         struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
4274
4275         if (!info->attrs[NL80211_ATTR_MESH_SETUP])
4276                 return -EINVAL;
4277         if (nla_parse_nested(tb, NL80211_MESH_SETUP_ATTR_MAX,
4278                              info->attrs[NL80211_ATTR_MESH_SETUP],
4279                              nl80211_mesh_setup_params_policy))
4280                 return -EINVAL;
4281
4282         if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
4283                 setup->sync_method =
4284                 (nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
4285                  IEEE80211_SYNC_METHOD_VENDOR :
4286                  IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
4287
4288         if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
4289                 setup->path_sel_proto =
4290                 (nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
4291                  IEEE80211_PATH_PROTOCOL_VENDOR :
4292                  IEEE80211_PATH_PROTOCOL_HWMP;
4293
4294         if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
4295                 setup->path_metric =
4296                 (nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
4297                  IEEE80211_PATH_METRIC_VENDOR :
4298                  IEEE80211_PATH_METRIC_AIRTIME;
4299
4300
4301         if (tb[NL80211_MESH_SETUP_IE]) {
4302                 struct nlattr *ieattr =
4303                         tb[NL80211_MESH_SETUP_IE];
4304                 if (!is_valid_ie_attr(ieattr))
4305                         return -EINVAL;
4306                 setup->ie = nla_data(ieattr);
4307                 setup->ie_len = nla_len(ieattr);
4308         }
4309         setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
4310         setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
4311
4312         return 0;
4313 }
4314
4315 static int nl80211_update_mesh_config(struct sk_buff *skb,
4316                                       struct genl_info *info)
4317 {
4318         struct cfg80211_registered_device *rdev = info->user_ptr[0];
4319         struct net_device *dev = info->user_ptr[1];
4320         struct wireless_dev *wdev = dev->ieee80211_ptr;
4321         struct mesh_config cfg;
4322         u32 mask;
4323         int err;
4324
4325         if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
4326                 return -EOPNOTSUPP;
4327
4328         if (!rdev->ops->update_mesh_config)
4329                 return -EOPNOTSUPP;
4330
4331         err = nl80211_parse_mesh_config(info, &cfg, &mask);
4332         if (err)
4333                 return err;
4334
4335         wdev_lock(wdev);
4336         if (!wdev->mesh_id_len)
4337                 err = -ENOLINK;
4338
4339         if (!err)
4340                 err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
4341
4342         wdev_unlock(wdev);
4343
4344         return err;
4345 }
4346
4347 static int nl80211_get_reg(struct sk_buff *skb, struct genl_info *info)
4348 {
4349         const struct ieee80211_regdomain *regdom;
4350         struct sk_buff *msg;
4351         void *hdr = NULL;
4352         struct nlattr *nl_reg_rules;
4353         unsigned int i;
4354         int err = -EINVAL;
4355
4356         mutex_lock(&cfg80211_mutex);
4357
4358         if (!cfg80211_regdomain)
4359                 goto out;
4360
4361         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4362         if (!msg) {
4363                 err = -ENOBUFS;
4364                 goto out;
4365         }
4366
4367         hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
4368                              NL80211_CMD_GET_REG);
4369         if (!hdr)
4370                 goto put_failure;
4371
4372         if (reg_last_request_cell_base() &&
4373             nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
4374                         NL80211_USER_REG_HINT_CELL_BASE))
4375                 goto nla_put_failure;
4376
4377         rcu_read_lock();
4378         regdom = rcu_dereference(cfg80211_regdomain);
4379
4380         if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
4381             (regdom->dfs_region &&
4382              nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
4383                 goto nla_put_failure_rcu;
4384
4385         nl_reg_rules = nla_nest_start(msg, NL80211_ATTR_REG_RULES);
4386         if (!nl_reg_rules)
4387                 goto nla_put_failure_rcu;
4388
4389         for (i = 0; i < regdom->n_reg_rules; i++) {
4390                 struct nlattr *nl_reg_rule;
4391                 const struct ieee80211_reg_rule *reg_rule;
4392                 const struct ieee80211_freq_range *freq_range;
4393                 const struct ieee80211_power_rule *power_rule;
4394
4395                 reg_rule = &regdom->reg_rules[i];
4396                 freq_range = &reg_rule->freq_range;
4397                 power_rule = &reg_rule->power_rule;
4398
4399                 nl_reg_rule = nla_nest_start(msg, i);
4400                 if (!nl_reg_rule)
4401                         goto nla_put_failure_rcu;
4402
4403                 if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
4404                                 reg_rule->flags) ||
4405                     nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
4406                                 freq_range->start_freq_khz) ||
4407                     nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
4408                                 freq_range->end_freq_khz) ||
4409                     nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
4410                                 freq_range->max_bandwidth_khz) ||
4411                     nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
4412                                 power_rule->max_antenna_gain) ||
4413                     nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
4414                                 power_rule->max_eirp))
4415                         goto nla_put_failure_rcu;
4416
4417                 nla_nest_end(msg, nl_reg_rule);
4418         }
4419         rcu_read_unlock();
4420
4421         nla_nest_end(msg, nl_reg_rules);
4422
4423         genlmsg_end(msg, hdr);
4424         err = genlmsg_reply(msg, info);
4425         goto out;
4426
4427 nla_put_failure_rcu:
4428         rcu_read_unlock();
4429 nla_put_failure:
4430         genlmsg_cancel(msg, hdr);
4431 put_failure:
4432         nlmsg_free(msg);
4433         err = -EMSGSIZE;
4434 out:
4435         mutex_unlock(&cfg80211_mutex);
4436         return err;
4437 }
4438
4439 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
4440 {
4441         struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
4442         struct nlattr *nl_reg_rule;
4443         char *alpha2 = NULL;
4444         int rem_reg_rules = 0, r = 0;
4445         u32 num_rules = 0, rule_idx = 0, size_of_regd;
4446         u8 dfs_region = 0;
4447         struct ieee80211_regdomain *rd = NULL;
4448
4449         if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
4450                 return -EINVAL;
4451
4452         if (!info->attrs[NL80211_ATTR_REG_RULES])
4453                 return -EINVAL;
4454
4455         alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
4456
4457         if (info->attrs[NL80211_ATTR_DFS_REGION])
4458                 dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
4459
4460         nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
4461                             rem_reg_rules) {
4462                 num_rules++;
4463                 if (num_rules > NL80211_MAX_SUPP_REG_RULES)
4464                         return -EINVAL;
4465         }
4466
4467         size_of_regd = sizeof(struct ieee80211_regdomain) +
4468                        num_rules * sizeof(struct ieee80211_reg_rule);
4469
4470         rd = kzalloc(size_of_regd, GFP_KERNEL);
4471         if (!rd)
4472                 return -ENOMEM;
4473
4474         rd->n_reg_rules = num_rules;
4475         rd->alpha2[0] = alpha2[0];
4476         rd->alpha2[1] = alpha2[1];
4477
4478         /*
4479          * Disable DFS master mode if the DFS region was
4480          * not supported or known on this kernel.
4481          */
4482         if (reg_supported_dfs_region(dfs_region))
4483                 rd->dfs_region = dfs_region;
4484
4485         nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
4486                             rem_reg_rules) {
4487                 nla_parse(tb, NL80211_REG_RULE_ATTR_MAX,
4488                           nla_data(nl_reg_rule), nla_len(nl_reg_rule),
4489                           reg_rule_policy);
4490                 r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
4491                 if (r)
4492                         goto bad_reg;
4493
4494                 rule_idx++;
4495
4496                 if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
4497                         r = -EINVAL;
4498                         goto bad_reg;
4499                 }
4500         }
4501
4502         mutex_lock(&cfg80211_mutex);
4503
4504         r = set_regdom(rd);
4505         /* set_regdom took ownership */
4506         rd = NULL;
4507         mutex_unlock(&cfg80211_mutex);
4508
4509  bad_reg:
4510         kfree(rd);
4511         return r;
4512 }
4513
4514 static int validate_scan_freqs(struct nlattr *freqs)
4515 {
4516         struct nlattr *attr1, *attr2;
4517         int n_channels = 0, tmp1, tmp2;
4518
4519         nla_for_each_nested(attr1, freqs, tmp1) {
4520                 n_channels++;
4521                 /*
4522                  * Some hardware has a limited channel list for
4523                  * scanning, and it is pretty much nonsensical
4524                  * to scan for a channel twice, so disallow that
4525                  * and don't require drivers to check that the
4526                  * channel list they get isn't longer than what
4527                  * they can scan, as long as they can scan all
4528                  * the channels they registered at once.
4529                  */
4530                 nla_for_each_nested(attr2, freqs, tmp2)
4531                         if (attr1 != attr2 &&
4532                             nla_get_u32(attr1) == nla_get_u32(attr2))
4533                                 return 0;
4534         }
4535
4536         return n_channels;
4537 }
4538
4539 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
4540 {
4541         struct cfg80211_registered_device *rdev = info->user_ptr[0];
4542         struct wireless_dev *wdev = info->user_ptr[1];
4543         struct cfg80211_scan_request *request;
4544         struct nlattr *attr;
4545         struct wiphy *wiphy;
4546         int err, tmp, n_ssids = 0, n_channels, i;
4547         size_t ie_len;
4548
4549         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
4550                 return -EINVAL;
4551
4552         wiphy = &rdev->wiphy;
4553
4554         if (!rdev->ops->scan)
4555                 return -EOPNOTSUPP;
4556
4557         if (rdev->scan_req)
4558                 return -EBUSY;
4559
4560         if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
4561                 n_channels = validate_scan_freqs(
4562                                 info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
4563                 if (!n_channels)
4564                         return -EINVAL;
4565         } else {
4566                 enum ieee80211_band band;
4567                 n_channels = 0;
4568
4569                 for (band = 0; band < IEEE80211_NUM_BANDS; band++)
4570                         if (wiphy->bands[band])
4571                                 n_channels += wiphy->bands[band]->n_channels;
4572         }
4573
4574         if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
4575                 nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
4576                         n_ssids++;
4577
4578         if (n_ssids > wiphy->max_scan_ssids)
4579                 return -EINVAL;
4580
4581         if (info->attrs[NL80211_ATTR_IE])
4582                 ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
4583         else
4584                 ie_len = 0;
4585
4586         if (ie_len > wiphy->max_scan_ie_len)
4587                 return -EINVAL;
4588
4589         request = kzalloc(sizeof(*request)
4590                         + sizeof(*request->ssids) * n_ssids
4591                         + sizeof(*request->channels) * n_channels
4592                         + ie_len, GFP_KERNEL);
4593         if (!request)
4594                 return -ENOMEM;
4595
4596         if (n_ssids)
4597                 request->ssids = (void *)&request->channels[n_channels];
4598         request->n_ssids = n_ssids;
4599         if (ie_len) {
4600                 if (request->ssids)
4601                         request->ie = (void *)(request->ssids + n_ssids);
4602                 else
4603                         request->ie = (void *)(request->channels + n_channels);
4604         }
4605
4606         i = 0;
4607         if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
4608                 /* user specified, bail out if channel not found */
4609                 nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_FREQUENCIES], tmp) {
4610                         struct ieee80211_channel *chan;
4611
4612                         chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
4613
4614                         if (!chan) {
4615                                 err = -EINVAL;
4616                                 goto out_free;
4617                         }
4618
4619                         /* ignore disabled channels */
4620                         if (chan->flags & IEEE80211_CHAN_DISABLED)
4621                                 continue;
4622
4623                         request->channels[i] = chan;
4624                         i++;
4625                 }
4626         } else {
4627                 enum ieee80211_band band;
4628
4629                 /* all channels */
4630                 for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
4631                         int j;
4632                         if (!wiphy->bands[band])
4633                                 continue;
4634                         for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
4635                                 struct ieee80211_channel *chan;
4636
4637                                 chan = &wiphy->bands[band]->channels[j];
4638
4639                                 if (chan->flags & IEEE80211_CHAN_DISABLED)
4640                                         continue;
4641
4642                                 request->channels[i] = chan;
4643                                 i++;
4644                         }
4645                 }
4646         }
4647
4648         if (!i) {
4649                 err = -EINVAL;
4650                 goto out_free;
4651         }
4652
4653         request->n_channels = i;
4654
4655         i = 0;
4656         if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
4657                 nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
4658                         if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
4659                                 err = -EINVAL;
4660                                 goto out_free;
4661                         }
4662                         request->ssids[i].ssid_len = nla_len(attr);
4663                         memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
4664                         i++;
4665                 }
4666         }
4667
4668         if (info->attrs[NL80211_ATTR_IE]) {
4669                 request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
4670                 memcpy((void *)request->ie,
4671                        nla_data(info->attrs[NL80211_ATTR_IE]),
4672                        request->ie_len);
4673         }
4674
4675         for (i = 0; i < IEEE80211_NUM_BANDS; i++)
4676                 if (wiphy->bands[i])
4677                         request->rates[i] =
4678                                 (1 << wiphy->bands[i]->n_bitrates) - 1;
4679
4680         if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
4681                 nla_for_each_nested(attr,
4682                                     info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
4683                                     tmp) {
4684                         enum ieee80211_band band = nla_type(attr);
4685
4686                         if (band < 0 || band >= IEEE80211_NUM_BANDS) {
4687                                 err = -EINVAL;
4688                                 goto out_free;
4689                         }
4690                         err = ieee80211_get_ratemask(wiphy->bands[band],
4691                                                      nla_data(attr),
4692                                                      nla_len(attr),
4693                                                      &request->rates[band]);
4694                         if (err)
4695                                 goto out_free;
4696                 }
4697         }
4698
4699         if (info->attrs[NL80211_ATTR_SCAN_FLAGS]) {
4700                 request->flags = nla_get_u32(
4701                         info->attrs[NL80211_ATTR_SCAN_FLAGS]);
4702                 if (((request->flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
4703                      !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
4704                     ((request->flags & NL80211_SCAN_FLAG_FLUSH) &&
4705                      !(wiphy->features & NL80211_FEATURE_SCAN_FLUSH))) {
4706                         err = -EOPNOTSUPP;
4707                         goto out_free;
4708                 }
4709         }
4710
4711         request->no_cck =
4712                 nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
4713
4714         request->wdev = wdev;
4715         request->wiphy = &rdev->wiphy;
4716         request->scan_start = jiffies;
4717
4718         rdev->scan_req = request;
4719         err = rdev_scan(rdev, request);
4720
4721         if (!err) {
4722                 nl80211_send_scan_start(rdev, wdev);
4723                 if (wdev->netdev)
4724                         dev_hold(wdev->netdev);
4725         } else {
4726  out_free:
4727                 rdev->scan_req = NULL;
4728                 kfree(request);
4729         }
4730
4731         return err;
4732 }
4733
4734 static int nl80211_start_sched_scan(struct sk_buff *skb,
4735                                     struct genl_info *info)
4736 {
4737         struct cfg80211_sched_scan_request *request;
4738         struct cfg80211_registered_device *rdev = info->user_ptr[0];
4739         struct net_device *dev = info->user_ptr[1];
4740         struct nlattr *attr;
4741         struct wiphy *wiphy;
4742         int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i;
4743         u32 interval;
4744         enum ieee80211_band band;
4745         size_t ie_len;
4746         struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
4747
4748         if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) ||
4749             !rdev->ops->sched_scan_start)
4750                 return -EOPNOTSUPP;
4751
4752         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
4753                 return -EINVAL;
4754
4755         if (!info->attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
4756                 return -EINVAL;
4757
4758         interval = nla_get_u32(info->attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
4759         if (interval == 0)
4760                 return -EINVAL;
4761
4762         wiphy = &rdev->wiphy;
4763
4764         if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
4765                 n_channels = validate_scan_freqs(
4766                                 info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
4767                 if (!n_channels)
4768                         return -EINVAL;
4769         } else {
4770                 n_channels = 0;
4771
4772                 for (band = 0; band < IEEE80211_NUM_BANDS; band++)
4773                         if (wiphy->bands[band])
4774                                 n_channels += wiphy->bands[band]->n_channels;
4775         }
4776
4777         if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
4778                 nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS],
4779                                     tmp)
4780                         n_ssids++;
4781
4782         if (n_ssids > wiphy->max_sched_scan_ssids)
4783                 return -EINVAL;
4784
4785         if (info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH])
4786                 nla_for_each_nested(attr,
4787                                     info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
4788                                     tmp)
4789                         n_match_sets++;
4790
4791         if (n_match_sets > wiphy->max_match_sets)
4792                 return -EINVAL;
4793
4794         if (info->attrs[NL80211_ATTR_IE])
4795                 ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
4796         else
4797                 ie_len = 0;
4798
4799         if (ie_len > wiphy->max_sched_scan_ie_len)
4800                 return -EINVAL;
4801
4802         mutex_lock(&rdev->sched_scan_mtx);
4803
4804         if (rdev->sched_scan_req) {
4805                 err = -EINPROGRESS;
4806                 goto out;
4807         }
4808
4809         request = kzalloc(sizeof(*request)
4810                         + sizeof(*request->ssids) * n_ssids
4811                         + sizeof(*request->match_sets) * n_match_sets
4812                         + sizeof(*request->channels) * n_channels
4813                         + ie_len, GFP_KERNEL);
4814         if (!request) {
4815                 err = -ENOMEM;
4816                 goto out;
4817         }
4818
4819         if (n_ssids)
4820                 request->ssids = (void *)&request->channels[n_channels];
4821         request->n_ssids = n_ssids;
4822         if (ie_len) {
4823                 if (request->ssids)
4824                         request->ie = (void *)(request->ssids + n_ssids);
4825                 else
4826                         request->ie = (void *)(request->channels + n_channels);
4827         }
4828
4829         if (n_match_sets) {
4830                 if (request->ie)
4831                         request->match_sets = (void *)(request->ie + ie_len);
4832                 else if (request->ssids)
4833                         request->match_sets =
4834                                 (void *)(request->ssids + n_ssids);
4835                 else
4836                         request->match_sets =
4837                                 (void *)(request->channels + n_channels);
4838         }
4839         request->n_match_sets = n_match_sets;
4840
4841         i = 0;
4842         if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
4843                 /* user specified, bail out if channel not found */
4844                 nla_for_each_nested(attr,
4845                                     info->attrs[NL80211_ATTR_SCAN_FREQUENCIES],
4846                                     tmp) {
4847                         struct ieee80211_channel *chan;
4848
4849                         chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
4850
4851                         if (!chan) {
4852                                 err = -EINVAL;
4853                                 goto out_free;
4854                         }
4855
4856                         /* ignore disabled channels */
4857                         if (chan->flags & IEEE80211_CHAN_DISABLED)
4858                                 continue;
4859
4860                         request->channels[i] = chan;
4861                         i++;
4862                 }
4863         } else {
4864                 /* all channels */
4865                 for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
4866                         int j;
4867                         if (!wiphy->bands[band])
4868                                 continue;
4869                         for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
4870                                 struct ieee80211_channel *chan;
4871
4872                                 chan = &wiphy->bands[band]->channels[j];
4873
4874                                 if (chan->flags & IEEE80211_CHAN_DISABLED)
4875                                         continue;
4876
4877                                 request->channels[i] = chan;
4878                                 i++;
4879                         }
4880                 }
4881         }
4882
4883         if (!i) {
4884                 err = -EINVAL;
4885                 goto out_free;
4886         }
4887
4888         request->n_channels = i;
4889
4890         i = 0;
4891         if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
4892                 nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS],
4893                                     tmp) {
4894                         if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
4895                                 err = -EINVAL;
4896                                 goto out_free;
4897                         }
4898                         request->ssids[i].ssid_len = nla_len(attr);
4899                         memcpy(request->ssids[i].ssid, nla_data(attr),
4900                                nla_len(attr));
4901                         i++;
4902                 }
4903         }
4904
4905         i = 0;
4906         if (info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
4907                 nla_for_each_nested(attr,
4908                                     info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
4909                                     tmp) {
4910                         struct nlattr *ssid, *rssi;
4911
4912                         nla_parse(tb, NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
4913                                   nla_data(attr), nla_len(attr),
4914                                   nl80211_match_policy);
4915                         ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
4916                         if (ssid) {
4917                                 if (nla_len(ssid) > IEEE80211_MAX_SSID_LEN) {
4918                                         err = -EINVAL;
4919                                         goto out_free;
4920                                 }
4921                                 memcpy(request->match_sets[i].ssid.ssid,
4922                                        nla_data(ssid), nla_len(ssid));
4923                                 request->match_sets[i].ssid.ssid_len =
4924                                         nla_len(ssid);
4925                         }
4926                         rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
4927                         if (rssi)
4928                                 request->rssi_thold = nla_get_u32(rssi);
4929                         else
4930                                 request->rssi_thold =
4931                                                    NL80211_SCAN_RSSI_THOLD_OFF;
4932                         i++;
4933                 }
4934         }
4935
4936         if (info->attrs[NL80211_ATTR_IE]) {
4937                 request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
4938                 memcpy((void *)request->ie,
4939                        nla_data(info->attrs[NL80211_ATTR_IE]),
4940                        request->ie_len);
4941         }
4942
4943         if (info->attrs[NL80211_ATTR_SCAN_FLAGS]) {
4944                 request->flags = nla_get_u32(
4945                         info->attrs[NL80211_ATTR_SCAN_FLAGS]);
4946                 if (((request->flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
4947                      !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
4948                     ((request->flags & NL80211_SCAN_FLAG_FLUSH) &&
4949                      !(wiphy->features & NL80211_FEATURE_SCAN_FLUSH))) {
4950                         err = -EOPNOTSUPP;
4951                         goto out_free;
4952                 }
4953         }
4954
4955         request->dev = dev;
4956         request->wiphy = &rdev->wiphy;
4957         request->interval = interval;
4958         request->scan_start = jiffies;
4959
4960         err = rdev_sched_scan_start(rdev, dev, request);
4961         if (!err) {
4962                 rdev->sched_scan_req = request;
4963                 nl80211_send_sched_scan(rdev, dev,
4964                                         NL80211_CMD_START_SCHED_SCAN);
4965                 goto out;
4966         }
4967
4968 out_free:
4969         kfree(request);
4970 out:
4971         mutex_unlock(&rdev->sched_scan_mtx);
4972         return err;
4973 }
4974
4975 static int nl80211_stop_sched_scan(struct sk_buff *skb,
4976                                    struct genl_info *info)
4977 {
4978         struct cfg80211_registered_device *rdev = info->user_ptr[0];
4979         int err;
4980
4981         if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) ||
4982             !rdev->ops->sched_scan_stop)
4983                 return -EOPNOTSUPP;
4984
4985         mutex_lock(&rdev->sched_scan_mtx);
4986         err = __cfg80211_stop_sched_scan(rdev, false);
4987         mutex_unlock(&rdev->sched_scan_mtx);
4988
4989         return err;
4990 }
4991
4992 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
4993                             u32 seq, int flags,
4994                             struct cfg80211_registered_device *rdev,
4995                             struct wireless_dev *wdev,
4996                             struct cfg80211_internal_bss *intbss)
4997 {
4998         struct cfg80211_bss *res = &intbss->pub;
4999         const struct cfg80211_bss_ies *ies;
5000         void *hdr;
5001         struct nlattr *bss;
5002         bool tsf = false;
5003
5004         ASSERT_WDEV_LOCK(wdev);
5005
5006         hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
5007                              NL80211_CMD_NEW_SCAN_RESULTS);
5008         if (!hdr)
5009                 return -1;
5010
5011         genl_dump_check_consistent(cb, hdr, &nl80211_fam);
5012
5013         if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation) ||
5014             nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
5015                 goto nla_put_failure;
5016
5017         bss = nla_nest_start(msg, NL80211_ATTR_BSS);
5018         if (!bss)
5019                 goto nla_put_failure;
5020         if ((!is_zero_ether_addr(res->bssid) &&
5021              nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
5022                 goto nla_put_failure;
5023
5024         rcu_read_lock();
5025         ies = rcu_dereference(res->ies);
5026         if (ies) {
5027                 if (nla_put_u64(msg, NL80211_BSS_TSF, ies->tsf))
5028                         goto fail_unlock_rcu;
5029                 tsf = true;
5030                 if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
5031                                         ies->len, ies->data))
5032                         goto fail_unlock_rcu;
5033         }
5034         ies = rcu_dereference(res->beacon_ies);
5035         if (ies) {
5036                 if (!tsf && nla_put_u64(msg, NL80211_BSS_TSF, ies->tsf))
5037                         goto fail_unlock_rcu;
5038                 if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
5039                                         ies->len, ies->data))
5040                         goto fail_unlock_rcu;
5041         }
5042         rcu_read_unlock();
5043
5044         if (res->beacon_interval &&
5045             nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
5046                 goto nla_put_failure;
5047         if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
5048             nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
5049             nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
5050                         jiffies_to_msecs(jiffies - intbss->ts)))
5051                 goto nla_put_failure;
5052
5053         switch (rdev->wiphy.signal_type) {
5054         case CFG80211_SIGNAL_TYPE_MBM:
5055                 if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
5056                         goto nla_put_failure;
5057                 break;
5058         case CFG80211_SIGNAL_TYPE_UNSPEC:
5059                 if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
5060                         goto nla_put_failure;
5061                 break;
5062         default:
5063                 break;
5064         }
5065
5066         switch (wdev->iftype) {
5067         case NL80211_IFTYPE_P2P_CLIENT:
5068         case NL80211_IFTYPE_STATION:
5069                 if (intbss == wdev->current_bss &&
5070                     nla_put_u32(msg, NL80211_BSS_STATUS,
5071                                 NL80211_BSS_STATUS_ASSOCIATED))
5072                         goto nla_put_failure;
5073                 break;
5074         case NL80211_IFTYPE_ADHOC:
5075                 if (intbss == wdev->current_bss &&
5076                     nla_put_u32(msg, NL80211_BSS_STATUS,
5077                                 NL80211_BSS_STATUS_IBSS_JOINED))
5078                         goto nla_put_failure;
5079                 break;
5080         default:
5081                 break;
5082         }
5083
5084         nla_nest_end(msg, bss);
5085
5086         return genlmsg_end(msg, hdr);
5087
5088  fail_unlock_rcu:
5089         rcu_read_unlock();
5090  nla_put_failure:
5091         genlmsg_cancel(msg, hdr);
5092         return -EMSGSIZE;
5093 }
5094
5095 static int nl80211_dump_scan(struct sk_buff *skb,
5096                              struct netlink_callback *cb)
5097 {
5098         struct cfg80211_registered_device *rdev;
5099         struct net_device *dev;
5100         struct cfg80211_internal_bss *scan;
5101         struct wireless_dev *wdev;
5102         int start = cb->args[1], idx = 0;
5103         int err;
5104
5105         err = nl80211_prepare_netdev_dump(skb, cb, &rdev, &dev);
5106         if (err)
5107                 return err;
5108
5109         wdev = dev->ieee80211_ptr;
5110
5111         wdev_lock(wdev);
5112         spin_lock_bh(&rdev->bss_lock);
5113         cfg80211_bss_expire(rdev);
5114
5115         cb->seq = rdev->bss_generation;
5116
5117         list_for_each_entry(scan, &rdev->bss_list, list) {
5118                 if (++idx <= start)
5119                         continue;
5120                 if (nl80211_send_bss(skb, cb,
5121                                 cb->nlh->nlmsg_seq, NLM_F_MULTI,
5122                                 rdev, wdev, scan) < 0) {
5123                         idx--;
5124                         break;
5125                 }
5126         }
5127
5128         spin_unlock_bh(&rdev->bss_lock);
5129         wdev_unlock(wdev);
5130
5131         cb->args[1] = idx;
5132         nl80211_finish_netdev_dump(rdev);
5133
5134         return skb->len;
5135 }
5136
5137 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
5138                                 int flags, struct net_device *dev,
5139                                 struct survey_info *survey)
5140 {
5141         void *hdr;
5142         struct nlattr *infoattr;
5143
5144         hdr = nl80211hdr_put(msg, portid, seq, flags,
5145                              NL80211_CMD_NEW_SURVEY_RESULTS);
5146         if (!hdr)
5147                 return -ENOMEM;
5148
5149         if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
5150                 goto nla_put_failure;
5151
5152         infoattr = nla_nest_start(msg, NL80211_ATTR_SURVEY_INFO);
5153         if (!infoattr)
5154                 goto nla_put_failure;
5155
5156         if (nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
5157                         survey->channel->center_freq))
5158                 goto nla_put_failure;
5159
5160         if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
5161             nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
5162                 goto nla_put_failure;
5163         if ((survey->filled & SURVEY_INFO_IN_USE) &&
5164             nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
5165                 goto nla_put_failure;
5166         if ((survey->filled & SURVEY_INFO_CHANNEL_TIME) &&
5167             nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME,
5168                         survey->channel_time))
5169                 goto nla_put_failure;
5170         if ((survey->filled & SURVEY_INFO_CHANNEL_TIME_BUSY) &&
5171             nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_BUSY,
5172                         survey->channel_time_busy))
5173                 goto nla_put_failure;
5174         if ((survey->filled & SURVEY_INFO_CHANNEL_TIME_EXT_BUSY) &&
5175             nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_EXT_BUSY,
5176                         survey->channel_time_ext_busy))
5177                 goto nla_put_failure;
5178         if ((survey->filled & SURVEY_INFO_CHANNEL_TIME_RX) &&
5179             nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_RX,
5180                         survey->channel_time_rx))
5181                 goto nla_put_failure;
5182         if ((survey->filled & SURVEY_INFO_CHANNEL_TIME_TX) &&
5183             nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_TX,
5184                         survey->channel_time_tx))
5185                 goto nla_put_failure;
5186
5187         nla_nest_end(msg, infoattr);
5188
5189         return genlmsg_end(msg, hdr);
5190
5191  nla_put_failure:
5192         genlmsg_cancel(msg, hdr);
5193         return -EMSGSIZE;
5194 }
5195
5196 static int nl80211_dump_survey(struct sk_buff *skb,
5197                         struct netlink_callback *cb)
5198 {
5199         struct survey_info survey;
5200         struct cfg80211_registered_device *dev;
5201         struct net_device *netdev;
5202         int survey_idx = cb->args[1];
5203         int res;
5204
5205         res = nl80211_prepare_netdev_dump(skb, cb, &dev, &netdev);
5206         if (res)
5207                 return res;
5208
5209         if (!dev->ops->dump_survey) {
5210                 res = -EOPNOTSUPP;
5211                 goto out_err;
5212         }
5213
5214         while (1) {
5215                 struct ieee80211_channel *chan;
5216
5217                 res = rdev_dump_survey(dev, netdev, survey_idx, &survey);
5218                 if (res == -ENOENT)
5219                         break;
5220                 if (res)
5221                         goto out_err;
5222
5223                 /* Survey without a channel doesn't make sense */
5224                 if (!survey.channel) {
5225                         res = -EINVAL;
5226                         goto out;
5227                 }
5228
5229                 chan = ieee80211_get_channel(&dev->wiphy,
5230                                              survey.channel->center_freq);
5231                 if (!chan || chan->flags & IEEE80211_CHAN_DISABLED) {
5232                         survey_idx++;
5233                         continue;
5234                 }
5235
5236                 if (nl80211_send_survey(skb,
5237                                 NETLINK_CB(cb->skb).portid,
5238                                 cb->nlh->nlmsg_seq, NLM_F_MULTI,
5239                                 netdev,
5240                                 &survey) < 0)
5241                         goto out;
5242                 survey_idx++;
5243         }
5244
5245  out:
5246         cb->args[1] = survey_idx;
5247         res = skb->len;
5248  out_err:
5249         nl80211_finish_netdev_dump(dev);
5250         return res;
5251 }
5252
5253 static bool nl80211_valid_wpa_versions(u32 wpa_versions)
5254 {
5255         return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
5256                                   NL80211_WPA_VERSION_2));
5257 }
5258
5259 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
5260 {
5261         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5262         struct net_device *dev = info->user_ptr[1];
5263         struct ieee80211_channel *chan;
5264         const u8 *bssid, *ssid, *ie = NULL, *sae_data = NULL;
5265         int err, ssid_len, ie_len = 0, sae_data_len = 0;
5266         enum nl80211_auth_type auth_type;
5267         struct key_parse key;
5268         bool local_state_change;
5269
5270         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
5271                 return -EINVAL;
5272
5273         if (!info->attrs[NL80211_ATTR_MAC])
5274                 return -EINVAL;
5275
5276         if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
5277                 return -EINVAL;
5278
5279         if (!info->attrs[NL80211_ATTR_SSID])
5280                 return -EINVAL;
5281
5282         if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
5283                 return -EINVAL;
5284
5285         err = nl80211_parse_key(info, &key);
5286         if (err)
5287                 return err;
5288
5289         if (key.idx >= 0) {
5290                 if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
5291                         return -EINVAL;
5292                 if (!key.p.key || !key.p.key_len)
5293                         return -EINVAL;
5294                 if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
5295                      key.p.key_len != WLAN_KEY_LEN_WEP40) &&
5296                     (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
5297                      key.p.key_len != WLAN_KEY_LEN_WEP104))
5298                         return -EINVAL;
5299                 if (key.idx > 4)
5300                         return -EINVAL;
5301         } else {
5302                 key.p.key_len = 0;
5303                 key.p.key = NULL;
5304         }
5305
5306         if (key.idx >= 0) {
5307                 int i;
5308                 bool ok = false;
5309                 for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
5310                         if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
5311                                 ok = true;
5312                                 break;
5313                         }
5314                 }
5315                 if (!ok)
5316                         return -EINVAL;
5317         }
5318
5319         if (!rdev->ops->auth)
5320                 return -EOPNOTSUPP;
5321
5322         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
5323             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
5324                 return -EOPNOTSUPP;
5325
5326         bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
5327         chan = ieee80211_get_channel(&rdev->wiphy,
5328                 nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
5329         if (!chan || (chan->flags & IEEE80211_CHAN_DISABLED))
5330                 return -EINVAL;
5331
5332         ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
5333         ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
5334
5335         if (info->attrs[NL80211_ATTR_IE]) {
5336                 ie = nla_data(info->attrs[NL80211_ATTR_IE]);
5337                 ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5338         }
5339
5340         auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
5341         if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
5342                 return -EINVAL;
5343
5344         if (auth_type == NL80211_AUTHTYPE_SAE &&
5345             !info->attrs[NL80211_ATTR_SAE_DATA])
5346                 return -EINVAL;
5347
5348         if (info->attrs[NL80211_ATTR_SAE_DATA]) {
5349                 if (auth_type != NL80211_AUTHTYPE_SAE)
5350                         return -EINVAL;
5351                 sae_data = nla_data(info->attrs[NL80211_ATTR_SAE_DATA]);
5352                 sae_data_len = nla_len(info->attrs[NL80211_ATTR_SAE_DATA]);
5353                 /* need to include at least Auth Transaction and Status Code */
5354                 if (sae_data_len < 4)
5355                         return -EINVAL;
5356         }
5357
5358         local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
5359
5360         /*
5361          * Since we no longer track auth state, ignore
5362          * requests to only change local state.
5363          */
5364         if (local_state_change)
5365                 return 0;
5366
5367         return cfg80211_mlme_auth(rdev, dev, chan, auth_type, bssid,
5368                                   ssid, ssid_len, ie, ie_len,
5369                                   key.p.key, key.p.key_len, key.idx,
5370                                   sae_data, sae_data_len);
5371 }
5372
5373 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
5374                                    struct genl_info *info,
5375                                    struct cfg80211_crypto_settings *settings,
5376                                    int cipher_limit)
5377 {
5378         memset(settings, 0, sizeof(*settings));
5379
5380         settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
5381
5382         if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
5383                 u16 proto;
5384                 proto = nla_get_u16(
5385                         info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
5386                 settings->control_port_ethertype = cpu_to_be16(proto);
5387                 if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
5388                     proto != ETH_P_PAE)
5389                         return -EINVAL;
5390                 if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
5391                         settings->control_port_no_encrypt = true;
5392         } else
5393                 settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
5394
5395         if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
5396                 void *data;
5397                 int len, i;
5398
5399                 data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
5400                 len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
5401                 settings->n_ciphers_pairwise = len / sizeof(u32);
5402
5403                 if (len % sizeof(u32))
5404                         return -EINVAL;
5405
5406                 if (settings->n_ciphers_pairwise > cipher_limit)
5407                         return -EINVAL;
5408
5409                 memcpy(settings->ciphers_pairwise, data, len);
5410
5411                 for (i = 0; i < settings->n_ciphers_pairwise; i++)
5412                         if (!cfg80211_supported_cipher_suite(
5413                                         &rdev->wiphy,
5414                                         settings->ciphers_pairwise[i]))
5415                                 return -EINVAL;
5416         }
5417
5418         if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
5419                 settings->cipher_group =
5420                         nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
5421                 if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
5422                                                      settings->cipher_group))
5423                         return -EINVAL;
5424         }
5425
5426         if (info->attrs[NL80211_ATTR_WPA_VERSIONS]) {
5427                 settings->wpa_versions =
5428                         nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
5429                 if (!nl80211_valid_wpa_versions(settings->wpa_versions))
5430                         return -EINVAL;
5431         }
5432
5433         if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
5434                 void *data;
5435                 int len;
5436
5437                 data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
5438                 len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
5439                 settings->n_akm_suites = len / sizeof(u32);
5440
5441                 if (len % sizeof(u32))
5442                         return -EINVAL;
5443
5444                 if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES)
5445                         return -EINVAL;
5446
5447                 memcpy(settings->akm_suites, data, len);
5448         }
5449
5450         return 0;
5451 }
5452
5453 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
5454 {
5455         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5456         struct net_device *dev = info->user_ptr[1];
5457         struct cfg80211_crypto_settings crypto;
5458         struct ieee80211_channel *chan;
5459         const u8 *bssid, *ssid, *ie = NULL, *prev_bssid = NULL;
5460         int err, ssid_len, ie_len = 0;
5461         bool use_mfp = false;
5462         u32 flags = 0;
5463         struct ieee80211_ht_cap *ht_capa = NULL;
5464         struct ieee80211_ht_cap *ht_capa_mask = NULL;
5465
5466         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
5467                 return -EINVAL;
5468
5469         if (!info->attrs[NL80211_ATTR_MAC] ||
5470             !info->attrs[NL80211_ATTR_SSID] ||
5471             !info->attrs[NL80211_ATTR_WIPHY_FREQ])
5472                 return -EINVAL;
5473
5474         if (!rdev->ops->assoc)
5475                 return -EOPNOTSUPP;
5476
5477         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
5478             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
5479                 return -EOPNOTSUPP;
5480
5481         bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
5482
5483         chan = ieee80211_get_channel(&rdev->wiphy,
5484                 nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
5485         if (!chan || (chan->flags & IEEE80211_CHAN_DISABLED))
5486                 return -EINVAL;
5487
5488         ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
5489         ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
5490
5491         if (info->attrs[NL80211_ATTR_IE]) {
5492                 ie = nla_data(info->attrs[NL80211_ATTR_IE]);
5493                 ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5494         }
5495
5496         if (info->attrs[NL80211_ATTR_USE_MFP]) {
5497                 enum nl80211_mfp mfp =
5498                         nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
5499                 if (mfp == NL80211_MFP_REQUIRED)
5500                         use_mfp = true;
5501                 else if (mfp != NL80211_MFP_NO)
5502                         return -EINVAL;
5503         }
5504
5505         if (info->attrs[NL80211_ATTR_PREV_BSSID])
5506                 prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
5507
5508         if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
5509                 flags |= ASSOC_REQ_DISABLE_HT;
5510
5511         if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
5512                 ht_capa_mask =
5513                         nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]);
5514
5515         if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
5516                 if (!ht_capa_mask)
5517                         return -EINVAL;
5518                 ht_capa = nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
5519         }
5520
5521         err = nl80211_crypto_settings(rdev, info, &crypto, 1);
5522         if (!err)
5523                 err = cfg80211_mlme_assoc(rdev, dev, chan, bssid, prev_bssid,
5524                                           ssid, ssid_len, ie, ie_len, use_mfp,
5525                                           &crypto, flags, ht_capa,
5526                                           ht_capa_mask);
5527
5528         return err;
5529 }
5530
5531 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
5532 {
5533         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5534         struct net_device *dev = info->user_ptr[1];
5535         const u8 *ie = NULL, *bssid;
5536         int ie_len = 0;
5537         u16 reason_code;
5538         bool local_state_change;
5539
5540         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
5541                 return -EINVAL;
5542
5543         if (!info->attrs[NL80211_ATTR_MAC])
5544                 return -EINVAL;
5545
5546         if (!info->attrs[NL80211_ATTR_REASON_CODE])
5547                 return -EINVAL;
5548
5549         if (!rdev->ops->deauth)
5550                 return -EOPNOTSUPP;
5551
5552         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
5553             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
5554                 return -EOPNOTSUPP;
5555
5556         bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
5557
5558         reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
5559         if (reason_code == 0) {
5560                 /* Reason Code 0 is reserved */
5561                 return -EINVAL;
5562         }
5563
5564         if (info->attrs[NL80211_ATTR_IE]) {
5565                 ie = nla_data(info->attrs[NL80211_ATTR_IE]);
5566                 ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5567         }
5568
5569         local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
5570
5571         return cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
5572                                     local_state_change);
5573 }
5574
5575 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
5576 {
5577         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5578         struct net_device *dev = info->user_ptr[1];
5579         const u8 *ie = NULL, *bssid;
5580         int ie_len = 0;
5581         u16 reason_code;
5582         bool local_state_change;
5583
5584         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
5585                 return -EINVAL;
5586
5587         if (!info->attrs[NL80211_ATTR_MAC])
5588                 return -EINVAL;
5589
5590         if (!info->attrs[NL80211_ATTR_REASON_CODE])
5591                 return -EINVAL;
5592
5593         if (!rdev->ops->disassoc)
5594                 return -EOPNOTSUPP;
5595
5596         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
5597             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
5598                 return -EOPNOTSUPP;
5599
5600         bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
5601
5602         reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
5603         if (reason_code == 0) {
5604                 /* Reason Code 0 is reserved */
5605                 return -EINVAL;
5606         }
5607
5608         if (info->attrs[NL80211_ATTR_IE]) {
5609                 ie = nla_data(info->attrs[NL80211_ATTR_IE]);
5610                 ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5611         }
5612
5613         local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
5614
5615         return cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
5616                                       local_state_change);
5617 }
5618
5619 static bool
5620 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
5621                          int mcast_rate[IEEE80211_NUM_BANDS],
5622                          int rateval)
5623 {
5624         struct wiphy *wiphy = &rdev->wiphy;
5625         bool found = false;
5626         int band, i;
5627
5628         for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
5629                 struct ieee80211_supported_band *sband;
5630
5631                 sband = wiphy->bands[band];
5632                 if (!sband)
5633                         continue;
5634
5635                 for (i = 0; i < sband->n_bitrates; i++) {
5636                         if (sband->bitrates[i].bitrate == rateval) {
5637                                 mcast_rate[band] = i + 1;
5638                                 found = true;
5639                                 break;
5640                         }
5641                 }
5642         }
5643
5644         return found;
5645 }
5646
5647 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
5648 {
5649         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5650         struct net_device *dev = info->user_ptr[1];
5651         struct cfg80211_ibss_params ibss;
5652         struct wiphy *wiphy;
5653         struct cfg80211_cached_keys *connkeys = NULL;
5654         int err;
5655
5656         memset(&ibss, 0, sizeof(ibss));
5657
5658         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
5659                 return -EINVAL;
5660
5661         if (!info->attrs[NL80211_ATTR_SSID] ||
5662             !nla_len(info->attrs[NL80211_ATTR_SSID]))
5663                 return -EINVAL;
5664
5665         ibss.beacon_interval = 100;
5666
5667         if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
5668                 ibss.beacon_interval =
5669                         nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
5670                 if (ibss.beacon_interval < 1 || ibss.beacon_interval > 10000)
5671                         return -EINVAL;
5672         }
5673
5674         if (!rdev->ops->join_ibss)
5675                 return -EOPNOTSUPP;
5676
5677         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
5678                 return -EOPNOTSUPP;
5679
5680         wiphy = &rdev->wiphy;
5681
5682         if (info->attrs[NL80211_ATTR_MAC]) {
5683                 ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
5684
5685                 if (!is_valid_ether_addr(ibss.bssid))
5686                         return -EINVAL;
5687         }
5688         ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
5689         ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
5690
5691         if (info->attrs[NL80211_ATTR_IE]) {
5692                 ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
5693                 ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5694         }
5695
5696         err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
5697         if (err)
5698                 return err;
5699
5700         if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef))
5701                 return -EINVAL;
5702
5703         if (ibss.chandef.width > NL80211_CHAN_WIDTH_40)
5704                 return -EINVAL;
5705         if (ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
5706             !(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
5707                 return -EINVAL;
5708
5709         ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
5710         ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
5711
5712         if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
5713                 u8 *rates =
5714                         nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
5715                 int n_rates =
5716                         nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
5717                 struct ieee80211_supported_band *sband =
5718                         wiphy->bands[ibss.chandef.chan->band];
5719
5720                 err = ieee80211_get_ratemask(sband, rates, n_rates,
5721                                              &ibss.basic_rates);
5722                 if (err)
5723                         return err;
5724         }
5725
5726         if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
5727             !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
5728                         nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
5729                 return -EINVAL;
5730
5731         if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
5732                 bool no_ht = false;
5733
5734                 connkeys = nl80211_parse_connkeys(rdev,
5735                                           info->attrs[NL80211_ATTR_KEYS],
5736                                           &no_ht);
5737                 if (IS_ERR(connkeys))
5738                         return PTR_ERR(connkeys);
5739
5740                 if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
5741                     no_ht) {
5742                         kfree(connkeys);
5743                         return -EINVAL;
5744                 }
5745         }
5746
5747         ibss.control_port =
5748                 nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
5749
5750         err = cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
5751         if (err)
5752                 kfree(connkeys);
5753         return err;
5754 }
5755
5756 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
5757 {
5758         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5759         struct net_device *dev = info->user_ptr[1];
5760
5761         if (!rdev->ops->leave_ibss)
5762                 return -EOPNOTSUPP;
5763
5764         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
5765                 return -EOPNOTSUPP;
5766
5767         return cfg80211_l