1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * This is the new netlink-based wireless configuration interface.
4  *
5  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
6  * Copyright 2013-2014  Intel Mobile Communications GmbH
7  * Copyright 2015-2017	Intel Deutschland GmbH
8  * Copyright (C) 2018-2021 Intel Corporation
9  */
10 
11 #include <linux/if.h>
12 #include <linux/module.h>
13 #include <linux/err.h>
14 #include <linux/slab.h>
15 #include <linux/list.h>
16 #include <linux/if_ether.h>
17 #include <linux/ieee80211.h>
18 #include <linux/nl80211.h>
19 #include <linux/rtnetlink.h>
20 #include <linux/netlink.h>
21 #include <linux/nospec.h>
22 #include <linux/etherdevice.h>
23 #include <linux/if_vlan.h>
24 #include <net/net_namespace.h>
25 #include <net/genetlink.h>
26 #include <net/cfg80211.h>
27 #include <net/sock.h>
28 #include <net/inet_connection_sock.h>
29 #include "core.h"
30 #include "nl80211.h"
31 #include "reg.h"
32 #include "rdev-ops.h"
33 
34 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
35 				   struct genl_info *info,
36 				   struct cfg80211_crypto_settings *settings,
37 				   int cipher_limit);
38 
39 /* the netlink family */
40 static struct genl_family nl80211_fam;
41 
42 /* multicast groups */
43 enum nl80211_multicast_groups {
44 	NL80211_MCGRP_CONFIG,
45 	NL80211_MCGRP_SCAN,
46 	NL80211_MCGRP_REGULATORY,
47 	NL80211_MCGRP_MLME,
48 	NL80211_MCGRP_VENDOR,
49 	NL80211_MCGRP_NAN,
50 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
51 };
52 
53 static const struct genl_multicast_group nl80211_mcgrps[] = {
54 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
55 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
56 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
57 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
58 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
59 	[NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
60 #ifdef CONFIG_NL80211_TESTMODE
61 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
62 #endif
63 };
64 
65 /* returns ERR_PTR values */
66 static struct wireless_dev *
__cfg80211_wdev_from_attrs(struct cfg80211_registered_device * rdev,struct net * netns,struct nlattr ** attrs)67 __cfg80211_wdev_from_attrs(struct cfg80211_registered_device *rdev,
68 			   struct net *netns, struct nlattr **attrs)
69 {
70 	struct wireless_dev *result = NULL;
71 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
72 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
73 	u64 wdev_id = 0;
74 	int wiphy_idx = -1;
75 	int ifidx = -1;
76 
77 	if (!have_ifidx && !have_wdev_id)
78 		return ERR_PTR(-EINVAL);
79 
80 	if (have_ifidx)
81 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
82 	if (have_wdev_id) {
83 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
84 		wiphy_idx = wdev_id >> 32;
85 	}
86 
87 	if (rdev) {
88 		struct wireless_dev *wdev;
89 
90 		lockdep_assert_held(&rdev->wiphy.mtx);
91 
92 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
93 			if (have_ifidx && wdev->netdev &&
94 			    wdev->netdev->ifindex == ifidx) {
95 				result = wdev;
96 				break;
97 			}
98 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
99 				result = wdev;
100 				break;
101 			}
102 		}
103 
104 		return result ?: ERR_PTR(-ENODEV);
105 	}
106 
107 	ASSERT_RTNL();
108 
109 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
110 		struct wireless_dev *wdev;
111 
112 		if (wiphy_net(&rdev->wiphy) != netns)
113 			continue;
114 
115 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
116 			continue;
117 
118 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
119 			if (have_ifidx && wdev->netdev &&
120 			    wdev->netdev->ifindex == ifidx) {
121 				result = wdev;
122 				break;
123 			}
124 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
125 				result = wdev;
126 				break;
127 			}
128 		}
129 
130 		if (result)
131 			break;
132 	}
133 
134 	if (result)
135 		return result;
136 	return ERR_PTR(-ENODEV);
137 }
138 
139 static struct cfg80211_registered_device *
__cfg80211_rdev_from_attrs(struct net * netns,struct nlattr ** attrs)140 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
141 {
142 	struct cfg80211_registered_device *rdev = NULL, *tmp;
143 	struct net_device *netdev;
144 
145 	ASSERT_RTNL();
146 
147 	if (!attrs[NL80211_ATTR_WIPHY] &&
148 	    !attrs[NL80211_ATTR_IFINDEX] &&
149 	    !attrs[NL80211_ATTR_WDEV])
150 		return ERR_PTR(-EINVAL);
151 
152 	if (attrs[NL80211_ATTR_WIPHY])
153 		rdev = cfg80211_rdev_by_wiphy_idx(
154 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
155 
156 	if (attrs[NL80211_ATTR_WDEV]) {
157 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
158 		struct wireless_dev *wdev;
159 		bool found = false;
160 
161 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
162 		if (tmp) {
163 			/* make sure wdev exists */
164 			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
165 				if (wdev->identifier != (u32)wdev_id)
166 					continue;
167 				found = true;
168 				break;
169 			}
170 
171 			if (!found)
172 				tmp = NULL;
173 
174 			if (rdev && tmp != rdev)
175 				return ERR_PTR(-EINVAL);
176 			rdev = tmp;
177 		}
178 	}
179 
180 	if (attrs[NL80211_ATTR_IFINDEX]) {
181 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
182 
183 		netdev = __dev_get_by_index(netns, ifindex);
184 		if (netdev) {
185 			if (netdev->ieee80211_ptr)
186 				tmp = wiphy_to_rdev(
187 					netdev->ieee80211_ptr->wiphy);
188 			else
189 				tmp = NULL;
190 
191 			/* not wireless device -- return error */
192 			if (!tmp)
193 				return ERR_PTR(-EINVAL);
194 
195 			/* mismatch -- return error */
196 			if (rdev && tmp != rdev)
197 				return ERR_PTR(-EINVAL);
198 
199 			rdev = tmp;
200 		}
201 	}
202 
203 	if (!rdev)
204 		return ERR_PTR(-ENODEV);
205 
206 	if (netns != wiphy_net(&rdev->wiphy))
207 		return ERR_PTR(-ENODEV);
208 
209 	return rdev;
210 }
211 
212 /*
213  * This function returns a pointer to the driver
214  * that the genl_info item that is passed refers to.
215  *
216  * The result of this can be a PTR_ERR and hence must
217  * be checked with IS_ERR() for errors.
218  */
219 static struct cfg80211_registered_device *
cfg80211_get_dev_from_info(struct net * netns,struct genl_info * info)220 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
221 {
222 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
223 }
224 
validate_beacon_head(const struct nlattr * attr,struct netlink_ext_ack * extack)225 static int validate_beacon_head(const struct nlattr *attr,
226 				struct netlink_ext_ack *extack)
227 {
228 	const u8 *data = nla_data(attr);
229 	unsigned int len = nla_len(attr);
230 	const struct element *elem;
231 	const struct ieee80211_mgmt *mgmt = (void *)data;
232 	unsigned int fixedlen, hdrlen;
233 	bool s1g_bcn;
234 
235 	if (len < offsetofend(typeof(*mgmt), frame_control))
236 		goto err;
237 
238 	s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
239 	if (s1g_bcn) {
240 		fixedlen = offsetof(struct ieee80211_ext,
241 				    u.s1g_beacon.variable);
242 		hdrlen = offsetof(struct ieee80211_ext, u.s1g_beacon);
243 	} else {
244 		fixedlen = offsetof(struct ieee80211_mgmt,
245 				    u.beacon.variable);
246 		hdrlen = offsetof(struct ieee80211_mgmt, u.beacon);
247 	}
248 
249 	if (len < fixedlen)
250 		goto err;
251 
252 	if (ieee80211_hdrlen(mgmt->frame_control) != hdrlen)
253 		goto err;
254 
255 	data += fixedlen;
256 	len -= fixedlen;
257 
258 	for_each_element(elem, data, len) {
259 		/* nothing */
260 	}
261 
262 	if (for_each_element_completed(elem, data, len))
263 		return 0;
264 
265 err:
266 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed beacon head");
267 	return -EINVAL;
268 }
269 
validate_ie_attr(const struct nlattr * attr,struct netlink_ext_ack * extack)270 static int validate_ie_attr(const struct nlattr *attr,
271 			    struct netlink_ext_ack *extack)
272 {
273 	const u8 *data = nla_data(attr);
274 	unsigned int len = nla_len(attr);
275 	const struct element *elem;
276 
277 	for_each_element(elem, data, len) {
278 		/* nothing */
279 	}
280 
281 	if (for_each_element_completed(elem, data, len))
282 		return 0;
283 
284 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed information elements");
285 	return -EINVAL;
286 }
287 
288 /* policy for the attributes */
289 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR];
290 
291 static const struct nla_policy
292 nl80211_ftm_responder_policy[NL80211_FTM_RESP_ATTR_MAX + 1] = {
293 	[NL80211_FTM_RESP_ATTR_ENABLED] = { .type = NLA_FLAG, },
294 	[NL80211_FTM_RESP_ATTR_LCI] = { .type = NLA_BINARY,
295 					.len = U8_MAX },
296 	[NL80211_FTM_RESP_ATTR_CIVICLOC] = { .type = NLA_BINARY,
297 					     .len = U8_MAX },
298 };
299 
300 static const struct nla_policy
301 nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
302 	[NL80211_PMSR_FTM_REQ_ATTR_ASAP] = { .type = NLA_FLAG },
303 	[NL80211_PMSR_FTM_REQ_ATTR_PREAMBLE] = { .type = NLA_U32 },
304 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
305 		NLA_POLICY_MAX(NLA_U8, 15),
306 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
307 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
308 		NLA_POLICY_MAX(NLA_U8, 15),
309 	[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] =
310 		NLA_POLICY_MAX(NLA_U8, 31),
311 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES] = { .type = NLA_U8 },
312 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI] = { .type = NLA_FLAG },
313 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_CIVICLOC] = { .type = NLA_FLAG },
314 	[NL80211_PMSR_FTM_REQ_ATTR_TRIGGER_BASED] = { .type = NLA_FLAG },
315 	[NL80211_PMSR_FTM_REQ_ATTR_NON_TRIGGER_BASED] = { .type = NLA_FLAG },
316 	[NL80211_PMSR_FTM_REQ_ATTR_LMR_FEEDBACK] = { .type = NLA_FLAG },
317 };
318 
319 static const struct nla_policy
320 nl80211_pmsr_req_data_policy[NL80211_PMSR_TYPE_MAX + 1] = {
321 	[NL80211_PMSR_TYPE_FTM] =
322 		NLA_POLICY_NESTED(nl80211_pmsr_ftm_req_attr_policy),
323 };
324 
325 static const struct nla_policy
326 nl80211_pmsr_req_attr_policy[NL80211_PMSR_REQ_ATTR_MAX + 1] = {
327 	[NL80211_PMSR_REQ_ATTR_DATA] =
328 		NLA_POLICY_NESTED(nl80211_pmsr_req_data_policy),
329 	[NL80211_PMSR_REQ_ATTR_GET_AP_TSF] = { .type = NLA_FLAG },
330 };
331 
332 static const struct nla_policy
333 nl80211_pmsr_peer_attr_policy[NL80211_PMSR_PEER_ATTR_MAX + 1] = {
334 	[NL80211_PMSR_PEER_ATTR_ADDR] = NLA_POLICY_ETH_ADDR,
335 	[NL80211_PMSR_PEER_ATTR_CHAN] = NLA_POLICY_NESTED(nl80211_policy),
336 	[NL80211_PMSR_PEER_ATTR_REQ] =
337 		NLA_POLICY_NESTED(nl80211_pmsr_req_attr_policy),
338 	[NL80211_PMSR_PEER_ATTR_RESP] = { .type = NLA_REJECT },
339 };
340 
341 static const struct nla_policy
342 nl80211_pmsr_attr_policy[NL80211_PMSR_ATTR_MAX + 1] = {
343 	[NL80211_PMSR_ATTR_MAX_PEERS] = { .type = NLA_REJECT },
344 	[NL80211_PMSR_ATTR_REPORT_AP_TSF] = { .type = NLA_REJECT },
345 	[NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR] = { .type = NLA_REJECT },
346 	[NL80211_PMSR_ATTR_TYPE_CAPA] = { .type = NLA_REJECT },
347 	[NL80211_PMSR_ATTR_PEERS] =
348 		NLA_POLICY_NESTED_ARRAY(nl80211_pmsr_peer_attr_policy),
349 };
350 
351 static const struct nla_policy
352 he_obss_pd_policy[NL80211_HE_OBSS_PD_ATTR_MAX + 1] = {
353 	[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] =
354 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
355 	[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET] =
356 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
357 	[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET] =
358 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
359 	[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP] =
360 		NLA_POLICY_EXACT_LEN(8),
361 	[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP] =
362 		NLA_POLICY_EXACT_LEN(8),
363 	[NL80211_HE_OBSS_PD_ATTR_SR_CTRL] = { .type = NLA_U8 },
364 };
365 
366 static const struct nla_policy
367 he_bss_color_policy[NL80211_HE_BSS_COLOR_ATTR_MAX + 1] = {
368 	[NL80211_HE_BSS_COLOR_ATTR_COLOR] = NLA_POLICY_RANGE(NLA_U8, 1, 63),
369 	[NL80211_HE_BSS_COLOR_ATTR_DISABLED] = { .type = NLA_FLAG },
370 	[NL80211_HE_BSS_COLOR_ATTR_PARTIAL] = { .type = NLA_FLAG },
371 };
372 
373 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
374 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
375 				    .len = NL80211_MAX_SUPP_RATES },
376 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
377 				.len = NL80211_MAX_SUPP_HT_RATES },
378 	[NL80211_TXRATE_VHT] = NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_txrate_vht)),
379 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
380 	[NL80211_TXRATE_HE] = NLA_POLICY_EXACT_LEN(sizeof(struct nl80211_txrate_he)),
381 	[NL80211_TXRATE_HE_GI] =  NLA_POLICY_RANGE(NLA_U8,
382 						   NL80211_RATE_INFO_HE_GI_0_8,
383 						   NL80211_RATE_INFO_HE_GI_3_2),
384 	[NL80211_TXRATE_HE_LTF] = NLA_POLICY_RANGE(NLA_U8,
385 						   NL80211_RATE_INFO_HE_1XLTF,
386 						   NL80211_RATE_INFO_HE_4XLTF),
387 };
388 
389 static const struct nla_policy
390 nl80211_tid_config_attr_policy[NL80211_TID_CONFIG_ATTR_MAX + 1] = {
391 	[NL80211_TID_CONFIG_ATTR_VIF_SUPP] = { .type = NLA_U64 },
392 	[NL80211_TID_CONFIG_ATTR_PEER_SUPP] = { .type = NLA_U64 },
393 	[NL80211_TID_CONFIG_ATTR_OVERRIDE] = { .type = NLA_FLAG },
394 	[NL80211_TID_CONFIG_ATTR_TIDS] = NLA_POLICY_RANGE(NLA_U16, 1, 0xff),
395 	[NL80211_TID_CONFIG_ATTR_NOACK] =
396 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
397 	[NL80211_TID_CONFIG_ATTR_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
398 	[NL80211_TID_CONFIG_ATTR_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
399 	[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL] =
400 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
401 	[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL] =
402 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
403 	[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL] =
404 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
405 	[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE] =
406 			NLA_POLICY_MAX(NLA_U8, NL80211_TX_RATE_FIXED),
407 	[NL80211_TID_CONFIG_ATTR_TX_RATE] =
408 			NLA_POLICY_NESTED(nl80211_txattr_policy),
409 };
410 
411 static const struct nla_policy
412 nl80211_fils_discovery_policy[NL80211_FILS_DISCOVERY_ATTR_MAX + 1] = {
413 	[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] = NLA_POLICY_MAX(NLA_U32, 10000),
414 	[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] = NLA_POLICY_MAX(NLA_U32, 10000),
415 	[NL80211_FILS_DISCOVERY_ATTR_TMPL] =
416 			NLA_POLICY_RANGE(NLA_BINARY,
417 					 NL80211_FILS_DISCOVERY_TMPL_MIN_LEN,
418 					 IEEE80211_MAX_DATA_LEN),
419 };
420 
421 static const struct nla_policy
422 nl80211_unsol_bcast_probe_resp_policy[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1] = {
423 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] = NLA_POLICY_MAX(NLA_U32, 20),
424 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL] = { .type = NLA_BINARY,
425 						       .len = IEEE80211_MAX_DATA_LEN }
426 };
427 
428 static const struct nla_policy
429 sar_specs_policy[NL80211_SAR_ATTR_SPECS_MAX + 1] = {
430 	[NL80211_SAR_ATTR_SPECS_POWER] = { .type = NLA_S32 },
431 	[NL80211_SAR_ATTR_SPECS_RANGE_INDEX] = {.type = NLA_U32 },
432 };
433 
434 static const struct nla_policy
435 sar_policy[NL80211_SAR_ATTR_MAX + 1] = {
436 	[NL80211_SAR_ATTR_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_SAR_TYPE),
437 	[NL80211_SAR_ATTR_SPECS] = NLA_POLICY_NESTED_ARRAY(sar_specs_policy),
438 };
439 
440 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
441 	[0] = { .strict_start_type = NL80211_ATTR_HE_OBSS_PD },
442 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
443 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
444 				      .len = 20-1 },
445 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
446 
447 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
448 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
449 	[NL80211_ATTR_WIPHY_EDMG_CHANNELS] = NLA_POLICY_RANGE(NLA_U8,
450 						NL80211_EDMG_CHANNELS_MIN,
451 						NL80211_EDMG_CHANNELS_MAX),
452 	[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG] = NLA_POLICY_RANGE(NLA_U8,
453 						NL80211_EDMG_BW_CONFIG_MIN,
454 						NL80211_EDMG_BW_CONFIG_MAX),
455 
456 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
457 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
458 	[NL80211_ATTR_CENTER_FREQ1_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
459 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
460 
461 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
462 	[NL80211_ATTR_WIPHY_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
463 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
464 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
465 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
466 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
467 
468 	[NL80211_ATTR_IFTYPE] = NLA_POLICY_MAX(NLA_U32, NL80211_IFTYPE_MAX),
469 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
470 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
471 
472 	[NL80211_ATTR_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
473 	[NL80211_ATTR_PREV_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
474 
475 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
476 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
477 				    .len = WLAN_MAX_KEY_LEN },
478 	[NL80211_ATTR_KEY_IDX] = NLA_POLICY_MAX(NLA_U8, 7),
479 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
480 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
481 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
482 	[NL80211_ATTR_KEY_TYPE] =
483 		NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES),
484 
485 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
486 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
487 	[NL80211_ATTR_BEACON_HEAD] =
488 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
489 				       IEEE80211_MAX_DATA_LEN),
490 	[NL80211_ATTR_BEACON_TAIL] =
491 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
492 				       IEEE80211_MAX_DATA_LEN),
493 	[NL80211_ATTR_STA_AID] =
494 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
495 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
496 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
497 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
498 					       .len = NL80211_MAX_SUPP_RATES },
499 	[NL80211_ATTR_STA_PLINK_ACTION] =
500 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_ACTIONS - 1),
501 	[NL80211_ATTR_STA_TX_POWER_SETTING] =
502 		NLA_POLICY_RANGE(NLA_U8,
503 				 NL80211_TX_POWER_AUTOMATIC,
504 				 NL80211_TX_POWER_FIXED),
505 	[NL80211_ATTR_STA_TX_POWER] = { .type = NLA_S16 },
506 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
507 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
508 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
509 				   .len = IEEE80211_MAX_MESH_ID_LEN },
510 	[NL80211_ATTR_MPATH_NEXT_HOP] = NLA_POLICY_ETH_ADDR_COMPAT,
511 
512 	[NL80211_ATTR_REG_ALPHA2] = { .type = NLA_STRING, .len = 2 },
513 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
514 
515 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
516 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
517 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
518 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
519 					   .len = NL80211_MAX_SUPP_RATES },
520 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
521 
522 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
523 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
524 
525 	[NL80211_ATTR_HT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_HT_CAPABILITY_LEN),
526 
527 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
528 	[NL80211_ATTR_IE] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
529 						   validate_ie_attr,
530 						   IEEE80211_MAX_DATA_LEN),
531 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
532 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
533 
534 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
535 				.len = IEEE80211_MAX_SSID_LEN },
536 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
537 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
538 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
539 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
540 	[NL80211_ATTR_USE_MFP] = NLA_POLICY_RANGE(NLA_U32,
541 						  NL80211_MFP_NO,
542 						  NL80211_MFP_OPTIONAL),
543 	[NL80211_ATTR_STA_FLAGS2] = {
544 		.len = sizeof(struct nl80211_sta_flag_update),
545 	},
546 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
547 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
548 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
549 	[NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
550 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
551 	[NL80211_ATTR_STATUS_CODE] = { .type = NLA_U16 },
552 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
553 	[NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
554 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
555 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
556 	[NL80211_ATTR_PMKID] = NLA_POLICY_EXACT_LEN_WARN(WLAN_PMKID_LEN),
557 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
558 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
559 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
560 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
561 				 .len = IEEE80211_MAX_DATA_LEN },
562 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
563 	[NL80211_ATTR_PS_STATE] = NLA_POLICY_RANGE(NLA_U32,
564 						   NL80211_PS_DISABLED,
565 						   NL80211_PS_ENABLED),
566 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
567 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
568 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
569 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
570 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
571 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
572 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
573 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
574 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
575 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
576 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
577 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
578 	[NL80211_ATTR_STA_PLINK_STATE] =
579 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_STATES - 1),
580 	[NL80211_ATTR_MEASUREMENT_DURATION] = { .type = NLA_U16 },
581 	[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY] = { .type = NLA_FLAG },
582 	[NL80211_ATTR_MESH_PEER_AID] =
583 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
584 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
585 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
586 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
587 	[NL80211_ATTR_HIDDEN_SSID] =
588 		NLA_POLICY_RANGE(NLA_U32,
589 				 NL80211_HIDDEN_SSID_NOT_IN_USE,
590 				 NL80211_HIDDEN_SSID_ZERO_CONTENTS),
591 	[NL80211_ATTR_IE_PROBE_RESP] =
592 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
593 				       IEEE80211_MAX_DATA_LEN),
594 	[NL80211_ATTR_IE_ASSOC_RESP] =
595 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
596 				       IEEE80211_MAX_DATA_LEN),
597 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
598 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
599 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
600 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
601 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
602 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
603 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
604 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
605 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
606 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
607 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
608 				      .len = IEEE80211_MAX_DATA_LEN },
609 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
610 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
611 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
612 		.len = NL80211_HT_CAPABILITY_LEN
613 	},
614 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
615 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
616 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
617 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
618 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
619 
620 	/* need to include at least Auth Transaction and Status Code */
621 	[NL80211_ATTR_AUTH_DATA] = NLA_POLICY_MIN_LEN(4),
622 
623 	[NL80211_ATTR_VHT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_VHT_CAPABILITY_LEN),
624 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
625 	[NL80211_ATTR_P2P_CTWINDOW] = NLA_POLICY_MAX(NLA_U8, 127),
626 	[NL80211_ATTR_P2P_OPPPS] = NLA_POLICY_MAX(NLA_U8, 1),
627 	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] =
628 		NLA_POLICY_RANGE(NLA_U32,
629 				 NL80211_MESH_POWER_UNKNOWN + 1,
630 				 NL80211_MESH_POWER_MAX),
631 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
632 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
633 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
634 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
635 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
636 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
637 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
638 		.len = NL80211_VHT_CAPABILITY_LEN,
639 	},
640 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
641 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
642 				  .len = IEEE80211_MAX_DATA_LEN },
643 	[NL80211_ATTR_CRIT_PROT_ID] = { .type = NLA_U16 },
644 	[NL80211_ATTR_MAX_CRIT_PROT_DURATION] =
645 		NLA_POLICY_MAX(NLA_U16, NL80211_CRIT_PROTO_MAX_DURATION),
646 	[NL80211_ATTR_PEER_AID] =
647 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
648 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
649 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
650 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
651 	[NL80211_ATTR_CNTDWN_OFFS_BEACON] = { .type = NLA_BINARY },
652 	[NL80211_ATTR_CNTDWN_OFFS_PRESP] = { .type = NLA_BINARY },
653 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = NLA_POLICY_MIN_LEN(2),
654 	/*
655 	 * The value of the Length field of the Supported Operating
656 	 * Classes element is between 2 and 253.
657 	 */
658 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] =
659 		NLA_POLICY_RANGE(NLA_BINARY, 2, 253),
660 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
661 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
662 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
663 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
664 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
665 	[NL80211_ATTR_QOS_MAP] = NLA_POLICY_RANGE(NLA_BINARY,
666 						  IEEE80211_QOS_MAP_LEN_MIN,
667 						  IEEE80211_QOS_MAP_LEN_MAX),
668 	[NL80211_ATTR_MAC_HINT] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
669 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
670 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
671 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
672 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
673 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
674 	[NL80211_ATTR_TSID] = NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_TIDS - 1),
675 	[NL80211_ATTR_USER_PRIO] =
676 		NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_UPS - 1),
677 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
678 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
679 	[NL80211_ATTR_OPER_CLASS] = { .type = NLA_U8 },
680 	[NL80211_ATTR_MAC_MASK] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
681 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
682 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
683 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
684 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
685 	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
686 	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
687 	[NL80211_ATTR_STA_SUPPORT_P2P_PS] =
688 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_P2P_PS_STATUS - 1),
689 	[NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
690 		.len = VHT_MUMIMO_GROUPS_DATA_LEN
691 	},
692 	[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
693 	[NL80211_ATTR_NAN_MASTER_PREF] = NLA_POLICY_MIN(NLA_U8, 1),
694 	[NL80211_ATTR_BANDS] = { .type = NLA_U32 },
695 	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
696 	[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
697 				    .len = FILS_MAX_KEK_LEN },
698 	[NL80211_ATTR_FILS_NONCES] = NLA_POLICY_EXACT_LEN_WARN(2 * FILS_NONCE_LEN),
699 	[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
700 	[NL80211_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
701 	[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
702 	[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
703 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
704 	},
705 	[NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
706 	[NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
707 					     .len = FILS_ERP_MAX_USERNAME_LEN },
708 	[NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
709 					  .len = FILS_ERP_MAX_REALM_LEN },
710 	[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
711 	[NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
712 					.len = FILS_ERP_MAX_RRK_LEN },
713 	[NL80211_ATTR_FILS_CACHE_ID] = NLA_POLICY_EXACT_LEN_WARN(2),
714 	[NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
715 	[NL80211_ATTR_PMKR0_NAME] = NLA_POLICY_EXACT_LEN(WLAN_PMK_NAME_LEN),
716 	[NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
717 	[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },
718 
719 	[NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
720 	[NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
721 	[NL80211_ATTR_TXQ_QUANTUM] = { .type = NLA_U32 },
722 	[NL80211_ATTR_HE_CAPABILITY] =
723 		NLA_POLICY_RANGE(NLA_BINARY,
724 				 NL80211_HE_MIN_CAPABILITY_LEN,
725 				 NL80211_HE_MAX_CAPABILITY_LEN),
726 	[NL80211_ATTR_FTM_RESPONDER] =
727 		NLA_POLICY_NESTED(nl80211_ftm_responder_policy),
728 	[NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
729 	[NL80211_ATTR_PEER_MEASUREMENTS] =
730 		NLA_POLICY_NESTED(nl80211_pmsr_attr_policy),
731 	[NL80211_ATTR_AIRTIME_WEIGHT] = NLA_POLICY_MIN(NLA_U16, 1),
732 	[NL80211_ATTR_SAE_PASSWORD] = { .type = NLA_BINARY,
733 					.len = SAE_PASSWORD_MAX_LEN },
734 	[NL80211_ATTR_TWT_RESPONDER] = { .type = NLA_FLAG },
735 	[NL80211_ATTR_HE_OBSS_PD] = NLA_POLICY_NESTED(he_obss_pd_policy),
736 	[NL80211_ATTR_VLAN_ID] = NLA_POLICY_RANGE(NLA_U16, 1, VLAN_N_VID - 2),
737 	[NL80211_ATTR_HE_BSS_COLOR] = NLA_POLICY_NESTED(he_bss_color_policy),
738 	[NL80211_ATTR_TID_CONFIG] =
739 		NLA_POLICY_NESTED_ARRAY(nl80211_tid_config_attr_policy),
740 	[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH] = { .type = NLA_FLAG },
741 	[NL80211_ATTR_PMK_LIFETIME] = NLA_POLICY_MIN(NLA_U32, 1),
742 	[NL80211_ATTR_PMK_REAUTH_THRESHOLD] = NLA_POLICY_RANGE(NLA_U8, 1, 100),
743 	[NL80211_ATTR_RECEIVE_MULTICAST] = { .type = NLA_FLAG },
744 	[NL80211_ATTR_WIPHY_FREQ_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
745 	[NL80211_ATTR_SCAN_FREQ_KHZ] = { .type = NLA_NESTED },
746 	[NL80211_ATTR_HE_6GHZ_CAPABILITY] =
747 		NLA_POLICY_EXACT_LEN(sizeof(struct ieee80211_he_6ghz_capa)),
748 	[NL80211_ATTR_FILS_DISCOVERY] =
749 		NLA_POLICY_NESTED(nl80211_fils_discovery_policy),
750 	[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP] =
751 		NLA_POLICY_NESTED(nl80211_unsol_bcast_probe_resp_policy),
752 	[NL80211_ATTR_S1G_CAPABILITY] =
753 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
754 	[NL80211_ATTR_S1G_CAPABILITY_MASK] =
755 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
756 	[NL80211_ATTR_SAE_PWE] =
757 		NLA_POLICY_RANGE(NLA_U8, NL80211_SAE_PWE_HUNT_AND_PECK,
758 				 NL80211_SAE_PWE_BOTH),
759 	[NL80211_ATTR_RECONNECT_REQUESTED] = { .type = NLA_REJECT },
760 	[NL80211_ATTR_SAR_SPEC] = NLA_POLICY_NESTED(sar_policy),
761 	[NL80211_ATTR_DISABLE_HE] = { .type = NLA_FLAG },
762 	[NL80211_ATTR_OBSS_COLOR_BITMAP] = { .type = NLA_U64 },
763 	[NL80211_ATTR_COLOR_CHANGE_COUNT] = { .type = NLA_U8 },
764 	[NL80211_ATTR_COLOR_CHANGE_COLOR] = { .type = NLA_U8 },
765 	[NL80211_ATTR_COLOR_CHANGE_ELEMS] = NLA_POLICY_NESTED(nl80211_policy),
766 };
767 
768 /* policy for the key attributes */
769 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
770 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
771 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
772 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
773 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
774 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
775 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
776 	[NL80211_KEY_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES - 1),
777 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
778 	[NL80211_KEY_MODE] = NLA_POLICY_RANGE(NLA_U8, 0, NL80211_KEY_SET_TX),
779 };
780 
781 /* policy for the key default flags */
782 static const struct nla_policy
783 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
784 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
785 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
786 };
787 
788 #ifdef CONFIG_PM
789 /* policy for WoWLAN attributes */
790 static const struct nla_policy
791 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
792 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
793 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
794 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
795 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
796 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
797 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
798 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
799 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
800 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
801 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
802 };
803 
804 static const struct nla_policy
805 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
806 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
807 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
808 	[NL80211_WOWLAN_TCP_DST_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
809 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
810 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
811 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
812 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
813 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
814 	},
815 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
816 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
817 	},
818 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
819 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
820 	[NL80211_WOWLAN_TCP_WAKE_MASK] = NLA_POLICY_MIN_LEN(1),
821 };
822 #endif /* CONFIG_PM */
823 
824 /* policy for coalesce rule attributes */
825 static const struct nla_policy
826 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
827 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
828 	[NL80211_ATTR_COALESCE_RULE_CONDITION] =
829 		NLA_POLICY_RANGE(NLA_U32,
830 				 NL80211_COALESCE_CONDITION_MATCH,
831 				 NL80211_COALESCE_CONDITION_NO_MATCH),
832 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
833 };
834 
835 /* policy for GTK rekey offload attributes */
836 static const struct nla_policy
837 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
838 	[NL80211_REKEY_DATA_KEK] = {
839 		.type = NLA_BINARY,
840 		.len = NL80211_KEK_EXT_LEN
841 	},
842 	[NL80211_REKEY_DATA_KCK] = {
843 		.type = NLA_BINARY,
844 		.len = NL80211_KCK_EXT_LEN
845 	},
846 	[NL80211_REKEY_DATA_REPLAY_CTR] = NLA_POLICY_EXACT_LEN(NL80211_REPLAY_CTR_LEN),
847 	[NL80211_REKEY_DATA_AKM] = { .type = NLA_U32 },
848 };
849 
850 static const struct nla_policy
851 nl80211_match_band_rssi_policy[NUM_NL80211_BANDS] = {
852 	[NL80211_BAND_2GHZ] = { .type = NLA_S32 },
853 	[NL80211_BAND_5GHZ] = { .type = NLA_S32 },
854 	[NL80211_BAND_6GHZ] = { .type = NLA_S32 },
855 	[NL80211_BAND_60GHZ] = { .type = NLA_S32 },
856 };
857 
858 static const struct nla_policy
859 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
860 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
861 						 .len = IEEE80211_MAX_SSID_LEN },
862 	[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
863 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
864 	[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI] =
865 		NLA_POLICY_NESTED(nl80211_match_band_rssi_policy),
866 };
867 
868 static const struct nla_policy
869 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
870 	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
871 	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
872 };
873 
874 static const struct nla_policy
875 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
876 	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
877 	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
878 	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
879 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
880 	},
881 };
882 
883 /* policy for NAN function attributes */
884 static const struct nla_policy
885 nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
886 	[NL80211_NAN_FUNC_TYPE] =
887 		NLA_POLICY_MAX(NLA_U8, NL80211_NAN_FUNC_MAX_TYPE),
888 	[NL80211_NAN_FUNC_SERVICE_ID] = {
889 				    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
890 	[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
891 	[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
892 	[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
893 	[NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
894 	[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
895 	[NL80211_NAN_FUNC_FOLLOW_UP_DEST] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
896 	[NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
897 	[NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
898 	[NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
899 			.len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
900 	[NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
901 	[NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
902 	[NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
903 	[NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
904 	[NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
905 };
906 
907 /* policy for Service Response Filter attributes */
908 static const struct nla_policy
909 nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
910 	[NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
911 	[NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
912 				 .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
913 	[NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
914 	[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
915 };
916 
917 /* policy for packet pattern attributes */
918 static const struct nla_policy
919 nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
920 	[NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
921 	[NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
922 	[NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
923 };
924 
nl80211_prepare_wdev_dump(struct netlink_callback * cb,struct cfg80211_registered_device ** rdev,struct wireless_dev ** wdev)925 int nl80211_prepare_wdev_dump(struct netlink_callback *cb,
926 			      struct cfg80211_registered_device **rdev,
927 			      struct wireless_dev **wdev)
928 {
929 	int err;
930 
931 	if (!cb->args[0]) {
932 		struct nlattr **attrbuf;
933 
934 		attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
935 				  GFP_KERNEL);
936 		if (!attrbuf)
937 			return -ENOMEM;
938 
939 		err = nlmsg_parse_deprecated(cb->nlh,
940 					     GENL_HDRLEN + nl80211_fam.hdrsize,
941 					     attrbuf, nl80211_fam.maxattr,
942 					     nl80211_policy, NULL);
943 		if (err) {
944 			kfree(attrbuf);
945 			return err;
946 		}
947 
948 		rtnl_lock();
949 		*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(cb->skb->sk),
950 						   attrbuf);
951 		kfree(attrbuf);
952 		if (IS_ERR(*wdev)) {
953 			rtnl_unlock();
954 			return PTR_ERR(*wdev);
955 		}
956 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
957 		mutex_lock(&(*rdev)->wiphy.mtx);
958 		rtnl_unlock();
959 		/* 0 is the first index - add 1 to parse only once */
960 		cb->args[0] = (*rdev)->wiphy_idx + 1;
961 		cb->args[1] = (*wdev)->identifier;
962 	} else {
963 		/* subtract the 1 again here */
964 		struct wiphy *wiphy;
965 		struct wireless_dev *tmp;
966 
967 		rtnl_lock();
968 		wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
969 		if (!wiphy) {
970 			rtnl_unlock();
971 			return -ENODEV;
972 		}
973 		*rdev = wiphy_to_rdev(wiphy);
974 		*wdev = NULL;
975 
976 		list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
977 			if (tmp->identifier == cb->args[1]) {
978 				*wdev = tmp;
979 				break;
980 			}
981 		}
982 
983 		if (!*wdev) {
984 			rtnl_unlock();
985 			return -ENODEV;
986 		}
987 		mutex_lock(&(*rdev)->wiphy.mtx);
988 		rtnl_unlock();
989 	}
990 
991 	return 0;
992 }
993 
994 /* message building helper */
nl80211hdr_put(struct sk_buff * skb,u32 portid,u32 seq,int flags,u8 cmd)995 void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
996 		     int flags, u8 cmd)
997 {
998 	/* since there is no private header just add the generic one */
999 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
1000 }
1001 
nl80211_msg_put_wmm_rules(struct sk_buff * msg,const struct ieee80211_reg_rule * rule)1002 static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
1003 				     const struct ieee80211_reg_rule *rule)
1004 {
1005 	int j;
1006 	struct nlattr *nl_wmm_rules =
1007 		nla_nest_start_noflag(msg, NL80211_FREQUENCY_ATTR_WMM);
1008 
1009 	if (!nl_wmm_rules)
1010 		goto nla_put_failure;
1011 
1012 	for (j = 0; j < IEEE80211_NUM_ACS; j++) {
1013 		struct nlattr *nl_wmm_rule = nla_nest_start_noflag(msg, j);
1014 
1015 		if (!nl_wmm_rule)
1016 			goto nla_put_failure;
1017 
1018 		if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
1019 				rule->wmm_rule.client[j].cw_min) ||
1020 		    nla_put_u16(msg, NL80211_WMMR_CW_MAX,
1021 				rule->wmm_rule.client[j].cw_max) ||
1022 		    nla_put_u8(msg, NL80211_WMMR_AIFSN,
1023 			       rule->wmm_rule.client[j].aifsn) ||
1024 		    nla_put_u16(msg, NL80211_WMMR_TXOP,
1025 			        rule->wmm_rule.client[j].cot))
1026 			goto nla_put_failure;
1027 
1028 		nla_nest_end(msg, nl_wmm_rule);
1029 	}
1030 	nla_nest_end(msg, nl_wmm_rules);
1031 
1032 	return 0;
1033 
1034 nla_put_failure:
1035 	return -ENOBUFS;
1036 }
1037 
nl80211_msg_put_channel(struct sk_buff * msg,struct wiphy * wiphy,struct ieee80211_channel * chan,bool large)1038 static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
1039 				   struct ieee80211_channel *chan,
1040 				   bool large)
1041 {
1042 	/* Some channels must be completely excluded from the
1043 	 * list to protect old user-space tools from breaking
1044 	 */
1045 	if (!large && chan->flags &
1046 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
1047 		return 0;
1048 	if (!large && chan->freq_offset)
1049 		return 0;
1050 
1051 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
1052 			chan->center_freq))
1053 		goto nla_put_failure;
1054 
1055 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_OFFSET, chan->freq_offset))
1056 		goto nla_put_failure;
1057 
1058 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
1059 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
1060 		goto nla_put_failure;
1061 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
1062 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
1063 			goto nla_put_failure;
1064 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
1065 			goto nla_put_failure;
1066 	}
1067 	if (chan->flags & IEEE80211_CHAN_RADAR) {
1068 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
1069 			goto nla_put_failure;
1070 		if (large) {
1071 			u32 time;
1072 
1073 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
1074 
1075 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
1076 					chan->dfs_state))
1077 				goto nla_put_failure;
1078 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
1079 					time))
1080 				goto nla_put_failure;
1081 			if (nla_put_u32(msg,
1082 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
1083 					chan->dfs_cac_ms))
1084 				goto nla_put_failure;
1085 		}
1086 	}
1087 
1088 	if (large) {
1089 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
1090 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
1091 			goto nla_put_failure;
1092 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
1093 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
1094 			goto nla_put_failure;
1095 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
1096 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
1097 			goto nla_put_failure;
1098 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
1099 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
1100 			goto nla_put_failure;
1101 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
1102 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
1103 			goto nla_put_failure;
1104 		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
1105 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
1106 			goto nla_put_failure;
1107 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
1108 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
1109 			goto nla_put_failure;
1110 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
1111 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
1112 			goto nla_put_failure;
1113 		if ((chan->flags & IEEE80211_CHAN_NO_HE) &&
1114 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HE))
1115 			goto nla_put_failure;
1116 		if ((chan->flags & IEEE80211_CHAN_1MHZ) &&
1117 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_1MHZ))
1118 			goto nla_put_failure;
1119 		if ((chan->flags & IEEE80211_CHAN_2MHZ) &&
1120 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_2MHZ))
1121 			goto nla_put_failure;
1122 		if ((chan->flags & IEEE80211_CHAN_4MHZ) &&
1123 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_4MHZ))
1124 			goto nla_put_failure;
1125 		if ((chan->flags & IEEE80211_CHAN_8MHZ) &&
1126 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_8MHZ))
1127 			goto nla_put_failure;
1128 		if ((chan->flags & IEEE80211_CHAN_16MHZ) &&
1129 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_16MHZ))
1130 			goto nla_put_failure;
1131 	}
1132 
1133 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
1134 			DBM_TO_MBM(chan->max_power)))
1135 		goto nla_put_failure;
1136 
1137 	if (large) {
1138 		const struct ieee80211_reg_rule *rule =
1139 			freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
1140 
1141 		if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
1142 			if (nl80211_msg_put_wmm_rules(msg, rule))
1143 				goto nla_put_failure;
1144 		}
1145 	}
1146 
1147 	return 0;
1148 
1149  nla_put_failure:
1150 	return -ENOBUFS;
1151 }
1152 
nl80211_put_txq_stats(struct sk_buff * msg,struct cfg80211_txq_stats * txqstats,int attrtype)1153 static bool nl80211_put_txq_stats(struct sk_buff *msg,
1154 				  struct cfg80211_txq_stats *txqstats,
1155 				  int attrtype)
1156 {
1157 	struct nlattr *txqattr;
1158 
1159 #define PUT_TXQVAL_U32(attr, memb) do {					  \
1160 	if (txqstats->filled & BIT(NL80211_TXQ_STATS_ ## attr) &&	  \
1161 	    nla_put_u32(msg, NL80211_TXQ_STATS_ ## attr, txqstats->memb)) \
1162 		return false;						  \
1163 	} while (0)
1164 
1165 	txqattr = nla_nest_start_noflag(msg, attrtype);
1166 	if (!txqattr)
1167 		return false;
1168 
1169 	PUT_TXQVAL_U32(BACKLOG_BYTES, backlog_bytes);
1170 	PUT_TXQVAL_U32(BACKLOG_PACKETS, backlog_packets);
1171 	PUT_TXQVAL_U32(FLOWS, flows);
1172 	PUT_TXQVAL_U32(DROPS, drops);
1173 	PUT_TXQVAL_U32(ECN_MARKS, ecn_marks);
1174 	PUT_TXQVAL_U32(OVERLIMIT, overlimit);
1175 	PUT_TXQVAL_U32(OVERMEMORY, overmemory);
1176 	PUT_TXQVAL_U32(COLLISIONS, collisions);
1177 	PUT_TXQVAL_U32(TX_BYTES, tx_bytes);
1178 	PUT_TXQVAL_U32(TX_PACKETS, tx_packets);
1179 	PUT_TXQVAL_U32(MAX_FLOWS, max_flows);
1180 	nla_nest_end(msg, txqattr);
1181 
1182 #undef PUT_TXQVAL_U32
1183 	return true;
1184 }
1185 
1186 /* netlink command implementations */
1187 
1188 struct key_parse {
1189 	struct key_params p;
1190 	int idx;
1191 	int type;
1192 	bool def, defmgmt, defbeacon;
1193 	bool def_uni, def_multi;
1194 };
1195 
nl80211_parse_key_new(struct genl_info * info,struct nlattr * key,struct key_parse * k)1196 static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
1197 				 struct key_parse *k)
1198 {
1199 	struct nlattr *tb[NL80211_KEY_MAX + 1];
1200 	int err = nla_parse_nested_deprecated(tb, NL80211_KEY_MAX, key,
1201 					      nl80211_key_policy,
1202 					      info->extack);
1203 	if (err)
1204 		return err;
1205 
1206 	k->def = !!tb[NL80211_KEY_DEFAULT];
1207 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
1208 	k->defbeacon = !!tb[NL80211_KEY_DEFAULT_BEACON];
1209 
1210 	if (k->def) {
1211 		k->def_uni = true;
1212 		k->def_multi = true;
1213 	}
1214 	if (k->defmgmt || k->defbeacon)
1215 		k->def_multi = true;
1216 
1217 	if (tb[NL80211_KEY_IDX])
1218 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
1219 
1220 	if (tb[NL80211_KEY_DATA]) {
1221 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
1222 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
1223 	}
1224 
1225 	if (tb[NL80211_KEY_SEQ]) {
1226 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
1227 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
1228 	}
1229 
1230 	if (tb[NL80211_KEY_CIPHER])
1231 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
1232 
1233 	if (tb[NL80211_KEY_TYPE])
1234 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
1235 
1236 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
1237 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1238 
1239 		err = nla_parse_nested_deprecated(kdt,
1240 						  NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1241 						  tb[NL80211_KEY_DEFAULT_TYPES],
1242 						  nl80211_key_default_policy,
1243 						  info->extack);
1244 		if (err)
1245 			return err;
1246 
1247 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1248 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1249 	}
1250 
1251 	if (tb[NL80211_KEY_MODE])
1252 		k->p.mode = nla_get_u8(tb[NL80211_KEY_MODE]);
1253 
1254 	return 0;
1255 }
1256 
nl80211_parse_key_old(struct genl_info * info,struct key_parse * k)1257 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
1258 {
1259 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
1260 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
1261 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
1262 	}
1263 
1264 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
1265 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
1266 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
1267 	}
1268 
1269 	if (info->attrs[NL80211_ATTR_KEY_IDX])
1270 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
1271 
1272 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
1273 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
1274 
1275 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
1276 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
1277 
1278 	if (k->def) {
1279 		k->def_uni = true;
1280 		k->def_multi = true;
1281 	}
1282 	if (k->defmgmt)
1283 		k->def_multi = true;
1284 
1285 	if (info->attrs[NL80211_ATTR_KEY_TYPE])
1286 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
1287 
1288 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
1289 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1290 		int err = nla_parse_nested_deprecated(kdt,
1291 						      NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1292 						      info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
1293 						      nl80211_key_default_policy,
1294 						      info->extack);
1295 		if (err)
1296 			return err;
1297 
1298 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1299 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1300 	}
1301 
1302 	return 0;
1303 }
1304 
nl80211_parse_key(struct genl_info * info,struct key_parse * k)1305 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
1306 {
1307 	int err;
1308 
1309 	memset(k, 0, sizeof(*k));
1310 	k->idx = -1;
1311 	k->type = -1;
1312 
1313 	if (info->attrs[NL80211_ATTR_KEY])
1314 		err = nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k);
1315 	else
1316 		err = nl80211_parse_key_old(info, k);
1317 
1318 	if (err)
1319 		return err;
1320 
1321 	if ((k->def ? 1 : 0) + (k->defmgmt ? 1 : 0) +
1322 	    (k->defbeacon ? 1 : 0) > 1) {
1323 		GENL_SET_ERR_MSG(info,
1324 				 "key with multiple default flags is invalid");
1325 		return -EINVAL;
1326 	}
1327 
1328 	if (k->defmgmt || k->defbeacon) {
1329 		if (k->def_uni || !k->def_multi) {
1330 			GENL_SET_ERR_MSG(info,
1331 					 "defmgmt/defbeacon key must be mcast");
1332 			return -EINVAL;
1333 		}
1334 	}
1335 
1336 	if (k->idx != -1) {
1337 		if (k->defmgmt) {
1338 			if (k->idx < 4 || k->idx > 5) {
1339 				GENL_SET_ERR_MSG(info,
1340 						 "defmgmt key idx not 4 or 5");
1341 				return -EINVAL;
1342 			}
1343 		} else if (k->defbeacon) {
1344 			if (k->idx < 6 || k->idx > 7) {
1345 				GENL_SET_ERR_MSG(info,
1346 						 "defbeacon key idx not 6 or 7");
1347 				return -EINVAL;
1348 			}
1349 		} else if (k->def) {
1350 			if (k->idx < 0 || k->idx > 3) {
1351 				GENL_SET_ERR_MSG(info, "def key idx not 0-3");
1352 				return -EINVAL;
1353 			}
1354 		} else {
1355 			if (k->idx < 0 || k->idx > 7) {
1356 				GENL_SET_ERR_MSG(info, "key idx not 0-7");
1357 				return -EINVAL;
1358 			}
1359 		}
1360 	}
1361 
1362 	return 0;
1363 }
1364 
1365 static struct cfg80211_cached_keys *
nl80211_parse_connkeys(struct cfg80211_registered_device * rdev,struct genl_info * info,bool * no_ht)1366 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
1367 		       struct genl_info *info, bool *no_ht)
1368 {
1369 	struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
1370 	struct key_parse parse;
1371 	struct nlattr *key;
1372 	struct cfg80211_cached_keys *result;
1373 	int rem, err, def = 0;
1374 	bool have_key = false;
1375 
1376 	nla_for_each_nested(key, keys, rem) {
1377 		have_key = true;
1378 		break;
1379 	}
1380 
1381 	if (!have_key)
1382 		return NULL;
1383 
1384 	result = kzalloc(sizeof(*result), GFP_KERNEL);
1385 	if (!result)
1386 		return ERR_PTR(-ENOMEM);
1387 
1388 	result->def = -1;
1389 
1390 	nla_for_each_nested(key, keys, rem) {
1391 		memset(&parse, 0, sizeof(parse));
1392 		parse.idx = -1;
1393 
1394 		err = nl80211_parse_key_new(info, key, &parse);
1395 		if (err)
1396 			goto error;
1397 		err = -EINVAL;
1398 		if (!parse.p.key)
1399 			goto error;
1400 		if (parse.idx < 0 || parse.idx > 3) {
1401 			GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
1402 			goto error;
1403 		}
1404 		if (parse.def) {
1405 			if (def) {
1406 				GENL_SET_ERR_MSG(info,
1407 						 "only one key can be default");
1408 				goto error;
1409 			}
1410 			def = 1;
1411 			result->def = parse.idx;
1412 			if (!parse.def_uni || !parse.def_multi)
1413 				goto error;
1414 		} else if (parse.defmgmt)
1415 			goto error;
1416 		err = cfg80211_validate_key_settings(rdev, &parse.p,
1417 						     parse.idx, false, NULL);
1418 		if (err)
1419 			goto error;
1420 		if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1421 		    parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
1422 			GENL_SET_ERR_MSG(info, "connect key must be WEP");
1423 			err = -EINVAL;
1424 			goto error;
1425 		}
1426 		result->params[parse.idx].cipher = parse.p.cipher;
1427 		result->params[parse.idx].key_len = parse.p.key_len;
1428 		result->params[parse.idx].key = result->data[parse.idx];
1429 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
1430 
1431 		/* must be WEP key if we got here */
1432 		if (no_ht)
1433 			*no_ht = true;
1434 	}
1435 
1436 	if (result->def < 0) {
1437 		err = -EINVAL;
1438 		GENL_SET_ERR_MSG(info, "need a default/TX key");
1439 		goto error;
1440 	}
1441 
1442 	return result;
1443  error:
1444 	kfree(result);
1445 	return ERR_PTR(err);
1446 }
1447 
nl80211_key_allowed(struct wireless_dev * wdev)1448 static int nl80211_key_allowed(struct wireless_dev *wdev)
1449 {
1450 	ASSERT_WDEV_LOCK(wdev);
1451 
1452 	switch (wdev->iftype) {
1453 	case NL80211_IFTYPE_AP:
1454 	case NL80211_IFTYPE_AP_VLAN:
1455 	case NL80211_IFTYPE_P2P_GO:
1456 	case NL80211_IFTYPE_MESH_POINT:
1457 		break;
1458 	case NL80211_IFTYPE_ADHOC:
1459 	case NL80211_IFTYPE_STATION:
1460 	case NL80211_IFTYPE_P2P_CLIENT:
1461 		if (!wdev->current_bss)
1462 			return -ENOLINK;
1463 		break;
1464 	case NL80211_IFTYPE_UNSPECIFIED:
1465 	case NL80211_IFTYPE_OCB:
1466 	case NL80211_IFTYPE_MONITOR:
1467 	case NL80211_IFTYPE_NAN:
1468 	case NL80211_IFTYPE_P2P_DEVICE:
1469 	case NL80211_IFTYPE_WDS:
1470 	case NUM_NL80211_IFTYPES:
1471 		return -EINVAL;
1472 	}
1473 
1474 	return 0;
1475 }
1476 
nl80211_get_valid_chan(struct wiphy * wiphy,u32 freq)1477 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
1478 							u32 freq)
1479 {
1480 	struct ieee80211_channel *chan;
1481 
1482 	chan = ieee80211_get_channel_khz(wiphy, freq);
1483 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
1484 		return NULL;
1485 	return chan;
1486 }
1487 
nl80211_put_iftypes(struct sk_buff * msg,u32 attr,u16 ifmodes)1488 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
1489 {
1490 	struct nlattr *nl_modes = nla_nest_start_noflag(msg, attr);
1491 	int i;
1492 
1493 	if (!nl_modes)
1494 		goto nla_put_failure;
1495 
1496 	i = 0;
1497 	while (ifmodes) {
1498 		if ((ifmodes & 1) && nla_put_flag(msg, i))
1499 			goto nla_put_failure;
1500 		ifmodes >>= 1;
1501 		i++;
1502 	}
1503 
1504 	nla_nest_end(msg, nl_modes);
1505 	return 0;
1506 
1507 nla_put_failure:
1508 	return -ENOBUFS;
1509 }
1510 
nl80211_put_iface_combinations(struct wiphy * wiphy,struct sk_buff * msg,bool large)1511 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1512 					  struct sk_buff *msg,
1513 					  bool large)
1514 {
1515 	struct nlattr *nl_combis;
1516 	int i, j;
1517 
1518 	nl_combis = nla_nest_start_noflag(msg,
1519 					  NL80211_ATTR_INTERFACE_COMBINATIONS);
1520 	if (!nl_combis)
1521 		goto nla_put_failure;
1522 
1523 	for (i = 0; i < wiphy->n_iface_combinations; i++) {
1524 		const struct ieee80211_iface_combination *c;
1525 		struct nlattr *nl_combi, *nl_limits;
1526 
1527 		c = &wiphy->iface_combinations[i];
1528 
1529 		nl_combi = nla_nest_start_noflag(msg, i + 1);
1530 		if (!nl_combi)
1531 			goto nla_put_failure;
1532 
1533 		nl_limits = nla_nest_start_noflag(msg,
1534 						  NL80211_IFACE_COMB_LIMITS);
1535 		if (!nl_limits)
1536 			goto nla_put_failure;
1537 
1538 		for (j = 0; j < c->n_limits; j++) {
1539 			struct nlattr *nl_limit;
1540 
1541 			nl_limit = nla_nest_start_noflag(msg, j + 1);
1542 			if (!nl_limit)
1543 				goto nla_put_failure;
1544 			if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
1545 					c->limits[j].max))
1546 				goto nla_put_failure;
1547 			if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1548 						c->limits[j].types))
1549 				goto nla_put_failure;
1550 			nla_nest_end(msg, nl_limit);
1551 		}
1552 
1553 		nla_nest_end(msg, nl_limits);
1554 
1555 		if (c->beacon_int_infra_match &&
1556 		    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1557 			goto nla_put_failure;
1558 		if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1559 				c->num_different_channels) ||
1560 		    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1561 				c->max_interfaces))
1562 			goto nla_put_failure;
1563 		if (large &&
1564 		    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1565 				c->radar_detect_widths) ||
1566 		     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1567 				c->radar_detect_regions)))
1568 			goto nla_put_failure;
1569 		if (c->beacon_int_min_gcd &&
1570 		    nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1571 				c->beacon_int_min_gcd))
1572 			goto nla_put_failure;
1573 
1574 		nla_nest_end(msg, nl_combi);
1575 	}
1576 
1577 	nla_nest_end(msg, nl_combis);
1578 
1579 	return 0;
1580 nla_put_failure:
1581 	return -ENOBUFS;
1582 }
1583 
1584 #ifdef CONFIG_PM
nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device * rdev,struct sk_buff * msg)1585 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1586 					struct sk_buff *msg)
1587 {
1588 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1589 	struct nlattr *nl_tcp;
1590 
1591 	if (!tcp)
1592 		return 0;
1593 
1594 	nl_tcp = nla_nest_start_noflag(msg,
1595 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1596 	if (!nl_tcp)
1597 		return -ENOBUFS;
1598 
1599 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1600 			tcp->data_payload_max))
1601 		return -ENOBUFS;
1602 
1603 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1604 			tcp->data_payload_max))
1605 		return -ENOBUFS;
1606 
1607 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1608 		return -ENOBUFS;
1609 
1610 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1611 				sizeof(*tcp->tok), tcp->tok))
1612 		return -ENOBUFS;
1613 
1614 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1615 			tcp->data_interval_max))
1616 		return -ENOBUFS;
1617 
1618 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1619 			tcp->wake_payload_max))
1620 		return -ENOBUFS;
1621 
1622 	nla_nest_end(msg, nl_tcp);
1623 	return 0;
1624 }
1625 
nl80211_send_wowlan(struct sk_buff * msg,struct cfg80211_registered_device * rdev,bool large)1626 static int nl80211_send_wowlan(struct sk_buff *msg,
1627 			       struct cfg80211_registered_device *rdev,
1628 			       bool large)
1629 {
1630 	struct nlattr *nl_wowlan;
1631 
1632 	if (!rdev->wiphy.wowlan)
1633 		return 0;
1634 
1635 	nl_wowlan = nla_nest_start_noflag(msg,
1636 					  NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1637 	if (!nl_wowlan)
1638 		return -ENOBUFS;
1639 
1640 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1641 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1642 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1643 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1644 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1645 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1646 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1647 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1648 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1649 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1650 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1651 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1652 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1653 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1654 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1655 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1656 		return -ENOBUFS;
1657 
1658 	if (rdev->wiphy.wowlan->n_patterns) {
1659 		struct nl80211_pattern_support pat = {
1660 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1661 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1662 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1663 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1664 		};
1665 
1666 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1667 			    sizeof(pat), &pat))
1668 			return -ENOBUFS;
1669 	}
1670 
1671 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1672 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1673 			rdev->wiphy.wowlan->max_nd_match_sets))
1674 		return -ENOBUFS;
1675 
1676 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1677 		return -ENOBUFS;
1678 
1679 	nla_nest_end(msg, nl_wowlan);
1680 
1681 	return 0;
1682 }
1683 #endif
1684 
nl80211_send_coalesce(struct sk_buff * msg,struct cfg80211_registered_device * rdev)1685 static int nl80211_send_coalesce(struct sk_buff *msg,
1686 				 struct cfg80211_registered_device *rdev)
1687 {
1688 	struct nl80211_coalesce_rule_support rule;
1689 
1690 	if (!rdev->wiphy.coalesce)
1691 		return 0;
1692 
1693 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1694 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1695 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1696 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1697 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1698 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1699 
1700 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1701 		return -ENOBUFS;
1702 
1703 	return 0;
1704 }
1705 
1706 static int
nl80211_send_iftype_data(struct sk_buff * msg,const struct ieee80211_supported_band * sband,const struct ieee80211_sband_iftype_data * iftdata)1707 nl80211_send_iftype_data(struct sk_buff *msg,
1708 			 const struct ieee80211_supported_band *sband,
1709 			 const struct ieee80211_sband_iftype_data *iftdata)
1710 {
1711 	const struct ieee80211_sta_he_cap *he_cap = &iftdata->he_cap;
1712 
1713 	if (nl80211_put_iftypes(msg, NL80211_BAND_IFTYPE_ATTR_IFTYPES,
1714 				iftdata->types_mask))
1715 		return -ENOBUFS;
1716 
1717 	if (he_cap->has_he) {
1718 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC,
1719 			    sizeof(he_cap->he_cap_elem.mac_cap_info),
1720 			    he_cap->he_cap_elem.mac_cap_info) ||
1721 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PHY,
1722 			    sizeof(he_cap->he_cap_elem.phy_cap_info),
1723 			    he_cap->he_cap_elem.phy_cap_info) ||
1724 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET,
1725 			    sizeof(he_cap->he_mcs_nss_supp),
1726 			    &he_cap->he_mcs_nss_supp) ||
1727 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE,
1728 			    sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
1729 			return -ENOBUFS;
1730 	}
1731 
1732 	if (sband->band == NL80211_BAND_6GHZ &&
1733 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_6GHZ_CAPA,
1734 		    sizeof(iftdata->he_6ghz_capa),
1735 		    &iftdata->he_6ghz_capa))
1736 		return -ENOBUFS;
1737 
1738 	if (iftdata->vendor_elems.data && iftdata->vendor_elems.len &&
1739 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_VENDOR_ELEMS,
1740 		    iftdata->vendor_elems.len, iftdata->vendor_elems.data))
1741 		return -ENOBUFS;
1742 
1743 	return 0;
1744 }
1745 
nl80211_send_band_rateinfo(struct sk_buff * msg,struct ieee80211_supported_band * sband,bool large)1746 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1747 				      struct ieee80211_supported_band *sband,
1748 				      bool large)
1749 {
1750 	struct nlattr *nl_rates, *nl_rate;
1751 	struct ieee80211_rate *rate;
1752 	int i;
1753 
1754 	/* add HT info */
1755 	if (sband->ht_cap.ht_supported &&
1756 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1757 		     sizeof(sband->ht_cap.mcs),
1758 		     &sband->ht_cap.mcs) ||
1759 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1760 			 sband->ht_cap.cap) ||
1761 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1762 			sband->ht_cap.ampdu_factor) ||
1763 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1764 			sband->ht_cap.ampdu_density)))
1765 		return -ENOBUFS;
1766 
1767 	/* add VHT info */
1768 	if (sband->vht_cap.vht_supported &&
1769 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1770 		     sizeof(sband->vht_cap.vht_mcs),
1771 		     &sband->vht_cap.vht_mcs) ||
1772 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1773 			 sband->vht_cap.cap)))
1774 		return -ENOBUFS;
1775 
1776 	if (large && sband->n_iftype_data) {
1777 		struct nlattr *nl_iftype_data =
1778 			nla_nest_start_noflag(msg,
1779 					      NL80211_BAND_ATTR_IFTYPE_DATA);
1780 		int err;
1781 
1782 		if (!nl_iftype_data)
1783 			return -ENOBUFS;
1784 
1785 		for (i = 0; i < sband->n_iftype_data; i++) {
1786 			struct nlattr *iftdata;
1787 
1788 			iftdata = nla_nest_start_noflag(msg, i + 1);
1789 			if (!iftdata)
1790 				return -ENOBUFS;
1791 
1792 			err = nl80211_send_iftype_data(msg, sband,
1793 						       &sband->iftype_data[i]);
1794 			if (err)
1795 				return err;
1796 
1797 			nla_nest_end(msg, iftdata);
1798 		}
1799 
1800 		nla_nest_end(msg, nl_iftype_data);
1801 	}
1802 
1803 	/* add EDMG info */
1804 	if (large && sband->edmg_cap.channels &&
1805 	    (nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_CHANNELS,
1806 		       sband->edmg_cap.channels) ||
1807 	    nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_BW_CONFIG,
1808 		       sband->edmg_cap.bw_config)))
1809 
1810 		return -ENOBUFS;
1811 
1812 	/* add bitrates */
1813 	nl_rates = nla_nest_start_noflag(msg, NL80211_BAND_ATTR_RATES);
1814 	if (!nl_rates)
1815 		return -ENOBUFS;
1816 
1817 	for (i = 0; i < sband->n_bitrates; i++) {
1818 		nl_rate = nla_nest_start_noflag(msg, i);
1819 		if (!nl_rate)
1820 			return -ENOBUFS;
1821 
1822 		rate = &sband->bitrates[i];
1823 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1824 				rate->bitrate))
1825 			return -ENOBUFS;
1826 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1827 		    nla_put_flag(msg,
1828 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1829 			return -ENOBUFS;
1830 
1831 		nla_nest_end(msg, nl_rate);
1832 	}
1833 
1834 	nla_nest_end(msg, nl_rates);
1835 
1836 	return 0;
1837 }
1838 
1839 static int
nl80211_send_mgmt_stypes(struct sk_buff * msg,const struct ieee80211_txrx_stypes * mgmt_stypes)1840 nl80211_send_mgmt_stypes(struct sk_buff *msg,
1841 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
1842 {
1843 	u16 stypes;
1844 	struct nlattr *nl_ftypes, *nl_ifs;
1845 	enum nl80211_iftype ift;
1846 	int i;
1847 
1848 	if (!mgmt_stypes)
1849 		return 0;
1850 
1851 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_TX_FRAME_TYPES);
1852 	if (!nl_ifs)
1853 		return -ENOBUFS;
1854 
1855 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1856 		nl_ftypes = nla_nest_start_noflag(msg, ift);
1857 		if (!nl_ftypes)
1858 			return -ENOBUFS;
1859 		i = 0;
1860 		stypes = mgmt_stypes[ift].tx;
1861 		while (stypes) {
1862 			if ((stypes & 1) &&
1863 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1864 					(i << 4) | IEEE80211_FTYPE_MGMT))
1865 				return -ENOBUFS;
1866 			stypes >>= 1;
1867 			i++;
1868 		}
1869 		nla_nest_end(msg, nl_ftypes);
1870 	}
1871 
1872 	nla_nest_end(msg, nl_ifs);
1873 
1874 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_RX_FRAME_TYPES);
1875 	if (!nl_ifs)
1876 		return -ENOBUFS;
1877 
1878 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1879 		nl_ftypes = nla_nest_start_noflag(msg, ift);
1880 		if (!nl_ftypes)
1881 			return -ENOBUFS;
1882 		i = 0;
1883 		stypes = mgmt_stypes[ift].rx;
1884 		while (stypes) {
1885 			if ((stypes & 1) &&
1886 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1887 					(i << 4) | IEEE80211_FTYPE_MGMT))
1888 				return -ENOBUFS;
1889 			stypes >>= 1;
1890 			i++;
1891 		}
1892 		nla_nest_end(msg, nl_ftypes);
1893 	}
1894 	nla_nest_end(msg, nl_ifs);
1895 
1896 	return 0;
1897 }
1898 
1899 #define CMD(op, n)							\
1900 	 do {								\
1901 		if (rdev->ops->op) {					\
1902 			i++;						\
1903 			if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) 	\
1904 				goto nla_put_failure;			\
1905 		}							\
1906 	} while (0)
1907 
nl80211_add_commands_unsplit(struct cfg80211_registered_device * rdev,struct sk_buff * msg)1908 static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
1909 					struct sk_buff *msg)
1910 {
1911 	int i = 0;
1912 
1913 	/*
1914 	 * do *NOT* add anything into this function, new things need to be
1915 	 * advertised only to new versions of userspace that can deal with
1916 	 * the split (and they can't possibly care about new features...
1917 	 */
1918 	CMD(add_virtual_intf, NEW_INTERFACE);
1919 	CMD(change_virtual_intf, SET_INTERFACE);
1920 	CMD(add_key, NEW_KEY);
1921 	CMD(start_ap, START_AP);
1922 	CMD(add_station, NEW_STATION);
1923 	CMD(add_mpath, NEW_MPATH);
1924 	CMD(update_mesh_config, SET_MESH_CONFIG);
1925 	CMD(change_bss, SET_BSS);
1926 	CMD(auth, AUTHENTICATE);
1927 	CMD(assoc, ASSOCIATE);
1928 	CMD(deauth, DEAUTHENTICATE);
1929 	CMD(disassoc, DISASSOCIATE);
1930 	CMD(join_ibss, JOIN_IBSS);
1931 	CMD(join_mesh, JOIN_MESH);
1932 	CMD(set_pmksa, SET_PMKSA);
1933 	CMD(del_pmksa, DEL_PMKSA);
1934 	CMD(flush_pmksa, FLUSH_PMKSA);
1935 	if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
1936 		CMD(remain_on_channel, REMAIN_ON_CHANNEL);
1937 	CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
1938 	CMD(mgmt_tx, FRAME);
1939 	CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
1940 	if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
1941 		i++;
1942 		if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
1943 			goto nla_put_failure;
1944 	}
1945 	if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
1946 	    rdev->ops->join_mesh) {
1947 		i++;
1948 		if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
1949 			goto nla_put_failure;
1950 	}
1951 	if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
1952 		CMD(tdls_mgmt, TDLS_MGMT);
1953 		CMD(tdls_oper, TDLS_OPER);
1954 	}
1955 	if (rdev->wiphy.max_sched_scan_reqs)
1956 		CMD(sched_scan_start, START_SCHED_SCAN);
1957 	CMD(probe_client, PROBE_CLIENT);
1958 	CMD(set_noack_map, SET_NOACK_MAP);
1959 	if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
1960 		i++;
1961 		if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
1962 			goto nla_put_failure;
1963 	}
1964 	CMD(start_p2p_device, START_P2P_DEVICE);
1965 	CMD(set_mcast_rate, SET_MCAST_RATE);
1966 #ifdef CONFIG_NL80211_TESTMODE
1967 	CMD(testmode_cmd, TESTMODE);
1968 #endif
1969 
1970 	if (rdev->ops->connect || rdev->ops->auth) {
1971 		i++;
1972 		if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
1973 			goto nla_put_failure;
1974 	}
1975 
1976 	if (rdev->ops->disconnect || rdev->ops->deauth) {
1977 		i++;
1978 		if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
1979 			goto nla_put_failure;
1980 	}
1981 
1982 	return i;
1983  nla_put_failure:
1984 	return -ENOBUFS;
1985 }
1986 
1987 static int
nl80211_send_pmsr_ftm_capa(const struct cfg80211_pmsr_capabilities * cap,struct sk_buff * msg)1988 nl80211_send_pmsr_ftm_capa(const struct cfg80211_pmsr_capabilities *cap,
1989 			   struct sk_buff *msg)
1990 {
1991 	struct nlattr *ftm;
1992 
1993 	if (!cap->ftm.supported)
1994 		return 0;
1995 
1996 	ftm = nla_nest_start_noflag(msg, NL80211_PMSR_TYPE_FTM);
1997 	if (!ftm)
1998 		return -ENOBUFS;
1999 
2000 	if (cap->ftm.asap && nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_ASAP))
2001 		return -ENOBUFS;
2002 	if (cap->ftm.non_asap &&
2003 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_ASAP))
2004 		return -ENOBUFS;
2005 	if (cap->ftm.request_lci &&
2006 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_LCI))
2007 		return -ENOBUFS;
2008 	if (cap->ftm.request_civicloc &&
2009 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_CIVICLOC))
2010 		return -ENOBUFS;
2011 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_PREAMBLES,
2012 			cap->ftm.preambles))
2013 		return -ENOBUFS;
2014 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_BANDWIDTHS,
2015 			cap->ftm.bandwidths))
2016 		return -ENOBUFS;
2017 	if (cap->ftm.max_bursts_exponent >= 0 &&
2018 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_BURSTS_EXPONENT,
2019 			cap->ftm.max_bursts_exponent))
2020 		return -ENOBUFS;
2021 	if (cap->ftm.max_ftms_per_burst &&
2022 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_FTMS_PER_BURST,
2023 			cap->ftm.max_ftms_per_burst))
2024 		return -ENOBUFS;
2025 	if (cap->ftm.trigger_based &&
2026 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_TRIGGER_BASED))
2027 		return -ENOBUFS;
2028 	if (cap->ftm.non_trigger_based &&
2029 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_TRIGGER_BASED))
2030 		return -ENOBUFS;
2031 
2032 	nla_nest_end(msg, ftm);
2033 	return 0;
2034 }
2035 
nl80211_send_pmsr_capa(struct cfg80211_registered_device * rdev,struct sk_buff * msg)2036 static int nl80211_send_pmsr_capa(struct cfg80211_registered_device *rdev,
2037 				  struct sk_buff *msg)
2038 {
2039 	const struct cfg80211_pmsr_capabilities *cap = rdev->wiphy.pmsr_capa;
2040 	struct nlattr *pmsr, *caps;
2041 
2042 	if (!cap)
2043 		return 0;
2044 
2045 	/*
2046 	 * we don't need to clean up anything here since the caller
2047 	 * will genlmsg_cancel() if we fail
2048 	 */
2049 
2050 	pmsr = nla_nest_start_noflag(msg, NL80211_ATTR_PEER_MEASUREMENTS);
2051 	if (!pmsr)
2052 		return -ENOBUFS;
2053 
2054 	if (nla_put_u32(msg, NL80211_PMSR_ATTR_MAX_PEERS, cap->max_peers))
2055 		return -ENOBUFS;
2056 
2057 	if (cap->report_ap_tsf &&
2058 	    nla_put_flag(msg, NL80211_PMSR_ATTR_REPORT_AP_TSF))
2059 		return -ENOBUFS;
2060 
2061 	if (cap->randomize_mac_addr &&
2062 	    nla_put_flag(msg, NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR))
2063 		return -ENOBUFS;
2064 
2065 	caps = nla_nest_start_noflag(msg, NL80211_PMSR_ATTR_TYPE_CAPA);
2066 	if (!caps)
2067 		return -ENOBUFS;
2068 
2069 	if (nl80211_send_pmsr_ftm_capa(cap, msg))
2070 		return -ENOBUFS;
2071 
2072 	nla_nest_end(msg, caps);
2073 	nla_nest_end(msg, pmsr);
2074 
2075 	return 0;
2076 }
2077 
2078 static int
nl80211_put_iftype_akm_suites(struct cfg80211_registered_device * rdev,struct sk_buff * msg)2079 nl80211_put_iftype_akm_suites(struct cfg80211_registered_device *rdev,
2080 			      struct sk_buff *msg)
2081 {
2082 	int i;
2083 	struct nlattr *nested, *nested_akms;
2084 	const struct wiphy_iftype_akm_suites *iftype_akms;
2085 
2086 	if (!rdev->wiphy.num_iftype_akm_suites ||
2087 	    !rdev->wiphy.iftype_akm_suites)
2088 		return 0;
2089 
2090 	nested = nla_nest_start(msg, NL80211_ATTR_IFTYPE_AKM_SUITES);
2091 	if (!nested)
2092 		return -ENOBUFS;
2093 
2094 	for (i = 0; i < rdev->wiphy.num_iftype_akm_suites; i++) {
2095 		nested_akms = nla_nest_start(msg, i + 1);
2096 		if (!nested_akms)
2097 			return -ENOBUFS;
2098 
2099 		iftype_akms = &rdev->wiphy.iftype_akm_suites[i];
2100 
2101 		if (nl80211_put_iftypes(msg, NL80211_IFTYPE_AKM_ATTR_IFTYPES,
2102 					iftype_akms->iftypes_mask))
2103 			return -ENOBUFS;
2104 
2105 		if (nla_put(msg, NL80211_IFTYPE_AKM_ATTR_SUITES,
2106 			    sizeof(u32) * iftype_akms->n_akm_suites,
2107 			    iftype_akms->akm_suites)) {
2108 			return -ENOBUFS;
2109 		}
2110 		nla_nest_end(msg, nested_akms);
2111 	}
2112 
2113 	nla_nest_end(msg, nested);
2114 
2115 	return 0;
2116 }
2117 
2118 static int
nl80211_put_tid_config_support(struct cfg80211_registered_device * rdev,struct sk_buff * msg)2119 nl80211_put_tid_config_support(struct cfg80211_registered_device *rdev,
2120 			       struct sk_buff *msg)
2121 {
2122 	struct nlattr *supp;
2123 
2124 	if (!rdev->wiphy.tid_config_support.vif &&
2125 	    !rdev->wiphy.tid_config_support.peer)
2126 		return 0;
2127 
2128 	supp = nla_nest_start(msg, NL80211_ATTR_TID_CONFIG);
2129 	if (!supp)
2130 		return -ENOSPC;
2131 
2132 	if (rdev->wiphy.tid_config_support.vif &&
2133 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_VIF_SUPP,
2134 			      rdev->wiphy.tid_config_support.vif,
2135 			      NL80211_TID_CONFIG_ATTR_PAD))
2136 		goto fail;
2137 
2138 	if (rdev->wiphy.tid_config_support.peer &&
2139 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_PEER_SUPP,
2140 			      rdev->wiphy.tid_config_support.peer,
2141 			      NL80211_TID_CONFIG_ATTR_PAD))
2142 		goto fail;
2143 
2144 	/* for now we just use the same value ... makes more sense */
2145 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_SHORT,
2146 		       rdev->wiphy.tid_config_support.max_retry))
2147 		goto fail;
2148 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_LONG,
2149 		       rdev->wiphy.tid_config_support.max_retry))
2150 		goto fail;
2151 
2152 	nla_nest_end(msg, supp);
2153 
2154 	return 0;
2155 fail:
2156 	nla_nest_cancel(msg, supp);
2157 	return -ENOBUFS;
2158 }
2159 
2160 static int
nl80211_put_sar_specs(struct cfg80211_registered_device * rdev,struct sk_buff * msg)2161 nl80211_put_sar_specs(struct cfg80211_registered_device *rdev,
2162 		      struct sk_buff *msg)
2163 {
2164 	struct nlattr *sar_capa, *specs, *sub_freq_range;
2165 	u8 num_freq_ranges;
2166 	int i;
2167 
2168 	if (!rdev->wiphy.sar_capa)
2169 		return 0;
2170 
2171 	num_freq_ranges = rdev->wiphy.sar_capa->num_freq_ranges;
2172 
2173 	sar_capa = nla_nest_start(msg, NL80211_ATTR_SAR_SPEC);
2174 	if (!sar_capa)
2175 		return -ENOSPC;
2176 
2177 	if (nla_put_u32(msg, NL80211_SAR_ATTR_TYPE, rdev->wiphy.sar_capa->type))
2178 		goto fail;
2179 
2180 	specs = nla_nest_start(msg, NL80211_SAR_ATTR_SPECS);
2181 	if (!specs)
2182 		goto fail;
2183 
2184 	/* report supported freq_ranges */
2185 	for (i = 0; i < num_freq_ranges; i++) {
2186 		sub_freq_range = nla_nest_start(msg, i + 1);
2187 		if (!sub_freq_range)
2188 			goto fail;
2189 
2190 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_START_FREQ,
2191 				rdev->wiphy.sar_capa->freq_ranges[i].start_freq))
2192 			goto fail;
2193 
2194 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_END_FREQ,
2195 				rdev->wiphy.sar_capa->freq_ranges[i].end_freq))
2196 			goto fail;
2197 
2198 		nla_nest_end(msg, sub_freq_range);
2199 	}
2200 
2201 	nla_nest_end(msg, specs);
2202 	nla_nest_end(msg, sar_capa);
2203 
2204 	return 0;
2205 fail:
2206 	nla_nest_cancel(msg, sar_capa);
2207 	return -ENOBUFS;
2208 }
2209 
2210 struct nl80211_dump_wiphy_state {
2211 	s64 filter_wiphy;
2212 	long start;
2213 	long split_start, band_start, chan_start, capa_start;
2214 	bool split;
2215 };
2216 
nl80211_send_wiphy(struct cfg80211_registered_device * rdev,enum nl80211_commands cmd,struct sk_buff * msg,u32 portid,u32 seq,int flags,struct nl80211_dump_wiphy_state * state)2217 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
2218 			      enum nl80211_commands cmd,
2219 			      struct sk_buff *msg, u32 portid, u32 seq,
2220 			      int flags, struct nl80211_dump_wiphy_state *state)
2221 {
2222 	void *hdr;
2223 	struct nlattr *nl_bands, *nl_band;
2224 	struct nlattr *nl_freqs, *nl_freq;
2225 	struct nlattr *nl_cmds;
2226 	enum nl80211_band band;
2227 	struct ieee80211_channel *chan;
2228 	int i;
2229 	const struct ieee80211_txrx_stypes *mgmt_stypes =
2230 				rdev->wiphy.mgmt_stypes;
2231 	u32 features;
2232 
2233 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2234 	if (!hdr)
2235 		return -ENOBUFS;
2236 
2237 	if (WARN_ON(!state))
2238 		return -EINVAL;
2239 
2240 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2241 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
2242 			   wiphy_name(&rdev->wiphy)) ||
2243 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2244 			cfg80211_rdev_list_generation))
2245 		goto nla_put_failure;
2246 
2247 	if (cmd != NL80211_CMD_NEW_WIPHY)
2248 		goto finish;
2249 
2250 	switch (state->split_start) {
2251 	case 0:
2252 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
2253 			       rdev->wiphy.retry_short) ||
2254 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
2255 			       rdev->wiphy.retry_long) ||
2256 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
2257 				rdev->wiphy.frag_threshold) ||
2258 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
2259 				rdev->wiphy.rts_threshold) ||
2260 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
2261 			       rdev->wiphy.coverage_class) ||
2262 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
2263 			       rdev->wiphy.max_scan_ssids) ||
2264 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
2265 			       rdev->wiphy.max_sched_scan_ssids) ||
2266 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
2267 				rdev->wiphy.max_scan_ie_len) ||
2268 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
2269 				rdev->wiphy.max_sched_scan_ie_len) ||
2270 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
2271 			       rdev->wiphy.max_match_sets))
2272 			goto nla_put_failure;
2273 
2274 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
2275 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
2276 			goto nla_put_failure;
2277 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
2278 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
2279 			goto nla_put_failure;
2280 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
2281 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
2282 			goto nla_put_failure;
2283 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
2284 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
2285 			goto nla_put_failure;
2286 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
2287 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
2288 			goto nla_put_failure;
2289 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
2290 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
2291 			goto nla_put_failure;
2292 		state->split_start++;
2293 		if (state->split)
2294 			break;
2295 		fallthrough;
2296 	case 1:
2297 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
2298 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
2299 			    rdev->wiphy.cipher_suites))
2300 			goto nla_put_failure;
2301 
2302 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
2303 			       rdev->wiphy.max_num_pmkids))
2304 			goto nla_put_failure;
2305 
2306 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
2307 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
2308 			goto nla_put_failure;
2309 
2310 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
2311 				rdev->wiphy.available_antennas_tx) ||
2312 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
2313 				rdev->wiphy.available_antennas_rx))
2314 			goto nla_put_failure;
2315 
2316 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
2317 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
2318 				rdev->wiphy.probe_resp_offload))
2319 			goto nla_put_failure;
2320 
2321 		if ((rdev->wiphy.available_antennas_tx ||
2322 		     rdev->wiphy.available_antennas_rx) &&
2323 		    rdev->ops->get_antenna) {
2324 			u32 tx_ant = 0, rx_ant = 0;
2325 			int res;
2326 
2327 			res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
2328 			if (!res) {
2329 				if (nla_put_u32(msg,
2330 						NL80211_ATTR_WIPHY_ANTENNA_TX,
2331 						tx_ant) ||
2332 				    nla_put_u32(msg,
2333 						NL80211_ATTR_WIPHY_ANTENNA_RX,
2334 						rx_ant))
2335 					goto nla_put_failure;
2336 			}
2337 		}
2338 
2339 		state->split_start++;
2340 		if (state->split)
2341 			break;
2342 		fallthrough;
2343 	case 2:
2344 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
2345 					rdev->wiphy.interface_modes))
2346 				goto nla_put_failure;
2347 		state->split_start++;
2348 		if (state->split)
2349 			break;
2350 		fallthrough;
2351 	case 3:
2352 		nl_bands = nla_nest_start_noflag(msg,
2353 						 NL80211_ATTR_WIPHY_BANDS);
2354 		if (!nl_bands)
2355 			goto nla_put_failure;
2356 
2357 		for (band = state->band_start;
2358 		     band < (state->split ?
2359 				NUM_NL80211_BANDS :
2360 				NL80211_BAND_60GHZ + 1);
2361 		     band++) {
2362 			struct ieee80211_supported_band *sband;
2363 
2364 			/* omit higher bands for ancient software */
2365 			if (band > NL80211_BAND_5GHZ && !state->split)
2366 				break;
2367 
2368 			sband = rdev->wiphy.bands[band];
2369 
2370 			if (!sband)
2371 				continue;
2372 
2373 			nl_band = nla_nest_start_noflag(msg, band);
2374 			if (!nl_band)
2375 				goto nla_put_failure;
2376 
2377 			switch (state->chan_start) {
2378 			case 0:
2379 				if (nl80211_send_band_rateinfo(msg, sband,
2380 							       state->split))
2381 					goto nla_put_failure;
2382 				state->chan_start++;
2383 				if (state->split)
2384 					break;
2385 				fallthrough;
2386 			default:
2387 				/* add frequencies */
2388 				nl_freqs = nla_nest_start_noflag(msg,
2389 								 NL80211_BAND_ATTR_FREQS);
2390 				if (!nl_freqs)
2391 					goto nla_put_failure;
2392 
2393 				for (i = state->chan_start - 1;
2394 				     i < sband->n_channels;
2395 				     i++) {
2396 					nl_freq = nla_nest_start_noflag(msg,
2397 									i);
2398 					if (!nl_freq)
2399 						goto nla_put_failure;
2400 
2401 					chan = &sband->channels[i];
2402 
2403 					if (nl80211_msg_put_channel(
2404 							msg, &rdev->wiphy, chan,
2405 							state->split))
2406 						goto nla_put_failure;
2407 
2408 					nla_nest_end(msg, nl_freq);
2409 					if (state->split)
2410 						break;
2411 				}
2412 				if (i < sband->n_channels)
2413 					state->chan_start = i + 2;
2414 				else
2415 					state->chan_start = 0;
2416 				nla_nest_end(msg, nl_freqs);
2417 			}
2418 
2419 			nla_nest_end(msg, nl_band);
2420 
2421 			if (state->split) {
2422 				/* start again here */
2423 				if (state->chan_start)
2424 					band--;
2425 				break;
2426 			}
2427 		}
2428 		nla_nest_end(msg, nl_bands);
2429 
2430 		if (band < NUM_NL80211_BANDS)
2431 			state->band_start = band + 1;
2432 		else
2433 			state->band_start = 0;
2434 
2435 		/* if bands & channels are done, continue outside */
2436 		if (state->band_start == 0 && state->chan_start == 0)
2437 			state->split_start++;
2438 		if (state->split)
2439 			break;
2440 		fallthrough;
2441 	case 4:
2442 		nl_cmds = nla_nest_start_noflag(msg,
2443 						NL80211_ATTR_SUPPORTED_COMMANDS);
2444 		if (!nl_cmds)
2445 			goto nla_put_failure;
2446 
2447 		i = nl80211_add_commands_unsplit(rdev, msg);
2448 		if (i < 0)
2449 			goto nla_put_failure;
2450 		if (state->split) {
2451 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
2452 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
2453 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
2454 				CMD(channel_switch, CHANNEL_SWITCH);
2455 			CMD(set_qos_map, SET_QOS_MAP);
2456 			if (rdev->wiphy.features &
2457 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
2458 				CMD(add_tx_ts, ADD_TX_TS);
2459 			CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
2460 			CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
2461 			CMD(update_ft_ies, UPDATE_FT_IES);
2462 			if (rdev->wiphy.sar_capa)
2463 				CMD(set_sar_specs, SET_SAR_SPECS);
2464 		}
2465 #undef CMD
2466 
2467 		nla_nest_end(msg, nl_cmds);
2468 		state->split_start++;
2469 		if (state->split)
2470 			break;
2471 		fallthrough;
2472 	case 5:
2473 		if (rdev->ops->remain_on_channel &&
2474 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
2475 		    nla_put_u32(msg,
2476 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
2477 				rdev->wiphy.max_remain_on_channel_duration))
2478 			goto nla_put_failure;
2479 
2480 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
2481 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
2482 			goto nla_put_failure;
2483 
2484 		state->split_start++;
2485 		if (state->split)
2486 			break;
2487 		fallthrough;
2488 	case 6:
2489 #ifdef CONFIG_PM
2490 		if (nl80211_send_wowlan(msg, rdev, state->split))
2491 			goto nla_put_failure;
2492 		state->split_start++;
2493 		if (state->split)
2494 			break;
2495 #else
2496 		state->split_start++;
2497 #endif
2498 		fallthrough;
2499 	case 7:
2500 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
2501 					rdev->wiphy.software_iftypes))
2502 			goto nla_put_failure;
2503 
2504 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
2505 						   state->split))
2506 			goto nla_put_failure;
2507 
2508 		state->split_start++;
2509 		if (state->split)
2510 			break;
2511 		fallthrough;
2512 	case 8:
2513 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
2514 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
2515 				rdev->wiphy.ap_sme_capa))
2516 			goto nla_put_failure;
2517 
2518 		features = rdev->wiphy.features;
2519 		/*
2520 		 * We can only add the per-channel limit information if the
2521 		 * dump is split, otherwise it makes it too big. Therefore
2522 		 * only advertise it in that case.
2523 		 */
2524 		if (state->split)
2525 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
2526 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
2527 			goto nla_put_failure;
2528 
2529 		if (rdev->wiphy.ht_capa_mod_mask &&
2530 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
2531 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
2532 			    rdev->wiphy.ht_capa_mod_mask))
2533 			goto nla_put_failure;
2534 
2535 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
2536 		    rdev->wiphy.max_acl_mac_addrs &&
2537 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
2538 				rdev->wiphy.max_acl_mac_addrs))
2539 			goto nla_put_failure;
2540 
2541 		/*
2542 		 * Any information below this point is only available to
2543 		 * applications that can deal with it being split. This
2544 		 * helps ensure that newly added capabilities don't break
2545 		 * older tools by overrunning their buffers.
2546 		 *
2547 		 * We still increment split_start so that in the split
2548 		 * case we'll continue with more data in the next round,
2549 		 * but break unconditionally so unsplit data stops here.
2550 		 */
2551 		if (state->split)
2552 			state->split_start++;
2553 		else
2554 			state->split_start = 0;
2555 		break;
2556 	case 9:
2557 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
2558 			goto nla_put_failure;
2559 
2560 		if (nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
2561 				rdev->wiphy.max_sched_scan_plans) ||
2562 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
2563 				rdev->wiphy.max_sched_scan_plan_interval) ||
2564 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
2565 				rdev->wiphy.max_sched_scan_plan_iterations))
2566 			goto nla_put_failure;
2567 
2568 		if (rdev->wiphy.extended_capabilities &&
2569 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
2570 			     rdev->wiphy.extended_capabilities_len,
2571 			     rdev->wiphy.extended_capabilities) ||
2572 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2573 			     rdev->wiphy.extended_capabilities_len,
2574 			     rdev->wiphy.extended_capabilities_mask)))
2575 			goto nla_put_failure;
2576 
2577 		if (rdev->wiphy.vht_capa_mod_mask &&
2578 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
2579 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
2580 			    rdev->wiphy.vht_capa_mod_mask))
2581 			goto nla_put_failure;
2582 
2583 		if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
2584 			    rdev->wiphy.perm_addr))
2585 			goto nla_put_failure;
2586 
2587 		if (!is_zero_ether_addr(rdev->wiphy.addr_mask) &&
2588 		    nla_put(msg, NL80211_ATTR_MAC_MASK, ETH_ALEN,
2589 			    rdev->wiphy.addr_mask))
2590 			goto nla_put_failure;
2591 
2592 		if (rdev->wiphy.n_addresses > 1) {
2593 			void *attr;
2594 
2595 			attr = nla_nest_start(msg, NL80211_ATTR_MAC_ADDRS);
2596 			if (!attr)
2597 				goto nla_put_failure;
2598 
2599 			for (i = 0; i < rdev->wiphy.n_addresses; i++)
2600 				if (nla_put(msg, i + 1, ETH_ALEN,
2601 					    rdev->wiphy.addresses[i].addr))
2602 					goto nla_put_failure;
2603 
2604 			nla_nest_end(msg, attr);
2605 		}
2606 
2607 		state->split_start++;
2608 		break;
2609 	case 10:
2610 		if (nl80211_send_coalesce(msg, rdev))
2611 			goto nla_put_failure;
2612 
2613 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
2614 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
2615 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
2616 			goto nla_put_failure;
2617 
2618 		if (rdev->wiphy.max_ap_assoc_sta &&
2619 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
2620 				rdev->wiphy.max_ap_assoc_sta))
2621 			goto nla_put_failure;
2622 
2623 		state->split_start++;
2624 		break;
2625 	case 11:
2626 		if (rdev->wiphy.n_vendor_commands) {
2627 			const struct nl80211_vendor_cmd_info *info;
2628 			struct nlattr *nested;
2629 
2630 			nested = nla_nest_start_noflag(msg,
2631 						       NL80211_ATTR_VENDOR_DATA);
2632 			if (!nested)
2633 				goto nla_put_failure;
2634 
2635 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
2636 				info = &rdev->wiphy.vendor_commands[i].info;
2637 				if (nla_put(msg, i + 1, sizeof(*info), info))
2638 					goto nla_put_failure;
2639 			}
2640 			nla_nest_end(msg, nested);
2641 		}
2642 
2643 		if (rdev->wiphy.n_vendor_events) {
2644 			const struct nl80211_vendor_cmd_info *info;
2645 			struct nlattr *nested;
2646 
2647 			nested = nla_nest_start_noflag(msg,
2648 						       NL80211_ATTR_VENDOR_EVENTS);
2649 			if (!nested)
2650 				goto nla_put_failure;
2651 
2652 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
2653 				info = &rdev->wiphy.vendor_events[i];
2654 				if (nla_put(msg, i + 1, sizeof(*info), info))
2655 					goto nla_put_failure;
2656 			}
2657 			nla_nest_end(msg, nested);
2658 		}
2659 		state->split_start++;
2660 		break;
2661 	case 12:
2662 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
2663 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
2664 			       rdev->wiphy.max_num_csa_counters))
2665 			goto nla_put_failure;
2666 
2667 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
2668 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
2669 			goto nla_put_failure;
2670 
2671 		if (rdev->wiphy.max_sched_scan_reqs &&
2672 		    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
2673 				rdev->wiphy.max_sched_scan_reqs))
2674 			goto nla_put_failure;
2675 
2676 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
2677 			    sizeof(rdev->wiphy.ext_features),
2678 			    rdev->wiphy.ext_features))
2679 			goto nla_put_failure;
2680 
2681 		if (rdev->wiphy.bss_select_support) {
2682 			struct nlattr *nested;
2683 			u32 bss_select_support = rdev->wiphy.bss_select_support;
2684 
2685 			nested = nla_nest_start_noflag(msg,
2686 						       NL80211_ATTR_BSS_SELECT);
2687 			if (!nested)
2688 				goto nla_put_failure;
2689 
2690 			i = 0;
2691 			while (bss_select_support) {
2692 				if ((bss_select_support & 1) &&
2693 				    nla_put_flag(msg, i))
2694 					goto nla_put_failure;
2695 				i++;
2696 				bss_select_support >>= 1;
2697 			}
2698 			nla_nest_end(msg, nested);
2699 		}
2700 
2701 		state->split_start++;
2702 		break;
2703 	case 13:
2704 		if (rdev->wiphy.num_iftype_ext_capab &&
2705 		    rdev->wiphy.iftype_ext_capab) {
2706 			struct nlattr *nested_ext_capab, *nested;
2707 
2708 			nested = nla_nest_start_noflag(msg,
2709 						       NL80211_ATTR_IFTYPE_EXT_CAPA);
2710 			if (!nested)
2711 				goto nla_put_failure;
2712 
2713 			for (i = state->capa_start;
2714 			     i < rdev->wiphy.num_iftype_ext_capab; i++) {
2715 				const struct wiphy_iftype_ext_capab *capab;
2716 
2717 				capab = &rdev->wiphy.iftype_ext_capab[i];
2718 
2719 				nested_ext_capab = nla_nest_start_noflag(msg,
2720 									 i);
2721 				if (!nested_ext_capab ||
2722 				    nla_put_u32(msg, NL80211_ATTR_IFTYPE,
2723 						capab->iftype) ||
2724 				    nla_put(msg, NL80211_ATTR_EXT_CAPA,
2725 					    capab->extended_capabilities_len,
2726 					    capab->extended_capabilities) ||
2727 				    nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2728 					    capab->extended_capabilities_len,
2729 					    capab->extended_capabilities_mask))
2730 					goto nla_put_failure;
2731 
2732 				nla_nest_end(msg, nested_ext_capab);
2733 				if (state->split)
2734 					break;
2735 			}
2736 			nla_nest_end(msg, nested);
2737 			if (i < rdev->wiphy.num_iftype_ext_capab) {
2738 				state->capa_start = i + 1;
2739 				break;
2740 			}
2741 		}
2742 
2743 		if (nla_put_u32(msg, NL80211_ATTR_BANDS,
2744 				rdev->wiphy.nan_supported_bands))
2745 			goto nla_put_failure;
2746 
2747 		if (wiphy_ext_feature_isset(&rdev->wiphy,
2748 					    NL80211_EXT_FEATURE_TXQS)) {
2749 			struct cfg80211_txq_stats txqstats = {};
2750 			int res;
2751 
2752 			res = rdev_get_txq_stats(rdev, NULL, &txqstats);
2753 			if (!res &&
2754 			    !nl80211_put_txq_stats(msg, &txqstats,
2755 						   NL80211_ATTR_TXQ_STATS))
2756 				goto nla_put_failure;
2757 
2758 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
2759 					rdev->wiphy.txq_limit))
2760 				goto nla_put_failure;
2761 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
2762 					rdev->wiphy.txq_memory_limit))
2763 				goto nla_put_failure;
2764 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
2765 					rdev->wiphy.txq_quantum))
2766 				goto nla_put_failure;
2767 		}
2768 
2769 		state->split_start++;
2770 		break;
2771 	case 14:
2772 		if (nl80211_send_pmsr_capa(rdev, msg))
2773 			goto nla_put_failure;
2774 
2775 		state->split_start++;
2776 		break;
2777 	case 15:
2778 		if (rdev->wiphy.akm_suites &&
2779 		    nla_put(msg, NL80211_ATTR_AKM_SUITES,
2780 			    sizeof(u32) * rdev->wiphy.n_akm_suites,
2781 			    rdev->wiphy.akm_suites))
2782 			goto nla_put_failure;
2783 
2784 		if (nl80211_put_iftype_akm_suites(rdev, msg))
2785 			goto nla_put_failure;
2786 
2787 		if (nl80211_put_tid_config_support(rdev, msg))
2788 			goto nla_put_failure;
2789 		state->split_start++;
2790 		break;
2791 	case 16:
2792 		if (nl80211_put_sar_specs(rdev, msg))
2793 			goto nla_put_failure;
2794 
2795 		/* done */
2796 		state->split_start = 0;
2797 		break;
2798 	}
2799  finish:
2800 	genlmsg_end(msg, hdr);
2801 	return 0;
2802 
2803  nla_put_failure:
2804 	genlmsg_cancel(msg, hdr);
2805 	return -EMSGSIZE;
2806 }
2807 
nl80211_dump_wiphy_parse(struct sk_buff * skb,struct netlink_callback * cb,struct nl80211_dump_wiphy_state * state)2808 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
2809 				    struct netlink_callback *cb,
2810 				    struct nl80211_dump_wiphy_state *state)
2811 {
2812 	struct nlattr **tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
2813 	int ret;
2814 
2815 	if (!tb)
2816 		return -ENOMEM;
2817 
2818 	ret = nlmsg_parse_deprecated(cb->nlh,
2819 				     GENL_HDRLEN + nl80211_fam.hdrsize,
2820 				     tb, nl80211_fam.maxattr,
2821 				     nl80211_policy, NULL);
2822 	/* ignore parse errors for backward compatibility */
2823 	if (ret) {
2824 		ret = 0;
2825 		goto out;
2826 	}
2827 
2828 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
2829 	if (tb[NL80211_ATTR_WIPHY])
2830 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
2831 	if (tb[NL80211_ATTR_WDEV])
2832 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
2833 	if (tb[NL80211_ATTR_IFINDEX]) {
2834 		struct net_device *netdev;
2835 		struct cfg80211_registered_device *rdev;
2836 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
2837 
2838 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
2839 		if (!netdev) {
2840 			ret = -ENODEV;
2841 			goto out;
2842 		}
2843 		if (netdev->ieee80211_ptr) {
2844 			rdev = wiphy_to_rdev(
2845 				netdev->ieee80211_ptr->wiphy);
2846 			state->filter_wiphy = rdev->wiphy_idx;
2847 		}
2848 	}
2849 
2850 	ret = 0;
2851 out:
2852 	kfree(tb);
2853 	return ret;
2854 }
2855 
nl80211_dump_wiphy(struct sk_buff * skb,struct netlink_callback * cb)2856 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
2857 {
2858 	int idx = 0, ret;
2859 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
2860 	struct cfg80211_registered_device *rdev;
2861 
2862 	rtnl_lock();
2863 	if (!state) {
2864 		state = kzalloc(sizeof(*state), GFP_KERNEL);
2865 		if (!state) {
2866 			rtnl_unlock();
2867 			return -ENOMEM;
2868 		}
2869 		state->filter_wiphy = -1;
2870 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
2871 		if (ret) {
2872 			kfree(state);
2873 			rtnl_unlock();
2874 			return ret;
2875 		}
2876 		cb->args[0] = (long)state;
2877 	}
2878 
2879 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
2880 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
2881 			continue;
2882 		if (++idx <= state->start)
2883 			continue;
2884 		if (state->filter_wiphy != -1 &&
2885 		    state->filter_wiphy != rdev->wiphy_idx)
2886 			continue;
2887 		/* attempt to fit multiple wiphy data chunks into the skb */
2888 		do {
2889 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
2890 						 skb,
2891 						 NETLINK_CB(cb->skb).portid,
2892 						 cb->nlh->nlmsg_seq,
2893 						 NLM_F_MULTI, state);
2894 			if (ret < 0) {
2895 				/*
2896 				 * If sending the wiphy data didn't fit (ENOBUFS
2897 				 * or EMSGSIZE returned), this SKB is still
2898 				 * empty (so it's not too big because another
2899 				 * wiphy dataset is already in the skb) and
2900 				 * we've not tried to adjust the dump allocation
2901 				 * yet ... then adjust the alloc size to be
2902 				 * bigger, and return 1 but with the empty skb.
2903 				 * This results in an empty message being RX'ed
2904 				 * in userspace, but that is ignored.
2905 				 *
2906 				 * We can then retry with the larger buffer.
2907 				 */
2908 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
2909 				    !skb->len && !state->split &&
2910 				    cb->min_dump_alloc < 4096) {
2911 					cb->min_dump_alloc = 4096;
2912 					state->split_start = 0;
2913 					rtnl_unlock();
2914 					return 1;
2915 				}
2916 				idx--;
2917 				break;
2918 			}
2919 		} while (state->split_start > 0);
2920 		break;
2921 	}
2922 	rtnl_unlock();
2923 
2924 	state->start = idx;
2925 
2926 	return skb->len;
2927 }
2928 
nl80211_dump_wiphy_done(struct netlink_callback * cb)2929 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
2930 {
2931 	kfree((void *)cb->args[0]);
2932 	return 0;
2933 }
2934 
nl80211_get_wiphy(struct sk_buff * skb,struct genl_info * info)2935 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
2936 {
2937 	struct sk_buff *msg;
2938 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2939 	struct nl80211_dump_wiphy_state state = {};
2940 
2941 	msg = nlmsg_new(4096, GFP_KERNEL);
2942 	if (!msg)
2943 		return -ENOMEM;
2944 
2945 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
2946 			       info->snd_portid, info->snd_seq, 0,
2947 			       &state) < 0) {
2948 		nlmsg_free(msg);
2949 		return -ENOBUFS;
2950 	}
2951 
2952 	return genlmsg_reply(msg, info);
2953 }
2954 
2955 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
2956 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
2957 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
2958 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
2959 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
2960 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
2961 };
2962 
parse_txq_params(struct nlattr * tb[],struct ieee80211_txq_params * txq_params)2963 static int parse_txq_params(struct nlattr *tb[],
2964 			    struct ieee80211_txq_params *txq_params)
2965 {
2966 	u8 ac;
2967 
2968 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
2969 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
2970 	    !tb[NL80211_TXQ_ATTR_AIFS])
2971 		return -EINVAL;
2972 
2973 	ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
2974 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
2975 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
2976 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
2977 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
2978 
2979 	if (ac >= NL80211_NUM_ACS)
2980 		return -EINVAL;
2981 	txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
2982 	return 0;
2983 }
2984 
nl80211_can_set_dev_channel(struct wireless_dev * wdev)2985 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
2986 {
2987 	/*
2988 	 * You can only set the channel explicitly for some interfaces,
2989 	 * most have their channel managed via their respective
2990 	 * "establish a connection" command (connect, join, ...)
2991 	 *
2992 	 * For AP/GO and mesh mode, the channel can be set with the
2993 	 * channel userspace API, but is only stored and passed to the
2994 	 * low-level driver when the AP starts or the mesh is joined.
2995 	 * This is for backward compatibility, userspace can also give
2996 	 * the channel in the start-ap or join-mesh commands instead.
2997 	 *
2998 	 * Monitors are special as they are normally slaved to
2999 	 * whatever else is going on, so they have their own special
3000 	 * operation to set the monitor channel if possible.
3001 	 */
3002 	return !wdev ||
3003 		wdev->iftype == NL80211_IFTYPE_AP ||
3004 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
3005 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
3006 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
3007 }
3008 
nl80211_parse_chandef(struct cfg80211_registered_device * rdev,struct genl_info * info,struct cfg80211_chan_def * chandef)3009 int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3010 			  struct genl_info *info,
3011 			  struct cfg80211_chan_def *chandef)
3012 {
3013 	struct netlink_ext_ack *extack = info->extack;
3014 	struct nlattr **attrs = info->attrs;
3015 	u32 control_freq;
3016 
3017 	if (!attrs[NL80211_ATTR_WIPHY_FREQ])
3018 		return -EINVAL;
3019 
3020 	control_freq = MHZ_TO_KHZ(
3021 			nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
3022 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
3023 		control_freq +=
3024 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
3025 
3026 	memset(chandef, 0, sizeof(*chandef));
3027 	chandef->chan = ieee80211_get_channel_khz(&rdev->wiphy, control_freq);
3028 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
3029 	chandef->center_freq1 = KHZ_TO_MHZ(control_freq);
3030 	chandef->freq1_offset = control_freq % 1000;
3031 	chandef->center_freq2 = 0;
3032 
3033 	/* Primary channel not allowed */
3034 	if (!chandef->chan || chandef->chan->flags & IEEE80211_CHAN_DISABLED) {
3035 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3036 				    "Channel is disabled");
3037 		return -EINVAL;
3038 	}
3039 
3040 	if (attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
3041 		enum nl80211_channel_type chantype;
3042 
3043 		chantype = nla_get_u32(attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
3044 
3045 		switch (chantype) {
3046 		case NL80211_CHAN_NO_HT:
3047 		case NL80211_CHAN_HT20:
3048 		case NL80211_CHAN_HT40PLUS:
3049 		case NL80211_CHAN_HT40MINUS:
3050 			cfg80211_chandef_create(chandef, chandef->chan,
3051 						chantype);
3052 			/* user input for center_freq is incorrect */
3053 			if (attrs[NL80211_ATTR_CENTER_FREQ1] &&
3054 			    chandef->center_freq1 != nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1])) {
3055 				NL_SET_ERR_MSG_ATTR(extack,
3056 						    attrs[NL80211_ATTR_CENTER_FREQ1],
3057 						    "bad center frequency 1");
3058 				return -EINVAL;
3059 			}
3060 			/* center_freq2 must be zero */
3061 			if (attrs[NL80211_ATTR_CENTER_FREQ2] &&
3062 			    nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2])) {
3063 				NL_SET_ERR_MSG_ATTR(extack,
3064 						    attrs[NL80211_ATTR_CENTER_FREQ2],
3065 						    "center frequency 2 can't be used");
3066 				return -EINVAL;
3067 			}
3068 			break;
3069 		default:
3070 			NL_SET_ERR_MSG_ATTR(extack,
3071 					    attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE],
3072 					    "invalid channel type");
3073 			return -EINVAL;
3074 		}
3075 	} else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
3076 		chandef->width =
3077 			nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
3078 		if (attrs[NL80211_ATTR_CENTER_FREQ1]) {
3079 			chandef->center_freq1 =
3080 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
3081 			if (attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET])
3082 				chandef->freq1_offset = nla_get_u32(
3083 				      attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET]);
3084 			else
3085 				chandef->freq1_offset = 0;
3086 		}
3087 		if (attrs[NL80211_ATTR_CENTER_FREQ2])
3088 			chandef->center_freq2 =
3089 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2]);
3090 	}
3091 
3092 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
3093 		chandef->edmg.channels =
3094 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
3095 
3096 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
3097 			chandef->edmg.bw_config =
3098 		     nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
3099 	} else {
3100 		chandef->edmg.bw_config = 0;
3101 		chandef->edmg.channels = 0;
3102 	}
3103 
3104 	if (!cfg80211_chandef_valid(chandef)) {
3105 		NL_SET_ERR_MSG(extack, "invalid channel definition");
3106 		return -EINVAL;
3107 	}
3108 
3109 	if (!cfg80211_chandef_usable(&rdev->wiphy, chandef,
3110 				     IEEE80211_CHAN_DISABLED)) {
3111 		NL_SET_ERR_MSG(extack, "(extension) channel is disabled");
3112 		return -EINVAL;
3113 	}
3114 
3115 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
3116 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
3117 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ)) {
3118 		NL_SET_ERR_MSG(extack, "5/10 MHz not supported");
3119 		return -EINVAL;
3120 	}
3121 
3122 	return 0;
3123 }
3124 
__nl80211_set_channel(struct cfg80211_registered_device * rdev,struct net_device * dev,struct genl_info * info)3125 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
3126 				 struct net_device *dev,
3127 				 struct genl_info *info)
3128 {
3129 	struct cfg80211_chan_def chandef;
3130 	int result;
3131 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
3132 	struct wireless_dev *wdev = NULL;
3133 
3134 	if (dev)
3135 		wdev = dev->ieee80211_ptr;
3136 	if (!nl80211_can_set_dev_channel(wdev))
3137 		return -EOPNOTSUPP;
3138 	if (wdev)
3139 		iftype = wdev->iftype;
3140 
3141 	result = nl80211_parse_chandef(rdev, info, &chandef);
3142 	if (result)
3143 		return result;
3144 
3145 	switch (iftype) {
3146 	case NL80211_IFTYPE_AP:
3147 	case NL80211_IFTYPE_P2P_GO:
3148 		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
3149 						   iftype)) {
3150 			result = -EINVAL;
3151 			break;
3152 		}
3153 		if (wdev->beacon_interval) {
3154 			if (!dev || !rdev->ops->set_ap_chanwidth ||
3155 			    !(rdev->wiphy.features &
3156 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE)) {
3157 				result = -EBUSY;
3158 				break;
3159 			}
3160 
3161 			/* Only allow dynamic channel width changes */
3162 			if (chandef.chan != wdev->preset_chandef.chan) {
3163 				result = -EBUSY;
3164 				break;
3165 			}
3166 			result = rdev_set_ap_chanwidth(rdev, dev, &chandef);
3167 			if (result)
3168 				break;
3169 		}
3170 		wdev->preset_chandef = chandef;
3171 		result = 0;
3172 		break;
3173 	case NL80211_IFTYPE_MESH_POINT:
3174 		result = cfg80211_set_mesh_channel(rdev, wdev, &chandef);
3175 		break;
3176 	case NL80211_IFTYPE_MONITOR:
3177 		result = cfg80211_set_monitor_channel(rdev, &chandef);
3178 		break;
3179 	default:
3180 		result = -EINVAL;
3181 	}
3182 
3183 	return result;
3184 }
3185 
nl80211_set_channel(struct sk_buff * skb,struct genl_info * info)3186 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
3187 {
3188 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3189 	struct net_device *netdev = info->user_ptr[1];
3190 
3191 	return __nl80211_set_channel(rdev, netdev, info);
3192 }
3193 
nl80211_set_wiphy(struct sk_buff * skb,struct genl_info * info)3194 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
3195 {
3196 	struct cfg80211_registered_device *rdev = NULL;
3197 	struct net_device *netdev = NULL;
3198 	struct wireless_dev *wdev;
3199 	int result = 0, rem_txq_params = 0;
3200 	struct nlattr *nl_txq_params;
3201 	u32 changed;
3202 	u8 retry_short = 0, retry_long = 0;
3203 	u32 frag_threshold = 0, rts_threshold = 0;
3204 	u8 coverage_class = 0;
3205 	u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
3206 
3207 	rtnl_lock();
3208 	/*
3209 	 * Try to find the wiphy and netdev. Normally this
3210 	 * function shouldn't need the netdev, but this is
3211 	 * done for backward compatibility -- previously
3212 	 * setting the channel was done per wiphy, but now
3213 	 * it is per netdev. Previous userland like hostapd
3214 	 * also passed a netdev to set_wiphy, so that it is
3215 	 * possible to let that go to the right netdev!
3216 	 */
3217 
3218 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
3219 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
3220 
3221 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
3222 		if (netdev && netdev->ieee80211_ptr)
3223 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
3224 		else
3225 			netdev = NULL;
3226 	}
3227 
3228 	if (!netdev) {
3229 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
3230 						  info->attrs);
3231 		if (IS_ERR(rdev)) {
3232 			rtnl_unlock();
3233 			return PTR_ERR(rdev);
3234 		}
3235 		wdev = NULL;
3236 		netdev = NULL;
3237 		result = 0;
3238 	} else
3239 		wdev = netdev->ieee80211_ptr;
3240 
3241 	wiphy_lock(&rdev->wiphy);
3242 
3243 	/*
3244 	 * end workaround code, by now the rdev is available
3245 	 * and locked, and wdev may or may not be NULL.
3246 	 */
3247 
3248 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
3249 		result = cfg80211_dev_rename(
3250 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
3251 	rtnl_unlock();
3252 
3253 	if (result)
3254 		goto out;
3255 
3256 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
3257 		struct ieee80211_txq_params txq_params;
3258 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
3259 
3260 		if (!rdev->ops->set_txq_params) {
3261 			result = -EOPNOTSUPP;
3262 			goto out;
3263 		}
3264 
3265 		if (!netdev) {
3266 			result = -EINVAL;
3267 			goto out;
3268 		}
3269 
3270 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3271 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
3272 			result = -EINVAL;
3273 			goto out;
3274 		}
3275 
3276 		if (!netif_running(netdev)) {
3277 			result = -ENETDOWN;
3278 			goto out;
3279 		}
3280 
3281 		nla_for_each_nested(nl_txq_params,
3282 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
3283 				    rem_txq_params) {
3284 			result = nla_parse_nested_deprecated(tb,
3285 							     NL80211_TXQ_ATTR_MAX,
3286 							     nl_txq_params,
3287 							     txq_params_policy,
3288 							     info->extack);
3289 			if (result)
3290 				goto out;
3291 			result = parse_txq_params(tb, &txq_params);
3292 			if (result)
3293 				goto out;
3294 
3295 			result = rdev_set_txq_params(rdev, netdev,
3296 						     &txq_params);
3297 			if (result)
3298 				goto out;
3299 		}
3300 	}
3301 
3302 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3303 		result = __nl80211_set_channel(
3304 			rdev,
3305 			nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
3306 			info);
3307 		if (result)
3308 			goto out;
3309 	}
3310 
3311 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
3312 		struct wireless_dev *txp_wdev = wdev;
3313 		enum nl80211_tx_power_setting type;
3314 		int idx, mbm = 0;
3315 
3316 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
3317 			txp_wdev = NULL;
3318 
3319 		if (!rdev->ops->set_tx_power) {
3320 			result = -EOPNOTSUPP;
3321 			goto out;
3322 		}
3323 
3324 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
3325 		type = nla_get_u32(info->attrs[idx]);
3326 
3327 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
3328 		    (type != NL80211_TX_POWER_AUTOMATIC)) {
3329 			result = -EINVAL;
3330 			goto out;
3331 		}
3332 
3333 		if (type != NL80211_TX_POWER_AUTOMATIC) {
3334 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
3335 			mbm = nla_get_u32(info->attrs[idx]);
3336 		}
3337 
3338 		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
3339 		if (result)
3340 			goto out;
3341 	}
3342 
3343 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
3344 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
3345 		u32 tx_ant, rx_ant;
3346 
3347 		if ((!rdev->wiphy.available_antennas_tx &&
3348 		     !rdev->wiphy.available_antennas_rx) ||
3349 		    !rdev->ops->set_antenna) {
3350 			result = -EOPNOTSUPP;
3351 			goto out;
3352 		}
3353 
3354 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
3355 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
3356 
3357 		/* reject antenna configurations which don't match the
3358 		 * available antenna masks, except for the "all" mask */
3359 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
3360 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx))) {
3361 			result = -EINVAL;
3362 			goto out;
3363 		}
3364 
3365 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
3366 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
3367 
3368 		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
3369 		if (result)
3370 			goto out;
3371 	}
3372 
3373 	changed = 0;
3374 
3375 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
3376 		retry_short = nla_get_u8(
3377 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
3378 
3379 		changed |= WIPHY_PARAM_RETRY_SHORT;
3380 	}
3381 
3382 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
3383 		retry_long = nla_get_u8(
3384 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
3385 
3386 		changed |= WIPHY_PARAM_RETRY_LONG;
3387 	}
3388 
3389 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
3390 		frag_threshold = nla_get_u32(
3391 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
3392 		if (frag_threshold < 256) {
3393 			result = -EINVAL;
3394 			goto out;
3395 		}
3396 
3397 		if (frag_threshold != (u32) -1) {
3398 			/*
3399 			 * Fragments (apart from the last one) are required to
3400 			 * have even length. Make the fragmentation code
3401 			 * simpler by stripping LSB should someone try to use
3402 			 * odd threshold value.
3403 			 */
3404 			frag_threshold &= ~0x1;
3405 		}
3406 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
3407 	}
3408 
3409 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
3410 		rts_threshold = nla_get_u32(
3411 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
3412 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
3413 	}
3414 
3415 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
3416 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3417 			result = -EINVAL;
3418 			goto out;
3419 		}
3420 
3421 		coverage_class = nla_get_u8(
3422 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
3423 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
3424 	}
3425 
3426 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3427 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION)) {
3428 			result = -EOPNOTSUPP;
3429 			goto out;
3430 		}
3431 
3432 		changed |= WIPHY_PARAM_DYN_ACK;
3433 	}
3434 
3435 	if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
3436 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3437 					     NL80211_EXT_FEATURE_TXQS)) {
3438 			result = -EOPNOTSUPP;
3439 			goto out;
3440 		}
3441 		txq_limit = nla_get_u32(
3442 			info->attrs[NL80211_ATTR_TXQ_LIMIT]);
3443 		changed |= WIPHY_PARAM_TXQ_LIMIT;
3444 	}
3445 
3446 	if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
3447 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3448 					     NL80211_EXT_FEATURE_TXQS)) {
3449 			result = -EOPNOTSUPP;
3450 			goto out;
3451 		}
3452 		txq_memory_limit = nla_get_u32(
3453 			info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
3454 		changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
3455 	}
3456 
3457 	if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
3458 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3459 					     NL80211_EXT_FEATURE_TXQS)) {
3460 			result = -EOPNOTSUPP;
3461 			goto out;
3462 		}
3463 		txq_quantum = nla_get_u32(
3464 			info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
3465 		changed |= WIPHY_PARAM_TXQ_QUANTUM;
3466 	}
3467 
3468 	if (changed) {
3469 		u8 old_retry_short, old_retry_long;
3470 		u32 old_frag_threshold, old_rts_threshold;
3471 		u8 old_coverage_class;
3472 		u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
3473 
3474 		if (!rdev->ops->set_wiphy_params) {
3475 			result = -EOPNOTSUPP;
3476 			goto out;
3477 		}
3478 
3479 		old_retry_short = rdev->wiphy.retry_short;
3480 		old_retry_long = rdev->wiphy.retry_long;
3481 		old_frag_threshold = rdev->wiphy.frag_threshold;
3482 		old_rts_threshold = rdev->wiphy.rts_threshold;
3483 		old_coverage_class = rdev->wiphy.coverage_class;
3484 		old_txq_limit = rdev->wiphy.txq_limit;
3485 		old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
3486 		old_txq_quantum = rdev->wiphy.txq_quantum;
3487 
3488 		if (changed & WIPHY_PARAM_RETRY_SHORT)
3489 			rdev->wiphy.retry_short = retry_short;
3490 		if (changed & WIPHY_PARAM_RETRY_LONG)
3491 			rdev->wiphy.retry_long = retry_long;
3492 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
3493 			rdev->wiphy.frag_threshold = frag_threshold;
3494 		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
3495 			rdev->wiphy.rts_threshold = rts_threshold;
3496 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
3497 			rdev->wiphy.coverage_class = coverage_class;
3498 		if (changed & WIPHY_PARAM_TXQ_LIMIT)
3499 			rdev->wiphy.txq_limit = txq_limit;
3500 		if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
3501 			rdev->wiphy.txq_memory_limit = txq_memory_limit;
3502 		if (changed & WIPHY_PARAM_TXQ_QUANTUM)
3503 			rdev->wiphy.txq_quantum = txq_quantum;
3504 
3505 		result = rdev_set_wiphy_params(rdev, changed);
3506 		if (result) {
3507 			rdev->wiphy.retry_short = old_retry_short;
3508 			rdev->wiphy.retry_long = old_retry_long;
3509 			rdev->wiphy.frag_threshold = old_frag_threshold;
3510 			rdev->wiphy.rts_threshold = old_rts_threshold;
3511 			rdev->wiphy.coverage_class = old_coverage_class;
3512 			rdev->wiphy.txq_limit = old_txq_limit;
3513 			rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
3514 			rdev->wiphy.txq_quantum = old_txq_quantum;
3515 			goto out;
3516 		}
3517 	}
3518 
3519 	result = 0;
3520 
3521 out:
3522 	wiphy_unlock(&rdev->wiphy);
3523 	return result;
3524 }
3525 
nl80211_send_chandef(struct sk_buff * msg,const struct cfg80211_chan_def * chandef)3526 static int nl80211_send_chandef(struct sk_buff *msg,
3527 				const struct cfg80211_chan_def *chandef)
3528 {
3529 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
3530 		return -EINVAL;
3531 
3532 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
3533 			chandef->chan->center_freq))
3534 		return -ENOBUFS;
3535 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
3536 			chandef->chan->freq_offset))
3537 		return -ENOBUFS;
3538 	switch (chandef->width) {
3539 	case NL80211_CHAN_WIDTH_20_NOHT:
3540 	case NL80211_CHAN_WIDTH_20:
3541 	case NL80211_CHAN_WIDTH_40:
3542 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
3543 				cfg80211_get_chandef_type(chandef)))
3544 			return -ENOBUFS;
3545 		break;
3546 	default:
3547 		break;
3548 	}
3549 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
3550 		return -ENOBUFS;
3551 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
3552 		return -ENOBUFS;
3553 	if (chandef->center_freq2 &&
3554 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
3555 		return -ENOBUFS;
3556 	return 0;
3557 }
3558 
nl80211_send_iface(struct sk_buff * msg,u32 portid,u32 seq,int flags,struct cfg80211_registered_device * rdev,struct wireless_dev * wdev,enum nl80211_commands cmd)3559 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
3560 			      struct cfg80211_registered_device *rdev,
3561 			      struct wireless_dev *wdev,
3562 			      enum nl80211_commands cmd)
3563 {
3564 	struct net_device *dev = wdev->netdev;
3565 	void *hdr;
3566 
3567 	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
3568 		cmd != NL80211_CMD_DEL_INTERFACE &&
3569 		cmd != NL80211_CMD_SET_INTERFACE);
3570 
3571 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
3572 	if (!hdr)
3573 		return -1;
3574 
3575 	if (dev &&
3576 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3577 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
3578 		goto nla_put_failure;
3579 
3580 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
3581 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
3582 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
3583 			      NL80211_ATTR_PAD) ||
3584 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
3585 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
3586 			rdev->devlist_generation ^
3587 			(cfg80211_rdev_list_generation << 2)) ||
3588 	    nla_put_u8(msg, NL80211_ATTR_4ADDR, wdev->use_4addr))
3589 		goto nla_put_failure;
3590 
3591 	if (rdev->ops->get_channel) {
3592 		int ret;
3593 		struct cfg80211_chan_def chandef = {};
3594 
3595 		ret = rdev_get_channel(rdev, wdev, &chandef);
3596 		if (ret == 0) {
3597 			if (nl80211_send_chandef(msg, &chandef))
3598 				goto nla_put_failure;
3599 		}
3600 	}
3601 
3602 	if (rdev->ops->get_tx_power) {
3603 		int dbm, ret;
3604 
3605 		ret = rdev_get_tx_power(rdev, wdev, &dbm);
3606 		if (ret == 0 &&
3607 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
3608 				DBM_TO_MBM(dbm)))
3609 			goto nla_put_failure;
3610 	}
3611 
3612 	wdev_lock(wdev);
3613 	switch (wdev->iftype) {
3614 	case NL80211_IFTYPE_AP:
3615 		if (wdev->ssid_len &&
3616 		    nla_put(msg, NL80211_ATTR_SSID, wdev->ssid_len, wdev->ssid))
3617 			goto nla_put_failure_locked;
3618 		break;
3619 	case NL80211_IFTYPE_STATION:
3620 	case NL80211_IFTYPE_P2P_CLIENT:
3621 	case NL80211_IFTYPE_ADHOC: {
3622 		const u8 *ssid_ie;
3623 		if (!wdev->current_bss)
3624 			break;
3625 		rcu_read_lock();
3626 		ssid_ie = ieee80211_bss_get_ie(&wdev->current_bss->pub,
3627 					       WLAN_EID_SSID);
3628 		if (ssid_ie &&
3629 		    nla_put(msg, NL80211_ATTR_SSID, ssid_ie[1], ssid_ie + 2))
3630 			goto nla_put_failure_rcu_locked;
3631 		rcu_read_unlock();
3632 		break;
3633 		}
3634 	default:
3635 		/* nothing */
3636 		break;
3637 	}
3638 	wdev_unlock(wdev);
3639 
3640 	if (rdev->ops->get_txq_stats) {
3641 		struct cfg80211_txq_stats txqstats = {};
3642 		int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);
3643 
3644 		if (ret == 0 &&
3645 		    !nl80211_put_txq_stats(msg, &txqstats,
3646 					   NL80211_ATTR_TXQ_STATS))
3647 			goto nla_put_failure;
3648 	}
3649 
3650 	genlmsg_end(msg, hdr);
3651 	return 0;
3652 
3653  nla_put_failure_rcu_locked:
3654 	rcu_read_unlock();
3655  nla_put_failure_locked:
3656 	wdev_unlock(wdev);
3657  nla_put_failure:
3658 	genlmsg_cancel(msg, hdr);
3659 	return -EMSGSIZE;
3660 }
3661 
nl80211_dump_interface(struct sk_buff * skb,struct netlink_callback * cb)3662 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
3663 {
3664 	int wp_idx = 0;
3665 	int if_idx = 0;
3666 	int wp_start = cb->args[0];
3667 	int if_start = cb->args[1];
3668 	int filter_wiphy = -1;
3669 	struct cfg80211_registered_device *rdev;
3670 	struct wireless_dev *wdev;
3671 	int ret;
3672 
3673 	rtnl_lock();
3674 	if (!cb->args[2]) {
3675 		struct nl80211_dump_wiphy_state state = {
3676 			.filter_wiphy = -1,
3677 		};
3678 
3679 		ret = nl80211_dump_wiphy_parse(skb, cb, &state);
3680 		if (ret)
3681 			goto out_unlock;
3682 
3683 		filter_wiphy = state.filter_wiphy;
3684 
3685 		/*
3686 		 * if filtering, set cb->args[2] to +1 since 0 is the default
3687 		 * value needed to determine that parsing is necessary.
3688 		 */
3689 		if (filter_wiphy >= 0)
3690 			cb->args[2] = filter_wiphy + 1;
3691 		else
3692 			cb->args[2] = -1;
3693 	} else if (cb->args[2] > 0) {
3694 		filter_wiphy = cb->args[2] - 1;
3695 	}
3696 
3697 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
3698 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3699 			continue;
3700 		if (wp_idx < wp_start) {
3701 			wp_idx++;
3702 			continue;
3703 		}
3704 
3705 		if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
3706 			continue;
3707 
3708 		if_idx = 0;
3709 
3710 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
3711 			if (if_idx < if_start) {
3712 				if_idx++;
3713 				continue;
3714 			}
3715 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
3716 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
3717 					       rdev, wdev,
3718 					       NL80211_CMD_NEW_INTERFACE) < 0) {
3719 				goto out;
3720 			}
3721 			if_idx++;
3722 		}
3723 
3724 		wp_idx++;
3725 	}
3726  out:
3727 	cb->args[0] = wp_idx;
3728 	cb->args[1] = if_idx;
3729 
3730 	ret = skb->len;
3731  out_unlock:
3732 	rtnl_unlock();
3733 
3734 	return ret;
3735 }
3736 
nl80211_get_interface(struct sk_buff * skb,struct genl_info * info)3737 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
3738 {
3739 	struct sk_buff *msg;
3740 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3741 	struct wireless_dev *wdev = info->user_ptr[1];
3742 
3743 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3744 	if (!msg)
3745 		return -ENOMEM;
3746 
3747 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
3748 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
3749 		nlmsg_free(msg);
3750 		return -ENOBUFS;
3751 	}
3752 
3753 	return genlmsg_reply(msg, info);
3754 }
3755 
3756 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
3757 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
3758 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
3759 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
3760 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
3761 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
3762 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
3763 };
3764 
parse_monitor_flags(struct nlattr * nla,u32 * mntrflags)3765 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
3766 {
3767 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
3768 	int flag;
3769 
3770 	*mntrflags = 0;
3771 
3772 	if (!nla)
3773 		return -EINVAL;
3774 
3775 	if (nla_parse_nested_deprecated(flags, NL80211_MNTR_FLAG_MAX, nla, mntr_flags_policy, NULL))
3776 		return -EINVAL;
3777 
3778 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
3779 		if (flags[flag])
3780 			*mntrflags |= (1<<flag);
3781 
3782 	*mntrflags |= MONITOR_FLAG_CHANGED;
3783 
3784 	return 0;
3785 }
3786 
nl80211_parse_mon_options(struct cfg80211_registered_device * rdev,enum nl80211_iftype type,struct genl_info * info,struct vif_params * params)3787 static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
3788 				     enum nl80211_iftype type,
3789 				     struct genl_info *info,
3790 				     struct vif_params *params)
3791 {
3792 	bool change = false;
3793 	int err;
3794 
3795 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
3796 		if (type != NL80211_IFTYPE_MONITOR)
3797 			return -EINVAL;
3798 
3799 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
3800 					  &params->flags);
3801 		if (err)
3802 			return err;
3803 
3804 		change = true;
3805 	}
3806 
3807 	if (params->flags & MONITOR_FLAG_ACTIVE &&
3808 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
3809 		return -EOPNOTSUPP;
3810 
3811 	if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
3812 		const u8 *mumimo_groups;
3813 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
3814 
3815 		if (type != NL80211_IFTYPE_MONITOR)
3816 			return -EINVAL;
3817 
3818 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
3819 			return -EOPNOTSUPP;
3820 
3821 		mumimo_groups =
3822 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
3823 
3824 		/* bits 0 and 63 are reserved and must be zero */
3825 		if ((mumimo_groups[0] & BIT(0)) ||
3826 		    (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
3827 			return -EINVAL;
3828 
3829 		params->vht_mumimo_groups = mumimo_groups;
3830 		change = true;
3831 	}
3832 
3833 	if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
3834 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
3835 
3836 		if (type != NL80211_IFTYPE_MONITOR)
3837 			return -EINVAL;
3838 
3839 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
3840 			return -EOPNOTSUPP;
3841 
3842 		params->vht_mumimo_follow_addr =
3843 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]);
3844 		change = true;
3845 	}
3846 
3847 	return change ? 1 : 0;
3848 }
3849 
nl80211_valid_4addr(struct cfg80211_registered_device * rdev,struct net_device * netdev,u8 use_4addr,enum nl80211_iftype iftype)3850 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
3851 			       struct net_device *netdev, u8 use_4addr,
3852 			       enum nl80211_iftype iftype)
3853 {
3854 	if (!use_4addr) {
3855 		if (netdev && netif_is_bridge_port(netdev))
3856 			return -EBUSY;
3857 		return 0;
3858 	}
3859 
3860 	switch (iftype) {
3861 	case NL80211_IFTYPE_AP_VLAN:
3862 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
3863 			return 0;
3864 		break;
3865 	case NL80211_IFTYPE_STATION:
3866 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
3867 			return 0;
3868 		break;
3869 	default:
3870 		break;
3871 	}
3872 
3873 	return -EOPNOTSUPP;
3874 }
3875 
nl80211_set_interface(struct sk_buff * skb,struct genl_info * info)3876 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
3877 {
3878 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3879 	struct vif_params params;
3880 	int err;
3881 	enum nl80211_iftype otype, ntype;
3882 	struct net_device *dev = info->user_ptr[1];
3883 	bool change = false;
3884 
3885 	memset(&params, 0, sizeof(params));
3886 
3887 	otype = ntype = dev->ieee80211_ptr->iftype;
3888 
3889 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
3890 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
3891 		if (otype != ntype)
3892 			change = true;
3893 	}
3894 
3895 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
3896 		struct wireless_dev *wdev = dev->ieee80211_ptr;
3897 
3898 		if (ntype != NL80211_IFTYPE_MESH_POINT)
3899 			return -EINVAL;
3900 		if (netif_running(dev))
3901 			return -EBUSY;
3902 
3903 		wdev_lock(wdev);
3904 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
3905 			     IEEE80211_MAX_MESH_ID_LEN);
3906 		wdev->mesh_id_up_len =
3907 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
3908 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
3909 		       wdev->mesh_id_up_len);
3910 		wdev_unlock(wdev);
3911 	}
3912 
3913 	if (info->attrs[NL80211_ATTR_4ADDR]) {
3914 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
3915 		change = true;
3916 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
3917 		if (err)
3918 			return err;
3919 	} else {
3920 		params.use_4addr = -1;
3921 	}
3922 
3923 	err = nl80211_parse_mon_options(rdev, ntype, info, &params);
3924 	if (err < 0)
3925 		return err;
3926 	if (err > 0)
3927 		change = true;
3928 
3929 	if (change)
3930 		err = cfg80211_change_iface(rdev, dev, ntype, &params);
3931 	else
3932 		err = 0;
3933 
3934 	if (!err && params.use_4addr != -1)
3935 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
3936 
3937 	if (change && !err) {
3938 		struct wireless_dev *wdev = dev->ieee80211_ptr;
3939 
3940 		nl80211_notify_iface(rdev, wdev, NL80211_CMD_SET_INTERFACE);
3941 	}
3942 
3943 	return err;
3944 }
3945 
_nl80211_new_interface(struct sk_buff * skb,struct genl_info * info)3946 static int _nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
3947 {
3948 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3949 	struct vif_params params;
3950 	struct wireless_dev *wdev;
3951 	struct sk_buff *msg;
3952 	int err;
3953 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
3954 
3955 	memset(&params, 0, sizeof(params));
3956 
3957 	if (!info->attrs[NL80211_ATTR_IFNAME])
3958 		return -EINVAL;
3959 
3960 	if (info->attrs[NL80211_ATTR_IFTYPE])
3961 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
3962 
3963 	if (!rdev->ops->add_virtual_intf)
3964 		return -EOPNOTSUPP;
3965 
3966 	if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
3967 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
3968 	    info->attrs[NL80211_ATTR_MAC]) {
3969 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
3970 			   ETH_ALEN);
3971 		if (!is_valid_ether_addr(params.macaddr))
3972 			return -EADDRNOTAVAIL;
3973 	}
3974 
3975 	if (info->attrs[NL80211_ATTR_4ADDR]) {
3976 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
3977 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
3978 		if (err)
3979 			return err;
3980 	}
3981 
3982 	if (!cfg80211_iftype_allowed(&rdev->wiphy, type, params.use_4addr, 0))
3983 		return -EOPNOTSUPP;
3984 
3985 	err = nl80211_parse_mon_options(rdev, type, info, &params);
3986 	if (err < 0)
3987 		return err;
3988 
3989 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3990 	if (!msg)
3991 		return -ENOMEM;
3992 
3993 	wdev = rdev_add_virtual_intf(rdev,
3994 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
3995 				NET_NAME_USER, type, &params);
3996 	if (WARN_ON(!wdev)) {
3997 		nlmsg_free(msg);
3998 		return -EPROTO;
3999 	} else if (IS_ERR(wdev)) {
4000 		nlmsg_free(msg);
4001 		return PTR_ERR(wdev);
4002 	}
4003 
4004 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
4005 		wdev->owner_nlportid = info->snd_portid;
4006 
4007 	switch (type) {
4008 	case NL80211_IFTYPE_MESH_POINT:
4009 		if (!info->attrs[NL80211_ATTR_MESH_ID])
4010 			break;
4011 		wdev_lock(wdev);
4012 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
4013 			     IEEE80211_MAX_MESH_ID_LEN);
4014 		wdev->mesh_id_up_len =
4015 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4016 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4017 		       wdev->mesh_id_up_len);
4018 		wdev_unlock(wdev);
4019 		break;
4020 	case NL80211_IFTYPE_NAN:
4021 	case NL80211_IFTYPE_P2P_DEVICE:
4022 		/*
4023 		 * P2P Device and NAN do not have a netdev, so don't go
4024 		 * through the netdev notifier and must be added here
4025 		 */
4026 		cfg80211_init_wdev(wdev);
4027 		cfg80211_register_wdev(rdev, wdev);
4028 		break;
4029 	default:
4030 		break;
4031 	}
4032 
4033 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4034 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4035 		nlmsg_free(msg);
4036 		return -ENOBUFS;
4037 	}
4038 
4039 	return genlmsg_reply(msg, info);
4040 }
4041 
nl80211_new_interface(struct sk_buff * skb,struct genl_info * info)4042 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4043 {
4044 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4045 	int ret;
4046 
4047 	/* to avoid failing a new interface creation due to pending removal */
4048 	cfg80211_destroy_ifaces(rdev);
4049 
4050 	wiphy_lock(&rdev->wiphy);
4051 	ret = _nl80211_new_interface(skb, info);
4052 	wiphy_unlock(&rdev->wiphy);
4053 
4054 	return ret;
4055 }
4056 
nl80211_del_interface(struct sk_buff * skb,struct genl_info * info)4057 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
4058 {
4059 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4060 	struct wireless_dev *wdev = info->user_ptr[1];
4061 
4062 	if (!rdev->ops->del_virtual_intf)
4063 		return -EOPNOTSUPP;
4064 
4065 	/*
4066 	 * We hold RTNL, so this is safe, without RTNL opencount cannot
4067 	 * reach 0, and thus the rdev cannot be deleted.
4068 	 *
4069 	 * We need to do it for the dev_close(), since that will call
4070 	 * the netdev notifiers, and we need to acquire the mutex there
4071 	 * but don't know if we get there from here or from some other
4072 	 * place (e.g. "ip link set ... down").
4073 	 */
4074 	mutex_unlock(&rdev->wiphy.mtx);
4075 
4076 	/*
4077 	 * If we remove a wireless device without a netdev then clear
4078 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
4079 	 * to check if it needs to do dev_put(). Otherwise it crashes
4080 	 * since the wdev has been freed, unlike with a netdev where
4081 	 * we need the dev_put() for the netdev to really be freed.
4082 	 */
4083 	if (!wdev->netdev)
4084 		info->user_ptr[1] = NULL;
4085 	else
4086 		dev_close(wdev->netdev);
4087 
4088 	mutex_lock(&rdev->wiphy.mtx);
4089 
4090 	return rdev_del_virtual_intf(rdev, wdev);
4091 }
4092 
nl80211_set_noack_map(struct sk_buff * skb,struct genl_info * info)4093 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
4094 {
4095 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4096 	struct net_device *dev = info->user_ptr[1];
4097 	u16 noack_map;
4098 
4099 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
4100 		return -EINVAL;
4101 
4102 	if (!rdev->ops->set_noack_map)
4103 		return -EOPNOTSUPP;
4104 
4105 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
4106 
4107 	return rdev_set_noack_map(rdev, dev, noack_map);
4108 }
4109 
4110 struct get_key_cookie {
4111 	struct sk_buff *msg;
4112 	int error;
4113 	int idx;
4114 };
4115 
get_key_callback(void * c,struct key_params * params)4116 static void get_key_callback(void *c, struct key_params *params)
4117 {
4118 	struct nlattr *key;
4119 	struct get_key_cookie *cookie = c;
4120 
4121 	if ((params->key &&
4122 	     nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
4123 		     params->key_len, params->key)) ||
4124 	    (params->seq &&
4125 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
4126 		     params->seq_len, params->seq)) ||
4127 	    (params->cipher &&
4128 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
4129 			 params->cipher)))
4130 		goto nla_put_failure;
4131 
4132 	key = nla_nest_start_noflag(cookie->msg, NL80211_ATTR_KEY);
4133 	if (!key)
4134 		goto nla_put_failure;
4135 
4136 	if ((params->key &&
4137 	     nla_put(cookie->msg, NL80211_KEY_DATA,
4138 		     params->key_len, params->key)) ||
4139 	    (params->seq &&
4140 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
4141 		     params->seq_len, params->seq)) ||
4142 	    (params->cipher &&
4143 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
4144 			 params->cipher)))
4145 		goto nla_put_failure;
4146 
4147 	if (nla_put_u8(cookie->msg, NL80211_KEY_IDX, cookie->idx))
4148 		goto nla_put_failure;
4149 
4150 	nla_nest_end(cookie->msg, key);
4151 
4152 	return;
4153  nla_put_failure:
4154 	cookie->error = 1;
4155 }
4156 
nl80211_get_key(struct sk_buff * skb,struct genl_info * info)4157 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
4158 {
4159 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4160 	int err;
4161 	struct net_device *dev = info->user_ptr[1];
4162 	u8 key_idx = 0;
4163 	const u8 *mac_addr = NULL;
4164 	bool pairwise;
4165 	struct get_key_cookie cookie = {
4166 		.error = 0,
4167 	};
4168 	void *hdr;
4169 	struct sk_buff *msg;
4170 	bool bigtk_support = false;
4171 
4172 	if (wiphy_ext_feature_isset(&rdev->wiphy,
4173 				    NL80211_EXT_FEATURE_BEACON_PROTECTION))
4174 		bigtk_support = true;
4175 
4176 	if ((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_STATION ||
4177 	     dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_CLIENT) &&
4178 	    wiphy_ext_feature_isset(&rdev->wiphy,
4179 				    NL80211_EXT_FEATURE_BEACON_PROTECTION_CLIENT))
4180 		bigtk_support = true;
4181 
4182 	if (info->attrs[NL80211_ATTR_KEY_IDX]) {
4183 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
4184 
4185 		if (key_idx >= 6 && key_idx <= 7 && !bigtk_support) {
4186 			GENL_SET_ERR_MSG(info, "BIGTK not supported");
4187 			return -EINVAL;
4188 		}
4189 	}
4190 
4191 	if (info->attrs[NL80211_ATTR_MAC])
4192 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4193 
4194 	pairwise = !!mac_addr;
4195 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
4196 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
4197 
4198 		if (kt != NL80211_KEYTYPE_GROUP &&
4199 		    kt != NL80211_KEYTYPE_PAIRWISE)
4200 			return -EINVAL;
4201 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
4202 	}
4203 
4204 	if (!rdev->ops->get_key)
4205 		return -EOPNOTSUPP;
4206 
4207 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4208 		return -ENOENT;
4209 
4210 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4211 	if (!msg)
4212 		return -ENOMEM;
4213 
4214 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
4215 			     NL80211_CMD_NEW_KEY);
4216 	if (!hdr)
4217 		goto nla_put_failure;
4218 
4219 	cookie.msg = msg;
4220 	cookie.idx = key_idx;
4221 
4222 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4223 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
4224 		goto nla_put_failure;
4225 	if (mac_addr &&
4226 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
4227 		goto nla_put_failure;
4228 
4229 	err = rdev_get_key(rdev, dev, key_idx, pairwise, mac_addr, &cookie,
4230 			   get_key_callback);
4231 
4232 	if (err)
4233 		goto free_msg;
4234 
4235 	if (cookie.error)
4236 		goto nla_put_failure;
4237 
4238 	genlmsg_end(msg, hdr);
4239 	return genlmsg_reply(msg, info);
4240 
4241  nla_put_failure:
4242 	err = -ENOBUFS;
4243  free_msg:
4244 	nlmsg_free(msg);
4245 	return err;
4246 }
4247 
nl80211_set_key(struct sk_buff * skb,struct genl_info * info)4248 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
4249 {
4250 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4251 	struct key_parse key;
4252 	int err;
4253 	struct net_device *dev = info->user_ptr[1];
4254 
4255 	err = nl80211_parse_key(info, &key);
4256 	if (err)
4257 		return err;
4258 
4259 	if (key.idx < 0)
4260 		return -EINVAL;
4261 
4262 	/* Only support setting default key and
4263 	 * Extended Key ID action NL80211_KEY_SET_TX.
4264 	 */
4265 	if (!key.def && !key.defmgmt && !key.defbeacon &&
4266 	    !(key.p.mode == NL80211_KEY_SET_TX))
4267 		return -EINVAL;
4268 
4269 	wdev_lock(dev->ieee80211_ptr);
4270 
4271 	if (key.def) {
4272 		if (!rdev->ops->set_default_key) {
4273 			err = -EOPNOTSUPP;
4274 			goto out;
4275 		}
4276 
4277 		err = nl80211_key_allowed(dev->ieee80211_ptr);
4278 		if (err)
4279 			goto out;
4280 
4281 		err = rdev_set_default_key(rdev, dev, key.idx,
4282 						 key.def_uni, key.def_multi);
4283 
4284 		if (err)
4285 			goto out;
4286 
4287 #ifdef CONFIG_CFG80211_WEXT
4288 		dev->ieee80211_ptr->wext.default_key = key.idx;
4289 #endif
4290 	} else if (key.defmgmt) {
4291 		if (key.def_uni || !key.def_multi) {
4292 			err = -EINVAL;
4293 			goto out;
4294 		}
4295 
4296 		if (!rdev->ops->set_default_mgmt_key) {
4297 			err = -EOPNOTSUPP;
4298 			goto out;
4299 		}
4300 
4301 		err = nl80211_key_allowed(dev->ieee80211_ptr);
4302 		if (err)
4303 			goto out;
4304 
4305 		err = rdev_set_default_mgmt_key(rdev, dev, key.idx);
4306 		if (err)
4307 			goto out;
4308 
4309 #ifdef CONFIG_CFG80211_WEXT
4310 		dev->ieee80211_ptr->wext.default_mgmt_key = key.idx;
4311 #endif
4312 	} else if (key.defbeacon) {
4313 		if (key.def_uni || !key.def_multi) {
4314 			err = -EINVAL;
4315 			goto out;
4316 		}
4317 
4318 		if (!rdev->ops->set_default_beacon_key) {
4319 			err = -EOPNOTSUPP;
4320 			goto out;
4321 		}
4322 
4323 		err = nl80211_key_allowed(dev->ieee80211_ptr);
4324 		if (err)
4325 			goto out;
4326 
4327 		err = rdev_set_default_beacon_key(rdev, dev, key.idx);
4328 		if (err)
4329 			goto out;
4330 	} else if (key.p.mode == NL80211_KEY_SET_TX &&
4331 		   wiphy_ext_feature_isset(&rdev->wiphy,
4332 					   NL80211_EXT_FEATURE_EXT_KEY_ID)) {
4333 		u8 *mac_addr = NULL;
4334 
4335 		if (info->attrs[NL80211_ATTR_MAC])
4336 			mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4337 
4338 		if (!mac_addr || key.idx < 0 || key.idx > 1) {
4339 			err = -EINVAL;
4340 			goto out;
4341 		}
4342 
4343 		err = rdev_add_key(rdev, dev, key.idx,
4344 				   NL80211_KEYTYPE_PAIRWISE,
4345 				   mac_addr, &key.p);
4346 	} else {
4347 		err = -EINVAL;
4348 	}
4349  out:
4350 	wdev_unlock(dev->ieee80211_ptr);
4351 
4352 	return err;
4353 }
4354 
nl80211_new_key(struct sk_buff * skb,struct genl_info * info)4355 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
4356 {
4357 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4358 	int err;
4359 	struct net_device *dev = info->user_ptr[1];
4360 	struct key_parse key;
4361 	const u8 *mac_addr = NULL;
4362 
4363 	err = nl80211_parse_key(info, &key);
4364 	if (err)
4365 		return err;
4366 
4367 	if (!key.p.key) {
4368 		GENL_SET_ERR_MSG(info, "no key");
4369 		return -EINVAL;
4370 	}
4371 
4372 	if (info->attrs[NL80211_ATTR_MAC])
4373 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4374 
4375 	if (key.type == -1) {
4376 		if (mac_addr)
4377 			key.type = NL80211_KEYTYPE_PAIRWISE;
4378 		else
4379 			key.type = NL80211_KEYTYPE_GROUP;
4380 	}
4381 
4382 	/* for now */
4383 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4384 	    key.type != NL80211_KEYTYPE_GROUP) {
4385 		GENL_SET_ERR_MSG(info, "key type not pairwise or group");
4386 		return -EINVAL;
4387 	}
4388 
4389 	if (key.type == NL80211_KEYTYPE_GROUP &&
4390 	    info->attrs[NL80211_ATTR_VLAN_ID])
4391 		key.p.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
4392 
4393 	if (!rdev->ops->add_key)
4394 		return -EOPNOTSUPP;
4395 
4396 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
4397 					   key.type == NL80211_KEYTYPE_PAIRWISE,
4398 					   mac_addr)) {
4399 		GENL_SET_ERR_MSG(info, "key setting validation failed");
4400 		return -EINVAL;
4401 	}
4402 
4403 	wdev_lock(dev->ieee80211_ptr);
4404 	err = nl80211_key_allowed(dev->ieee80211_ptr);
4405 	if (err)
4406 		GENL_SET_ERR_MSG(info, "key not allowed");
4407 	if (!err) {
4408 		err = rdev_add_key(rdev, dev, key.idx,
4409 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4410 				    mac_addr, &key.p);
4411 		if (err)
4412 			GENL_SET_ERR_MSG(info, "key addition failed");
4413 	}
4414 	wdev_unlock(dev->ieee80211_ptr);
4415 
4416 	return err;
4417 }
4418 
nl80211_del_key(struct sk_buff * skb,struct genl_info * info)4419 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
4420 {
4421 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4422 	int err;
4423 	struct net_device *dev = info->user_ptr[1];
4424 	u8 *mac_addr = NULL;
4425 	struct key_parse key;
4426 
4427 	err = nl80211_parse_key(info, &key);
4428 	if (err)
4429 		return err;
4430 
4431 	if (info->attrs[NL80211_ATTR_MAC])
4432 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4433 
4434 	if (key.type == -1) {
4435 		if (mac_addr)
4436 			key.type = NL80211_KEYTYPE_PAIRWISE;
4437 		else
4438 			key.type = NL80211_KEYTYPE_GROUP;
4439 	}
4440 
4441 	/* for now */
4442 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4443 	    key.type != NL80211_KEYTYPE_GROUP)
4444 		return -EINVAL;
4445 
4446 	if (!cfg80211_valid_key_idx(rdev, key.idx,
4447 				    key.type == NL80211_KEYTYPE_PAIRWISE))
4448 		return -EINVAL;
4449 
4450 	if (!rdev->ops->del_key)
4451 		return -EOPNOTSUPP;
4452 
4453 	wdev_lock(dev->ieee80211_ptr);
4454 	err = nl80211_key_allowed(dev->ieee80211_ptr);
4455 
4456 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
4457 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4458 		err = -ENOENT;
4459 
4460 	if (!err)
4461 		err = rdev_del_key(rdev, dev, key.idx,
4462 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4463 				   mac_addr);
4464 
4465 #ifdef CONFIG_CFG80211_WEXT
4466 	if (!err) {
4467 		if (key.idx == dev->ieee80211_ptr->wext.default_key)
4468 			dev->ieee80211_ptr->wext.default_key = -1;
4469 		else if (key.idx == dev->ieee80211_ptr->wext.default_mgmt_key)
4470 			dev->ieee80211_ptr->wext.default_mgmt_key = -1;
4471 	}
4472 #endif
4473 	wdev_unlock(dev->ieee80211_ptr);
4474 
4475 	return err;
4476 }
4477 
4478 /* This function returns an error or the number of nested attributes */
validate_acl_mac_addrs(struct nlattr * nl_attr)4479 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
4480 {
4481 	struct nlattr *attr;
4482 	int n_entries = 0, tmp;
4483 
4484 	nla_for_each_nested(attr, nl_attr, tmp) {
4485 		if (nla_len(attr) != ETH_ALEN)
4486 			return -EINVAL;
4487 
4488 		n_entries++;
4489 	}
4490 
4491 	return n_entries;
4492 }
4493 
4494 /*
4495  * This function parses ACL information and allocates memory for ACL data.
4496  * On successful return, the calling function is responsible to free the
4497  * ACL buffer returned by this function.
4498  */
parse_acl_data(struct wiphy * wiphy,struct genl_info * info)4499 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
4500 						struct genl_info *info)
4501 {
4502 	enum nl80211_acl_policy acl_policy;
4503 	struct nlattr *attr;
4504 	struct cfg80211_acl_data *acl;
4505 	int i = 0, n_entries, tmp;
4506 
4507 	if (!wiphy->max_acl_mac_addrs)
4508 		return ERR_PTR(-EOPNOTSUPP);
4509 
4510 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
4511 		return ERR_PTR(-EINVAL);
4512 
4513 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
4514 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
4515 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
4516 		return ERR_PTR(-EINVAL);
4517 
4518 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
4519 		return ERR_PTR(-EINVAL);
4520 
4521 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
4522 	if (n_entries < 0)
4523 		return ERR_PTR(n_entries);
4524 
4525 	if (n_entries > wiphy->max_acl_mac_addrs)
4526 		return ERR_PTR(-ENOTSUPP);
4527 
4528 	acl = kzalloc(struct_size(acl, mac_addrs, n_entries), GFP_KERNEL);
4529 	if (!acl)
4530 		return ERR_PTR(-ENOMEM);
4531 
4532 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
4533 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
4534 		i++;
4535 	}
4536 
4537 	acl->n_acl_entries = n_entries;
4538 	acl->acl_policy = acl_policy;
4539 
4540 	return acl;
4541 }
4542 
nl80211_set_mac_acl(struct sk_buff * skb,struct genl_info * info)4543 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
4544 {
4545 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4546 	struct net_device *dev = info->user_ptr[1];
4547 	struct cfg80211_acl_data *acl;
4548 	int err;
4549 
4550 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4551 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4552 		return -EOPNOTSUPP;
4553 
4554 	if (!dev->ieee80211_ptr->beacon_interval)
4555 		return -EINVAL;
4556 
4557 	acl = parse_acl_data(&rdev->wiphy, info);
4558 	if (IS_ERR(acl))
4559 		return PTR_ERR(acl);
4560 
4561 	err = rdev_set_mac_acl(rdev, dev, acl);
4562 
4563 	kfree(acl);
4564 
4565 	return err;
4566 }
4567 
rateset_to_mask(struct ieee80211_supported_band * sband,u8 * rates,u8 rates_len)4568 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
4569 			   u8 *rates, u8 rates_len)
4570 {
4571 	u8 i;
4572 	u32 mask = 0;
4573 
4574 	for (i = 0; i < rates_len; i++) {
4575 		int rate = (rates[i] & 0x7f) * 5;
4576 		int ridx;
4577 
4578 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
4579 			struct ieee80211_rate *srate =
4580 				&sband->bitrates[ridx];
4581 			if (rate == srate->bitrate) {
4582 				mask |= 1 << ridx;
4583 				break;
4584 			}
4585 		}
4586 		if (ridx == sband->n_bitrates)
4587 			return 0; /* rate not found */
4588 	}
4589 
4590 	return mask;
4591 }
4592 
ht_rateset_to_mask(struct ieee80211_supported_band * sband,u8 * rates,u8 rates_len,u8 mcs[IEEE80211_HT_MCS_MASK_LEN])4593 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
4594 			       u8 *rates, u8 rates_len,
4595 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
4596 {
4597 	u8 i;
4598 
4599 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
4600 
4601 	for (i = 0; i < rates_len; i++) {
4602 		int ridx, rbit;
4603 
4604 		ridx = rates[i] / 8;
4605 		rbit = BIT(rates[i] % 8);
4606 
4607 		/* check validity */
4608 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
4609 			return false;
4610 
4611 		/* check availability */
4612 		ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
4613 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
4614 			mcs[ridx] |= rbit;
4615 		else
4616 			return false;
4617 	}
4618 
4619 	return true;
4620 }
4621 
vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)4622 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
4623 {
4624 	u16 mcs_mask = 0;
4625 
4626 	switch (vht_mcs_map) {
4627 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
4628 		break;
4629 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
4630 		mcs_mask = 0x00FF;
4631 		break;
4632 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
4633 		mcs_mask = 0x01FF;
4634 		break;
4635 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
4636 		mcs_mask = 0x03FF;
4637 		break;
4638 	default:
4639 		break;
4640 	}
4641 
4642 	return mcs_mask;
4643 }
4644 
vht_build_mcs_mask(u16 vht_mcs_map,u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])4645 static void vht_build_mcs_mask(u16 vht_mcs_map,
4646 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
4647 {
4648 	u8 nss;
4649 
4650 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
4651 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
4652 		vht_mcs_map >>= 2;
4653 	}
4654 }
4655 
vht_set_mcs_mask(struct ieee80211_supported_band * sband,struct nl80211_txrate_vht * txrate,u16 mcs[NL80211_VHT_NSS_MAX])4656 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
4657 			     struct nl80211_txrate_vht *txrate,
4658 			     u16 mcs[NL80211_VHT_NSS_MAX])
4659 {
4660 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
4661 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
4662 	u8 i;
4663 
4664 	if (!sband->vht_cap.vht_supported)
4665 		return false;
4666 
4667 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
4668 
4669 	/* Build vht_mcs_mask from VHT capabilities */
4670 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
4671 
4672 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
4673 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
4674 			mcs[i] = txrate->mcs[i];
4675 		else
4676 			return false;
4677 	}
4678 
4679 	return true;
4680 }
4681 
he_mcs_map_to_mcs_mask(u8 he_mcs_map)4682 static u16 he_mcs_map_to_mcs_mask(u8 he_mcs_map)
4683 {
4684 	switch (he_mcs_map) {
4685 	case IEEE80211_HE_MCS_NOT_SUPPORTED:
4686 		return 0;
4687 	case IEEE80211_HE_MCS_SUPPORT_0_7:
4688 		return 0x00FF;
4689 	case IEEE80211_HE_MCS_SUPPORT_0_9:
4690 		return 0x03FF;
4691 	case IEEE80211_HE_MCS_SUPPORT_0_11:
4692 		return 0xFFF;
4693 	default:
4694 		break;
4695 	}
4696 	return 0;
4697 }
4698 
he_build_mcs_mask(u16 he_mcs_map,u16 he_mcs_mask[NL80211_HE_NSS_MAX])4699 static void he_build_mcs_mask(u16 he_mcs_map,
4700 			      u16 he_mcs_mask[NL80211_HE_NSS_MAX])
4701 {
4702 	u8 nss;
4703 
4704 	for (nss = 0; nss < NL80211_HE_NSS_MAX; nss++) {
4705 		he_mcs_mask[nss] = he_mcs_map_to_mcs_mask(he_mcs_map & 0x03);
4706 		he_mcs_map >>= 2;
4707 	}
4708 }
4709 
he_get_txmcsmap(struct genl_info * info,const struct ieee80211_sta_he_cap * he_cap)4710 static u16 he_get_txmcsmap(struct genl_info *info,
4711 			   const struct ieee80211_sta_he_cap *he_cap)
4712 {
4713 	struct net_device *dev = info->user_ptr[1];
4714 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4715 	__le16	tx_mcs;
4716 
4717 	switch (wdev->chandef.width) {
4718 	case NL80211_CHAN_WIDTH_80P80:
4719 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80p80;
4720 		break;
4721 	case NL80211_CHAN_WIDTH_160:
4722 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_160;
4723 		break;
4724 	default:
4725 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80;
4726 		break;
4727 	}
4728 	return le16_to_cpu(tx_mcs);
4729 }
4730 
he_set_mcs_mask(struct genl_info * info,struct wireless_dev * wdev,struct ieee80211_supported_band * sband,struct nl80211_txrate_he * txrate,u16 mcs[NL80211_HE_NSS_MAX])4731 static bool he_set_mcs_mask(struct genl_info *info,
4732 			    struct wireless_dev *wdev,
4733 			    struct ieee80211_supported_band *sband,
4734 			    struct nl80211_txrate_he *txrate,
4735 			    u16 mcs[NL80211_HE_NSS_MAX])
4736 {
4737 	const struct ieee80211_sta_he_cap *he_cap;
4738 	u16 tx_mcs_mask[NL80211_HE_NSS_MAX] = {};
4739 	u16 tx_mcs_map = 0;
4740 	u8 i;
4741 
4742 	he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
4743 	if (!he_cap)
4744 		return false;
4745 
4746 	memset(mcs, 0, sizeof(u16) * NL80211_HE_NSS_MAX);
4747 
4748 	tx_mcs_map = he_get_txmcsmap(info, he_cap);
4749 
4750 	/* Build he_mcs_mask from HE capabilities */
4751 	he_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
4752 
4753 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
4754 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
4755 			mcs[i] = txrate->mcs[i];
4756 		else
4757 			return false;
4758 	}
4759 
4760 	return true;
4761 }
4762 
nl80211_parse_tx_bitrate_mask(struct genl_info * info,struct nlattr * attrs[],enum nl80211_attrs attr,struct cfg80211_bitrate_mask * mask,struct net_device * dev,bool default_all_enabled)4763 static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
4764 					 struct nlattr *attrs[],
4765 					 enum nl80211_attrs attr,
4766 					 struct cfg80211_bitrate_mask *mask,
4767 					 struct net_device *dev,
4768 					 bool default_all_enabled)
4769 {
4770 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
4771 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4772 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4773 	int rem, i;
4774 	struct nlattr *tx_rates;
4775 	struct ieee80211_supported_band *sband;
4776 	u16 vht_tx_mcs_map, he_tx_mcs_map;
4777 
4778 	memset(mask, 0, sizeof(*mask));
4779 	/* Default to all rates enabled */
4780 	for (i = 0; i < NUM_NL80211_BANDS; i++) {
4781 		const struct ieee80211_sta_he_cap *he_cap;
4782 
4783 		if (!default_all_enabled)
4784 			break;
4785 
4786 		sband = rdev->wiphy.bands[i];
4787 
4788 		if (!sband)
4789 			continue;
4790 
4791 		mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
4792 		memcpy(mask->control[i].ht_mcs,
4793 		       sband->ht_cap.mcs.rx_mask,
4794 		       sizeof(mask->control[i].ht_mcs));
4795 
4796 		if (sband->vht_cap.vht_supported) {
4797 			vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
4798 			vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
4799 		}
4800 
4801 		he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
4802 		if (!he_cap)
4803 			continue;
4804 
4805 		he_tx_mcs_map = he_get_txmcsmap(info, he_cap);
4806 		he_build_mcs_mask(he_tx_mcs_map, mask->control[i].he_mcs);
4807 
4808 		mask->control[i].he_gi = 0xFF;
4809 		mask->control[i].he_ltf = 0xFF;
4810 	}
4811 
4812 	/* if no rates are given set it back to the defaults */
4813 	if (!attrs[attr])
4814 		goto out;
4815 
4816 	/* The nested attribute uses enum nl80211_band as the index. This maps
4817 	 * directly to the enum nl80211_band values used in cfg80211.
4818 	 */
4819 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
4820 	nla_for_each_nested(tx_rates, attrs[attr], rem) {
4821 		enum nl80211_band band = nla_type(tx_rates);
4822 		int err;
4823 
4824 		if (band < 0 || band >= NUM_NL80211_BANDS)
4825 			return -EINVAL;
4826 		sband = rdev->wiphy.bands[band];
4827 		if (sband == NULL)
4828 			return -EINVAL;
4829 		err = nla_parse_nested_deprecated(tb, NL80211_TXRATE_MAX,
4830 						  tx_rates,
4831 						  nl80211_txattr_policy,
4832 						  info->extack);
4833 		if (err)
4834 			return err;
4835 		if (tb[NL80211_TXRATE_LEGACY]) {
4836 			mask->control[band].legacy = rateset_to_mask(
4837 				sband,
4838 				nla_data(tb[NL80211_TXRATE_LEGACY]),
4839 				nla_len(tb[NL80211_TXRATE_LEGACY]));
4840 			if ((mask->control[band].legacy == 0) &&
4841 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
4842 				return -EINVAL;
4843 		}
4844 		if (tb[NL80211_TXRATE_HT]) {
4845 			if (!ht_rateset_to_mask(
4846 					sband,
4847 					nla_data(tb[NL80211_TXRATE_HT]),
4848 					nla_len(tb[NL80211_TXRATE_HT]),
4849 					mask->control[band].ht_mcs))
4850 				return -EINVAL;
4851 		}
4852 
4853 		if (tb[NL80211_TXRATE_VHT]) {
4854 			if (!vht_set_mcs_mask(
4855 					sband,
4856 					nla_data(tb[NL80211_TXRATE_VHT]),
4857 					mask->control[band].vht_mcs))
4858 				return -EINVAL;
4859 		}
4860 
4861 		if (tb[NL80211_TXRATE_GI]) {
4862 			mask->control[band].gi =
4863 				nla_get_u8(tb[NL80211_TXRATE_GI]);
4864 			if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
4865 				return -EINVAL;
4866 		}
4867 		if (tb[NL80211_TXRATE_HE] &&
4868 		    !he_set_mcs_mask(info, wdev, sband,
4869 				     nla_data(tb[NL80211_TXRATE_HE]),
4870 				     mask->control[band].he_mcs))
4871 			return -EINVAL;
4872 
4873 		if (tb[NL80211_TXRATE_HE_GI])
4874 			mask->control[band].he_gi =
4875 				nla_get_u8(tb[NL80211_TXRATE_HE_GI]);
4876 		if (tb[NL80211_TXRATE_HE_LTF])
4877 			mask->control[band].he_ltf =
4878 				nla_get_u8(tb[NL80211_TXRATE_HE_LTF]);
4879 
4880 		if (mask->control[band].legacy == 0) {
4881 			/* don't allow empty legacy rates if HT, VHT or HE
4882 			 * are not even supported.
4883 			 */
4884 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
4885 			      rdev->wiphy.bands[band]->vht_cap.vht_supported ||
4886 			      ieee80211_get_he_iftype_cap(sband, wdev->iftype)))
4887 				return -EINVAL;
4888 
4889 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
4890 				if (mask->control[band].ht_mcs[i])
4891 					goto out;
4892 
4893 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
4894 				if (mask->control[band].vht_mcs[i])
4895 					goto out;
4896 
4897 			for (i = 0; i < NL80211_HE_NSS_MAX; i++)
4898 				if (mask->control[band].he_mcs[i])
4899 					goto out;
4900 
4901 			/* legacy and mcs rates may not be both empty */
4902 			return -EINVAL;
4903 		}
4904 	}
4905 
4906 out:
4907 	return 0;
4908 }
4909 
validate_beacon_tx_rate(struct cfg80211_registered_device * rdev,enum nl80211_band band,struct cfg80211_bitrate_mask * beacon_rate)4910 static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
4911 				   enum nl80211_band band,
4912 				   struct cfg80211_bitrate_mask *beacon_rate)
4913 {
4914 	u32 count_ht, count_vht, count_he, i;
4915 	u32 rate = beacon_rate->control[band].legacy;
4916 
4917 	/* Allow only one rate */
4918 	if (hweight32(rate) > 1)
4919 		return -EINVAL;
4920 
4921 	count_ht = 0;
4922 	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
4923 		if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
4924 			return -EINVAL;
4925 		} else if (beacon_rate->control[band].ht_mcs[i]) {
4926 			count_ht++;
4927 			if (count_ht > 1)
4928 				return -EINVAL;
4929 		}
4930 		if (count_ht && rate)
4931 			return -EINVAL;
4932 	}
4933 
4934 	count_vht = 0;
4935 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
4936 		if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
4937 			return -EINVAL;
4938 		} else if (beacon_rate->control[band].vht_mcs[i]) {
4939 			count_vht++;
4940 			if (count_vht > 1)
4941 				return -EINVAL;
4942 		}
4943 		if (count_vht && rate)
4944 			return -EINVAL;
4945 	}
4946 
4947 	count_he = 0;
4948 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
4949 		if (hweight16(beacon_rate->control[band].he_mcs[i]) > 1) {
4950 			return -EINVAL;
4951 		} else if (beacon_rate->control[band].he_mcs[i]) {
4952 			count_he++;
4953 			if (count_he > 1)
4954 				return -EINVAL;
4955 		}
4956 		if (count_he && rate)
4957 			return -EINVAL;
4958 	}
4959 
4960 	if ((count_ht && count_vht && count_he) ||
4961 	    (!rate && !count_ht && !count_vht && !count_he))
4962 		return -EINVAL;
4963 
4964 	if (rate &&
4965 	    !wiphy_ext_feature_isset(&rdev->wiphy,
4966 				     NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
4967 		return -EINVAL;
4968 	if (count_ht &&
4969 	    !wiphy_ext_feature_isset(&rdev->wiphy,
4970 				     NL80211_EXT_FEATURE_BEACON_RATE_HT))
4971 		return -EINVAL;
4972 	if (count_vht &&
4973 	    !wiphy_ext_feature_isset(&rdev->wiphy,
4974 				     NL80211_EXT_FEATURE_BEACON_RATE_VHT))
4975 		return -EINVAL;
4976 	if (count_he &&
4977 	    !wiphy_ext_feature_isset(&rdev->wiphy,
4978 				     NL80211_EXT_FEATURE_BEACON_RATE_HE))
4979 		return -EINVAL;
4980 
4981 	return 0;
4982 }
4983 
nl80211_parse_beacon(struct cfg80211_registered_device * rdev,struct nlattr * attrs[],struct cfg80211_beacon_data * bcn)4984 static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
4985 				struct nlattr *attrs[],
4986 				struct cfg80211_beacon_data *bcn)
4987 {
4988 	bool haveinfo = false;
4989 	int err;
4990 
4991 	memset(bcn, 0, sizeof(*bcn));
4992 
4993 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
4994 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
4995 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
4996 		if (!bcn->head_len)
4997 			return -EINVAL;
4998 		haveinfo = true;
4999 	}
5000 
5001 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
5002 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
5003 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
5004 		haveinfo = true;
5005 	}
5006 
5007 	if (!haveinfo)
5008 		return -EINVAL;
5009 
5010 	if (attrs[NL80211_ATTR_IE]) {
5011 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
5012 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
5013 	}
5014 
5015 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
5016 		bcn->proberesp_ies =
5017 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5018 		bcn->proberesp_ies_len =
5019 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5020 	}
5021 
5022 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
5023 		bcn->assocresp_ies =
5024 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5025 		bcn->assocresp_ies_len =
5026 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5027 	}
5028 
5029 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
5030 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
5031 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
5032 	}
5033 
5034 	if (attrs[NL80211_ATTR_FTM_RESPONDER]) {
5035 		struct nlattr *tb[NL80211_FTM_RESP_ATTR_MAX + 1];
5036 
5037 		err = nla_parse_nested_deprecated(tb,
5038 						  NL80211_FTM_RESP_ATTR_MAX,
5039 						  attrs[NL80211_ATTR_FTM_RESPONDER],
5040 						  NULL, NULL);
5041 		if (err)
5042 			return err;
5043 
5044 		if (tb[NL80211_FTM_RESP_ATTR_ENABLED] &&
5045 		    wiphy_ext_feature_isset(&rdev->wiphy,
5046 					    NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER))
5047 			bcn->ftm_responder = 1;
5048 		else
5049 			return -EOPNOTSUPP;
5050 
5051 		if (tb[NL80211_FTM_RESP_ATTR_LCI]) {
5052 			bcn->lci = nla_data(tb[NL80211_FTM_RESP_ATTR_LCI]);
5053 			bcn->lci_len = nla_len(tb[NL80211_FTM_RESP_ATTR_LCI]);
5054 		}
5055 
5056 		if (tb[NL80211_FTM_RESP_ATTR_CIVICLOC]) {
5057 			bcn->civicloc = nla_data(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5058 			bcn->civicloc_len = nla_len(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5059 		}
5060 	} else {
5061 		bcn->ftm_responder = -1;
5062 	}
5063 
5064 	return 0;
5065 }
5066 
nl80211_parse_he_obss_pd(struct nlattr * attrs,struct ieee80211_he_obss_pd * he_obss_pd)5067 static int nl80211_parse_he_obss_pd(struct nlattr *attrs,
5068 				    struct ieee80211_he_obss_pd *he_obss_pd)
5069 {
5070 	struct nlattr *tb[NL80211_HE_OBSS_PD_ATTR_MAX + 1];
5071 	int err;
5072 
5073 	err = nla_parse_nested(tb, NL80211_HE_OBSS_PD_ATTR_MAX, attrs,
5074 			       he_obss_pd_policy, NULL);
5075 	if (err)
5076 		return err;
5077 
5078 	if (!tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL])
5079 		return -EINVAL;
5080 
5081 	he_obss_pd->sr_ctrl = nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL]);
5082 
5083 	if (tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET])
5084 		he_obss_pd->min_offset =
5085 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]);
5086 	if (tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET])
5087 		he_obss_pd->max_offset =
5088 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]);
5089 	if (tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET])
5090 		he_obss_pd->non_srg_max_offset =
5091 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET]);
5092 
5093 	if (he_obss_pd->min_offset > he_obss_pd->max_offset)
5094 		return -EINVAL;
5095 
5096 	if (tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP])
5097 		memcpy(he_obss_pd->bss_color_bitmap,
5098 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP]),
5099 		       sizeof(he_obss_pd->bss_color_bitmap));
5100 
5101 	if (tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP])
5102 		memcpy(he_obss_pd->partial_bssid_bitmap,
5103 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP]),
5104 		       sizeof(he_obss_pd->partial_bssid_bitmap));
5105 
5106 	he_obss_pd->enable = true;
5107 
5108 	return 0;
5109 }
5110 
nl80211_parse_he_bss_color(struct nlattr * attrs,struct cfg80211_he_bss_color * he_bss_color)5111 static int nl80211_parse_he_bss_color(struct nlattr *attrs,
5112 				      struct cfg80211_he_bss_color *he_bss_color)
5113 {
5114 	struct nlattr *tb[NL80211_HE_BSS_COLOR_ATTR_MAX + 1];
5115 	int err;
5116 
5117 	err = nla_parse_nested(tb, NL80211_HE_BSS_COLOR_ATTR_MAX, attrs,
5118 			       he_bss_color_policy, NULL);
5119 	if (err)
5120 		return err;
5121 
5122 	if (!tb[NL80211_HE_BSS_COLOR_ATTR_COLOR])
5123 		return -EINVAL;
5124 
5125 	he_bss_color->color =
5126 		nla_get_u8(tb[NL80211_HE_BSS_COLOR_ATTR_COLOR]);
5127 	he_bss_color->enabled =
5128 		!nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_DISABLED]);
5129 	he_bss_color->partial =
5130 		nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_PARTIAL]);
5131 
5132 	return 0;
5133 }
5134 
nl80211_parse_fils_discovery(struct cfg80211_registered_device * rdev,struct nlattr * attrs,struct cfg80211_ap_settings * params)5135 static int nl80211_parse_fils_discovery(struct cfg80211_registered_device *rdev,
5136 					struct nlattr *attrs,
5137 					struct cfg80211_ap_settings *params)
5138 {
5139 	struct nlattr *tb[NL80211_FILS_DISCOVERY_ATTR_MAX + 1];
5140 	int ret;
5141 	struct cfg80211_fils_discovery *fd = &params->fils_discovery;
5142 
5143 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5144 				     NL80211_EXT_FEATURE_FILS_DISCOVERY))
5145 		return -EINVAL;
5146 
5147 	ret = nla_parse_nested(tb, NL80211_FILS_DISCOVERY_ATTR_MAX, attrs,
5148 			       NULL, NULL);
5149 	if (ret)
5150 		return ret;
5151 
5152 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] ||
5153 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] ||
5154 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL])
5155 		return -EINVAL;
5156 
5157 	fd->tmpl_len = nla_len(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5158 	fd->tmpl = nla_data(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5159 	fd->min_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN]);
5160 	fd->max_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX]);
5161 
5162 	return 0;
5163 }
5164 
5165 static int
nl80211_parse_unsol_bcast_probe_resp(struct cfg80211_registered_device * rdev,struct nlattr * attrs,struct cfg80211_ap_settings * params)5166 nl80211_parse_unsol_bcast_probe_resp(struct cfg80211_registered_device *rdev,
5167 				     struct nlattr *attrs,
5168 				     struct cfg80211_ap_settings *params)
5169 {
5170 	struct nlattr *tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1];
5171 	int ret;
5172 	struct cfg80211_unsol_bcast_probe_resp *presp =
5173 					&params->unsol_bcast_probe_resp;
5174 
5175 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5176 				     NL80211_EXT_FEATURE_UNSOL_BCAST_PROBE_RESP))
5177 		return -EINVAL;
5178 
5179 	ret = nla_parse_nested(tb, NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX,
5180 			       attrs, NULL, NULL);
5181 	if (ret)
5182 		return ret;
5183 
5184 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] ||
5185 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL])
5186 		return -EINVAL;
5187 
5188 	presp->tmpl = nla_data(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5189 	presp->tmpl_len = nla_len(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5190 	presp->interval = nla_get_u32(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT]);
5191 	return 0;
5192 }
5193 
nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings * params,const u8 * rates)5194 static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
5195 					    const u8 *rates)
5196 {
5197 	int i;
5198 
5199 	if (!rates)
5200 		return;
5201 
5202 	for (i = 0; i < rates[1]; i++) {
5203 		if (rates[2 + i] == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
5204 			params->ht_required = true;
5205 		if (rates[2 + i] == BSS_MEMBERSHIP_SELECTOR_VHT_PHY)
5206 			params->vht_required = true;
5207 		if (rates[2 + i] == BSS_MEMBERSHIP_SELECTOR_HE_PHY)
5208 			params->he_required = true;
5209 		if (rates[2 + i] == BSS_MEMBERSHIP_SELECTOR_SAE_H2E)
5210 			params->sae_h2e_required = true;
5211 	}
5212 }
5213 
5214 /*
5215  * Since the nl80211 API didn't include, from the beginning, attributes about
5216  * HT/VHT requirements/capabilities, we parse them out of the IEs for the
5217  * benefit of drivers that rebuild IEs in the firmware.
5218  */
nl80211_calculate_ap_params(struct cfg80211_ap_settings * params)5219 static void nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
5220 {
5221 	const struct cfg80211_beacon_data *bcn = &params->beacon;
5222 	size_t ies_len = bcn->tail_len;
5223 	const u8 *ies = bcn->tail;
5224 	const u8 *rates;
5225 	const u8 *cap;
5226 
5227 	rates = cfg80211_find_ie(WLAN_EID_SUPP_RATES, ies, ies_len);
5228 	nl80211_check_ap_rate_selectors(params, rates);
5229 
5230 	rates = cfg80211_find_ie(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
5231 	nl80211_check_ap_rate_selectors(params, rates);
5232 
5233 	cap = cfg80211_find_ie(WLAN_EID_HT_CAPABILITY, ies, ies_len);
5234 	if (cap && cap[1] >= sizeof(*params->ht_cap))
5235 		params->ht_cap = (void *)(cap + 2);
5236 	cap = cfg80211_find_ie(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
5237 	if (cap && cap[1] >= sizeof(*params->vht_cap))
5238 		params->vht_cap = (void *)(cap + 2);
5239 	cap = cfg80211_find_ext_ie(WLAN_EID_EXT_HE_CAPABILITY, ies, ies_len);
5240 	if (cap && cap[1] >= sizeof(*params->he_cap) + 1)
5241 		params->he_cap = (void *)(cap + 3);
5242 	cap = cfg80211_find_ext_ie(WLAN_EID_EXT_HE_OPERATION, ies, ies_len);
5243 	if (cap && cap[1] >= sizeof(*params->he_oper) + 1)
5244 		params->he_oper = (void *)(cap + 3);
5245 }
5246 
nl80211_get_ap_channel(struct cfg80211_registered_device * rdev,struct cfg80211_ap_settings * params)5247 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
5248 				   struct cfg80211_ap_settings *params)
5249 {
5250 	struct wireless_dev *wdev;
5251 	bool ret = false;
5252 
5253 	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
5254 		if (wdev->iftype != NL80211_IFTYPE_AP &&
5255 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
5256 			continue;
5257 
5258 		if (!wdev->preset_chandef.chan)
5259 			continue;
5260 
5261 		params->chandef = wdev->preset_chandef;
5262 		ret = true;
5263 		break;
5264 	}
5265 
5266 	return ret;
5267 }
5268 
nl80211_valid_auth_type(struct cfg80211_registered_device * rdev,enum nl80211_auth_type auth_type,enum nl80211_commands cmd)5269 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
5270 				    enum nl80211_auth_type auth_type,
5271 				    enum nl80211_commands cmd)
5272 {
5273 	if (auth_type > NL80211_AUTHTYPE_MAX)
5274 		return false;
5275 
5276 	switch (cmd) {
5277 	case NL80211_CMD_AUTHENTICATE:
5278 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5279 		    auth_type == NL80211_AUTHTYPE_SAE)
5280 			return false;
5281 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
5282 					     NL80211_EXT_FEATURE_FILS_STA) &&
5283 		    (auth_type == NL80211_AUTHTYPE_FILS_SK ||
5284 		     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5285 		     auth_type == NL80211_AUTHTYPE_FILS_PK))
5286 			return false;
5287 		return true;
5288 	case NL80211_CMD_CONNECT:
5289 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5290 		    !wiphy_ext_feature_isset(&rdev->wiphy,
5291 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
5292 		    auth_type == NL80211_AUTHTYPE_SAE)
5293 			return false;
5294 
5295 		/* FILS with SK PFS or PK not supported yet */
5296 		if (auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5297 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
5298 			return false;
5299 		if (!wiphy_ext_feature_isset(
5300 			    &rdev->wiphy,
5301 			    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
5302 		    auth_type == NL80211_AUTHTYPE_FILS_SK)
5303 			return false;
5304 		return true;
5305 	case NL80211_CMD_START_AP:
5306 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
5307 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP) &&
5308 		    auth_type == NL80211_AUTHTYPE_SAE)
5309 			return false;
5310 		/* FILS not supported yet */
5311 		if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
5312 		    auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5313 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
5314 			return false;
5315 		return true;
5316 	default:
5317 		return false;
5318 	}
5319 }
5320 
nl80211_start_ap(struct sk_buff * skb,struct genl_info * info)5321 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
5322 {
5323 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5324 	struct net_device *dev = info->user_ptr[1];
5325 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5326 	struct cfg80211_ap_settings params;
5327 	int err;
5328 
5329 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5330 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5331 		return -EOPNOTSUPP;
5332 
5333 	if (!rdev->ops->start_ap)
5334 		return -EOPNOTSUPP;
5335 
5336 	if (wdev->beacon_interval)
5337 		return -EALREADY;
5338 
5339 	memset(&params, 0, sizeof(params));
5340 
5341 	/* these are required for START_AP */
5342 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
5343 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
5344 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
5345 		return -EINVAL;
5346 
5347 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon);
5348 	if (err)
5349 		return err;
5350 
5351 	params.beacon_interval =
5352 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
5353 	params.dtim_period =
5354 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
5355 
5356 	err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
5357 					   params.beacon_interval);
5358 	if (err)
5359 		return err;
5360 
5361 	/*
5362 	 * In theory, some of these attributes should be required here
5363 	 * but since they were not used when the command was originally
5364 	 * added, keep them optional for old user space programs to let
5365 	 * them continue to work with drivers that do not need the
5366 	 * additional information -- drivers must check!
5367 	 */
5368 	if (info->attrs[NL80211_ATTR_SSID]) {
5369 		params.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
5370 		params.ssid_len =
5371 			nla_len(info->attrs[NL80211_ATTR_SSID]);
5372 		if (params.ssid_len == 0)
5373 			return -EINVAL;
5374 	}
5375 
5376 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID])
5377 		params.hidden_ssid = nla_get_u32(
5378 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
5379 
5380 	params.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
5381 
5382 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
5383 		params.auth_type = nla_get_u32(
5384 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
5385 		if (!nl80211_valid_auth_type(rdev, params.auth_type,
5386 					     NL80211_CMD_START_AP))
5387 			return -EINVAL;
5388 	} else
5389 		params.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
5390 
5391 	err = nl80211_crypto_settings(rdev, info, &params.crypto,
5392 				      NL80211_MAX_NR_CIPHER_SUITES);
5393 	if (err)
5394 		return err;
5395 
5396 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
5397 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER))
5398 			return -EOPNOTSUPP;
5399 		params.inactivity_timeout = nla_get_u16(
5400 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
5401 	}
5402 
5403 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
5404 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5405 			return -EINVAL;
5406 		params.p2p_ctwindow =
5407 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
5408 		if (params.p2p_ctwindow != 0 &&
5409 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
5410 			return -EINVAL;
5411 	}
5412 
5413 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
5414 		u8 tmp;
5415 
5416 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5417 			return -EINVAL;
5418 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
5419 		params.p2p_opp_ps = tmp;
5420 		if (params.p2p_opp_ps != 0 &&
5421 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
5422 			return -EINVAL;
5423 	}
5424 
5425 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
5426 		err = nl80211_parse_chandef(rdev, info, &params.chandef);
5427 		if (err)
5428 			return err;
5429 	} else if (wdev->preset_chandef.chan) {
5430 		params.chandef = wdev->preset_chandef;
5431 	} else if (!nl80211_get_ap_channel(rdev, &params))
5432 		return -EINVAL;
5433 
5434 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
5435 					   wdev->iftype))
5436 		return -EINVAL;
5437 
5438 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
5439 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
5440 						    NL80211_ATTR_TX_RATES,
5441 						    &params.beacon_rate,
5442 						    dev, false);
5443 		if (err)
5444 			return err;
5445 
5446 		err = validate_beacon_tx_rate(rdev, params.chandef.chan->band,
5447 					      &params.beacon_rate);
5448 		if (err)
5449 			return err;
5450 	}
5451 
5452 	if (info->attrs[NL80211_ATTR_SMPS_MODE]) {
5453 		params.smps_mode =
5454 			nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]);
5455 		switch (params.smps_mode) {
5456 		case NL80211_SMPS_OFF:
5457 			break;
5458 		case NL80211_SMPS_STATIC:
5459 			if (!(rdev->wiphy.features &
5460 			      NL80211_FEATURE_STATIC_SMPS))
5461 				return -EINVAL;
5462 			break;
5463 		case NL80211_SMPS_DYNAMIC:
5464 			if (!(rdev->wiphy.features &
5465 			      NL80211_FEATURE_DYNAMIC_SMPS))
5466 				return -EINVAL;
5467 			break;
5468 		default:
5469 			return -EINVAL;
5470 		}
5471 	} else {
5472 		params.smps_mode = NL80211_SMPS_OFF;
5473 	}
5474 
5475 	params.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
5476 	if (params.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ])
5477 		return -EOPNOTSUPP;
5478 
5479 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
5480 		params.acl = parse_acl_data(&rdev->wiphy, info);
5481 		if (IS_ERR(params.acl))
5482 			return PTR_ERR(params.acl);
5483 	}
5484 
5485 	params.twt_responder =
5486 		    nla_get_flag(info->attrs[NL80211_ATTR_TWT_RESPONDER]);
5487 
5488 	if (info->attrs[NL80211_ATTR_HE_OBSS_PD]) {
5489 		err = nl80211_parse_he_obss_pd(
5490 					info->attrs[NL80211_ATTR_HE_OBSS_PD],
5491 					&params.he_obss_pd);
5492 		if (err)
5493 			goto out;
5494 	}
5495 
5496 	if (info->attrs[NL80211_ATTR_HE_BSS_COLOR]) {
5497 		err = nl80211_parse_he_bss_color(
5498 					info->attrs[NL80211_ATTR_HE_BSS_COLOR],
5499 					&params.he_bss_color);
5500 		if (err)
5501 			goto out;
5502 	}
5503 
5504 	if (info->attrs[NL80211_ATTR_FILS_DISCOVERY]) {
5505 		err = nl80211_parse_fils_discovery(rdev,
5506 						   info->attrs[NL80211_ATTR_FILS_DISCOVERY],
5507 						   &params);
5508 		if (err)
5509 			goto out;
5510 	}
5511 
5512 	if (info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
5513 		err = nl80211_parse_unsol_bcast_probe_resp(
5514 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
5515 			&params);
5516 		if (err)
5517 			goto out;
5518 	}
5519 
5520 	nl80211_calculate_ap_params(&params);
5521 
5522 	if (info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])
5523 		params.flags |= AP_SETTINGS_EXTERNAL_AUTH_SUPPORT;
5524 
5525 	wdev_lock(wdev);
5526 	err = rdev_start_ap(rdev, dev, &params);
5527 	if (!err) {
5528 		wdev->preset_chandef = params.chandef;
5529 		wdev->beacon_interval = params.beacon_interval;
5530 		wdev->chandef = params.chandef;
5531 		wdev->ssid_len = params.ssid_len;
5532 		memcpy(wdev->ssid, params.ssid, wdev->ssid_len);
5533 
5534 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
5535 			wdev->conn_owner_nlportid = info->snd_portid;
5536 	}
5537 	wdev_unlock(wdev);
5538 
5539 out:
5540 	kfree(params.acl);
5541 
5542 	return err;
5543 }
5544 
nl80211_set_beacon(struct sk_buff * skb,struct genl_info * info)5545 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
5546 {
5547 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5548 	struct net_device *dev = info->user_ptr[1];
5549 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5550 	struct cfg80211_beacon_data params;
5551 	int err;
5552 
5553 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5554 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5555 		return -EOPNOTSUPP;
5556 
5557 	if (!rdev->ops->change_beacon)
5558 		return -EOPNOTSUPP;
5559 
5560 	if (!wdev->beacon_interval)
5561 		return -EINVAL;
5562 
5563 	err = nl80211_parse_beacon(rdev, info->attrs, &params);
5564 	if (err)
5565 		return err;
5566 
5567 	wdev_lock(wdev);
5568 	err = rdev_change_beacon(rdev, dev, &params);
5569 	wdev_unlock(wdev);
5570 
5571 	return err;
5572 }
5573 
nl80211_stop_ap(struct sk_buff * skb,struct genl_info * info)5574 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
5575 {
5576 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5577 	struct net_device *dev = info->user_ptr[1];
5578 
5579 	return cfg80211_stop_ap(rdev, dev, false);
5580 }
5581 
5582 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
5583 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
5584 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
5585 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
5586 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
5587 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
5588 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
5589 };
5590 
parse_station_flags(struct genl_info * info,enum nl80211_iftype iftype,struct station_parameters * params)5591 static int parse_station_flags(struct genl_info *info,
5592 			       enum nl80211_iftype iftype,
5593 			       struct station_parameters *params)
5594 {
5595 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
5596 	struct nlattr *nla;
5597 	int flag;
5598 
5599 	/*
5600 	 * Try parsing the new attribute first so userspace
5601 	 * can specify both for older kernels.
5602 	 */
5603 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
5604 	if (nla) {
5605 		struct nl80211_sta_flag_update *sta_flags;
5606 
5607 		sta_flags = nla_data(nla);
5608 		params->sta_flags_mask = sta_flags->mask;
5609 		params->sta_flags_set = sta_flags->set;
5610 		params->sta_flags_set &= params->sta_flags_mask;
5611 		if ((params->sta_flags_mask |
5612 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
5613 			return -EINVAL;
5614 		return 0;
5615 	}
5616 
5617 	/* if present, parse the old attribute */
5618 
5619 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
5620 	if (!nla)
5621 		return 0;
5622 
5623 	if (nla_parse_nested_deprecated(flags, NL80211_STA_FLAG_MAX, nla, sta_flags_policy, info->extack))
5624 		return -EINVAL;
5625 
5626 	/*
5627 	 * Only allow certain flags for interface types so that
5628 	 * other attributes are silently ignored. Remember that
5629 	 * this is backward compatibility code with old userspace
5630 	 * and shouldn't be hit in other cases anyway.
5631 	 */
5632 	switch (iftype) {
5633 	case NL80211_IFTYPE_AP:
5634 	case NL80211_IFTYPE_AP_VLAN:
5635 	case NL80211_IFTYPE_P2P_GO:
5636 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
5637 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
5638 					 BIT(NL80211_STA_FLAG_WME) |
5639 					 BIT(NL80211_STA_FLAG_MFP);
5640 		break;
5641 	case NL80211_IFTYPE_P2P_CLIENT:
5642 	case NL80211_IFTYPE_STATION:
5643 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
5644 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
5645 		break;
5646 	case NL80211_IFTYPE_MESH_POINT:
5647 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5648 					 BIT(NL80211_STA_FLAG_MFP) |
5649 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
5650 		break;
5651 	default:
5652 		return -EINVAL;
5653 	}
5654 
5655 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
5656 		if (flags[flag]) {
5657 			params->sta_flags_set |= (1<<flag);
5658 
5659 			/* no longer support new API additions in old API */
5660 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
5661 				return -EINVAL;
5662 		}
5663 	}
5664 
5665 	return 0;
5666 }
5667 
nl80211_put_sta_rate(struct sk_buff * msg,struct rate_info * info,int attr)5668 bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info, int attr)
5669 {
5670 	struct nlattr *rate;
5671 	u32 bitrate;
5672 	u16 bitrate_compat;
5673 	enum nl80211_rate_info rate_flg;
5674 
5675 	rate = nla_nest_start_noflag(msg, attr);
5676 	if (!rate)
5677 		return false;
5678 
5679 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
5680 	bitrate = cfg80211_calculate_bitrate(info);
5681 	/* report 16-bit bitrate only if we can */
5682 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
5683 	if (bitrate > 0 &&
5684 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
5685 		return false;
5686 	if (bitrate_compat > 0 &&
5687 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
5688 		return false;
5689 
5690 	switch (info->bw) {
5691 	case RATE_INFO_BW_5:
5692 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
5693 		break;
5694 	case RATE_INFO_BW_10:
5695 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
5696 		break;
5697 	default:
5698 		WARN_ON(1);
5699 		fallthrough;
5700 	case RATE_INFO_BW_20:
5701 		rate_flg = 0;
5702 		break;
5703 	case RATE_INFO_BW_40:
5704 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
5705 		break;
5706 	case RATE_INFO_BW_80:
5707 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
5708 		break;
5709 	case RATE_INFO_BW_160:
5710 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
5711 		break;
5712 	case RATE_INFO_BW_HE_RU:
5713 		rate_flg = 0;
5714 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_HE_MCS));
5715 	}
5716 
5717 	if (rate_flg && nla_put_flag(msg, rate_flg))
5718 		return false;
5719 
5720 	if (info->flags & RATE_INFO_FLAGS_MCS) {
5721 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
5722 			return false;
5723 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
5724 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
5725 			return false;
5726 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
5727 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
5728 			return false;
5729 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
5730 			return false;
5731 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
5732 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
5733 			return false;
5734 	} else if (info->flags & RATE_INFO_FLAGS_HE_MCS) {
5735 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_MCS, info->mcs))
5736 			return false;
5737 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_NSS, info->nss))
5738 			return false;
5739 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_GI, info->he_gi))
5740 			return false;
5741 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_DCM, info->he_dcm))
5742 			return false;
5743 		if (info->bw == RATE_INFO_BW_HE_RU &&
5744 		    nla_put_u8(msg, NL80211_RATE_INFO_HE_RU_ALLOC,
5745 			       info->he_ru_alloc))
5746 			return false;
5747 	}
5748 
5749 	nla_nest_end(msg, rate);
5750 	return true;
5751 }
5752 
nl80211_put_signal(struct sk_buff * msg,u8 mask,s8 * signal,int id)5753 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
5754 			       int id)
5755 {
5756 	void *attr;
5757 	int i = 0;
5758 
5759 	if (!mask)
5760 		return true;
5761 
5762 	attr = nla_nest_start_noflag(msg, id);
5763 	if (!attr)
5764 		return false;
5765 
5766 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
5767 		if (!(mask & BIT(i)))
5768 			continue;
5769 
5770 		if (nla_put_u8(msg, i, signal[i]))
5771 			return false;
5772 	}
5773 
5774 	nla_nest_end(msg, attr);
5775 
5776 	return true;
5777 }
5778 
nl80211_send_station(struct sk_buff * msg,u32 cmd,u32 portid,u32 seq,int flags,struct cfg80211_registered_device * rdev,struct net_device * dev,const u8 * mac_addr,struct station_info * sinfo)5779 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
5780 				u32 seq, int flags,
5781 				struct cfg80211_registered_device *rdev,
5782 				struct net_device *dev,
5783 				const u8 *mac_addr, struct station_info *sinfo)
5784 {
5785 	void *hdr;
5786 	struct nlattr *sinfoattr, *bss_param;
5787 
5788 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
5789 	if (!hdr) {
5790 		cfg80211_sinfo_release_content(sinfo);
5791 		return -1;
5792 	}
5793 
5794 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
5795 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
5796 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
5797 		goto nla_put_failure;
5798 
5799 	sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
5800 	if (!sinfoattr)
5801 		goto nla_put_failure;
5802 
5803 #define PUT_SINFO(attr, memb, type) do {				\
5804 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
5805 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
5806 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
5807 			     sinfo->memb))				\
5808 		goto nla_put_failure;					\
5809 	} while (0)
5810 #define PUT_SINFO_U64(attr, memb) do {					\
5811 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
5812 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
5813 			      sinfo->memb, NL80211_STA_INFO_PAD))	\
5814 		goto nla_put_failure;					\
5815 	} while (0)
5816 
5817 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
5818 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
5819 	PUT_SINFO_U64(ASSOC_AT_BOOTTIME, assoc_at);
5820 
5821 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
5822 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
5823 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
5824 			(u32)sinfo->rx_bytes))
5825 		goto nla_put_failure;
5826 
5827 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
5828 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
5829 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
5830 			(u32)sinfo->tx_bytes))
5831 		goto nla_put_failure;
5832 
5833 	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
5834 	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
5835 	PUT_SINFO(LLID, llid, u16);
5836 	PUT_SINFO(PLID, plid, u16);
5837 	PUT_SINFO(PLINK_STATE, plink_state, u8);
5838 	PUT_SINFO_U64(RX_DURATION, rx_duration);
5839 	PUT_SINFO_U64(TX_DURATION, tx_duration);
5840 
5841 	if (wiphy_ext_feature_isset(&rdev->wiphy,
5842 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
5843 		PUT_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
5844 
5845 	switch (rdev->wiphy.signal_type) {
5846 	case CFG80211_SIGNAL_TYPE_MBM:
5847 		PUT_SINFO(SIGNAL, signal, u8);
5848 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
5849 		break;
5850 	default:
5851 		break;
5852 	}
5853 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
5854 		if (!nl80211_put_signal(msg, sinfo->chains,
5855 					sinfo->chain_signal,
5856 					NL80211_STA_INFO_CHAIN_SIGNAL))
5857 			goto nla_put_failure;
5858 	}
5859 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
5860 		if (!nl80211_put_signal(msg, sinfo->chains,
5861 					sinfo->chain_signal_avg,
5862 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
5863 			goto nla_put_failure;
5864 	}
5865 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
5866 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
5867 					  NL80211_STA_INFO_TX_BITRATE))
5868 			goto nla_put_failure;
5869 	}
5870 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
5871 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
5872 					  NL80211_STA_INFO_RX_BITRATE))
5873 			goto nla_put_failure;
5874 	}
5875 
5876 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
5877 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
5878 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
5879 	PUT_SINFO(TX_FAILED, tx_failed, u32);
5880 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
5881 	PUT_SINFO(AIRTIME_LINK_METRIC, airtime_link_metric, u32);
5882 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
5883 	PUT_SINFO(LOCAL_PM, local_pm, u32);
5884 	PUT_SINFO(PEER_PM, peer_pm, u32);
5885 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
5886 	PUT_SINFO(CONNECTED_TO_GATE, connected_to_gate, u8);
5887 	PUT_SINFO(CONNECTED_TO_AS, connected_to_as, u8);
5888 
5889 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
5890 		bss_param = nla_nest_start_noflag(msg,
5891 						  NL80211_STA_INFO_BSS_PARAM);
5892 		if (!bss_param)
5893 			goto nla_put_failure;
5894 
5895 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
5896 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
5897 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
5898 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
5899 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
5900 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
5901 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
5902 			       sinfo->bss_param.dtim_period) ||
5903 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
5904 				sinfo->bss_param.beacon_interval))
5905 			goto nla_put_failure;
5906 
5907 		nla_nest_end(msg, bss_param);
5908 	}
5909 	if ((sinfo->filled & BIT_ULL(NL80211_STA_INFO_STA_FLAGS)) &&
5910 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
5911 		    sizeof(struct nl80211_sta_flag_update),
5912 		    &sinfo->sta_flags))
5913 		goto nla_put_failure;
5914 
5915 	PUT_SINFO_U64(T_OFFSET, t_offset);
5916 	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
5917 	PUT_SINFO_U64(BEACON_RX, rx_beacon);
5918 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
5919 	PUT_SINFO(RX_MPDUS, rx_mpdu_count, u32);
5920 	PUT_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
5921 	if (wiphy_ext_feature_isset(&rdev->wiphy,
5922 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
5923 		PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
5924 		PUT_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
5925 	}
5926 
5927 #undef PUT_SINFO
5928 #undef PUT_SINFO_U64
5929 
5930 	if (sinfo->pertid) {
5931 		struct nlattr *tidsattr;
5932 		int tid;
5933 
5934 		tidsattr = nla_nest_start_noflag(msg,
5935 						 NL80211_STA_INFO_TID_STATS);
5936 		if (!tidsattr)
5937 			goto nla_put_failure;
5938 
5939 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
5940 			struct cfg80211_tid_stats *tidstats;
5941 			struct nlattr *tidattr;
5942 
5943 			tidstats = &sinfo->pertid[tid];
5944 
5945 			if (!tidstats->filled)
5946 				continue;
5947 
5948 			tidattr = nla_nest_start_noflag(msg, tid + 1);
5949 			if (!tidattr)
5950 				goto nla_put_failure;
5951 
5952 #define PUT_TIDVAL_U64(attr, memb) do {					\
5953 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
5954 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
5955 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
5956 		goto nla_put_failure;					\
5957 	} while (0)
5958 
5959 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
5960 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
5961 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
5962 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
5963 
5964 #undef PUT_TIDVAL_U64
5965 			if ((tidstats->filled &
5966 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
5967 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
5968 						   NL80211_TID_STATS_TXQ_STATS))
5969 				goto nla_put_failure;
5970 
5971 			nla_nest_end(msg, tidattr);
5972 		}
5973 
5974 		nla_nest_end(msg, tidsattr);
5975 	}
5976 
5977 	nla_nest_end(msg, sinfoattr);
5978 
5979 	if (sinfo->assoc_req_ies_len &&
5980 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
5981 		    sinfo->assoc_req_ies))
5982 		goto nla_put_failure;
5983 
5984 	cfg80211_sinfo_release_content(sinfo);
5985 	genlmsg_end(msg, hdr);
5986 	return 0;
5987 
5988  nla_put_failure:
5989 	cfg80211_sinfo_release_content(sinfo);
5990 	genlmsg_cancel(msg, hdr);
5991 	return -EMSGSIZE;
5992 }
5993 
nl80211_dump_station(struct sk_buff * skb,struct netlink_callback * cb)5994 static int nl80211_dump_station(struct sk_buff *skb,
5995 				struct netlink_callback *cb)
5996 {
5997 	struct station_info sinfo;
5998 	struct cfg80211_registered_device *rdev;
5999 	struct wireless_dev *wdev;
6000 	u8 mac_addr[ETH_ALEN];
6001 	int sta_idx = cb->args[2];
6002 	int err;
6003 
6004 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
6005 	if (err)
6006 		return err;
6007 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
6008 	__acquire(&rdev->wiphy.mtx);
6009 
6010 	if (!wdev->netdev) {
6011 		err = -EINVAL;
6012 		goto out_err;
6013 	}
6014 
6015 	if (!rdev->ops->dump_station) {
6016 		err = -EOPNOTSUPP;
6017 		goto out_err;
6018 	}
6019 
6020 	while (1) {
6021 		memset(&sinfo, 0, sizeof(sinfo));
6022 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
6023 					mac_addr, &sinfo);
6024 		if (err == -ENOENT)
6025 			break;
6026 		if (err)
6027 			goto out_err;
6028 
6029 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
6030 				NETLINK_CB(cb->skb).portid,
6031 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
6032 				rdev, wdev->netdev, mac_addr,
6033 				&sinfo) < 0)
6034 			goto out;
6035 
6036 		sta_idx++;
6037 	}
6038 
6039  out:
6040 	cb->args[2] = sta_idx;
6041 	err = skb->len;
6042  out_err:
6043 	wiphy_unlock(&rdev->wiphy);
6044 
6045 	return err;
6046 }
6047 
nl80211_get_station(struct sk_buff * skb,struct genl_info * info)6048 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
6049 {
6050 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6051 	struct net_device *dev = info->user_ptr[1];
6052 	struct station_info sinfo;
6053 	struct sk_buff *msg;
6054 	u8 *mac_addr = NULL;
6055 	int err;
6056 
6057 	memset(&sinfo, 0, sizeof(sinfo));
6058 
6059 	if (!info->attrs[NL80211_ATTR_MAC])
6060 		return -EINVAL;
6061 
6062 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6063 
6064 	if (!rdev->ops->get_station)
6065 		return -EOPNOTSUPP;
6066 
6067 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
6068 	if (err)
6069 		return err;
6070 
6071 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6072 	if (!msg) {
6073 		cfg80211_sinfo_release_content(&sinfo);
6074 		return -ENOMEM;
6075 	}
6076 
6077 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
6078 				 info->snd_portid, info->snd_seq, 0,
6079 				 rdev, dev, mac_addr, &sinfo) < 0) {
6080 		nlmsg_free(msg);
6081 		return -ENOBUFS;
6082 	}
6083 
6084 	return genlmsg_reply(msg, info);
6085 }
6086 
cfg80211_check_station_change(struct wiphy * wiphy,struct station_parameters * params,enum cfg80211_station_type statype)6087 int cfg80211_check_station_change(struct wiphy *wiphy,
6088 				  struct station_parameters *params,
6089 				  enum cfg80211_station_type statype)
6090 {
6091 	if (params->listen_interval != -1 &&
6092 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6093 		return -EINVAL;
6094 
6095 	if (params->support_p2p_ps != -1 &&
6096 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6097 		return -EINVAL;
6098 
6099 	if (params->aid &&
6100 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
6101 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6102 		return -EINVAL;
6103 
6104 	/* When you run into this, adjust the code below for the new flag */
6105 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
6106 
6107 	switch (statype) {
6108 	case CFG80211_STA_MESH_PEER_KERNEL:
6109 	case CFG80211_STA_MESH_PEER_USER:
6110 		/*
6111 		 * No ignoring the TDLS flag here -- the userspace mesh
6112 		 * code doesn't have the bug of including TDLS in the
6113 		 * mask everywhere.
6114 		 */
6115 		if (params->sta_flags_mask &
6116 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6117 				  BIT(NL80211_STA_FLAG_MFP) |
6118 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
6119 			return -EINVAL;
6120 		break;
6121 	case CFG80211_STA_TDLS_PEER_SETUP:
6122 	case CFG80211_STA_TDLS_PEER_ACTIVE:
6123 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
6124 			return -EINVAL;
6125 		/* ignore since it can't change */
6126 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6127 		break;
6128 	default:
6129 		/* disallow mesh-specific things */
6130 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
6131 			return -EINVAL;
6132 		if (params->local_pm)
6133 			return -EINVAL;
6134 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
6135 			return -EINVAL;
6136 	}
6137 
6138 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
6139 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
6140 		/* TDLS can't be set, ... */
6141 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
6142 			return -EINVAL;
6143 		/*
6144 		 * ... but don't bother the driver with it. This works around
6145 		 * a hostapd/wpa_supplicant issue -- it always includes the
6146 		 * TLDS_PEER flag in the mask even for AP mode.
6147 		 */
6148 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6149 	}
6150 
6151 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
6152 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
6153 		/* reject other things that can't change */
6154 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
6155 			return -EINVAL;
6156 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
6157 			return -EINVAL;
6158 		if (params->supported_rates)
6159 			return -EINVAL;
6160 		if (params->ext_capab || params->ht_capa || params->vht_capa ||
6161 		    params->he_capa)
6162 			return -EINVAL;
6163 	}
6164 
6165 	if (statype != CFG80211_STA_AP_CLIENT &&
6166 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
6167 		if (params->vlan)
6168 			return -EINVAL;
6169 	}
6170 
6171 	switch (statype) {
6172 	case CFG80211_STA_AP_MLME_CLIENT:
6173 		/* Use this only for authorizing/unauthorizing a station */
6174 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
6175 			return -EOPNOTSUPP;
6176 		break;
6177 	case CFG80211_STA_AP_CLIENT:
6178 	case CFG80211_STA_AP_CLIENT_UNASSOC:
6179 		/* accept only the listed bits */
6180 		if (params->sta_flags_mask &
6181 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
6182 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6183 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
6184 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
6185 				  BIT(NL80211_STA_FLAG_WME) |
6186 				  BIT(NL80211_STA_FLAG_MFP)))
6187 			return -EINVAL;
6188 
6189 		/* but authenticated/associated only if driver handles it */
6190 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
6191 		    params->sta_flags_mask &
6192 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6193 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
6194 			return -EINVAL;
6195 		break;
6196 	case CFG80211_STA_IBSS:
6197 	case CFG80211_STA_AP_STA:
6198 		/* reject any changes other than AUTHORIZED */
6199 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
6200 			return -EINVAL;
6201 		break;
6202 	case CFG80211_STA_TDLS_PEER_SETUP:
6203 		/* reject any changes other than AUTHORIZED or WME */
6204 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
6205 					       BIT(NL80211_STA_FLAG_WME)))
6206 			return -EINVAL;
6207 		/* force (at least) rates when authorizing */
6208 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
6209 		    !params->supported_rates)
6210 			return -EINVAL;
6211 		break;
6212 	case CFG80211_STA_TDLS_PEER_ACTIVE:
6213 		/* reject any changes */
6214 		return -EINVAL;
6215 	case CFG80211_STA_MESH_PEER_KERNEL:
6216 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
6217 			return -EINVAL;
6218 		break;
6219 	case CFG80211_STA_MESH_PEER_USER:
6220 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
6221 		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
6222 			return -EINVAL;
6223 		break;
6224 	}
6225 
6226 	/*
6227 	 * Older kernel versions ignored this attribute entirely, so don't
6228 	 * reject attempts to update it but mark it as unused instead so the
6229 	 * driver won't look at the data.
6230 	 */
6231 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
6232 	    statype != CFG80211_STA_TDLS_PEER_SETUP)
6233 		params->opmode_notif_used = false;
6234 
6235 	return 0;
6236 }
6237 EXPORT_SYMBOL(cfg80211_check_station_change);
6238 
6239 /*
6240  * Get vlan interface making sure it is running and on the right wiphy.
6241  */
get_vlan(struct genl_info * info,struct cfg80211_registered_device * rdev)6242 static struct net_device *get_vlan(struct genl_info *info,
6243 				   struct cfg80211_registered_device *rdev)
6244 {
6245 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
6246 	struct net_device *v;
6247 	int ret;
6248 
6249 	if (!vlanattr)
6250 		return NULL;
6251 
6252 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
6253 	if (!v)
6254 		return ERR_PTR(-ENODEV);
6255 
6256 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
6257 		ret = -EINVAL;
6258 		goto error;
6259 	}
6260 
6261 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
6262 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6263 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6264 		ret = -EINVAL;
6265 		goto error;
6266 	}
6267 
6268 	if (!netif_running(v)) {
6269 		ret = -ENETDOWN;
6270 		goto error;
6271 	}
6272 
6273 	return v;
6274  error:
6275 	dev_put(v);
6276 	return ERR_PTR(ret);
6277 }
6278 
6279 static const struct nla_policy
6280 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
6281 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
6282 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
6283 };
6284 
nl80211_parse_sta_wme(struct genl_info * info,struct station_parameters * params)6285 static int nl80211_parse_sta_wme(struct genl_info *info,
6286 				 struct station_parameters *params)
6287 {
6288 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
6289 	struct nlattr *nla;
6290 	int err;
6291 
6292 	/* parse WME attributes if present */
6293 	if (!info->attrs[NL80211_ATTR_STA_WME])
6294 		return 0;
6295 
6296 	nla = info->attrs[NL80211_ATTR_STA_WME];
6297 	err = nla_parse_nested_deprecated(tb, NL80211_STA_WME_MAX, nla,
6298 					  nl80211_sta_wme_policy,
6299 					  info->extack);
6300 	if (err)
6301 		return err;
6302 
6303 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
6304 		params->uapsd_queues = nla_get_u8(
6305 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
6306 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
6307 		return -EINVAL;
6308 
6309 	if (tb[NL80211_STA_WME_MAX_SP])
6310 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
6311 
6312 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
6313 		return -EINVAL;
6314 
6315 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
6316 
6317 	return 0;
6318 }
6319 
nl80211_parse_sta_channel_info(struct genl_info * info,struct station_parameters * params)6320 static int nl80211_parse_sta_channel_info(struct genl_info *info,
6321 				      struct station_parameters *params)
6322 {
6323 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
6324 		params->supported_channels =
6325 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
6326 		params->supported_channels_len =
6327 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
6328 		/*
6329 		 * Need to include at least one (first channel, number of
6330 		 * channels) tuple for each subband (checked in policy),
6331 		 * and must have proper tuples for the rest of the data as well.
6332 		 */
6333 		if (params->supported_channels_len % 2)
6334 			return -EINVAL;
6335 	}
6336 
6337 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
6338 		params->supported_oper_classes =
6339 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
6340 		params->supported_oper_classes_len =
6341 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
6342 	}
6343 	return 0;
6344 }
6345 
nl80211_set_station_tdls(struct genl_info * info,struct station_parameters * params)6346 static int nl80211_set_station_tdls(struct genl_info *info,
6347 				    struct station_parameters *params)
6348 {
6349 	int err;
6350 	/* Dummy STA entry gets updated once the peer capabilities are known */
6351 	if (info->attrs[NL80211_ATTR_PEER_AID])
6352 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
6353 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
6354 		params->ht_capa =
6355 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
6356 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
6357 		params->vht_capa =
6358 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
6359 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
6360 		params->he_capa =
6361 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6362 		params->he_capa_len =
6363 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6364 	}
6365 
6366 	err = nl80211_parse_sta_channel_info(info, params);
6367 	if (err)
6368 		return err;
6369 
6370 	return nl80211_parse_sta_wme(info, params);
6371 }
6372 
nl80211_parse_sta_txpower_setting(struct genl_info * info,struct station_parameters * params)6373 static int nl80211_parse_sta_txpower_setting(struct genl_info *info,
6374 					     struct station_parameters *params)
6375 {
6376 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6377 	int idx;
6378 
6379 	if (info->attrs[NL80211_ATTR_STA_TX_POWER_SETTING]) {
6380 		if (!rdev->ops->set_tx_power ||
6381 		    !wiphy_ext_feature_isset(&rdev->wiphy,
6382 					 NL80211_EXT_FEATURE_STA_TX_PWR))
6383 			return -EOPNOTSUPP;
6384 
6385 		idx = NL80211_ATTR_STA_TX_POWER_SETTING;
6386 		params->txpwr.type = nla_get_u8(info->attrs[idx]);
6387 
6388 		if (params->txpwr.type == NL80211_TX_POWER_LIMITED) {
6389 			idx = NL80211_ATTR_STA_TX_POWER;
6390 
6391 			if (info->attrs[idx])
6392 				params->txpwr.power =
6393 					nla_get_s16(info->attrs[idx]);
6394 			else
6395 				return -EINVAL;
6396 		}
6397 		params->sta_modify_mask |= STATION_PARAM_APPLY_STA_TXPOWER;
6398 	}
6399 
6400 	return 0;
6401 }
6402 
nl80211_set_station(struct sk_buff * skb,struct genl_info * info)6403 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
6404 {
6405 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6406 	struct net_device *dev = info->user_ptr[1];
6407 	struct station_parameters params;
6408 	u8 *mac_addr;
6409 	int err;
6410 
6411 	memset(&params, 0, sizeof(params));
6412 
6413 	if (!rdev->ops->change_station)
6414 		return -EOPNOTSUPP;
6415 
6416 	/*
6417 	 * AID and listen_interval properties can be set only for unassociated
6418 	 * station. Include these parameters here and will check them in
6419 	 * cfg80211_check_station_change().
6420 	 */
6421 	if (info->attrs[NL80211_ATTR_STA_AID])
6422 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
6423 
6424 	if (info->attrs[NL80211_ATTR_VLAN_ID])
6425 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
6426 
6427 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
6428 		params.listen_interval =
6429 		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
6430 	else
6431 		params.listen_interval = -1;
6432 
6433 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS])
6434 		params.support_p2p_ps =
6435 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
6436 	else
6437 		params.support_p2p_ps = -1;
6438 
6439 	if (!info->attrs[NL80211_ATTR_MAC])
6440 		return -EINVAL;
6441 
6442 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6443 
6444 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
6445 		params.supported_rates =
6446 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6447 		params.supported_rates_len =
6448 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6449 	}
6450 
6451 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
6452 		params.capability =
6453 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
6454 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
6455 	}
6456 
6457 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
6458 		params.ext_capab =
6459 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6460 		params.ext_capab_len =
6461 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6462 	}
6463 
6464 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
6465 		return -EINVAL;
6466 
6467 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
6468 		params.plink_action =
6469 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
6470 
6471 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
6472 		params.plink_state =
6473 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
6474 		if (info->attrs[NL80211_ATTR_MESH_PEER_AID])
6475 			params.peer_aid = nla_get_u16(
6476 				info->attrs[NL80211_ATTR_MESH_PEER_AID]);
6477 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
6478 	}
6479 
6480 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE])
6481 		params.local_pm = nla_get_u32(
6482 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
6483 
6484 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
6485 		params.opmode_notif_used = true;
6486 		params.opmode_notif =
6487 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
6488 	}
6489 
6490 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
6491 		params.he_6ghz_capa =
6492 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
6493 
6494 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
6495 		params.airtime_weight =
6496 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
6497 
6498 	if (params.airtime_weight &&
6499 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6500 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6501 		return -EOPNOTSUPP;
6502 
6503 	err = nl80211_parse_sta_txpower_setting(info, &params);
6504 	if (err)
6505 		return err;
6506 
6507 	/* Include parameters for TDLS peer (will check later) */
6508 	err = nl80211_set_station_tdls(info, &params);
6509 	if (err)
6510 		return err;
6511 
6512 	params.vlan = get_vlan(info, rdev);
6513 	if (IS_ERR(params.vlan))
6514 		return PTR_ERR(params.vlan);
6515 
6516 	switch (dev->ieee80211_ptr->iftype) {
6517 	case NL80211_IFTYPE_AP:
6518 	case NL80211_IFTYPE_AP_VLAN:
6519 	case NL80211_IFTYPE_P2P_GO:
6520 	case NL80211_IFTYPE_P2P_CLIENT:
6521 	case NL80211_IFTYPE_STATION:
6522 	case NL80211_IFTYPE_ADHOC:
6523 	case NL80211_IFTYPE_MESH_POINT:
6524 		break;
6525 	default:
6526 		err = -EOPNOTSUPP;
6527 		goto out_put_vlan;
6528 	}
6529 
6530 	/* driver will call cfg80211_check_station_change() */
6531 	err = rdev_change_station(rdev, dev, mac_addr, &params);
6532 
6533  out_put_vlan:
6534 	dev_put(params.vlan);
6535 
6536 	return err;
6537 }
6538 
nl80211_new_station(struct sk_buff * skb,struct genl_info * info)6539 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
6540 {
6541 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6542 	int err;
6543 	struct net_device *dev = info->user_ptr[1];
6544 	struct station_parameters params;
6545 	u8 *mac_addr = NULL;
6546 	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6547 			 BIT(NL80211_STA_FLAG_ASSOCIATED);
6548 
6549 	memset(&params, 0, sizeof(params));
6550 
6551 	if (!rdev->ops->add_station)
6552 		return -EOPNOTSUPP;
6553 
6554 	if (!info->attrs[NL80211_ATTR_MAC])
6555 		return -EINVAL;
6556 
6557 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
6558 		return -EINVAL;
6559 
6560 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
6561 		return -EINVAL;
6562 
6563 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
6564 	    !info->attrs[NL80211_ATTR_PEER_AID])
6565 		return -EINVAL;
6566 
6567 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6568 	params.supported_rates =
6569 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6570 	params.supported_rates_len =
6571 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6572 	params.listen_interval =
6573 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
6574 
6575 	if (info->attrs[NL80211_ATTR_VLAN_ID])
6576 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
6577 
6578 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
6579 		params.support_p2p_ps =
6580 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
6581 	} else {
6582 		/*
6583 		 * if not specified, assume it's supported for P2P GO interface,
6584 		 * and is NOT supported for AP interface
6585 		 */
6586 		params.support_p2p_ps =
6587 			dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO;
6588 	}
6589 
6590 	if (info->attrs[NL80211_ATTR_PEER_AID])
6591 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
6592 	else
6593 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
6594 
6595 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
6596 		params.capability =
6597 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
6598 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
6599 	}
6600 
6601 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
6602 		params.ext_capab =
6603 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6604 		params.ext_capab_len =
6605 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6606 	}
6607 
6608 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
6609 		params.ht_capa =
6610 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
6611 
6612 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
6613 		params.vht_capa =
6614 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
6615 
6616 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
6617 		params.he_capa =
6618 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6619 		params.he_capa_len =
6620 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6621 	}
6622 
6623 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
6624 		params.he_6ghz_capa =
6625 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
6626 
6627 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
6628 		params.opmode_notif_used = true;
6629 		params.opmode_notif =
6630 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
6631 	}
6632 
6633 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
6634 		params.plink_action =
6635 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
6636 
6637 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
6638 		params.airtime_weight =
6639 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
6640 
6641 	if (params.airtime_weight &&
6642 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6643 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6644 		return -EOPNOTSUPP;
6645 
6646 	err = nl80211_parse_sta_txpower_setting(info, &params);
6647 	if (err)
6648 		return err;
6649 
6650 	err = nl80211_parse_sta_channel_info(info, &params);
6651 	if (err)
6652 		return err;
6653 
6654 	err = nl80211_parse_sta_wme(info, &params);
6655 	if (err)
6656 		return err;
6657 
6658 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
6659 		return -EINVAL;
6660 
6661 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
6662 	 * as userspace might just pass through the capabilities from the IEs
6663 	 * directly, rather than enforcing this restriction and returning an
6664 	 * error in this case.
6665 	 */
6666 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
6667 		params.ht_capa = NULL;
6668 		params.vht_capa = NULL;
6669 
6670 		/* HE requires WME */
6671 		if (params.he_capa_len || params.he_6ghz_capa)
6672 			return -EINVAL;
6673 	}
6674 
6675 	/* Ensure that HT/VHT capabilities are not set for 6 GHz HE STA */
6676 	if (params.he_6ghz_capa && (params.ht_capa || params.vht_capa))
6677 		return -EINVAL;
6678 
6679 	/* When you run into this, adjust the code below for the new flag */
6680 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
6681 
6682 	switch (dev->ieee80211_ptr->iftype) {
6683 	case NL80211_IFTYPE_AP:
6684 	case NL80211_IFTYPE_AP_VLAN:
6685 	case NL80211_IFTYPE_P2P_GO:
6686 		/* ignore WME attributes if iface/sta is not capable */
6687 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
6688 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
6689 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
6690 
6691 		/* TDLS peers cannot be added */
6692 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
6693 		    info->attrs[NL80211_ATTR_PEER_AID])
6694 			return -EINVAL;
6695 		/* but don't bother the driver with it */
6696 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6697 
6698 		/* allow authenticated/associated only if driver handles it */
6699 		if (!(rdev->wiphy.features &
6700 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
6701 		    params.sta_flags_mask & auth_assoc)
6702 			return -EINVAL;
6703 
6704 		/* Older userspace, or userspace wanting to be compatible with
6705 		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
6706 		 * and assoc flags in the mask, but assumes the station will be
6707 		 * added as associated anyway since this was the required driver
6708 		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
6709 		 * introduced.
6710 		 * In order to not bother drivers with this quirk in the API
6711 		 * set the flags in both the mask and set for new stations in
6712 		 * this case.
6713 		 */
6714 		if (!(params.sta_flags_mask & auth_assoc)) {
6715 			params.sta_flags_mask |= auth_assoc;
6716 			params.sta_flags_set |= auth_assoc;
6717 		}
6718 
6719 		/* must be last in here for error handling */
6720 		params.vlan = get_vlan(info, rdev);
6721 		if (IS_ERR(params.vlan))
6722 			return PTR_ERR(params.vlan);
6723 		break;
6724 	case NL80211_IFTYPE_MESH_POINT:
6725 		/* ignore uAPSD data */
6726 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
6727 
6728 		/* associated is disallowed */
6729 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
6730 			return -EINVAL;
6731 		/* TDLS peers cannot be added */
6732 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
6733 		    info->attrs[NL80211_ATTR_PEER_AID])
6734 			return -EINVAL;
6735 		break;
6736 	case NL80211_IFTYPE_STATION:
6737 	case NL80211_IFTYPE_P2P_CLIENT:
6738 		/* ignore uAPSD data */
6739 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
6740 
6741 		/* these are disallowed */
6742 		if (params.sta_flags_mask &
6743 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
6744 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
6745 			return -EINVAL;
6746 		/* Only TDLS peers can be added */
6747 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
6748 			return -EINVAL;
6749 		/* Can only add if TDLS ... */
6750 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
6751 			return -EOPNOTSUPP;
6752 		/* ... with external setup is supported */
6753 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
6754 			return -EOPNOTSUPP;
6755 		/*
6756 		 * Older wpa_supplicant versions always mark the TDLS peer
6757 		 * as authorized, but it shouldn't yet be.
6758 		 */
6759 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
6760 		break;
6761 	default:
6762 		return -EOPNOTSUPP;
6763 	}
6764 
6765 	/* be aware of params.vlan when changing code here */
6766 
6767 	err = rdev_add_station(rdev, dev, mac_addr, &params);
6768 
6769 	dev_put(params.vlan);
6770 	return err;
6771 }
6772 
nl80211_del_station(struct sk_buff * skb,struct genl_info * info)6773 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
6774 {
6775 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6776 	struct net_device *dev = info->user_ptr[1];
6777 	struct station_del_parameters params;
6778 
6779 	memset(&params, 0, sizeof(params));
6780 
6781 	if (info->attrs[NL80211_ATTR_MAC])
6782 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
6783 
6784 	switch (dev->ieee80211_ptr->iftype) {
6785 	case NL80211_IFTYPE_AP:
6786 	case NL80211_IFTYPE_AP_VLAN:
6787 	case NL80211_IFTYPE_MESH_POINT:
6788 	case NL80211_IFTYPE_P2P_GO:
6789 		/* always accept these */
6790 		break;
6791 	case NL80211_IFTYPE_ADHOC:
6792 		/* conditionally accept */
6793 		if (wiphy_ext_feature_isset(&rdev->wiphy,
6794 					    NL80211_EXT_FEATURE_DEL_IBSS_STA))
6795 			break;
6796 		return -EINVAL;
6797 	default:
6798 		return -EINVAL;
6799 	}
6800 
6801 	if (!rdev->ops->del_station)
6802 		return -EOPNOTSUPP;
6803 
6804 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
6805 		params.subtype =
6806 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
6807 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
6808 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
6809 			return -EINVAL;
6810 	} else {
6811 		/* Default to Deauthentication frame */
6812 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
6813 	}
6814 
6815 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
6816 		params.reason_code =
6817 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
6818 		if (params.reason_code == 0)
6819 			return -EINVAL; /* 0 is reserved */
6820 	} else {
6821 		/* Default to reason code 2 */
6822 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
6823 	}
6824 
6825 	return rdev_del_station(rdev, dev, &params);
6826 }
6827 
nl80211_send_mpath(struct sk_buff * msg,u32 portid,u32 seq,int flags,struct net_device * dev,u8 * dst,u8 * next_hop,struct mpath_info * pinfo)6828 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
6829 				int flags, struct net_device *dev,
6830 				u8 *dst, u8 *next_hop,
6831 				struct mpath_info *pinfo)
6832 {
6833 	void *hdr;
6834 	struct nlattr *pinfoattr;
6835 
6836 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
6837 	if (!hdr)
6838 		return -1;
6839 
6840 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
6841 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
6842 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
6843 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
6844 		goto nla_put_failure;
6845 
6846 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MPATH_INFO);
6847 	if (!pinfoattr)
6848 		goto nla_put_failure;
6849 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
6850 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
6851 			pinfo->frame_qlen))
6852 		goto nla_put_failure;
6853 	if (((pinfo->filled & MPATH_INFO_SN) &&
6854 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
6855 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
6856 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
6857 			 pinfo->metric)) ||
6858 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
6859 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
6860 			 pinfo->exptime)) ||
6861 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
6862 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
6863 			pinfo->flags)) ||
6864 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
6865 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
6866 			 pinfo->discovery_timeout)) ||
6867 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
6868 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
6869 			pinfo->discovery_retries)) ||
6870 	    ((pinfo->filled & MPATH_INFO_HOP_COUNT) &&
6871 	     nla_put_u8(msg, NL80211_MPATH_INFO_HOP_COUNT,
6872 			pinfo->hop_count)) ||
6873 	    ((pinfo->filled & MPATH_INFO_PATH_CHANGE) &&
6874 	     nla_put_u32(msg, NL80211_MPATH_INFO_PATH_CHANGE,
6875 			 pinfo->path_change_count)))
6876 		goto nla_put_failure;
6877 
6878 	nla_nest_end(msg, pinfoattr);
6879 
6880 	genlmsg_end(msg, hdr);
6881 	return 0;
6882 
6883  nla_put_failure:
6884 	genlmsg_cancel(msg, hdr);
6885 	return -EMSGSIZE;
6886 }
6887 
nl80211_dump_mpath(struct sk_buff * skb,struct netlink_callback * cb)6888 static int nl80211_dump_mpath(struct sk_buff *skb,
6889 			      struct netlink_callback *cb)
6890 {
6891 	struct mpath_info pinfo;
6892 	struct cfg80211_registered_device *rdev;
6893 	struct wireless_dev *wdev;
6894 	u8 dst[ETH_ALEN];
6895 	u8 next_hop[ETH_ALEN];
6896 	int path_idx = cb->args[2];
6897 	int err;
6898 
6899 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
6900 	if (err)
6901 		return err;
6902 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
6903 	__acquire(&rdev->wiphy.mtx);
6904 
6905 	if (!rdev->ops->dump_mpath) {
6906 		err = -EOPNOTSUPP;
6907 		goto out_err;
6908 	}
6909 
6910 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
6911 		err = -EOPNOTSUPP;
6912 		goto out_err;
6913 	}
6914 
6915 	while (1) {
6916 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
6917 				      next_hop, &pinfo);
6918 		if (err == -ENOENT)
6919 			break;
6920 		if (err)
6921 			goto out_err;
6922 
6923 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
6924 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
6925 				       wdev->netdev, dst, next_hop,
6926 				       &pinfo) < 0)
6927 			goto out;
6928 
6929 		path_idx++;
6930 	}
6931 
6932  out:
6933 	cb->args[2] = path_idx;
6934 	err = skb->len;
6935  out_err:
6936 	wiphy_unlock(&rdev->wiphy);
6937 	return err;
6938 }
6939 
nl80211_get_mpath(struct sk_buff * skb,struct genl_info * info)6940 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
6941 {
6942 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6943 	int err;
6944 	struct net_device *dev = info->user_ptr[1];
6945 	struct mpath_info pinfo;
6946 	struct sk_buff *msg;
6947 	u8 *dst = NULL;
6948 	u8 next_hop[ETH_ALEN];
6949 
6950 	memset(&pinfo, 0, sizeof(pinfo));
6951 
6952 	if (!info->attrs[NL80211_ATTR_MAC])
6953 		return -EINVAL;
6954 
6955 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
6956 
6957 	if (!rdev->ops->get_mpath)
6958 		return -EOPNOTSUPP;
6959 
6960 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
6961 		return -EOPNOTSUPP;
6962 
6963 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
6964 	if (err)
6965 		return err;
6966 
6967 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6968 	if (!msg)
6969 		return -ENOMEM;
6970 
6971 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
6972 				 dev, dst, next_hop, &pinfo) < 0) {
6973 		nlmsg_free(msg);
6974 		return -ENOBUFS;
6975 	}
6976 
6977 	return genlmsg_reply(msg, info);
6978 }
6979 
nl80211_set_mpath(struct sk_buff * skb,struct genl_info * info)6980 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
6981 {
6982 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6983 	struct net_device *dev = info->user_ptr[1];
6984 	u8 *dst = NULL;
6985 	u8 *next_hop = NULL;
6986 
6987 	if (!info->attrs[NL80211_ATTR_MAC])
6988 		return -EINVAL;
6989 
6990 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
6991 		return -EINVAL;
6992 
6993 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
6994 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
6995 
6996 	if (!rdev->ops->change_mpath)
6997 		return -EOPNOTSUPP;
6998 
6999 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7000 		return -EOPNOTSUPP;
7001 
7002 	return rdev_change_mpath(rdev, dev, dst, next_hop);
7003 }
7004 
nl80211_new_mpath(struct sk_buff * skb,struct genl_info * info)7005 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
7006 {
7007 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7008 	struct net_device *dev = info->user_ptr[1];
7009 	u8 *dst = NULL;
7010 	u8 *next_hop = NULL;
7011 
7012 	if (!info->attrs[NL80211_ATTR_MAC])
7013 		return -EINVAL;
7014 
7015 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
7016 		return -EINVAL;
7017 
7018 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7019 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
7020 
7021 	if (!rdev->ops->add_mpath)
7022 		return -EOPNOTSUPP;
7023 
7024 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7025 		return -EOPNOTSUPP;
7026 
7027 	return rdev_add_mpath(rdev, dev, dst, next_hop);
7028 }
7029 
nl80211_del_mpath(struct sk_buff * skb,struct genl_info * info)7030 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
7031 {
7032 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7033 	struct net_device *dev = info->user_ptr[1];
7034 	u8 *dst = NULL;
7035 
7036 	if (info->attrs[NL80211_ATTR_MAC])
7037 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7038 
7039 	if (!rdev->ops->del_mpath)
7040 		return -EOPNOTSUPP;
7041 
7042 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7043 		return -EOPNOTSUPP;
7044 
7045 	return rdev_del_mpath(rdev, dev, dst);
7046 }
7047 
nl80211_get_mpp(struct sk_buff * skb,struct genl_info * info)7048 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
7049 {
7050 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7051 	int err;
7052 	struct net_device *dev = info->user_ptr[1];
7053 	struct mpath_info pinfo;
7054 	struct sk_buff *msg;
7055 	u8 *dst = NULL;
7056 	u8 mpp[ETH_ALEN];
7057 
7058 	memset(&pinfo, 0, sizeof(pinfo));
7059 
7060 	if (!info->attrs[NL80211_ATTR_MAC])
7061 		return -EINVAL;
7062 
7063 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7064 
7065 	if (!rdev->ops->get_mpp)
7066 		return -EOPNOTSUPP;
7067 
7068 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7069 		return -EOPNOTSUPP;
7070 
7071 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
7072 	if (err)
7073 		return err;
7074 
7075 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7076 	if (!msg)
7077 		return -ENOMEM;
7078 
7079 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
7080 			       dev, dst, mpp, &pinfo) < 0) {
7081 		nlmsg_free(msg);
7082 		return -ENOBUFS;
7083 	}
7084 
7085 	return genlmsg_reply(msg, info);
7086 }
7087 
nl80211_dump_mpp(struct sk_buff * skb,struct netlink_callback * cb)7088 static int nl80211_dump_mpp(struct sk_buff *skb,
7089 			    struct netlink_callback *cb)
7090 {
7091 	struct mpath_info pinfo;
7092 	struct cfg80211_registered_device *rdev;
7093 	struct wireless_dev *wdev;
7094 	u8 dst[ETH_ALEN];
7095 	u8 mpp[ETH_ALEN];
7096 	int path_idx = cb->args[2];
7097 	int err;
7098 
7099 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
7100 	if (err)
7101 		return err;
7102 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7103 	__acquire(&rdev->wiphy.mtx);
7104 
7105 	if (!rdev->ops->dump_mpp) {
7106 		err = -EOPNOTSUPP;
7107 		goto out_err;
7108 	}
7109 
7110 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
7111 		err = -EOPNOTSUPP;
7112 		goto out_err;
7113 	}
7114 
7115 	while (1) {
7116 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
7117 				    mpp, &pinfo);
7118 		if (err == -ENOENT)
7119 			break;
7120 		if (err)
7121 			goto out_err;
7122 
7123 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
7124 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
7125 				       wdev->netdev, dst, mpp,
7126 				       &pinfo) < 0)
7127 			goto out;
7128 
7129 		path_idx++;
7130 	}
7131 
7132  out:
7133 	cb->args[2] = path_idx;
7134 	err = skb->len;
7135  out_err:
7136 	wiphy_unlock(&rdev->wiphy);
7137 	return err;
7138 }
7139 
nl80211_set_bss(struct sk_buff * skb,struct genl_info * info)7140 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
7141 {
7142 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7143 	struct net_device *dev = info->user_ptr[1];
7144 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7145 	struct bss_parameters params;
7146 	int err;
7147 
7148 	memset(&params, 0, sizeof(params));
7149 	/* default to not changing parameters */
7150 	params.use_cts_prot = -1;
7151 	params.use_short_preamble = -1;
7152 	params.use_short_slot_time = -1;
7153 	params.ap_isolate = -1;
7154 	params.ht_opmode = -1;
7155 	params.p2p_ctwindow = -1;
7156 	params.p2p_opp_ps = -1;
7157 
7158 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
7159 		params.use_cts_prot =
7160 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
7161 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
7162 		params.use_short_preamble =
7163 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
7164 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
7165 		params.use_short_slot_time =
7166 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
7167 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
7168 		params.basic_rates =
7169 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
7170 		params.basic_rates_len =
7171 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
7172 	}
7173 	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
7174 		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
7175 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
7176 		params.ht_opmode =
7177 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
7178 
7179 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
7180 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7181 			return -EINVAL;
7182 		params.p2p_ctwindow =
7183 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
7184 		if (params.p2p_ctwindow != 0 &&
7185 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
7186 			return -EINVAL;
7187 	}
7188 
7189 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
7190 		u8 tmp;
7191 
7192 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7193 			return -EINVAL;
7194 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
7195 		params.p2p_opp_ps = tmp;
7196 		if (params.p2p_opp_ps &&
7197 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
7198 			return -EINVAL;
7199 	}
7200 
7201 	if (!rdev->ops->change_bss)
7202 		return -EOPNOTSUPP;
7203 
7204 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
7205 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7206 		return -EOPNOTSUPP;
7207 
7208 	wdev_lock(wdev);
7209 	err = rdev_change_bss(rdev, dev, &params);
7210 	wdev_unlock(wdev);
7211 
7212 	return err;
7213 }
7214 
nl80211_req_set_reg(struct sk_buff * skb,struct genl_info * info)7215 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
7216 {
7217 	char *data = NULL;
7218 	bool is_indoor;
7219 	enum nl80211_user_reg_hint_type user_reg_hint_type;
7220 	u32 owner_nlportid;
7221 
7222 	/*
7223 	 * You should only get this when cfg80211 hasn't yet initialized
7224 	 * completely when built-in to the kernel right between the time
7225 	 * window between nl80211_init() and regulatory_init(), if that is
7226 	 * even possible.
7227 	 */
7228 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
7229 		return -EINPROGRESS;
7230 
7231 	if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
7232 		user_reg_hint_type =
7233 		  nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
7234 	else
7235 		user_reg_hint_type = NL80211_USER_REG_HINT_USER;
7236 
7237 	switch (user_reg_hint_type) {
7238 	case NL80211_USER_REG_HINT_USER:
7239 	case NL80211_USER_REG_HINT_CELL_BASE:
7240 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
7241 			return -EINVAL;
7242 
7243 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
7244 		return regulatory_hint_user(data, user_reg_hint_type);
7245 	case NL80211_USER_REG_HINT_INDOOR:
7246 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
7247 			owner_nlportid = info->snd_portid;
7248 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
7249 		} else {
7250 			owner_nlportid = 0;
7251 			is_indoor = true;
7252 		}
7253 
7254 		return regulatory_hint_indoor(is_indoor, owner_nlportid);
7255 	default:
7256 		return -EINVAL;
7257 	}
7258 }
7259 
nl80211_reload_regdb(struct sk_buff * skb,struct genl_info * info)7260 static int nl80211_reload_regdb(struct sk_buff *skb, struct genl_info *info)
7261 {
7262 	return reg_reload_regdb();
7263 }
7264 
nl80211_get_mesh_config(struct sk_buff * skb,struct genl_info * info)7265 static int nl80211_get_mesh_config(struct sk_buff *skb,
7266 				   struct genl_info *info)
7267 {
7268 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7269 	struct net_device *dev = info->user_ptr[1];
7270 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7271 	struct mesh_config cur_params;
7272 	int err = 0;
7273 	void *hdr;
7274 	struct nlattr *pinfoattr;
7275 	struct sk_buff *msg;
7276 
7277 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
7278 		return -EOPNOTSUPP;
7279 
7280 	if (!rdev->ops->get_mesh_config)
7281 		return -EOPNOTSUPP;
7282 
7283 	wdev_lock(wdev);
7284 	/* If not connected, get default parameters */
7285 	if (!wdev->mesh_id_len)
7286 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
7287 	else
7288 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
7289 	wdev_unlock(wdev);
7290 
7291 	if (err)
7292 		return err;
7293 
7294 	/* Draw up a netlink message to send back */
7295 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7296 	if (!msg)
7297 		return -ENOMEM;
7298 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
7299 			     NL80211_CMD_GET_MESH_CONFIG);
7300 	if (!hdr)
7301 		goto out;
7302 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MESH_CONFIG);
7303 	if (!pinfoattr)
7304 		goto nla_put_failure;
7305 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
7306 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
7307 			cur_params.dot11MeshRetryTimeout) ||
7308 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
7309 			cur_params.dot11MeshConfirmTimeout) ||
7310 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
7311 			cur_params.dot11MeshHoldingTimeout) ||
7312 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
7313 			cur_params.dot11MeshMaxPeerLinks) ||
7314 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
7315 		       cur_params.dot11MeshMaxRetries) ||
7316 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
7317 		       cur_params.dot11MeshTTL) ||
7318 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
7319 		       cur_params.element_ttl) ||
7320 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
7321 		       cur_params.auto_open_plinks) ||
7322 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
7323 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
7324 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
7325 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
7326 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
7327 			cur_params.path_refresh_time) ||
7328 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
7329 			cur_params.min_discovery_timeout) ||
7330 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
7331 			cur_params.dot11MeshHWMPactivePathTimeout) ||
7332 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
7333 			cur_params.dot11MeshHWMPpreqMinInterval) ||
7334 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
7335 			cur_params.dot11MeshHWMPperrMinInterval) ||
7336 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
7337 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
7338 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
7339 		       cur_params.dot11MeshHWMPRootMode) ||
7340 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
7341 			cur_params.dot11MeshHWMPRannInterval) ||
7342 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
7343 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
7344 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
7345 		       cur_params.dot11MeshForwarding) ||
7346 	    nla_put_s32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
7347 			cur_params.rssi_threshold) ||
7348 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
7349 			cur_params.ht_opmode) ||
7350 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
7351 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
7352 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
7353 			cur_params.dot11MeshHWMProotInterval) ||
7354 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
7355 			cur_params.dot11MeshHWMPconfirmationInterval) ||
7356 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
7357 			cur_params.power_mode) ||
7358 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
7359 			cur_params.dot11MeshAwakeWindowDuration) ||
7360 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
7361 			cur_params.plink_timeout) ||
7362 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_GATE,
7363 		       cur_params.dot11MeshConnectedToMeshGate) ||
7364 	    nla_put_u8(msg, NL80211_MESHCONF_NOLEARN,
7365 		       cur_params.dot11MeshNolearn) ||
7366 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_AS,
7367 		       cur_params.dot11MeshConnectedToAuthServer))
7368 		goto nla_put_failure;
7369 	nla_nest_end(msg, pinfoattr);
7370 	genlmsg_end(msg, hdr);
7371 	return genlmsg_reply(msg, info);
7372 
7373  nla_put_failure:
7374  out:
7375 	nlmsg_free(msg);
7376 	return -ENOBUFS;
7377 }
7378 
7379 static const struct nla_policy
7380 nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
7381 	[NL80211_MESHCONF_RETRY_TIMEOUT] =
7382 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
7383 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] =
7384 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
7385 	[NL80211_MESHCONF_HOLDING_TIMEOUT] =
7386 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
7387 	[NL80211_MESHCONF_MAX_PEER_LINKS] =
7388 		NLA_POLICY_RANGE(NLA_U16, 0, 255),
7389 	[NL80211_MESHCONF_MAX_RETRIES] = NLA_POLICY_MAX(NLA_U8, 16),
7390 	[NL80211_MESHCONF_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
7391 	[NL80211_MESHCONF_ELEMENT_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
7392 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = NLA_POLICY_MAX(NLA_U8, 1),
7393 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] =
7394 		NLA_POLICY_RANGE(NLA_U32, 1, 255),
7395 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
7396 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
7397 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = NLA_POLICY_MIN(NLA_U16, 1),
7398 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
7399 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] =
7400 		NLA_POLICY_MIN(NLA_U16, 1),
7401 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] =
7402 		NLA_POLICY_MIN(NLA_U16, 1),
7403 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] =
7404 		NLA_POLICY_MIN(NLA_U16, 1),
7405 	[NL80211_MESHCONF_HWMP_ROOTMODE] = NLA_POLICY_MAX(NLA_U8, 4),
7406 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] =
7407 		NLA_POLICY_MIN(NLA_U16, 1),
7408 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = NLA_POLICY_MAX(NLA_U8, 1),
7409 	[NL80211_MESHCONF_FORWARDING] = NLA_POLICY_MAX(NLA_U8, 1),
7410 	[NL80211_MESHCONF_RSSI_THRESHOLD] =
7411 		NLA_POLICY_RANGE(NLA_S32, -255, 0),
7412 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
7413 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
7414 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] =
7415 		NLA_POLICY_MIN(NLA_U16, 1),
7416 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] =
7417 		NLA_POLICY_MIN(NLA_U16, 1),
7418 	[NL80211_MESHCONF_POWER_MODE] =
7419 		NLA_POLICY_RANGE(NLA_U32,
7420 				 NL80211_MESH_POWER_ACTIVE,
7421 				 NL80211_MESH_POWER_MAX),
7422 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
7423 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
7424 	[NL80211_MESHCONF_CONNECTED_TO_GATE] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
7425 	[NL80211_MESHCONF_NOLEARN] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
7426 	[NL80211_MESHCONF_CONNECTED_TO_AS] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
7427 };
7428 
7429 static const struct nla_policy
7430 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
7431 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
7432 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
7433 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
7434 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
7435 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
7436 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
7437 	[NL80211_MESH_SETUP_IE] =
7438 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
7439 				       IEEE80211_MAX_DATA_LEN),
7440 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
7441 };
7442 
nl80211_parse_mesh_config(struct genl_info * info,struct mesh_config * cfg,u32 * mask_out)7443 static int nl80211_parse_mesh_config(struct genl_info *info,
7444 				     struct mesh_config *cfg,
7445 				     u32 *mask_out)
7446 {
7447 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
7448 	u32 mask = 0;
7449 	u16 ht_opmode;
7450 
7451 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, mask, attr, fn)	\
7452 do {									\
7453 	if (tb[attr]) {							\
7454 		cfg->param = fn(tb[attr]);				\
7455 		mask |= BIT((attr) - 1);				\
7456 	}								\
7457 } while (0)
7458 
7459 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
7460 		return -EINVAL;
7461 	if (nla_parse_nested_deprecated(tb, NL80211_MESHCONF_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_CONFIG], nl80211_meshconf_params_policy, info->extack))
7462 		return -EINVAL;
7463 
7464 	/* This makes sure that there aren't more than 32 mesh config
7465 	 * parameters (otherwise our bitfield scheme would not work.) */
7466 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
7467 
7468 	/* Fill in the params struct */
7469 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, mask,
7470 				  NL80211_MESHCONF_RETRY_TIMEOUT, nla_get_u16);
7471 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, mask,
7472 				  NL80211_MESHCONF_CONFIRM_TIMEOUT,
7473 				  nla_get_u16);
7474 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, mask,
7475 				  NL80211_MESHCONF_HOLDING_TIMEOUT,
7476 				  nla_get_u16);
7477 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, mask,
7478 				  NL80211_MESHCONF_MAX_PEER_LINKS,
7479 				  nla_get_u16);
7480 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, mask,
7481 				  NL80211_MESHCONF_MAX_RETRIES, nla_get_u8);
7482 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, mask,
7483 				  NL80211_MESHCONF_TTL, nla_get_u8);
7484 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, mask,
7485 				  NL80211_MESHCONF_ELEMENT_TTL, nla_get_u8);
7486 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, mask,
7487 				  NL80211_MESHCONF_AUTO_OPEN_PLINKS,
7488 				  nla_get_u8);
7489 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
7490 				  mask,
7491 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
7492 				  nla_get_u32);
7493 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, mask,
7494 				  NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
7495 				  nla_get_u8);
7496 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, mask,
7497 				  NL80211_MESHCONF_PATH_REFRESH_TIME,
7498 				  nla_get_u32);
7499 	if (mask & BIT(NL80211_MESHCONF_PATH_REFRESH_TIME) &&
7500 	    (cfg->path_refresh_time < 1 || cfg->path_refresh_time > 65535))
7501 		return -EINVAL;
7502 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, mask,
7503 				  NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
7504 				  nla_get_u16);
7505 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
7506 				  mask,
7507 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
7508 				  nla_get_u32);
7509 	if (mask & BIT(NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT) &&
7510 	    (cfg->dot11MeshHWMPactivePathTimeout < 1 ||
7511 	     cfg->dot11MeshHWMPactivePathTimeout > 65535))
7512 		return -EINVAL;
7513 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval, mask,
7514 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
7515 				  nla_get_u16);
7516 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval, mask,
7517 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
7518 				  nla_get_u16);
7519 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
7520 				  dot11MeshHWMPnetDiameterTraversalTime, mask,
7521 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
7522 				  nla_get_u16);
7523 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
7524 				  NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
7525 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
7526 				  NL80211_MESHCONF_HWMP_RANN_INTERVAL,
7527 				  nla_get_u16);
7528 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshGateAnnouncementProtocol,
7529 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
7530 				  nla_get_u8);
7531 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, mask,
7532 				  NL80211_MESHCONF_FORWARDING, nla_get_u8);
7533 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, mask,
7534 				  NL80211_MESHCONF_RSSI_THRESHOLD,
7535 				  nla_get_s32);
7536 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToMeshGate, mask,
7537 				  NL80211_MESHCONF_CONNECTED_TO_GATE,
7538 				  nla_get_u8);
7539 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToAuthServer, mask,
7540 				  NL80211_MESHCONF_CONNECTED_TO_AS,
7541 				  nla_get_u8);
7542 	/*
7543 	 * Check HT operation mode based on
7544 	 * IEEE 802.11-2016 9.4.2.57 HT Operation element.
7545 	 */
7546 	if (tb[NL80211_MESHCONF_HT_OPMODE]) {
7547 		ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
7548 
7549 		if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
7550 				  IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
7551 				  IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
7552 			return -EINVAL;
7553 
7554 		/* NON_HT_STA bit is reserved, but some programs set it */
7555 		ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT;
7556 
7557 		cfg->ht_opmode = ht_opmode;
7558 		mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
7559 	}
7560 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
7561 				  dot11MeshHWMPactivePathToRootTimeout, mask,
7562 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
7563 				  nla_get_u32);
7564 	if (mask & BIT(NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT) &&
7565 	    (cfg->dot11MeshHWMPactivePathToRootTimeout < 1 ||
7566 	     cfg->dot11MeshHWMPactivePathToRootTimeout > 65535))
7567 		return -EINVAL;
7568 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, mask,
7569 				  NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
7570 				  nla_get_u16);
7571 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPconfirmationInterval,
7572 				  mask,
7573 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
7574 				  nla_get_u16);
7575 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode, mask,
7576 				  NL80211_MESHCONF_POWER_MODE, nla_get_u32);
7577 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration, mask,
7578 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
7579 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, mask,
7580 				  NL80211_MESHCONF_PLINK_TIMEOUT, nla_get_u32);
7581 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNolearn, mask,
7582 				  NL80211_MESHCONF_NOLEARN, nla_get_u8);
7583 	if (mask_out)
7584 		*mask_out = mask;
7585 
7586 	return 0;
7587 
7588 #undef FILL_IN_MESH_PARAM_IF_SET
7589 }
7590 
nl80211_parse_mesh_setup(struct genl_info * info,struct mesh_setup * setup)7591 static int nl80211_parse_mesh_setup(struct genl_info *info,
7592 				     struct mesh_setup *setup)
7593 {
7594 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7595 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
7596 
7597 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
7598 		return -EINVAL;
7599 	if (nla_parse_nested_deprecated(tb, NL80211_MESH_SETUP_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_SETUP], nl80211_mesh_setup_params_policy, info->extack))
7600 		return -EINVAL;
7601 
7602 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
7603 		setup->sync_method =
7604 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
7605 		 IEEE80211_SYNC_METHOD_VENDOR :
7606 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
7607 
7608 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
7609 		setup->path_sel_proto =
7610 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
7611 		 IEEE80211_PATH_PROTOCOL_VENDOR :
7612 		 IEEE80211_PATH_PROTOCOL_HWMP;
7613 
7614 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
7615 		setup->path_metric =
7616 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
7617 		 IEEE80211_PATH_METRIC_VENDOR :
7618 		 IEEE80211_PATH_METRIC_AIRTIME;
7619 
7620 	if (tb[NL80211_MESH_SETUP_IE]) {
7621 		struct nlattr *ieattr =
7622 			tb[NL80211_MESH_SETUP_IE];
7623 		setup->ie = nla_data(ieattr);
7624 		setup->ie_len = nla_len(ieattr);
7625 	}
7626 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
7627 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
7628 		return -EINVAL;
7629 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
7630 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
7631 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
7632 	if (setup->is_secure)
7633 		setup->user_mpm = true;
7634 
7635 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
7636 		if (!setup->user_mpm)
7637 			return -EINVAL;
7638 		setup->auth_id =
7639 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
7640 	}
7641 
7642 	return 0;
7643 }
7644 
nl80211_update_mesh_config(struct sk_buff * skb,struct genl_info * info)7645 static int nl80211_update_mesh_config(struct sk_buff *skb,
7646 				      struct genl_info *info)
7647 {
7648 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7649 	struct net_device *dev = info->user_ptr[1];
7650 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7651 	struct mesh_config cfg;
7652 	u32 mask;
7653 	int err;
7654 
7655 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
7656 		return -EOPNOTSUPP;
7657 
7658 	if (!rdev->ops->update_mesh_config)
7659 		return -EOPNOTSUPP;
7660 
7661 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
7662 	if (err)
7663 		return err;
7664 
7665 	wdev_lock(wdev);
7666 	if (!wdev->mesh_id_len)
7667 		err = -ENOLINK;
7668 
7669 	if (!err)
7670 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
7671 
7672 	wdev_unlock(wdev);
7673 
7674 	return err;
7675 }
7676 
nl80211_put_regdom(const struct ieee80211_regdomain * regdom,struct sk_buff * msg)7677 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
7678 			      struct sk_buff *msg)
7679 {
7680 	struct nlattr *nl_reg_rules;
7681 	unsigned int i;
7682 
7683 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
7684 	    (regdom->dfs_region &&
7685 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
7686 		goto nla_put_failure;
7687 
7688 	nl_reg_rules = nla_nest_start_noflag(msg, NL80211_ATTR_REG_RULES);
7689 	if (!nl_reg_rules)
7690 		goto nla_put_failure;
7691 
7692 	for (i = 0; i < regdom->n_reg_rules; i++) {
7693 		struct nlattr *nl_reg_rule;
7694 		const struct ieee80211_reg_rule *reg_rule;
7695 		const struct ieee80211_freq_range *freq_range;
7696 		const struct ieee80211_power_rule *power_rule;
7697 		unsigned int max_bandwidth_khz;
7698 
7699 		reg_rule = &regdom->reg_rules[i];
7700 		freq_range = &reg_rule->freq_range;
7701 		power_rule = &reg_rule->power_rule;
7702 
7703 		nl_reg_rule = nla_nest_start_noflag(msg, i);
7704 		if (!nl_reg_rule)
7705 			goto nla_put_failure;
7706 
7707 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
7708 		if (!max_bandwidth_khz)
7709 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
7710 								  reg_rule);
7711 
7712 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
7713 				reg_rule->flags) ||
7714 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
7715 				freq_range->start_freq_khz) ||
7716 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
7717 				freq_range->end_freq_khz) ||
7718 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
7719 				max_bandwidth_khz) ||
7720 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
7721 				power_rule->max_antenna_gain) ||
7722 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
7723 				power_rule->max_eirp) ||
7724 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
7725 				reg_rule->dfs_cac_ms))
7726 			goto nla_put_failure;
7727 
7728 		nla_nest_end(msg, nl_reg_rule);
7729 	}
7730 
7731 	nla_nest_end(msg, nl_reg_rules);
7732 	return 0;
7733 
7734 nla_put_failure:
7735 	return -EMSGSIZE;
7736 }
7737 
nl80211_get_reg_do(struct sk_buff * skb,struct genl_info * info)7738 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
7739 {
7740 	const struct ieee80211_regdomain *regdom = NULL;
7741 	struct cfg80211_registered_device *rdev;
7742 	struct wiphy *wiphy = NULL;
7743 	struct sk_buff *msg;
7744 	void *hdr;
7745 
7746 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7747 	if (!msg)
7748 		return -ENOBUFS;
7749 
7750 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
7751 			     NL80211_CMD_GET_REG);
7752 	if (!hdr)
7753 		goto put_failure;
7754 
7755 	rtnl_lock();
7756 
7757 	if (info->attrs[NL80211_ATTR_WIPHY]) {
7758 		bool self_managed;
7759 
7760 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
7761 		if (IS_ERR(rdev)) {
7762 			nlmsg_free(msg);
7763 			rtnl_unlock();
7764 			return PTR_ERR(rdev);
7765 		}
7766 
7767 		wiphy = &rdev->wiphy;
7768 		self_managed = wiphy->regulatory_flags &
7769 			       REGULATORY_WIPHY_SELF_MANAGED;
7770 		regdom = get_wiphy_regdom(wiphy);
7771 
7772 		/* a self-managed-reg device must have a private regdom */
7773 		if (WARN_ON(!regdom && self_managed)) {
7774 			nlmsg_free(msg);
7775 			rtnl_unlock();
7776 			return -EINVAL;
7777 		}
7778 
7779 		if (regdom &&
7780 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
7781 			goto nla_put_failure;
7782 	}
7783 
7784 	if (!wiphy && reg_last_request_cell_base() &&
7785 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
7786 			NL80211_USER_REG_HINT_CELL_BASE))
7787 		goto nla_put_failure;
7788 
7789 	rcu_read_lock();
7790 
7791 	if (!regdom)
7792 		regdom = rcu_dereference(cfg80211_regdomain);
7793 
7794 	if (nl80211_put_regdom(regdom, msg))
7795 		goto nla_put_failure_rcu;
7796 
7797 	rcu_read_unlock();
7798 
7799 	genlmsg_end(msg, hdr);
7800 	rtnl_unlock();
7801 	return genlmsg_reply(msg, info);
7802 
7803 nla_put_failure_rcu:
7804 	rcu_read_unlock();
7805 nla_put_failure:
7806 	rtnl_unlock();
7807 put_failure:
7808 	nlmsg_free(msg);
7809 	return -EMSGSIZE;
7810 }
7811 
nl80211_send_regdom(struct sk_buff * msg,struct netlink_callback * cb,u32 seq,int flags,struct wiphy * wiphy,const struct ieee80211_regdomain * regdom)7812 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
7813 			       u32 seq, int flags, struct wiphy *wiphy,
7814 			       const struct ieee80211_regdomain *regdom)
7815 {
7816 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
7817 				   NL80211_CMD_GET_REG);
7818 
7819 	if (!hdr)
7820 		return -1;
7821 
7822 	genl_dump_check_consistent(cb, hdr);
7823 
7824 	if (nl80211_put_regdom(regdom, msg))
7825 		goto nla_put_failure;
7826 
7827 	if (!wiphy && reg_last_request_cell_base() &&
7828 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
7829 			NL80211_USER_REG_HINT_CELL_BASE))
7830 		goto nla_put_failure;
7831 
7832 	if (wiphy &&
7833 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
7834 		goto nla_put_failure;
7835 
7836 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
7837 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
7838 		goto nla_put_failure;
7839 
7840 	genlmsg_end(msg, hdr);
7841 	return 0;
7842 
7843 nla_put_failure:
7844 	genlmsg_cancel(msg, hdr);
7845 	return -EMSGSIZE;
7846 }
7847 
nl80211_get_reg_dump(struct sk_buff * skb,struct netlink_callback * cb)7848 static int nl80211_get_reg_dump(struct sk_buff *skb,
7849 				struct netlink_callback *cb)
7850 {
7851 	const struct ieee80211_regdomain *regdom = NULL;
7852 	struct cfg80211_registered_device *rdev;
7853 	int err, reg_idx, start = cb->args[2];
7854 
7855 	rtnl_lock();
7856 
7857 	if (cfg80211_regdomain && start == 0) {
7858 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
7859 					  NLM_F_MULTI, NULL,
7860 					  rtnl_dereference(cfg80211_regdomain));
7861 		if (err < 0)
7862 			goto out_err;
7863 	}
7864 
7865 	/* the global regdom is idx 0 */
7866 	reg_idx = 1;
7867 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
7868 		regdom = get_wiphy_regdom(&rdev->wiphy);
7869 		if (!regdom)
7870 			continue;
7871 
7872 		if (++reg_idx <= start)
7873 			continue;
7874 
7875 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
7876 					  NLM_F_MULTI, &rdev->wiphy, regdom);
7877 		if (err < 0) {
7878 			reg_idx--;
7879 			break;
7880 		}
7881 	}
7882 
7883 	cb->args[2] = reg_idx;
7884 	err = skb->len;
7885 out_err:
7886 	rtnl_unlock();
7887 	return err;
7888 }
7889 
7890 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
7891 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
7892 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
7893 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
7894 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
7895 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
7896 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
7897 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
7898 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
7899 };
7900 
parse_reg_rule(struct nlattr * tb[],struct ieee80211_reg_rule * reg_rule)7901 static int parse_reg_rule(struct nlattr *tb[],
7902 	struct ieee80211_reg_rule *reg_rule)
7903 {
7904 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
7905 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
7906 
7907 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
7908 		return -EINVAL;
7909 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
7910 		return -EINVAL;
7911 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
7912 		return -EINVAL;
7913 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
7914 		return -EINVAL;
7915 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
7916 		return -EINVAL;
7917 
7918 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
7919 
7920 	freq_range->start_freq_khz =
7921 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
7922 	freq_range->end_freq_khz =
7923 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
7924 	freq_range->max_bandwidth_khz =
7925 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
7926 
7927 	power_rule->max_eirp =
7928 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
7929 
7930 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
7931 		power_rule->max_antenna_gain =
7932 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
7933 
7934 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
7935 		reg_rule->dfs_cac_ms =
7936 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
7937 
7938 	return 0;
7939 }
7940 
nl80211_set_reg(struct sk_buff * skb,struct genl_info * info)7941 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
7942 {
7943 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
7944 	struct nlattr *nl_reg_rule;
7945 	char *alpha2;
7946 	int rem_reg_rules, r;
7947 	u32 num_rules = 0, rule_idx = 0;
7948 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
7949 	struct ieee80211_regdomain *rd;
7950 
7951 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
7952 		return -EINVAL;
7953 
7954 	if (!info->attrs[NL80211_ATTR_REG_RULES])
7955 		return -EINVAL;
7956 
7957 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
7958 
7959 	if (info->attrs[NL80211_ATTR_DFS_REGION])
7960 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
7961 
7962 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
7963 			    rem_reg_rules) {
7964 		num_rules++;
7965 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
7966 			return -EINVAL;
7967 	}
7968 
7969 	rtnl_lock();
7970 	if (!reg_is_valid_request(alpha2)) {
7971 		r = -EINVAL;
7972 		goto out;
7973 	}
7974 
7975 	rd = kzalloc(struct_size(rd, reg_rules, num_rules), GFP_KERNEL);
7976 	if (!rd) {
7977 		r = -ENOMEM;
7978 		goto out;
7979 	}
7980 
7981 	rd->n_reg_rules = num_rules;
7982 	rd->alpha2[0] = alpha2[0];
7983 	rd->alpha2[1] = alpha2[1];
7984 
7985 	/*
7986 	 * Disable DFS master mode if the DFS region was
7987 	 * not supported or known on this kernel.
7988 	 */
7989 	if (reg_supported_dfs_region(dfs_region))
7990 		rd->dfs_region = dfs_region;
7991 
7992 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
7993 			    rem_reg_rules) {
7994 		r = nla_parse_nested_deprecated(tb, NL80211_REG_RULE_ATTR_MAX,
7995 						nl_reg_rule, reg_rule_policy,
7996 						info->extack);
7997 		if (r)
7998 			goto bad_reg;
7999 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
8000 		if (r)
8001 			goto bad_reg;
8002 
8003 		rule_idx++;
8004 
8005 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
8006 			r = -EINVAL;
8007 			goto bad_reg;
8008 		}
8009 	}
8010 
8011 	r = set_regdom(rd, REGD_SOURCE_CRDA);
8012 	/* set_regdom takes ownership of rd */
8013 	rd = NULL;
8014  bad_reg:
8015 	kfree(rd);
8016  out:
8017 	rtnl_unlock();
8018 	return r;
8019 }
8020 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
8021 
validate_scan_freqs(struct nlattr * freqs)8022 static int validate_scan_freqs(struct nlattr *freqs)
8023 {
8024 	struct nlattr *attr1, *attr2;
8025 	int n_channels = 0, tmp1, tmp2;
8026 
8027 	nla_for_each_nested(attr1, freqs, tmp1)
8028 		if (nla_len(attr1) != sizeof(u32))
8029 			return 0;
8030 
8031 	nla_for_each_nested(attr1, freqs, tmp1) {
8032 		n_channels++;
8033 		/*
8034 		 * Some hardware has a limited channel list for
8035 		 * scanning, and it is pretty much nonsensical
8036 		 * to scan for a channel twice, so disallow that
8037 		 * and don't require drivers to check that the
8038 		 * channel list they get isn't longer than what
8039 		 * they can scan, as long as they can scan all
8040 		 * the channels they registered at once.
8041 		 */
8042 		nla_for_each_nested(attr2, freqs, tmp2)
8043 			if (attr1 != attr2 &&
8044 			    nla_get_u32(attr1) == nla_get_u32(attr2))
8045 				return 0;
8046 	}
8047 
8048 	return n_channels;
8049 }
8050 
is_band_valid(struct wiphy * wiphy,enum nl80211_band b)8051 static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
8052 {
8053 	return b < NUM_NL80211_BANDS && wiphy->bands[b];
8054 }
8055 
parse_bss_select(struct nlattr * nla,struct wiphy * wiphy,struct cfg80211_bss_selection * bss_select)8056 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
8057 			    struct cfg80211_bss_selection *bss_select)
8058 {
8059 	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
8060 	struct nlattr *nest;
8061 	int err;
8062 	bool found = false;
8063 	int i;
8064 
8065 	/* only process one nested attribute */
8066 	nest = nla_data(nla);
8067 	if (!nla_ok(nest, nla_len(nest)))
8068 		return -EINVAL;
8069 
8070 	err = nla_parse_nested_deprecated(attr, NL80211_BSS_SELECT_ATTR_MAX,
8071 					  nest, nl80211_bss_select_policy,
8072 					  NULL);
8073 	if (err)
8074 		return err;
8075 
8076 	/* only one attribute may be given */
8077 	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
8078 		if (attr[i]) {
8079 			if (found)
8080 				return -EINVAL;
8081 			found = true;
8082 		}
8083 	}
8084 
8085 	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
8086 
8087 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
8088 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
8089 
8090 	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
8091 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
8092 		bss_select->param.band_pref =
8093 			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
8094 		if (!is_band_valid(wiphy, bss_select->param.band_pref))
8095 			return -EINVAL;
8096 	}
8097 
8098 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
8099 		struct nl80211_bss_select_rssi_adjust *adj_param;
8100 
8101 		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
8102 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
8103 		bss_select->param.adjust.band = adj_param->band;
8104 		bss_select->param.adjust.delta = adj_param->delta;
8105 		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
8106 			return -EINVAL;
8107 	}
8108 
8109 	/* user-space did not provide behaviour attribute */
8110 	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
8111 		return -EINVAL;
8112 
8113 	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
8114 		return -EINVAL;
8115 
8116 	return 0;
8117 }
8118 
nl80211_parse_random_mac(struct nlattr ** attrs,u8 * mac_addr,u8 * mac_addr_mask)8119 int nl80211_parse_random_mac(struct nlattr **attrs,
8120 			     u8 *mac_addr, u8 *mac_addr_mask)
8121 {
8122 	int i;
8123 
8124 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
8125 		eth_zero_addr(mac_addr);
8126 		eth_zero_addr(mac_addr_mask);
8127 		mac_addr[0] = 0x2;
8128 		mac_addr_mask[0] = 0x3;
8129 
8130 		return 0;
8131 	}
8132 
8133 	/* need both or none */
8134 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
8135 		return -EINVAL;
8136 
8137 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
8138 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
8139 
8140 	/* don't allow or configure an mcast address */
8141 	if (!is_multicast_ether_addr(mac_addr_mask) ||
8142 	    is_multicast_ether_addr(mac_addr))
8143 		return -EINVAL;
8144 
8145 	/*
8146 	 * allow users to pass a MAC address that has bits set outside
8147 	 * of the mask, but don't bother drivers with having to deal
8148 	 * with such bits
8149 	 */
8150 	for (i = 0; i < ETH_ALEN; i++)
8151 		mac_addr[i] &= mac_addr_mask[i];
8152 
8153 	return 0;
8154 }
8155 
cfg80211_off_channel_oper_allowed(struct wireless_dev * wdev)8156 static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev)
8157 {
8158 	ASSERT_WDEV_LOCK(wdev);
8159 
8160 	if (!cfg80211_beaconing_iface_active(wdev))
8161 		return true;
8162 
8163 	if (!(wdev->chandef.chan->flags & IEEE80211_CHAN_RADAR))
8164 		return true;
8165 
8166 	return regulatory_pre_cac_allowed(wdev->wiphy);
8167 }
8168 
nl80211_check_scan_feat(struct wiphy * wiphy,u32 flags,u32 flag,enum nl80211_ext_feature_index feat)8169 static bool nl80211_check_scan_feat(struct wiphy *wiphy, u32 flags, u32 flag,
8170 				    enum nl80211_ext_feature_index feat)
8171 {
8172 	if (!(flags & flag))
8173 		return true;
8174 	if (wiphy_ext_feature_isset(wiphy, feat))
8175 		return true;
8176 	return false;
8177 }
8178 
8179 static int
nl80211_check_scan_flags(struct wiphy * wiphy,struct wireless_dev * wdev,void * request,struct nlattr ** attrs,bool is_sched_scan)8180 nl80211_check_scan_flags(struct wiphy *wiphy, struct wireless_dev *wdev,
8181 			 void *request, struct nlattr **attrs,
8182 			 bool is_sched_scan)
8183 {
8184 	u8 *mac_addr, *mac_addr_mask;
8185 	u32 *flags;
8186 	enum nl80211_feature_flags randomness_flag;
8187 
8188 	if (!attrs[NL80211_ATTR_SCAN_FLAGS])
8189 		return 0;
8190 
8191 	if (is_sched_scan) {
8192 		struct cfg80211_sched_scan_request *req = request;
8193 
8194 		randomness_flag = wdev ?
8195 				  NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR :
8196 				  NL80211_FEATURE_ND_RANDOM_MAC_ADDR;
8197 		flags = &req->flags;
8198 		mac_addr = req->mac_addr;
8199 		mac_addr_mask = req->mac_addr_mask;
8200 	} else {
8201 		struct cfg80211_scan_request *req = request;
8202 
8203 		randomness_flag = NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR;
8204 		flags = &req->flags;
8205 		mac_addr = req->mac_addr;
8206 		mac_addr_mask = req->mac_addr_mask;
8207 	}
8208 
8209 	*flags = nla_get_u32(attrs[NL80211_ATTR_SCAN_FLAGS]);
8210 
8211 	if (((*flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
8212 	     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
8213 	    !nl80211_check_scan_feat(wiphy, *flags,
8214 				     NL80211_SCAN_FLAG_LOW_SPAN,
8215 				     NL80211_EXT_FEATURE_LOW_SPAN_SCAN) ||
8216 	    !nl80211_check_scan_feat(wiphy, *flags,
8217 				     NL80211_SCAN_FLAG_LOW_POWER,
8218 				     NL80211_EXT_FEATURE_LOW_POWER_SCAN) ||
8219 	    !nl80211_check_scan_feat(wiphy, *flags,
8220 				     NL80211_SCAN_FLAG_HIGH_ACCURACY,
8221 				     NL80211_EXT_FEATURE_HIGH_ACCURACY_SCAN) ||
8222 	    !nl80211_check_scan_feat(wiphy, *flags,
8223 				     NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME,
8224 				     NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) ||
8225 	    !nl80211_check_scan_feat(wiphy, *flags,
8226 				     NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP,
8227 				     NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP) ||
8228 	    !nl80211_check_scan_feat(wiphy, *flags,
8229 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
8230 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION) ||
8231 	    !nl80211_check_scan_feat(wiphy, *flags,
8232 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE,
8233 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE) ||
8234 	    !nl80211_check_scan_feat(wiphy, *flags,
8235 				     NL80211_SCAN_FLAG_RANDOM_SN,
8236 				     NL80211_EXT_FEATURE_SCAN_RANDOM_SN) ||
8237 	    !nl80211_check_scan_feat(wiphy, *flags,
8238 				     NL80211_SCAN_FLAG_MIN_PREQ_CONTENT,
8239 				     NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT))
8240 		return -EOPNOTSUPP;
8241 
8242 	if (*flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
8243 		int err;
8244 
8245 		if (!(wiphy->features & randomness_flag) ||
8246 		    (wdev && wdev->current_bss))
8247 			return -EOPNOTSUPP;
8248 
8249 		err = nl80211_parse_random_mac(attrs, mac_addr, mac_addr_mask);
8250 		if (err)
8251 			return err;
8252 	}
8253 
8254 	return 0;
8255 }
8256 
nl80211_trigger_scan(struct sk_buff * skb,struct genl_info * info)8257 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
8258 {
8259 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8260 	struct wireless_dev *wdev = info->user_ptr[1];
8261 	struct cfg80211_scan_request *request;
8262 	struct nlattr *scan_freqs = NULL;
8263 	bool scan_freqs_khz = false;
8264 	struct nlattr *attr;
8265 	struct wiphy *wiphy;
8266 	int err, tmp, n_ssids = 0, n_channels, i;
8267 	size_t ie_len;
8268 
8269 	wiphy = &rdev->wiphy;
8270 
8271 	if (wdev->iftype == NL80211_IFTYPE_NAN)
8272 		return -EOPNOTSUPP;
8273 
8274 	if (!rdev->ops->scan)
8275 		return -EOPNOTSUPP;
8276 
8277 	if (rdev->scan_req || rdev->scan_msg)
8278 		return -EBUSY;
8279 
8280 	if (info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ]) {
8281 		if (!wiphy_ext_feature_isset(wiphy,
8282 					     NL80211_EXT_FEATURE_SCAN_FREQ_KHZ))
8283 			return -EOPNOTSUPP;
8284 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ];
8285 		scan_freqs_khz = true;
8286 	} else if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES])
8287 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQUENCIES];
8288 
8289 	if (scan_freqs) {
8290 		n_channels = validate_scan_freqs(scan_freqs);
8291 		if (!n_channels)
8292 			return -EINVAL;
8293 	} else {
8294 		n_channels = ieee80211_get_num_supported_channels(wiphy);
8295 	}
8296 
8297 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
8298 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
8299 			n_ssids++;
8300 
8301 	if (n_ssids > wiphy->max_scan_ssids)
8302 		return -EINVAL;
8303 
8304 	if (info->attrs[NL80211_ATTR_IE])
8305 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8306 	else
8307 		ie_len = 0;
8308 
8309 	if (ie_len > wiphy->max_scan_ie_len)
8310 		return -EINVAL;
8311 
8312 	request = kzalloc(sizeof(*request)
8313 			+ sizeof(*request->ssids) * n_ssids
8314 			+ sizeof(*request->channels) * n_channels
8315 			+ ie_len, GFP_KERNEL);
8316 	if (!request)
8317 		return -ENOMEM;
8318 
8319 	if (n_ssids)
8320 		request->ssids = (void *)&request->channels[n_channels];
8321 	request->n_ssids = n_ssids;
8322 	if (ie_len) {
8323 		if (n_ssids)
8324 			request->ie = (void *)(request->ssids + n_ssids);
8325 		else
8326 			request->ie = (void *)(request->channels + n_channels);
8327 	}
8328 
8329 	i = 0;
8330 	if (scan_freqs) {
8331 		/* user specified, bail out if channel not found */
8332 		nla_for_each_nested(attr, scan_freqs, tmp) {
8333 			struct ieee80211_channel *chan;
8334 			int freq = nla_get_u32(attr);
8335 
8336 			if (!scan_freqs_khz)
8337 				freq = MHZ_TO_KHZ(freq);
8338 
8339 			chan = ieee80211_get_channel_khz(wiphy, freq);
8340 			if (!chan) {
8341 				err = -EINVAL;
8342 				goto out_free;
8343 			}
8344 
8345 			/* ignore disabled channels */
8346 			if (chan->flags & IEEE80211_CHAN_DISABLED)
8347 				continue;
8348 
8349 			request->channels[i] = chan;
8350 			i++;
8351 		}
8352 	} else {
8353 		enum nl80211_band band;
8354 
8355 		/* all channels */
8356 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
8357 			int j;
8358 
8359 			if (!wiphy->bands[band])
8360 				continue;
8361 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
8362 				struct ieee80211_channel *chan;
8363 
8364 				chan = &wiphy->bands[band]->channels[j];
8365 
8366 				if (chan->flags & IEEE80211_CHAN_DISABLED)
8367 					continue;
8368 
8369 				request->channels[i] = chan;
8370 				i++;
8371 			}
8372 		}
8373 	}
8374 
8375 	if (!i) {
8376 		err = -EINVAL;
8377 		goto out_free;
8378 	}
8379 
8380 	request->n_channels = i;
8381 
8382 	wdev_lock(wdev);
8383 	if (!cfg80211_off_channel_oper_allowed(wdev)) {
8384 		struct ieee80211_channel *chan;
8385 
8386 		if (request->n_channels != 1) {
8387 			wdev_unlock(wdev);
8388 			err = -EBUSY;
8389 			goto out_free;
8390 		}
8391 
8392 		chan = request->channels[0];
8393 		if (chan->center_freq != wdev->chandef.chan->center_freq) {
8394 			wdev_unlock(wdev);
8395 			err = -EBUSY;
8396 			goto out_free;
8397 		}
8398 	}
8399 	wdev_unlock(wdev);
8400 
8401 	i = 0;
8402 	if (n_ssids) {
8403 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
8404 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
8405 				err = -EINVAL;
8406 				goto out_free;
8407 			}
8408 			request->ssids[i].ssid_len = nla_len(attr);
8409 			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
8410 			i++;
8411 		}
8412 	}
8413 
8414 	if (info->attrs[NL80211_ATTR_IE]) {
8415 		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8416 		memcpy((void *)request->ie,
8417 		       nla_data(info->attrs[NL80211_ATTR_IE]),
8418 		       request->ie_len);
8419 	}
8420 
8421 	for (i = 0; i < NUM_NL80211_BANDS; i++)
8422 		if (wiphy->bands[i])
8423 			request->rates[i] =
8424 				(1 << wiphy->bands[i]->n_bitrates) - 1;
8425 
8426 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
8427 		nla_for_each_nested(attr,
8428 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
8429 				    tmp) {
8430 			enum nl80211_band band = nla_type(attr);
8431 
8432 			if (band < 0 || band >= NUM_NL80211_BANDS) {
8433 				err = -EINVAL;
8434 				goto out_free;
8435 			}
8436 
8437 			if (!wiphy->bands[band])
8438 				continue;
8439 
8440 			err = ieee80211_get_ratemask(wiphy->bands[band],
8441 						     nla_data(attr),
8442 						     nla_len(attr),
8443 						     &request->rates[band]);
8444 			if (err)
8445 				goto out_free;
8446 		}
8447 	}
8448 
8449 	if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
8450 		request->duration =
8451 			nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
8452 		request->duration_mandatory =
8453 			nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
8454 	}
8455 
8456 	err = nl80211_check_scan_flags(wiphy, wdev, request, info->attrs,
8457 				       false);
8458 	if (err)
8459 		goto out_free;
8460 
8461 	request->no_cck =
8462 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
8463 
8464 	/* Initial implementation used NL80211_ATTR_MAC to set the specific
8465 	 * BSSID to scan for. This was problematic because that same attribute
8466 	 * was already used for another purpose (local random MAC address). The
8467 	 * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
8468 	 * compatibility with older userspace components, also use the
8469 	 * NL80211_ATTR_MAC value here if it can be determined to be used for
8470 	 * the specific BSSID use case instead of the random MAC address
8471 	 * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
8472 	 */
8473 	if (info->attrs[NL80211_ATTR_BSSID])
8474 		memcpy(request->bssid,
8475 		       nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
8476 	else if (!(request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
8477 		 info->attrs[NL80211_ATTR_MAC])
8478 		memcpy(request->bssid, nla_data(info->attrs[NL80211_ATTR_MAC]),
8479 		       ETH_ALEN);
8480 	else
8481 		eth_broadcast_addr(request->bssid);
8482 
8483 	request->wdev = wdev;
8484 	request->wiphy = &rdev->wiphy;
8485 	request->scan_start = jiffies;
8486 
8487 	rdev->scan_req = request;
8488 	err = cfg80211_scan(rdev);
8489 
8490 	if (err)
8491 		goto out_free;
8492 
8493 	nl80211_send_scan_start(rdev, wdev);
8494 	dev_hold(wdev->netdev);
8495 
8496 	return 0;
8497 
8498  out_free:
8499 	rdev->scan_req = NULL;
8500 	kfree(request);
8501 
8502 	return err;
8503 }
8504 
nl80211_abort_scan(struct sk_buff * skb,struct genl_info * info)8505 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
8506 {
8507 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8508 	struct wireless_dev *wdev = info->user_ptr[1];
8509 
8510 	if (!rdev->ops->abort_scan)
8511 		return -EOPNOTSUPP;
8512 
8513 	if (rdev->scan_msg)
8514 		return 0;
8515 
8516 	if (!rdev->scan_req)
8517 		return -ENOENT;
8518 
8519 	rdev_abort_scan(rdev, wdev);
8520 	return 0;
8521 }
8522 
8523 static int
nl80211_parse_sched_scan_plans(struct wiphy * wiphy,int n_plans,struct cfg80211_sched_scan_request * request,struct nlattr ** attrs)8524 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
8525 			       struct cfg80211_sched_scan_request *request,
8526 			       struct nlattr **attrs)
8527 {
8528 	int tmp, err, i = 0;
8529 	struct nlattr *attr;
8530 
8531 	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
8532 		u32 interval;
8533 
8534 		/*
8535 		 * If scan plans are not specified,
8536 		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL will be specified. In this
8537 		 * case one scan plan will be set with the specified scan
8538 		 * interval and infinite number of iterations.
8539 		 */
8540 		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
8541 		if (!interval)
8542 			return -EINVAL;
8543 
8544 		request->scan_plans[0].interval =
8545 			DIV_ROUND_UP(interval, MSEC_PER_SEC);
8546 		if (!request->scan_plans[0].interval)
8547 			return -EINVAL;
8548 
8549 		if (request->scan_plans[0].interval >
8550 		    wiphy->max_sched_scan_plan_interval)
8551 			request->scan_plans[0].interval =
8552 				wiphy->max_sched_scan_plan_interval;
8553 
8554 		return 0;
8555 	}
8556 
8557 	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
8558 		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
8559 
8560 		if (WARN_ON(i >= n_plans))
8561 			return -EINVAL;
8562 
8563 		err = nla_parse_nested_deprecated(plan,
8564 						  NL80211_SCHED_SCAN_PLAN_MAX,
8565 						  attr, nl80211_plan_policy,
8566 						  NULL);
8567 		if (err)
8568 			return err;
8569 
8570 		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
8571 			return -EINVAL;
8572 
8573 		request->scan_plans[i].interval =
8574 			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
8575 		if (!request->scan_plans[i].interval ||
8576 		    request->scan_plans[i].interval >
8577 		    wiphy->max_sched_scan_plan_interval)
8578 			return -EINVAL;
8579 
8580 		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
8581 			request->scan_plans[i].iterations =
8582 				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
8583 			if (!request->scan_plans[i].iterations ||
8584 			    (request->scan_plans[i].iterations >
8585 			     wiphy->max_sched_scan_plan_iterations))
8586 				return -EINVAL;
8587 		} else if (i < n_plans - 1) {
8588 			/*
8589 			 * All scan plans but the last one must specify
8590 			 * a finite number of iterations
8591 			 */
8592 			return -EINVAL;
8593 		}
8594 
8595 		i++;
8596 	}
8597 
8598 	/*
8599 	 * The last scan plan must not specify the number of
8600 	 * iterations, it is supposed to run infinitely
8601 	 */
8602 	if (request->scan_plans[n_plans - 1].iterations)
8603 		return  -EINVAL;
8604 
8605 	return 0;
8606 }
8607 
8608 static int
nl80211_parse_sched_scan_per_band_rssi(struct wiphy * wiphy,struct cfg80211_match_set * match_sets,struct nlattr * tb_band_rssi,s32 rssi_thold)8609 nl80211_parse_sched_scan_per_band_rssi(struct wiphy *wiphy,
8610 				       struct cfg80211_match_set *match_sets,
8611 				       struct nlattr *tb_band_rssi,
8612 				       s32 rssi_thold)
8613 {
8614 	struct nlattr *attr;
8615 	int i, tmp, ret = 0;
8616 
8617 	if (!wiphy_ext_feature_isset(wiphy,
8618 		    NL80211_EXT_FEATURE_SCHED_SCAN_BAND_SPECIFIC_RSSI_THOLD)) {
8619 		if (tb_band_rssi)
8620 			ret = -EOPNOTSUPP;
8621 		else
8622 			for (i = 0; i < NUM_NL80211_BANDS; i++)
8623 				match_sets->per_band_rssi_thold[i] =
8624 					NL80211_SCAN_RSSI_THOLD_OFF;
8625 		return ret;
8626 	}
8627 
8628 	for (i = 0; i < NUM_NL80211_BANDS; i++)
8629 		match_sets->per_band_rssi_thold[i] = rssi_thold;
8630 
8631 	nla_for_each_nested(attr, tb_band_rssi, tmp) {
8632 		enum nl80211_band band = nla_type(attr);
8633 
8634 		if (band < 0 || band >= NUM_NL80211_BANDS)
8635 			return -EINVAL;
8636 
8637 		match_sets->per_band_rssi_thold[band] =	nla_get_s32(attr);
8638 	}
8639 
8640 	return 0;
8641 }
8642 
8643 static struct cfg80211_sched_scan_request *
nl80211_parse_sched_scan(struct wiphy * wiphy,struct wireless_dev * wdev,struct nlattr ** attrs,int max_match_sets)8644 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
8645 			 struct nlattr **attrs, int max_match_sets)
8646 {
8647 	struct cfg80211_sched_scan_request *request;
8648 	struct nlattr *attr;
8649 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
8650 	enum nl80211_band band;
8651 	size_t ie_len;
8652 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
8653 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
8654 
8655 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
8656 		n_channels = validate_scan_freqs(
8657 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
8658 		if (!n_channels)
8659 			return ERR_PTR(-EINVAL);
8660 	} else {
8661 		n_channels = ieee80211_get_num_supported_channels(wiphy);
8662 	}
8663 
8664 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
8665 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
8666 				    tmp)
8667 			n_ssids++;
8668 
8669 	if (n_ssids > wiphy->max_sched_scan_ssids)
8670 		return ERR_PTR(-EINVAL);
8671 
8672 	/*
8673 	 * First, count the number of 'real' matchsets. Due to an issue with
8674 	 * the old implementation, matchsets containing only the RSSI attribute
8675 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
8676 	 * RSSI for all matchsets, rather than their own matchset for reporting
8677 	 * all APs with a strong RSSI. This is needed to be compatible with
8678 	 * older userspace that treated a matchset with only the RSSI as the
8679 	 * global RSSI for all other matchsets - if there are other matchsets.
8680 	 */
8681 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
8682 		nla_for_each_nested(attr,
8683 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
8684 				    tmp) {
8685 			struct nlattr *rssi;
8686 
8687 			err = nla_parse_nested_deprecated(tb,
8688 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
8689 							  attr,
8690 							  nl80211_match_policy,
8691 							  NULL);
8692 			if (err)
8693 				return ERR_PTR(err);
8694 
8695 			/* SSID and BSSID are mutually exclusive */
8696 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] &&
8697 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID])
8698 				return ERR_PTR(-EINVAL);
8699 
8700 			/* add other standalone attributes here */
8701 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] ||
8702 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID]) {
8703 				n_match_sets++;
8704 				continue;
8705 			}
8706 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
8707 			if (rssi)
8708 				default_match_rssi = nla_get_s32(rssi);
8709 		}
8710 	}
8711 
8712 	/* However, if there's no other matchset, add the RSSI one */
8713 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
8714 		n_match_sets = 1;
8715 
8716 	if (n_match_sets > max_match_sets)
8717 		return ERR_PTR(-EINVAL);
8718 
8719 	if (attrs[NL80211_ATTR_IE])
8720 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
8721 	else
8722 		ie_len = 0;
8723 
8724 	if (ie_len > wiphy->max_sched_scan_ie_len)
8725 		return ERR_PTR(-EINVAL);
8726 
8727 	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
8728 		/*
8729 		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
8730 		 * each scan plan already specifies its own interval
8731 		 */
8732 		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
8733 			return ERR_PTR(-EINVAL);
8734 
8735 		nla_for_each_nested(attr,
8736 				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
8737 			n_plans++;
8738 	} else {
8739 		/*
8740 		 * The scan interval attribute is kept for backward
8741 		 * compatibility. If no scan plans are specified and sched scan
8742 		 * interval is specified, one scan plan will be set with this
8743 		 * scan interval and infinite number of iterations.
8744 		 */
8745 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
8746 			return ERR_PTR(-EINVAL);
8747 
8748 		n_plans = 1;
8749 	}
8750 
8751 	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
8752 		return ERR_PTR(-EINVAL);
8753 
8754 	if (!wiphy_ext_feature_isset(
8755 		    wiphy, NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI) &&
8756 	    (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] ||
8757 	     attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
8758 		return ERR_PTR(-EINVAL);
8759 
8760 	request = kzalloc(sizeof(*request)
8761 			+ sizeof(*request->ssids) * n_ssids
8762 			+ sizeof(*request->match_sets) * n_match_sets
8763 			+ sizeof(*request->scan_plans) * n_plans
8764 			+ sizeof(*request->channels) * n_channels
8765 			+ ie_len, GFP_KERNEL);
8766 	if (!request)
8767 		return ERR_PTR(-ENOMEM);
8768 
8769 	if (n_ssids)
8770 		request->ssids = (void *)&request->channels[n_channels];
8771 	request->n_ssids = n_ssids;
8772 	if (ie_len) {
8773 		if (n_ssids)
8774 			request->ie = (void *)(request->ssids + n_ssids);
8775 		else
8776 			request->ie = (void *)(request->channels + n_channels);
8777 	}
8778 
8779 	if (n_match_sets) {
8780 		if (request->ie)
8781 			request->match_sets = (void *)(request->ie + ie_len);
8782 		else if (n_ssids)
8783 			request->match_sets =
8784 				(void *)(request->ssids + n_ssids);
8785 		else
8786 			request->match_sets =
8787 				(void *)(request->channels + n_channels);
8788 	}
8789 	request->n_match_sets = n_match_sets;
8790 
8791 	if (n_match_sets)
8792 		request->scan_plans = (void *)(request->match_sets +
8793 					       n_match_sets);
8794 	else if (request->ie)
8795 		request->scan_plans = (void *)(request->ie + ie_len);
8796 	else if (n_ssids)
8797 		request->scan_plans = (void *)(request->ssids + n_ssids);
8798 	else
8799 		request->scan_plans = (void *)(request->channels + n_channels);
8800 
8801 	request->n_scan_plans = n_plans;
8802 
8803 	i = 0;
8804 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
8805 		/* user specified, bail out if channel not found */
8806 		nla_for_each_nested(attr,
8807 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
8808 				    tmp) {
8809 			struct ieee80211_channel *chan;
8810 
8811 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
8812 
8813 			if (!chan) {
8814 				err = -EINVAL;
8815 				goto out_free;
8816 			}
8817 
8818 			/* ignore disabled channels */
8819 			if (chan->flags & IEEE80211_CHAN_DISABLED)
8820 				continue;
8821 
8822 			request->channels[i] = chan;
8823 			i++;
8824 		}
8825 	} else {
8826 		/* all channels */
8827 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
8828 			int j;
8829 
8830 			if (!wiphy->bands[band])
8831 				continue;
8832 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
8833 				struct ieee80211_channel *chan;
8834 
8835 				chan = &wiphy->bands[band]->channels[j];
8836 
8837 				if (chan->flags & IEEE80211_CHAN_DISABLED)
8838 					continue;
8839 
8840 				request->channels[i] = chan;
8841 				i++;
8842 			}
8843 		}
8844 	}
8845 
8846 	if (!i) {
8847 		err = -EINVAL;
8848 		goto out_free;
8849 	}
8850 
8851 	request->n_channels = i;
8852 
8853 	i = 0;
8854 	if (n_ssids) {
8855 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
8856 				    tmp) {
8857 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
8858 				err = -EINVAL;
8859 				goto out_free;
8860 			}
8861 			request->ssids[i].ssid_len = nla_len(attr);
8862 			memcpy(request->ssids[i].ssid, nla_data(attr),
8863 			       nla_len(attr));
8864 			i++;
8865 		}
8866 	}
8867 
8868 	i = 0;
8869 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
8870 		nla_for_each_nested(attr,
8871 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
8872 				    tmp) {
8873 			struct nlattr *ssid, *bssid, *rssi;
8874 
8875 			err = nla_parse_nested_deprecated(tb,
8876 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
8877 							  attr,
8878 							  nl80211_match_policy,
8879 							  NULL);
8880 			if (err)
8881 				goto out_free;
8882 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
8883 			bssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID];
8884 
8885 			if (!ssid && !bssid) {
8886 				i++;
8887 				continue;
8888 			}
8889 
8890 			if (WARN_ON(i >= n_match_sets)) {
8891 				/* this indicates a programming error,
8892 				 * the loop above should have verified
8893 				 * things properly
8894 				 */
8895 				err = -EINVAL;
8896 				goto out_free;
8897 			}
8898 
8899 			if (ssid) {
8900 				memcpy(request->match_sets[i].ssid.ssid,
8901 				       nla_data(ssid), nla_len(ssid));
8902 				request->match_sets[i].ssid.ssid_len =
8903 					nla_len(ssid);
8904 			}
8905 			if (bssid)
8906 				memcpy(request->match_sets[i].bssid,
8907 				       nla_data(bssid), ETH_ALEN);
8908 
8909 			/* special attribute - old implementation w/a */
8910 			request->match_sets[i].rssi_thold = default_match_rssi;
8911 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
8912 			if (rssi)
8913 				request->match_sets[i].rssi_thold =
8914 					nla_get_s32(rssi);
8915 
8916 			/* Parse per band RSSI attribute */
8917 			err = nl80211_parse_sched_scan_per_band_rssi(wiphy,
8918 				&request->match_sets[i],
8919 				tb[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI],
8920 				request->match_sets[i].rssi_thold);
8921 			if (err)
8922 				goto out_free;
8923 
8924 			i++;
8925 		}
8926 
8927 		/* there was no other matchset, so the RSSI one is alone */
8928 		if (i == 0 && n_match_sets)
8929 			request->match_sets[0].rssi_thold = default_match_rssi;
8930 
8931 		request->min_rssi_thold = INT_MAX;
8932 		for (i = 0; i < n_match_sets; i++)
8933 			request->min_rssi_thold =
8934 				min(request->match_sets[i].rssi_thold,
8935 				    request->min_rssi_thold);
8936 	} else {
8937 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
8938 	}
8939 
8940 	if (ie_len) {
8941 		request->ie_len = ie_len;
8942 		memcpy((void *)request->ie,
8943 		       nla_data(attrs[NL80211_ATTR_IE]),
8944 		       request->ie_len);
8945 	}
8946 
8947 	err = nl80211_check_scan_flags(wiphy, wdev, request, attrs, true);
8948 	if (err)
8949 		goto out_free;
8950 
8951 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
8952 		request->delay =
8953 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
8954 
8955 	if (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]) {
8956 		request->relative_rssi = nla_get_s8(
8957 			attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]);
8958 		request->relative_rssi_set = true;
8959 	}
8960 
8961 	if (request->relative_rssi_set &&
8962 	    attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]) {
8963 		struct nl80211_bss_select_rssi_adjust *rssi_adjust;
8964 
8965 		rssi_adjust = nla_data(
8966 			attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]);
8967 		request->rssi_adjust.band = rssi_adjust->band;
8968 		request->rssi_adjust.delta = rssi_adjust->delta;
8969 		if (!is_band_valid(wiphy, request->rssi_adjust.band)) {
8970 			err = -EINVAL;
8971 			goto out_free;
8972 		}
8973 	}
8974 
8975 	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
8976 	if (err)
8977 		goto out_free;
8978 
8979 	request->scan_start = jiffies;
8980 
8981 	return request;
8982 
8983 out_free:
8984 	kfree(request);
8985 	return ERR_PTR(err);
8986 }
8987 
nl80211_start_sched_scan(struct sk_buff * skb,struct genl_info * info)8988 static int nl80211_start_sched_scan(struct sk_buff *skb,
8989 				    struct genl_info *info)
8990 {
8991 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8992 	struct net_device *dev = info->user_ptr[1];
8993 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8994 	struct cfg80211_sched_scan_request *sched_scan_req;
8995 	bool want_multi;
8996 	int err;
8997 
8998 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_start)
8999 		return -EOPNOTSUPP;
9000 
9001 	want_multi = info->attrs[NL80211_ATTR_SCHED_SCAN_MULTI];
9002 	err = cfg80211_sched_scan_req_possible(rdev, want_multi);
9003 	if (err)
9004 		return err;
9005 
9006 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
9007 						  info->attrs,
9008 						  rdev->wiphy.max_match_sets);
9009 
9010 	err = PTR_ERR_OR_ZERO(sched_scan_req);
9011 	if (err)
9012 		goto out_err;
9013 
9014 	/* leave request id zero for legacy request
9015 	 * or if driver does not support multi-scheduled scan
9016 	 */
9017 	if (want_multi && rdev->wiphy.max_sched_scan_reqs > 1)
9018 		sched_scan_req->reqid = cfg80211_assign_cookie(rdev);
9019 
9020 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
9021 	if (err)
9022 		goto out_free;
9023 
9024 	sched_scan_req->dev = dev;
9025 	sched_scan_req->wiphy = &rdev->wiphy;
9026 
9027 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
9028 		sched_scan_req->owner_nlportid = info->snd_portid;
9029 
9030 	cfg80211_add_sched_scan_req(rdev, sched_scan_req);
9031 
9032 	nl80211_send_sched_scan(sched_scan_req, NL80211_CMD_START_SCHED_SCAN);
9033 	return 0;
9034 
9035 out_free:
9036 	kfree(sched_scan_req);
9037 out_err:
9038 	return err;
9039 }
9040 
nl80211_stop_sched_scan(struct sk_buff * skb,struct genl_info * info)9041 static int nl80211_stop_sched_scan(struct sk_buff *skb,
9042 				   struct genl_info *info)
9043 {
9044 	struct cfg80211_sched_scan_request *req;
9045 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9046 	u64 cookie;
9047 
9048 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_stop)
9049 		return -EOPNOTSUPP;
9050 
9051 	if (info->attrs[NL80211_ATTR_COOKIE]) {
9052 		cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
9053 		return __cfg80211_stop_sched_scan(rdev, cookie, false);
9054 	}
9055 
9056 	req = list_first_or_null_rcu(&rdev->sched_scan_req_list,
9057 				     struct cfg80211_sched_scan_request,
9058 				     list);
9059 	if (!req || req->reqid ||
9060 	    (req->owner_nlportid &&
9061 	     req->owner_nlportid != info->snd_portid))
9062 		return -ENOENT;
9063 
9064 	return cfg80211_stop_sched_scan_req(rdev, req, false);
9065 }
9066 
nl80211_start_radar_detection(struct sk_buff * skb,struct genl_info * info)9067 static int nl80211_start_radar_detection(struct sk_buff *skb,
9068 					 struct genl_info *info)
9069 {
9070 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9071 	struct net_device *dev = info->user_ptr[1];
9072 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9073 	struct wiphy *wiphy = wdev->wiphy;
9074 	struct cfg80211_chan_def chandef;
9075 	enum nl80211_dfs_regions dfs_region;
9076 	unsigned int cac_time_ms;
9077 	int err;
9078 
9079 	dfs_region = reg_get_dfs_region(wiphy);
9080 	if (dfs_region == NL80211_DFS_UNSET)
9081 		return -EINVAL;
9082 
9083 	err = nl80211_parse_chandef(rdev, info, &chandef);
9084 	if (err)
9085 		return err;
9086 
9087 	if (netif_carrier_ok(dev))
9088 		return -EBUSY;
9089 
9090 	if (wdev->cac_started)
9091 		return -EBUSY;
9092 
9093 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
9094 	if (err < 0)
9095 		return err;
9096 
9097 	if (err == 0)
9098 		return -EINVAL;
9099 
9100 	if (!cfg80211_chandef_dfs_usable(wiphy, &chandef))
9101 		return -EINVAL;
9102 
9103 	/* CAC start is offloaded to HW and can't be started manually */
9104 	if (wiphy_ext_feature_isset(wiphy, NL80211_EXT_FEATURE_DFS_OFFLOAD))
9105 		return -EOPNOTSUPP;
9106 
9107 	if (!rdev->ops->start_radar_detection)
9108 		return -EOPNOTSUPP;
9109 
9110 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
9111 	if (WARN_ON(!cac_time_ms))
9112 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
9113 
9114 	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms);
9115 	if (!err) {
9116 		wdev->chandef = chandef;
9117 		wdev->cac_started = true;
9118 		wdev->cac_start_time = jiffies;
9119 		wdev->cac_time_ms = cac_time_ms;
9120 	}
9121 	return err;
9122 }
9123 
nl80211_notify_radar_detection(struct sk_buff * skb,struct genl_info * info)9124 static int nl80211_notify_radar_detection(struct sk_buff *skb,
9125 					  struct genl_info *info)
9126 {
9127 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9128 	struct net_device *dev = info->user_ptr[1];
9129 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9130 	struct wiphy *wiphy = wdev->wiphy;
9131 	struct cfg80211_chan_def chandef;
9132 	enum nl80211_dfs_regions dfs_region;
9133 	int err;
9134 
9135 	dfs_region = reg_get_dfs_region(wiphy);
9136 	if (dfs_region == NL80211_DFS_UNSET) {
9137 		GENL_SET_ERR_MSG(info,
9138 				 "DFS Region is not set. Unexpected Radar indication");
9139 		return -EINVAL;
9140 	}
9141 
9142 	err = nl80211_parse_chandef(rdev, info, &chandef);
9143 	if (err) {
9144 		GENL_SET_ERR_MSG(info, "Unable to extract chandef info");
9145 		return err;
9146 	}
9147 
9148 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
9149 	if (err < 0) {
9150 		GENL_SET_ERR_MSG(info, "chandef is invalid");
9151 		return err;
9152 	}
9153 
9154 	if (err == 0) {
9155 		GENL_SET_ERR_MSG(info,
9156 				 "Unexpected Radar indication for chandef/iftype");
9157 		return -EINVAL;
9158 	}
9159 
9160 	/* Do not process this notification if radar is already detected
9161 	 * by kernel on this channel, and return success.
9162 	 */
9163 	if (chandef.chan->dfs_state == NL80211_DFS_UNAVAILABLE)
9164 		return 0;
9165 
9166 	cfg80211_set_dfs_state(wiphy, &chandef, NL80211_DFS_UNAVAILABLE);
9167 
9168 	cfg80211_sched_dfs_chan_update(rdev);
9169 
9170 	rdev->radar_chandef = chandef;
9171 
9172 	/* Propagate this notification to other radios as well */
9173 	queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk);
9174 
9175 	return 0;
9176 }
9177 
nl80211_channel_switch(struct sk_buff * skb,struct genl_info * info)9178 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
9179 {
9180 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9181 	struct net_device *dev = info->user_ptr[1];
9182 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9183 	struct cfg80211_csa_settings params;
9184 	struct nlattr **csa_attrs = NULL;
9185 	int err;
9186 	bool need_new_beacon = false;
9187 	bool need_handle_dfs_flag = true;
9188 	int len, i;
9189 	u32 cs_count;
9190 
9191 	if (!rdev->ops->channel_switch ||
9192 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
9193 		return -EOPNOTSUPP;
9194 
9195 	switch (dev->ieee80211_ptr->iftype) {
9196 	case NL80211_IFTYPE_AP:
9197 	case NL80211_IFTYPE_P2P_GO:
9198 		need_new_beacon = true;
9199 		/* For all modes except AP the handle_dfs flag needs to be
9200 		 * supplied to tell the kernel that userspace will handle radar
9201 		 * events when they happen. Otherwise a switch to a channel
9202 		 * requiring DFS will be rejected.
9203 		 */
9204 		need_handle_dfs_flag = false;
9205 
9206 		/* useless if AP is not running */
9207 		if (!wdev->beacon_interval)
9208 			return -ENOTCONN;
9209 		break;
9210 	case NL80211_IFTYPE_ADHOC:
9211 		if (!wdev->ssid_len)
9212 			return -ENOTCONN;
9213 		break;
9214 	case NL80211_IFTYPE_MESH_POINT:
9215 		if (!wdev->mesh_id_len)
9216 			return -ENOTCONN;
9217 		break;
9218 	default:
9219 		return -EOPNOTSUPP;
9220 	}
9221 
9222 	memset(&params, 0, sizeof(params));
9223 	params.beacon_csa.ftm_responder = -1;
9224 
9225 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
9226 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
9227 		return -EINVAL;
9228 
9229 	/* only important for AP, IBSS and mesh create IEs internally */
9230 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
9231 		return -EINVAL;
9232 
9233 	/* Even though the attribute is u32, the specification says
9234 	 * u8, so let's make sure we don't overflow.
9235 	 */
9236 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
9237 	if (cs_count > 255)
9238 		return -EINVAL;
9239 
9240 	params.count = cs_count;
9241 
9242 	if (!need_new_beacon)
9243 		goto skip_beacons;
9244 
9245 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_after);
9246 	if (err)
9247 		return err;
9248 
9249 	csa_attrs = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*csa_attrs),
9250 			    GFP_KERNEL);
9251 	if (!csa_attrs)
9252 		return -ENOMEM;
9253 
9254 	err = nla_parse_nested_deprecated(csa_attrs, NL80211_ATTR_MAX,
9255 					  info->attrs[NL80211_ATTR_CSA_IES],
9256 					  nl80211_policy, info->extack);
9257 	if (err)
9258 		goto free;
9259 
9260 	err = nl80211_parse_beacon(rdev, csa_attrs, &params.beacon_csa);
9261 	if (err)
9262 		goto free;
9263 
9264 	if (!csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
9265 		err = -EINVAL;
9266 		goto free;
9267 	}
9268 
9269 	len = nla_len(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
9270 	if (!len || (len % sizeof(u16))) {
9271 		err = -EINVAL;
9272 		goto free;
9273 	}
9274 
9275 	params.n_counter_offsets_beacon = len / sizeof(u16);
9276 	if (rdev->wiphy.max_num_csa_counters &&
9277 	    (params.n_counter_offsets_beacon >
9278 	     rdev->wiphy.max_num_csa_counters)) {
9279 		err = -EINVAL;
9280 		goto free;
9281 	}
9282 
9283 	params.counter_offsets_beacon =
9284 		nla_data(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
9285 
9286 	/* sanity checks - counters should fit and be the same */
9287 	for (i = 0; i < params.n_counter_offsets_beacon; i++) {
9288 		u16 offset = params.counter_offsets_beacon[i];
9289 
9290 		if (offset >= params.beacon_csa.tail_len) {
9291 			err = -EINVAL;
9292 			goto free;
9293 		}
9294 
9295 		if (params.beacon_csa.tail[offset] != params.count) {
9296 			err = -EINVAL;
9297 			goto free;
9298 		}
9299 	}
9300 
9301 	if (csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
9302 		len = nla_len(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
9303 		if (!len || (len % sizeof(u16))) {
9304 			err = -EINVAL;
9305 			goto free;
9306 		}
9307 
9308 		params.n_counter_offsets_presp = len / sizeof(u16);
9309 		if (rdev->wiphy.max_num_csa_counters &&
9310 		    (params.n_counter_offsets_presp >
9311 		     rdev->wiphy.max_num_csa_counters)) {
9312 			err = -EINVAL;
9313 			goto free;
9314 		}
9315 
9316 		params.counter_offsets_presp =
9317 			nla_data(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
9318 
9319 		/* sanity checks - counters should fit and be the same */
9320 		for (i = 0; i < params.n_counter_offsets_presp; i++) {
9321 			u16 offset = params.counter_offsets_presp[i];
9322 
9323 			if (offset >= params.beacon_csa.probe_resp_len) {
9324 				err = -EINVAL;
9325 				goto free;
9326 			}
9327 
9328 			if (params.beacon_csa.probe_resp[offset] !=
9329 			    params.count) {
9330 				err = -EINVAL;
9331 				goto free;
9332 			}
9333 		}
9334 	}
9335 
9336 skip_beacons:
9337 	err = nl80211_parse_chandef(rdev, info, &params.chandef);
9338 	if (err)
9339 		goto free;
9340 
9341 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
9342 					   wdev->iftype)) {
9343 		err = -EINVAL;
9344 		goto free;
9345 	}
9346 
9347 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
9348 					    &params.chandef,
9349 					    wdev->iftype);
9350 	if (err < 0)
9351 		goto free;
9352 
9353 	if (err > 0) {
9354 		params.radar_required = true;
9355 		if (need_handle_dfs_flag &&
9356 		    !nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS])) {
9357 			err = -EINVAL;
9358 			goto free;
9359 		}
9360 	}
9361 
9362 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
9363 		params.block_tx = true;
9364 
9365 	wdev_lock(wdev);
9366 	err = rdev_channel_switch(rdev, dev, &params);
9367 	wdev_unlock(wdev);
9368 
9369 free:
9370 	kfree(csa_attrs);
9371 	return err;
9372 }
9373 
nl80211_send_bss(struct sk_buff * msg,struct netlink_callback * cb,u32 seq,int flags,struct cfg80211_registered_device * rdev,struct wireless_dev * wdev,struct cfg80211_internal_bss * intbss)9374 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
9375 			    u32 seq, int flags,
9376 			    struct cfg80211_registered_device *rdev,
9377 			    struct wireless_dev *wdev,
9378 			    struct cfg80211_internal_bss *intbss)
9379 {
9380 	struct cfg80211_bss *res = &intbss->pub;
9381 	const struct cfg80211_bss_ies *ies;
9382 	void *hdr;
9383 	struct nlattr *bss;
9384 
9385 	ASSERT_WDEV_LOCK(wdev);
9386 
9387 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
9388 			     NL80211_CMD_NEW_SCAN_RESULTS);
9389 	if (!hdr)
9390 		return -1;
9391 
9392 	genl_dump_check_consistent(cb, hdr);
9393 
9394 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
9395 		goto nla_put_failure;
9396 	if (wdev->netdev &&
9397 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
9398 		goto nla_put_failure;
9399 	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
9400 			      NL80211_ATTR_PAD))
9401 		goto nla_put_failure;
9402 
9403 	bss = nla_nest_start_noflag(msg, NL80211_ATTR_BSS);
9404 	if (!bss)
9405 		goto nla_put_failure;
9406 	if ((!is_zero_ether_addr(res->bssid) &&
9407 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
9408 		goto nla_put_failure;
9409 
9410 	rcu_read_lock();
9411 	/* indicate whether we have probe response data or not */
9412 	if (rcu_access_pointer(res->proberesp_ies) &&
9413 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
9414 		goto fail_unlock_rcu;
9415 
9416 	/* this pointer prefers to be pointed to probe response data
9417 	 * but is always valid
9418 	 */
9419 	ies = rcu_dereference(res->ies);
9420 	if (ies) {
9421 		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
9422 				      NL80211_BSS_PAD))
9423 			goto fail_unlock_rcu;
9424 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
9425 					ies->len, ies->data))
9426 			goto fail_unlock_rcu;
9427 	}
9428 
9429 	/* and this pointer is always (unless driver didn't know) beacon data */
9430 	ies = rcu_dereference(res->beacon_ies);
9431 	if (ies && ies->from_beacon) {
9432 		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
9433 				      NL80211_BSS_PAD))
9434 			goto fail_unlock_rcu;
9435 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
9436 					ies->len, ies->data))
9437 			goto fail_unlock_rcu;
9438 	}
9439 	rcu_read_unlock();
9440 
9441 	if (res->beacon_interval &&
9442 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
9443 		goto nla_put_failure;
9444 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
9445 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
9446 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY_OFFSET,
9447 			res->channel->freq_offset) ||
9448 	    nla_put_u32(msg, NL80211_BSS_CHAN_WIDTH, res->scan_width) ||
9449 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
9450 			jiffies_to_msecs(jiffies - intbss->ts)))
9451 		goto nla_put_failure;
9452 
9453 	if (intbss->parent_tsf &&
9454 	    (nla_put_u64_64bit(msg, NL80211_BSS_PARENT_TSF,
9455 			       intbss->parent_tsf, NL80211_BSS_PAD) ||
9456 	     nla_put(msg, NL80211_BSS_PARENT_BSSID, ETH_ALEN,
9457 		     intbss->parent_bssid)))
9458 		goto nla_put_failure;
9459 
9460 	if (intbss->ts_boottime &&
9461 	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
9462 			      intbss->ts_boottime, NL80211_BSS_PAD))
9463 		goto nla_put_failure;
9464 
9465 	if (!nl80211_put_signal(msg, intbss->pub.chains,
9466 				intbss->pub.chain_signal,
9467 				NL80211_BSS_CHAIN_SIGNAL))
9468 		goto nla_put_failure;
9469 
9470 	switch (rdev->wiphy.signal_type) {
9471 	case CFG80211_SIGNAL_TYPE_MBM:
9472 		if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
9473 			goto nla_put_failure;
9474 		break;
9475 	case CFG80211_SIGNAL_TYPE_UNSPEC:
9476 		if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
9477 			goto nla_put_failure;
9478 		break;
9479 	default:
9480 		break;
9481 	}
9482 
9483 	switch (wdev->iftype) {
9484 	case NL80211_IFTYPE_P2P_CLIENT:
9485 	case NL80211_IFTYPE_STATION:
9486 		if (intbss == wdev->current_bss &&
9487 		    nla_put_u32(msg, NL80211_BSS_STATUS,
9488 				NL80211_BSS_STATUS_ASSOCIATED))
9489 			goto nla_put_failure;
9490 		break;
9491 	case NL80211_IFTYPE_ADHOC:
9492 		if (intbss == wdev->current_bss &&
9493 		    nla_put_u32(msg, NL80211_BSS_STATUS,
9494 				NL80211_BSS_STATUS_IBSS_JOINED))
9495 			goto nla_put_failure;
9496 		break;
9497 	default:
9498 		break;
9499 	}
9500 
9501 	nla_nest_end(msg, bss);
9502 
9503 	genlmsg_end(msg, hdr);
9504 	return 0;
9505 
9506  fail_unlock_rcu:
9507 	rcu_read_unlock();
9508  nla_put_failure:
9509 	genlmsg_cancel(msg, hdr);
9510 	return -EMSGSIZE;
9511 }
9512 
nl80211_dump_scan(struct sk_buff * skb,struct netlink_callback * cb)9513 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
9514 {
9515 	struct cfg80211_registered_device *rdev;
9516 	struct cfg80211_internal_bss *scan;
9517 	struct wireless_dev *wdev;
9518 	int start = cb->args[2], idx = 0;
9519 	int err;
9520 
9521 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
9522 	if (err)
9523 		return err;
9524 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
9525 	__acquire(&rdev->wiphy.mtx);
9526 
9527 	wdev_lock(wdev);
9528 	spin_lock_bh(&rdev->bss_lock);
9529 
9530 	/*
9531 	 * dump_scan will be called multiple times to break up the scan results
9532 	 * into multiple messages.  It is unlikely that any more bss-es will be
9533 	 * expired after the first call, so only call only call this on the
9534 	 * first dump_scan invocation.
9535 	 */
9536 	if (start == 0)
9537 		cfg80211_bss_expire(rdev);
9538 
9539 	cb->seq = rdev->bss_generation;
9540 
9541 	list_for_each_entry(scan, &rdev->bss_list, list) {
9542 		if (++idx <= start)
9543 			continue;
9544 		if (nl80211_send_bss(skb, cb,
9545 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
9546 				rdev, wdev, scan) < 0) {
9547 			idx--;
9548 			break;
9549 		}
9550 	}
9551 
9552 	spin_unlock_bh(&rdev->bss_lock);
9553 	wdev_unlock(wdev);
9554 
9555 	cb->args[2] = idx;
9556 	wiphy_unlock(&rdev->wiphy);
9557 
9558 	return skb->len;
9559 }
9560 
nl80211_send_survey(struct sk_buff * msg,u32 portid,u32 seq,int flags,struct net_device * dev,bool allow_radio_stats,struct survey_info * survey)9561 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
9562 			       int flags, struct net_device *dev,
9563 			       bool allow_radio_stats,
9564 			       struct survey_info *survey)
9565 {
9566 	void *hdr;
9567 	struct nlattr *infoattr;
9568 
9569 	/* skip radio stats if userspace didn't request them */
9570 	if (!survey->channel && !allow_radio_stats)
9571 		return 0;
9572 
9573 	hdr = nl80211hdr_put(msg, portid, seq, flags,
9574 			     NL80211_CMD_NEW_SURVEY_RESULTS);
9575 	if (!hdr)
9576 		return -ENOMEM;
9577 
9578 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
9579 		goto nla_put_failure;
9580 
9581 	infoattr = nla_nest_start_noflag(msg, NL80211_ATTR_SURVEY_INFO);
9582 	if (!infoattr)
9583 		goto nla_put_failure;
9584 
9585 	if (survey->channel &&
9586 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
9587 			survey->channel->center_freq))
9588 		goto nla_put_failure;
9589 
9590 	if (survey->channel && survey->channel->freq_offset &&
9591 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY_OFFSET,
9592 			survey->channel->freq_offset))
9593 		goto nla_put_failure;
9594 
9595 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
9596 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
9597 		goto nla_put_failure;
9598 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
9599 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
9600 		goto nla_put_failure;
9601 	if ((survey->filled & SURVEY_INFO_TIME) &&
9602 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
9603 			survey->time, NL80211_SURVEY_INFO_PAD))
9604 		goto nla_put_failure;
9605 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
9606 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
9607 			      survey->time_busy, NL80211_SURVEY_INFO_PAD))
9608 		goto nla_put_failure;
9609 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
9610 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
9611 			      survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
9612 		goto nla_put_failure;
9613 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
9614 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
9615 			      survey->time_rx, NL80211_SURVEY_INFO_PAD))
9616 		goto nla_put_failure;
9617 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
9618 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
9619 			      survey->time_tx, NL80211_SURVEY_INFO_PAD))
9620 		goto nla_put_failure;
9621 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
9622 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
9623 			      survey->time_scan, NL80211_SURVEY_INFO_PAD))
9624 		goto nla_put_failure;
9625 	if ((survey->filled & SURVEY_INFO_TIME_BSS_RX) &&
9626 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BSS_RX,
9627 			      survey->time_bss_rx, NL80211_SURVEY_INFO_PAD))
9628 		goto nla_put_failure;
9629 
9630 	nla_nest_end(msg, infoattr);
9631 
9632 	genlmsg_end(msg, hdr);
9633 	return 0;
9634 
9635  nla_put_failure:
9636 	genlmsg_cancel(msg, hdr);
9637 	return -EMSGSIZE;
9638 }
9639 
nl80211_dump_survey(struct sk_buff * skb,struct netlink_callback * cb)9640 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
9641 {
9642 	struct nlattr **attrbuf;
9643 	struct survey_info survey;
9644 	struct cfg80211_registered_device *rdev;
9645 	struct wireless_dev *wdev;
9646 	int survey_idx = cb->args[2];
9647 	int res;
9648 	bool radio_stats;
9649 
9650 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
9651 	if (!attrbuf)
9652 		return -ENOMEM;
9653 
9654 	res = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
9655 	if (res) {
9656 		kfree(attrbuf);
9657 		return res;
9658 	}
9659 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
9660 	__acquire(&rdev->wiphy.mtx);
9661 
9662 	/* prepare_wdev_dump parsed the attributes */
9663 	radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
9664 
9665 	if (!wdev->netdev) {
9666 		res = -EINVAL;
9667 		goto out_err;
9668 	}
9669 
9670 	if (!rdev->ops->dump_survey) {
9671 		res = -EOPNOTSUPP;
9672 		goto out_err;
9673 	}
9674 
9675 	while (1) {
9676 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
9677 		if (res == -ENOENT)
9678 			break;
9679 		if (res)
9680 			goto out_err;
9681 
9682 		/* don't send disabled channels, but do send non-channel data */
9683 		if (survey.channel &&
9684 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
9685 			survey_idx++;
9686 			continue;
9687 		}
9688 
9689 		if (nl80211_send_survey(skb,
9690 				NETLINK_CB(cb->skb).portid,
9691 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
9692 				wdev->netdev, radio_stats, &survey) < 0)
9693 			goto out;
9694 		survey_idx++;
9695 	}
9696 
9697  out:
9698 	cb->args[2] = survey_idx;
9699 	res = skb->len;
9700  out_err:
9701 	kfree(attrbuf);
9702 	wiphy_unlock(&rdev->wiphy);
9703 	return res;
9704 }
9705 
nl80211_valid_wpa_versions(u32 wpa_versions)9706 static bool nl80211_valid_wpa_versions(u32 wpa_versions)
9707 {
9708 	return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
9709 				  NL80211_WPA_VERSION_2 |
9710 				  NL80211_WPA_VERSION_3));
9711 }
9712 
nl80211_authenticate(struct sk_buff * skb,struct genl_info * info)9713 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
9714 {
9715 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9716 	struct net_device *dev = info->user_ptr[1];
9717 	struct ieee80211_channel *chan;
9718 	const u8 *bssid, *ssid, *ie = NULL, *auth_data = NULL;
9719 	int err, ssid_len, ie_len = 0, auth_data_len = 0;
9720 	enum nl80211_auth_type auth_type;
9721 	struct key_parse key;
9722 	bool local_state_change;
9723 	u32 freq;
9724 
9725 	if (!info->attrs[NL80211_ATTR_MAC])
9726 		return -EINVAL;
9727 
9728 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
9729 		return -EINVAL;
9730 
9731 	if (!info->attrs[NL80211_ATTR_SSID])
9732 		return -EINVAL;
9733 
9734 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
9735 		return -EINVAL;
9736 
9737 	err = nl80211_parse_key(info, &key);
9738 	if (err)
9739 		return err;
9740 
9741 	if (key.idx >= 0) {
9742 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
9743 			return -EINVAL;
9744 		if (!key.p.key || !key.p.key_len)
9745 			return -EINVAL;
9746 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
9747 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
9748 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
9749 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
9750 			return -EINVAL;
9751 		if (key.idx > 3)
9752 			return -EINVAL;
9753 	} else {
9754 		key.p.key_len = 0;
9755 		key.p.key = NULL;
9756 	}
9757 
9758 	if (key.idx >= 0) {
9759 		int i;
9760 		bool ok = false;
9761 
9762 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
9763 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
9764 				ok = true;
9765 				break;
9766 			}
9767 		}
9768 		if (!ok)
9769 			return -EINVAL;
9770 	}
9771 
9772 	if (!rdev->ops->auth)
9773 		return -EOPNOTSUPP;
9774 
9775 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9776 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9777 		return -EOPNOTSUPP;
9778 
9779 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
9780 	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
9781 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
9782 		freq +=
9783 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
9784 
9785 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
9786 	if (!chan)
9787 		return -EINVAL;
9788 
9789 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
9790 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
9791 
9792 	if (info->attrs[NL80211_ATTR_IE]) {
9793 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9794 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9795 	}
9796 
9797 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
9798 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
9799 		return -EINVAL;
9800 
9801 	if ((auth_type == NL80211_AUTHTYPE_SAE ||
9802 	     auth_type == NL80211_AUTHTYPE_FILS_SK ||
9803 	     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
9804 	     auth_type == NL80211_AUTHTYPE_FILS_PK) &&
9805 	    !info->attrs[NL80211_ATTR_AUTH_DATA])
9806 		return -EINVAL;
9807 
9808 	if (info->attrs[NL80211_ATTR_AUTH_DATA]) {
9809 		if (auth_type != NL80211_AUTHTYPE_SAE &&
9810 		    auth_type != NL80211_AUTHTYPE_FILS_SK &&
9811 		    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
9812 		    auth_type != NL80211_AUTHTYPE_FILS_PK)
9813 			return -EINVAL;
9814 		auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
9815 		auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
9816 	}
9817 
9818 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
9819 
9820 	/*
9821 	 * Since we no longer track auth state, ignore
9822 	 * requests to only change local state.
9823 	 */
9824 	if (local_state_change)
9825 		return 0;
9826 
9827 	wdev_lock(dev->ieee80211_ptr);
9828 	err = cfg80211_mlme_auth(rdev, dev, chan, auth_type, bssid,
9829 				 ssid, ssid_len, ie, ie_len,
9830 				 key.p.key, key.p.key_len, key.idx,
9831 				 auth_data, auth_data_len);
9832 	wdev_unlock(dev->ieee80211_ptr);
9833 	return err;
9834 }
9835 
validate_pae_over_nl80211(struct cfg80211_registered_device * rdev,struct genl_info * info)9836 static int validate_pae_over_nl80211(struct cfg80211_registered_device *rdev,
9837 				     struct genl_info *info)
9838 {
9839 	if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
9840 		GENL_SET_ERR_MSG(info, "SOCKET_OWNER not set");
9841 		return -EINVAL;
9842 	}
9843 
9844 	if (!rdev->ops->tx_control_port ||
9845 	    !wiphy_ext_feature_isset(&rdev->wiphy,
9846 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
9847 		return -EOPNOTSUPP;
9848 
9849 	return 0;
9850 }
9851 
nl80211_crypto_settings(struct cfg80211_registered_device * rdev,struct genl_info * info,struct cfg80211_crypto_settings * settings,int cipher_limit)9852 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
9853 				   struct genl_info *info,
9854 				   struct cfg80211_crypto_settings *settings,
9855 				   int cipher_limit)
9856 {
9857 	memset(settings, 0, sizeof(*settings));
9858 
9859 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
9860 
9861 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
9862 		u16 proto;
9863 
9864 		proto = nla_get_u16(
9865 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
9866 		settings->control_port_ethertype = cpu_to_be16(proto);
9867 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
9868 		    proto != ETH_P_PAE)
9869 			return -EINVAL;
9870 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
9871 			settings->control_port_no_encrypt = true;
9872 	} else
9873 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
9874 
9875 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
9876 		int r = validate_pae_over_nl80211(rdev, info);
9877 
9878 		if (r < 0)
9879 			return r;
9880 
9881 		settings->control_port_over_nl80211 = true;
9882 
9883 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH])
9884 			settings->control_port_no_preauth = true;
9885 	}
9886 
9887 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
9888 		void *data;
9889 		int len, i;
9890 
9891 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
9892 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
9893 		settings->n_ciphers_pairwise = len / sizeof(u32);
9894 
9895 		if (len % sizeof(u32))
9896 			return -EINVAL;
9897 
9898 		if (settings->n_ciphers_pairwise > cipher_limit)
9899 			return -EINVAL;
9900 
9901 		memcpy(settings->ciphers_pairwise, data, len);
9902 
9903 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
9904 			if (!cfg80211_supported_cipher_suite(
9905 					&rdev->wiphy,
9906 					settings->ciphers_pairwise[i]))
9907 				return -EINVAL;
9908 	}
9909 
9910 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
9911 		settings->cipher_group =
9912 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
9913 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
9914 						     settings->cipher_group))
9915 			return -EINVAL;
9916 	}
9917 
9918 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS]) {
9919 		settings->wpa_versions =
9920 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
9921 		if (!nl80211_valid_wpa_versions(settings->wpa_versions))
9922 			return -EINVAL;
9923 	}
9924 
9925 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
9926 		void *data;
9927 		int len;
9928 
9929 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
9930 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
9931 		settings->n_akm_suites = len / sizeof(u32);
9932 
9933 		if (len % sizeof(u32))
9934 			return -EINVAL;
9935 
9936 		if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES)
9937 			return -EINVAL;
9938 
9939 		memcpy(settings->akm_suites, data, len);
9940 	}
9941 
9942 	if (info->attrs[NL80211_ATTR_PMK]) {
9943 		if (nla_len(info->attrs[NL80211_ATTR_PMK]) != WLAN_PMK_LEN)
9944 			return -EINVAL;
9945 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
9946 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK) &&
9947 		    !wiphy_ext_feature_isset(&rdev->wiphy,
9948 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_AP_PSK))
9949 			return -EINVAL;
9950 		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
9951 	}
9952 
9953 	if (info->attrs[NL80211_ATTR_SAE_PASSWORD]) {
9954 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
9955 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
9956 		    !wiphy_ext_feature_isset(&rdev->wiphy,
9957 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP))
9958 			return -EINVAL;
9959 		settings->sae_pwd =
9960 			nla_data(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
9961 		settings->sae_pwd_len =
9962 			nla_len(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
9963 	}
9964 
9965 	if (info->attrs[NL80211_ATTR_SAE_PWE])
9966 		settings->sae_pwe =
9967 			nla_get_u8(info->attrs[NL80211_ATTR_SAE_PWE]);
9968 	else
9969 		settings->sae_pwe = NL80211_SAE_PWE_UNSPECIFIED;
9970 
9971 	return 0;
9972 }
9973 
nl80211_associate(struct sk_buff * skb,struct genl_info * info)9974 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
9975 {
9976 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9977 	struct net_device *dev = info->user_ptr[1];
9978 	struct ieee80211_channel *chan;
9979 	struct cfg80211_assoc_request req = {};
9980 	const u8 *bssid, *ssid;
9981 	int err, ssid_len = 0;
9982 	u32 freq;
9983 
9984 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
9985 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
9986 		return -EPERM;
9987 
9988 	if (!info->attrs[NL80211_ATTR_MAC] ||
9989 	    !info->attrs[NL80211_ATTR_SSID] ||
9990 	    !info->attrs[NL80211_ATTR_WIPHY_FREQ])
9991 		return -EINVAL;
9992 
9993 	if (!rdev->ops->assoc)
9994 		return -EOPNOTSUPP;
9995 
9996 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9997 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9998 		return -EOPNOTSUPP;
9999 
10000 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10001 
10002 	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
10003 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
10004 		freq +=
10005 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
10006 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
10007 	if (!chan)
10008 		return -EINVAL;
10009 
10010 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10011 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10012 
10013 	if (info->attrs[NL80211_ATTR_IE]) {
10014 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10015 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10016 	}
10017 
10018 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
10019 		enum nl80211_mfp mfp =
10020 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
10021 		if (mfp == NL80211_MFP_REQUIRED)
10022 			req.use_mfp = true;
10023 		else if (mfp != NL80211_MFP_NO)
10024 			return -EINVAL;
10025 	}
10026 
10027 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
10028 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
10029 
10030 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
10031 		req.flags |= ASSOC_REQ_DISABLE_HT;
10032 
10033 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10034 		memcpy(&req.ht_capa_mask,
10035 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
10036 		       sizeof(req.ht_capa_mask));
10037 
10038 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
10039 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10040 			return -EINVAL;
10041 		memcpy(&req.ht_capa,
10042 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
10043 		       sizeof(req.ht_capa));
10044 	}
10045 
10046 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
10047 		req.flags |= ASSOC_REQ_DISABLE_VHT;
10048 
10049 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
10050 		req.flags |= ASSOC_REQ_DISABLE_HE;
10051 
10052 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
10053 		memcpy(&req.vht_capa_mask,
10054 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
10055 		       sizeof(req.vht_capa_mask));
10056 
10057 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
10058 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
10059 			return -EINVAL;
10060 		memcpy(&req.vht_capa,
10061 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
10062 		       sizeof(req.vht_capa));
10063 	}
10064 
10065 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
10066 		if (!((rdev->wiphy.features &
10067 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
10068 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
10069 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10070 					     NL80211_EXT_FEATURE_RRM))
10071 			return -EINVAL;
10072 		req.flags |= ASSOC_REQ_USE_RRM;
10073 	}
10074 
10075 	if (info->attrs[NL80211_ATTR_FILS_KEK]) {
10076 		req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
10077 		req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
10078 		if (!info->attrs[NL80211_ATTR_FILS_NONCES])
10079 			return -EINVAL;
10080 		req.fils_nonces =
10081 			nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
10082 	}
10083 
10084 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]) {
10085 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY])
10086 			return -EINVAL;
10087 		memcpy(&req.s1g_capa_mask,
10088 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]),
10089 		       sizeof(req.s1g_capa_mask));
10090 	}
10091 
10092 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY]) {
10093 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK])
10094 			return -EINVAL;
10095 		memcpy(&req.s1g_capa,
10096 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]),
10097 		       sizeof(req.s1g_capa));
10098 	}
10099 
10100 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
10101 	if (!err) {
10102 		wdev_lock(dev->ieee80211_ptr);
10103 
10104 		err = cfg80211_mlme_assoc(rdev, dev, chan, bssid,
10105 					  ssid, ssid_len, &req);
10106 
10107 		if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10108 			dev->ieee80211_ptr->conn_owner_nlportid =
10109 				info->snd_portid;
10110 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
10111 			       bssid, ETH_ALEN);
10112 		}
10113 
10114 		wdev_unlock(dev->ieee80211_ptr);
10115 	}
10116 
10117 	return err;
10118 }
10119 
nl80211_deauthenticate(struct sk_buff * skb,struct genl_info * info)10120 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
10121 {
10122 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10123 	struct net_device *dev = info->user_ptr[1];
10124 	const u8 *ie = NULL, *bssid;
10125 	int ie_len = 0, err;
10126 	u16 reason_code;
10127 	bool local_state_change;
10128 
10129 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
10130 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
10131 		return -EPERM;
10132 
10133 	if (!info->attrs[NL80211_ATTR_MAC])
10134 		return -EINVAL;
10135 
10136 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
10137 		return -EINVAL;
10138 
10139 	if (!rdev->ops->deauth)
10140 		return -EOPNOTSUPP;
10141 
10142 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10143 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10144 		return -EOPNOTSUPP;
10145 
10146 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10147 
10148 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
10149 	if (reason_code == 0) {
10150 		/* Reason Code 0 is reserved */
10151 		return -EINVAL;
10152 	}
10153 
10154 	if (info->attrs[NL80211_ATTR_IE]) {
10155 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10156 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10157 	}
10158 
10159 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
10160 
10161 	wdev_lock(dev->ieee80211_ptr);
10162 	err = cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
10163 				   local_state_change);
10164 	wdev_unlock(dev->ieee80211_ptr);
10165 	return err;
10166 }
10167 
nl80211_disassociate(struct sk_buff * skb,struct genl_info * info)10168 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
10169 {
10170 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10171 	struct net_device *dev = info->user_ptr[1];
10172 	const u8 *ie = NULL, *bssid;
10173 	int ie_len = 0, err;
10174 	u16 reason_code;
10175 	bool local_state_change;
10176 
10177 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
10178 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
10179 		return -EPERM;
10180 
10181 	if (!info->attrs[NL80211_ATTR_MAC])
10182 		return -EINVAL;
10183 
10184 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
10185 		return -EINVAL;
10186 
10187 	if (!rdev->ops->disassoc)
10188 		return -EOPNOTSUPP;
10189 
10190 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10191 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10192 		return -EOPNOTSUPP;
10193 
10194 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10195 
10196 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
10197 	if (reason_code == 0) {
10198 		/* Reason Code 0 is reserved */
10199 		return -EINVAL;
10200 	}
10201 
10202 	if (info->attrs[NL80211_ATTR_IE]) {
10203 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10204 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10205 	}
10206 
10207 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
10208 
10209 	wdev_lock(dev->ieee80211_ptr);
10210 	err = cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
10211 				     local_state_change);
10212 	wdev_unlock(dev->ieee80211_ptr);
10213 	return err;
10214 }
10215 
10216 static bool
nl80211_parse_mcast_rate(struct cfg80211_registered_device * rdev,int mcast_rate[NUM_NL80211_BANDS],int rateval)10217 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
10218 			 int mcast_rate[NUM_NL80211_BANDS],
10219 			 int rateval)
10220 {
10221 	struct wiphy *wiphy = &rdev->wiphy;
10222 	bool found = false;
10223 	int band, i;
10224 
10225 	for (band = 0; band < NUM_NL80211_BANDS; band++) {
10226 		struct ieee80211_supported_band *sband;
10227 
10228 		sband = wiphy->bands[band];
10229 		if (!sband)
10230 			continue;
10231 
10232 		for (i = 0; i < sband->n_bitrates; i++) {
10233 			if (sband->bitrates[i].bitrate == rateval) {
10234 				mcast_rate[band] = i + 1;
10235 				found = true;
10236 				break;
10237 			}
10238 		}
10239 	}
10240 
10241 	return found;
10242 }
10243 
nl80211_join_ibss(struct sk_buff * skb,struct genl_info * info)10244 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
10245 {
10246 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10247 	struct net_device *dev = info->user_ptr[1];
10248 	struct cfg80211_ibss_params ibss;
10249 	struct wiphy *wiphy;
10250 	struct cfg80211_cached_keys *connkeys = NULL;
10251 	int err;
10252 
10253 	memset(&ibss, 0, sizeof(ibss));
10254 
10255 	if (!info->attrs[NL80211_ATTR_SSID] ||
10256 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
10257 		return -EINVAL;
10258 
10259 	ibss.beacon_interval = 100;
10260 
10261 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])
10262 		ibss.beacon_interval =
10263 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
10264 
10265 	err = cfg80211_validate_beacon_int(rdev, NL80211_IFTYPE_ADHOC,
10266 					   ibss.beacon_interval);
10267 	if (err)
10268 		return err;
10269 
10270 	if (!rdev->ops->join_ibss)
10271 		return -EOPNOTSUPP;
10272 
10273 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
10274 		return -EOPNOTSUPP;
10275 
10276 	wiphy = &rdev->wiphy;
10277 
10278 	if (info->attrs[NL80211_ATTR_MAC]) {
10279 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10280 
10281 		if (!is_valid_ether_addr(ibss.bssid))
10282 			return -EINVAL;
10283 	}
10284 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10285 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10286 
10287 	if (info->attrs[NL80211_ATTR_IE]) {
10288 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10289 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10290 	}
10291 
10292 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
10293 	if (err)
10294 		return err;
10295 
10296 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
10297 				     NL80211_IFTYPE_ADHOC))
10298 		return -EINVAL;
10299 
10300 	switch (ibss.chandef.width) {
10301 	case NL80211_CHAN_WIDTH_5:
10302 	case NL80211_CHAN_WIDTH_10:
10303 	case NL80211_CHAN_WIDTH_20_NOHT:
10304 		break;
10305 	case NL80211_CHAN_WIDTH_20:
10306 	case NL80211_CHAN_WIDTH_40:
10307 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
10308 			return -EINVAL;
10309 		break;
10310 	case NL80211_CHAN_WIDTH_80:
10311 	case NL80211_CHAN_WIDTH_80P80:
10312 	case NL80211_CHAN_WIDTH_160:
10313 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
10314 			return -EINVAL;
10315 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
10316 					     NL80211_EXT_FEATURE_VHT_IBSS))
10317 			return -EINVAL;
10318 		break;
10319 	default:
10320 		return -EINVAL;
10321 	}
10322 
10323 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
10324 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
10325 
10326 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
10327 		u8 *rates =
10328 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
10329 		int n_rates =
10330 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
10331 		struct ieee80211_supported_band *sband =
10332 			wiphy->bands[ibss.chandef.chan->band];
10333 
10334 		err = ieee80211_get_ratemask(sband, rates, n_rates,
10335 					     &ibss.basic_rates);
10336 		if (err)
10337 			return err;
10338 	}
10339 
10340 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10341 		memcpy(&ibss.ht_capa_mask,
10342 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
10343 		       sizeof(ibss.ht_capa_mask));
10344 
10345 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
10346 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10347 			return -EINVAL;
10348 		memcpy(&ibss.ht_capa,
10349 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
10350 		       sizeof(ibss.ht_capa));
10351 	}
10352 
10353 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
10354 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
10355 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
10356 		return -EINVAL;
10357 
10358 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
10359 		bool no_ht = false;
10360 
10361 		connkeys = nl80211_parse_connkeys(rdev, info, &no_ht);
10362 		if (IS_ERR(connkeys))
10363 			return PTR_ERR(connkeys);
10364 
10365 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
10366 		    no_ht) {
10367 			kfree_sensitive(connkeys);
10368 			return -EINVAL;
10369 		}
10370 	}
10371 
10372 	ibss.control_port =
10373 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
10374 
10375 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
10376 		int r = validate_pae_over_nl80211(rdev, info);
10377 
10378 		if (r < 0) {
10379 			kfree_sensitive(connkeys);
10380 			return r;
10381 		}
10382 
10383 		ibss.control_port_over_nl80211 = true;
10384 	}
10385 
10386 	ibss.userspace_handles_dfs =
10387 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
10388 
10389 	wdev_lock(dev->ieee80211_ptr);
10390 	err = __cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
10391 	if (err)
10392 		kfree_sensitive(connkeys);
10393 	else if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
10394 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
10395 	wdev_unlock(dev->ieee80211_ptr);
10396 
10397 	return err;
10398 }
10399 
nl80211_leave_ibss(struct sk_buff * skb,struct genl_info * info)10400 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
10401 {
10402 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10403 	struct net_device *dev = info->user_ptr[1];
10404 
10405 	if (!rdev->ops->leave_ibss)
10406 		return -EOPNOTSUPP;
10407 
10408 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
10409 		return -EOPNOTSUPP;
10410 
10411 	return cfg80211_leave_ibss(rdev, dev, false);
10412 }
10413 
nl80211_set_mcast_rate(struct sk_buff * skb,struct genl_info * info)10414 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
10415 {
10416 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10417 	struct net_device *dev = info->user_ptr[1];
10418 	int mcast_rate[NUM_NL80211_BANDS];
10419 	u32 nla_rate;
10420 	int err;
10421 
10422 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
10423 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
10424 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
10425 		return -EOPNOTSUPP;
10426 
10427 	if (!rdev->ops->set_mcast_rate)
10428 		return -EOPNOTSUPP;
10429 
10430 	memset(mcast_rate, 0, sizeof(mcast_rate));
10431 
10432 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
10433 		return -EINVAL;
10434 
10435 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
10436 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
10437 		return -EINVAL;
10438 
10439 	err = rdev_set_mcast_rate(rdev, dev, mcast_rate);
10440 
10441 	return err;
10442 }
10443 
10444 static struct sk_buff *
__cfg80211_alloc_vendor_skb(struct cfg80211_registered_device * rdev,struct wireless_dev * wdev,int approxlen,u32 portid,u32 seq,enum nl80211_commands cmd,enum nl80211_attrs attr,const struct nl80211_vendor_cmd_info * info,gfp_t gfp)10445 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
10446 			    struct wireless_dev *wdev, int approxlen,
10447 			    u32 portid, u32 seq, enum nl80211_commands cmd,
10448 			    enum nl80211_attrs attr,
10449 			    const struct nl80211_vendor_cmd_info *info,
10450 			    gfp_t gfp)
10451 {
10452 	struct sk_buff *skb;
10453 	void *hdr;
10454 	struct nlattr *data;
10455 
10456 	skb = nlmsg_new(approxlen + 100, gfp);
10457 	if (!skb)
10458 		return NULL;
10459 
10460 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
10461 	if (!hdr) {
10462 		kfree_skb(skb);
10463 		return NULL;
10464 	}
10465 
10466 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
10467 		goto nla_put_failure;
10468 
10469 	if (info) {
10470 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
10471 				info->vendor_id))
10472 			goto nla_put_failure;
10473 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
10474 				info->subcmd))
10475 			goto nla_put_failure;
10476 	}
10477 
10478 	if (wdev) {
10479 		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
10480 				      wdev_id(wdev), NL80211_ATTR_PAD))
10481 			goto nla_put_failure;
10482 		if (wdev->netdev &&
10483 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
10484 				wdev->netdev->ifindex))
10485 			goto nla_put_failure;
10486 	}
10487 
10488 	data = nla_nest_start_noflag(skb, attr);
10489 	if (!data)
10490 		goto nla_put_failure;
10491 
10492 	((void **)skb->cb)[0] = rdev;
10493 	((void **)skb->cb)[1] = hdr;
10494 	((void **)skb->cb)[2] = data;
10495 
10496 	return skb;
10497 
10498  nla_put_failure:
10499 	kfree_skb(skb);
10500 	return NULL;
10501 }
10502 
__cfg80211_alloc_event_skb(struct wiphy * wiphy,struct wireless_dev * wdev,enum nl80211_commands cmd,enum nl80211_attrs attr,unsigned int portid,int vendor_event_idx,int approxlen,gfp_t gfp)10503 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
10504 					   struct wireless_dev *wdev,
10505 					   enum nl80211_commands cmd,
10506 					   enum nl80211_attrs attr,
10507 					   unsigned int portid,
10508 					   int vendor_event_idx,
10509 					   int approxlen, gfp_t gfp)
10510 {
10511 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
10512 	const struct nl80211_vendor_cmd_info *info;
10513 
10514 	switch (cmd) {
10515 	case NL80211_CMD_TESTMODE:
10516 		if (WARN_ON(vendor_event_idx != -1))
10517 			return NULL;
10518 		info = NULL;
10519 		break;
10520 	case NL80211_CMD_VENDOR:
10521 		if (WARN_ON(vendor_event_idx < 0 ||
10522 			    vendor_event_idx >= wiphy->n_vendor_events))
10523 			return NULL;
10524 		info = &wiphy->vendor_events[vendor_event_idx];
10525 		break;
10526 	default:
10527 		WARN_ON(1);
10528 		return NULL;
10529 	}
10530 
10531 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, portid, 0,
10532 					   cmd, attr, info, gfp);
10533 }
10534 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
10535 
__cfg80211_send_event_skb(struct sk_buff * skb,gfp_t gfp)10536 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
10537 {
10538 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
10539 	void *hdr = ((void **)skb->cb)[1];
10540 	struct nlmsghdr *nlhdr = nlmsg_hdr(skb);
10541 	struct nlattr *data = ((void **)skb->cb)[2];
10542 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
10543 
10544 	/* clear CB data for netlink core to own from now on */
10545 	memset(skb->cb, 0, sizeof(skb->cb));
10546 
10547 	nla_nest_end(skb, data);
10548 	genlmsg_end(skb, hdr);
10549 
10550 	if (nlhdr->nlmsg_pid) {
10551 		genlmsg_unicast(wiphy_net(&rdev->wiphy), skb,
10552 				nlhdr->nlmsg_pid);
10553 	} else {
10554 		if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
10555 			mcgrp = NL80211_MCGRP_VENDOR;
10556 
10557 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
10558 					skb, 0, mcgrp, gfp);
10559 	}
10560 }
10561 EXPORT_SYMBOL(__cfg80211_send_event_skb);
10562 
10563 #ifdef CONFIG_NL80211_TESTMODE
nl80211_testmode_do(struct sk_buff * skb,struct genl_info * info)10564 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
10565 {
10566 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10567 	struct wireless_dev *wdev;
10568 	int err;
10569 
10570 	lockdep_assert_held(&rdev->wiphy.mtx);
10571 
10572 	wdev = __cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
10573 					  info->attrs);
10574 
10575 	if (!rdev->ops->testmode_cmd)
10576 		return -EOPNOTSUPP;
10577 
10578 	if (IS_ERR(wdev)) {
10579 		err = PTR_ERR(wdev);
10580 		if (err != -EINVAL)
10581 			return err;
10582 		wdev = NULL;
10583 	} else if (wdev->wiphy != &rdev->wiphy) {
10584 		return -EINVAL;
10585 	}
10586 
10587 	if (!info->attrs[NL80211_ATTR_TESTDATA])
10588 		return -EINVAL;
10589 
10590 	rdev->cur_cmd_info = info;
10591 	err = rdev_testmode_cmd(rdev, wdev,
10592 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
10593 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
10594 	rdev->cur_cmd_info = NULL;
10595 
10596 	return err;
10597 }
10598 
nl80211_testmode_dump(struct sk_buff * skb,struct netlink_callback * cb)10599 static int nl80211_testmode_dump(struct sk_buff *skb,
10600 				 struct netlink_callback *cb)
10601 {
10602 	struct cfg80211_registered_device *rdev;
10603 	struct nlattr **attrbuf = NULL;
10604 	int err;
10605 	long phy_idx;
10606 	void *data = NULL;
10607 	int data_len = 0;
10608 
10609 	rtnl_lock();
10610 
10611 	if (cb->args[0]) {
10612 		/*
10613 		 * 0 is a valid index, but not valid for args[0],
10614 		 * so we need to offset by 1.
10615 		 */
10616 		phy_idx = cb->args[0] - 1;
10617 
10618 		rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
10619 		if (!rdev) {
10620 			err = -ENOENT;
10621 			goto out_err;
10622 		}
10623 	} else {
10624 		attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
10625 				  GFP_KERNEL);
10626 		if (!attrbuf) {
10627 			err = -ENOMEM;
10628 			goto out_err;
10629 		}
10630 
10631 		err = nlmsg_parse_deprecated(cb->nlh,
10632 					     GENL_HDRLEN + nl80211_fam.hdrsize,
10633 					     attrbuf, nl80211_fam.maxattr,
10634 					     nl80211_policy, NULL);
10635 		if (err)
10636 			goto out_err;
10637 
10638 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
10639 		if (IS_ERR(rdev)) {
10640 			err = PTR_ERR(rdev);
10641 			goto out_err;
10642 		}
10643 		phy_idx = rdev->wiphy_idx;
10644 
10645 		if (attrbuf[NL80211_ATTR_TESTDATA])
10646 			cb->args[1] = (long)attrbuf[NL80211_ATTR_TESTDATA];
10647 	}
10648 
10649 	if (cb->args[1]) {
10650 		data = nla_data((void *)cb->args[1]);
10651 		data_len = nla_len((void *)cb->args[1]);
10652 	}
10653 
10654 	if (!rdev->ops->testmode_dump) {
10655 		err = -EOPNOTSUPP;
10656 		goto out_err;
10657 	}
10658 
10659 	while (1) {
10660 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
10661 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
10662 					   NL80211_CMD_TESTMODE);
10663 		struct nlattr *tmdata;
10664 
10665 		if (!hdr)
10666 			break;
10667 
10668 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
10669 			genlmsg_cancel(skb, hdr);
10670 			break;
10671 		}
10672 
10673 		tmdata = nla_nest_start_noflag(skb, NL80211_ATTR_TESTDATA);
10674 		if (!tmdata) {
10675 			genlmsg_cancel(skb, hdr);
10676 			break;
10677 		}
10678 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
10679 		nla_nest_end(skb, tmdata);
10680 
10681 		if (err == -ENOBUFS || err == -ENOENT) {
10682 			genlmsg_cancel(skb, hdr);
10683 			break;
10684 		} else if (err) {
10685 			genlmsg_cancel(skb, hdr);
10686 			goto out_err;
10687 		}
10688 
10689 		genlmsg_end(skb, hdr);
10690 	}
10691 
10692 	err = skb->len;
10693 	/* see above */
10694 	cb->args[0] = phy_idx + 1;
10695  out_err:
10696 	kfree(attrbuf);
10697 	rtnl_unlock();
10698 	return err;
10699 }
10700 #endif
10701 
nl80211_connect(struct sk_buff * skb,struct genl_info * info)10702 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
10703 {
10704 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10705 	struct net_device *dev = info->user_ptr[1];
10706 	struct cfg80211_connect_params connect;
10707 	struct wiphy *wiphy;
10708 	struct cfg80211_cached_keys *connkeys = NULL;
10709 	u32 freq = 0;
10710 	int err;
10711 
10712 	memset(&connect, 0, sizeof(connect));
10713 
10714 	if (!info->attrs[NL80211_ATTR_SSID] ||
10715 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
10716 		return -EINVAL;
10717 
10718 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
10719 		connect.auth_type =
10720 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
10721 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
10722 					     NL80211_CMD_CONNECT))
10723 			return -EINVAL;
10724 	} else
10725 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
10726 
10727 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
10728 
10729 	if (info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS] &&
10730 	    !wiphy_ext_feature_isset(&rdev->wiphy,
10731 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
10732 		return -EINVAL;
10733 	connect.want_1x = info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS];
10734 
10735 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
10736 				      NL80211_MAX_NR_CIPHER_SUITES);
10737 	if (err)
10738 		return err;
10739 
10740 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10741 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10742 		return -EOPNOTSUPP;
10743 
10744 	wiphy = &rdev->wiphy;
10745 
10746 	connect.bg_scan_period = -1;
10747 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
10748 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
10749 		connect.bg_scan_period =
10750 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
10751 	}
10752 
10753 	if (info->attrs[NL80211_ATTR_MAC])
10754 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10755 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
10756 		connect.bssid_hint =
10757 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
10758 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10759 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10760 
10761 	if (info->attrs[NL80211_ATTR_IE]) {
10762 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10763 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10764 	}
10765 
10766 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
10767 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
10768 		if (connect.mfp == NL80211_MFP_OPTIONAL &&
10769 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10770 					     NL80211_EXT_FEATURE_MFP_OPTIONAL))
10771 			return -EOPNOTSUPP;
10772 	} else {
10773 		connect.mfp = NL80211_MFP_NO;
10774 	}
10775 
10776 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
10777 		connect.prev_bssid =
10778 			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
10779 
10780 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ])
10781 		freq = MHZ_TO_KHZ(nla_get_u32(
10782 					info->attrs[NL80211_ATTR_WIPHY_FREQ]));
10783 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
10784 		freq +=
10785 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
10786 
10787 	if (freq) {
10788 		connect.channel = nl80211_get_valid_chan(wiphy, freq);
10789 		if (!connect.channel)
10790 			return -EINVAL;
10791 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
10792 		freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
10793 		freq = MHZ_TO_KHZ(freq);
10794 		connect.channel_hint = nl80211_get_valid_chan(wiphy, freq);
10795 		if (!connect.channel_hint)
10796 			return -EINVAL;
10797 	}
10798 
10799 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
10800 		connect.edmg.channels =
10801 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
10802 
10803 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
10804 			connect.edmg.bw_config =
10805 				nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
10806 	}
10807 
10808 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
10809 		connkeys = nl80211_parse_connkeys(rdev, info, NULL);
10810 		if (IS_ERR(connkeys))
10811 			return PTR_ERR(connkeys);
10812 	}
10813 
10814 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
10815 		connect.flags |= ASSOC_REQ_DISABLE_HT;
10816 
10817 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10818 		memcpy(&connect.ht_capa_mask,
10819 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
10820 		       sizeof(connect.ht_capa_mask));
10821 
10822 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
10823 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
10824 			kfree_sensitive(connkeys);
10825 			return -EINVAL;
10826 		}
10827 		memcpy(&connect.ht_capa,
10828 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
10829 		       sizeof(connect.ht_capa));
10830 	}
10831 
10832 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
10833 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
10834 
10835 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
10836 		connect.flags |= ASSOC_REQ_DISABLE_HE;
10837 
10838 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
10839 		memcpy(&connect.vht_capa_mask,
10840 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
10841 		       sizeof(connect.vht_capa_mask));
10842 
10843 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
10844 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
10845 			kfree_sensitive(connkeys);
10846 			return -EINVAL;
10847 		}
10848 		memcpy(&connect.vht_capa,
10849 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
10850 		       sizeof(connect.vht_capa));
10851 	}
10852 
10853 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
10854 		if (!((rdev->wiphy.features &
10855 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
10856 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
10857 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10858 					     NL80211_EXT_FEATURE_RRM)) {
10859 			kfree_sensitive(connkeys);
10860 			return -EINVAL;
10861 		}
10862 		connect.flags |= ASSOC_REQ_USE_RRM;
10863 	}
10864 
10865 	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
10866 	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
10867 		kfree_sensitive(connkeys);
10868 		return -EOPNOTSUPP;
10869 	}
10870 
10871 	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
10872 		/* bss selection makes no sense if bssid is set */
10873 		if (connect.bssid) {
10874 			kfree_sensitive(connkeys);
10875 			return -EINVAL;
10876 		}
10877 
10878 		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
10879 				       wiphy, &connect.bss_select);
10880 		if (err) {
10881 			kfree_sensitive(connkeys);
10882 			return err;
10883 		}
10884 	}
10885 
10886 	if (wiphy_ext_feature_isset(&rdev->wiphy,
10887 				    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
10888 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
10889 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
10890 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
10891 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
10892 		connect.fils_erp_username =
10893 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
10894 		connect.fils_erp_username_len =
10895 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
10896 		connect.fils_erp_realm =
10897 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
10898 		connect.fils_erp_realm_len =
10899 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
10900 		connect.fils_erp_next_seq_num =
10901 			nla_get_u16(
10902 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
10903 		connect.fils_erp_rrk =
10904 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
10905 		connect.fils_erp_rrk_len =
10906 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
10907 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
10908 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
10909 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
10910 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
10911 		kfree_sensitive(connkeys);
10912 		return -EINVAL;
10913 	}
10914 
10915 	if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])) {
10916 		if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10917 			kfree_sensitive(connkeys);
10918 			GENL_SET_ERR_MSG(info,
10919 					 "external auth requires connection ownership");
10920 			return -EINVAL;
10921 		}
10922 		connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;
10923 	}
10924 
10925 	wdev_lock(dev->ieee80211_ptr);
10926 
10927 	err = cfg80211_connect(rdev, dev, &connect, connkeys,
10928 			       connect.prev_bssid);
10929 	if (err)
10930 		kfree_sensitive(connkeys);
10931 
10932 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10933 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
10934 		if (connect.bssid)
10935 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
10936 			       connect.bssid, ETH_ALEN);
10937 		else
10938 			eth_zero_addr(dev->ieee80211_ptr->disconnect_bssid);
10939 	}
10940 
10941 	wdev_unlock(dev->ieee80211_ptr);
10942 
10943 	return err;
10944 }
10945 
nl80211_update_connect_params(struct sk_buff * skb,struct genl_info * info)10946 static int nl80211_update_connect_params(struct sk_buff *skb,
10947 					 struct genl_info *info)
10948 {
10949 	struct cfg80211_connect_params connect = {};
10950 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10951 	struct net_device *dev = info->user_ptr[1];
10952 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10953 	bool fils_sk_offload;
10954 	u32 auth_type;
10955 	u32 changed = 0;
10956 	int ret;
10957 
10958 	if (!rdev->ops->update_connect_params)
10959 		return -EOPNOTSUPP;
10960 
10961 	if (info->attrs[NL80211_ATTR_IE]) {
10962 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10963 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10964 		changed |= UPDATE_ASSOC_IES;
10965 	}
10966 
10967 	fils_sk_offload = wiphy_ext_feature_isset(&rdev->wiphy,
10968 						  NL80211_EXT_FEATURE_FILS_SK_OFFLOAD);
10969 
10970 	/*
10971 	 * when driver supports fils-sk offload all attributes must be
10972 	 * provided. So the else covers "fils-sk-not-all" and
10973 	 * "no-fils-sk-any".
10974 	 */
10975 	if (fils_sk_offload &&
10976 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
10977 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
10978 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
10979 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
10980 		connect.fils_erp_username =
10981 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
10982 		connect.fils_erp_username_len =
10983 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
10984 		connect.fils_erp_realm =
10985 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
10986 		connect.fils_erp_realm_len =
10987 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
10988 		connect.fils_erp_next_seq_num =
10989 			nla_get_u16(
10990 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
10991 		connect.fils_erp_rrk =
10992 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
10993 		connect.fils_erp_rrk_len =
10994 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
10995 		changed |= UPDATE_FILS_ERP_INFO;
10996 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
10997 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
10998 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
10999 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11000 		return -EINVAL;
11001 	}
11002 
11003 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
11004 		auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
11005 		if (!nl80211_valid_auth_type(rdev, auth_type,
11006 					     NL80211_CMD_CONNECT))
11007 			return -EINVAL;
11008 
11009 		if (auth_type == NL80211_AUTHTYPE_FILS_SK &&
11010 		    fils_sk_offload && !(changed & UPDATE_FILS_ERP_INFO))
11011 			return -EINVAL;
11012 
11013 		connect.auth_type = auth_type;
11014 		changed |= UPDATE_AUTH_TYPE;
11015 	}
11016 
11017 	wdev_lock(dev->ieee80211_ptr);
11018 	if (!wdev->current_bss)
11019 		ret = -ENOLINK;
11020 	else
11021 		ret = rdev_update_connect_params(rdev, dev, &connect, changed);
11022 	wdev_unlock(dev->ieee80211_ptr);
11023 
11024 	return ret;
11025 }
11026 
nl80211_disconnect(struct sk_buff * skb,struct genl_info * info)11027 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
11028 {
11029 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11030 	struct net_device *dev = info->user_ptr[1];
11031 	u16 reason;
11032 	int ret;
11033 
11034 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11035 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11036 		return -EPERM;
11037 
11038 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
11039 		reason = WLAN_REASON_DEAUTH_LEAVING;
11040 	else
11041 		reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
11042 
11043 	if (reason == 0)
11044 		return -EINVAL;
11045 
11046 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11047 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11048 		return -EOPNOTSUPP;
11049 
11050 	wdev_lock(dev->ieee80211_ptr);
11051 	ret = cfg80211_disconnect(rdev, dev, reason, true);
11052 	wdev_unlock(dev->ieee80211_ptr);
11053 	return ret;
11054 }
11055 
nl80211_wiphy_netns(struct sk_buff * skb,struct genl_info * info)11056 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
11057 {
11058 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11059 	struct net *net;
11060 	int err;
11061 
11062 	if (info->attrs[NL80211_ATTR_PID]) {
11063 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
11064 
11065 		net = get_net_ns_by_pid(pid);
11066 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
11067 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
11068 
11069 		net = get_net_ns_by_fd(fd);
11070 	} else {
11071 		return -EINVAL;
11072 	}
11073 
11074 	if (IS_ERR(net))
11075 		return PTR_ERR(net);
11076 
11077 	err = 0;
11078 
11079 	/* check if anything to do */
11080 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
11081 		err = cfg80211_switch_netns(rdev, net);
11082 
11083 	put_net(net);
11084 	return err;
11085 }
11086 
nl80211_setdel_pmksa(struct sk_buff * skb,struct genl_info * info)11087 static int nl80211_setdel_pmksa(struct sk_buff *skb, struct genl_info *info)
11088 {
11089 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11090 	int (*rdev_ops)(struct wiphy *wiphy, struct net_device *dev,
11091 			struct cfg80211_pmksa *pmksa) = NULL;
11092 	struct net_device *dev = info->user_ptr[1];
11093 	struct cfg80211_pmksa pmksa;
11094 
11095 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
11096 
11097 	if (!info->attrs[NL80211_ATTR_PMKID])
11098 		return -EINVAL;
11099 
11100 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
11101 
11102 	if (info->attrs[NL80211_ATTR_MAC]) {
11103 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11104 	} else if (info->attrs[NL80211_ATTR_SSID] &&
11105 		   info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
11106 		   (info->genlhdr->cmd == NL80211_CMD_DEL_PMKSA ||
11107 		    info->attrs[NL80211_ATTR_PMK])) {
11108 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11109 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11110 		pmksa.cache_id =
11111 			nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
11112 	} else {
11113 		return -EINVAL;
11114 	}
11115 	if (info->attrs[NL80211_ATTR_PMK]) {
11116 		pmksa.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
11117 		pmksa.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
11118 	}
11119 
11120 	if (info->attrs[NL80211_ATTR_PMK_LIFETIME])
11121 		pmksa.pmk_lifetime =
11122 			nla_get_u32(info->attrs[NL80211_ATTR_PMK_LIFETIME]);
11123 
11124 	if (info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD])
11125 		pmksa.pmk_reauth_threshold =
11126 			nla_get_u8(
11127 				info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD]);
11128 
11129 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11130 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
11131 	    !(dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP &&
11132 	      wiphy_ext_feature_isset(&rdev->wiphy,
11133 				      NL80211_EXT_FEATURE_AP_PMKSA_CACHING)))
11134 		return -EOPNOTSUPP;
11135 
11136 	switch (info->genlhdr->cmd) {
11137 	case NL80211_CMD_SET_PMKSA:
11138 		rdev_ops = rdev->ops->set_pmksa;
11139 		break;
11140 	case NL80211_CMD_DEL_PMKSA:
11141 		rdev_ops = rdev->ops->del_pmksa;
11142 		break;
11143 	default:
11144 		WARN_ON(1);
11145 		break;
11146 	}
11147 
11148 	if (!rdev_ops)
11149 		return -EOPNOTSUPP;
11150 
11151 	return rdev_ops(&rdev->wiphy, dev, &pmksa);
11152 }
11153 
nl80211_flush_pmksa(struct sk_buff * skb,struct genl_info * info)11154 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
11155 {
11156 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11157 	struct net_device *dev = info->user_ptr[1];
11158 
11159 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11160 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11161 		return -EOPNOTSUPP;
11162 
11163 	if (!rdev->ops->flush_pmksa)
11164 		return -EOPNOTSUPP;
11165 
11166 	return rdev_flush_pmksa(rdev, dev);
11167 }
11168 
nl80211_tdls_mgmt(struct sk_buff * skb,struct genl_info * info)11169 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
11170 {
11171 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11172 	struct net_device *dev = info->user_ptr[1];
11173 	u8 action_code, dialog_token;
11174 	u32 peer_capability = 0;
11175 	u16 status_code;
11176 	u8 *peer;
11177 	bool initiator;
11178 
11179 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
11180 	    !rdev->ops->tdls_mgmt)
11181 		return -EOPNOTSUPP;
11182 
11183 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
11184 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
11185 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
11186 	    !info->attrs[NL80211_ATTR_IE] ||
11187 	    !info->attrs[NL80211_ATTR_MAC])
11188 		return -EINVAL;
11189 
11190 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
11191 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
11192 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
11193 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
11194 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
11195 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
11196 		peer_capability =
11197 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
11198 
11199 	return rdev_tdls_mgmt(rdev, dev, peer, action_code,
11200 			      dialog_token, status_code, peer_capability,
11201 			      initiator,
11202 			      nla_data(info->attrs[NL80211_ATTR_IE]),
11203 			      nla_len(info->attrs[NL80211_ATTR_IE]));
11204 }
11205 
nl80211_tdls_oper(struct sk_buff * skb,struct genl_info * info)11206 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
11207 {
11208 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11209 	struct net_device *dev = info->user_ptr[1];
11210 	enum nl80211_tdls_operation operation;
11211 	u8 *peer;
11212 
11213 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
11214 	    !rdev->ops->tdls_oper)
11215 		return -EOPNOTSUPP;
11216 
11217 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
11218 	    !info->attrs[NL80211_ATTR_MAC])
11219 		return -EINVAL;
11220 
11221 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
11222 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
11223 
11224 	return rdev_tdls_oper(rdev, dev, peer, operation);
11225 }
11226 
nl80211_remain_on_channel(struct sk_buff * skb,struct genl_info * info)11227 static int nl80211_remain_on_channel(struct sk_buff *skb,
11228 				     struct genl_info *info)
11229 {
11230 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11231 	struct wireless_dev *wdev = info->user_ptr[1];
11232 	struct cfg80211_chan_def chandef;
11233 	const struct cfg80211_chan_def *compat_chandef;
11234 	struct sk_buff *msg;
11235 	void *hdr;
11236 	u64 cookie;
11237 	u32 duration;
11238 	int err;
11239 
11240 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
11241 	    !info->attrs[NL80211_ATTR_DURATION])
11242 		return -EINVAL;
11243 
11244 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
11245 
11246 	if (!rdev->ops->remain_on_channel ||
11247 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
11248 		return -EOPNOTSUPP;
11249 
11250 	/*
11251 	 * We should be on that channel for at least a minimum amount of
11252 	 * time (10ms) but no longer than the driver supports.
11253 	 */
11254 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
11255 	    duration > rdev->wiphy.max_remain_on_channel_duration)
11256 		return -EINVAL;
11257 
11258 	err = nl80211_parse_chandef(rdev, info, &chandef);
11259 	if (err)
11260 		return err;
11261 
11262 	wdev_lock(wdev);
11263 	if (!cfg80211_off_channel_oper_allowed(wdev) &&
11264 	    !cfg80211_chandef_identical(&wdev->chandef, &chandef)) {
11265 		compat_chandef = cfg80211_chandef_compatible(&wdev->chandef,
11266 							     &chandef);
11267 		if (compat_chandef != &chandef) {
11268 			wdev_unlock(wdev);
11269 			return -EBUSY;
11270 		}
11271 	}
11272 	wdev_unlock(wdev);
11273 
11274 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11275 	if (!msg)
11276 		return -ENOMEM;
11277 
11278 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11279 			     NL80211_CMD_REMAIN_ON_CHANNEL);
11280 	if (!hdr) {
11281 		err = -ENOBUFS;
11282 		goto free_msg;
11283 	}
11284 
11285 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
11286 				     duration, &cookie);
11287 
11288 	if (err)
11289 		goto free_msg;
11290 
11291 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
11292 			      NL80211_ATTR_PAD))
11293 		goto nla_put_failure;
11294 
11295 	genlmsg_end(msg, hdr);
11296 
11297 	return genlmsg_reply(msg, info);
11298 
11299  nla_put_failure:
11300 	err = -ENOBUFS;
11301  free_msg:
11302 	nlmsg_free(msg);
11303 	return err;
11304 }
11305 
nl80211_cancel_remain_on_channel(struct sk_buff * skb,struct genl_info * info)11306 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
11307 					    struct genl_info *info)
11308 {
11309 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11310 	struct wireless_dev *wdev = info->user_ptr[1];
11311 	u64 cookie;
11312 
11313 	if (!info->attrs[NL80211_ATTR_COOKIE])
11314 		return -EINVAL;
11315 
11316 	if (!rdev->ops->cancel_remain_on_channel)
11317 		return -EOPNOTSUPP;
11318 
11319 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
11320 
11321 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
11322 }
11323 
nl80211_set_tx_bitrate_mask(struct sk_buff * skb,struct genl_info * info)11324 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
11325 				       struct genl_info *info)
11326 {
11327 	struct cfg80211_bitrate_mask mask;
11328 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11329 	struct net_device *dev = info->user_ptr[1];
11330 	int err;
11331 
11332 	if (!rdev->ops->set_bitrate_mask)
11333 		return -EOPNOTSUPP;
11334 
11335 	err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
11336 					    NL80211_ATTR_TX_RATES, &mask,
11337 					    dev, true);
11338 	if (err)
11339 		return err;
11340 
11341 	return rdev_set_bitrate_mask(rdev, dev, NULL, &mask);
11342 }
11343 
nl80211_register_mgmt(struct sk_buff * skb,struct genl_info * info)11344 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
11345 {
11346 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11347 	struct wireless_dev *wdev = info->user_ptr[1];
11348 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
11349 
11350 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
11351 		return -EINVAL;
11352 
11353 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
11354 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
11355 
11356 	switch (wdev->iftype) {
11357 	case NL80211_IFTYPE_STATION:
11358 	case NL80211_IFTYPE_ADHOC:
11359 	case NL80211_IFTYPE_P2P_CLIENT:
11360 	case NL80211_IFTYPE_AP:
11361 	case NL80211_IFTYPE_AP_VLAN:
11362 	case NL80211_IFTYPE_MESH_POINT:
11363 	case NL80211_IFTYPE_P2P_GO:
11364 	case NL80211_IFTYPE_P2P_DEVICE:
11365 		break;
11366 	case NL80211_IFTYPE_NAN:
11367 	default:
11368 		return -EOPNOTSUPP;
11369 	}
11370 
11371 	/* not much point in registering if we can't reply */
11372 	if (!rdev->ops->mgmt_tx)
11373 		return -EOPNOTSUPP;
11374 
11375 	if (info->attrs[NL80211_ATTR_RECEIVE_MULTICAST] &&
11376 	    !wiphy_ext_feature_isset(&rdev->wiphy,
11377 				     NL80211_EXT_FEATURE_MULTICAST_REGISTRATIONS)) {
11378 		GENL_SET_ERR_MSG(info,
11379 				 "multicast RX registrations are not supported");
11380 		return -EOPNOTSUPP;
11381 	}
11382 
11383 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
11384 					   nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
11385 					   nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]),
11386 					   info->attrs[NL80211_ATTR_RECEIVE_MULTICAST],
11387 					   info->extack);
11388 }
11389 
nl80211_tx_mgmt(struct sk_buff * skb,struct genl_info * info)11390 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
11391 {
11392 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11393 	struct wireless_dev *wdev = info->user_ptr[1];
11394 	struct cfg80211_chan_def chandef;
11395 	int err;
11396 	void *hdr = NULL;
11397 	u64 cookie;
11398 	struct sk_buff *msg = NULL;
11399 	struct cfg80211_mgmt_tx_params params = {
11400 		.dont_wait_for_ack =
11401 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
11402 	};
11403 
11404 	if (!info->attrs[NL80211_ATTR_FRAME])
11405 		return -EINVAL;
11406 
11407 	if (!rdev->ops->mgmt_tx)
11408 		return -EOPNOTSUPP;
11409 
11410 	switch (wdev->iftype) {
11411 	case NL80211_IFTYPE_P2P_DEVICE:
11412 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
11413 			return -EINVAL;
11414 		break;
11415 	case NL80211_IFTYPE_STATION:
11416 	case NL80211_IFTYPE_ADHOC:
11417 	case NL80211_IFTYPE_P2P_CLIENT:
11418 	case NL80211_IFTYPE_AP:
11419 	case NL80211_IFTYPE_AP_VLAN:
11420 	case NL80211_IFTYPE_MESH_POINT:
11421 	case NL80211_IFTYPE_P2P_GO:
11422 		break;
11423 	case NL80211_IFTYPE_NAN:
11424 	default:
11425 		return -EOPNOTSUPP;
11426 	}
11427 
11428 	if (info->attrs[NL80211_ATTR_DURATION]) {
11429 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
11430 			return -EINVAL;
11431 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
11432 
11433 		/*
11434 		 * We should wait on the channel for at least a minimum amount
11435 		 * of time (10ms) but no longer than the driver supports.
11436 		 */
11437 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
11438 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
11439 			return -EINVAL;
11440 	}
11441 
11442 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
11443 
11444 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
11445 		return -EINVAL;
11446 
11447 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
11448 
11449 	/* get the channel if any has been specified, otherwise pass NULL to
11450 	 * the driver. The latter will use the current one
11451 	 */
11452 	chandef.chan = NULL;
11453 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
11454 		err = nl80211_parse_chandef(rdev, info, &chandef);
11455 		if (err)
11456 			return err;
11457 	}
11458 
11459 	if (!chandef.chan && params.offchan)
11460 		return -EINVAL;
11461 
11462 	wdev_lock(wdev);
11463 	if (params.offchan && !cfg80211_off_channel_oper_allowed(wdev)) {
11464 		wdev_unlock(wdev);
11465 		return -EBUSY;
11466 	}
11467 	wdev_unlock(wdev);
11468 
11469 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
11470 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
11471 
11472 	if (info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]) {
11473 		int len = nla_len(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
11474 		int i;
11475 
11476 		if (len % sizeof(u16))
11477 			return -EINVAL;
11478 
11479 		params.n_csa_offsets = len / sizeof(u16);
11480 		params.csa_offsets =
11481 			nla_data(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
11482 
11483 		/* check that all the offsets fit the frame */
11484 		for (i = 0; i < params.n_csa_offsets; i++) {
11485 			if (params.csa_offsets[i] >= params.len)
11486 				return -EINVAL;
11487 		}
11488 	}
11489 
11490 	if (!params.dont_wait_for_ack) {
11491 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11492 		if (!msg)
11493 			return -ENOMEM;
11494 
11495 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11496 				     NL80211_CMD_FRAME);
11497 		if (!hdr) {
11498 			err = -ENOBUFS;
11499 			goto free_msg;
11500 		}
11501 	}
11502 
11503 	params.chan = chandef.chan;
11504 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
11505 	if (err)
11506 		goto free_msg;
11507 
11508 	if (msg) {
11509 		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
11510 				      NL80211_ATTR_PAD))
11511 			goto nla_put_failure;
11512 
11513 		genlmsg_end(msg, hdr);
11514 		return genlmsg_reply(msg, info);
11515 	}
11516 
11517 	return 0;
11518 
11519  nla_put_failure:
11520 	err = -ENOBUFS;
11521  free_msg:
11522 	nlmsg_free(msg);
11523 	return err;
11524 }
11525 
nl80211_tx_mgmt_cancel_wait(struct sk_buff * skb,struct genl_info * info)11526 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
11527 {
11528 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11529 	struct wireless_dev *wdev = info->user_ptr[1];
11530 	u64 cookie;
11531 
11532 	if (!info->attrs[NL80211_ATTR_COOKIE])
11533 		return -EINVAL;
11534 
11535 	if (!rdev->ops->mgmt_tx_cancel_wait)
11536 		return -EOPNOTSUPP;
11537 
11538 	switch (wdev->iftype) {
11539 	case NL80211_IFTYPE_STATION:
11540 	case NL80211_IFTYPE_ADHOC:
11541 	case NL80211_IFTYPE_P2P_CLIENT:
11542 	case NL80211_IFTYPE_AP:
11543 	case NL80211_IFTYPE_AP_VLAN:
11544 	case NL80211_IFTYPE_P2P_GO:
11545 	case NL80211_IFTYPE_P2P_DEVICE:
11546 		break;
11547 	case NL80211_IFTYPE_NAN:
11548 	default:
11549 		return -EOPNOTSUPP;
11550 	}
11551 
11552 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
11553 
11554 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
11555 }
11556 
nl80211_set_power_save(struct sk_buff * skb,struct genl_info * info)11557 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
11558 {
11559 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11560 	struct wireless_dev *wdev;
11561 	struct net_device *dev = info->user_ptr[1];
11562 	u8 ps_state;
11563 	bool state;
11564 	int err;
11565 
11566 	if (!info->attrs[NL80211_ATTR_PS_STATE])
11567 		return -EINVAL;
11568 
11569 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
11570 
11571 	wdev = dev->ieee80211_ptr;
11572 
11573 	if (!rdev->ops->set_power_mgmt)
11574 		return -EOPNOTSUPP;
11575 
11576 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
11577 
11578 	if (state == wdev->ps)
11579 		return 0;
11580 
11581 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
11582 	if (!err)
11583 		wdev->ps = state;
11584 	return err;
11585 }
11586 
nl80211_get_power_save(struct sk_buff * skb,struct genl_info * info)11587 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
11588 {
11589 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11590 	enum nl80211_ps_state ps_state;
11591 	struct wireless_dev *wdev;
11592 	struct net_device *dev = info->user_ptr[1];
11593 	struct sk_buff *msg;
11594 	void *hdr;
11595 	int err;
11596 
11597 	wdev = dev->ieee80211_ptr;
11598 
11599 	if (!rdev->ops->set_power_mgmt)
11600 		return -EOPNOTSUPP;
11601 
11602 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11603 	if (!msg)
11604 		return -ENOMEM;
11605 
11606 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11607 			     NL80211_CMD_GET_POWER_SAVE);
11608 	if (!hdr) {
11609 		err = -ENOBUFS;
11610 		goto free_msg;
11611 	}
11612 
11613 	if (wdev->ps)
11614 		ps_state = NL80211_PS_ENABLED;
11615 	else
11616 		ps_state = NL80211_PS_DISABLED;
11617 
11618 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
11619 		goto nla_put_failure;
11620 
11621 	genlmsg_end(msg, hdr);
11622 	return genlmsg_reply(msg, info);
11623 
11624  nla_put_failure:
11625 	err = -ENOBUFS;
11626  free_msg:
11627 	nlmsg_free(msg);
11628 	return err;
11629 }
11630 
11631 static const struct nla_policy
11632 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
11633 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_BINARY },
11634 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
11635 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
11636 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
11637 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
11638 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
11639 	[NL80211_ATTR_CQM_RSSI_LEVEL] = { .type = NLA_S32 },
11640 };
11641 
nl80211_set_cqm_txe(struct genl_info * info,u32 rate,u32 pkts,u32 intvl)11642 static int nl80211_set_cqm_txe(struct genl_info *info,
11643 			       u32 rate, u32 pkts, u32 intvl)
11644 {
11645 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11646 	struct net_device *dev = info->user_ptr[1];
11647 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11648 
11649 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
11650 		return -EINVAL;
11651 
11652 	if (!rdev->ops->set_cqm_txe_config)
11653 		return -EOPNOTSUPP;
11654 
11655 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
11656 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
11657 		return -EOPNOTSUPP;
11658 
11659 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
11660 }
11661 
cfg80211_cqm_rssi_update(struct cfg80211_registered_device * rdev,struct net_device * dev)11662 static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
11663 				    struct net_device *dev)
11664 {
11665 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11666 	s32 last, low, high;
11667 	u32 hyst;
11668 	int i, n, low_index;
11669 	int err;
11670 
11671 	/* RSSI reporting disabled? */
11672 	if (!wdev->cqm_config)
11673 		return rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0);
11674 
11675 	/*
11676 	 * Obtain current RSSI value if possible, if not and no RSSI threshold
11677 	 * event has been received yet, we should receive an event after a
11678 	 * connection is established and enough beacons received to calculate
11679 	 * the average.
11680 	 */
11681 	if (!wdev->cqm_config->last_rssi_event_value && wdev->current_bss &&
11682 	    rdev->ops->get_station) {
11683 		struct station_info sinfo = {};
11684 		u8 *mac_addr;
11685 
11686 		mac_addr = wdev->current_bss->pub.bssid;
11687 
11688 		err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
11689 		if (err)
11690 			return err;
11691 
11692 		cfg80211_sinfo_release_content(&sinfo);
11693 		if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
11694 			wdev->cqm_config->last_rssi_event_value =
11695 				(s8) sinfo.rx_beacon_signal_avg;
11696 	}
11697 
11698 	last = wdev->cqm_config->last_rssi_event_value;
11699 	hyst = wdev->cqm_config->rssi_hyst;
11700 	n = wdev->cqm_config->n_rssi_thresholds;
11701 
11702 	for (i = 0; i < n; i++) {
11703 		i = array_index_nospec(i, n);
11704 		if (last < wdev->cqm_config->rssi_thresholds[i])
11705 			break;
11706 	}
11707 
11708 	low_index = i - 1;
11709 	if (low_index >= 0) {
11710 		low_index = array_index_nospec(low_index, n);
11711 		low = wdev->cqm_config->rssi_thresholds[low_index] - hyst;
11712 	} else {
11713 		low = S32_MIN;
11714 	}
11715 	if (i < n) {
11716 		i = array_index_nospec(i, n);
11717 		high = wdev->cqm_config->rssi_thresholds[i] + hyst - 1;
11718 	} else {
11719 		high = S32_MAX;
11720 	}
11721 
11722 	return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
11723 }
11724 
nl80211_set_cqm_rssi(struct genl_info * info,const s32 * thresholds,int n_thresholds,u32 hysteresis)11725 static int nl80211_set_cqm_rssi(struct genl_info *info,
11726 				const s32 *thresholds, int n_thresholds,
11727 				u32 hysteresis)
11728 {
11729 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11730 	struct net_device *dev = info->user_ptr[1];
11731 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11732 	int i, err;
11733 	s32 prev = S32_MIN;
11734 
11735 	/* Check all values negative and sorted */
11736 	for (i = 0; i < n_thresholds; i++) {
11737 		if (thresholds[i] > 0 || thresholds[i] <= prev)
11738 			return -EINVAL;
11739 
11740 		prev = thresholds[i];
11741 	}
11742 
11743 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
11744 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
11745 		return -EOPNOTSUPP;
11746 
11747 	wdev_lock(wdev);
11748 	cfg80211_cqm_config_free(wdev);
11749 	wdev_unlock(wdev);
11750 
11751 	if (n_thresholds <= 1 && rdev->ops->set_cqm_rssi_config) {
11752 		if (n_thresholds == 0 || thresholds[0] == 0) /* Disabling */
11753 			return rdev_set_cqm_rssi_config(rdev, dev, 0, 0);
11754 
11755 		return rdev_set_cqm_rssi_config(rdev, dev,
11756 						thresholds[0], hysteresis);
11757 	}
11758 
11759 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
11760 				     NL80211_EXT_FEATURE_CQM_RSSI_LIST))
11761 		return -EOPNOTSUPP;
11762 
11763 	if (n_thresholds == 1 && thresholds[0] == 0) /* Disabling */
11764 		n_thresholds = 0;
11765 
11766 	wdev_lock(wdev);
11767 	if (n_thresholds) {
11768 		struct cfg80211_cqm_config *cqm_config;
11769 
11770 		cqm_config = kzalloc(sizeof(struct cfg80211_cqm_config) +
11771 				     n_thresholds * sizeof(s32), GFP_KERNEL);
11772 		if (!cqm_config) {
11773 			err = -ENOMEM;
11774 			goto unlock;
11775 		}
11776 
11777 		cqm_config->rssi_hyst = hysteresis;
11778 		cqm_config->n_rssi_thresholds = n_thresholds;
11779 		memcpy(cqm_config->rssi_thresholds, thresholds,
11780 		       n_thresholds * sizeof(s32));
11781 
11782 		wdev->cqm_config = cqm_config;
11783 	}
11784 
11785 	err = cfg80211_cqm_rssi_update(rdev, dev);
11786 
11787 unlock:
11788 	wdev_unlock(wdev);
11789 
11790 	return err;
11791 }
11792 
nl80211_set_cqm(struct sk_buff * skb,struct genl_info * info)11793 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
11794 {
11795 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
11796 	struct nlattr *cqm;
11797 	int err;
11798 
11799 	cqm = info->attrs[NL80211_ATTR_CQM];
11800 	if (!cqm)
11801 		return -EINVAL;
11802 
11803 	err = nla_parse_nested_deprecated(attrs, NL80211_ATTR_CQM_MAX, cqm,
11804 					  nl80211_attr_cqm_policy,
11805 					  info->extack);
11806 	if (err)
11807 		return err;
11808 
11809 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
11810 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
11811 		const s32 *thresholds =
11812 			nla_data(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
11813 		int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
11814 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
11815 
11816 		if (len % 4)
11817 			return -EINVAL;
11818 
11819 		return nl80211_set_cqm_rssi(info, thresholds, len / 4,
11820 					    hysteresis);
11821 	}
11822 
11823 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
11824 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
11825 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
11826 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
11827 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
11828 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
11829 
11830 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
11831 	}
11832 
11833 	return -EINVAL;
11834 }
11835 
nl80211_join_ocb(struct sk_buff * skb,struct genl_info * info)11836 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
11837 {
11838 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11839 	struct net_device *dev = info->user_ptr[1];
11840 	struct ocb_setup setup = {};
11841 	int err;
11842 
11843 	err = nl80211_parse_chandef(rdev, info, &setup.chandef);
11844 	if (err)
11845 		return err;
11846 
11847 	return cfg80211_join_ocb(rdev, dev, &setup);
11848 }
11849 
nl80211_leave_ocb(struct sk_buff * skb,struct genl_info * info)11850 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
11851 {
11852 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11853 	struct net_device *dev = info->user_ptr[1];
11854 
11855 	return cfg80211_leave_ocb(rdev, dev);
11856 }
11857 
nl80211_join_mesh(struct sk_buff * skb,struct genl_info * info)11858 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
11859 {
11860 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11861 	struct net_device *dev = info->user_ptr[1];
11862 	struct mesh_config cfg;
11863 	struct mesh_setup setup;
11864 	int err;
11865 
11866 	/* start with default */
11867 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
11868 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
11869 
11870 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
11871 		/* and parse parameters if given */
11872 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
11873 		if (err)
11874 			return err;
11875 	}
11876 
11877 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
11878 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
11879 		return -EINVAL;
11880 
11881 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
11882 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
11883 
11884 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
11885 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
11886 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
11887 			return -EINVAL;
11888 
11889 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
11890 		setup.beacon_interval =
11891 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
11892 
11893 		err = cfg80211_validate_beacon_int(rdev,
11894 						   NL80211_IFTYPE_MESH_POINT,
11895 						   setup.beacon_interval);
11896 		if (err)
11897 			return err;
11898 	}
11899 
11900 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
11901 		setup.dtim_period =
11902 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
11903 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
11904 			return -EINVAL;
11905 	}
11906 
11907 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
11908 		/* parse additional setup parameters if given */
11909 		err = nl80211_parse_mesh_setup(info, &setup);
11910 		if (err)
11911 			return err;
11912 	}
11913 
11914 	if (setup.user_mpm)
11915 		cfg.auto_open_plinks = false;
11916 
11917 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
11918 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
11919 		if (err)
11920 			return err;
11921 	} else {
11922 		/* __cfg80211_join_mesh() will sort it out */
11923 		setup.chandef.chan = NULL;
11924 	}
11925 
11926 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
11927 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
11928 		int n_rates =
11929 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
11930 		struct ieee80211_supported_band *sband;
11931 
11932 		if (!setup.chandef.chan)
11933 			return -EINVAL;
11934 
11935 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
11936 
11937 		err = ieee80211_get_ratemask(sband, rates, n_rates,
11938 					     &setup.basic_rates);
11939 		if (err)
11940 			return err;
11941 	}
11942 
11943 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
11944 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
11945 						    NL80211_ATTR_TX_RATES,
11946 						    &setup.beacon_rate,
11947 						    dev, false);
11948 		if (err)
11949 			return err;
11950 
11951 		if (!setup.chandef.chan)
11952 			return -EINVAL;
11953 
11954 		err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
11955 					      &setup.beacon_rate);
11956 		if (err)
11957 			return err;
11958 	}
11959 
11960 	setup.userspace_handles_dfs =
11961 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
11962 
11963 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
11964 		int r = validate_pae_over_nl80211(rdev, info);
11965 
11966 		if (r < 0)
11967 			return r;
11968 
11969 		setup.control_port_over_nl80211 = true;
11970 	}
11971 
11972 	wdev_lock(dev->ieee80211_ptr);
11973 	err = __cfg80211_join_mesh(rdev, dev, &setup, &cfg);
11974 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER])
11975 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
11976 	wdev_unlock(dev->ieee80211_ptr);
11977 
11978 	return err;
11979 }
11980 
nl80211_leave_mesh(struct sk_buff * skb,struct genl_info * info)11981 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
11982 {
11983 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11984 	struct net_device *dev = info->user_ptr[1];
11985 
11986 	return cfg80211_leave_mesh(rdev, dev);
11987 }
11988 
11989 #ifdef CONFIG_PM
nl80211_send_wowlan_patterns(struct sk_buff * msg,struct cfg80211_registered_device * rdev)11990 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
11991 					struct cfg80211_registered_device *rdev)
11992 {
11993 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
11994 	struct nlattr *nl_pats, *nl_pat;
11995 	int i, pat_len;
11996 
11997 	if (!wowlan->n_patterns)
11998 		return 0;
11999 
12000 	nl_pats = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
12001 	if (!nl_pats)
12002 		return -ENOBUFS;
12003 
12004 	for (i = 0; i < wowlan->n_patterns; i++) {
12005 		nl_pat = nla_nest_start_noflag(msg, i + 1);
12006 		if (!nl_pat)
12007 			return -ENOBUFS;
12008 		pat_len = wowlan->patterns[i].pattern_len;
12009 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
12010 			    wowlan->patterns[i].mask) ||
12011 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
12012 			    wowlan->patterns[i].pattern) ||
12013 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
12014 				wowlan->patterns[i].pkt_offset))
12015 			return -ENOBUFS;
12016 		nla_nest_end(msg, nl_pat);
12017 	}
12018 	nla_nest_end(msg, nl_pats);
12019 
12020 	return 0;
12021 }
12022 
nl80211_send_wowlan_tcp(struct sk_buff * msg,struct cfg80211_wowlan_tcp * tcp)12023 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
12024 				   struct cfg80211_wowlan_tcp *tcp)
12025 {
12026 	struct nlattr *nl_tcp;
12027 
12028 	if (!tcp)
12029 		return 0;
12030 
12031 	nl_tcp = nla_nest_start_noflag(msg,
12032 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
12033 	if (!nl_tcp)
12034 		return -ENOBUFS;
12035 
12036 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
12037 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
12038 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
12039 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
12040 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
12041 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
12042 		    tcp->payload_len, tcp->payload) ||
12043 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
12044 			tcp->data_interval) ||
12045 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
12046 		    tcp->wake_len, tcp->wake_data) ||
12047 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
12048 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
12049 		return -ENOBUFS;
12050 
12051 	if (tcp->payload_seq.len &&
12052 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
12053 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
12054 		return -ENOBUFS;
12055 
12056 	if (tcp->payload_tok.len &&
12057 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
12058 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
12059 		    &tcp->payload_tok))
12060 		return -ENOBUFS;
12061 
12062 	nla_nest_end(msg, nl_tcp);
12063 
12064 	return 0;
12065 }
12066 
nl80211_send_wowlan_nd(struct sk_buff * msg,struct cfg80211_sched_scan_request * req)12067 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
12068 				  struct cfg80211_sched_scan_request *req)
12069 {
12070 	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
12071 	int i;
12072 
12073 	if (!req)
12074 		return 0;
12075 
12076 	nd = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
12077 	if (!nd)
12078 		return -ENOBUFS;
12079 
12080 	if (req->n_scan_plans == 1 &&
12081 	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
12082 			req->scan_plans[0].interval * 1000))
12083 		return -ENOBUFS;
12084 
12085 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
12086 		return -ENOBUFS;
12087 
12088 	if (req->relative_rssi_set) {
12089 		struct nl80211_bss_select_rssi_adjust rssi_adjust;
12090 
12091 		if (nla_put_s8(msg, NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI,
12092 			       req->relative_rssi))
12093 			return -ENOBUFS;
12094 
12095 		rssi_adjust.band = req->rssi_adjust.band;
12096 		rssi_adjust.delta = req->rssi_adjust.delta;
12097 		if (nla_put(msg, NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST,
12098 			    sizeof(rssi_adjust), &rssi_adjust))
12099 			return -ENOBUFS;
12100 	}
12101 
12102 	freqs = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
12103 	if (!freqs)
12104 		return -ENOBUFS;
12105 
12106 	for (i = 0; i < req->n_channels; i++) {
12107 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
12108 			return -ENOBUFS;
12109 	}
12110 
12111 	nla_nest_end(msg, freqs);
12112 
12113 	if (req->n_match_sets) {
12114 		matches = nla_nest_start_noflag(msg,
12115 						NL80211_ATTR_SCHED_SCAN_MATCH);
12116 		if (!matches)
12117 			return -ENOBUFS;
12118 
12119 		for (i = 0; i < req->n_match_sets; i++) {
12120 			match = nla_nest_start_noflag(msg, i);
12121 			if (!match)
12122 				return -ENOBUFS;
12123 
12124 			if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
12125 				    req->match_sets[i].ssid.ssid_len,
12126 				    req->match_sets[i].ssid.ssid))
12127 				return -ENOBUFS;
12128 			nla_nest_end(msg, match);
12129 		}
12130 		nla_nest_end(msg, matches);
12131 	}
12132 
12133 	scan_plans = nla_nest_start_noflag(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
12134 	if (!scan_plans)
12135 		return -ENOBUFS;
12136 
12137 	for (i = 0; i < req->n_scan_plans; i++) {
12138 		scan_plan = nla_nest_start_noflag(msg, i + 1);
12139 		if (!scan_plan)
12140 			return -ENOBUFS;
12141 
12142 		if (nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
12143 				req->scan_plans[i].interval) ||
12144 		    (req->scan_plans[i].iterations &&
12145 		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
12146 				 req->scan_plans[i].iterations)))
12147 			return -ENOBUFS;
12148 		nla_nest_end(msg, scan_plan);
12149 	}
12150 	nla_nest_end(msg, scan_plans);
12151 
12152 	nla_nest_end(msg, nd);
12153 
12154 	return 0;
12155 }
12156 
nl80211_get_wowlan(struct sk_buff * skb,struct genl_info * info)12157 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
12158 {
12159 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12160 	struct sk_buff *msg;
12161 	void *hdr;
12162 	u32 size = NLMSG_DEFAULT_SIZE;
12163 
12164 	if (!rdev->wiphy.wowlan)
12165 		return -EOPNOTSUPP;
12166 
12167 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
12168 		/* adjust size to have room for all the data */
12169 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
12170 			rdev->wiphy.wowlan_config->tcp->payload_len +
12171 			rdev->wiphy.wowlan_config->tcp->wake_len +
12172 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
12173 	}
12174 
12175 	msg = nlmsg_new(size, GFP_KERNEL);
12176 	if (!msg)
12177 		return -ENOMEM;
12178 
12179 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12180 			     NL80211_CMD_GET_WOWLAN);
12181 	if (!hdr)
12182 		goto nla_put_failure;
12183 
12184 	if (rdev->wiphy.wowlan_config) {
12185 		struct nlattr *nl_wowlan;
12186 
12187 		nl_wowlan = nla_nest_start_noflag(msg,
12188 						  NL80211_ATTR_WOWLAN_TRIGGERS);
12189 		if (!nl_wowlan)
12190 			goto nla_put_failure;
12191 
12192 		if ((rdev->wiphy.wowlan_config->any &&
12193 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
12194 		    (rdev->wiphy.wowlan_config->disconnect &&
12195 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
12196 		    (rdev->wiphy.wowlan_config->magic_pkt &&
12197 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
12198 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
12199 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
12200 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
12201 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
12202 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
12203 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
12204 		    (rdev->wiphy.wowlan_config->rfkill_release &&
12205 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
12206 			goto nla_put_failure;
12207 
12208 		if (nl80211_send_wowlan_patterns(msg, rdev))
12209 			goto nla_put_failure;
12210 
12211 		if (nl80211_send_wowlan_tcp(msg,
12212 					    rdev->wiphy.wowlan_config->tcp))
12213 			goto nla_put_failure;
12214 
12215 		if (nl80211_send_wowlan_nd(
12216 			    msg,
12217 			    rdev->wiphy.wowlan_config->nd_config))
12218 			goto nla_put_failure;
12219 
12220 		nla_nest_end(msg, nl_wowlan);
12221 	}
12222 
12223 	genlmsg_end(msg, hdr);
12224 	return genlmsg_reply(msg, info);
12225 
12226 nla_put_failure:
12227 	nlmsg_free(msg);
12228 	return -ENOBUFS;
12229 }
12230 
nl80211_parse_wowlan_tcp(struct cfg80211_registered_device * rdev,struct nlattr * attr,struct cfg80211_wowlan * trig)12231 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
12232 				    struct nlattr *attr,
12233 				    struct cfg80211_wowlan *trig)
12234 {
12235 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
12236 	struct cfg80211_wowlan_tcp *cfg;
12237 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
12238 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
12239 	u32 size;
12240 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
12241 	int err, port;
12242 
12243 	if (!rdev->wiphy.wowlan->tcp)
12244 		return -EINVAL;
12245 
12246 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TCP, attr,
12247 					  nl80211_wowlan_tcp_policy, NULL);
12248 	if (err)
12249 		return err;
12250 
12251 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
12252 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
12253 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
12254 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
12255 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
12256 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
12257 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
12258 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
12259 		return -EINVAL;
12260 
12261 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
12262 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
12263 		return -EINVAL;
12264 
12265 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
12266 			rdev->wiphy.wowlan->tcp->data_interval_max ||
12267 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
12268 		return -EINVAL;
12269 
12270 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
12271 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
12272 		return -EINVAL;
12273 
12274 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
12275 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
12276 		return -EINVAL;
12277 
12278 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
12279 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
12280 
12281 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
12282 		tokens_size = tokln - sizeof(*tok);
12283 
12284 		if (!tok->len || tokens_size % tok->len)
12285 			return -EINVAL;
12286 		if (!rdev->wiphy.wowlan->tcp->tok)
12287 			return -EINVAL;
12288 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
12289 			return -EINVAL;
12290 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
12291 			return -EINVAL;
12292 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
12293 			return -EINVAL;
12294 		if (tok->offset + tok->len > data_size)
12295 			return -EINVAL;
12296 	}
12297 
12298 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
12299 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
12300 		if (!rdev->wiphy.wowlan->tcp->seq)
12301 			return -EINVAL;
12302 		if (seq->len == 0 || seq->len > 4)
12303 			return -EINVAL;
12304 		if (seq->len + seq->offset > data_size)
12305 			return -EINVAL;
12306 	}
12307 
12308 	size = sizeof(*cfg);
12309 	size += data_size;
12310 	size += wake_size + wake_mask_size;
12311 	size += tokens_size;
12312 
12313 	cfg = kzalloc(size, GFP_KERNEL);
12314 	if (!cfg)
12315 		return -ENOMEM;
12316 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
12317 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
12318 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
12319 	       ETH_ALEN);
12320 	if (tb[NL80211_WOWLAN_TCP_SRC_PORT])
12321 		port = nla_get_u16(tb[NL80211_WOWLAN_TCP_SRC_PORT]);
12322 	else
12323 		port = 0;
12324 #ifdef CONFIG_INET
12325 	/* allocate a socket and port for it and use it */
12326 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
12327 			    IPPROTO_TCP, &cfg->sock, 1);
12328 	if (err) {
12329 		kfree(cfg);
12330 		return err;
12331 	}
12332 	if (inet_csk_get_port(cfg->sock->sk, port)) {
12333 		sock_release(cfg->sock);
12334 		kfree(cfg);
12335 		return -EADDRINUSE;
12336 	}
12337 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
12338 #else
12339 	if (!port) {
12340 		kfree(cfg);
12341 		return -EINVAL;
12342 	}
12343 	cfg->src_port = port;
12344 #endif
12345 
12346 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
12347 	cfg->payload_len = data_size;
12348 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
12349 	memcpy((void *)cfg->payload,
12350 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
12351 	       data_size);
12352 	if (seq)
12353 		cfg->payload_seq = *seq;
12354 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
12355 	cfg->wake_len = wake_size;
12356 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
12357 	memcpy((void *)cfg->wake_data,
12358 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
12359 	       wake_size);
12360 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
12361 			 data_size + wake_size;
12362 	memcpy((void *)cfg->wake_mask,
12363 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
12364 	       wake_mask_size);
12365 	if (tok) {
12366 		cfg->tokens_size = tokens_size;
12367 		memcpy(&cfg->payload_tok, tok, sizeof(*tok) + tokens_size);
12368 	}
12369 
12370 	trig->tcp = cfg;
12371 
12372 	return 0;
12373 }
12374 
nl80211_parse_wowlan_nd(struct cfg80211_registered_device * rdev,const struct wiphy_wowlan_support * wowlan,struct nlattr * attr,struct cfg80211_wowlan * trig)12375 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
12376 				   const struct wiphy_wowlan_support *wowlan,
12377 				   struct nlattr *attr,
12378 				   struct cfg80211_wowlan *trig)
12379 {
12380 	struct nlattr **tb;
12381 	int err;
12382 
12383 	tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
12384 	if (!tb)
12385 		return -ENOMEM;
12386 
12387 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
12388 		err = -EOPNOTSUPP;
12389 		goto out;
12390 	}
12391 
12392 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_MAX, attr,
12393 					  nl80211_policy, NULL);
12394 	if (err)
12395 		goto out;
12396 
12397 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb,
12398 						   wowlan->max_nd_match_sets);
12399 	err = PTR_ERR_OR_ZERO(trig->nd_config);
12400 	if (err)
12401 		trig->nd_config = NULL;
12402 
12403 out:
12404 	kfree(tb);
12405 	return err;
12406 }
12407 
nl80211_set_wowlan(struct sk_buff * skb,struct genl_info * info)12408 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
12409 {
12410 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12411 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
12412 	struct cfg80211_wowlan new_triggers = {};
12413 	struct cfg80211_wowlan *ntrig;
12414 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
12415 	int err, i;
12416 	bool prev_enabled = rdev->wiphy.wowlan_config;
12417 	bool regular = false;
12418 
12419 	if (!wowlan)
12420 		return -EOPNOTSUPP;
12421 
12422 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
12423 		cfg80211_rdev_free_wowlan(rdev);
12424 		rdev->wiphy.wowlan_config = NULL;
12425 		goto set_wakeup;
12426 	}
12427 
12428 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TRIG,
12429 					  info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS],
12430 					  nl80211_wowlan_policy, info->extack);
12431 	if (err)
12432 		return err;
12433 
12434 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
12435 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
12436 			return -EINVAL;
12437 		new_triggers.any = true;
12438 	}
12439 
12440 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
12441 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
12442 			return -EINVAL;
12443 		new_triggers.disconnect = true;
12444 		regular = true;
12445 	}
12446 
12447 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
12448 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
12449 			return -EINVAL;
12450 		new_triggers.magic_pkt = true;
12451 		regular = true;
12452 	}
12453 
12454 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
12455 		return -EINVAL;
12456 
12457 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
12458 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
12459 			return -EINVAL;
12460 		new_triggers.gtk_rekey_failure = true;
12461 		regular = true;
12462 	}
12463 
12464 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
12465 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
12466 			return -EINVAL;
12467 		new_triggers.eap_identity_req = true;
12468 		regular = true;
12469 	}
12470 
12471 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
12472 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
12473 			return -EINVAL;
12474 		new_triggers.four_way_handshake = true;
12475 		regular = true;
12476 	}
12477 
12478 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
12479 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
12480 			return -EINVAL;
12481 		new_triggers.rfkill_release = true;
12482 		regular = true;
12483 	}
12484 
12485 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
12486 		struct nlattr *pat;
12487 		int n_patterns = 0;
12488 		int rem, pat_len, mask_len, pkt_offset;
12489 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
12490 
12491 		regular = true;
12492 
12493 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
12494 				    rem)
12495 			n_patterns++;
12496 		if (n_patterns > wowlan->n_patterns)
12497 			return -EINVAL;
12498 
12499 		new_triggers.patterns = kcalloc(n_patterns,
12500 						sizeof(new_triggers.patterns[0]),
12501 						GFP_KERNEL);
12502 		if (!new_triggers.patterns)
12503 			return -ENOMEM;
12504 
12505 		new_triggers.n_patterns = n_patterns;
12506 		i = 0;
12507 
12508 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
12509 				    rem) {
12510 			u8 *mask_pat;
12511 
12512 			err = nla_parse_nested_deprecated(pat_tb,
12513 							  MAX_NL80211_PKTPAT,
12514 							  pat,
12515 							  nl80211_packet_pattern_policy,
12516 							  info->extack);
12517 			if (err)
12518 				goto error;
12519 
12520 			err = -EINVAL;
12521 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
12522 			    !pat_tb[NL80211_PKTPAT_PATTERN])
12523 				goto error;
12524 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
12525 			mask_len = DIV_ROUND_UP(pat_len, 8);
12526 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
12527 				goto error;
12528 			if (pat_len > wowlan->pattern_max_len ||
12529 			    pat_len < wowlan->pattern_min_len)
12530 				goto error;
12531 
12532 			if (!pat_tb[NL80211_PKTPAT_OFFSET])
12533 				pkt_offset = 0;
12534 			else
12535 				pkt_offset = nla_get_u32(
12536 					pat_tb[NL80211_PKTPAT_OFFSET]);
12537 			if (pkt_offset > wowlan->max_pkt_offset)
12538 				goto error;
12539 			new_triggers.patterns[i].pkt_offset = pkt_offset;
12540 
12541 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
12542 			if (!mask_pat) {
12543 				err = -ENOMEM;
12544 				goto error;
12545 			}
12546 			new_triggers.patterns[i].mask = mask_pat;
12547 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
12548 			       mask_len);
12549 			mask_pat += mask_len;
12550 			new_triggers.patterns[i].pattern = mask_pat;
12551 			new_triggers.patterns[i].pattern_len = pat_len;
12552 			memcpy(mask_pat,
12553 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
12554 			       pat_len);
12555 			i++;
12556 		}
12557 	}
12558 
12559 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
12560 		regular = true;
12561 		err = nl80211_parse_wowlan_tcp(
12562 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
12563 			&new_triggers);
12564 		if (err)
12565 			goto error;
12566 	}
12567 
12568 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
12569 		regular = true;
12570 		err = nl80211_parse_wowlan_nd(
12571 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
12572 			&new_triggers);
12573 		if (err)
12574 			goto error;
12575 	}
12576 
12577 	/* The 'any' trigger means the device continues operating more or less
12578 	 * as in its normal operation mode and wakes up the host on most of the
12579 	 * normal interrupts (like packet RX, ...)
12580 	 * It therefore makes little sense to combine with the more constrained
12581 	 * wakeup trigger modes.
12582 	 */
12583 	if (new_triggers.any && regular) {
12584 		err = -EINVAL;
12585 		goto error;
12586 	}
12587 
12588 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
12589 	if (!ntrig) {
12590 		err = -ENOMEM;
12591 		goto error;
12592 	}
12593 	cfg80211_rdev_free_wowlan(rdev);
12594 	rdev->wiphy.wowlan_config = ntrig;
12595 
12596  set_wakeup:
12597 	if (rdev->ops->set_wakeup &&
12598 	    prev_enabled != !!rdev->wiphy.wowlan_config)
12599 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
12600 
12601 	return 0;
12602  error:
12603 	for (i = 0; i < new_triggers.n_patterns; i++)
12604 		kfree(new_triggers.patterns[i].mask);
12605 	kfree(new_triggers.patterns);
12606 	if (new_triggers.tcp && new_triggers.tcp->sock)
12607 		sock_release(new_triggers.tcp->sock);
12608 	kfree(new_triggers.tcp);
12609 	kfree(new_triggers.nd_config);
12610 	return err;
12611 }
12612 #endif
12613 
nl80211_send_coalesce_rules(struct sk_buff * msg,struct cfg80211_registered_device * rdev)12614 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
12615 				       struct cfg80211_registered_device *rdev)
12616 {
12617 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
12618 	int i, j, pat_len;
12619 	struct cfg80211_coalesce_rules *rule;
12620 
12621 	if (!rdev->coalesce->n_rules)
12622 		return 0;
12623 
12624 	nl_rules = nla_nest_start_noflag(msg, NL80211_ATTR_COALESCE_RULE);
12625 	if (!nl_rules)
12626 		return -ENOBUFS;
12627 
12628 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
12629 		nl_rule = nla_nest_start_noflag(msg, i + 1);
12630 		if (!nl_rule)
12631 			return -ENOBUFS;
12632 
12633 		rule = &rdev->coalesce->rules[i];
12634 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
12635 				rule->delay))
12636 			return -ENOBUFS;
12637 
12638 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
12639 				rule->condition))
12640 			return -ENOBUFS;
12641 
12642 		nl_pats = nla_nest_start_noflag(msg,
12643 						NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
12644 		if (!nl_pats)
12645 			return -ENOBUFS;
12646 
12647 		for (j = 0; j < rule->n_patterns; j++) {
12648 			nl_pat = nla_nest_start_noflag(msg, j + 1);
12649 			if (!nl_pat)
12650 				return -ENOBUFS;
12651 			pat_len = rule->patterns[j].pattern_len;
12652 			if (nla_put(msg, NL80211_PKTPAT_MASK,
12653 				    DIV_ROUND_UP(pat_len, 8),
12654 				    rule->patterns[j].mask) ||
12655 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
12656 				    rule->patterns[j].pattern) ||
12657 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
12658 					rule->patterns[j].pkt_offset))
12659 				return -ENOBUFS;
12660 			nla_nest_end(msg, nl_pat);
12661 		}
12662 		nla_nest_end(msg, nl_pats);
12663 		nla_nest_end(msg, nl_rule);
12664 	}
12665 	nla_nest_end(msg, nl_rules);
12666 
12667 	return 0;
12668 }
12669 
nl80211_get_coalesce(struct sk_buff * skb,struct genl_info * info)12670 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
12671 {
12672 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12673 	struct sk_buff *msg;
12674 	void *hdr;
12675 
12676 	if (!rdev->wiphy.coalesce)
12677 		return -EOPNOTSUPP;
12678 
12679 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12680 	if (!msg)
12681 		return -ENOMEM;
12682 
12683 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12684 			     NL80211_CMD_GET_COALESCE);
12685 	if (!hdr)
12686 		goto nla_put_failure;
12687 
12688 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
12689 		goto nla_put_failure;
12690 
12691 	genlmsg_end(msg, hdr);
12692 	return genlmsg_reply(msg, info);
12693 
12694 nla_put_failure:
12695 	nlmsg_free(msg);
12696 	return -ENOBUFS;
12697 }
12698 
cfg80211_rdev_free_coalesce(struct cfg80211_registered_device * rdev)12699 void cfg80211_rdev_free_coalesce(struct cfg80211_registered_device *rdev)
12700 {
12701 	struct cfg80211_coalesce *coalesce = rdev->coalesce;
12702 	int i, j;
12703 	struct cfg80211_coalesce_rules *rule;
12704 
12705 	if (!coalesce)
12706 		return;
12707 
12708 	for (i = 0; i < coalesce->n_rules; i++) {
12709 		rule = &coalesce->rules[i];
12710 		for (j = 0; j < rule->n_patterns; j++)
12711 			kfree(rule->patterns[j].mask);
12712 		kfree(rule->patterns);
12713 	}
12714 	kfree(coalesce->rules);
12715 	kfree(coalesce);
12716 	rdev->coalesce = NULL;
12717 }
12718 
nl80211_parse_coalesce_rule(struct cfg80211_registered_device * rdev,struct nlattr * rule,struct cfg80211_coalesce_rules * new_rule)12719 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
12720 				       struct nlattr *rule,
12721 				       struct cfg80211_coalesce_rules *new_rule)
12722 {
12723 	int err, i;
12724 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
12725 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
12726 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
12727 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
12728 
12729 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_COALESCE_RULE_MAX,
12730 					  rule, nl80211_coalesce_policy, NULL);
12731 	if (err)
12732 		return err;
12733 
12734 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
12735 		new_rule->delay =
12736 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
12737 	if (new_rule->delay > coalesce->max_delay)
12738 		return -EINVAL;
12739 
12740 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
12741 		new_rule->condition =
12742 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
12743 
12744 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
12745 		return -EINVAL;
12746 
12747 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
12748 			    rem)
12749 		n_patterns++;
12750 	if (n_patterns > coalesce->n_patterns)
12751 		return -EINVAL;
12752 
12753 	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
12754 				     GFP_KERNEL);
12755 	if (!new_rule->patterns)
12756 		return -ENOMEM;
12757 
12758 	new_rule->n_patterns = n_patterns;
12759 	i = 0;
12760 
12761 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
12762 			    rem) {
12763 		u8 *mask_pat;
12764 
12765 		err = nla_parse_nested_deprecated(pat_tb, MAX_NL80211_PKTPAT,
12766 						  pat,
12767 						  nl80211_packet_pattern_policy,
12768 						  NULL);
12769 		if (err)
12770 			return err;
12771 
12772 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
12773 		    !pat_tb[NL80211_PKTPAT_PATTERN])
12774 			return -EINVAL;
12775 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
12776 		mask_len = DIV_ROUND_UP(pat_len, 8);
12777 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
12778 			return -EINVAL;
12779 		if (pat_len > coalesce->pattern_max_len ||
12780 		    pat_len < coalesce->pattern_min_len)
12781 			return -EINVAL;
12782 
12783 		if (!pat_tb[NL80211_PKTPAT_OFFSET])
12784 			pkt_offset = 0;
12785 		else
12786 			pkt_offset = nla_get_u32(pat_tb[NL80211_PKTPAT_OFFSET]);
12787 		if (pkt_offset > coalesce->max_pkt_offset)
12788 			return -EINVAL;
12789 		new_rule->patterns[i].pkt_offset = pkt_offset;
12790 
12791 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
12792 		if (!mask_pat)
12793 			return -ENOMEM;
12794 
12795 		new_rule->patterns[i].mask = mask_pat;
12796 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
12797 		       mask_len);
12798 
12799 		mask_pat += mask_len;
12800 		new_rule->patterns[i].pattern = mask_pat;
12801 		new_rule->patterns[i].pattern_len = pat_len;
12802 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
12803 		       pat_len);
12804 		i++;
12805 	}
12806 
12807 	return 0;
12808 }
12809 
nl80211_set_coalesce(struct sk_buff * skb,struct genl_info * info)12810 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
12811 {
12812 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12813 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
12814 	struct cfg80211_coalesce new_coalesce = {};
12815 	struct cfg80211_coalesce *n_coalesce;
12816 	int err, rem_rule, n_rules = 0, i, j;
12817 	struct nlattr *rule;
12818 	struct cfg80211_coalesce_rules *tmp_rule;
12819 
12820 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
12821 		return -EOPNOTSUPP;
12822 
12823 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
12824 		cfg80211_rdev_free_coalesce(rdev);
12825 		rdev_set_coalesce(rdev, NULL);
12826 		return 0;
12827 	}
12828 
12829 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
12830 			    rem_rule)
12831 		n_rules++;
12832 	if (n_rules > coalesce->n_rules)
12833 		return -EINVAL;
12834 
12835 	new_coalesce.rules = kcalloc(n_rules, sizeof(new_coalesce.rules[0]),
12836 				     GFP_KERNEL);
12837 	if (!new_coalesce.rules)
12838 		return -ENOMEM;
12839 
12840 	new_coalesce.n_rules = n_rules;
12841 	i = 0;
12842 
12843 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
12844 			    rem_rule) {
12845 		err = nl80211_parse_coalesce_rule(rdev, rule,
12846 						  &new_coalesce.rules[i]);
12847 		if (err)
12848 			goto error;
12849 
12850 		i++;
12851 	}
12852 
12853 	err = rdev_set_coalesce(rdev, &new_coalesce);
12854 	if (err)
12855 		goto error;
12856 
12857 	n_coalesce = kmemdup(&new_coalesce, sizeof(new_coalesce), GFP_KERNEL);
12858 	if (!n_coalesce) {
12859 		err = -ENOMEM;
12860 		goto error;
12861 	}
12862 	cfg80211_rdev_free_coalesce(rdev);
12863 	rdev->coalesce = n_coalesce;
12864 
12865 	return 0;
12866 error:
12867 	for (i = 0; i < new_coalesce.n_rules; i++) {
12868 		tmp_rule = &new_coalesce.rules[i];
12869 		for (j = 0; j < tmp_rule->n_patterns; j++)
12870 			kfree(tmp_rule->patterns[j].mask);
12871 		kfree(tmp_rule->patterns);
12872 	}
12873 	kfree(new_coalesce.rules);
12874 
12875 	return err;
12876 }
12877 
nl80211_set_rekey_data(struct sk_buff * skb,struct genl_info * info)12878 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
12879 {
12880 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12881 	struct net_device *dev = info->user_ptr[1];
12882 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12883 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
12884 	struct cfg80211_gtk_rekey_data rekey_data = {};
12885 	int err;
12886 
12887 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
12888 		return -EINVAL;
12889 
12890 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_REKEY_DATA,
12891 					  info->attrs[NL80211_ATTR_REKEY_DATA],
12892 					  nl80211_rekey_policy, info->extack);
12893 	if (err)
12894 		return err;
12895 
12896 	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
12897 	    !tb[NL80211_REKEY_DATA_KCK])
12898 		return -EINVAL;
12899 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN &&
12900 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
12901 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KEK_EXT_LEN))
12902 		return -ERANGE;
12903 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN &&
12904 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
12905 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KCK_EXT_LEN))
12906 		return -ERANGE;
12907 
12908 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
12909 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
12910 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
12911 	rekey_data.kek_len = nla_len(tb[NL80211_REKEY_DATA_KEK]);
12912 	rekey_data.kck_len = nla_len(tb[NL80211_REKEY_DATA_KCK]);
12913 	if (tb[NL80211_REKEY_DATA_AKM])
12914 		rekey_data.akm = nla_get_u32(tb[NL80211_REKEY_DATA_AKM]);
12915 
12916 	wdev_lock(wdev);
12917 	if (!wdev->current_bss) {
12918 		err = -ENOTCONN;
12919 		goto out;
12920 	}
12921 
12922 	if (!rdev->ops->set_rekey_data) {
12923 		err = -EOPNOTSUPP;
12924 		goto out;
12925 	}
12926 
12927 	err = rdev_set_rekey_data(rdev, dev, &rekey_data);
12928  out:
12929 	wdev_unlock(wdev);
12930 	return err;
12931 }
12932 
nl80211_register_unexpected_frame(struct sk_buff * skb,struct genl_info * info)12933 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
12934 					     struct genl_info *info)
12935 {
12936 	struct net_device *dev = info->user_ptr[1];
12937 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12938 
12939 	if (wdev->iftype != NL80211_IFTYPE_AP &&
12940 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
12941 		return -EINVAL;
12942 
12943 	if (wdev->ap_unexpected_nlportid)
12944 		return -EBUSY;
12945 
12946 	wdev->ap_unexpected_nlportid = info->snd_portid;
12947 	return 0;
12948 }
12949 
nl80211_probe_client(struct sk_buff * skb,struct genl_info * info)12950 static int nl80211_probe_client(struct sk_buff *skb,
12951 				struct genl_info *info)
12952 {
12953 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12954 	struct net_device *dev = info->user_ptr[1];
12955 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12956 	struct sk_buff *msg;
12957 	void *hdr;
12958 	const u8 *addr;
12959 	u64 cookie;
12960 	int err;
12961 
12962 	if (wdev->iftype != NL80211_IFTYPE_AP &&
12963 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
12964 		return -EOPNOTSUPP;
12965 
12966 	if (!info->attrs[NL80211_ATTR_MAC])
12967 		return -EINVAL;
12968 
12969 	if (!rdev->ops->probe_client)
12970 		return -EOPNOTSUPP;
12971 
12972 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12973 	if (!msg)
12974 		return -ENOMEM;
12975 
12976 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12977 			     NL80211_CMD_PROBE_CLIENT);
12978 	if (!hdr) {
12979 		err = -ENOBUFS;
12980 		goto free_msg;
12981 	}
12982 
12983 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
12984 
12985 	err = rdev_probe_client(rdev, dev, addr, &cookie);
12986 	if (err)
12987 		goto free_msg;
12988 
12989 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12990 			      NL80211_ATTR_PAD))
12991 		goto nla_put_failure;
12992 
12993 	genlmsg_end(msg, hdr);
12994 
12995 	return genlmsg_reply(msg, info);
12996 
12997  nla_put_failure:
12998 	err = -ENOBUFS;
12999  free_msg:
13000 	nlmsg_free(msg);
13001 	return err;
13002 }
13003 
nl80211_register_beacons(struct sk_buff * skb,struct genl_info * info)13004 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
13005 {
13006 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13007 	struct cfg80211_beacon_registration *reg, *nreg;
13008 	int rv;
13009 
13010 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
13011 		return -EOPNOTSUPP;
13012 
13013 	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
13014 	if (!nreg)
13015 		return -ENOMEM;
13016 
13017 	/* First, check if already registered. */
13018 	spin_lock_bh(&rdev->beacon_registrations_lock);
13019 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
13020 		if (reg->nlportid == info->snd_portid) {
13021 			rv = -EALREADY;
13022 			goto out_err;
13023 		}
13024 	}
13025 	/* Add it to the list */
13026 	nreg->nlportid = info->snd_portid;
13027 	list_add(&nreg->list, &rdev->beacon_registrations);
13028 
13029 	spin_unlock_bh(&rdev->beacon_registrations_lock);
13030 
13031 	return 0;
13032 out_err:
13033 	spin_unlock_bh(&rdev->beacon_registrations_lock);
13034 	kfree(nreg);
13035 	return rv;
13036 }
13037 
nl80211_start_p2p_device(struct sk_buff * skb,struct genl_info * info)13038 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
13039 {
13040 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13041 	struct wireless_dev *wdev = info->user_ptr[1];
13042 	int err;
13043 
13044 	if (!rdev->ops->start_p2p_device)
13045 		return -EOPNOTSUPP;
13046 
13047 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
13048 		return -EOPNOTSUPP;
13049 
13050 	if (wdev_running(wdev))
13051 		return 0;
13052 
13053 	if (rfkill_blocked(rdev->wiphy.rfkill))
13054 		return -ERFKILL;
13055 
13056 	err = rdev_start_p2p_device(rdev, wdev);
13057 	if (err)
13058 		return err;
13059 
13060 	wdev->is_running = true;
13061 	rdev->opencount++;
13062 
13063 	return 0;
13064 }
13065 
nl80211_stop_p2p_device(struct sk_buff * skb,struct genl_info * info)13066 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
13067 {
13068 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13069 	struct wireless_dev *wdev = info->user_ptr[1];
13070 
13071 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
13072 		return -EOPNOTSUPP;
13073 
13074 	if (!rdev->ops->stop_p2p_device)
13075 		return -EOPNOTSUPP;
13076 
13077 	cfg80211_stop_p2p_device(rdev, wdev);
13078 
13079 	return 0;
13080 }
13081 
nl80211_start_nan(struct sk_buff * skb,struct genl_info * info)13082 static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info)
13083 {
13084 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13085 	struct wireless_dev *wdev = info->user_ptr[1];
13086 	struct cfg80211_nan_conf conf = {};
13087 	int err;
13088 
13089 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13090 		return -EOPNOTSUPP;
13091 
13092 	if (wdev_running(wdev))
13093 		return -EEXIST;
13094 
13095 	if (rfkill_blocked(rdev->wiphy.rfkill))
13096 		return -ERFKILL;
13097 
13098 	if (!info->attrs[NL80211_ATTR_NAN_MASTER_PREF])
13099 		return -EINVAL;
13100 
13101 	conf.master_pref =
13102 		nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
13103 
13104 	if (info->attrs[NL80211_ATTR_BANDS]) {
13105 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
13106 
13107 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
13108 			return -EOPNOTSUPP;
13109 
13110 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
13111 			return -EINVAL;
13112 
13113 		conf.bands = bands;
13114 	}
13115 
13116 	err = rdev_start_nan(rdev, wdev, &conf);
13117 	if (err)
13118 		return err;
13119 
13120 	wdev->is_running = true;
13121 	rdev->opencount++;
13122 
13123 	return 0;
13124 }
13125 
nl80211_stop_nan(struct sk_buff * skb,struct genl_info * info)13126 static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info)
13127 {
13128 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13129 	struct wireless_dev *wdev = info->user_ptr[1];
13130 
13131 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13132 		return -EOPNOTSUPP;
13133 
13134 	cfg80211_stop_nan(rdev, wdev);
13135 
13136 	return 0;
13137 }
13138 
validate_nan_filter(struct nlattr * filter_attr)13139 static int validate_nan_filter(struct nlattr *filter_attr)
13140 {
13141 	struct nlattr *attr;
13142 	int len = 0, n_entries = 0, rem;
13143 
13144 	nla_for_each_nested(attr, filter_attr, rem) {
13145 		len += nla_len(attr);
13146 		n_entries++;
13147 	}
13148 
13149 	if (len >= U8_MAX)
13150 		return -EINVAL;
13151 
13152 	return n_entries;
13153 }
13154 
handle_nan_filter(struct nlattr * attr_filter,struct cfg80211_nan_func * func,bool tx)13155 static int handle_nan_filter(struct nlattr *attr_filter,
13156 			     struct cfg80211_nan_func *func,
13157 			     bool tx)
13158 {
13159 	struct nlattr *attr;
13160 	int n_entries, rem, i;
13161 	struct cfg80211_nan_func_filter *filter;
13162 
13163 	n_entries = validate_nan_filter(attr_filter);
13164 	if (n_entries < 0)
13165 		return n_entries;
13166 
13167 	BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters));
13168 
13169 	filter = kcalloc(n_entries, sizeof(*func->rx_filters), GFP_KERNEL);
13170 	if (!filter)
13171 		return -ENOMEM;
13172 
13173 	i = 0;
13174 	nla_for_each_nested(attr, attr_filter, rem) {
13175 		filter[i].filter = nla_memdup(attr, GFP_KERNEL);
13176 		filter[i].len = nla_len(attr);
13177 		i++;
13178 	}
13179 	if (tx) {
13180 		func->num_tx_filters = n_entries;
13181 		func->tx_filters = filter;
13182 	} else {
13183 		func->num_rx_filters = n_entries;
13184 		func->rx_filters = filter;
13185 	}
13186 
13187 	return 0;
13188 }
13189 
nl80211_nan_add_func(struct sk_buff * skb,struct genl_info * info)13190 static int nl80211_nan_add_func(struct sk_buff *skb,
13191 				struct genl_info *info)
13192 {
13193 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13194 	struct wireless_dev *wdev = info->user_ptr[1];
13195 	struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr;
13196 	struct cfg80211_nan_func *func;
13197 	struct sk_buff *msg = NULL;
13198 	void *hdr = NULL;
13199 	int err = 0;
13200 
13201 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13202 		return -EOPNOTSUPP;
13203 
13204 	if (!wdev_running(wdev))
13205 		return -ENOTCONN;
13206 
13207 	if (!info->attrs[NL80211_ATTR_NAN_FUNC])
13208 		return -EINVAL;
13209 
13210 	err = nla_parse_nested_deprecated(tb, NL80211_NAN_FUNC_ATTR_MAX,
13211 					  info->attrs[NL80211_ATTR_NAN_FUNC],
13212 					  nl80211_nan_func_policy,
13213 					  info->extack);
13214 	if (err)
13215 		return err;
13216 
13217 	func = kzalloc(sizeof(*func), GFP_KERNEL);
13218 	if (!func)
13219 		return -ENOMEM;
13220 
13221 	func->cookie = cfg80211_assign_cookie(rdev);
13222 
13223 	if (!tb[NL80211_NAN_FUNC_TYPE]) {
13224 		err = -EINVAL;
13225 		goto out;
13226 	}
13227 
13228 
13229 	func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]);
13230 
13231 	if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) {
13232 		err = -EINVAL;
13233 		goto out;
13234 	}
13235 
13236 	memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]),
13237 	       sizeof(func->service_id));
13238 
13239 	func->close_range =
13240 		nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]);
13241 
13242 	if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) {
13243 		func->serv_spec_info_len =
13244 			nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]);
13245 		func->serv_spec_info =
13246 			kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]),
13247 				func->serv_spec_info_len,
13248 				GFP_KERNEL);
13249 		if (!func->serv_spec_info) {
13250 			err = -ENOMEM;
13251 			goto out;
13252 		}
13253 	}
13254 
13255 	if (tb[NL80211_NAN_FUNC_TTL])
13256 		func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]);
13257 
13258 	switch (func->type) {
13259 	case NL80211_NAN_FUNC_PUBLISH:
13260 		if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) {
13261 			err = -EINVAL;
13262 			goto out;
13263 		}
13264 
13265 		func->publish_type =
13266 			nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]);
13267 		func->publish_bcast =
13268 			nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]);
13269 
13270 		if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) &&
13271 			func->publish_bcast) {
13272 			err = -EINVAL;
13273 			goto out;
13274 		}
13275 		break;
13276 	case NL80211_NAN_FUNC_SUBSCRIBE:
13277 		func->subscribe_active =
13278 			nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]);
13279 		break;
13280 	case NL80211_NAN_FUNC_FOLLOW_UP:
13281 		if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
13282 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
13283 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
13284 			err = -EINVAL;
13285 			goto out;
13286 		}
13287 
13288 		func->followup_id =
13289 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]);
13290 		func->followup_reqid =
13291 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]);
13292 		memcpy(func->followup_dest.addr,
13293 		       nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]),
13294 		       sizeof(func->followup_dest.addr));
13295 		if (func->ttl) {
13296 			err = -EINVAL;
13297 			goto out;
13298 		}
13299 		break;
13300 	default:
13301 		err = -EINVAL;
13302 		goto out;
13303 	}
13304 
13305 	if (tb[NL80211_NAN_FUNC_SRF]) {
13306 		struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR];
13307 
13308 		err = nla_parse_nested_deprecated(srf_tb,
13309 						  NL80211_NAN_SRF_ATTR_MAX,
13310 						  tb[NL80211_NAN_FUNC_SRF],
13311 						  nl80211_nan_srf_policy,
13312 						  info->extack);
13313 		if (err)
13314 			goto out;
13315 
13316 		func->srf_include =
13317 			nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]);
13318 
13319 		if (srf_tb[NL80211_NAN_SRF_BF]) {
13320 			if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] ||
13321 			    !srf_tb[NL80211_NAN_SRF_BF_IDX]) {
13322 				err = -EINVAL;
13323 				goto out;
13324 			}
13325 
13326 			func->srf_bf_len =
13327 				nla_len(srf_tb[NL80211_NAN_SRF_BF]);
13328 			func->srf_bf =
13329 				kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]),
13330 					func->srf_bf_len, GFP_KERNEL);
13331 			if (!func->srf_bf) {
13332 				err = -ENOMEM;
13333 				goto out;
13334 			}
13335 
13336 			func->srf_bf_idx =
13337 				nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]);
13338 		} else {
13339 			struct nlattr *attr, *mac_attr =
13340 				srf_tb[NL80211_NAN_SRF_MAC_ADDRS];
13341 			int n_entries, rem, i = 0;
13342 
13343 			if (!mac_attr) {
13344 				err = -EINVAL;
13345 				goto out;
13346 			}
13347 
13348 			n_entries = validate_acl_mac_addrs(mac_attr);
13349 			if (n_entries <= 0) {
13350 				err = -EINVAL;
13351 				goto out;
13352 			}
13353 
13354 			func->srf_num_macs = n_entries;
13355 			func->srf_macs =
13356 				kcalloc(n_entries, sizeof(*func->srf_macs),
13357 					GFP_KERNEL);
13358 			if (!func->srf_macs) {
13359 				err = -ENOMEM;
13360 				goto out;
13361 			}
13362 
13363 			nla_for_each_nested(attr, mac_attr, rem)
13364 				memcpy(func->srf_macs[i++].addr, nla_data(attr),
13365 				       sizeof(*func->srf_macs));
13366 		}
13367 	}
13368 
13369 	if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) {
13370 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER],
13371 					func, true);
13372 		if (err)
13373 			goto out;
13374 	}
13375 
13376 	if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) {
13377 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER],
13378 					func, false);
13379 		if (err)
13380 			goto out;
13381 	}
13382 
13383 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13384 	if (!msg) {
13385 		err = -ENOMEM;
13386 		goto out;
13387 	}
13388 
13389 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13390 			     NL80211_CMD_ADD_NAN_FUNCTION);
13391 	/* This can't really happen - we just allocated 4KB */
13392 	if (WARN_ON(!hdr)) {
13393 		err = -ENOMEM;
13394 		goto out;
13395 	}
13396 
13397 	err = rdev_add_nan_func(rdev, wdev, func);
13398 out:
13399 	if (err < 0) {
13400 		cfg80211_free_nan_func(func);
13401 		nlmsg_free(msg);
13402 		return err;
13403 	}
13404 
13405 	/* propagate the instance id and cookie to userspace  */
13406 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie,
13407 			      NL80211_ATTR_PAD))
13408 		goto nla_put_failure;
13409 
13410 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
13411 	if (!func_attr)
13412 		goto nla_put_failure;
13413 
13414 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID,
13415 		       func->instance_id))
13416 		goto nla_put_failure;
13417 
13418 	nla_nest_end(msg, func_attr);
13419 
13420 	genlmsg_end(msg, hdr);
13421 	return genlmsg_reply(msg, info);
13422 
13423 nla_put_failure:
13424 	nlmsg_free(msg);
13425 	return -ENOBUFS;
13426 }
13427 
nl80211_nan_del_func(struct sk_buff * skb,struct genl_info * info)13428 static int nl80211_nan_del_func(struct sk_buff *skb,
13429 			       struct genl_info *info)
13430 {
13431 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13432 	struct wireless_dev *wdev = info->user_ptr[1];
13433 	u64 cookie;
13434 
13435 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13436 		return -EOPNOTSUPP;
13437 
13438 	if (!wdev_running(wdev))
13439 		return -ENOTCONN;
13440 
13441 	if (!info->attrs[NL80211_ATTR_COOKIE])
13442 		return -EINVAL;
13443 
13444 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
13445 
13446 	rdev_del_nan_func(rdev, wdev, cookie);
13447 
13448 	return 0;
13449 }
13450 
nl80211_nan_change_config(struct sk_buff * skb,struct genl_info * info)13451 static int nl80211_nan_change_config(struct sk_buff *skb,
13452 				     struct genl_info *info)
13453 {
13454 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13455 	struct wireless_dev *wdev = info->user_ptr[1];
13456 	struct cfg80211_nan_conf conf = {};
13457 	u32 changed = 0;
13458 
13459 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13460 		return -EOPNOTSUPP;
13461 
13462 	if (!wdev_running(wdev))
13463 		return -ENOTCONN;
13464 
13465 	if (info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) {
13466 		conf.master_pref =
13467 			nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
13468 		if (conf.master_pref <= 1 || conf.master_pref == 255)
13469 			return -EINVAL;
13470 
13471 		changed |= CFG80211_NAN_CONF_CHANGED_PREF;
13472 	}
13473 
13474 	if (info->attrs[NL80211_ATTR_BANDS]) {
13475 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
13476 
13477 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
13478 			return -EOPNOTSUPP;
13479 
13480 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
13481 			return -EINVAL;
13482 
13483 		conf.bands = bands;
13484 		changed |= CFG80211_NAN_CONF_CHANGED_BANDS;
13485 	}
13486 
13487 	if (!changed)
13488 		return -EINVAL;
13489 
13490 	return rdev_nan_change_conf(rdev, wdev, &conf, changed);
13491 }
13492 
cfg80211_nan_match(struct wireless_dev * wdev,struct cfg80211_nan_match_params * match,gfp_t gfp)13493 void cfg80211_nan_match(struct wireless_dev *wdev,
13494 			struct cfg80211_nan_match_params *match, gfp_t gfp)
13495 {
13496 	struct wiphy *wiphy = wdev->wiphy;
13497 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13498 	struct nlattr *match_attr, *local_func_attr, *peer_func_attr;
13499 	struct sk_buff *msg;
13500 	void *hdr;
13501 
13502 	if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr))
13503 		return;
13504 
13505 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13506 	if (!msg)
13507 		return;
13508 
13509 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH);
13510 	if (!hdr) {
13511 		nlmsg_free(msg);
13512 		return;
13513 	}
13514 
13515 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13516 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
13517 					 wdev->netdev->ifindex)) ||
13518 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
13519 			      NL80211_ATTR_PAD))
13520 		goto nla_put_failure;
13521 
13522 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie,
13523 			      NL80211_ATTR_PAD) ||
13524 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr))
13525 		goto nla_put_failure;
13526 
13527 	match_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_MATCH);
13528 	if (!match_attr)
13529 		goto nla_put_failure;
13530 
13531 	local_func_attr = nla_nest_start_noflag(msg,
13532 						NL80211_NAN_MATCH_FUNC_LOCAL);
13533 	if (!local_func_attr)
13534 		goto nla_put_failure;
13535 
13536 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id))
13537 		goto nla_put_failure;
13538 
13539 	nla_nest_end(msg, local_func_attr);
13540 
13541 	peer_func_attr = nla_nest_start_noflag(msg,
13542 					       NL80211_NAN_MATCH_FUNC_PEER);
13543 	if (!peer_func_attr)
13544 		goto nla_put_failure;
13545 
13546 	if (nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) ||
13547 	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id))
13548 		goto nla_put_failure;
13549 
13550 	if (match->info && match->info_len &&
13551 	    nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len,
13552 		    match->info))
13553 		goto nla_put_failure;
13554 
13555 	nla_nest_end(msg, peer_func_attr);
13556 	nla_nest_end(msg, match_attr);
13557 	genlmsg_end(msg, hdr);
13558 
13559 	if (!wdev->owner_nlportid)
13560 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
13561 					msg, 0, NL80211_MCGRP_NAN, gfp);
13562 	else
13563 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
13564 				wdev->owner_nlportid);
13565 
13566 	return;
13567 
13568 nla_put_failure:
13569 	nlmsg_free(msg);
13570 }
13571 EXPORT_SYMBOL(cfg80211_nan_match);
13572 
cfg80211_nan_func_terminated(struct wireless_dev * wdev,u8 inst_id,enum nl80211_nan_func_term_reason reason,u64 cookie,gfp_t gfp)13573 void cfg80211_nan_func_terminated(struct wireless_dev *wdev,
13574 				  u8 inst_id,
13575 				  enum nl80211_nan_func_term_reason reason,
13576 				  u64 cookie, gfp_t gfp)
13577 {
13578 	struct wiphy *wiphy = wdev->wiphy;
13579 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13580 	struct sk_buff *msg;
13581 	struct nlattr *func_attr;
13582 	void *hdr;
13583 
13584 	if (WARN_ON(!inst_id))
13585 		return;
13586 
13587 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13588 	if (!msg)
13589 		return;
13590 
13591 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION);
13592 	if (!hdr) {
13593 		nlmsg_free(msg);
13594 		return;
13595 	}
13596 
13597 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13598 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
13599 					 wdev->netdev->ifindex)) ||
13600 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
13601 			      NL80211_ATTR_PAD))
13602 		goto nla_put_failure;
13603 
13604 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
13605 			      NL80211_ATTR_PAD))
13606 		goto nla_put_failure;
13607 
13608 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
13609 	if (!func_attr)
13610 		goto nla_put_failure;
13611 
13612 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) ||
13613 	    nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason))
13614 		goto nla_put_failure;
13615 
13616 	nla_nest_end(msg, func_attr);
13617 	genlmsg_end(msg, hdr);
13618 
13619 	if (!wdev->owner_nlportid)
13620 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
13621 					msg, 0, NL80211_MCGRP_NAN, gfp);
13622 	else
13623 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
13624 				wdev->owner_nlportid);
13625 
13626 	return;
13627 
13628 nla_put_failure:
13629 	nlmsg_free(msg);
13630 }
13631 EXPORT_SYMBOL(cfg80211_nan_func_terminated);
13632 
nl80211_get_protocol_features(struct sk_buff * skb,struct genl_info * info)13633 static int nl80211_get_protocol_features(struct sk_buff *skb,
13634 					 struct genl_info *info)
13635 {
13636 	void *hdr;
13637 	struct sk_buff *msg;
13638 
13639 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13640 	if (!msg)
13641 		return -ENOMEM;
13642 
13643 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13644 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
13645 	if (!hdr)
13646 		goto nla_put_failure;
13647 
13648 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
13649 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
13650 		goto nla_put_failure;
13651 
13652 	genlmsg_end(msg, hdr);
13653 	return genlmsg_reply(msg, info);
13654 
13655  nla_put_failure:
13656 	kfree_skb(msg);
13657 	return -ENOBUFS;
13658 }
13659 
nl80211_update_ft_ies(struct sk_buff * skb,struct genl_info * info)13660 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
13661 {
13662 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13663 	struct cfg80211_update_ft_ies_params ft_params;
13664 	struct net_device *dev = info->user_ptr[1];
13665 
13666 	if (!rdev->ops->update_ft_ies)
13667 		return -EOPNOTSUPP;
13668 
13669 	if (!info->attrs[NL80211_ATTR_MDID] ||
13670 	    !info->attrs[NL80211_ATTR_IE])
13671 		return -EINVAL;
13672 
13673 	memset(&ft_params, 0, sizeof(ft_params));
13674 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
13675 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
13676 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
13677 
13678 	return rdev_update_ft_ies(rdev, dev, &ft_params);
13679 }
13680 
nl80211_crit_protocol_start(struct sk_buff * skb,struct genl_info * info)13681 static int nl80211_crit_protocol_start(struct sk_buff *skb,
13682 				       struct genl_info *info)
13683 {
13684 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13685 	struct wireless_dev *wdev = info->user_ptr[1];
13686 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
13687 	u16 duration;
13688 	int ret;
13689 
13690 	if (!rdev->ops->crit_proto_start)
13691 		return -EOPNOTSUPP;
13692 
13693 	if (WARN_ON(!rdev->ops->crit_proto_stop))
13694 		return -EINVAL;
13695 
13696 	if (rdev->crit_proto_nlportid)
13697 		return -EBUSY;
13698 
13699 	/* determine protocol if provided */
13700 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
13701 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
13702 
13703 	if (proto >= NUM_NL80211_CRIT_PROTO)
13704 		return -EINVAL;
13705 
13706 	/* timeout must be provided */
13707 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
13708 		return -EINVAL;
13709 
13710 	duration =
13711 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
13712 
13713 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
13714 	if (!ret)
13715 		rdev->crit_proto_nlportid = info->snd_portid;
13716 
13717 	return ret;
13718 }
13719 
nl80211_crit_protocol_stop(struct sk_buff * skb,struct genl_info * info)13720 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
13721 				      struct genl_info *info)
13722 {
13723 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13724 	struct wireless_dev *wdev = info->user_ptr[1];
13725 
13726 	if (!rdev->ops->crit_proto_stop)
13727 		return -EOPNOTSUPP;
13728 
13729 	if (rdev->crit_proto_nlportid) {
13730 		rdev->crit_proto_nlportid = 0;
13731 		rdev_crit_proto_stop(rdev, wdev);
13732 	}
13733 	return 0;
13734 }
13735 
nl80211_vendor_check_policy(const struct wiphy_vendor_command * vcmd,struct nlattr * attr,struct netlink_ext_ack * extack)13736 static int nl80211_vendor_check_policy(const struct wiphy_vendor_command *vcmd,
13737 				       struct nlattr *attr,
13738 				       struct netlink_ext_ack *extack)
13739 {
13740 	if (vcmd->policy == VENDOR_CMD_RAW_DATA) {
13741 		if (attr->nla_type & NLA_F_NESTED) {
13742 			NL_SET_ERR_MSG_ATTR(extack, attr,
13743 					    "unexpected nested data");
13744 			return -EINVAL;
13745 		}
13746 
13747 		return 0;
13748 	}
13749 
13750 	if (!(attr->nla_type & NLA_F_NESTED)) {
13751 		NL_SET_ERR_MSG_ATTR(extack, attr, "expected nested data");
13752 		return -EINVAL;
13753 	}
13754 
13755 	return nla_validate_nested(attr, vcmd->maxattr, vcmd->policy, extack);
13756 }
13757 
nl80211_vendor_cmd(struct sk_buff * skb,struct genl_info * info)13758 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
13759 {
13760 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13761 	struct wireless_dev *wdev =
13762 		__cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
13763 					   info->attrs);
13764 	int i, err;
13765 	u32 vid, subcmd;
13766 
13767 	if (!rdev->wiphy.vendor_commands)
13768 		return -EOPNOTSUPP;
13769 
13770 	if (IS_ERR(wdev)) {
13771 		err = PTR_ERR(wdev);
13772 		if (err != -EINVAL)
13773 			return err;
13774 		wdev = NULL;
13775 	} else if (wdev->wiphy != &rdev->wiphy) {
13776 		return -EINVAL;
13777 	}
13778 
13779 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
13780 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
13781 		return -EINVAL;
13782 
13783 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
13784 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
13785 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
13786 		const struct wiphy_vendor_command *vcmd;
13787 		void *data = NULL;
13788 		int len = 0;
13789 
13790 		vcmd = &rdev->wiphy.vendor_commands[i];
13791 
13792 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
13793 			continue;
13794 
13795 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
13796 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
13797 			if (!wdev)
13798 				return -EINVAL;
13799 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
13800 			    !wdev->netdev)
13801 				return -EINVAL;
13802 
13803 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
13804 				if (!wdev_running(wdev))
13805 					return -ENETDOWN;
13806 			}
13807 		} else {
13808 			wdev = NULL;
13809 		}
13810 
13811 		if (!vcmd->doit)
13812 			return -EOPNOTSUPP;
13813 
13814 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
13815 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
13816 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
13817 
13818 			err = nl80211_vendor_check_policy(vcmd,
13819 					info->attrs[NL80211_ATTR_VENDOR_DATA],
13820 					info->extack);
13821 			if (err)
13822 				return err;
13823 		}
13824 
13825 		rdev->cur_cmd_info = info;
13826 		err = vcmd->doit(&rdev->wiphy, wdev, data, len);
13827 		rdev->cur_cmd_info = NULL;
13828 		return err;
13829 	}
13830 
13831 	return -EOPNOTSUPP;
13832 }
13833 
nl80211_prepare_vendor_dump(struct sk_buff * skb,struct netlink_callback * cb,struct cfg80211_registered_device ** rdev,struct wireless_dev ** wdev)13834 static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
13835 				       struct netlink_callback *cb,
13836 				       struct cfg80211_registered_device **rdev,
13837 				       struct wireless_dev **wdev)
13838 {
13839 	struct nlattr **attrbuf;
13840 	u32 vid, subcmd;
13841 	unsigned int i;
13842 	int vcmd_idx = -1;
13843 	int err;
13844 	void *data = NULL;
13845 	unsigned int data_len = 0;
13846 
13847 	if (cb->args[0]) {
13848 		/* subtract the 1 again here */
13849 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
13850 		struct wireless_dev *tmp;
13851 
13852 		if (!wiphy)
13853 			return -ENODEV;
13854 		*rdev = wiphy_to_rdev(wiphy);
13855 		*wdev = NULL;
13856 
13857 		if (cb->args[1]) {
13858 			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
13859 				if (tmp->identifier == cb->args[1] - 1) {
13860 					*wdev = tmp;
13861 					break;
13862 				}
13863 			}
13864 		}
13865 
13866 		/* keep rtnl locked in successful case */
13867 		return 0;
13868 	}
13869 
13870 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
13871 	if (!attrbuf)
13872 		return -ENOMEM;
13873 
13874 	err = nlmsg_parse_deprecated(cb->nlh,
13875 				     GENL_HDRLEN + nl80211_fam.hdrsize,
13876 				     attrbuf, nl80211_fam.maxattr,
13877 				     nl80211_policy, NULL);
13878 	if (err)
13879 		goto out;
13880 
13881 	if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
13882 	    !attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
13883 		err = -EINVAL;
13884 		goto out;
13885 	}
13886 
13887 	*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(skb->sk), attrbuf);
13888 	if (IS_ERR(*wdev))
13889 		*wdev = NULL;
13890 
13891 	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
13892 	if (IS_ERR(*rdev)) {
13893 		err = PTR_ERR(*rdev);
13894 		goto out;
13895 	}
13896 
13897 	vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
13898 	subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
13899 
13900 	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
13901 		const struct wiphy_vendor_command *vcmd;
13902 
13903 		vcmd = &(*rdev)->wiphy.vendor_commands[i];
13904 
13905 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
13906 			continue;
13907 
13908 		if (!vcmd->dumpit) {
13909 			err = -EOPNOTSUPP;
13910 			goto out;
13911 		}
13912 
13913 		vcmd_idx = i;
13914 		break;
13915 	}
13916 
13917 	if (vcmd_idx < 0) {
13918 		err = -EOPNOTSUPP;
13919 		goto out;
13920 	}
13921 
13922 	if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
13923 		data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
13924 		data_len = nla_len(attrbuf[NL80211_ATTR_VENDOR_DATA]);
13925 
13926 		err = nl80211_vendor_check_policy(
13927 				&(*rdev)->wiphy.vendor_commands[vcmd_idx],
13928 				attrbuf[NL80211_ATTR_VENDOR_DATA],
13929 				cb->extack);
13930 		if (err)
13931 			goto out;
13932 	}
13933 
13934 	/* 0 is the first index - add 1 to parse only once */
13935 	cb->args[0] = (*rdev)->wiphy_idx + 1;
13936 	/* add 1 to know if it was NULL */
13937 	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
13938 	cb->args[2] = vcmd_idx;
13939 	cb->args[3] = (unsigned long)data;
13940 	cb->args[4] = data_len;
13941 
13942 	/* keep rtnl locked in successful case */
13943 	err = 0;
13944 out:
13945 	kfree(attrbuf);
13946 	return err;
13947 }
13948 
nl80211_vendor_cmd_dump(struct sk_buff * skb,struct netlink_callback * cb)13949 static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
13950 				   struct netlink_callback *cb)
13951 {
13952 	struct cfg80211_registered_device *rdev;
13953 	struct wireless_dev *wdev;
13954 	unsigned int vcmd_idx;
13955 	const struct wiphy_vendor_command *vcmd;
13956 	void *data;
13957 	int data_len;
13958 	int err;
13959 	struct nlattr *vendor_data;
13960 
13961 	rtnl_lock();
13962 	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
13963 	if (err)
13964 		goto out;
13965 
13966 	vcmd_idx = cb->args[2];
13967 	data = (void *)cb->args[3];
13968 	data_len = cb->args[4];
13969 	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
13970 
13971 	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
13972 			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
13973 		if (!wdev) {
13974 			err = -EINVAL;
13975 			goto out;
13976 		}
13977 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
13978 		    !wdev->netdev) {
13979 			err = -EINVAL;
13980 			goto out;
13981 		}
13982 
13983 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
13984 			if (!wdev_running(wdev)) {
13985 				err = -ENETDOWN;
13986 				goto out;
13987 			}
13988 		}
13989 	}
13990 
13991 	while (1) {
13992 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
13993 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
13994 					   NL80211_CMD_VENDOR);
13995 		if (!hdr)
13996 			break;
13997 
13998 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13999 		    (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
14000 					       wdev_id(wdev),
14001 					       NL80211_ATTR_PAD))) {
14002 			genlmsg_cancel(skb, hdr);
14003 			break;
14004 		}
14005 
14006 		vendor_data = nla_nest_start_noflag(skb,
14007 						    NL80211_ATTR_VENDOR_DATA);
14008 		if (!vendor_data) {
14009 			genlmsg_cancel(skb, hdr);
14010 			break;
14011 		}
14012 
14013 		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
14014 				   (unsigned long *)&cb->args[5]);
14015 		nla_nest_end(skb, vendor_data);
14016 
14017 		if (err == -ENOBUFS || err == -ENOENT) {
14018 			genlmsg_cancel(skb, hdr);
14019 			break;
14020 		} else if (err <= 0) {
14021 			genlmsg_cancel(skb, hdr);
14022 			goto out;
14023 		}
14024 
14025 		genlmsg_end(skb, hdr);
14026 	}
14027 
14028 	err = skb->len;
14029  out:
14030 	rtnl_unlock();
14031 	return err;
14032 }
14033 
__cfg80211_alloc_reply_skb(struct wiphy * wiphy,enum nl80211_commands cmd,enum nl80211_attrs attr,int approxlen)14034 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
14035 					   enum nl80211_commands cmd,
14036 					   enum nl80211_attrs attr,
14037 					   int approxlen)
14038 {
14039 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14040 
14041 	if (WARN_ON(!rdev->cur_cmd_info))
14042 		return NULL;
14043 
14044 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
14045 					   rdev->cur_cmd_info->snd_portid,
14046 					   rdev->cur_cmd_info->snd_seq,
14047 					   cmd, attr, NULL, GFP_KERNEL);
14048 }
14049 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
14050 
cfg80211_vendor_cmd_reply(struct sk_buff * skb)14051 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
14052 {
14053 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
14054 	void *hdr = ((void **)skb->cb)[1];
14055 	struct nlattr *data = ((void **)skb->cb)[2];
14056 
14057 	/* clear CB data for netlink core to own from now on */
14058 	memset(skb->cb, 0, sizeof(skb->cb));
14059 
14060 	if (WARN_ON(!rdev->cur_cmd_info)) {
14061 		kfree_skb(skb);
14062 		return -EINVAL;
14063 	}
14064 
14065 	nla_nest_end(skb, data);
14066 	genlmsg_end(skb, hdr);
14067 	return genlmsg_reply(skb, rdev->cur_cmd_info);
14068 }
14069 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
14070 
cfg80211_vendor_cmd_get_sender(struct wiphy * wiphy)14071 unsigned int cfg80211_vendor_cmd_get_sender(struct wiphy *wiphy)
14072 {
14073 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14074 
14075 	if (WARN_ON(!rdev->cur_cmd_info))
14076 		return 0;
14077 
14078 	return rdev->cur_cmd_info->snd_portid;
14079 }
14080 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_get_sender);
14081 
nl80211_set_qos_map(struct sk_buff * skb,struct genl_info * info)14082 static int nl80211_set_qos_map(struct sk_buff *skb,
14083 			       struct genl_info *info)
14084 {
14085 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14086 	struct cfg80211_qos_map *qos_map = NULL;
14087 	struct net_device *dev = info->user_ptr[1];
14088 	u8 *pos, len, num_des, des_len, des;
14089 	int ret;
14090 
14091 	if (!rdev->ops->set_qos_map)
14092 		return -EOPNOTSUPP;
14093 
14094 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
14095 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
14096 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
14097 
14098 		if (len % 2)
14099 			return -EINVAL;
14100 
14101 		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
14102 		if (!qos_map)
14103 			return -ENOMEM;
14104 
14105 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
14106 		if (num_des) {
14107 			des_len = num_des *
14108 				sizeof(struct cfg80211_dscp_exception);
14109 			memcpy(qos_map->dscp_exception, pos, des_len);
14110 			qos_map->num_des = num_des;
14111 			for (des = 0; des < num_des; des++) {
14112 				if (qos_map->dscp_exception[des].up > 7) {
14113 					kfree(qos_map);
14114 					return -EINVAL;
14115 				}
14116 			}
14117 			pos += des_len;
14118 		}
14119 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
14120 	}
14121 
14122 	wdev_lock(dev->ieee80211_ptr);
14123 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
14124 	if (!ret)
14125 		ret = rdev_set_qos_map(rdev, dev, qos_map);
14126 	wdev_unlock(dev->ieee80211_ptr);
14127 
14128 	kfree(qos_map);
14129 	return ret;
14130 }
14131 
nl80211_add_tx_ts(struct sk_buff * skb,struct genl_info * info)14132 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
14133 {
14134 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14135 	struct net_device *dev = info->user_ptr[1];
14136 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14137 	const u8 *peer;
14138 	u8 tsid, up;
14139 	u16 admitted_time = 0;
14140 	int err;
14141 
14142 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
14143 		return -EOPNOTSUPP;
14144 
14145 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
14146 	    !info->attrs[NL80211_ATTR_USER_PRIO])
14147 		return -EINVAL;
14148 
14149 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
14150 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
14151 
14152 	/* WMM uses TIDs 0-7 even for TSPEC */
14153 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
14154 		/* TODO: handle 802.11 TSPEC/admission control
14155 		 * need more attributes for that (e.g. BA session requirement);
14156 		 * change the WMM adminssion test above to allow both then
14157 		 */
14158 		return -EINVAL;
14159 	}
14160 
14161 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
14162 
14163 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
14164 		admitted_time =
14165 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
14166 		if (!admitted_time)
14167 			return -EINVAL;
14168 	}
14169 
14170 	wdev_lock(wdev);
14171 	switch (wdev->iftype) {
14172 	case NL80211_IFTYPE_STATION:
14173 	case NL80211_IFTYPE_P2P_CLIENT:
14174 		if (wdev->current_bss)
14175 			break;
14176 		err = -ENOTCONN;
14177 		goto out;
14178 	default:
14179 		err = -EOPNOTSUPP;
14180 		goto out;
14181 	}
14182 
14183 	err = rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
14184 
14185  out:
14186 	wdev_unlock(wdev);
14187 	return err;
14188 }
14189 
nl80211_del_tx_ts(struct sk_buff * skb,struct genl_info * info)14190 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
14191 {
14192 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14193 	struct net_device *dev = info->user_ptr[1];
14194 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14195 	const u8 *peer;
14196 	u8 tsid;
14197 	int err;
14198 
14199 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
14200 		return -EINVAL;
14201 
14202 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
14203 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
14204 
14205 	wdev_lock(wdev);
14206 	err = rdev_del_tx_ts(rdev, dev, tsid, peer);
14207 	wdev_unlock(wdev);
14208 
14209 	return err;
14210 }
14211 
nl80211_tdls_channel_switch(struct sk_buff * skb,struct genl_info * info)14212 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
14213 				       struct genl_info *info)
14214 {
14215 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14216 	struct net_device *dev = info->user_ptr[1];
14217 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14218 	struct cfg80211_chan_def chandef = {};
14219 	const u8 *addr;
14220 	u8 oper_class;
14221 	int err;
14222 
14223 	if (!rdev->ops->tdls_channel_switch ||
14224 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
14225 		return -EOPNOTSUPP;
14226 
14227 	switch (dev->ieee80211_ptr->iftype) {
14228 	case NL80211_IFTYPE_STATION:
14229 	case NL80211_IFTYPE_P2P_CLIENT:
14230 		break;
14231 	default:
14232 		return -EOPNOTSUPP;
14233 	}
14234 
14235 	if (!info->attrs[NL80211_ATTR_MAC] ||
14236 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
14237 		return -EINVAL;
14238 
14239 	err = nl80211_parse_chandef(rdev, info, &chandef);
14240 	if (err)
14241 		return err;
14242 
14243 	/*
14244 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
14245 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
14246 	 * specification is not defined for them.
14247 	 */
14248 	if (chandef.chan->band == NL80211_BAND_2GHZ &&
14249 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
14250 	    chandef.width != NL80211_CHAN_WIDTH_20)
14251 		return -EINVAL;
14252 
14253 	/* we will be active on the TDLS link */
14254 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
14255 					   wdev->iftype))
14256 		return -EINVAL;
14257 
14258 	/* don't allow switching to DFS channels */
14259 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
14260 		return -EINVAL;
14261 
14262 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
14263 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
14264 
14265 	wdev_lock(wdev);
14266 	err = rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
14267 	wdev_unlock(wdev);
14268 
14269 	return err;
14270 }
14271 
nl80211_tdls_cancel_channel_switch(struct sk_buff * skb,struct genl_info * info)14272 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
14273 					      struct genl_info *info)
14274 {
14275 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14276 	struct net_device *dev = info->user_ptr[1];
14277 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14278 	const u8 *addr;
14279 
14280 	if (!rdev->ops->tdls_channel_switch ||
14281 	    !rdev->ops->tdls_cancel_channel_switch ||
14282 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
14283 		return -EOPNOTSUPP;
14284 
14285 	switch (dev->ieee80211_ptr->iftype) {
14286 	case NL80211_IFTYPE_STATION:
14287 	case NL80211_IFTYPE_P2P_CLIENT:
14288 		break;
14289 	default:
14290 		return -EOPNOTSUPP;
14291 	}
14292 
14293 	if (!info->attrs[NL80211_ATTR_MAC])
14294 		return -EINVAL;
14295 
14296 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
14297 
14298 	wdev_lock(wdev);
14299 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
14300 	wdev_unlock(wdev);
14301 
14302 	return 0;
14303 }
14304 
nl80211_set_multicast_to_unicast(struct sk_buff * skb,struct genl_info * info)14305 static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
14306 					    struct genl_info *info)
14307 {
14308 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14309 	struct net_device *dev = info->user_ptr[1];
14310 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14311 	const struct nlattr *nla;
14312 	bool enabled;
14313 
14314 	if (!rdev->ops->set_multicast_to_unicast)
14315 		return -EOPNOTSUPP;
14316 
14317 	if (wdev->iftype != NL80211_IFTYPE_AP &&
14318 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
14319 		return -EOPNOTSUPP;
14320 
14321 	nla = info->attrs[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED];
14322 	enabled = nla_get_flag(nla);
14323 
14324 	return rdev_set_multicast_to_unicast(rdev, dev, enabled);
14325 }
14326 
nl80211_set_pmk(struct sk_buff * skb,struct genl_info * info)14327 static int nl80211_set_pmk(struct sk_buff *skb, struct genl_info *info)
14328 {
14329 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14330 	struct net_device *dev = info->user_ptr[1];
14331 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14332 	struct cfg80211_pmk_conf pmk_conf = {};
14333 	int ret;
14334 
14335 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
14336 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
14337 		return -EOPNOTSUPP;
14338 
14339 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
14340 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
14341 		return -EOPNOTSUPP;
14342 
14343 	if (!info->attrs[NL80211_ATTR_MAC] || !info->attrs[NL80211_ATTR_PMK])
14344 		return -EINVAL;
14345 
14346 	wdev_lock(wdev);
14347 	if (!wdev->current_bss) {
14348 		ret = -ENOTCONN;
14349 		goto out;
14350 	}
14351 
14352 	pmk_conf.aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
14353 	if (memcmp(pmk_conf.aa, wdev->current_bss->pub.bssid, ETH_ALEN)) {
14354 		ret = -EINVAL;
14355 		goto out;
14356 	}
14357 
14358 	pmk_conf.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
14359 	pmk_conf.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
14360 	if (pmk_conf.pmk_len != WLAN_PMK_LEN &&
14361 	    pmk_conf.pmk_len != WLAN_PMK_LEN_SUITE_B_192) {
14362 		ret = -EINVAL;
14363 		goto out;
14364 	}
14365 
14366 	if (info->attrs[NL80211_ATTR_PMKR0_NAME])
14367 		pmk_conf.pmk_r0_name =
14368 			nla_data(info->attrs[NL80211_ATTR_PMKR0_NAME]);
14369 
14370 	ret = rdev_set_pmk(rdev, dev, &pmk_conf);
14371 out:
14372 	wdev_unlock(wdev);
14373 	return ret;
14374 }
14375 
nl80211_del_pmk(struct sk_buff * skb,struct genl_info * info)14376 static int nl80211_del_pmk(struct sk_buff *skb, struct genl_info *info)
14377 {
14378 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14379 	struct net_device *dev = info->user_ptr[1];
14380 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14381 	const u8 *aa;
14382 	int ret;
14383 
14384 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
14385 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
14386 		return -EOPNOTSUPP;
14387 
14388 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
14389 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
14390 		return -EOPNOTSUPP;
14391 
14392 	if (!info->attrs[NL80211_ATTR_MAC])
14393 		return -EINVAL;
14394 
14395 	wdev_lock(wdev);
14396 	aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
14397 	ret = rdev_del_pmk(rdev, dev, aa);
14398 	wdev_unlock(wdev);
14399 
14400 	return ret;
14401 }
14402 
nl80211_external_auth(struct sk_buff * skb,struct genl_info * info)14403 static int nl80211_external_auth(struct sk_buff *skb, struct genl_info *info)
14404 {
14405 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14406 	struct net_device *dev = info->user_ptr[1];
14407 	struct cfg80211_external_auth_params params;
14408 
14409 	if (!rdev->ops->external_auth)
14410 		return -EOPNOTSUPP;
14411 
14412 	if (!info->attrs[NL80211_ATTR_SSID] &&
14413 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
14414 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
14415 		return -EINVAL;
14416 
14417 	if (!info->attrs[NL80211_ATTR_BSSID])
14418 		return -EINVAL;
14419 
14420 	if (!info->attrs[NL80211_ATTR_STATUS_CODE])
14421 		return -EINVAL;
14422 
14423 	memset(&params, 0, sizeof(params));
14424 
14425 	if (info->attrs[NL80211_ATTR_SSID]) {
14426 		params.ssid.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
14427 		if (params.ssid.ssid_len == 0)
14428 			return -EINVAL;
14429 		memcpy(params.ssid.ssid,
14430 		       nla_data(info->attrs[NL80211_ATTR_SSID]),
14431 		       params.ssid.ssid_len);
14432 	}
14433 
14434 	memcpy(params.bssid, nla_data(info->attrs[NL80211_ATTR_BSSID]),
14435 	       ETH_ALEN);
14436 
14437 	params.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
14438 
14439 	if (info->attrs[NL80211_ATTR_PMKID])
14440 		params.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
14441 
14442 	return rdev_external_auth(rdev, dev, &params);
14443 }
14444 
nl80211_tx_control_port(struct sk_buff * skb,struct genl_info * info)14445 static int nl80211_tx_control_port(struct sk_buff *skb, struct genl_info *info)
14446 {
14447 	bool dont_wait_for_ack = info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK];
14448 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14449 	struct net_device *dev = info->user_ptr[1];
14450 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14451 	const u8 *buf;
14452 	size_t len;
14453 	u8 *dest;
14454 	u16 proto;
14455 	bool noencrypt;
14456 	u64 cookie = 0;
14457 	int err;
14458 
14459 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
14460 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
14461 		return -EOPNOTSUPP;
14462 
14463 	if (!rdev->ops->tx_control_port)
14464 		return -EOPNOTSUPP;
14465 
14466 	if (!info->attrs[NL80211_ATTR_FRAME] ||
14467 	    !info->attrs[NL80211_ATTR_MAC] ||
14468 	    !info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
14469 		GENL_SET_ERR_MSG(info, "Frame, MAC or ethertype missing");
14470 		return -EINVAL;
14471 	}
14472 
14473 	wdev_lock(wdev);
14474 
14475 	switch (wdev->iftype) {
14476 	case NL80211_IFTYPE_AP:
14477 	case NL80211_IFTYPE_P2P_GO:
14478 	case NL80211_IFTYPE_MESH_POINT:
14479 		break;
14480 	case NL80211_IFTYPE_ADHOC:
14481 	case NL80211_IFTYPE_STATION:
14482 	case NL80211_IFTYPE_P2P_CLIENT:
14483 		if (wdev->current_bss)
14484 			break;
14485 		err = -ENOTCONN;
14486 		goto out;
14487 	default:
14488 		err = -EOPNOTSUPP;
14489 		goto out;
14490 	}
14491 
14492 	wdev_unlock(wdev);
14493 
14494 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
14495 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
14496 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
14497 	proto = nla_get_u16(info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
14498 	noencrypt =
14499 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT]);
14500 
14501 	err = rdev_tx_control_port(rdev, dev, buf, len,
14502 				   dest, cpu_to_be16(proto), noencrypt,
14503 				   dont_wait_for_ack ? NULL : &cookie);
14504 	if (!err && !dont_wait_for_ack)
14505 		nl_set_extack_cookie_u64(info->extack, cookie);
14506 	return err;
14507  out:
14508 	wdev_unlock(wdev);
14509 	return err;
14510 }
14511 
nl80211_get_ftm_responder_stats(struct sk_buff * skb,struct genl_info * info)14512 static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
14513 					   struct genl_info *info)
14514 {
14515 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14516 	struct net_device *dev = info->user_ptr[1];
14517 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14518 	struct cfg80211_ftm_responder_stats ftm_stats = {};
14519 	struct sk_buff *msg;
14520 	void *hdr;
14521 	struct nlattr *ftm_stats_attr;
14522 	int err;
14523 
14524 	if (wdev->iftype != NL80211_IFTYPE_AP || !wdev->beacon_interval)
14525 		return -EOPNOTSUPP;
14526 
14527 	err = rdev_get_ftm_responder_stats(rdev, dev, &ftm_stats);
14528 	if (err)
14529 		return err;
14530 
14531 	if (!ftm_stats.filled)
14532 		return -ENODATA;
14533 
14534 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14535 	if (!msg)
14536 		return -ENOMEM;
14537 
14538 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14539 			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
14540 	if (!hdr)
14541 		goto nla_put_failure;
14542 
14543 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
14544 		goto nla_put_failure;
14545 
14546 	ftm_stats_attr = nla_nest_start_noflag(msg,
14547 					       NL80211_ATTR_FTM_RESPONDER_STATS);
14548 	if (!ftm_stats_attr)
14549 		goto nla_put_failure;
14550 
14551 #define SET_FTM(field, name, type)					 \
14552 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
14553 	    nla_put_ ## type(msg, NL80211_FTM_STATS_ ## name,		 \
14554 			     ftm_stats.field))				 \
14555 		goto nla_put_failure; } while (0)
14556 #define SET_FTM_U64(field, name)					 \
14557 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
14558 	    nla_put_u64_64bit(msg, NL80211_FTM_STATS_ ## name,		 \
14559 			      ftm_stats.field, NL80211_FTM_STATS_PAD))	 \
14560 		goto nla_put_failure; } while (0)
14561 
14562 	SET_FTM(success_num, SUCCESS_NUM, u32);
14563 	SET_FTM(partial_num, PARTIAL_NUM, u32);
14564 	SET_FTM(failed_num, FAILED_NUM, u32);
14565 	SET_FTM(asap_num, ASAP_NUM, u32);
14566 	SET_FTM(non_asap_num, NON_ASAP_NUM, u32);
14567 	SET_FTM_U64(total_duration_ms, TOTAL_DURATION_MSEC);
14568 	SET_FTM(unknown_triggers_num, UNKNOWN_TRIGGERS_NUM, u32);
14569 	SET_FTM(reschedule_requests_num, RESCHEDULE_REQUESTS_NUM, u32);
14570 	SET_FTM(out_of_window_triggers_num, OUT_OF_WINDOW_TRIGGERS_NUM, u32);
14571 #undef SET_FTM
14572 
14573 	nla_nest_end(msg, ftm_stats_attr);
14574 
14575 	genlmsg_end(msg, hdr);
14576 	return genlmsg_reply(msg, info);
14577 
14578 nla_put_failure:
14579 	nlmsg_free(msg);
14580 	return -ENOBUFS;
14581 }
14582 
nl80211_update_owe_info(struct sk_buff * skb,struct genl_info * info)14583 static int nl80211_update_owe_info(struct sk_buff *skb, struct genl_info *info)
14584 {
14585 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14586 	struct cfg80211_update_owe_info owe_info;
14587 	struct net_device *dev = info->user_ptr[1];
14588 
14589 	if (!rdev->ops->update_owe_info)
14590 		return -EOPNOTSUPP;
14591 
14592 	if (!info->attrs[NL80211_ATTR_STATUS_CODE] ||
14593 	    !info->attrs[NL80211_ATTR_MAC])
14594 		return -EINVAL;
14595 
14596 	memset(&owe_info, 0, sizeof(owe_info));
14597 	owe_info.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
14598 	nla_memcpy(owe_info.peer, info->attrs[NL80211_ATTR_MAC], ETH_ALEN);
14599 
14600 	if (info->attrs[NL80211_ATTR_IE]) {
14601 		owe_info.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
14602 		owe_info.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
14603 	}
14604 
14605 	return rdev_update_owe_info(rdev, dev, &owe_info);
14606 }
14607 
nl80211_probe_mesh_link(struct sk_buff * skb,struct genl_info * info)14608 static int nl80211_probe_mesh_link(struct sk_buff *skb, struct genl_info *info)
14609 {
14610 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14611 	struct net_device *dev = info->user_ptr[1];
14612 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14613 	struct station_info sinfo = {};
14614 	const u8 *buf;
14615 	size_t len;
14616 	u8 *dest;
14617 	int err;
14618 
14619 	if (!rdev->ops->probe_mesh_link || !rdev->ops->get_station)
14620 		return -EOPNOTSUPP;
14621 
14622 	if (!info->attrs[NL80211_ATTR_MAC] ||
14623 	    !info->attrs[NL80211_ATTR_FRAME]) {
14624 		GENL_SET_ERR_MSG(info, "Frame or MAC missing");
14625 		return -EINVAL;
14626 	}
14627 
14628 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
14629 		return -EOPNOTSUPP;
14630 
14631 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
14632 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
14633 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
14634 
14635 	if (len < sizeof(struct ethhdr))
14636 		return -EINVAL;
14637 
14638 	if (!ether_addr_equal(buf, dest) || is_multicast_ether_addr(buf) ||
14639 	    !ether_addr_equal(buf + ETH_ALEN, dev->dev_addr))
14640 		return -EINVAL;
14641 
14642 	err = rdev_get_station(rdev, dev, dest, &sinfo);
14643 	if (err)
14644 		return err;
14645 
14646 	cfg80211_sinfo_release_content(&sinfo);
14647 
14648 	return rdev_probe_mesh_link(rdev, dev, dest, buf, len);
14649 }
14650 
parse_tid_conf(struct cfg80211_registered_device * rdev,struct nlattr * attrs[],struct net_device * dev,struct cfg80211_tid_cfg * tid_conf,struct genl_info * info,const u8 * peer)14651 static int parse_tid_conf(struct cfg80211_registered_device *rdev,
14652 			  struct nlattr *attrs[], struct net_device *dev,
14653 			  struct cfg80211_tid_cfg *tid_conf,
14654 			  struct genl_info *info, const u8 *peer)
14655 {
14656 	struct netlink_ext_ack *extack = info->extack;
14657 	u64 mask;
14658 	int err;
14659 
14660 	if (!attrs[NL80211_TID_CONFIG_ATTR_TIDS])
14661 		return -EINVAL;
14662 
14663 	tid_conf->config_override =
14664 			nla_get_flag(attrs[NL80211_TID_CONFIG_ATTR_OVERRIDE]);
14665 	tid_conf->tids = nla_get_u16(attrs[NL80211_TID_CONFIG_ATTR_TIDS]);
14666 
14667 	if (tid_conf->config_override) {
14668 		if (rdev->ops->reset_tid_config) {
14669 			err = rdev_reset_tid_config(rdev, dev, peer,
14670 						    tid_conf->tids);
14671 			if (err)
14672 				return err;
14673 		} else {
14674 			return -EINVAL;
14675 		}
14676 	}
14677 
14678 	if (attrs[NL80211_TID_CONFIG_ATTR_NOACK]) {
14679 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_NOACK);
14680 		tid_conf->noack =
14681 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_NOACK]);
14682 	}
14683 
14684 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]) {
14685 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_SHORT);
14686 		tid_conf->retry_short =
14687 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]);
14688 
14689 		if (tid_conf->retry_short > rdev->wiphy.max_data_retry_count)
14690 			return -EINVAL;
14691 	}
14692 
14693 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]) {
14694 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_LONG);
14695 		tid_conf->retry_long =
14696 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]);
14697 
14698 		if (tid_conf->retry_long > rdev->wiphy.max_data_retry_count)
14699 			return -EINVAL;
14700 	}
14701 
14702 	if (attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]) {
14703 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMPDU_CTRL);
14704 		tid_conf->ampdu =
14705 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]);
14706 	}
14707 
14708 	if (attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]) {
14709 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL);
14710 		tid_conf->rtscts =
14711 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]);
14712 	}
14713 
14714 	if (attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]) {
14715 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMSDU_CTRL);
14716 		tid_conf->amsdu =
14717 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]);
14718 	}
14719 
14720 	if (attrs[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE]) {
14721 		u32 idx = NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE, attr;
14722 
14723 		tid_conf->txrate_type = nla_get_u8(attrs[idx]);
14724 
14725 		if (tid_conf->txrate_type != NL80211_TX_RATE_AUTOMATIC) {
14726 			attr = NL80211_TID_CONFIG_ATTR_TX_RATE;
14727 			err = nl80211_parse_tx_bitrate_mask(info, attrs, attr,
14728 						    &tid_conf->txrate_mask, dev,
14729 						    true);
14730 			if (err)
14731 				return err;
14732 
14733 			tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE);
14734 		}
14735 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE);
14736 	}
14737 
14738 	if (peer)
14739 		mask = rdev->wiphy.tid_config_support.peer;
14740 	else
14741 		mask = rdev->wiphy.tid_config_support.vif;
14742 
14743 	if (tid_conf->mask & ~mask) {
14744 		NL_SET_ERR_MSG(extack, "unsupported TID configuration");
14745 		return -ENOTSUPP;
14746 	}
14747 
14748 	return 0;
14749 }
14750 
nl80211_set_tid_config(struct sk_buff * skb,struct genl_info * info)14751 static int nl80211_set_tid_config(struct sk_buff *skb,
14752 				  struct genl_info *info)
14753 {
14754 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14755 	struct nlattr *attrs[NL80211_TID_CONFIG_ATTR_MAX + 1];
14756 	struct net_device *dev = info->user_ptr[1];
14757 	struct cfg80211_tid_config *tid_config;
14758 	struct nlattr *tid;
14759 	int conf_idx = 0, rem_conf;
14760 	int ret = -EINVAL;
14761 	u32 num_conf = 0;
14762 
14763 	if (!info->attrs[NL80211_ATTR_TID_CONFIG])
14764 		return -EINVAL;
14765 
14766 	if (!rdev->ops->set_tid_config)
14767 		return -EOPNOTSUPP;
14768 
14769 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
14770 			    rem_conf)
14771 		num_conf++;
14772 
14773 	tid_config = kzalloc(struct_size(tid_config, tid_conf, num_conf),
14774 			     GFP_KERNEL);
14775 	if (!tid_config)
14776 		return -ENOMEM;
14777 
14778 	tid_config->n_tid_conf = num_conf;
14779 
14780 	if (info->attrs[NL80211_ATTR_MAC])
14781 		tid_config->peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
14782 
14783 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
14784 			    rem_conf) {
14785 		ret = nla_parse_nested(attrs, NL80211_TID_CONFIG_ATTR_MAX,
14786 				       tid, NULL, NULL);
14787 
14788 		if (ret)
14789 			goto bad_tid_conf;
14790 
14791 		ret = parse_tid_conf(rdev, attrs, dev,
14792 				     &tid_config->tid_conf[conf_idx],
14793 				     info, tid_config->peer);
14794 		if (ret)
14795 			goto bad_tid_conf;
14796 
14797 		conf_idx++;
14798 	}
14799 
14800 	ret = rdev_set_tid_config(rdev, dev, tid_config);
14801 
14802 bad_tid_conf:
14803 	kfree(tid_config);
14804 	return ret;
14805 }
14806 
nl80211_color_change(struct sk_buff * skb,struct genl_info * info)14807 static int nl80211_color_change(struct sk_buff *skb, struct genl_info *info)
14808 {
14809 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14810 	struct cfg80211_color_change_settings params = {};
14811 	struct net_device *dev = info->user_ptr[1];
14812 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14813 	struct nlattr **tb;
14814 	u16 offset;
14815 	int err;
14816 
14817 	if (!rdev->ops->color_change)
14818 		return -EOPNOTSUPP;
14819 
14820 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
14821 				     NL80211_EXT_FEATURE_BSS_COLOR))
14822 		return -EOPNOTSUPP;
14823 
14824 	if (wdev->iftype != NL80211_IFTYPE_AP)
14825 		return -EOPNOTSUPP;
14826 
14827 	if (!info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT] ||
14828 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR] ||
14829 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS])
14830 		return -EINVAL;
14831 
14832 	params.count = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT]);
14833 	params.color = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR]);
14834 
14835 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_next);
14836 	if (err)
14837 		return err;
14838 
14839 	tb = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*tb), GFP_KERNEL);
14840 	if (!tb)
14841 		return -ENOMEM;
14842 
14843 	err = nla_parse_nested(tb, NL80211_ATTR_MAX,
14844 			       info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS],
14845 			       nl80211_policy, info->extack);
14846 	if (err)
14847 		goto out;
14848 
14849 	err = nl80211_parse_beacon(rdev, tb, &params.beacon_color_change);
14850 	if (err)
14851 		goto out;
14852 
14853 	if (!tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
14854 		err = -EINVAL;
14855 		goto out;
14856 	}
14857 
14858 	if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) != sizeof(u16)) {
14859 		err = -EINVAL;
14860 		goto out;
14861 	}
14862 
14863 	offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
14864 	if (offset >= params.beacon_color_change.tail_len) {
14865 		err = -EINVAL;
14866 		goto out;
14867 	}
14868 
14869 	if (params.beacon_color_change.tail[offset] != params.count) {
14870 		err = -EINVAL;
14871 		goto out;
14872 	}
14873 
14874 	params.counter_offset_beacon = offset;
14875 
14876 	if (tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
14877 		if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) !=
14878 		    sizeof(u16)) {
14879 			err = -EINVAL;
14880 			goto out;
14881 		}
14882 
14883 		offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
14884 		if (offset >= params.beacon_color_change.probe_resp_len) {
14885 			err = -EINVAL;
14886 			goto out;
14887 		}
14888 
14889 		if (params.beacon_color_change.probe_resp[offset] !=
14890 		    params.count) {
14891 			err = -EINVAL;
14892 			goto out;
14893 		}
14894 
14895 		params.counter_offset_presp = offset;
14896 	}
14897 
14898 	wdev_lock(wdev);
14899 	err = rdev_color_change(rdev, dev, &params);
14900 	wdev_unlock(wdev);
14901 
14902 out:
14903 	kfree(tb);
14904 	return err;
14905 }
14906 
14907 #define NL80211_FLAG_NEED_WIPHY		0x01
14908 #define NL80211_FLAG_NEED_NETDEV	0x02
14909 #define NL80211_FLAG_NEED_RTNL		0x04
14910 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
14911 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
14912 					 NL80211_FLAG_CHECK_NETDEV_UP)
14913 #define NL80211_FLAG_NEED_WDEV		0x10
14914 /* If a netdev is associated, it must be UP, P2P must be started */
14915 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
14916 					 NL80211_FLAG_CHECK_NETDEV_UP)
14917 #define NL80211_FLAG_CLEAR_SKB		0x20
14918 #define NL80211_FLAG_NO_WIPHY_MTX	0x40
14919 
nl80211_pre_doit(const struct genl_ops * ops,struct sk_buff * skb,struct genl_info * info)14920 static int nl80211_pre_doit(const struct genl_ops *ops, struct sk_buff *skb,
14921 			    struct genl_info *info)
14922 {
14923 	struct cfg80211_registered_device *rdev = NULL;
14924 	struct wireless_dev *wdev;
14925 	struct net_device *dev;
14926 
14927 	rtnl_lock();
14928 	if (ops->internal_flags & NL80211_FLAG_NEED_WIPHY) {
14929 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
14930 		if (IS_ERR(rdev)) {
14931 			rtnl_unlock();
14932 			return PTR_ERR(rdev);
14933 		}
14934 		info->user_ptr[0] = rdev;
14935 	} else if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV ||
14936 		   ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
14937 		wdev = __cfg80211_wdev_from_attrs(NULL, genl_info_net(info),
14938 						  info->attrs);
14939 		if (IS_ERR(wdev)) {
14940 			rtnl_unlock();
14941 			return PTR_ERR(wdev);
14942 		}
14943 
14944 		dev = wdev->netdev;
14945 		rdev = wiphy_to_rdev(wdev->wiphy);
14946 
14947 		if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV) {
14948 			if (!dev) {
14949 				rtnl_unlock();
14950 				return -EINVAL;
14951 			}
14952 
14953 			info->user_ptr[1] = dev;
14954 		} else {
14955 			info->user_ptr[1] = wdev;
14956 		}
14957 
14958 		if (ops->internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
14959 		    !wdev_running(wdev)) {
14960 			rtnl_unlock();
14961 			return -ENETDOWN;
14962 		}
14963 
14964 		dev_hold(dev);
14965 		info->user_ptr[0] = rdev;
14966 	}
14967 
14968 	if (rdev && !(ops->internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
14969 		wiphy_lock(&rdev->wiphy);
14970 		/* we keep the mutex locked until post_doit */
14971 		__release(&rdev->wiphy.mtx);
14972 	}
14973 	if (!(ops->internal_flags & NL80211_FLAG_NEED_RTNL))
14974 		rtnl_unlock();
14975 
14976 	return 0;
14977 }
14978 
nl80211_post_doit(const struct genl_ops * ops,struct sk_buff * skb,struct genl_info * info)14979 static void nl80211_post_doit(const struct genl_ops *ops, struct sk_buff *skb,
14980 			      struct genl_info *info)
14981 {
14982 	if (info->user_ptr[1]) {
14983 		if (ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
14984 			struct wireless_dev *wdev = info->user_ptr[1];
14985 
14986 			dev_put(wdev->netdev);
14987 		} else {
14988 			dev_put(info->user_ptr[1]);
14989 		}
14990 	}
14991 
14992 	if (info->user_ptr[0] &&
14993 	    !(ops->internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
14994 		struct cfg80211_registered_device *rdev = info->user_ptr[0];
14995 
14996 		/* we kept the mutex locked since pre_doit */
14997 		__acquire(&rdev->wiphy.mtx);
14998 		wiphy_unlock(&rdev->wiphy);
14999 	}
15000 
15001 	if (ops->internal_flags & NL80211_FLAG_NEED_RTNL)
15002 		rtnl_unlock();
15003 
15004 	/* If needed, clear the netlink message payload from the SKB
15005 	 * as it might contain key data that shouldn't stick around on
15006 	 * the heap after the SKB is freed. The netlink message header
15007 	 * is still needed for further processing, so leave it intact.
15008 	 */
15009 	if (ops->internal_flags & NL80211_FLAG_CLEAR_SKB) {
15010 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
15011 
15012 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
15013 	}
15014 }
15015 
nl80211_set_sar_sub_specs(struct cfg80211_registered_device * rdev,struct cfg80211_sar_specs * sar_specs,struct nlattr * spec[],int index)15016 static int nl80211_set_sar_sub_specs(struct cfg80211_registered_device *rdev,
15017 				     struct cfg80211_sar_specs *sar_specs,
15018 				     struct nlattr *spec[], int index)
15019 {
15020 	u32 range_index, i;
15021 
15022 	if (!sar_specs || !spec)
15023 		return -EINVAL;
15024 
15025 	if (!spec[NL80211_SAR_ATTR_SPECS_POWER] ||
15026 	    !spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX])
15027 		return -EINVAL;
15028 
15029 	range_index = nla_get_u32(spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX]);
15030 
15031 	/* check if range_index exceeds num_freq_ranges */
15032 	if (range_index >= rdev->wiphy.sar_capa->num_freq_ranges)
15033 		return -EINVAL;
15034 
15035 	/* check if range_index duplicates */
15036 	for (i = 0; i < index; i++) {
15037 		if (sar_specs->sub_specs[i].freq_range_index == range_index)
15038 			return -EINVAL;
15039 	}
15040 
15041 	sar_specs->sub_specs[index].power =
15042 		nla_get_s32(spec[NL80211_SAR_ATTR_SPECS_POWER]);
15043 
15044 	sar_specs->sub_specs[index].freq_range_index = range_index;
15045 
15046 	return 0;
15047 }
15048 
nl80211_set_sar_specs(struct sk_buff * skb,struct genl_info * info)15049 static int nl80211_set_sar_specs(struct sk_buff *skb, struct genl_info *info)
15050 {
15051 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15052 	struct nlattr *spec[NL80211_SAR_ATTR_SPECS_MAX + 1];
15053 	struct nlattr *tb[NL80211_SAR_ATTR_MAX + 1];
15054 	struct cfg80211_sar_specs *sar_spec;
15055 	enum nl80211_sar_type type;
15056 	struct nlattr *spec_list;
15057 	u32 specs;
15058 	int rem, err;
15059 
15060 	if (!rdev->wiphy.sar_capa || !rdev->ops->set_sar_specs)
15061 		return -EOPNOTSUPP;
15062 
15063 	if (!info->attrs[NL80211_ATTR_SAR_SPEC])
15064 		return -EINVAL;
15065 
15066 	nla_parse_nested(tb, NL80211_SAR_ATTR_MAX,
15067 			 info->attrs[NL80211_ATTR_SAR_SPEC],
15068 			 NULL, NULL);
15069 
15070 	if (!tb[NL80211_SAR_ATTR_TYPE] || !tb[NL80211_SAR_ATTR_SPECS])
15071 		return -EINVAL;
15072 
15073 	type = nla_get_u32(tb[NL80211_SAR_ATTR_TYPE]);
15074 	if (type != rdev->wiphy.sar_capa->type)
15075 		return -EINVAL;
15076 
15077 	specs = 0;
15078 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem)
15079 		specs++;
15080 
15081 	if (specs > rdev->wiphy.sar_capa->num_freq_ranges)
15082 		return -EINVAL;
15083 
15084 	sar_spec = kzalloc(sizeof(*sar_spec) +
15085 			   specs * sizeof(struct cfg80211_sar_sub_specs),
15086 			   GFP_KERNEL);
15087 	if (!sar_spec)
15088 		return -ENOMEM;
15089 
15090 	sar_spec->type = type;
15091 	specs = 0;
15092 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem) {
15093 		nla_parse_nested(spec, NL80211_SAR_ATTR_SPECS_MAX,
15094 				 spec_list, NULL, NULL);
15095 
15096 		switch (type) {
15097 		case NL80211_SAR_TYPE_POWER:
15098 			if (nl80211_set_sar_sub_specs(rdev, sar_spec,
15099 						      spec, specs)) {
15100 				err = -EINVAL;
15101 				goto error;
15102 			}
15103 			break;
15104 		default:
15105 			err = -EINVAL;
15106 			goto error;
15107 		}
15108 		specs++;
15109 	}
15110 
15111 	sar_spec->num_sub_specs = specs;
15112 
15113 	rdev->cur_cmd_info = info;
15114 	err = rdev_set_sar_specs(rdev, sar_spec);
15115 	rdev->cur_cmd_info = NULL;
15116 error:
15117 	kfree(sar_spec);
15118 	return err;
15119 }
15120 
15121 static const struct genl_ops nl80211_ops[] = {
15122 	{
15123 		.cmd = NL80211_CMD_GET_WIPHY,
15124 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15125 		.doit = nl80211_get_wiphy,
15126 		.dumpit = nl80211_dump_wiphy,
15127 		.done = nl80211_dump_wiphy_done,
15128 		/* can be retrieved by unprivileged users */
15129 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
15130 	},
15131 };
15132 
15133 static const struct genl_small_ops nl80211_small_ops[] = {
15134 	{
15135 		.cmd = NL80211_CMD_SET_WIPHY,
15136 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15137 		.doit = nl80211_set_wiphy,
15138 		.flags = GENL_UNS_ADMIN_PERM,
15139 	},
15140 	{
15141 		.cmd = NL80211_CMD_GET_INTERFACE,
15142 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15143 		.doit = nl80211_get_interface,
15144 		.dumpit = nl80211_dump_interface,
15145 		/* can be retrieved by unprivileged users */
15146 		.internal_flags = NL80211_FLAG_NEED_WDEV,
15147 	},
15148 	{
15149 		.cmd = NL80211_CMD_SET_INTERFACE,
15150 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15151 		.doit = nl80211_set_interface,
15152 		.flags = GENL_UNS_ADMIN_PERM,
15153 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
15154 				  NL80211_FLAG_NEED_RTNL,
15155 	},
15156 	{
15157 		.cmd = NL80211_CMD_NEW_INTERFACE,
15158 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15159 		.doit = nl80211_new_interface,
15160 		.flags = GENL_UNS_ADMIN_PERM,
15161 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
15162 				  NL80211_FLAG_NEED_RTNL |
15163 				  /* we take the wiphy mutex later ourselves */
15164 				  NL80211_FLAG_NO_WIPHY_MTX,
15165 	},
15166 	{
15167 		.cmd = NL80211_CMD_DEL_INTERFACE,
15168 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15169 		.doit = nl80211_del_interface,
15170 		.flags = GENL_UNS_ADMIN_PERM,
15171 		.internal_flags = NL80211_FLAG_NEED_WDEV |
15172 				  NL80211_FLAG_NEED_RTNL,
15173 	},
15174 	{
15175 		.cmd = NL80211_CMD_GET_KEY,
15176 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15177 		.doit = nl80211_get_key,
15178 		.flags = GENL_UNS_ADMIN_PERM,
15179 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15180 	},
15181 	{
15182 		.cmd = NL80211_CMD_SET_KEY,
15183 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15184 		.doit = nl80211_set_key,
15185 		.flags = GENL_UNS_ADMIN_PERM,
15186 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15187 				  NL80211_FLAG_CLEAR_SKB,
15188 	},
15189 	{
15190 		.cmd = NL80211_CMD_NEW_KEY,
15191 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15192 		.doit = nl80211_new_key,
15193 		.flags = GENL_UNS_ADMIN_PERM,
15194 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15195 				  NL80211_FLAG_CLEAR_SKB,
15196 	},
15197 	{
15198 		.cmd = NL80211_CMD_DEL_KEY,
15199 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15200 		.doit = nl80211_del_key,
15201 		.flags = GENL_UNS_ADMIN_PERM,
15202 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15203 	},
15204 	{
15205 		.cmd = NL80211_CMD_SET_BEACON,
15206 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15207 		.flags = GENL_UNS_ADMIN_PERM,
15208 		.doit = nl80211_set_beacon,
15209 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15210 	},
15211 	{
15212 		.cmd = NL80211_CMD_START_AP,
15213 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15214 		.flags = GENL_UNS_ADMIN_PERM,
15215 		.doit = nl80211_start_ap,
15216 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15217 	},
15218 	{
15219 		.cmd = NL80211_CMD_STOP_AP,
15220 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15221 		.flags = GENL_UNS_ADMIN_PERM,
15222 		.doit = nl80211_stop_ap,
15223 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15224 	},
15225 	{
15226 		.cmd = NL80211_CMD_GET_STATION,
15227 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15228 		.doit = nl80211_get_station,
15229 		.dumpit = nl80211_dump_station,
15230 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15231 	},
15232 	{
15233 		.cmd = NL80211_CMD_SET_STATION,
15234 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15235 		.doit = nl80211_set_station,
15236 		.flags = GENL_UNS_ADMIN_PERM,
15237 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15238 	},
15239 	{
15240 		.cmd = NL80211_CMD_NEW_STATION,
15241 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15242 		.doit = nl80211_new_station,
15243 		.flags = GENL_UNS_ADMIN_PERM,
15244 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15245 	},
15246 	{
15247 		.cmd = NL80211_CMD_DEL_STATION,
15248 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15249 		.doit = nl80211_del_station,
15250 		.flags = GENL_UNS_ADMIN_PERM,
15251 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15252 	},
15253 	{
15254 		.cmd = NL80211_CMD_GET_MPATH,
15255 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15256 		.doit = nl80211_get_mpath,
15257 		.dumpit = nl80211_dump_mpath,
15258 		.flags = GENL_UNS_ADMIN_PERM,
15259 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15260 	},
15261 	{
15262 		.cmd = NL80211_CMD_GET_MPP,
15263 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15264 		.doit = nl80211_get_mpp,
15265 		.dumpit = nl80211_dump_mpp,
15266 		.flags = GENL_UNS_ADMIN_PERM,
15267 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15268 	},
15269 	{
15270 		.cmd = NL80211_CMD_SET_MPATH,
15271 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15272 		.doit = nl80211_set_mpath,
15273 		.flags = GENL_UNS_ADMIN_PERM,
15274 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15275 	},
15276 	{
15277 		.cmd = NL80211_CMD_NEW_MPATH,
15278 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15279 		.doit = nl80211_new_mpath,
15280 		.flags = GENL_UNS_ADMIN_PERM,
15281 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15282 	},
15283 	{
15284 		.cmd = NL80211_CMD_DEL_MPATH,
15285 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15286 		.doit = nl80211_del_mpath,
15287 		.flags = GENL_UNS_ADMIN_PERM,
15288 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15289 	},
15290 	{
15291 		.cmd = NL80211_CMD_SET_BSS,
15292 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15293 		.doit = nl80211_set_bss,
15294 		.flags = GENL_UNS_ADMIN_PERM,
15295 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15296 	},
15297 	{
15298 		.cmd = NL80211_CMD_GET_REG,
15299 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15300 		.doit = nl80211_get_reg_do,
15301 		.dumpit = nl80211_get_reg_dump,
15302 		.internal_flags = 0,
15303 		/* can be retrieved by unprivileged users */
15304 	},
15305 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
15306 	{
15307 		.cmd = NL80211_CMD_SET_REG,
15308 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15309 		.doit = nl80211_set_reg,
15310 		.flags = GENL_ADMIN_PERM,
15311 		.internal_flags = 0,
15312 	},
15313 #endif
15314 	{
15315 		.cmd = NL80211_CMD_REQ_SET_REG,
15316 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15317 		.doit = nl80211_req_set_reg,
15318 		.flags = GENL_ADMIN_PERM,
15319 	},
15320 	{
15321 		.cmd = NL80211_CMD_RELOAD_REGDB,
15322 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15323 		.doit = nl80211_reload_regdb,
15324 		.flags = GENL_ADMIN_PERM,
15325 	},
15326 	{
15327 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
15328 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15329 		.doit = nl80211_get_mesh_config,
15330 		/* can be retrieved by unprivileged users */
15331 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15332 	},
15333 	{
15334 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
15335 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15336 		.doit = nl80211_update_mesh_config,
15337 		.flags = GENL_UNS_ADMIN_PERM,
15338 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15339 	},
15340 	{
15341 		.cmd = NL80211_CMD_TRIGGER_SCAN,
15342 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15343 		.doit = nl80211_trigger_scan,
15344 		.flags = GENL_UNS_ADMIN_PERM,
15345 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15346 	},
15347 	{
15348 		.cmd = NL80211_CMD_ABORT_SCAN,
15349 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15350 		.doit = nl80211_abort_scan,
15351 		.flags = GENL_UNS_ADMIN_PERM,
15352 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15353 	},
15354 	{
15355 		.cmd = NL80211_CMD_GET_SCAN,
15356 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15357 		.dumpit = nl80211_dump_scan,
15358 	},
15359 	{
15360 		.cmd = NL80211_CMD_START_SCHED_SCAN,
15361 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15362 		.doit = nl80211_start_sched_scan,
15363 		.flags = GENL_UNS_ADMIN_PERM,
15364 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15365 	},
15366 	{
15367 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
15368 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15369 		.doit = nl80211_stop_sched_scan,
15370 		.flags = GENL_UNS_ADMIN_PERM,
15371 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15372 	},
15373 	{
15374 		.cmd = NL80211_CMD_AUTHENTICATE,
15375 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15376 		.doit = nl80211_authenticate,
15377 		.flags = GENL_UNS_ADMIN_PERM,
15378 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15379 				  0 |
15380 				  NL80211_FLAG_CLEAR_SKB,
15381 	},
15382 	{
15383 		.cmd = NL80211_CMD_ASSOCIATE,
15384 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15385 		.doit = nl80211_associate,
15386 		.flags = GENL_UNS_ADMIN_PERM,
15387 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15388 				  0 |
15389 				  NL80211_FLAG_CLEAR_SKB,
15390 	},
15391 	{
15392 		.cmd = NL80211_CMD_DEAUTHENTICATE,
15393 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15394 		.doit = nl80211_deauthenticate,
15395 		.flags = GENL_UNS_ADMIN_PERM,
15396 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15397 	},
15398 	{
15399 		.cmd = NL80211_CMD_DISASSOCIATE,
15400 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15401 		.doit = nl80211_disassociate,
15402 		.flags = GENL_UNS_ADMIN_PERM,
15403 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15404 	},
15405 	{
15406 		.cmd = NL80211_CMD_JOIN_IBSS,
15407 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15408 		.doit = nl80211_join_ibss,
15409 		.flags = GENL_UNS_ADMIN_PERM,
15410 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15411 	},
15412 	{
15413 		.cmd = NL80211_CMD_LEAVE_IBSS,
15414 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15415 		.doit = nl80211_leave_ibss,
15416 		.flags = GENL_UNS_ADMIN_PERM,
15417 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15418 	},
15419 #ifdef CONFIG_NL80211_TESTMODE
15420 	{
15421 		.cmd = NL80211_CMD_TESTMODE,
15422 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15423 		.doit = nl80211_testmode_do,
15424 		.dumpit = nl80211_testmode_dump,
15425 		.flags = GENL_UNS_ADMIN_PERM,
15426 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
15427 	},
15428 #endif
15429 	{
15430 		.cmd = NL80211_CMD_CONNECT,
15431 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15432 		.doit = nl80211_connect,
15433 		.flags = GENL_UNS_ADMIN_PERM,
15434 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15435 				  0 |
15436 				  NL80211_FLAG_CLEAR_SKB,
15437 	},
15438 	{
15439 		.cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
15440 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15441 		.doit = nl80211_update_connect_params,
15442 		.flags = GENL_ADMIN_PERM,
15443 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15444 				  0 |
15445 				  NL80211_FLAG_CLEAR_SKB,
15446 	},
15447 	{
15448 		.cmd = NL80211_CMD_DISCONNECT,
15449 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15450 		.doit = nl80211_disconnect,
15451 		.flags = GENL_UNS_ADMIN_PERM,
15452 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15453 	},
15454 	{
15455 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
15456 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15457 		.doit = nl80211_wiphy_netns,
15458 		.flags = GENL_UNS_ADMIN_PERM,
15459 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
15460 				  NL80211_FLAG_NEED_RTNL |
15461 				  NL80211_FLAG_NO_WIPHY_MTX,
15462 	},
15463 	{
15464 		.cmd = NL80211_CMD_GET_SURVEY,
15465 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15466 		.dumpit = nl80211_dump_survey,
15467 	},
15468 	{
15469 		.cmd = NL80211_CMD_SET_PMKSA,
15470 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15471 		.doit = nl80211_setdel_pmksa,
15472 		.flags = GENL_UNS_ADMIN_PERM,
15473 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15474 				  0 |
15475 				  NL80211_FLAG_CLEAR_SKB,
15476 	},
15477 	{
15478 		.cmd = NL80211_CMD_DEL_PMKSA,
15479 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15480 		.doit = nl80211_setdel_pmksa,
15481 		.flags = GENL_UNS_ADMIN_PERM,
15482 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15483 	},
15484 	{
15485 		.cmd = NL80211_CMD_FLUSH_PMKSA,
15486 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15487 		.doit = nl80211_flush_pmksa,
15488 		.flags = GENL_UNS_ADMIN_PERM,
15489 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15490 	},
15491 	{
15492 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
15493 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15494 		.doit = nl80211_remain_on_channel,
15495 		.flags = GENL_UNS_ADMIN_PERM,
15496 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15497 	},
15498 	{
15499 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
15500 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15501 		.doit = nl80211_cancel_remain_on_channel,
15502 		.flags = GENL_UNS_ADMIN_PERM,
15503 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15504 	},
15505 	{
15506 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
15507 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15508 		.doit = nl80211_set_tx_bitrate_mask,
15509 		.flags = GENL_UNS_ADMIN_PERM,
15510 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15511 	},
15512 	{
15513 		.cmd = NL80211_CMD_REGISTER_FRAME,
15514 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15515 		.doit = nl80211_register_mgmt,
15516 		.flags = GENL_UNS_ADMIN_PERM,
15517 		.internal_flags = NL80211_FLAG_NEED_WDEV,
15518 	},
15519 	{
15520 		.cmd = NL80211_CMD_FRAME,
15521 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15522 		.doit = nl80211_tx_mgmt,
15523 		.flags = GENL_UNS_ADMIN_PERM,
15524 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15525 	},
15526 	{
15527 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
15528 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15529 		.doit = nl80211_tx_mgmt_cancel_wait,
15530 		.flags = GENL_UNS_ADMIN_PERM,
15531 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15532 	},
15533 	{
15534 		.cmd = NL80211_CMD_SET_POWER_SAVE,
15535 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15536 		.doit = nl80211_set_power_save,
15537 		.flags = GENL_UNS_ADMIN_PERM,
15538 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15539 	},
15540 	{
15541 		.cmd = NL80211_CMD_GET_POWER_SAVE,
15542 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15543 		.doit = nl80211_get_power_save,
15544 		/* can be retrieved by unprivileged users */
15545 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15546 	},
15547 	{
15548 		.cmd = NL80211_CMD_SET_CQM,
15549 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15550 		.doit = nl80211_set_cqm,
15551 		.flags = GENL_UNS_ADMIN_PERM,
15552 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15553 	},
15554 	{
15555 		.cmd = NL80211_CMD_SET_CHANNEL,
15556 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15557 		.doit = nl80211_set_channel,
15558 		.flags = GENL_UNS_ADMIN_PERM,
15559 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15560 	},
15561 	{
15562 		.cmd = NL80211_CMD_JOIN_MESH,
15563 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15564 		.doit = nl80211_join_mesh,
15565 		.flags = GENL_UNS_ADMIN_PERM,
15566 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15567 	},
15568 	{
15569 		.cmd = NL80211_CMD_LEAVE_MESH,
15570 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15571 		.doit = nl80211_leave_mesh,
15572 		.flags = GENL_UNS_ADMIN_PERM,
15573 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15574 	},
15575 	{
15576 		.cmd = NL80211_CMD_JOIN_OCB,
15577 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15578 		.doit = nl80211_join_ocb,
15579 		.flags = GENL_UNS_ADMIN_PERM,
15580 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15581 	},
15582 	{
15583 		.cmd = NL80211_CMD_LEAVE_OCB,
15584 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15585 		.doit = nl80211_leave_ocb,
15586 		.flags = GENL_UNS_ADMIN_PERM,
15587 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15588 	},
15589 #ifdef CONFIG_PM
15590 	{
15591 		.cmd = NL80211_CMD_GET_WOWLAN,
15592 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15593 		.doit = nl80211_get_wowlan,
15594 		/* can be retrieved by unprivileged users */
15595 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
15596 	},
15597 	{
15598 		.cmd = NL80211_CMD_SET_WOWLAN,
15599 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15600 		.doit = nl80211_set_wowlan,
15601 		.flags = GENL_UNS_ADMIN_PERM,
15602 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
15603 	},
15604 #endif
15605 	{
15606 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
15607 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15608 		.doit = nl80211_set_rekey_data,
15609 		.flags = GENL_UNS_ADMIN_PERM,
15610 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15611 				  0 |
15612 				  NL80211_FLAG_CLEAR_SKB,
15613 	},
15614 	{
15615 		.cmd = NL80211_CMD_TDLS_MGMT,
15616 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15617 		.doit = nl80211_tdls_mgmt,
15618 		.flags = GENL_UNS_ADMIN_PERM,
15619 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15620 	},
15621 	{
15622 		.cmd = NL80211_CMD_TDLS_OPER,
15623 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15624 		.doit = nl80211_tdls_oper,
15625 		.flags = GENL_UNS_ADMIN_PERM,
15626 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15627 	},
15628 	{
15629 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
15630 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15631 		.doit = nl80211_register_unexpected_frame,
15632 		.flags = GENL_UNS_ADMIN_PERM,
15633 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15634 	},
15635 	{
15636 		.cmd = NL80211_CMD_PROBE_CLIENT,
15637 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15638 		.doit = nl80211_probe_client,
15639 		.flags = GENL_UNS_ADMIN_PERM,
15640 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15641 	},
15642 	{
15643 		.cmd = NL80211_CMD_REGISTER_BEACONS,
15644 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15645 		.doit = nl80211_register_beacons,
15646 		.flags = GENL_UNS_ADMIN_PERM,
15647 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
15648 	},
15649 	{
15650 		.cmd = NL80211_CMD_SET_NOACK_MAP,
15651 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15652 		.doit = nl80211_set_noack_map,
15653 		.flags = GENL_UNS_ADMIN_PERM,
15654 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15655 	},
15656 	{
15657 		.cmd = NL80211_CMD_START_P2P_DEVICE,
15658 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15659 		.doit = nl80211_start_p2p_device,
15660 		.flags = GENL_UNS_ADMIN_PERM,
15661 		.internal_flags = NL80211_FLAG_NEED_WDEV |
15662 				  NL80211_FLAG_NEED_RTNL,
15663 	},
15664 	{
15665 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
15666 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15667 		.doit = nl80211_stop_p2p_device,
15668 		.flags = GENL_UNS_ADMIN_PERM,
15669 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
15670 				  NL80211_FLAG_NEED_RTNL,
15671 	},
15672 	{
15673 		.cmd = NL80211_CMD_START_NAN,
15674 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15675 		.doit = nl80211_start_nan,
15676 		.flags = GENL_ADMIN_PERM,
15677 		.internal_flags = NL80211_FLAG_NEED_WDEV |
15678 				  NL80211_FLAG_NEED_RTNL,
15679 	},
15680 	{
15681 		.cmd = NL80211_CMD_STOP_NAN,
15682 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15683 		.doit = nl80211_stop_nan,
15684 		.flags = GENL_ADMIN_PERM,
15685 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
15686 				  NL80211_FLAG_NEED_RTNL,
15687 	},
15688 	{
15689 		.cmd = NL80211_CMD_ADD_NAN_FUNCTION,
15690 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15691 		.doit = nl80211_nan_add_func,
15692 		.flags = GENL_ADMIN_PERM,
15693 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15694 	},
15695 	{
15696 		.cmd = NL80211_CMD_DEL_NAN_FUNCTION,
15697 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15698 		.doit = nl80211_nan_del_func,
15699 		.flags = GENL_ADMIN_PERM,
15700 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15701 	},
15702 	{
15703 		.cmd = NL80211_CMD_CHANGE_NAN_CONFIG,
15704 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15705 		.doit = nl80211_nan_change_config,
15706 		.flags = GENL_ADMIN_PERM,
15707 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15708 	},
15709 	{
15710 		.cmd = NL80211_CMD_SET_MCAST_RATE,
15711 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15712 		.doit = nl80211_set_mcast_rate,
15713 		.flags = GENL_UNS_ADMIN_PERM,
15714 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15715 	},
15716 	{
15717 		.cmd = NL80211_CMD_SET_MAC_ACL,
15718 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15719 		.doit = nl80211_set_mac_acl,
15720 		.flags = GENL_UNS_ADMIN_PERM,
15721 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15722 	},
15723 	{
15724 		.cmd = NL80211_CMD_RADAR_DETECT,
15725 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15726 		.doit = nl80211_start_radar_detection,
15727 		.flags = GENL_UNS_ADMIN_PERM,
15728 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15729 	},
15730 	{
15731 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
15732 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15733 		.doit = nl80211_get_protocol_features,
15734 	},
15735 	{
15736 		.cmd = NL80211_CMD_UPDATE_FT_IES,
15737 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15738 		.doit = nl80211_update_ft_ies,
15739 		.flags = GENL_UNS_ADMIN_PERM,
15740 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15741 	},
15742 	{
15743 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
15744 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15745 		.doit = nl80211_crit_protocol_start,
15746 		.flags = GENL_UNS_ADMIN_PERM,
15747 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15748 	},
15749 	{
15750 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
15751 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15752 		.doit = nl80211_crit_protocol_stop,
15753 		.flags = GENL_UNS_ADMIN_PERM,
15754 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15755 	},
15756 	{
15757 		.cmd = NL80211_CMD_GET_COALESCE,
15758 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15759 		.doit = nl80211_get_coalesce,
15760 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
15761 	},
15762 	{
15763 		.cmd = NL80211_CMD_SET_COALESCE,
15764 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15765 		.doit = nl80211_set_coalesce,
15766 		.flags = GENL_UNS_ADMIN_PERM,
15767 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
15768 	},
15769 	{
15770 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
15771 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15772 		.doit = nl80211_channel_switch,
15773 		.flags = GENL_UNS_ADMIN_PERM,
15774 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15775 	},
15776 	{
15777 		.cmd = NL80211_CMD_VENDOR,
15778 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15779 		.doit = nl80211_vendor_cmd,
15780 		.dumpit = nl80211_vendor_cmd_dump,
15781 		.flags = GENL_UNS_ADMIN_PERM,
15782 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
15783 				  0 |
15784 				  NL80211_FLAG_CLEAR_SKB,
15785 	},
15786 	{
15787 		.cmd = NL80211_CMD_SET_QOS_MAP,
15788 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15789 		.doit = nl80211_set_qos_map,
15790 		.flags = GENL_UNS_ADMIN_PERM,
15791 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15792 	},
15793 	{
15794 		.cmd = NL80211_CMD_ADD_TX_TS,
15795 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15796 		.doit = nl80211_add_tx_ts,
15797 		.flags = GENL_UNS_ADMIN_PERM,
15798 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15799 	},
15800 	{
15801 		.cmd = NL80211_CMD_DEL_TX_TS,
15802 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15803 		.doit = nl80211_del_tx_ts,
15804 		.flags = GENL_UNS_ADMIN_PERM,
15805 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15806 	},
15807 	{
15808 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
15809 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15810 		.doit = nl80211_tdls_channel_switch,
15811 		.flags = GENL_UNS_ADMIN_PERM,
15812 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15813 	},
15814 	{
15815 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
15816 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15817 		.doit = nl80211_tdls_cancel_channel_switch,
15818 		.flags = GENL_UNS_ADMIN_PERM,
15819 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15820 	},
15821 	{
15822 		.cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
15823 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15824 		.doit = nl80211_set_multicast_to_unicast,
15825 		.flags = GENL_UNS_ADMIN_PERM,
15826 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15827 	},
15828 	{
15829 		.cmd = NL80211_CMD_SET_PMK,
15830 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15831 		.doit = nl80211_set_pmk,
15832 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15833 				  0 |
15834 				  NL80211_FLAG_CLEAR_SKB,
15835 	},
15836 	{
15837 		.cmd = NL80211_CMD_DEL_PMK,
15838 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15839 		.doit = nl80211_del_pmk,
15840 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15841 	},
15842 	{
15843 		.cmd = NL80211_CMD_EXTERNAL_AUTH,
15844 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15845 		.doit = nl80211_external_auth,
15846 		.flags = GENL_ADMIN_PERM,
15847 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15848 	},
15849 	{
15850 		.cmd = NL80211_CMD_CONTROL_PORT_FRAME,
15851 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15852 		.doit = nl80211_tx_control_port,
15853 		.flags = GENL_UNS_ADMIN_PERM,
15854 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15855 	},
15856 	{
15857 		.cmd = NL80211_CMD_GET_FTM_RESPONDER_STATS,
15858 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15859 		.doit = nl80211_get_ftm_responder_stats,
15860 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15861 	},
15862 	{
15863 		.cmd = NL80211_CMD_PEER_MEASUREMENT_START,
15864 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15865 		.doit = nl80211_pmsr_start,
15866 		.flags = GENL_UNS_ADMIN_PERM,
15867 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15868 	},
15869 	{
15870 		.cmd = NL80211_CMD_NOTIFY_RADAR,
15871 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15872 		.doit = nl80211_notify_radar_detection,
15873 		.flags = GENL_UNS_ADMIN_PERM,
15874 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15875 	},
15876 	{
15877 		.cmd = NL80211_CMD_UPDATE_OWE_INFO,
15878 		.doit = nl80211_update_owe_info,
15879 		.flags = GENL_ADMIN_PERM,
15880 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15881 	},
15882 	{
15883 		.cmd = NL80211_CMD_PROBE_MESH_LINK,
15884 		.doit = nl80211_probe_mesh_link,
15885 		.flags = GENL_UNS_ADMIN_PERM,
15886 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15887 	},
15888 	{
15889 		.cmd = NL80211_CMD_SET_TID_CONFIG,
15890 		.doit = nl80211_set_tid_config,
15891 		.flags = GENL_UNS_ADMIN_PERM,
15892 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15893 	},
15894 	{
15895 		.cmd = NL80211_CMD_SET_SAR_SPECS,
15896 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15897 		.doit = nl80211_set_sar_specs,
15898 		.flags = GENL_UNS_ADMIN_PERM,
15899 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
15900 				  NL80211_FLAG_NEED_RTNL,
15901 	},
15902 	{
15903 		.cmd = NL80211_CMD_COLOR_CHANGE_REQUEST,
15904 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15905 		.doit = nl80211_color_change,
15906 		.flags = GENL_UNS_ADMIN_PERM,
15907 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15908 				  NL80211_FLAG_NEED_RTNL,
15909 	},
15910 };
15911 
15912 static struct genl_family nl80211_fam __ro_after_init = {
15913 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
15914 	.hdrsize = 0,			/* no private header */
15915 	.version = 1,			/* no particular meaning now */
15916 	.maxattr = NL80211_ATTR_MAX,
15917 	.policy = nl80211_policy,
15918 	.netnsok = true,
15919 	.pre_doit = nl80211_pre_doit,
15920 	.post_doit = nl80211_post_doit,
15921 	.module = THIS_MODULE,
15922 	.ops = nl80211_ops,
15923 	.n_ops = ARRAY_SIZE(nl80211_ops),
15924 	.small_ops = nl80211_small_ops,
15925 	.n_small_ops = ARRAY_SIZE(nl80211_small_ops),
15926 	.mcgrps = nl80211_mcgrps,
15927 	.n_mcgrps = ARRAY_SIZE(nl80211_mcgrps),
15928 	.parallel_ops = true,
15929 };
15930 
15931 /* notification functions */
15932 
nl80211_notify_wiphy(struct cfg80211_registered_device * rdev,enum nl80211_commands cmd)15933 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
15934 			  enum nl80211_commands cmd)
15935 {
15936 	struct sk_buff *msg;
15937 	struct nl80211_dump_wiphy_state state = {};
15938 
15939 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
15940 		cmd != NL80211_CMD_DEL_WIPHY);
15941 
15942 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15943 	if (!msg)
15944 		return;
15945 
15946 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
15947 		nlmsg_free(msg);
15948 		return;
15949 	}
15950 
15951 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15952 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
15953 }
15954 
nl80211_notify_iface(struct cfg80211_registered_device * rdev,struct wireless_dev * wdev,enum nl80211_commands cmd)15955 void nl80211_notify_iface(struct cfg80211_registered_device *rdev,
15956 				struct wireless_dev *wdev,
15957 				enum nl80211_commands cmd)
15958 {
15959 	struct sk_buff *msg;
15960 
15961 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15962 	if (!msg)
15963 		return;
15964 
15965 	if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, cmd) < 0) {
15966 		nlmsg_free(msg);
15967 		return;
15968 	}
15969 
15970 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15971 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
15972 }
15973 
nl80211_add_scan_req(struct sk_buff * msg,struct cfg80211_registered_device * rdev)15974 static int nl80211_add_scan_req(struct sk_buff *msg,
15975 				struct cfg80211_registered_device *rdev)
15976 {
15977 	struct cfg80211_scan_request *req = rdev->scan_req;
15978 	struct nlattr *nest;
15979 	int i;
15980 	struct cfg80211_scan_info *info;
15981 
15982 	if (WARN_ON(!req))
15983 		return 0;
15984 
15985 	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_SSIDS);
15986 	if (!nest)
15987 		goto nla_put_failure;
15988 	for (i = 0; i < req->n_ssids; i++) {
15989 		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
15990 			goto nla_put_failure;
15991 	}
15992 	nla_nest_end(msg, nest);
15993 
15994 	if (req->flags & NL80211_SCAN_FLAG_FREQ_KHZ) {
15995 		nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQ_KHZ);
15996 		if (!nest)
15997 			goto nla_put_failure;
15998 		for (i = 0; i < req->n_channels; i++) {
15999 			if (nla_put_u32(msg, i,
16000 				   ieee80211_channel_to_khz(req->channels[i])))
16001 				goto nla_put_failure;
16002 		}
16003 		nla_nest_end(msg, nest);
16004 	} else {
16005 		nest = nla_nest_start_noflag(msg,
16006 					     NL80211_ATTR_SCAN_FREQUENCIES);
16007 		if (!nest)
16008 			goto nla_put_failure;
16009 		for (i = 0; i < req->n_channels; i++) {
16010 			if (nla_put_u32(msg, i, req->channels[i]->center_freq))
16011 				goto nla_put_failure;
16012 		}
16013 		nla_nest_end(msg, nest);
16014 	}
16015 
16016 	if (req->ie &&
16017 	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
16018 		goto nla_put_failure;
16019 
16020 	if (req->flags &&
16021 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
16022 		goto nla_put_failure;
16023 
16024 	info = rdev->int_scan_req ? &rdev->int_scan_req->info :
16025 		&rdev->scan_req->info;
16026 	if (info->scan_start_tsf &&
16027 	    (nla_put_u64_64bit(msg, NL80211_ATTR_SCAN_START_TIME_TSF,
16028 			       info->scan_start_tsf, NL80211_BSS_PAD) ||
16029 	     nla_put(msg, NL80211_ATTR_SCAN_START_TIME_TSF_BSSID, ETH_ALEN,
16030 		     info->tsf_bssid)))
16031 		goto nla_put_failure;
16032 
16033 	return 0;
16034  nla_put_failure:
16035 	return -ENOBUFS;
16036 }
16037 
nl80211_prep_scan_msg(struct sk_buff * msg,struct cfg80211_registered_device * rdev,struct wireless_dev * wdev,u32 portid,u32 seq,int flags,u32 cmd)16038 static int nl80211_prep_scan_msg(struct sk_buff *msg,
16039 				 struct cfg80211_registered_device *rdev,
16040 				 struct wireless_dev *wdev,
16041 				 u32 portid, u32 seq, int flags,
16042 				 u32 cmd)
16043 {
16044 	void *hdr;
16045 
16046 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
16047 	if (!hdr)
16048 		return -1;
16049 
16050 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16051 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
16052 					 wdev->netdev->ifindex)) ||
16053 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16054 			      NL80211_ATTR_PAD))
16055 		goto nla_put_failure;
16056 
16057 	/* ignore errors and send incomplete event anyway */
16058 	nl80211_add_scan_req(msg, rdev);
16059 
16060 	genlmsg_end(msg, hdr);
16061 	return 0;
16062 
16063  nla_put_failure:
16064 	genlmsg_cancel(msg, hdr);
16065 	return -EMSGSIZE;
16066 }
16067 
16068 static int
nl80211_prep_sched_scan_msg(struct sk_buff * msg,struct cfg80211_sched_scan_request * req,u32 cmd)16069 nl80211_prep_sched_scan_msg(struct sk_buff *msg,
16070 			    struct cfg80211_sched_scan_request *req, u32 cmd)
16071 {
16072 	void *hdr;
16073 
16074 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
16075 	if (!hdr)
16076 		return -1;
16077 
16078 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY,
16079 			wiphy_to_rdev(req->wiphy)->wiphy_idx) ||
16080 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, req->dev->ifindex) ||
16081 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, req->reqid,
16082 			      NL80211_ATTR_PAD))
16083 		goto nla_put_failure;
16084 
16085 	genlmsg_end(msg, hdr);
16086 	return 0;
16087 
16088  nla_put_failure:
16089 	genlmsg_cancel(msg, hdr);
16090 	return -EMSGSIZE;
16091 }
16092 
nl80211_send_scan_start(struct cfg80211_registered_device * rdev,struct wireless_dev * wdev)16093 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
16094 			     struct wireless_dev *wdev)
16095 {
16096 	struct sk_buff *msg;
16097 
16098 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16099 	if (!msg)
16100 		return;
16101 
16102 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
16103 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
16104 		nlmsg_free(msg);
16105 		return;
16106 	}
16107 
16108 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16109 				NL80211_MCGRP_SCAN, GFP_KERNEL);
16110 }
16111 
nl80211_build_scan_msg(struct cfg80211_registered_device * rdev,struct wireless_dev * wdev,bool aborted)16112 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
16113 				       struct wireless_dev *wdev, bool aborted)
16114 {
16115 	struct sk_buff *msg;
16116 
16117 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16118 	if (!msg)
16119 		return NULL;
16120 
16121 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
16122 				  aborted ? NL80211_CMD_SCAN_ABORTED :
16123 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
16124 		nlmsg_free(msg);
16125 		return NULL;
16126 	}
16127 
16128 	return msg;
16129 }
16130 
16131 /* send message created by nl80211_build_scan_msg() */
nl80211_send_scan_msg(struct cfg80211_registered_device * rdev,struct sk_buff * msg)16132 void nl80211_send_scan_msg(struct cfg80211_registered_device *rdev,
16133 			   struct sk_buff *msg)
16134 {
16135 	if (!msg)
16136 		return;
16137 
16138 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16139 				NL80211_MCGRP_SCAN, GFP_KERNEL);
16140 }
16141 
nl80211_send_sched_scan(struct cfg80211_sched_scan_request * req,u32 cmd)16142 void nl80211_send_sched_scan(struct cfg80211_sched_scan_request *req, u32 cmd)
16143 {
16144 	struct sk_buff *msg;
16145 
16146 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16147 	if (!msg)
16148 		return;
16149 
16150 	if (nl80211_prep_sched_scan_msg(msg, req, cmd) < 0) {
16151 		nlmsg_free(msg);
16152 		return;
16153 	}
16154 
16155 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(req->wiphy), msg, 0,
16156 				NL80211_MCGRP_SCAN, GFP_KERNEL);
16157 }
16158 
nl80211_reg_change_event_fill(struct sk_buff * msg,struct regulatory_request * request)16159 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
16160 					  struct regulatory_request *request)
16161 {
16162 	/* Userspace can always count this one always being set */
16163 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
16164 		goto nla_put_failure;
16165 
16166 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
16167 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
16168 			       NL80211_REGDOM_TYPE_WORLD))
16169 			goto nla_put_failure;
16170 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
16171 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
16172 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
16173 			goto nla_put_failure;
16174 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
16175 		   request->intersect) {
16176 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
16177 			       NL80211_REGDOM_TYPE_INTERSECTION))
16178 			goto nla_put_failure;
16179 	} else {
16180 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
16181 			       NL80211_REGDOM_TYPE_COUNTRY) ||
16182 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
16183 				   request->alpha2))
16184 			goto nla_put_failure;
16185 	}
16186 
16187 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
16188 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
16189 
16190 		if (wiphy &&
16191 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
16192 			goto nla_put_failure;
16193 
16194 		if (wiphy &&
16195 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
16196 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
16197 			goto nla_put_failure;
16198 	}
16199 
16200 	return true;
16201 
16202 nla_put_failure:
16203 	return false;
16204 }
16205 
16206 /*
16207  * This can happen on global regulatory changes or device specific settings
16208  * based on custom regulatory domains.
16209  */
nl80211_common_reg_change_event(enum nl80211_commands cmd_id,struct regulatory_request * request)16210 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
16211 				     struct regulatory_request *request)
16212 {
16213 	struct sk_buff *msg;
16214 	void *hdr;
16215 
16216 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16217 	if (!msg)
16218 		return;
16219 
16220 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
16221 	if (!hdr)
16222 		goto nla_put_failure;
16223 
16224 	if (!nl80211_reg_change_event_fill(msg, request))
16225 		goto nla_put_failure;
16226 
16227 	genlmsg_end(msg, hdr);
16228 
16229 	rcu_read_lock();
16230 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
16231 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
16232 	rcu_read_unlock();
16233 
16234 	return;
16235 
16236 nla_put_failure:
16237 	nlmsg_free(msg);
16238 }
16239 
nl80211_send_mlme_event(struct cfg80211_registered_device * rdev,struct net_device * netdev,const u8 * buf,size_t len,enum nl80211_commands cmd,gfp_t gfp,int uapsd_queues,const u8 * req_ies,size_t req_ies_len,bool reconnect)16240 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
16241 				    struct net_device *netdev,
16242 				    const u8 *buf, size_t len,
16243 				    enum nl80211_commands cmd, gfp_t gfp,
16244 				    int uapsd_queues, const u8 *req_ies,
16245 				    size_t req_ies_len, bool reconnect)
16246 {
16247 	struct sk_buff *msg;
16248 	void *hdr;
16249 
16250 	msg = nlmsg_new(100 + len + req_ies_len, gfp);
16251 	if (!msg)
16252 		return;
16253 
16254 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
16255 	if (!hdr) {
16256 		nlmsg_free(msg);
16257 		return;
16258 	}
16259 
16260 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16261 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16262 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
16263 	    (req_ies &&
16264 	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ies_len, req_ies)))
16265 		goto nla_put_failure;
16266 
16267 	if (reconnect && nla_put_flag(msg, NL80211_ATTR_RECONNECT_REQUESTED))
16268 		goto nla_put_failure;
16269 
16270 	if (uapsd_queues >= 0) {
16271 		struct nlattr *nla_wmm =
16272 			nla_nest_start_noflag(msg, NL80211_ATTR_STA_WME);
16273 		if (!nla_wmm)
16274 			goto nla_put_failure;
16275 
16276 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
16277 			       uapsd_queues))
16278 			goto nla_put_failure;
16279 
16280 		nla_nest_end(msg, nla_wmm);
16281 	}
16282 
16283 	genlmsg_end(msg, hdr);
16284 
16285 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16286 				NL80211_MCGRP_MLME, gfp);
16287 	return;
16288 
16289  nla_put_failure:
16290 	nlmsg_free(msg);
16291 }
16292 
nl80211_send_rx_auth(struct cfg80211_registered_device * rdev,struct net_device * netdev,const u8 * buf,size_t len,gfp_t gfp)16293 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
16294 			  struct net_device *netdev, const u8 *buf,
16295 			  size_t len, gfp_t gfp)
16296 {
16297 	nl80211_send_mlme_event(rdev, netdev, buf, len,
16298 				NL80211_CMD_AUTHENTICATE, gfp, -1, NULL, 0,
16299 				false);
16300 }
16301 
nl80211_send_rx_assoc(struct cfg80211_registered_device * rdev,struct net_device * netdev,const u8 * buf,size_t len,gfp_t gfp,int uapsd_queues,const u8 * req_ies,size_t req_ies_len)16302 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
16303 			   struct net_device *netdev, const u8 *buf,
16304 			   size_t len, gfp_t gfp, int uapsd_queues,
16305 			   const u8 *req_ies, size_t req_ies_len)
16306 {
16307 	nl80211_send_mlme_event(rdev, netdev, buf, len,
16308 				NL80211_CMD_ASSOCIATE, gfp, uapsd_queues,
16309 				req_ies, req_ies_len, false);
16310 }
16311 
nl80211_send_deauth(struct cfg80211_registered_device * rdev,struct net_device * netdev,const u8 * buf,size_t len,bool reconnect,gfp_t gfp)16312 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
16313 			 struct net_device *netdev, const u8 *buf,
16314 			 size_t len, bool reconnect, gfp_t gfp)
16315 {
16316 	nl80211_send_mlme_event(rdev, netdev, buf, len,
16317 				NL80211_CMD_DEAUTHENTICATE, gfp, -1, NULL, 0,
16318 				reconnect);
16319 }
16320 
nl80211_send_disassoc(struct cfg80211_registered_device * rdev,struct net_device * netdev,const u8 * buf,size_t len,bool reconnect,gfp_t gfp)16321 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
16322 			   struct net_device *netdev, const u8 *buf,
16323 			   size_t len, bool reconnect, gfp_t gfp)
16324 {
16325 	nl80211_send_mlme_event(rdev, netdev, buf, len,
16326 				NL80211_CMD_DISASSOCIATE, gfp, -1, NULL, 0,
16327 				reconnect);
16328 }
16329 
cfg80211_rx_unprot_mlme_mgmt(struct net_device * dev,const u8 * buf,size_t len)16330 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
16331 				  size_t len)
16332 {
16333 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16334 	struct wiphy *wiphy = wdev->wiphy;
16335 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16336 	const struct ieee80211_mgmt *mgmt = (void *)buf;
16337 	u32 cmd;
16338 
16339 	if (WARN_ON(len < 2))
16340 		return;
16341 
16342 	if (ieee80211_is_deauth(mgmt->frame_control)) {
16343 		cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
16344 	} else if (ieee80211_is_disassoc(mgmt->frame_control)) {
16345 		cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
16346 	} else if (ieee80211_is_beacon(mgmt->frame_control)) {
16347 		if (wdev->unprot_beacon_reported &&
16348 		    elapsed_jiffies_msecs(wdev->unprot_beacon_reported) < 10000)
16349 			return;
16350 		cmd = NL80211_CMD_UNPROT_BEACON;
16351 		wdev->unprot_beacon_reported = jiffies;
16352 	} else {
16353 		return;
16354 	}
16355 
16356 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
16357 	nl80211_send_mlme_event(rdev, dev, buf, len, cmd, GFP_ATOMIC, -1,
16358 				NULL, 0, false);
16359 }
16360 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
16361 
nl80211_send_mlme_timeout(struct cfg80211_registered_device * rdev,struct net_device * netdev,int cmd,const u8 * addr,gfp_t gfp)16362 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
16363 				      struct net_device *netdev, int cmd,
16364 				      const u8 *addr, gfp_t gfp)
16365 {
16366 	struct sk_buff *msg;
16367 	void *hdr;
16368 
16369 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16370 	if (!msg)
16371 		return;
16372 
16373 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
16374 	if (!hdr) {
16375 		nlmsg_free(msg);
16376 		return;
16377 	}
16378 
16379 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16380 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16381 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
16382 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
16383 		goto nla_put_failure;
16384 
16385 	genlmsg_end(msg, hdr);
16386 
16387 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16388 				NL80211_MCGRP_MLME, gfp);
16389 	return;
16390 
16391  nla_put_failure:
16392 	nlmsg_free(msg);
16393 }
16394 
nl80211_send_auth_timeout(struct cfg80211_registered_device * rdev,struct net_device * netdev,const u8 * addr,gfp_t gfp)16395 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
16396 			       struct net_device *netdev, const u8 *addr,
16397 			       gfp_t gfp)
16398 {
16399 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
16400 				  addr, gfp);
16401 }
16402 
nl80211_send_assoc_timeout(struct cfg80211_registered_device * rdev,struct net_device * netdev,const u8 * addr,gfp_t gfp)16403 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
16404 				struct net_device *netdev, const u8 *addr,
16405 				gfp_t gfp)
16406 {
16407 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
16408 				  addr, gfp);
16409 }
16410 
nl80211_send_connect_result(struct cfg80211_registered_device * rdev,struct net_device * netdev,struct cfg80211_connect_resp_params * cr,gfp_t gfp)16411 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
16412 				 struct net_device *netdev,
16413 				 struct cfg80211_connect_resp_params *cr,
16414 				 gfp_t gfp)
16415 {
16416 	struct sk_buff *msg;
16417 	void *hdr;
16418 
16419 	msg = nlmsg_new(100 + cr->req_ie_len + cr->resp_ie_len +
16420 			cr->fils.kek_len + cr->fils.pmk_len +
16421 			(cr->fils.pmkid ? WLAN_PMKID_LEN : 0), gfp);
16422 	if (!msg)
16423 		return;
16424 
16425 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
16426 	if (!hdr) {
16427 		nlmsg_free(msg);
16428 		return;
16429 	}
16430 
16431 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16432 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16433 	    (cr->bssid &&
16434 	     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, cr->bssid)) ||
16435 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
16436 			cr->status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE :
16437 			cr->status) ||
16438 	    (cr->status < 0 &&
16439 	     (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
16440 	      nla_put_u32(msg, NL80211_ATTR_TIMEOUT_REASON,
16441 			  cr->timeout_reason))) ||
16442 	    (cr->req_ie &&
16443 	     nla_put(msg, NL80211_ATTR_REQ_IE, cr->req_ie_len, cr->req_ie)) ||
16444 	    (cr->resp_ie &&
16445 	     nla_put(msg, NL80211_ATTR_RESP_IE, cr->resp_ie_len,
16446 		     cr->resp_ie)) ||
16447 	    (cr->fils.update_erp_next_seq_num &&
16448 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
16449 			 cr->fils.erp_next_seq_num)) ||
16450 	    (cr->status == WLAN_STATUS_SUCCESS &&
16451 	     ((cr->fils.kek &&
16452 	       nla_put(msg, NL80211_ATTR_FILS_KEK, cr->fils.kek_len,
16453 		       cr->fils.kek)) ||
16454 	      (cr->fils.pmk &&
16455 	       nla_put(msg, NL80211_ATTR_PMK, cr->fils.pmk_len, cr->fils.pmk)) ||
16456 	      (cr->fils.pmkid &&
16457 	       nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, cr->fils.pmkid)))))
16458 		goto nla_put_failure;
16459 
16460 	genlmsg_end(msg, hdr);
16461 
16462 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16463 				NL80211_MCGRP_MLME, gfp);
16464 	return;
16465 
16466  nla_put_failure:
16467 	nlmsg_free(msg);
16468 }
16469 
nl80211_send_roamed(struct cfg80211_registered_device * rdev,struct net_device * netdev,struct cfg80211_roam_info * info,gfp_t gfp)16470 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
16471 			 struct net_device *netdev,
16472 			 struct cfg80211_roam_info *info, gfp_t gfp)
16473 {
16474 	struct sk_buff *msg;
16475 	void *hdr;
16476 	const u8 *bssid = info->bss ? info->bss->bssid : info->bssid;
16477 
16478 	msg = nlmsg_new(100 + info->req_ie_len + info->resp_ie_len +
16479 			info->fils.kek_len + info->fils.pmk_len +
16480 			(info->fils.pmkid ? WLAN_PMKID_LEN : 0), gfp);
16481 	if (!msg)
16482 		return;
16483 
16484 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
16485 	if (!hdr) {
16486 		nlmsg_free(msg);
16487 		return;
16488 	}
16489 
16490 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16491 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16492 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid) ||
16493 	    (info->req_ie &&
16494 	     nla_put(msg, NL80211_ATTR_REQ_IE, info->req_ie_len,
16495 		     info->req_ie)) ||
16496 	    (info->resp_ie &&
16497 	     nla_put(msg, NL80211_ATTR_RESP_IE, info->resp_ie_len,
16498 		     info->resp_ie)) ||
16499 	    (info->fils.update_erp_next_seq_num &&
16500 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
16501 			 info->fils.erp_next_seq_num)) ||
16502 	    (info->fils.kek &&
16503 	     nla_put(msg, NL80211_ATTR_FILS_KEK, info->fils.kek_len,
16504 		     info->fils.kek)) ||
16505 	    (info->fils.pmk &&
16506 	     nla_put(msg, NL80211_ATTR_PMK, info->fils.pmk_len, info->fils.pmk)) ||
16507 	    (info->fils.pmkid &&
16508 	     nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, info->fils.pmkid)))
16509 		goto nla_put_failure;
16510 
16511 	genlmsg_end(msg, hdr);
16512 
16513 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16514 				NL80211_MCGRP_MLME, gfp);
16515 	return;
16516 
16517  nla_put_failure:
16518 	nlmsg_free(msg);
16519 }
16520 
nl80211_send_port_authorized(struct cfg80211_registered_device * rdev,struct net_device * netdev,const u8 * bssid)16521 void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
16522 				  struct net_device *netdev, const u8 *bssid)
16523 {
16524 	struct sk_buff *msg;
16525 	void *hdr;
16526 
16527 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16528 	if (!msg)
16529 		return;
16530 
16531 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PORT_AUTHORIZED);
16532 	if (!hdr) {
16533 		nlmsg_free(msg);
16534 		return;
16535 	}
16536 
16537 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16538 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16539 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
16540 		goto nla_put_failure;
16541 
16542 	genlmsg_end(msg, hdr);
16543 
16544 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16545 				NL80211_MCGRP_MLME, GFP_KERNEL);
16546 	return;
16547 
16548  nla_put_failure:
16549 	nlmsg_free(msg);
16550 }
16551 
nl80211_send_disconnected(struct cfg80211_registered_device * rdev,struct net_device * netdev,u16 reason,const u8 * ie,size_t ie_len,bool from_ap)16552 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
16553 			       struct net_device *netdev, u16 reason,
16554 			       const u8 *ie, size_t ie_len, bool from_ap)
16555 {
16556 	struct sk_buff *msg;
16557 	void *hdr;
16558 
16559 	msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
16560 	if (!msg)
16561 		return;
16562 
16563 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
16564 	if (!hdr) {
16565 		nlmsg_free(msg);
16566 		return;
16567 	}
16568 
16569 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16570 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16571 	    (reason &&
16572 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
16573 	    (from_ap &&
16574 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
16575 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
16576 		goto nla_put_failure;
16577 
16578 	genlmsg_end(msg, hdr);
16579 
16580 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16581 				NL80211_MCGRP_MLME, GFP_KERNEL);
16582 	return;
16583 
16584  nla_put_failure:
16585 	nlmsg_free(msg);
16586 }
16587 
nl80211_send_ibss_bssid(struct cfg80211_registered_device * rdev,struct net_device * netdev,const u8 * bssid,gfp_t gfp)16588 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
16589 			     struct net_device *netdev, const u8 *bssid,
16590 			     gfp_t gfp)
16591 {
16592 	struct sk_buff *msg;
16593 	void *hdr;
16594 
16595 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16596 	if (!msg)
16597 		return;
16598 
16599 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
16600 	if (!hdr) {
16601 		nlmsg_free(msg);
16602 		return;
16603 	}
16604 
16605 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16606 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16607 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
16608 		goto nla_put_failure;
16609 
16610 	genlmsg_end(msg, hdr);
16611 
16612 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16613 				NL80211_MCGRP_MLME, gfp);
16614 	return;
16615 
16616  nla_put_failure:
16617 	nlmsg_free(msg);
16618 }
16619 
cfg80211_notify_new_peer_candidate(struct net_device * dev,const u8 * addr,const u8 * ie,u8 ie_len,int sig_dbm,gfp_t gfp)16620 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
16621 					const u8 *ie, u8 ie_len,
16622 					int sig_dbm, gfp_t gfp)
16623 {
16624 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16625 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16626 	struct sk_buff *msg;
16627 	void *hdr;
16628 
16629 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
16630 		return;
16631 
16632 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
16633 
16634 	msg = nlmsg_new(100 + ie_len, gfp);
16635 	if (!msg)
16636 		return;
16637 
16638 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
16639 	if (!hdr) {
16640 		nlmsg_free(msg);
16641 		return;
16642 	}
16643 
16644 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16645 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
16646 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
16647 	    (ie_len && ie &&
16648 	     nla_put(msg, NL80211_ATTR_IE, ie_len, ie)) ||
16649 	    (sig_dbm &&
16650 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)))
16651 		goto nla_put_failure;
16652 
16653 	genlmsg_end(msg, hdr);
16654 
16655 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16656 				NL80211_MCGRP_MLME, gfp);
16657 	return;
16658 
16659  nla_put_failure:
16660 	nlmsg_free(msg);
16661 }
16662 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
16663 
nl80211_michael_mic_failure(struct cfg80211_registered_device * rdev,struct net_device * netdev,const u8 * addr,enum nl80211_key_type key_type,int key_id,const u8 * tsc,gfp_t gfp)16664 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
16665 				 struct net_device *netdev, const u8 *addr,
16666 				 enum nl80211_key_type key_type, int key_id,
16667 				 const u8 *tsc, gfp_t gfp)
16668 {
16669 	struct sk_buff *msg;
16670 	void *hdr;
16671 
16672 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16673 	if (!msg)
16674 		return;
16675 
16676 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
16677 	if (!hdr) {
16678 		nlmsg_free(msg);
16679 		return;
16680 	}
16681 
16682 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16683 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16684 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
16685 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
16686 	    (key_id != -1 &&
16687 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
16688 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
16689 		goto nla_put_failure;
16690 
16691 	genlmsg_end(msg, hdr);
16692 
16693 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16694 				NL80211_MCGRP_MLME, gfp);
16695 	return;
16696 
16697  nla_put_failure:
16698 	nlmsg_free(msg);
16699 }
16700 
nl80211_send_beacon_hint_event(struct wiphy * wiphy,struct ieee80211_channel * channel_before,struct ieee80211_channel * channel_after)16701 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
16702 				    struct ieee80211_channel *channel_before,
16703 				    struct ieee80211_channel *channel_after)
16704 {
16705 	struct sk_buff *msg;
16706 	void *hdr;
16707 	struct nlattr *nl_freq;
16708 
16709 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
16710 	if (!msg)
16711 		return;
16712 
16713 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
16714 	if (!hdr) {
16715 		nlmsg_free(msg);
16716 		return;
16717 	}
16718 
16719 	/*
16720 	 * Since we are applying the beacon hint to a wiphy we know its
16721 	 * wiphy_idx is valid
16722 	 */
16723 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
16724 		goto nla_put_failure;
16725 
16726 	/* Before */
16727 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_BEFORE);
16728 	if (!nl_freq)
16729 		goto nla_put_failure;
16730 
16731 	if (nl80211_msg_put_channel(msg, wiphy, channel_before, false))
16732 		goto nla_put_failure;
16733 	nla_nest_end(msg, nl_freq);
16734 
16735 	/* After */
16736 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_AFTER);
16737 	if (!nl_freq)
16738 		goto nla_put_failure;
16739 
16740 	if (nl80211_msg_put_channel(msg, wiphy, channel_after, false))
16741 		goto nla_put_failure;
16742 	nla_nest_end(msg, nl_freq);
16743 
16744 	genlmsg_end(msg, hdr);
16745 
16746 	rcu_read_lock();
16747 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
16748 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
16749 	rcu_read_unlock();
16750 
16751 	return;
16752 
16753 nla_put_failure:
16754 	nlmsg_free(msg);
16755 }
16756 
nl80211_send_remain_on_chan_event(int cmd,struct cfg80211_registered_device * rdev,struct wireless_dev * wdev,u64 cookie,struct ieee80211_channel * chan,unsigned int duration,gfp_t gfp)16757 static void nl80211_send_remain_on_chan_event(
16758 	int cmd, struct cfg80211_registered_device *rdev,
16759 	struct wireless_dev *wdev, u64 cookie,
16760 	struct ieee80211_channel *chan,
16761 	unsigned int duration, gfp_t gfp)
16762 {
16763 	struct sk_buff *msg;
16764 	void *hdr;
16765 
16766 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16767 	if (!msg)
16768 		return;
16769 
16770 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
16771 	if (!hdr) {
16772 		nlmsg_free(msg);
16773 		return;
16774 	}
16775 
16776 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16777 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
16778 					 wdev->netdev->ifindex)) ||
16779 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16780 			      NL80211_ATTR_PAD) ||
16781 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
16782 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
16783 			NL80211_CHAN_NO_HT) ||
16784 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
16785 			      NL80211_ATTR_PAD))
16786 		goto nla_put_failure;
16787 
16788 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
16789 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
16790 		goto nla_put_failure;
16791 
16792 	genlmsg_end(msg, hdr);
16793 
16794 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16795 				NL80211_MCGRP_MLME, gfp);
16796 	return;
16797 
16798  nla_put_failure:
16799 	nlmsg_free(msg);
16800 }
16801 
cfg80211_ready_on_channel(struct wireless_dev * wdev,u64 cookie,struct ieee80211_channel * chan,unsigned int duration,gfp_t gfp)16802 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
16803 			       struct ieee80211_channel *chan,
16804 			       unsigned int duration, gfp_t gfp)
16805 {
16806 	struct wiphy *wiphy = wdev->wiphy;
16807 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16808 
16809 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
16810 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
16811 					  rdev, wdev, cookie, chan,
16812 					  duration, gfp);
16813 }
16814 EXPORT_SYMBOL(cfg80211_ready_on_channel);
16815 
cfg80211_remain_on_channel_expired(struct wireless_dev * wdev,u64 cookie,struct ieee80211_channel * chan,gfp_t gfp)16816 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
16817 					struct ieee80211_channel *chan,
16818 					gfp_t gfp)
16819 {
16820 	struct wiphy *wiphy = wdev->wiphy;
16821 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16822 
16823 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
16824 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
16825 					  rdev, wdev, cookie, chan, 0, gfp);
16826 }
16827 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
16828 
cfg80211_tx_mgmt_expired(struct wireless_dev * wdev,u64 cookie,struct ieee80211_channel * chan,gfp_t gfp)16829 void cfg80211_tx_mgmt_expired(struct wireless_dev *wdev, u64 cookie,
16830 					struct ieee80211_channel *chan,
16831 					gfp_t gfp)
16832 {
16833 	struct wiphy *wiphy = wdev->wiphy;
16834 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16835 
16836 	trace_cfg80211_tx_mgmt_expired(wdev, cookie, chan);
16837 	nl80211_send_remain_on_chan_event(NL80211_CMD_FRAME_WAIT_CANCEL,
16838 					  rdev, wdev, cookie, chan, 0, gfp);
16839 }
16840 EXPORT_SYMBOL(cfg80211_tx_mgmt_expired);
16841 
cfg80211_new_sta(struct net_device * dev,const u8 * mac_addr,struct station_info * sinfo,gfp_t gfp)16842 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
16843 		      struct station_info *sinfo, gfp_t gfp)
16844 {
16845 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
16846 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16847 	struct sk_buff *msg;
16848 
16849 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
16850 
16851 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16852 	if (!msg)
16853 		return;
16854 
16855 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
16856 				 rdev, dev, mac_addr, sinfo) < 0) {
16857 		nlmsg_free(msg);
16858 		return;
16859 	}
16860 
16861 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16862 				NL80211_MCGRP_MLME, gfp);
16863 }
16864 EXPORT_SYMBOL(cfg80211_new_sta);
16865 
cfg80211_del_sta_sinfo(struct net_device * dev,const u8 * mac_addr,struct station_info * sinfo,gfp_t gfp)16866 void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
16867 			    struct station_info *sinfo, gfp_t gfp)
16868 {
16869 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
16870 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16871 	struct sk_buff *msg;
16872 	struct station_info empty_sinfo = {};
16873 
16874 	if (!sinfo)
16875 		sinfo = &empty_sinfo;
16876 
16877 	trace_cfg80211_del_sta(dev, mac_addr);
16878 
16879 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16880 	if (!msg) {
16881 		cfg80211_sinfo_release_content(sinfo);
16882 		return;
16883 	}
16884 
16885 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
16886 				 rdev, dev, mac_addr, sinfo) < 0) {
16887 		nlmsg_free(msg);
16888 		return;
16889 	}
16890 
16891 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16892 				NL80211_MCGRP_MLME, gfp);
16893 }
16894 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
16895 
cfg80211_conn_failed(struct net_device * dev,const u8 * mac_addr,enum nl80211_connect_failed_reason reason,gfp_t gfp)16896 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
16897 			  enum nl80211_connect_failed_reason reason,
16898 			  gfp_t gfp)
16899 {
16900 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
16901 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16902 	struct sk_buff *msg;
16903 	void *hdr;
16904 
16905 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
16906 	if (!msg)
16907 		return;
16908 
16909 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
16910 	if (!hdr) {
16911 		nlmsg_free(msg);
16912 		return;
16913 	}
16914 
16915 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
16916 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
16917 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
16918 		goto nla_put_failure;
16919 
16920 	genlmsg_end(msg, hdr);
16921 
16922 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16923 				NL80211_MCGRP_MLME, gfp);
16924 	return;
16925 
16926  nla_put_failure:
16927 	nlmsg_free(msg);
16928 }
16929 EXPORT_SYMBOL(cfg80211_conn_failed);
16930 
__nl80211_unexpected_frame(struct net_device * dev,u8 cmd,const u8 * addr,gfp_t gfp)16931 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
16932 				       const u8 *addr, gfp_t gfp)
16933 {
16934 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16935 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16936 	struct sk_buff *msg;
16937 	void *hdr;
16938 	u32 nlportid = READ_ONCE(wdev->ap_unexpected_nlportid);
16939 
16940 	if (!nlportid)
16941 		return false;
16942 
16943 	msg = nlmsg_new(100, gfp);
16944 	if (!msg)
16945 		return true;
16946 
16947 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
16948 	if (!hdr) {
16949 		nlmsg_free(msg);
16950 		return true;
16951 	}
16952 
16953 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16954 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
16955 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
16956 		goto nla_put_failure;
16957 
16958 	genlmsg_end(msg, hdr);
16959 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
16960 	return true;
16961 
16962  nla_put_failure:
16963 	nlmsg_free(msg);
16964 	return true;
16965 }
16966 
cfg80211_rx_spurious_frame(struct net_device * dev,const u8 * addr,gfp_t gfp)16967 bool cfg80211_rx_spurious_frame(struct net_device *dev,
16968 				const u8 *addr, gfp_t gfp)
16969 {
16970 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16971 	bool ret;
16972 
16973 	trace_cfg80211_rx_spurious_frame(dev, addr);
16974 
16975 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
16976 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
16977 		trace_cfg80211_return_bool(false);
16978 		return false;
16979 	}
16980 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
16981 					 addr, gfp);
16982 	trace_cfg80211_return_bool(ret);
16983 	return ret;
16984 }
16985 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
16986 
cfg80211_rx_unexpected_4addr_frame(struct net_device * dev,const u8 * addr,gfp_t gfp)16987 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
16988 					const u8 *addr, gfp_t gfp)
16989 {
16990 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16991 	bool ret;
16992 
16993 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
16994 
16995 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
16996 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
16997 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
16998 		trace_cfg80211_return_bool(false);
16999 		return false;
17000 	}
17001 	ret = __nl80211_unexpected_frame(dev,
17002 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
17003 					 addr, gfp);
17004 	trace_cfg80211_return_bool(ret);
17005 	return ret;
17006 }
17007 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
17008 
nl80211_send_mgmt(struct cfg80211_registered_device * rdev,struct wireless_dev * wdev,u32 nlportid,int freq,int sig_dbm,const u8 * buf,size_t len,u32 flags,gfp_t gfp)17009 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
17010 		      struct wireless_dev *wdev, u32 nlportid,
17011 		      int freq, int sig_dbm,
17012 		      const u8 *buf, size_t len, u32 flags, gfp_t gfp)
17013 {
17014 	struct net_device *netdev = wdev->netdev;
17015 	struct sk_buff *msg;
17016 	void *hdr;
17017 
17018 	msg = nlmsg_new(100 + len, gfp);
17019 	if (!msg)
17020 		return -ENOMEM;
17021 
17022 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
17023 	if (!hdr) {
17024 		nlmsg_free(msg);
17025 		return -ENOMEM;
17026 	}
17027 
17028 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17029 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
17030 					netdev->ifindex)) ||
17031 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17032 			      NL80211_ATTR_PAD) ||
17033 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, KHZ_TO_MHZ(freq)) ||
17034 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET, freq % 1000) ||
17035 	    (sig_dbm &&
17036 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
17037 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
17038 	    (flags &&
17039 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, flags)))
17040 		goto nla_put_failure;
17041 
17042 	genlmsg_end(msg, hdr);
17043 
17044 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
17045 
17046  nla_put_failure:
17047 	nlmsg_free(msg);
17048 	return -ENOBUFS;
17049 }
17050 
nl80211_frame_tx_status(struct wireless_dev * wdev,u64 cookie,const u8 * buf,size_t len,bool ack,gfp_t gfp,enum nl80211_commands command)17051 static void nl80211_frame_tx_status(struct wireless_dev *wdev, u64 cookie,
17052 				    const u8 *buf, size_t len, bool ack,
17053 				    gfp_t gfp, enum nl80211_commands command)
17054 {
17055 	struct wiphy *wiphy = wdev->wiphy;
17056 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17057 	struct net_device *netdev = wdev->netdev;
17058 	struct sk_buff *msg;
17059 	void *hdr;
17060 
17061 	if (command == NL80211_CMD_FRAME_TX_STATUS)
17062 		trace_cfg80211_mgmt_tx_status(wdev, cookie, ack);
17063 	else
17064 		trace_cfg80211_control_port_tx_status(wdev, cookie, ack);
17065 
17066 	msg = nlmsg_new(100 + len, gfp);
17067 	if (!msg)
17068 		return;
17069 
17070 	hdr = nl80211hdr_put(msg, 0, 0, 0, command);
17071 	if (!hdr) {
17072 		nlmsg_free(msg);
17073 		return;
17074 	}
17075 
17076 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17077 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
17078 				   netdev->ifindex)) ||
17079 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17080 			      NL80211_ATTR_PAD) ||
17081 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
17082 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
17083 			      NL80211_ATTR_PAD) ||
17084 	    (ack && nla_put_flag(msg, NL80211_ATTR_ACK)))
17085 		goto nla_put_failure;
17086 
17087 	genlmsg_end(msg, hdr);
17088 
17089 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17090 				NL80211_MCGRP_MLME, gfp);
17091 	return;
17092 
17093 nla_put_failure:
17094 	nlmsg_free(msg);
17095 }
17096 
cfg80211_control_port_tx_status(struct wireless_dev * wdev,u64 cookie,const u8 * buf,size_t len,bool ack,gfp_t gfp)17097 void cfg80211_control_port_tx_status(struct wireless_dev *wdev, u64 cookie,
17098 				     const u8 *buf, size_t len, bool ack,
17099 				     gfp_t gfp)
17100 {
17101 	nl80211_frame_tx_status(wdev, cookie, buf, len, ack, gfp,
17102 				NL80211_CMD_CONTROL_PORT_FRAME_TX_STATUS);
17103 }
17104 EXPORT_SYMBOL(cfg80211_control_port_tx_status);
17105 
cfg80211_mgmt_tx_status(struct wireless_dev * wdev,u64 cookie,const u8 * buf,size_t len,bool ack,gfp_t gfp)17106 void cfg80211_mgmt_tx_status(struct wireless_dev *wdev, u64 cookie,
17107 			     const u8 *buf, size_t len, bool ack, gfp_t gfp)
17108 {
17109 	nl80211_frame_tx_status(wdev, cookie, buf, len, ack, gfp,
17110 				NL80211_CMD_FRAME_TX_STATUS);
17111 }
17112 EXPORT_SYMBOL(cfg80211_mgmt_tx_status);
17113 
__nl80211_rx_control_port(struct net_device * dev,struct sk_buff * skb,bool unencrypted,gfp_t gfp)17114 static int __nl80211_rx_control_port(struct net_device *dev,
17115 				     struct sk_buff *skb,
17116 				     bool unencrypted, gfp_t gfp)
17117 {
17118 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17119 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17120 	struct ethhdr *ehdr = eth_hdr(skb);
17121 	const u8 *addr = ehdr->h_source;
17122 	u16 proto = be16_to_cpu(skb->protocol);
17123 	struct sk_buff *msg;
17124 	void *hdr;
17125 	struct nlattr *frame;
17126 
17127 	u32 nlportid = READ_ONCE(wdev->conn_owner_nlportid);
17128 
17129 	if (!nlportid)
17130 		return -ENOENT;
17131 
17132 	msg = nlmsg_new(100 + skb->len, gfp);
17133 	if (!msg)
17134 		return -ENOMEM;
17135 
17136 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONTROL_PORT_FRAME);
17137 	if (!hdr) {
17138 		nlmsg_free(msg);
17139 		return -ENOBUFS;
17140 	}
17141 
17142 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17143 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17144 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17145 			      NL80211_ATTR_PAD) ||
17146 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
17147 	    nla_put_u16(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE, proto) ||
17148 	    (unencrypted && nla_put_flag(msg,
17149 					 NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT)))
17150 		goto nla_put_failure;
17151 
17152 	frame = nla_reserve(msg, NL80211_ATTR_FRAME, skb->len);
17153 	if (!frame)
17154 		goto nla_put_failure;
17155 
17156 	skb_copy_bits(skb, 0, nla_data(frame), skb->len);
17157 	genlmsg_end(msg, hdr);
17158 
17159 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
17160 
17161  nla_put_failure:
17162 	nlmsg_free(msg);
17163 	return -ENOBUFS;
17164 }
17165 
cfg80211_rx_control_port(struct net_device * dev,struct sk_buff * skb,bool unencrypted)17166 bool cfg80211_rx_control_port(struct net_device *dev,
17167 			      struct sk_buff *skb, bool unencrypted)
17168 {
17169 	int ret;
17170 
17171 	trace_cfg80211_rx_control_port(dev, skb, unencrypted);
17172 	ret = __nl80211_rx_control_port(dev, skb, unencrypted, GFP_ATOMIC);
17173 	trace_cfg80211_return_bool(ret == 0);
17174 	return ret == 0;
17175 }
17176 EXPORT_SYMBOL(cfg80211_rx_control_port);
17177 
cfg80211_prepare_cqm(struct net_device * dev,const char * mac,gfp_t gfp)17178 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
17179 					    const char *mac, gfp_t gfp)
17180 {
17181 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17182 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17183 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17184 	void **cb;
17185 
17186 	if (!msg)
17187 		return NULL;
17188 
17189 	cb = (void **)msg->cb;
17190 
17191 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
17192 	if (!cb[0]) {
17193 		nlmsg_free(msg);
17194 		return NULL;
17195 	}
17196 
17197 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17198 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
17199 		goto nla_put_failure;
17200 
17201 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
17202 		goto nla_put_failure;
17203 
17204 	cb[1] = nla_nest_start_noflag(msg, NL80211_ATTR_CQM);
17205 	if (!cb[1])
17206 		goto nla_put_failure;
17207 
17208 	cb[2] = rdev;
17209 
17210 	return msg;
17211  nla_put_failure:
17212 	nlmsg_free(msg);
17213 	return NULL;
17214 }
17215 
cfg80211_send_cqm(struct sk_buff * msg,gfp_t gfp)17216 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
17217 {
17218 	void **cb = (void **)msg->cb;
17219 	struct cfg80211_registered_device *rdev = cb[2];
17220 
17221 	nla_nest_end(msg, cb[1]);
17222 	genlmsg_end(msg, cb[0]);
17223 
17224 	memset(msg->cb, 0, sizeof(msg->cb));
17225 
17226 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17227 				NL80211_MCGRP_MLME, gfp);
17228 }
17229 
cfg80211_cqm_rssi_notify(struct net_device * dev,enum nl80211_cqm_rssi_threshold_event rssi_event,s32 rssi_level,gfp_t gfp)17230 void cfg80211_cqm_rssi_notify(struct net_device *dev,
17231 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
17232 			      s32 rssi_level, gfp_t gfp)
17233 {
17234 	struct sk_buff *msg;
17235 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17236 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17237 
17238 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level);
17239 
17240 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
17241 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
17242 		return;
17243 
17244 	if (wdev->cqm_config) {
17245 		wdev->cqm_config->last_rssi_event_value = rssi_level;
17246 
17247 		cfg80211_cqm_rssi_update(rdev, dev);
17248 
17249 		if (rssi_level == 0)
17250 			rssi_level = wdev->cqm_config->last_rssi_event_value;
17251 	}
17252 
17253 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
17254 	if (!msg)
17255 		return;
17256 
17257 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
17258 			rssi_event))
17259 		goto nla_put_failure;
17260 
17261 	if (rssi_level && nla_put_s32(msg, NL80211_ATTR_CQM_RSSI_LEVEL,
17262 				      rssi_level))
17263 		goto nla_put_failure;
17264 
17265 	cfg80211_send_cqm(msg, gfp);
17266 
17267 	return;
17268 
17269  nla_put_failure:
17270 	nlmsg_free(msg);
17271 }
17272 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
17273 
cfg80211_cqm_txe_notify(struct net_device * dev,const u8 * peer,u32 num_packets,u32 rate,u32 intvl,gfp_t gfp)17274 void cfg80211_cqm_txe_notify(struct net_device *dev,
17275 			     const u8 *peer, u32 num_packets,
17276 			     u32 rate, u32 intvl, gfp_t gfp)
17277 {
17278 	struct sk_buff *msg;
17279 
17280 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
17281 	if (!msg)
17282 		return;
17283 
17284 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
17285 		goto nla_put_failure;
17286 
17287 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
17288 		goto nla_put_failure;
17289 
17290 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
17291 		goto nla_put_failure;
17292 
17293 	cfg80211_send_cqm(msg, gfp);
17294 	return;
17295 
17296  nla_put_failure:
17297 	nlmsg_free(msg);
17298 }
17299 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
17300 
cfg80211_cqm_pktloss_notify(struct net_device * dev,const u8 * peer,u32 num_packets,gfp_t gfp)17301 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
17302 				 const u8 *peer, u32 num_packets, gfp_t gfp)
17303 {
17304 	struct sk_buff *msg;
17305 
17306 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
17307 
17308 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
17309 	if (!msg)
17310 		return;
17311 
17312 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
17313 		goto nla_put_failure;
17314 
17315 	cfg80211_send_cqm(msg, gfp);
17316 	return;
17317 
17318  nla_put_failure:
17319 	nlmsg_free(msg);
17320 }
17321 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
17322 
cfg80211_cqm_beacon_loss_notify(struct net_device * dev,gfp_t gfp)17323 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
17324 {
17325 	struct sk_buff *msg;
17326 
17327 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
17328 	if (!msg)
17329 		return;
17330 
17331 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
17332 		goto nla_put_failure;
17333 
17334 	cfg80211_send_cqm(msg, gfp);
17335 	return;
17336 
17337  nla_put_failure:
17338 	nlmsg_free(msg);
17339 }
17340 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
17341 
nl80211_gtk_rekey_notify(struct cfg80211_registered_device * rdev,struct net_device * netdev,const u8 * bssid,const u8 * replay_ctr,gfp_t gfp)17342 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
17343 				     struct net_device *netdev, const u8 *bssid,
17344 				     const u8 *replay_ctr, gfp_t gfp)
17345 {
17346 	struct sk_buff *msg;
17347 	struct nlattr *rekey_attr;
17348 	void *hdr;
17349 
17350 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17351 	if (!msg)
17352 		return;
17353 
17354 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
17355 	if (!hdr) {
17356 		nlmsg_free(msg);
17357 		return;
17358 	}
17359 
17360 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17361 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17362 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
17363 		goto nla_put_failure;
17364 
17365 	rekey_attr = nla_nest_start_noflag(msg, NL80211_ATTR_REKEY_DATA);
17366 	if (!rekey_attr)
17367 		goto nla_put_failure;
17368 
17369 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
17370 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
17371 		goto nla_put_failure;
17372 
17373 	nla_nest_end(msg, rekey_attr);
17374 
17375 	genlmsg_end(msg, hdr);
17376 
17377 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17378 				NL80211_MCGRP_MLME, gfp);
17379 	return;
17380 
17381  nla_put_failure:
17382 	nlmsg_free(msg);
17383 }
17384 
cfg80211_gtk_rekey_notify(struct net_device * dev,const u8 * bssid,const u8 * replay_ctr,gfp_t gfp)17385 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
17386 			       const u8 *replay_ctr, gfp_t gfp)
17387 {
17388 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17389 	struct wiphy *wiphy = wdev->wiphy;
17390 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17391 
17392 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
17393 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
17394 }
17395 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
17396 
17397 static void
nl80211_pmksa_candidate_notify(struct cfg80211_registered_device * rdev,struct net_device * netdev,int index,const u8 * bssid,bool preauth,gfp_t gfp)17398 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
17399 			       struct net_device *netdev, int index,
17400 			       const u8 *bssid, bool preauth, gfp_t gfp)
17401 {
17402 	struct sk_buff *msg;
17403 	struct nlattr *attr;
17404 	void *hdr;
17405 
17406 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17407 	if (!msg)
17408 		return;
17409 
17410 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
17411 	if (!hdr) {
17412 		nlmsg_free(msg);
17413 		return;
17414 	}
17415 
17416 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17417 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
17418 		goto nla_put_failure;
17419 
17420 	attr = nla_nest_start_noflag(msg, NL80211_ATTR_PMKSA_CANDIDATE);
17421 	if (!attr)
17422 		goto nla_put_failure;
17423 
17424 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
17425 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
17426 	    (preauth &&
17427 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
17428 		goto nla_put_failure;
17429 
17430 	nla_nest_end(msg, attr);
17431 
17432 	genlmsg_end(msg, hdr);
17433 
17434 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17435 				NL80211_MCGRP_MLME, gfp);
17436 	return;
17437 
17438  nla_put_failure:
17439 	nlmsg_free(msg);
17440 }
17441 
cfg80211_pmksa_candidate_notify(struct net_device * dev,int index,const u8 * bssid,bool preauth,gfp_t gfp)17442 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
17443 				     const u8 *bssid, bool preauth, gfp_t gfp)
17444 {
17445 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17446 	struct wiphy *wiphy = wdev->wiphy;
17447 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17448 
17449 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
17450 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
17451 }
17452 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
17453 
nl80211_ch_switch_notify(struct cfg80211_registered_device * rdev,struct net_device * netdev,struct cfg80211_chan_def * chandef,gfp_t gfp,enum nl80211_commands notif,u8 count,bool quiet)17454 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
17455 				     struct net_device *netdev,
17456 				     struct cfg80211_chan_def *chandef,
17457 				     gfp_t gfp,
17458 				     enum nl80211_commands notif,
17459 				     u8 count, bool quiet)
17460 {
17461 	struct sk_buff *msg;
17462 	void *hdr;
17463 
17464 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17465 	if (!msg)
17466 		return;
17467 
17468 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
17469 	if (!hdr) {
17470 		nlmsg_free(msg);
17471 		return;
17472 	}
17473 
17474 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
17475 		goto nla_put_failure;
17476 
17477 	if (nl80211_send_chandef(msg, chandef))
17478 		goto nla_put_failure;
17479 
17480 	if (notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) {
17481 		if (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count))
17482 			goto nla_put_failure;
17483 		if (quiet &&
17484 		    nla_put_flag(msg, NL80211_ATTR_CH_SWITCH_BLOCK_TX))
17485 			goto nla_put_failure;
17486 	}
17487 
17488 	genlmsg_end(msg, hdr);
17489 
17490 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17491 				NL80211_MCGRP_MLME, gfp);
17492 	return;
17493 
17494  nla_put_failure:
17495 	nlmsg_free(msg);
17496 }
17497 
cfg80211_ch_switch_notify(struct net_device * dev,struct cfg80211_chan_def * chandef)17498 void cfg80211_ch_switch_notify(struct net_device *dev,
17499 			       struct cfg80211_chan_def *chandef)
17500 {
17501 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17502 	struct wiphy *wiphy = wdev->wiphy;
17503 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17504 
17505 	ASSERT_WDEV_LOCK(wdev);
17506 
17507 	trace_cfg80211_ch_switch_notify(dev, chandef);
17508 
17509 	wdev->chandef = *chandef;
17510 	wdev->preset_chandef = *chandef;
17511 
17512 	if (wdev->iftype == NL80211_IFTYPE_STATION &&
17513 	    !WARN_ON(!wdev->current_bss))
17514 		cfg80211_update_assoc_bss_entry(wdev, chandef->chan);
17515 
17516 	cfg80211_sched_dfs_chan_update(rdev);
17517 
17518 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
17519 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0, false);
17520 }
17521 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
17522 
cfg80211_ch_switch_started_notify(struct net_device * dev,struct cfg80211_chan_def * chandef,u8 count,bool quiet)17523 void cfg80211_ch_switch_started_notify(struct net_device *dev,
17524 				       struct cfg80211_chan_def *chandef,
17525 				       u8 count, bool quiet)
17526 {
17527 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17528 	struct wiphy *wiphy = wdev->wiphy;
17529 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17530 
17531 	trace_cfg80211_ch_switch_started_notify(dev, chandef);
17532 
17533 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
17534 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY,
17535 				 count, quiet);
17536 }
17537 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
17538 
cfg80211_bss_color_notify(struct net_device * dev,gfp_t gfp,enum nl80211_commands cmd,u8 count,u64 color_bitmap)17539 int cfg80211_bss_color_notify(struct net_device *dev, gfp_t gfp,
17540 			      enum nl80211_commands cmd, u8 count,
17541 			      u64 color_bitmap)
17542 {
17543 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17544 	struct wiphy *wiphy = wdev->wiphy;
17545 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17546 	struct sk_buff *msg;
17547 	void *hdr;
17548 
17549 	ASSERT_WDEV_LOCK(wdev);
17550 
17551 	trace_cfg80211_bss_color_notify(dev, cmd, count, color_bitmap);
17552 
17553 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17554 	if (!msg)
17555 		return -ENOMEM;
17556 
17557 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17558 	if (!hdr)
17559 		goto nla_put_failure;
17560 
17561 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
17562 		goto nla_put_failure;
17563 
17564 	if (cmd == NL80211_CMD_COLOR_CHANGE_STARTED &&
17565 	    nla_put_u32(msg, NL80211_ATTR_COLOR_CHANGE_COUNT, count))
17566 		goto nla_put_failure;
17567 
17568 	if (cmd == NL80211_CMD_OBSS_COLOR_COLLISION &&
17569 	    nla_put_u64_64bit(msg, NL80211_ATTR_OBSS_COLOR_BITMAP,
17570 			      color_bitmap, NL80211_ATTR_PAD))
17571 		goto nla_put_failure;
17572 
17573 	genlmsg_end(msg, hdr);
17574 
17575 	return genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
17576 				       msg, 0, NL80211_MCGRP_MLME, gfp);
17577 
17578 nla_put_failure:
17579 	nlmsg_free(msg);
17580 	return -EINVAL;
17581 }
17582 EXPORT_SYMBOL(cfg80211_bss_color_notify);
17583 
17584 void
nl80211_radar_notify(struct cfg80211_registered_device * rdev,const struct cfg80211_chan_def * chandef,enum nl80211_radar_event event,struct net_device * netdev,gfp_t gfp)17585 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
17586 		     const struct cfg80211_chan_def *chandef,
17587 		     enum nl80211_radar_event event,
17588 		     struct net_device *netdev, gfp_t gfp)
17589 {
17590 	struct sk_buff *msg;
17591 	void *hdr;
17592 
17593 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17594 	if (!msg)
17595 		return;
17596 
17597 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
17598 	if (!hdr) {
17599 		nlmsg_free(msg);
17600 		return;
17601 	}
17602 
17603 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
17604 		goto nla_put_failure;
17605 
17606 	/* NOP and radar events don't need a netdev parameter */
17607 	if (netdev) {
17608 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
17609 
17610 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17611 		    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17612 				      NL80211_ATTR_PAD))
17613 			goto nla_put_failure;
17614 	}
17615 
17616 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
17617 		goto nla_put_failure;
17618 
17619 	if (nl80211_send_chandef(msg, chandef))
17620 		goto nla_put_failure;
17621 
17622 	genlmsg_end(msg, hdr);
17623 
17624 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17625 				NL80211_MCGRP_MLME, gfp);
17626 	return;
17627 
17628  nla_put_failure:
17629 	nlmsg_free(msg);
17630 }
17631 
cfg80211_sta_opmode_change_notify(struct net_device * dev,const u8 * mac,struct sta_opmode_info * sta_opmode,gfp_t gfp)17632 void cfg80211_sta_opmode_change_notify(struct net_device *dev, const u8 *mac,
17633 				       struct sta_opmode_info *sta_opmode,
17634 				       gfp_t gfp)
17635 {
17636 	struct sk_buff *msg;
17637 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17638 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17639 	void *hdr;
17640 
17641 	if (WARN_ON(!mac))
17642 		return;
17643 
17644 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17645 	if (!msg)
17646 		return;
17647 
17648 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STA_OPMODE_CHANGED);
17649 	if (!hdr) {
17650 		nlmsg_free(msg);
17651 		return;
17652 	}
17653 
17654 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
17655 		goto nla_put_failure;
17656 
17657 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
17658 		goto nla_put_failure;
17659 
17660 	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
17661 		goto nla_put_failure;
17662 
17663 	if ((sta_opmode->changed & STA_OPMODE_SMPS_MODE_CHANGED) &&
17664 	    nla_put_u8(msg, NL80211_ATTR_SMPS_MODE, sta_opmode->smps_mode))
17665 		goto nla_put_failure;
17666 
17667 	if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
17668 	    nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
17669 		goto nla_put_failure;
17670 
17671 	if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
17672 	    nla_put_u8(msg, NL80211_ATTR_NSS, sta_opmode->rx_nss))
17673 		goto nla_put_failure;
17674 
17675 	genlmsg_end(msg, hdr);
17676 
17677 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17678 				NL80211_MCGRP_MLME, gfp);
17679 
17680 	return;
17681 
17682 nla_put_failure:
17683 	nlmsg_free(msg);
17684 }
17685 EXPORT_SYMBOL(cfg80211_sta_opmode_change_notify);
17686 
cfg80211_probe_status(struct net_device * dev,const u8 * addr,u64 cookie,bool acked,s32 ack_signal,bool is_valid_ack_signal,gfp_t gfp)17687 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
17688 			   u64 cookie, bool acked, s32 ack_signal,
17689 			   bool is_valid_ack_signal, gfp_t gfp)
17690 {
17691 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17692 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17693 	struct sk_buff *msg;
17694 	void *hdr;
17695 
17696 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
17697 
17698 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17699 
17700 	if (!msg)
17701 		return;
17702 
17703 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
17704 	if (!hdr) {
17705 		nlmsg_free(msg);
17706 		return;
17707 	}
17708 
17709 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17710 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17711 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
17712 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
17713 			      NL80211_ATTR_PAD) ||
17714 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
17715 	    (is_valid_ack_signal && nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL,
17716 						ack_signal)))
17717 		goto nla_put_failure;
17718 
17719 	genlmsg_end(msg, hdr);
17720 
17721 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17722 				NL80211_MCGRP_MLME, gfp);
17723 	return;
17724 
17725  nla_put_failure:
17726 	nlmsg_free(msg);
17727 }
17728 EXPORT_SYMBOL(cfg80211_probe_status);
17729 
cfg80211_report_obss_beacon_khz(struct wiphy * wiphy,const u8 * frame,size_t len,int freq,int sig_dbm)17730 void cfg80211_report_obss_beacon_khz(struct wiphy *wiphy, const u8 *frame,
17731 				     size_t len, int freq, int sig_dbm)
17732 {
17733 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17734 	struct sk_buff *msg;
17735 	void *hdr;
17736 	struct cfg80211_beacon_registration *reg;
17737 
17738 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
17739 
17740 	spin_lock_bh(&rdev->beacon_registrations_lock);
17741 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
17742 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
17743 		if (!msg) {
17744 			spin_unlock_bh(&rdev->beacon_registrations_lock);
17745 			return;
17746 		}
17747 
17748 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
17749 		if (!hdr)
17750 			goto nla_put_failure;
17751 
17752 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17753 		    (freq &&
17754 		     (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
17755 				  KHZ_TO_MHZ(freq)) ||
17756 		      nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
17757 				  freq % 1000))) ||
17758 		    (sig_dbm &&
17759 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
17760 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
17761 			goto nla_put_failure;
17762 
17763 		genlmsg_end(msg, hdr);
17764 
17765 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
17766 	}
17767 	spin_unlock_bh(&rdev->beacon_registrations_lock);
17768 	return;
17769 
17770  nla_put_failure:
17771 	spin_unlock_bh(&rdev->beacon_registrations_lock);
17772 	nlmsg_free(msg);
17773 }
17774 EXPORT_SYMBOL(cfg80211_report_obss_beacon_khz);
17775 
17776 #ifdef CONFIG_PM
cfg80211_net_detect_results(struct sk_buff * msg,struct cfg80211_wowlan_wakeup * wakeup)17777 static int cfg80211_net_detect_results(struct sk_buff *msg,
17778 				       struct cfg80211_wowlan_wakeup *wakeup)
17779 {
17780 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
17781 	struct nlattr *nl_results, *nl_match, *nl_freqs;
17782 	int i, j;
17783 
17784 	nl_results = nla_nest_start_noflag(msg,
17785 					   NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
17786 	if (!nl_results)
17787 		return -EMSGSIZE;
17788 
17789 	for (i = 0; i < nd->n_matches; i++) {
17790 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
17791 
17792 		nl_match = nla_nest_start_noflag(msg, i);
17793 		if (!nl_match)
17794 			break;
17795 
17796 		/* The SSID attribute is optional in nl80211, but for
17797 		 * simplicity reasons it's always present in the
17798 		 * cfg80211 structure.  If a driver can't pass the
17799 		 * SSID, that needs to be changed.  A zero length SSID
17800 		 * is still a valid SSID (wildcard), so it cannot be
17801 		 * used for this purpose.
17802 		 */
17803 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
17804 			    match->ssid.ssid)) {
17805 			nla_nest_cancel(msg, nl_match);
17806 			goto out;
17807 		}
17808 
17809 		if (match->n_channels) {
17810 			nl_freqs = nla_nest_start_noflag(msg,
17811 							 NL80211_ATTR_SCAN_FREQUENCIES);
17812 			if (!nl_freqs) {
17813 				nla_nest_cancel(msg, nl_match);
17814 				goto out;
17815 			}
17816 
17817 			for (j = 0; j < match->n_channels; j++) {
17818 				if (nla_put_u32(msg, j, match->channels[j])) {
17819 					nla_nest_cancel(msg, nl_freqs);
17820 					nla_nest_cancel(msg, nl_match);
17821 					goto out;
17822 				}
17823 			}
17824 
17825 			nla_nest_end(msg, nl_freqs);
17826 		}
17827 
17828 		nla_nest_end(msg, nl_match);
17829 	}
17830 
17831 out:
17832 	nla_nest_end(msg, nl_results);
17833 	return 0;
17834 }
17835 
cfg80211_report_wowlan_wakeup(struct wireless_dev * wdev,struct cfg80211_wowlan_wakeup * wakeup,gfp_t gfp)17836 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
17837 				   struct cfg80211_wowlan_wakeup *wakeup,
17838 				   gfp_t gfp)
17839 {
17840 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17841 	struct sk_buff *msg;
17842 	void *hdr;
17843 	int size = 200;
17844 
17845 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
17846 
17847 	if (wakeup)
17848 		size += wakeup->packet_present_len;
17849 
17850 	msg = nlmsg_new(size, gfp);
17851 	if (!msg)
17852 		return;
17853 
17854 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
17855 	if (!hdr)
17856 		goto free_msg;
17857 
17858 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17859 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17860 			      NL80211_ATTR_PAD))
17861 		goto free_msg;
17862 
17863 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
17864 					wdev->netdev->ifindex))
17865 		goto free_msg;
17866 
17867 	if (wakeup) {
17868 		struct nlattr *reasons;
17869 
17870 		reasons = nla_nest_start_noflag(msg,
17871 						NL80211_ATTR_WOWLAN_TRIGGERS);
17872 		if (!reasons)
17873 			goto free_msg;
17874 
17875 		if (wakeup->disconnect &&
17876 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
17877 			goto free_msg;
17878 		if (wakeup->magic_pkt &&
17879 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
17880 			goto free_msg;
17881 		if (wakeup->gtk_rekey_failure &&
17882 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
17883 			goto free_msg;
17884 		if (wakeup->eap_identity_req &&
17885 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
17886 			goto free_msg;
17887 		if (wakeup->four_way_handshake &&
17888 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
17889 			goto free_msg;
17890 		if (wakeup->rfkill_release &&
17891 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
17892 			goto free_msg;
17893 
17894 		if (wakeup->pattern_idx >= 0 &&
17895 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
17896 				wakeup->pattern_idx))
17897 			goto free_msg;
17898 
17899 		if (wakeup->tcp_match &&
17900 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
17901 			goto free_msg;
17902 
17903 		if (wakeup->tcp_connlost &&
17904 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
17905 			goto free_msg;
17906 
17907 		if (wakeup->tcp_nomoretokens &&
17908 		    nla_put_flag(msg,
17909 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
17910 			goto free_msg;
17911 
17912 		if (wakeup->packet) {
17913 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
17914 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
17915 
17916 			if (!wakeup->packet_80211) {
17917 				pkt_attr =
17918 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
17919 				len_attr =
17920 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
17921 			}
17922 
17923 			if (wakeup->packet_len &&
17924 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
17925 				goto free_msg;
17926 
17927 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
17928 				    wakeup->packet))
17929 				goto free_msg;
17930 		}
17931 
17932 		if (wakeup->net_detect &&
17933 		    cfg80211_net_detect_results(msg, wakeup))
17934 				goto free_msg;
17935 
17936 		nla_nest_end(msg, reasons);
17937 	}
17938 
17939 	genlmsg_end(msg, hdr);
17940 
17941 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17942 				NL80211_MCGRP_MLME, gfp);
17943 	return;
17944 
17945  free_msg:
17946 	nlmsg_free(msg);
17947 }
17948 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
17949 #endif
17950 
cfg80211_tdls_oper_request(struct net_device * dev,const u8 * peer,enum nl80211_tdls_operation oper,u16 reason_code,gfp_t gfp)17951 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
17952 				enum nl80211_tdls_operation oper,
17953 				u16 reason_code, gfp_t gfp)
17954 {
17955 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17956 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17957 	struct sk_buff *msg;
17958 	void *hdr;
17959 
17960 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
17961 					 reason_code);
17962 
17963 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17964 	if (!msg)
17965 		return;
17966 
17967 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
17968 	if (!hdr) {
17969 		nlmsg_free(msg);
17970 		return;
17971 	}
17972 
17973 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17974 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17975 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
17976 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
17977 	    (reason_code > 0 &&
17978 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
17979 		goto nla_put_failure;
17980 
17981 	genlmsg_end(msg, hdr);
17982 
17983 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17984 				NL80211_MCGRP_MLME, gfp);
17985 	return;
17986 
17987  nla_put_failure:
17988 	nlmsg_free(msg);
17989 }
17990 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
17991 
nl80211_netlink_notify(struct notifier_block * nb,unsigned long state,void * _notify)17992 static int nl80211_netlink_notify(struct notifier_block * nb,
17993 				  unsigned long state,
17994 				  void *_notify)
17995 {
17996 	struct netlink_notify *notify = _notify;
17997 	struct cfg80211_registered_device *rdev;
17998 	struct wireless_dev *wdev;
17999 	struct cfg80211_beacon_registration *reg, *tmp;
18000 
18001 	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
18002 		return NOTIFY_DONE;
18003 
18004 	rcu_read_lock();
18005 
18006 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
18007 		struct cfg80211_sched_scan_request *sched_scan_req;
18008 
18009 		list_for_each_entry_rcu(sched_scan_req,
18010 					&rdev->sched_scan_req_list,
18011 					list) {
18012 			if (sched_scan_req->owner_nlportid == notify->portid) {
18013 				sched_scan_req->nl_owner_dead = true;
18014 				schedule_work(&rdev->sched_scan_stop_wk);
18015 			}
18016 		}
18017 
18018 		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
18019 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
18020 
18021 			if (wdev->owner_nlportid == notify->portid) {
18022 				wdev->nl_owner_dead = true;
18023 				schedule_work(&rdev->destroy_work);
18024 			} else if (wdev->conn_owner_nlportid == notify->portid) {
18025 				schedule_work(&wdev->disconnect_wk);
18026 			}
18027 
18028 			cfg80211_release_pmsr(wdev, notify->portid);
18029 		}
18030 
18031 		spin_lock_bh(&rdev->beacon_registrations_lock);
18032 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
18033 					 list) {
18034 			if (reg->nlportid == notify->portid) {
18035 				list_del(&reg->list);
18036 				kfree(reg);
18037 				break;
18038 			}
18039 		}
18040 		spin_unlock_bh(&rdev->beacon_registrations_lock);
18041 	}
18042 
18043 	rcu_read_unlock();
18044 
18045 	/*
18046 	 * It is possible that the user space process that is controlling the
18047 	 * indoor setting disappeared, so notify the regulatory core.
18048 	 */
18049 	regulatory_netlink_notify(notify->portid);
18050 	return NOTIFY_OK;
18051 }
18052 
18053 static struct notifier_block nl80211_netlink_notifier = {
18054 	.notifier_call = nl80211_netlink_notify,
18055 };
18056 
cfg80211_ft_event(struct net_device * netdev,struct cfg80211_ft_event_params * ft_event)18057 void cfg80211_ft_event(struct net_device *netdev,
18058 		       struct cfg80211_ft_event_params *ft_event)
18059 {
18060 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
18061 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18062 	struct sk_buff *msg;
18063 	void *hdr;
18064 
18065 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
18066 
18067 	if (!ft_event->target_ap)
18068 		return;
18069 
18070 	msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
18071 			GFP_KERNEL);
18072 	if (!msg)
18073 		return;
18074 
18075 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
18076 	if (!hdr)
18077 		goto out;
18078 
18079 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18080 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18081 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
18082 		goto out;
18083 
18084 	if (ft_event->ies &&
18085 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
18086 		goto out;
18087 	if (ft_event->ric_ies &&
18088 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
18089 		    ft_event->ric_ies))
18090 		goto out;
18091 
18092 	genlmsg_end(msg, hdr);
18093 
18094 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18095 				NL80211_MCGRP_MLME, GFP_KERNEL);
18096 	return;
18097  out:
18098 	nlmsg_free(msg);
18099 }
18100 EXPORT_SYMBOL(cfg80211_ft_event);
18101 
cfg80211_crit_proto_stopped(struct wireless_dev * wdev,gfp_t gfp)18102 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
18103 {
18104 	struct cfg80211_registered_device *rdev;
18105 	struct sk_buff *msg;
18106 	void *hdr;
18107 	u32 nlportid;
18108 
18109 	rdev = wiphy_to_rdev(wdev->wiphy);
18110 	if (!rdev->crit_proto_nlportid)
18111 		return;
18112 
18113 	nlportid = rdev->crit_proto_nlportid;
18114 	rdev->crit_proto_nlportid = 0;
18115 
18116 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18117 	if (!msg)
18118 		return;
18119 
18120 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
18121 	if (!hdr)
18122 		goto nla_put_failure;
18123 
18124 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18125 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18126 			      NL80211_ATTR_PAD))
18127 		goto nla_put_failure;
18128 
18129 	genlmsg_end(msg, hdr);
18130 
18131 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
18132 	return;
18133 
18134  nla_put_failure:
18135 	nlmsg_free(msg);
18136 }
18137 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
18138 
nl80211_send_ap_stopped(struct wireless_dev * wdev)18139 void nl80211_send_ap_stopped(struct wireless_dev *wdev)
18140 {
18141 	struct wiphy *wiphy = wdev->wiphy;
18142 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18143 	struct sk_buff *msg;
18144 	void *hdr;
18145 
18146 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18147 	if (!msg)
18148 		return;
18149 
18150 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
18151 	if (!hdr)
18152 		goto out;
18153 
18154 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18155 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
18156 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18157 			      NL80211_ATTR_PAD))
18158 		goto out;
18159 
18160 	genlmsg_end(msg, hdr);
18161 
18162 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
18163 				NL80211_MCGRP_MLME, GFP_KERNEL);
18164 	return;
18165  out:
18166 	nlmsg_free(msg);
18167 }
18168 
cfg80211_external_auth_request(struct net_device * dev,struct cfg80211_external_auth_params * params,gfp_t gfp)18169 int cfg80211_external_auth_request(struct net_device *dev,
18170 				   struct cfg80211_external_auth_params *params,
18171 				   gfp_t gfp)
18172 {
18173 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18174 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18175 	struct sk_buff *msg;
18176 	void *hdr;
18177 
18178 	if (!wdev->conn_owner_nlportid)
18179 		return -EINVAL;
18180 
18181 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18182 	if (!msg)
18183 		return -ENOMEM;
18184 
18185 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EXTERNAL_AUTH);
18186 	if (!hdr)
18187 		goto nla_put_failure;
18188 
18189 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18190 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18191 	    nla_put_u32(msg, NL80211_ATTR_AKM_SUITES, params->key_mgmt_suite) ||
18192 	    nla_put_u32(msg, NL80211_ATTR_EXTERNAL_AUTH_ACTION,
18193 			params->action) ||
18194 	    nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, params->bssid) ||
18195 	    nla_put(msg, NL80211_ATTR_SSID, params->ssid.ssid_len,
18196 		    params->ssid.ssid))
18197 		goto nla_put_failure;
18198 
18199 	genlmsg_end(msg, hdr);
18200 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
18201 			wdev->conn_owner_nlportid);
18202 	return 0;
18203 
18204  nla_put_failure:
18205 	nlmsg_free(msg);
18206 	return -ENOBUFS;
18207 }
18208 EXPORT_SYMBOL(cfg80211_external_auth_request);
18209 
cfg80211_update_owe_info_event(struct net_device * netdev,struct cfg80211_update_owe_info * owe_info,gfp_t gfp)18210 void cfg80211_update_owe_info_event(struct net_device *netdev,
18211 				    struct cfg80211_update_owe_info *owe_info,
18212 				    gfp_t gfp)
18213 {
18214 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
18215 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18216 	struct sk_buff *msg;
18217 	void *hdr;
18218 
18219 	trace_cfg80211_update_owe_info_event(wiphy, netdev, owe_info);
18220 
18221 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18222 	if (!msg)
18223 		return;
18224 
18225 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_UPDATE_OWE_INFO);
18226 	if (!hdr)
18227 		goto nla_put_failure;
18228 
18229 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18230 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18231 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, owe_info->peer))
18232 		goto nla_put_failure;
18233 
18234 	if (!owe_info->ie_len ||
18235 	    nla_put(msg, NL80211_ATTR_IE, owe_info->ie_len, owe_info->ie))
18236 		goto nla_put_failure;
18237 
18238 	genlmsg_end(msg, hdr);
18239 
18240 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18241 				NL80211_MCGRP_MLME, gfp);
18242 	return;
18243 
18244 nla_put_failure:
18245 	genlmsg_cancel(msg, hdr);
18246 	nlmsg_free(msg);
18247 }
18248 EXPORT_SYMBOL(cfg80211_update_owe_info_event);
18249 
18250 /* initialisation/exit functions */
18251 
nl80211_init(void)18252 int __init nl80211_init(void)
18253 {
18254 	int err;
18255 
18256 	err = genl_register_family(&nl80211_fam);
18257 	if (err)
18258 		return err;
18259 
18260 	err = netlink_register_notifier(&nl80211_netlink_notifier);
18261 	if (err)
18262 		goto err_out;
18263 
18264 	return 0;
18265  err_out:
18266 	genl_unregister_family(&nl80211_fam);
18267 	return err;
18268 }
18269 
nl80211_exit(void)18270 void nl80211_exit(void)
18271 {
18272 	netlink_unregister_notifier(&nl80211_netlink_notifier);
18273 	genl_unregister_family(&nl80211_fam);
18274 }
18275