diff options
Diffstat (limited to 'net/wireless')
| -rw-r--r-- | net/wireless/chan.c | 2 | ||||
| -rw-r--r-- | net/wireless/core.c | 43 | ||||
| -rw-r--r-- | net/wireless/core.h | 10 | ||||
| -rw-r--r-- | net/wireless/ibss.c | 14 | ||||
| -rw-r--r-- | net/wireless/mlme.c | 3 | ||||
| -rw-r--r-- | net/wireless/nl80211.c | 1357 | ||||
| -rw-r--r-- | net/wireless/nl80211.h | 3 | ||||
| -rw-r--r-- | net/wireless/rdev-ops.h | 58 | ||||
| -rw-r--r-- | net/wireless/scan.c | 127 | ||||
| -rw-r--r-- | net/wireless/sme.c | 9 | ||||
| -rw-r--r-- | net/wireless/sysfs.c | 7 | ||||
| -rw-r--r-- | net/wireless/trace.h | 90 | ||||
| -rw-r--r-- | net/wireless/util.c | 80 | ||||
| -rw-r--r-- | net/wireless/wext-compat.c | 21 | ||||
| -rw-r--r-- | net/wireless/wext-sme.c | 5 | 
15 files changed, 1471 insertions, 358 deletions
| diff --git a/net/wireless/chan.c b/net/wireless/chan.c index 0f506220a3bd..5497d022fada 100644 --- a/net/wireless/chan.c +++ b/net/wireless/chan.c @@ -372,6 +372,7 @@ int cfg80211_chandef_dfs_required(struct wiphy *wiphy,  	case NL80211_IFTYPE_AP_VLAN:  	case NL80211_IFTYPE_WDS:  	case NL80211_IFTYPE_P2P_DEVICE: +	case NL80211_IFTYPE_NAN:  		break;  	case NL80211_IFTYPE_UNSPECIFIED:  	case NUM_NL80211_IFTYPES: @@ -946,6 +947,7 @@ cfg80211_get_chan_state(struct wireless_dev *wdev,  	case NL80211_IFTYPE_AP_VLAN:  	case NL80211_IFTYPE_WDS:  	case NL80211_IFTYPE_P2P_DEVICE: +	case NL80211_IFTYPE_NAN:  		/* these interface types don't really have a channel */  		return;  	case NL80211_IFTYPE_UNSPECIFIED: diff --git a/net/wireless/core.c b/net/wireless/core.c index 7645e97362c0..8201e6d7449e 100644 --- a/net/wireless/core.c +++ b/net/wireless/core.c @@ -225,6 +225,23 @@ void cfg80211_stop_p2p_device(struct cfg80211_registered_device *rdev,  	}  } +void cfg80211_stop_nan(struct cfg80211_registered_device *rdev, +		       struct wireless_dev *wdev) +{ +	ASSERT_RTNL(); + +	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_NAN)) +		return; + +	if (!wdev->nan_started) +		return; + +	rdev_stop_nan(rdev, wdev); +	wdev->nan_started = false; + +	rdev->opencount--; +} +  void cfg80211_shutdown_all_interfaces(struct wiphy *wiphy)  {  	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); @@ -242,6 +259,9 @@ void cfg80211_shutdown_all_interfaces(struct wiphy *wiphy)  		case NL80211_IFTYPE_P2P_DEVICE:  			cfg80211_stop_p2p_device(rdev, wdev);  			break; +		case NL80211_IFTYPE_NAN: +			cfg80211_stop_nan(rdev, wdev); +			break;  		default:  			break;  		} @@ -537,6 +557,11 @@ static int wiphy_verify_combinations(struct wiphy *wiphy)  				    c->limits[j].max > 1))  				return -EINVAL; +			/* Only a single NAN can be allowed */ +			if (WARN_ON(types & BIT(NL80211_IFTYPE_NAN) && +				    c->limits[j].max > 1)) +				return -EINVAL; +  			cnt += c->limits[j].max;  			/*  			 * Don't advertise an unsupported type @@ -579,6 +604,11 @@ int wiphy_register(struct wiphy *wiphy)  		     !rdev->ops->tdls_cancel_channel_switch)))  		return -EINVAL; +	if (WARN_ON((wiphy->interface_modes & BIT(NL80211_IFTYPE_NAN)) && +		    (!rdev->ops->start_nan || !rdev->ops->stop_nan || +		     !rdev->ops->add_nan_func || !rdev->ops->del_nan_func))) +		return -EINVAL; +  	/*  	 * if a wiphy has unsupported modes for regulatory channel enforcement,  	 * opt-out of enforcement checking @@ -589,6 +619,7 @@ int wiphy_register(struct wiphy *wiphy)  				       BIT(NL80211_IFTYPE_P2P_GO) |  				       BIT(NL80211_IFTYPE_ADHOC) |  				       BIT(NL80211_IFTYPE_P2P_DEVICE) | +				       BIT(NL80211_IFTYPE_NAN) |  				       BIT(NL80211_IFTYPE_AP_VLAN) |  				       BIT(NL80211_IFTYPE_MONITOR)))  		wiphy->regulatory_flags |= REGULATORY_IGNORE_STALE_KICKOFF; @@ -906,6 +937,8 @@ void cfg80211_unregister_wdev(struct wireless_dev *wdev)  	if (WARN_ON(wdev->netdev))  		return; +	nl80211_notify_iface(rdev, wdev, NL80211_CMD_DEL_INTERFACE); +  	list_del_rcu(&wdev->list);  	rdev->devlist_generation++; @@ -914,6 +947,9 @@ void cfg80211_unregister_wdev(struct wireless_dev *wdev)  		cfg80211_mlme_purge_registrations(wdev);  		cfg80211_stop_p2p_device(rdev, wdev);  		break; +	case NL80211_IFTYPE_NAN: +		cfg80211_stop_nan(rdev, wdev); +		break;  	default:  		WARN_ON_ONCE(1);  		break; @@ -977,6 +1013,7 @@ void __cfg80211_leave(struct cfg80211_registered_device *rdev,  		/* must be handled by mac80211/driver, has no APIs */  		break;  	case NL80211_IFTYPE_P2P_DEVICE: +	case NL80211_IFTYPE_NAN:  		/* cannot happen, has no netdev */  		break;  	case NL80211_IFTYPE_AP_VLAN: @@ -1079,6 +1116,8 @@ static int cfg80211_netdev_notifier_call(struct notifier_block *nb,  		     wdev->iftype == NL80211_IFTYPE_P2P_CLIENT ||  		     wdev->iftype == NL80211_IFTYPE_ADHOC) && !wdev->use_4addr)  			dev->priv_flags |= IFF_DONT_BRIDGE; + +		nl80211_notify_iface(rdev, wdev, NL80211_CMD_NEW_INTERFACE);  		break;  	case NETDEV_GOING_DOWN:  		cfg80211_leave(rdev, wdev); @@ -1157,6 +1196,8 @@ static int cfg80211_netdev_notifier_call(struct notifier_block *nb,  		 * remove and clean it up.  		 */  		if (!list_empty(&wdev->list)) { +			nl80211_notify_iface(rdev, wdev, +					     NL80211_CMD_DEL_INTERFACE);  			sysfs_remove_link(&dev->dev.kobj, "phy80211");  			list_del_rcu(&wdev->list);  			rdev->devlist_generation++; @@ -1246,7 +1287,7 @@ static int __init cfg80211_init(void)  	if (err)  		goto out_fail_reg; -	cfg80211_wq = create_singlethread_workqueue("cfg80211"); +	cfg80211_wq = alloc_ordered_workqueue("cfg80211", WQ_MEM_RECLAIM);  	if (!cfg80211_wq) {  		err = -ENOMEM;  		goto out_fail_wq; diff --git a/net/wireless/core.h b/net/wireless/core.h index eee91443924d..f0c0c8a48c92 100644 --- a/net/wireless/core.h +++ b/net/wireless/core.h @@ -71,6 +71,7 @@ struct cfg80211_registered_device {  	struct list_head bss_list;  	struct rb_root bss_tree;  	u32 bss_generation; +	u32 bss_entries;  	struct cfg80211_scan_request *scan_req; /* protected by RTNL */  	struct sk_buff *scan_msg;  	struct cfg80211_sched_scan_request __rcu *sched_scan_req; @@ -249,9 +250,9 @@ struct cfg80211_event {  };  struct cfg80211_cached_keys { -	struct key_params params[6]; -	u8 data[6][WLAN_MAX_KEY_LEN]; -	int def, defmgmt; +	struct key_params params[CFG80211_MAX_WEP_KEYS]; +	u8 data[CFG80211_MAX_WEP_KEYS][WLAN_KEY_LEN_WEP104]; +	int def;  };  enum cfg80211_chan_mode { @@ -488,6 +489,9 @@ void cfg80211_leave(struct cfg80211_registered_device *rdev,  void cfg80211_stop_p2p_device(struct cfg80211_registered_device *rdev,  			      struct wireless_dev *wdev); +void cfg80211_stop_nan(struct cfg80211_registered_device *rdev, +		       struct wireless_dev *wdev); +  #define CFG80211_MAX_NUM_DIFFERENT_CHANNELS 10  #ifdef CONFIG_CFG80211_DEVELOPER_WARNINGS diff --git a/net/wireless/ibss.c b/net/wireless/ibss.c index 4a4dda53bdf1..364f900a3dc4 100644 --- a/net/wireless/ibss.c +++ b/net/wireless/ibss.c @@ -43,7 +43,8 @@ void __cfg80211_ibss_joined(struct net_device *dev, const u8 *bssid,  	cfg80211_hold_bss(bss_from_pub(bss));  	wdev->current_bss = bss_from_pub(bss); -	cfg80211_upload_connect_keys(wdev); +	if (!(wdev->wiphy->flags & WIPHY_FLAG_HAS_STATIC_WEP)) +		cfg80211_upload_connect_keys(wdev);  	nl80211_send_ibss_bssid(wiphy_to_rdev(wdev->wiphy), dev, bssid,  				GFP_KERNEL); @@ -114,6 +115,9 @@ static int __cfg80211_join_ibss(struct cfg80211_registered_device *rdev,  		}  	} +	if (WARN_ON(connkeys && connkeys->def < 0)) +		return -EINVAL; +  	if (WARN_ON(wdev->connect_keys))  		kzfree(wdev->connect_keys);  	wdev->connect_keys = connkeys; @@ -284,18 +288,16 @@ int cfg80211_ibss_wext_join(struct cfg80211_registered_device *rdev,  	if (!netif_running(wdev->netdev))  		return 0; -	if (wdev->wext.keys) { +	if (wdev->wext.keys)  		wdev->wext.keys->def = wdev->wext.default_key; -		wdev->wext.keys->defmgmt = wdev->wext.default_mgmt_key; -	}  	wdev->wext.ibss.privacy = wdev->wext.default_key != -1; -	if (wdev->wext.keys) { +	if (wdev->wext.keys && wdev->wext.keys->def != -1) {  		ck = kmemdup(wdev->wext.keys, sizeof(*ck), GFP_KERNEL);  		if (!ck)  			return -ENOMEM; -		for (i = 0; i < 6; i++) +		for (i = 0; i < CFG80211_MAX_WEP_KEYS; i++)  			ck->params[i].key = ck->data[i];  	}  	err = __cfg80211_join_ibss(rdev, wdev->netdev, diff --git a/net/wireless/mlme.c b/net/wireless/mlme.c index c284d883c349..cbb48e26a871 100644 --- a/net/wireless/mlme.c +++ b/net/wireless/mlme.c @@ -222,7 +222,7 @@ int cfg80211_mlme_auth(struct cfg80211_registered_device *rdev,  	ASSERT_WDEV_LOCK(wdev);  	if (auth_type == NL80211_AUTHTYPE_SHARED_KEY) -		if (!key || !key_len || key_idx < 0 || key_idx > 4) +		if (!key || !key_len || key_idx < 0 || key_idx > 3)  			return -EINVAL;  	if (wdev->current_bss && @@ -634,6 +634,7 @@ int cfg80211_mlme_mgmt_tx(struct cfg80211_registered_device *rdev,  			 * fall through, P2P device only supports  			 * public action frames  			 */ +		case NL80211_IFTYPE_NAN:  		default:  			err = -EOPNOTSUPP;  			break; diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index f02653a08993..c510810f0b7c 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c @@ -56,6 +56,7 @@ enum nl80211_multicast_groups {  	NL80211_MCGRP_REGULATORY,  	NL80211_MCGRP_MLME,  	NL80211_MCGRP_VENDOR, +	NL80211_MCGRP_NAN,  	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */  }; @@ -65,6 +66,7 @@ static const struct genl_multicast_group nl80211_mcgrps[] = {  	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },  	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },  	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR }, +	[NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },  #ifdef CONFIG_NL80211_TESTMODE  	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }  #endif @@ -409,6 +411,9 @@ static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {  		.len = VHT_MUMIMO_GROUPS_DATA_LEN  	},  	[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = { .len = ETH_ALEN }, +	[NL80211_ATTR_NAN_MASTER_PREF] = { .type = NLA_U8 }, +	[NL80211_ATTR_NAN_DUAL] = { .type = NLA_U8 }, +	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },  };  /* policy for the key attributes */ @@ -502,6 +507,39 @@ nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {  	},  }; +/* policy for NAN function attributes */ +static const struct nla_policy +nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = { +	[NL80211_NAN_FUNC_TYPE] = { .type = NLA_U8 }, +	[NL80211_NAN_FUNC_SERVICE_ID] = { .type = NLA_BINARY, +				    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN }, +	[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 }, +	[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG }, +	[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG }, +	[NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 }, +	[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 }, +	[NL80211_NAN_FUNC_FOLLOW_UP_DEST] = { .len = ETH_ALEN }, +	[NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG }, +	[NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 }, +	[NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY, +			.len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN }, +	[NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED }, +	[NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED }, +	[NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED }, +	[NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 }, +	[NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 }, +}; + +/* policy for Service Response Filter attributes */ +static const struct nla_policy +nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = { +	[NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG }, +	[NL80211_NAN_SRF_BF] = { .type = NLA_BINARY, +				 .len =  NL80211_NAN_FUNC_SRF_MAX_LEN }, +	[NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 }, +	[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED }, +}; +  static int nl80211_prepare_wdev_dump(struct sk_buff *skb,  				     struct netlink_callback *cb,  				     struct cfg80211_registered_device **rdev, @@ -848,13 +886,21 @@ nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,  	struct nlattr *key;  	struct cfg80211_cached_keys *result;  	int rem, err, def = 0; +	bool have_key = false; + +	nla_for_each_nested(key, keys, rem) { +		have_key = true; +		break; +	} + +	if (!have_key) +		return NULL;  	result = kzalloc(sizeof(*result), GFP_KERNEL);  	if (!result)  		return ERR_PTR(-ENOMEM);  	result->def = -1; -	result->defmgmt = -1;  	nla_for_each_nested(key, keys, rem) {  		memset(&parse, 0, sizeof(parse)); @@ -866,7 +912,7 @@ nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,  		err = -EINVAL;  		if (!parse.p.key)  			goto error; -		if (parse.idx < 0 || parse.idx > 4) +		if (parse.idx < 0 || parse.idx > 3)  			goto error;  		if (parse.def) {  			if (def) @@ -881,16 +927,24 @@ nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,  						     parse.idx, false, NULL);  		if (err)  			goto error; +		if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 && +		    parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) { +			err = -EINVAL; +			goto error; +		}  		result->params[parse.idx].cipher = parse.p.cipher;  		result->params[parse.idx].key_len = parse.p.key_len;  		result->params[parse.idx].key = result->data[parse.idx];  		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len); -		if (parse.p.cipher == WLAN_CIPHER_SUITE_WEP40 || -		    parse.p.cipher == WLAN_CIPHER_SUITE_WEP104) { -			if (no_ht) -				*no_ht = true; -		} +		/* must be WEP key if we got here */ +		if (no_ht) +			*no_ht = true; +	} + +	if (result->def < 0) { +		err = -EINVAL; +		goto error;  	}  	return result; @@ -918,6 +972,7 @@ static int nl80211_key_allowed(struct wireless_dev *wdev)  	case NL80211_IFTYPE_UNSPECIFIED:  	case NL80211_IFTYPE_OCB:  	case NL80211_IFTYPE_MONITOR: +	case NL80211_IFTYPE_NAN:  	case NL80211_IFTYPE_P2P_DEVICE:  	case NL80211_IFTYPE_WDS:  	case NUM_NL80211_IFTYPES: @@ -2525,10 +2580,35 @@ static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *  	int if_idx = 0;  	int wp_start = cb->args[0];  	int if_start = cb->args[1]; +	int filter_wiphy = -1;  	struct cfg80211_registered_device *rdev;  	struct wireless_dev *wdev;  	rtnl_lock(); +	if (!cb->args[2]) { +		struct nl80211_dump_wiphy_state state = { +			.filter_wiphy = -1, +		}; +		int ret; + +		ret = nl80211_dump_wiphy_parse(skb, cb, &state); +		if (ret) +			return ret; + +		filter_wiphy = state.filter_wiphy; + +		/* +		 * if filtering, set cb->args[2] to +1 since 0 is the default +		 * value needed to determine that parsing is necessary. +		 */ +		if (filter_wiphy >= 0) +			cb->args[2] = filter_wiphy + 1; +		else +			cb->args[2] = -1; +	} else if (cb->args[2] > 0) { +		filter_wiphy = cb->args[2] - 1; +	} +  	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {  		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))  			continue; @@ -2536,6 +2616,10 @@ static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *  			wp_idx++;  			continue;  		} + +		if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx) +			continue; +  		if_idx = 0;  		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) { @@ -2751,7 +2835,7 @@ static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)  	struct cfg80211_registered_device *rdev = info->user_ptr[0];  	struct vif_params params;  	struct wireless_dev *wdev; -	struct sk_buff *msg, *event; +	struct sk_buff *msg;  	int err;  	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;  	u32 flags; @@ -2774,7 +2858,7 @@ static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)  	    !(rdev->wiphy.interface_modes & (1 << type)))  		return -EOPNOTSUPP; -	if ((type == NL80211_IFTYPE_P2P_DEVICE || +	if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||  	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&  	    info->attrs[NL80211_ATTR_MAC]) {  		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC], @@ -2830,9 +2914,10 @@ static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)  		       wdev->mesh_id_up_len);  		wdev_unlock(wdev);  		break; +	case NL80211_IFTYPE_NAN:  	case NL80211_IFTYPE_P2P_DEVICE:  		/* -		 * P2P Device doesn't have a netdev, so doesn't go +		 * P2P Device and NAN do not have a netdev, so don't go  		 * through the netdev notifier and must be added here  		 */  		mutex_init(&wdev->mtx); @@ -2855,20 +2940,15 @@ static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)  		return -ENOBUFS;  	} -	event = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); -	if (event) { -		if (nl80211_send_iface(event, 0, 0, 0, -				       rdev, wdev, false) < 0) { -			nlmsg_free(event); -			goto out; -		} - -		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), -					event, 0, NL80211_MCGRP_CONFIG, -					GFP_KERNEL); -	} +	/* +	 * For wdevs which have no associated netdev object (e.g. of type +	 * NL80211_IFTYPE_P2P_DEVICE), emit the NEW_INTERFACE event here. +	 * For all other types, the event will be generated from the +	 * netdev notifier +	 */ +	if (!wdev->netdev) +		nl80211_notify_iface(rdev, wdev, NL80211_CMD_NEW_INTERFACE); -out:  	return genlmsg_reply(msg, info);  } @@ -2876,18 +2956,10 @@ static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)  {  	struct cfg80211_registered_device *rdev = info->user_ptr[0];  	struct wireless_dev *wdev = info->user_ptr[1]; -	struct sk_buff *msg; -	int status;  	if (!rdev->ops->del_virtual_intf)  		return -EOPNOTSUPP; -	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); -	if (msg && nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, true) < 0) { -		nlmsg_free(msg); -		msg = NULL; -	} -  	/*  	 * If we remove a wireless device without a netdev then clear  	 * user_ptr[1] so that nl80211_post_doit won't dereference it @@ -2898,15 +2970,7 @@ static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)  	if (!wdev->netdev)  		info->user_ptr[1] = NULL; -	status = rdev_del_virtual_intf(rdev, wdev); -	if (status >= 0 && msg) -		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), -					msg, 0, NL80211_MCGRP_CONFIG, -					GFP_KERNEL); -	else -		nlmsg_free(msg); - -	return status; +	return rdev_del_virtual_intf(rdev, wdev);  }  static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info) @@ -3316,6 +3380,291 @@ static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)  	return err;  } +static u32 rateset_to_mask(struct ieee80211_supported_band *sband, +			   u8 *rates, u8 rates_len) +{ +	u8 i; +	u32 mask = 0; + +	for (i = 0; i < rates_len; i++) { +		int rate = (rates[i] & 0x7f) * 5; +		int ridx; + +		for (ridx = 0; ridx < sband->n_bitrates; ridx++) { +			struct ieee80211_rate *srate = +				&sband->bitrates[ridx]; +			if (rate == srate->bitrate) { +				mask |= 1 << ridx; +				break; +			} +		} +		if (ridx == sband->n_bitrates) +			return 0; /* rate not found */ +	} + +	return mask; +} + +static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband, +			       u8 *rates, u8 rates_len, +			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN]) +{ +	u8 i; + +	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN); + +	for (i = 0; i < rates_len; i++) { +		int ridx, rbit; + +		ridx = rates[i] / 8; +		rbit = BIT(rates[i] % 8); + +		/* check validity */ +		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN)) +			return false; + +		/* check availability */ +		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit) +			mcs[ridx] |= rbit; +		else +			return false; +	} + +	return true; +} + +static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map) +{ +	u16 mcs_mask = 0; + +	switch (vht_mcs_map) { +	case IEEE80211_VHT_MCS_NOT_SUPPORTED: +		break; +	case IEEE80211_VHT_MCS_SUPPORT_0_7: +		mcs_mask = 0x00FF; +		break; +	case IEEE80211_VHT_MCS_SUPPORT_0_8: +		mcs_mask = 0x01FF; +		break; +	case IEEE80211_VHT_MCS_SUPPORT_0_9: +		mcs_mask = 0x03FF; +		break; +	default: +		break; +	} + +	return mcs_mask; +} + +static void vht_build_mcs_mask(u16 vht_mcs_map, +			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX]) +{ +	u8 nss; + +	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) { +		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03); +		vht_mcs_map >>= 2; +	} +} + +static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband, +			     struct nl80211_txrate_vht *txrate, +			     u16 mcs[NL80211_VHT_NSS_MAX]) +{ +	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map); +	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {}; +	u8 i; + +	if (!sband->vht_cap.vht_supported) +		return false; + +	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX); + +	/* Build vht_mcs_mask from VHT capabilities */ +	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask); + +	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) { +		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i]) +			mcs[i] = txrate->mcs[i]; +		else +			return false; +	} + +	return true; +} + +static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = { +	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY, +				    .len = NL80211_MAX_SUPP_RATES }, +	[NL80211_TXRATE_HT] = { .type = NLA_BINARY, +				.len = NL80211_MAX_SUPP_HT_RATES }, +	[NL80211_TXRATE_VHT] = { .len = sizeof(struct nl80211_txrate_vht)}, +	[NL80211_TXRATE_GI] = { .type = NLA_U8 }, +}; + +static int nl80211_parse_tx_bitrate_mask(struct genl_info *info, +					 struct cfg80211_bitrate_mask *mask) +{ +	struct nlattr *tb[NL80211_TXRATE_MAX + 1]; +	struct cfg80211_registered_device *rdev = info->user_ptr[0]; +	int rem, i; +	struct nlattr *tx_rates; +	struct ieee80211_supported_band *sband; +	u16 vht_tx_mcs_map; + +	memset(mask, 0, sizeof(*mask)); +	/* Default to all rates enabled */ +	for (i = 0; i < NUM_NL80211_BANDS; i++) { +		sband = rdev->wiphy.bands[i]; + +		if (!sband) +			continue; + +		mask->control[i].legacy = (1 << sband->n_bitrates) - 1; +		memcpy(mask->control[i].ht_mcs, +		       sband->ht_cap.mcs.rx_mask, +		       sizeof(mask->control[i].ht_mcs)); + +		if (!sband->vht_cap.vht_supported) +			continue; + +		vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map); +		vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs); +	} + +	/* if no rates are given set it back to the defaults */ +	if (!info->attrs[NL80211_ATTR_TX_RATES]) +		goto out; + +	/* The nested attribute uses enum nl80211_band as the index. This maps +	 * directly to the enum nl80211_band values used in cfg80211. +	 */ +	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8); +	nla_for_each_nested(tx_rates, info->attrs[NL80211_ATTR_TX_RATES], rem) { +		enum nl80211_band band = nla_type(tx_rates); +		int err; + +		if (band < 0 || band >= NUM_NL80211_BANDS) +			return -EINVAL; +		sband = rdev->wiphy.bands[band]; +		if (sband == NULL) +			return -EINVAL; +		err = nla_parse(tb, NL80211_TXRATE_MAX, nla_data(tx_rates), +				nla_len(tx_rates), nl80211_txattr_policy); +		if (err) +			return err; +		if (tb[NL80211_TXRATE_LEGACY]) { +			mask->control[band].legacy = rateset_to_mask( +				sband, +				nla_data(tb[NL80211_TXRATE_LEGACY]), +				nla_len(tb[NL80211_TXRATE_LEGACY])); +			if ((mask->control[band].legacy == 0) && +			    nla_len(tb[NL80211_TXRATE_LEGACY])) +				return -EINVAL; +		} +		if (tb[NL80211_TXRATE_HT]) { +			if (!ht_rateset_to_mask( +					sband, +					nla_data(tb[NL80211_TXRATE_HT]), +					nla_len(tb[NL80211_TXRATE_HT]), +					mask->control[band].ht_mcs)) +				return -EINVAL; +		} +		if (tb[NL80211_TXRATE_VHT]) { +			if (!vht_set_mcs_mask( +					sband, +					nla_data(tb[NL80211_TXRATE_VHT]), +					mask->control[band].vht_mcs)) +				return -EINVAL; +		} +		if (tb[NL80211_TXRATE_GI]) { +			mask->control[band].gi = +				nla_get_u8(tb[NL80211_TXRATE_GI]); +			if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI) +				return -EINVAL; +		} + +		if (mask->control[band].legacy == 0) { +			/* don't allow empty legacy rates if HT or VHT +			 * are not even supported. +			 */ +			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported || +			      rdev->wiphy.bands[band]->vht_cap.vht_supported)) +				return -EINVAL; + +			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) +				if (mask->control[band].ht_mcs[i]) +					goto out; + +			for (i = 0; i < NL80211_VHT_NSS_MAX; i++) +				if (mask->control[band].vht_mcs[i]) +					goto out; + +			/* legacy and mcs rates may not be both empty */ +			return -EINVAL; +		} +	} + +out: +	return 0; +} + +static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev, +				   enum nl80211_band band, +				   struct cfg80211_bitrate_mask *beacon_rate) +{ +	u32 count_ht, count_vht, i; +	u32 rate = beacon_rate->control[band].legacy; + +	/* Allow only one rate */ +	if (hweight32(rate) > 1) +		return -EINVAL; + +	count_ht = 0; +	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) { +		if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) { +			return -EINVAL; +		} else if (beacon_rate->control[band].ht_mcs[i]) { +			count_ht++; +			if (count_ht > 1) +				return -EINVAL; +		} +		if (count_ht && rate) +			return -EINVAL; +	} + +	count_vht = 0; +	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) { +		if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) { +			return -EINVAL; +		} else if (beacon_rate->control[band].vht_mcs[i]) { +			count_vht++; +			if (count_vht > 1) +				return -EINVAL; +		} +		if (count_vht && rate) +			return -EINVAL; +	} + +	if ((count_ht && count_vht) || (!rate && !count_ht && !count_vht)) +		return -EINVAL; + +	if (rate && +	    !wiphy_ext_feature_isset(&rdev->wiphy, +				     NL80211_EXT_FEATURE_BEACON_RATE_LEGACY)) +		return -EINVAL; +	if (count_ht && +	    !wiphy_ext_feature_isset(&rdev->wiphy, +				     NL80211_EXT_FEATURE_BEACON_RATE_HT)) +		return -EINVAL; +	if (count_vht && +	    !wiphy_ext_feature_isset(&rdev->wiphy, +				     NL80211_EXT_FEATURE_BEACON_RATE_VHT)) +		return -EINVAL; + +	return 0; +} +  static int nl80211_parse_beacon(struct nlattr *attrs[],  				struct cfg80211_beacon_data *bcn)  { @@ -3545,6 +3894,17 @@ static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)  					   wdev->iftype))  		return -EINVAL; +	if (info->attrs[NL80211_ATTR_TX_RATES]) { +		err = nl80211_parse_tx_bitrate_mask(info, ¶ms.beacon_rate); +		if (err) +			return err; + +		err = validate_beacon_tx_rate(rdev, params.chandef.chan->band, +					      ¶ms.beacon_rate); +		if (err) +			return err; +	} +  	if (info->attrs[NL80211_ATTR_SMPS_MODE]) {  		params.smps_mode =  			nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]); @@ -5374,6 +5734,18 @@ static int nl80211_check_s32(const struct nlattr *nla, s32 min, s32 max, s32 *ou  	return 0;  } +static int nl80211_check_power_mode(const struct nlattr *nla, +				    enum nl80211_mesh_power_mode min, +				    enum nl80211_mesh_power_mode max, +				    enum nl80211_mesh_power_mode *out) +{ +	u32 val = nla_get_u32(nla); +	if (val < min || val > max) +		return -EINVAL; +	*out = val; +	return 0; +} +  static int nl80211_parse_mesh_config(struct genl_info *info,  				     struct mesh_config *cfg,  				     u32 *mask_out) @@ -5518,7 +5890,7 @@ do {									    \  				  NL80211_MESH_POWER_ACTIVE,  				  NL80211_MESH_POWER_MAX,  				  mask, NL80211_MESHCONF_POWER_MODE, -				  nl80211_check_u32); +				  nl80211_check_power_mode);  	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration,  				  0, 65535, mask,  				  NL80211_MESHCONF_AWAKE_WINDOW, nl80211_check_u16); @@ -6102,6 +6474,9 @@ static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)  	wiphy = &rdev->wiphy; +	if (wdev->iftype == NL80211_IFTYPE_NAN) +		return -EOPNOTSUPP; +  	if (!rdev->ops->scan)  		return -EOPNOTSUPP; @@ -6978,7 +7353,7 @@ static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)  		params.n_counter_offsets_presp = len / sizeof(u16);  		if (rdev->wiphy.max_num_csa_counters && -		    (params.n_counter_offsets_beacon > +		    (params.n_counter_offsets_presp >  		     rdev->wiphy.max_num_csa_counters))  			return -EINVAL; @@ -7368,7 +7743,7 @@ static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)  		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||  		     key.p.key_len != WLAN_KEY_LEN_WEP104))  			return -EINVAL; -		if (key.idx > 4) +		if (key.idx > 3)  			return -EINVAL;  	} else {  		key.p.key_len = 0; @@ -7773,12 +8148,13 @@ static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)  	ibss.beacon_interval = 100; -	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) { +	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])  		ibss.beacon_interval =  			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]); -		if (ibss.beacon_interval < 1 || ibss.beacon_interval > 10000) -			return -EINVAL; -	} + +	err = cfg80211_validate_beacon_int(rdev, ibss.beacon_interval); +	if (err) +		return err;  	if (!rdev->ops->join_ibss)  		return -EOPNOTSUPP; @@ -7985,6 +8361,8 @@ __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,  	}  	data = nla_nest_start(skb, attr); +	if (!data) +		goto nla_put_failure;  	((void **)skb->cb)[0] = rdev;  	((void **)skb->cb)[1] = hdr; @@ -8602,238 +8980,21 @@ static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,  	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);  } -static u32 rateset_to_mask(struct ieee80211_supported_band *sband, -			   u8 *rates, u8 rates_len) -{ -	u8 i; -	u32 mask = 0; - -	for (i = 0; i < rates_len; i++) { -		int rate = (rates[i] & 0x7f) * 5; -		int ridx; - -		for (ridx = 0; ridx < sband->n_bitrates; ridx++) { -			struct ieee80211_rate *srate = -				&sband->bitrates[ridx]; -			if (rate == srate->bitrate) { -				mask |= 1 << ridx; -				break; -			} -		} -		if (ridx == sband->n_bitrates) -			return 0; /* rate not found */ -	} - -	return mask; -} - -static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband, -			       u8 *rates, u8 rates_len, -			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN]) -{ -	u8 i; - -	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN); - -	for (i = 0; i < rates_len; i++) { -		int ridx, rbit; - -		ridx = rates[i] / 8; -		rbit = BIT(rates[i] % 8); - -		/* check validity */ -		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN)) -			return false; - -		/* check availability */ -		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit) -			mcs[ridx] |= rbit; -		else -			return false; -	} - -	return true; -} - -static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map) -{ -	u16 mcs_mask = 0; - -	switch (vht_mcs_map) { -	case IEEE80211_VHT_MCS_NOT_SUPPORTED: -		break; -	case IEEE80211_VHT_MCS_SUPPORT_0_7: -		mcs_mask = 0x00FF; -		break; -	case IEEE80211_VHT_MCS_SUPPORT_0_8: -		mcs_mask = 0x01FF; -		break; -	case IEEE80211_VHT_MCS_SUPPORT_0_9: -		mcs_mask = 0x03FF; -		break; -	default: -		break; -	} - -	return mcs_mask; -} - -static void vht_build_mcs_mask(u16 vht_mcs_map, -			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX]) -{ -	u8 nss; - -	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) { -		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03); -		vht_mcs_map >>= 2; -	} -} - -static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband, -			     struct nl80211_txrate_vht *txrate, -			     u16 mcs[NL80211_VHT_NSS_MAX]) -{ -	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map); -	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {}; -	u8 i; - -	if (!sband->vht_cap.vht_supported) -		return false; - -	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX); - -	/* Build vht_mcs_mask from VHT capabilities */ -	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask); - -	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) { -		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i]) -			mcs[i] = txrate->mcs[i]; -		else -			return false; -	} - -	return true; -} - -static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = { -	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY, -				    .len = NL80211_MAX_SUPP_RATES }, -	[NL80211_TXRATE_HT] = { .type = NLA_BINARY, -				.len = NL80211_MAX_SUPP_HT_RATES }, -	[NL80211_TXRATE_VHT] = { .len = sizeof(struct nl80211_txrate_vht)}, -	[NL80211_TXRATE_GI] = { .type = NLA_U8 }, -}; -  static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,  				       struct genl_info *info)  { -	struct nlattr *tb[NL80211_TXRATE_MAX + 1]; -	struct cfg80211_registered_device *rdev = info->user_ptr[0];  	struct cfg80211_bitrate_mask mask; -	int rem, i; +	struct cfg80211_registered_device *rdev = info->user_ptr[0];  	struct net_device *dev = info->user_ptr[1]; -	struct nlattr *tx_rates; -	struct ieee80211_supported_band *sband; -	u16 vht_tx_mcs_map; +	int err;  	if (!rdev->ops->set_bitrate_mask)  		return -EOPNOTSUPP; -	memset(&mask, 0, sizeof(mask)); -	/* Default to all rates enabled */ -	for (i = 0; i < NUM_NL80211_BANDS; i++) { -		sband = rdev->wiphy.bands[i]; - -		if (!sband) -			continue; - -		mask.control[i].legacy = (1 << sband->n_bitrates) - 1; -		memcpy(mask.control[i].ht_mcs, -		       sband->ht_cap.mcs.rx_mask, -		       sizeof(mask.control[i].ht_mcs)); - -		if (!sband->vht_cap.vht_supported) -			continue; - -		vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map); -		vht_build_mcs_mask(vht_tx_mcs_map, mask.control[i].vht_mcs); -	} - -	/* if no rates are given set it back to the defaults */ -	if (!info->attrs[NL80211_ATTR_TX_RATES]) -		goto out; - -	/* -	 * The nested attribute uses enum nl80211_band as the index. This maps -	 * directly to the enum nl80211_band values used in cfg80211. -	 */ -	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8); -	nla_for_each_nested(tx_rates, info->attrs[NL80211_ATTR_TX_RATES], rem) { -		enum nl80211_band band = nla_type(tx_rates); -		int err; - -		if (band < 0 || band >= NUM_NL80211_BANDS) -			return -EINVAL; -		sband = rdev->wiphy.bands[band]; -		if (sband == NULL) -			return -EINVAL; -		err = nla_parse(tb, NL80211_TXRATE_MAX, nla_data(tx_rates), -				nla_len(tx_rates), nl80211_txattr_policy); -		if (err) -			return err; -		if (tb[NL80211_TXRATE_LEGACY]) { -			mask.control[band].legacy = rateset_to_mask( -				sband, -				nla_data(tb[NL80211_TXRATE_LEGACY]), -				nla_len(tb[NL80211_TXRATE_LEGACY])); -			if ((mask.control[band].legacy == 0) && -			    nla_len(tb[NL80211_TXRATE_LEGACY])) -				return -EINVAL; -		} -		if (tb[NL80211_TXRATE_HT]) { -			if (!ht_rateset_to_mask( -					sband, -					nla_data(tb[NL80211_TXRATE_HT]), -					nla_len(tb[NL80211_TXRATE_HT]), -					mask.control[band].ht_mcs)) -				return -EINVAL; -		} -		if (tb[NL80211_TXRATE_VHT]) { -			if (!vht_set_mcs_mask( -					sband, -					nla_data(tb[NL80211_TXRATE_VHT]), -					mask.control[band].vht_mcs)) -				return -EINVAL; -		} -		if (tb[NL80211_TXRATE_GI]) { -			mask.control[band].gi = -				nla_get_u8(tb[NL80211_TXRATE_GI]); -			if (mask.control[band].gi > NL80211_TXRATE_FORCE_LGI) -				return -EINVAL; -		} - -		if (mask.control[band].legacy == 0) { -			/* don't allow empty legacy rates if HT or VHT -			 * are not even supported. -			 */ -			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported || -			      rdev->wiphy.bands[band]->vht_cap.vht_supported)) -				return -EINVAL; - -			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) -				if (mask.control[band].ht_mcs[i]) -					goto out; - -			for (i = 0; i < NL80211_VHT_NSS_MAX; i++) -				if (mask.control[band].vht_mcs[i]) -					goto out; - -			/* legacy and mcs rates may not be both empty */ -			return -EINVAL; -		} -	} +	err = nl80211_parse_tx_bitrate_mask(info, &mask); +	if (err) +		return err; -out:  	return rdev_set_bitrate_mask(rdev, dev, NULL, &mask);  } @@ -8859,6 +9020,7 @@ static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)  	case NL80211_IFTYPE_P2P_GO:  	case NL80211_IFTYPE_P2P_DEVICE:  		break; +	case NL80211_IFTYPE_NAN:  	default:  		return -EOPNOTSUPP;  	} @@ -8904,6 +9066,7 @@ static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)  	case NL80211_IFTYPE_MESH_POINT:  	case NL80211_IFTYPE_P2P_GO:  		break; +	case NL80211_IFTYPE_NAN:  	default:  		return -EOPNOTSUPP;  	} @@ -9020,6 +9183,7 @@ static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *in  	case NL80211_IFTYPE_P2P_GO:  	case NL80211_IFTYPE_P2P_DEVICE:  		break; +	case NL80211_IFTYPE_NAN:  	default:  		return -EOPNOTSUPP;  	} @@ -9252,9 +9416,10 @@ static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)  	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {  		setup.beacon_interval =  			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]); -		if (setup.beacon_interval < 10 || -		    setup.beacon_interval > 10000) -			return -EINVAL; + +		err = cfg80211_validate_beacon_int(rdev, setup.beacon_interval); +		if (err) +			return err;  	}  	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) { @@ -9300,6 +9465,17 @@ static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)  			return err;  	} +	if (info->attrs[NL80211_ATTR_TX_RATES]) { +		err = nl80211_parse_tx_bitrate_mask(info, &setup.beacon_rate); +		if (err) +			return err; + +		err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band, +					      &setup.beacon_rate); +		if (err) +			return err; +	} +  	return cfg80211_join_mesh(rdev, dev, &setup, &cfg);  } @@ -9413,18 +9589,27 @@ static int nl80211_send_wowlan_nd(struct sk_buff *msg,  	if (!freqs)  		return -ENOBUFS; -	for (i = 0; i < req->n_channels; i++) -		nla_put_u32(msg, i, req->channels[i]->center_freq); +	for (i = 0; i < req->n_channels; i++) { +		if (nla_put_u32(msg, i, req->channels[i]->center_freq)) +			return -ENOBUFS; +	}  	nla_nest_end(msg, freqs);  	if (req->n_match_sets) {  		matches = nla_nest_start(msg, NL80211_ATTR_SCHED_SCAN_MATCH); +		if (!matches) +			return -ENOBUFS; +  		for (i = 0; i < req->n_match_sets; i++) {  			match = nla_nest_start(msg, i); -			nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID, -				req->match_sets[i].ssid.ssid_len, -				req->match_sets[i].ssid.ssid); +			if (!match) +				return -ENOBUFS; + +			if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID, +				    req->match_sets[i].ssid.ssid_len, +				    req->match_sets[i].ssid.ssid)) +				return -ENOBUFS;  			nla_nest_end(msg, match);  		}  		nla_nest_end(msg, matches); @@ -9436,6 +9621,9 @@ static int nl80211_send_wowlan_nd(struct sk_buff *msg,  	for (i = 0; i < req->n_scan_plans; i++) {  		scan_plan = nla_nest_start(msg, i + 1); +		if (!scan_plan) +			return -ENOBUFS; +  		if (!scan_plan ||  		    nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,  				req->scan_plans[i].interval) || @@ -10362,6 +10550,549 @@ static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)  	return 0;  } +static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info) +{ +	struct cfg80211_registered_device *rdev = info->user_ptr[0]; +	struct wireless_dev *wdev = info->user_ptr[1]; +	struct cfg80211_nan_conf conf = {}; +	int err; + +	if (wdev->iftype != NL80211_IFTYPE_NAN) +		return -EOPNOTSUPP; + +	if (wdev->nan_started) +		return -EEXIST; + +	if (rfkill_blocked(rdev->rfkill)) +		return -ERFKILL; + +	if (!info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) +		return -EINVAL; + +	if (!info->attrs[NL80211_ATTR_NAN_DUAL]) +		return -EINVAL; + +	conf.master_pref = +		nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]); +	if (!conf.master_pref) +		return -EINVAL; + +	conf.dual = nla_get_u8(info->attrs[NL80211_ATTR_NAN_DUAL]); + +	err = rdev_start_nan(rdev, wdev, &conf); +	if (err) +		return err; + +	wdev->nan_started = true; +	rdev->opencount++; + +	return 0; +} + +static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info) +{ +	struct cfg80211_registered_device *rdev = info->user_ptr[0]; +	struct wireless_dev *wdev = info->user_ptr[1]; + +	if (wdev->iftype != NL80211_IFTYPE_NAN) +		return -EOPNOTSUPP; + +	cfg80211_stop_nan(rdev, wdev); + +	return 0; +} + +static int validate_nan_filter(struct nlattr *filter_attr) +{ +	struct nlattr *attr; +	int len = 0, n_entries = 0, rem; + +	nla_for_each_nested(attr, filter_attr, rem) { +		len += nla_len(attr); +		n_entries++; +	} + +	if (len >= U8_MAX) +		return -EINVAL; + +	return n_entries; +} + +static int handle_nan_filter(struct nlattr *attr_filter, +			     struct cfg80211_nan_func *func, +			     bool tx) +{ +	struct nlattr *attr; +	int n_entries, rem, i; +	struct cfg80211_nan_func_filter *filter; + +	n_entries = validate_nan_filter(attr_filter); +	if (n_entries < 0) +		return n_entries; + +	BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters)); + +	filter = kcalloc(n_entries, sizeof(*func->rx_filters), GFP_KERNEL); +	if (!filter) +		return -ENOMEM; + +	i = 0; +	nla_for_each_nested(attr, attr_filter, rem) { +		filter[i].filter = kmemdup(nla_data(attr), nla_len(attr), +					   GFP_KERNEL); +		filter[i].len = nla_len(attr); +		i++; +	} +	if (tx) { +		func->num_tx_filters = n_entries; +		func->tx_filters = filter; +	} else { +		func->num_rx_filters = n_entries; +		func->rx_filters = filter; +	} + +	return 0; +} + +static int nl80211_nan_add_func(struct sk_buff *skb, +				struct genl_info *info) +{ +	struct cfg80211_registered_device *rdev = info->user_ptr[0]; +	struct wireless_dev *wdev = info->user_ptr[1]; +	struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr; +	struct cfg80211_nan_func *func; +	struct sk_buff *msg = NULL; +	void *hdr = NULL; +	int err = 0; + +	if (wdev->iftype != NL80211_IFTYPE_NAN) +		return -EOPNOTSUPP; + +	if (!wdev->nan_started) +		return -ENOTCONN; + +	if (!info->attrs[NL80211_ATTR_NAN_FUNC]) +		return -EINVAL; + +	if (wdev->owner_nlportid && +	    wdev->owner_nlportid != info->snd_portid) +		return -ENOTCONN; + +	err = nla_parse(tb, NL80211_NAN_FUNC_ATTR_MAX, +			nla_data(info->attrs[NL80211_ATTR_NAN_FUNC]), +			nla_len(info->attrs[NL80211_ATTR_NAN_FUNC]), +			nl80211_nan_func_policy); +	if (err) +		return err; + +	func = kzalloc(sizeof(*func), GFP_KERNEL); +	if (!func) +		return -ENOMEM; + +	func->cookie = wdev->wiphy->cookie_counter++; + +	if (!tb[NL80211_NAN_FUNC_TYPE] || +	    nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]) > NL80211_NAN_FUNC_MAX_TYPE) { +		err = -EINVAL; +		goto out; +	} + + +	func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]); + +	if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) { +		err = -EINVAL; +		goto out; +	} + +	memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]), +	       sizeof(func->service_id)); + +	func->close_range = +		nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]); + +	if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) { +		func->serv_spec_info_len = +			nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]); +		func->serv_spec_info = +			kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]), +				func->serv_spec_info_len, +				GFP_KERNEL); +		if (!func->serv_spec_info) { +			err = -ENOMEM; +			goto out; +		} +	} + +	if (tb[NL80211_NAN_FUNC_TTL]) +		func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]); + +	switch (func->type) { +	case NL80211_NAN_FUNC_PUBLISH: +		if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) { +			err = -EINVAL; +			goto out; +		} + +		func->publish_type = +			nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]); +		func->publish_bcast = +			nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]); + +		if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) && +			func->publish_bcast) { +			err = -EINVAL; +			goto out; +		} +		break; +	case NL80211_NAN_FUNC_SUBSCRIBE: +		func->subscribe_active = +			nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]); +		break; +	case NL80211_NAN_FUNC_FOLLOW_UP: +		if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] || +		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]) { +			err = -EINVAL; +			goto out; +		} + +		func->followup_id = +			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]); +		func->followup_reqid = +			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]); +		memcpy(func->followup_dest.addr, +		       nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]), +		       sizeof(func->followup_dest.addr)); +		if (func->ttl) { +			err = -EINVAL; +			goto out; +		} +		break; +	default: +		err = -EINVAL; +		goto out; +	} + +	if (tb[NL80211_NAN_FUNC_SRF]) { +		struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR]; + +		err = nla_parse(srf_tb, NL80211_NAN_SRF_ATTR_MAX, +				nla_data(tb[NL80211_NAN_FUNC_SRF]), +				nla_len(tb[NL80211_NAN_FUNC_SRF]), NULL); +		if (err) +			goto out; + +		func->srf_include = +			nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]); + +		if (srf_tb[NL80211_NAN_SRF_BF]) { +			if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] || +			    !srf_tb[NL80211_NAN_SRF_BF_IDX]) { +				err = -EINVAL; +				goto out; +			} + +			func->srf_bf_len = +				nla_len(srf_tb[NL80211_NAN_SRF_BF]); +			func->srf_bf = +				kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]), +					func->srf_bf_len, GFP_KERNEL); +			if (!func->srf_bf) { +				err = -ENOMEM; +				goto out; +			} + +			func->srf_bf_idx = +				nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]); +		} else { +			struct nlattr *attr, *mac_attr = +				srf_tb[NL80211_NAN_SRF_MAC_ADDRS]; +			int n_entries, rem, i = 0; + +			if (!mac_attr) { +				err = -EINVAL; +				goto out; +			} + +			n_entries = validate_acl_mac_addrs(mac_attr); +			if (n_entries <= 0) { +				err = -EINVAL; +				goto out; +			} + +			func->srf_num_macs = n_entries; +			func->srf_macs = +				kzalloc(sizeof(*func->srf_macs) * n_entries, +					GFP_KERNEL); +			if (!func->srf_macs) { +				err = -ENOMEM; +				goto out; +			} + +			nla_for_each_nested(attr, mac_attr, rem) +				memcpy(func->srf_macs[i++].addr, nla_data(attr), +				       sizeof(*func->srf_macs)); +		} +	} + +	if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) { +		err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER], +					func, true); +		if (err) +			goto out; +	} + +	if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) { +		err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER], +					func, false); +		if (err) +			goto out; +	} + +	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); +	if (!msg) { +		err = -ENOMEM; +		goto out; +	} + +	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0, +			     NL80211_CMD_ADD_NAN_FUNCTION); +	/* This can't really happen - we just allocated 4KB */ +	if (WARN_ON(!hdr)) { +		err = -ENOMEM; +		goto out; +	} + +	err = rdev_add_nan_func(rdev, wdev, func); +out: +	if (err < 0) { +		cfg80211_free_nan_func(func); +		nlmsg_free(msg); +		return err; +	} + +	/* propagate the instance id and cookie to userspace  */ +	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie, +			      NL80211_ATTR_PAD)) +		goto nla_put_failure; + +	func_attr = nla_nest_start(msg, NL80211_ATTR_NAN_FUNC); +	if (!func_attr) +		goto nla_put_failure; + +	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, +		       func->instance_id)) +		goto nla_put_failure; + +	nla_nest_end(msg, func_attr); + +	genlmsg_end(msg, hdr); +	return genlmsg_reply(msg, info); + +nla_put_failure: +	nlmsg_free(msg); +	return -ENOBUFS; +} + +static int nl80211_nan_del_func(struct sk_buff *skb, +			       struct genl_info *info) +{ +	struct cfg80211_registered_device *rdev = info->user_ptr[0]; +	struct wireless_dev *wdev = info->user_ptr[1]; +	u64 cookie; + +	if (wdev->iftype != NL80211_IFTYPE_NAN) +		return -EOPNOTSUPP; + +	if (!wdev->nan_started) +		return -ENOTCONN; + +	if (!info->attrs[NL80211_ATTR_COOKIE]) +		return -EINVAL; + +	if (wdev->owner_nlportid && +	    wdev->owner_nlportid != info->snd_portid) +		return -ENOTCONN; + +	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]); + +	rdev_del_nan_func(rdev, wdev, cookie); + +	return 0; +} + +static int nl80211_nan_change_config(struct sk_buff *skb, +				     struct genl_info *info) +{ +	struct cfg80211_registered_device *rdev = info->user_ptr[0]; +	struct wireless_dev *wdev = info->user_ptr[1]; +	struct cfg80211_nan_conf conf = {}; +	u32 changed = 0; + +	if (wdev->iftype != NL80211_IFTYPE_NAN) +		return -EOPNOTSUPP; + +	if (!wdev->nan_started) +		return -ENOTCONN; + +	if (info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) { +		conf.master_pref = +			nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]); +		if (conf.master_pref <= 1 || conf.master_pref == 255) +			return -EINVAL; + +		changed |= CFG80211_NAN_CONF_CHANGED_PREF; +	} + +	if (info->attrs[NL80211_ATTR_NAN_DUAL]) { +		conf.dual = nla_get_u8(info->attrs[NL80211_ATTR_NAN_DUAL]); +		changed |= CFG80211_NAN_CONF_CHANGED_DUAL; +	} + +	if (!changed) +		return -EINVAL; + +	return rdev_nan_change_conf(rdev, wdev, &conf, changed); +} + +void cfg80211_nan_match(struct wireless_dev *wdev, +			struct cfg80211_nan_match_params *match, gfp_t gfp) +{ +	struct wiphy *wiphy = wdev->wiphy; +	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); +	struct nlattr *match_attr, *local_func_attr, *peer_func_attr; +	struct sk_buff *msg; +	void *hdr; + +	if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr)) +		return; + +	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp); +	if (!msg) +		return; + +	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH); +	if (!hdr) { +		nlmsg_free(msg); +		return; +	} + +	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) || +	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX, +					 wdev->netdev->ifindex)) || +	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev), +			      NL80211_ATTR_PAD)) +		goto nla_put_failure; + +	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie, +			      NL80211_ATTR_PAD) || +	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr)) +		goto nla_put_failure; + +	match_attr = nla_nest_start(msg, NL80211_ATTR_NAN_MATCH); +	if (!match_attr) +		goto nla_put_failure; + +	local_func_attr = nla_nest_start(msg, NL80211_NAN_MATCH_FUNC_LOCAL); +	if (!local_func_attr) +		goto nla_put_failure; + +	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id)) +		goto nla_put_failure; + +	nla_nest_end(msg, local_func_attr); + +	peer_func_attr = nla_nest_start(msg, NL80211_NAN_MATCH_FUNC_PEER); +	if (!peer_func_attr) +		goto nla_put_failure; + +	if (nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) || +	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id)) +		goto nla_put_failure; + +	if (match->info && match->info_len && +	    nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len, +		    match->info)) +		goto nla_put_failure; + +	nla_nest_end(msg, peer_func_attr); +	nla_nest_end(msg, match_attr); +	genlmsg_end(msg, hdr); + +	if (!wdev->owner_nlportid) +		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), +					msg, 0, NL80211_MCGRP_NAN, gfp); +	else +		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, +				wdev->owner_nlportid); + +	return; + +nla_put_failure: +	nlmsg_free(msg); +} +EXPORT_SYMBOL(cfg80211_nan_match); + +void cfg80211_nan_func_terminated(struct wireless_dev *wdev, +				  u8 inst_id, +				  enum nl80211_nan_func_term_reason reason, +				  u64 cookie, gfp_t gfp) +{ +	struct wiphy *wiphy = wdev->wiphy; +	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); +	struct sk_buff *msg; +	struct nlattr *func_attr; +	void *hdr; + +	if (WARN_ON(!inst_id)) +		return; + +	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp); +	if (!msg) +		return; + +	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION); +	if (!hdr) { +		nlmsg_free(msg); +		return; +	} + +	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) || +	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX, +					 wdev->netdev->ifindex)) || +	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev), +			      NL80211_ATTR_PAD)) +		goto nla_put_failure; + +	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie, +			      NL80211_ATTR_PAD)) +		goto nla_put_failure; + +	func_attr = nla_nest_start(msg, NL80211_ATTR_NAN_FUNC); +	if (!func_attr) +		goto nla_put_failure; + +	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) || +	    nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason)) +		goto nla_put_failure; + +	nla_nest_end(msg, func_attr); +	genlmsg_end(msg, hdr); + +	if (!wdev->owner_nlportid) +		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), +					msg, 0, NL80211_MCGRP_NAN, gfp); +	else +		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, +				wdev->owner_nlportid); + +	return; + +nla_put_failure: +	nlmsg_free(msg); +} +EXPORT_SYMBOL(cfg80211_nan_func_terminated); +  static int nl80211_get_protocol_features(struct sk_buff *skb,  					 struct genl_info *info)  { @@ -11063,7 +11794,14 @@ static int nl80211_pre_doit(const struct genl_ops *ops, struct sk_buff *skb,  			dev_hold(dev);  		} else if (ops->internal_flags & NL80211_FLAG_CHECK_NETDEV_UP) { -			if (!wdev->p2p_started) { +			if (wdev->iftype == NL80211_IFTYPE_P2P_DEVICE && +			    !wdev->p2p_started) { +				if (rtnl) +					rtnl_unlock(); +				return -ENETDOWN; +			} +			if (wdev->iftype == NL80211_IFTYPE_NAN && +			    !wdev->nan_started) {  				if (rtnl)  					rtnl_unlock();  				return -ENETDOWN; @@ -11697,6 +12435,46 @@ static const struct genl_ops nl80211_ops[] = {  				  NL80211_FLAG_NEED_RTNL,  	},  	{ +		.cmd = NL80211_CMD_START_NAN, +		.doit = nl80211_start_nan, +		.policy = nl80211_policy, +		.flags = GENL_ADMIN_PERM, +		.internal_flags = NL80211_FLAG_NEED_WDEV | +				  NL80211_FLAG_NEED_RTNL, +	}, +	{ +		.cmd = NL80211_CMD_STOP_NAN, +		.doit = nl80211_stop_nan, +		.policy = nl80211_policy, +		.flags = GENL_ADMIN_PERM, +		.internal_flags = NL80211_FLAG_NEED_WDEV_UP | +				  NL80211_FLAG_NEED_RTNL, +	}, +	{ +		.cmd = NL80211_CMD_ADD_NAN_FUNCTION, +		.doit = nl80211_nan_add_func, +		.policy = nl80211_policy, +		.flags = GENL_ADMIN_PERM, +		.internal_flags = NL80211_FLAG_NEED_WDEV_UP | +				  NL80211_FLAG_NEED_RTNL, +	}, +	{ +		.cmd = NL80211_CMD_DEL_NAN_FUNCTION, +		.doit = nl80211_nan_del_func, +		.policy = nl80211_policy, +		.flags = GENL_ADMIN_PERM, +		.internal_flags = NL80211_FLAG_NEED_WDEV_UP | +				  NL80211_FLAG_NEED_RTNL, +	}, +	{ +		.cmd = NL80211_CMD_CHANGE_NAN_CONFIG, +		.doit = nl80211_nan_change_config, +		.policy = nl80211_policy, +		.flags = GENL_ADMIN_PERM, +		.internal_flags = NL80211_FLAG_NEED_WDEV_UP | +				  NL80211_FLAG_NEED_RTNL, +	}, +	{  		.cmd = NL80211_CMD_SET_MCAST_RATE,  		.doit = nl80211_set_mcast_rate,  		.policy = nl80211_policy, @@ -11847,6 +12625,29 @@ void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,  				NL80211_MCGRP_CONFIG, GFP_KERNEL);  } +void nl80211_notify_iface(struct cfg80211_registered_device *rdev, +				struct wireless_dev *wdev, +				enum nl80211_commands cmd) +{ +	struct sk_buff *msg; + +	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE && +		cmd != NL80211_CMD_DEL_INTERFACE); + +	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); +	if (!msg) +		return; + +	if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, +			       cmd == NL80211_CMD_DEL_INTERFACE) < 0) { +		nlmsg_free(msg); +		return; +	} + +	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0, +				NL80211_MCGRP_CONFIG, GFP_KERNEL); +} +  static int nl80211_add_scan_req(struct sk_buff *msg,  				struct cfg80211_registered_device *rdev)  { diff --git a/net/wireless/nl80211.h b/net/wireless/nl80211.h index a63f402b10b7..7e3821d7fcc5 100644 --- a/net/wireless/nl80211.h +++ b/net/wireless/nl80211.h @@ -7,6 +7,9 @@ int nl80211_init(void);  void nl80211_exit(void);  void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,  			  enum nl80211_commands cmd); +void nl80211_notify_iface(struct cfg80211_registered_device *rdev, +			  struct wireless_dev *wdev, +			  enum nl80211_commands cmd);  void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,  			     struct wireless_dev *wdev);  struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev, diff --git a/net/wireless/rdev-ops.h b/net/wireless/rdev-ops.h index 85ff30bee2b9..11cf83c8ad4f 100644 --- a/net/wireless/rdev-ops.h +++ b/net/wireless/rdev-ops.h @@ -887,6 +887,64 @@ static inline void rdev_stop_p2p_device(struct cfg80211_registered_device *rdev,  	trace_rdev_return_void(&rdev->wiphy);  } +static inline int rdev_start_nan(struct cfg80211_registered_device *rdev, +				 struct wireless_dev *wdev, +				 struct cfg80211_nan_conf *conf) +{ +	int ret; + +	trace_rdev_start_nan(&rdev->wiphy, wdev, conf); +	ret = rdev->ops->start_nan(&rdev->wiphy, wdev, conf); +	trace_rdev_return_int(&rdev->wiphy, ret); +	return ret; +} + +static inline void rdev_stop_nan(struct cfg80211_registered_device *rdev, +				 struct wireless_dev *wdev) +{ +	trace_rdev_stop_nan(&rdev->wiphy, wdev); +	rdev->ops->stop_nan(&rdev->wiphy, wdev); +	trace_rdev_return_void(&rdev->wiphy); +} + +static inline int +rdev_add_nan_func(struct cfg80211_registered_device *rdev, +		  struct wireless_dev *wdev, +		  struct cfg80211_nan_func *nan_func) +{ +	int ret; + +	trace_rdev_add_nan_func(&rdev->wiphy, wdev, nan_func); +	ret = rdev->ops->add_nan_func(&rdev->wiphy, wdev, nan_func); +	trace_rdev_return_int(&rdev->wiphy, ret); +	return ret; +} + +static inline void rdev_del_nan_func(struct cfg80211_registered_device *rdev, +				    struct wireless_dev *wdev, u64 cookie) +{ +	trace_rdev_del_nan_func(&rdev->wiphy, wdev, cookie); +	rdev->ops->del_nan_func(&rdev->wiphy, wdev, cookie); +	trace_rdev_return_void(&rdev->wiphy); +} + +static inline int +rdev_nan_change_conf(struct cfg80211_registered_device *rdev, +		     struct wireless_dev *wdev, +		     struct cfg80211_nan_conf *conf, u32 changes) +{ +	int ret; + +	trace_rdev_nan_change_conf(&rdev->wiphy, wdev, conf, changes); +	if (rdev->ops->nan_change_conf) +		ret = rdev->ops->nan_change_conf(&rdev->wiphy, wdev, conf, +						 changes); +	else +		ret = -ENOTSUPP; +	trace_rdev_return_int(&rdev->wiphy, ret); +	return ret; +} +  static inline int rdev_set_mac_acl(struct cfg80211_registered_device *rdev,  				   struct net_device *dev,  				   struct cfg80211_acl_data *params) diff --git a/net/wireless/scan.c b/net/wireless/scan.c index 0358e12be54b..35ad69fd0838 100644 --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -57,6 +57,19 @@   * also linked into the probe response struct.   */ +/* + * Limit the number of BSS entries stored in mac80211. Each one is + * a bit over 4k at most, so this limits to roughly 4-5M of memory. + * If somebody wants to really attack this though, they'd likely + * use small beacons, and only one type of frame, limiting each of + * the entries to a much smaller size (in order to generate more + * entries in total, so overhead is bigger.) + */ +static int bss_entries_limit = 1000; +module_param(bss_entries_limit, int, 0644); +MODULE_PARM_DESC(bss_entries_limit, +                 "limit to number of scan BSS entries (per wiphy, default 1000)"); +  #define IEEE80211_SCAN_RESULT_EXPIRE	(30 * HZ)  static void bss_free(struct cfg80211_internal_bss *bss) @@ -137,6 +150,10 @@ static bool __cfg80211_unlink_bss(struct cfg80211_registered_device *rdev,  	list_del_init(&bss->list);  	rb_erase(&bss->rbn, &rdev->bss_tree); +	rdev->bss_entries--; +	WARN_ONCE((rdev->bss_entries == 0) ^ list_empty(&rdev->bss_list), +		  "rdev bss entries[%d]/list[empty:%d] corruption\n", +		  rdev->bss_entries, list_empty(&rdev->bss_list));  	bss_ref_put(rdev, bss);  	return true;  } @@ -163,6 +180,40 @@ static void __cfg80211_bss_expire(struct cfg80211_registered_device *rdev,  		rdev->bss_generation++;  } +static bool cfg80211_bss_expire_oldest(struct cfg80211_registered_device *rdev) +{ +	struct cfg80211_internal_bss *bss, *oldest = NULL; +	bool ret; + +	lockdep_assert_held(&rdev->bss_lock); + +	list_for_each_entry(bss, &rdev->bss_list, list) { +		if (atomic_read(&bss->hold)) +			continue; + +		if (!list_empty(&bss->hidden_list) && +		    !bss->pub.hidden_beacon_bss) +			continue; + +		if (oldest && time_before(oldest->ts, bss->ts)) +			continue; +		oldest = bss; +	} + +	if (WARN_ON(!oldest)) +		return false; + +	/* +	 * The callers make sure to increase rdev->bss_generation if anything +	 * gets removed (and a new entry added), so there's no need to also do +	 * it here. +	 */ + +	ret = __cfg80211_unlink_bss(rdev, oldest); +	WARN_ON(!ret); +	return ret; +} +  void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev,  			   bool send_message)  { @@ -352,52 +403,48 @@ void cfg80211_bss_expire(struct cfg80211_registered_device *rdev)  	__cfg80211_bss_expire(rdev, jiffies - IEEE80211_SCAN_RESULT_EXPIRE);  } -const u8 *cfg80211_find_ie(u8 eid, const u8 *ies, int len) +const u8 *cfg80211_find_ie_match(u8 eid, const u8 *ies, int len, +				 const u8 *match, int match_len, +				 int match_offset)  { -	while (len > 2 && ies[0] != eid) { +	/* match_offset can't be smaller than 2, unless match_len is +	 * zero, in which case match_offset must be zero as well. +	 */ +	if (WARN_ON((match_len && match_offset < 2) || +		    (!match_len && match_offset))) +		return NULL; + +	while (len >= 2 && len >= ies[1] + 2) { +		if ((ies[0] == eid) && +		    (ies[1] + 2 >= match_offset + match_len) && +		    !memcmp(ies + match_offset, match, match_len)) +			return ies; +  		len -= ies[1] + 2;  		ies += ies[1] + 2;  	} -	if (len < 2) -		return NULL; -	if (len < 2 + ies[1]) -		return NULL; -	return ies; + +	return NULL;  } -EXPORT_SYMBOL(cfg80211_find_ie); +EXPORT_SYMBOL(cfg80211_find_ie_match);  const u8 *cfg80211_find_vendor_ie(unsigned int oui, int oui_type,  				  const u8 *ies, int len)  { -	struct ieee80211_vendor_ie *ie; -	const u8 *pos = ies, *end = ies + len; -	int ie_oui; +	const u8 *ie; +	u8 match[] = { oui >> 16, oui >> 8, oui, oui_type }; +	int match_len = (oui_type < 0) ? 3 : sizeof(match);  	if (WARN_ON(oui_type > 0xff))  		return NULL; -	while (pos < end) { -		pos = cfg80211_find_ie(WLAN_EID_VENDOR_SPECIFIC, pos, -				       end - pos); -		if (!pos) -			return NULL; - -		ie = (struct ieee80211_vendor_ie *)pos; +	ie = cfg80211_find_ie_match(WLAN_EID_VENDOR_SPECIFIC, ies, len, +				    match, match_len, 2); -		/* make sure we can access ie->len */ -		BUILD_BUG_ON(offsetof(struct ieee80211_vendor_ie, len) != 1); - -		if (ie->len < sizeof(*ie)) -			goto cont; +	if (ie && (ie[1] < 4)) +		return NULL; -		ie_oui = ie->oui[0] << 16 | ie->oui[1] << 8 | ie->oui[2]; -		if (ie_oui == oui && -		    (oui_type < 0 || ie->oui_type == oui_type)) -			return pos; -cont: -		pos += 2 + ie->len; -	} -	return NULL; +	return ie;  }  EXPORT_SYMBOL(cfg80211_find_vendor_ie); @@ -693,6 +740,7 @@ static bool cfg80211_combine_bsses(struct cfg80211_registered_device *rdev,  	const u8 *ie;  	int i, ssidlen;  	u8 fold = 0; +	u32 n_entries = 0;  	ies = rcu_access_pointer(new->pub.beacon_ies);  	if (WARN_ON(!ies)) @@ -716,6 +764,12 @@ static bool cfg80211_combine_bsses(struct cfg80211_registered_device *rdev,  	/* This is the bad part ... */  	list_for_each_entry(bss, &rdev->bss_list, list) { +		/* +		 * we're iterating all the entries anyway, so take the +		 * opportunity to validate the list length accounting +		 */ +		n_entries++; +  		if (!ether_addr_equal(bss->pub.bssid, new->pub.bssid))  			continue;  		if (bss->pub.channel != new->pub.channel) @@ -744,6 +798,10 @@ static bool cfg80211_combine_bsses(struct cfg80211_registered_device *rdev,  				   new->pub.beacon_ies);  	} +	WARN_ONCE(n_entries != rdev->bss_entries, +		  "rdev bss entries[%d]/list[len:%d] corruption\n", +		  rdev->bss_entries, n_entries); +  	return true;  } @@ -898,7 +956,14 @@ cfg80211_bss_update(struct cfg80211_registered_device *rdev,  			}  		} +		if (rdev->bss_entries >= bss_entries_limit && +		    !cfg80211_bss_expire_oldest(rdev)) { +			kfree(new); +			goto drop; +		} +  		list_add_tail(&new->list, &rdev->bss_list); +		rdev->bss_entries++;  		rb_insert_bss(rdev, new);  		found = new;  	} diff --git a/net/wireless/sme.c b/net/wireless/sme.c index add6824c44fd..a77db333927e 100644 --- a/net/wireless/sme.c +++ b/net/wireless/sme.c @@ -726,7 +726,8 @@ void __cfg80211_connect_result(struct net_device *dev, const u8 *bssid,  	wdev->current_bss = bss_from_pub(bss); -	cfg80211_upload_connect_keys(wdev); +	if (!(wdev->wiphy->flags & WIPHY_FLAG_HAS_STATIC_WEP)) +		cfg80211_upload_connect_keys(wdev);  	rcu_read_lock();  	country_ie = ieee80211_bss_get_ie(bss, WLAN_EID_COUNTRY); @@ -1043,6 +1044,12 @@ int cfg80211_connect(struct cfg80211_registered_device *rdev,  				connect->crypto.ciphers_pairwise[0] = cipher;  			}  		} + +		connect->crypto.wep_keys = connkeys->params; +		connect->crypto.wep_tx_key = connkeys->def; +	} else { +		if (WARN_ON(connkeys)) +			return -EINVAL;  	}  	wdev->connect_keys = connkeys; diff --git a/net/wireless/sysfs.c b/net/wireless/sysfs.c index e46469bc130f..14b3f007826d 100644 --- a/net/wireless/sysfs.c +++ b/net/wireless/sysfs.c @@ -57,7 +57,7 @@ static ssize_t addresses_show(struct device *dev,  		return sprintf(buf, "%pM\n", wiphy->perm_addr);  	for (i = 0; i < wiphy->n_addresses; i++) -		buf += sprintf(buf, "%pM\n", &wiphy->addresses[i].addr); +		buf += sprintf(buf, "%pM\n", wiphy->addresses[i].addr);  	return buf - start;  } @@ -104,13 +104,16 @@ static int wiphy_suspend(struct device *dev)  	rtnl_lock();  	if (rdev->wiphy.registered) { -		if (!rdev->wiphy.wowlan_config) +		if (!rdev->wiphy.wowlan_config) {  			cfg80211_leave_all(rdev); +			cfg80211_process_rdev_events(rdev); +		}  		if (rdev->ops->suspend)  			ret = rdev_suspend(rdev, rdev->wiphy.wowlan_config);  		if (ret == 1) {  			/* Driver refuse to configure wowlan */  			cfg80211_leave_all(rdev); +			cfg80211_process_rdev_events(rdev);  			ret = rdev_suspend(rdev, NULL);  		}  	} diff --git a/net/wireless/trace.h b/net/wireless/trace.h index 72b5255cefe2..a3d0a91b1e09 100644 --- a/net/wireless/trace.h +++ b/net/wireless/trace.h @@ -1889,6 +1889,96 @@ DEFINE_EVENT(wiphy_wdev_evt, rdev_stop_p2p_device,  	TP_ARGS(wiphy, wdev)  ); +TRACE_EVENT(rdev_start_nan, +	TP_PROTO(struct wiphy *wiphy, struct wireless_dev *wdev, +		 struct cfg80211_nan_conf *conf), +	TP_ARGS(wiphy, wdev, conf), +	TP_STRUCT__entry( +		WIPHY_ENTRY +		WDEV_ENTRY +		__field(u8, master_pref) +		__field(u8, dual); +	), +	TP_fast_assign( +		WIPHY_ASSIGN; +		WDEV_ASSIGN; +		__entry->master_pref = conf->master_pref; +		__entry->dual = conf->dual; +	), +	TP_printk(WIPHY_PR_FMT ", " WDEV_PR_FMT +		  ", master preference: %u, dual: %d", +		  WIPHY_PR_ARG, WDEV_PR_ARG, __entry->master_pref, +		  __entry->dual) +); + +TRACE_EVENT(rdev_nan_change_conf, +	TP_PROTO(struct wiphy *wiphy, struct wireless_dev *wdev, +		 struct cfg80211_nan_conf *conf, u32 changes), +	TP_ARGS(wiphy, wdev, conf, changes), +	TP_STRUCT__entry( +		WIPHY_ENTRY +		WDEV_ENTRY +		__field(u8, master_pref) +		__field(u8, dual); +		__field(u32, changes); +	), +	TP_fast_assign( +		WIPHY_ASSIGN; +		WDEV_ASSIGN; +		__entry->master_pref = conf->master_pref; +		__entry->dual = conf->dual; +		__entry->changes = changes; +	), +	TP_printk(WIPHY_PR_FMT ", " WDEV_PR_FMT +		  ", master preference: %u, dual: %d, changes: %x", +		  WIPHY_PR_ARG, WDEV_PR_ARG, __entry->master_pref, +		  __entry->dual, __entry->changes) +); + +DEFINE_EVENT(wiphy_wdev_evt, rdev_stop_nan, +	TP_PROTO(struct wiphy *wiphy, struct wireless_dev *wdev), +	TP_ARGS(wiphy, wdev) +); + +TRACE_EVENT(rdev_add_nan_func, +	TP_PROTO(struct wiphy *wiphy, struct wireless_dev *wdev, +		 const struct cfg80211_nan_func *func), +	TP_ARGS(wiphy, wdev, func), +	TP_STRUCT__entry( +		WIPHY_ENTRY +		WDEV_ENTRY +		__field(u8, func_type) +		__field(u64, cookie) +	), +	TP_fast_assign( +		WIPHY_ASSIGN; +		WDEV_ASSIGN; +		__entry->func_type = func->type; +		__entry->cookie = func->cookie +	), +	TP_printk(WIPHY_PR_FMT ", " WDEV_PR_FMT ", type=%u, cookie=%llu", +		  WIPHY_PR_ARG, WDEV_PR_ARG, __entry->func_type, +		  __entry->cookie) +); + +TRACE_EVENT(rdev_del_nan_func, +	TP_PROTO(struct wiphy *wiphy, struct wireless_dev *wdev, +		 u64 cookie), +	TP_ARGS(wiphy, wdev, cookie), +	TP_STRUCT__entry( +		WIPHY_ENTRY +		WDEV_ENTRY +		__field(u64, cookie) +	), +	TP_fast_assign( +		WIPHY_ASSIGN; +		WDEV_ASSIGN; +		__entry->cookie = cookie; +	), +	TP_printk(WIPHY_PR_FMT ", " WDEV_PR_FMT ", cookie=%llu", +		  WIPHY_PR_ARG, WDEV_PR_ARG, __entry->cookie) +); +  TRACE_EVENT(rdev_set_mac_acl,  	TP_PROTO(struct wiphy *wiphy, struct net_device *netdev,  		 struct cfg80211_acl_data *params), diff --git a/net/wireless/util.c b/net/wireless/util.c index b7d1592bd5b8..659b507b347d 100644 --- a/net/wireless/util.c +++ b/net/wireless/util.c @@ -218,7 +218,7 @@ int cfg80211_validate_key_settings(struct cfg80211_registered_device *rdev,  				   struct key_params *params, int key_idx,  				   bool pairwise, const u8 *mac_addr)  { -	if (key_idx > 5) +	if (key_idx < 0 || key_idx > 5)  		return -EINVAL;  	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN)) @@ -249,7 +249,13 @@ int cfg80211_validate_key_settings(struct cfg80211_registered_device *rdev,  		/* Disallow BIP (group-only) cipher as pairwise cipher */  		if (pairwise)  			return -EINVAL; +		if (key_idx < 4) +			return -EINVAL;  		break; +	case WLAN_CIPHER_SUITE_WEP40: +	case WLAN_CIPHER_SUITE_WEP104: +		if (key_idx > 3) +			return -EINVAL;  	default:  		break;  	} @@ -414,8 +420,8 @@ unsigned int ieee80211_get_mesh_hdrlen(struct ieee80211s_hdr *meshhdr)  }  EXPORT_SYMBOL(ieee80211_get_mesh_hdrlen); -static int __ieee80211_data_to_8023(struct sk_buff *skb, struct ethhdr *ehdr, -				    const u8 *addr, enum nl80211_iftype iftype) +int ieee80211_data_to_8023_exthdr(struct sk_buff *skb, struct ethhdr *ehdr, +				  const u8 *addr, enum nl80211_iftype iftype)  {  	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;  	struct { @@ -519,13 +525,7 @@ static int __ieee80211_data_to_8023(struct sk_buff *skb, struct ethhdr *ehdr,  	return 0;  } - -int ieee80211_data_to_8023(struct sk_buff *skb, const u8 *addr, -			   enum nl80211_iftype iftype) -{ -	return __ieee80211_data_to_8023(skb, NULL, addr, iftype); -} -EXPORT_SYMBOL(ieee80211_data_to_8023); +EXPORT_SYMBOL(ieee80211_data_to_8023_exthdr);  int ieee80211_data_from_8023(struct sk_buff *skb, const u8 *addr,  			     enum nl80211_iftype iftype, @@ -740,24 +740,18 @@ __ieee80211_amsdu_copy(struct sk_buff *skb, unsigned int hlen,  void ieee80211_amsdu_to_8023s(struct sk_buff *skb, struct sk_buff_head *list,  			      const u8 *addr, enum nl80211_iftype iftype,  			      const unsigned int extra_headroom, -			      bool has_80211_header) +			      const u8 *check_da, const u8 *check_sa)  {  	unsigned int hlen = ALIGN(extra_headroom, 4);  	struct sk_buff *frame = NULL;  	u16 ethertype;  	u8 *payload; -	int offset = 0, remaining, err; +	int offset = 0, remaining;  	struct ethhdr eth;  	bool reuse_frag = skb->head_frag && !skb_has_frag_list(skb);  	bool reuse_skb = false;  	bool last = false; -	if (has_80211_header) { -		err = __ieee80211_data_to_8023(skb, ð, addr, iftype); -		if (err) -			goto out; -	} -  	while (!last) {  		unsigned int subframe_len;  		int len; @@ -774,8 +768,17 @@ void ieee80211_amsdu_to_8023s(struct sk_buff *skb, struct sk_buff_head *list,  			goto purge;  		offset += sizeof(struct ethhdr); -		/* reuse skb for the last subframe */  		last = remaining <= subframe_len + padding; + +		/* FIXME: should we really accept multicast DA? */ +		if ((check_da && !is_multicast_ether_addr(eth.h_dest) && +		     !ether_addr_equal(check_da, eth.h_dest)) || +		    (check_sa && !ether_addr_equal(check_sa, eth.h_source))) { +			offset += len + padding; +			continue; +		} + +		/* reuse skb for the last subframe */  		if (!skb_is_nonlinear(skb) && !reuse_frag && last) {  			skb_pull(skb, offset);  			frame = skb; @@ -813,7 +816,6 @@ void ieee80211_amsdu_to_8023s(struct sk_buff *skb, struct sk_buff_head *list,   purge:  	__skb_queue_purge(list); - out:  	dev_kfree_skb(skb);  }  EXPORT_SYMBOL(ieee80211_amsdu_to_8023s); @@ -906,7 +908,7 @@ void cfg80211_upload_connect_keys(struct wireless_dev *wdev)  	if (!wdev->connect_keys)  		return; -	for (i = 0; i < 6; i++) { +	for (i = 0; i < CFG80211_MAX_WEP_KEYS; i++) {  		if (!wdev->connect_keys->params[i].cipher)  			continue;  		if (rdev_add_key(rdev, dev, i, false, NULL, @@ -919,9 +921,6 @@ void cfg80211_upload_connect_keys(struct wireless_dev *wdev)  				netdev_err(dev, "failed to set defkey %d\n", i);  				continue;  			} -		if (wdev->connect_keys->defmgmt == i) -			if (rdev_set_default_mgmt_key(rdev, dev, i)) -				netdev_err(dev, "failed to set mgtdef %d\n", i);  	}  	kzfree(wdev->connect_keys); @@ -1005,8 +1004,9 @@ int cfg80211_change_iface(struct cfg80211_registered_device *rdev,  	if (otype == NL80211_IFTYPE_AP_VLAN)  		return -EOPNOTSUPP; -	/* cannot change into P2P device type */ -	if (ntype == NL80211_IFTYPE_P2P_DEVICE) +	/* cannot change into P2P device or NAN */ +	if (ntype == NL80211_IFTYPE_P2P_DEVICE || +	    ntype == NL80211_IFTYPE_NAN)  		return -EOPNOTSUPP;  	if (!rdev->ops->change_virtual_intf || @@ -1085,6 +1085,7 @@ int cfg80211_change_iface(struct cfg80211_registered_device *rdev,  			/* not happening */  			break;  		case NL80211_IFTYPE_P2P_DEVICE: +		case NL80211_IFTYPE_NAN:  			WARN_ON(1);  			break;  		} @@ -1157,7 +1158,8 @@ static u32 cfg80211_calculate_bitrate_vht(struct rate_info *rate)  		   58500000,  		   65000000,  		   78000000, -		   0, +		/* not in the spec, but some devices use this: */ +		   86500000,  		},  		{  13500000,  		   27000000, @@ -1559,7 +1561,7 @@ int cfg80211_validate_beacon_int(struct cfg80211_registered_device *rdev,  	struct wireless_dev *wdev;  	int res = 0; -	if (!beacon_int) +	if (beacon_int < 10 || beacon_int > 10000)  		return -EINVAL;  	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) { @@ -1757,6 +1759,28 @@ int cfg80211_get_station(struct net_device *dev, const u8 *mac_addr,  }  EXPORT_SYMBOL(cfg80211_get_station); +void cfg80211_free_nan_func(struct cfg80211_nan_func *f) +{ +	int i; + +	if (!f) +		return; + +	kfree(f->serv_spec_info); +	kfree(f->srf_bf); +	kfree(f->srf_macs); +	for (i = 0; i < f->num_rx_filters; i++) +		kfree(f->rx_filters[i].filter); + +	for (i = 0; i < f->num_tx_filters; i++) +		kfree(f->tx_filters[i].filter); + +	kfree(f->rx_filters); +	kfree(f->tx_filters); +	kfree(f); +} +EXPORT_SYMBOL(cfg80211_free_nan_func); +  /* See IEEE 802.1H for LLC/SNAP encapsulation/decapsulation */  /* Ethernet-II snap header (RFC1042 for most EtherTypes) */  const unsigned char rfc1042_header[] __aligned(2) = diff --git a/net/wireless/wext-compat.c b/net/wireless/wext-compat.c index 9f27221c8913..a220156cf217 100644 --- a/net/wireless/wext-compat.c +++ b/net/wireless/wext-compat.c @@ -406,12 +406,16 @@ static int __cfg80211_set_encryption(struct cfg80211_registered_device *rdev,  	if (pairwise && !addr)  		return -EINVAL; +	/* +	 * In many cases we won't actually need this, but it's better +	 * to do it first in case the allocation fails. Don't use wext. +	 */  	if (!wdev->wext.keys) {  		wdev->wext.keys = kzalloc(sizeof(*wdev->wext.keys), -					      GFP_KERNEL); +					  GFP_KERNEL);  		if (!wdev->wext.keys)  			return -ENOMEM; -		for (i = 0; i < 6; i++) +		for (i = 0; i < CFG80211_MAX_WEP_KEYS; i++)  			wdev->wext.keys->params[i].key =  				wdev->wext.keys->data[i];  	} @@ -460,7 +464,7 @@ static int __cfg80211_set_encryption(struct cfg80211_registered_device *rdev,  		if (err == -ENOENT)  			err = 0;  		if (!err) { -			if (!addr) { +			if (!addr && idx < 4) {  				memset(wdev->wext.keys->data[idx], 0,  				       sizeof(wdev->wext.keys->data[idx]));  				wdev->wext.keys->params[idx].key_len = 0; @@ -487,10 +491,19 @@ static int __cfg80211_set_encryption(struct cfg80211_registered_device *rdev,  	err = 0;  	if (wdev->current_bss)  		err = rdev_add_key(rdev, dev, idx, pairwise, addr, params); +	else if (params->cipher != WLAN_CIPHER_SUITE_WEP40 && +		 params->cipher != WLAN_CIPHER_SUITE_WEP104) +		return -EINVAL;  	if (err)  		return err; -	if (!addr) { +	/* +	 * We only need to store WEP keys, since they're the only keys that +	 * can be be set before a connection is established and persist after +	 * disconnecting. +	 */ +	if (!addr && (params->cipher == WLAN_CIPHER_SUITE_WEP40 || +		      params->cipher == WLAN_CIPHER_SUITE_WEP104)) {  		wdev->wext.keys->params[idx] = *params;  		memcpy(wdev->wext.keys->data[idx],  			params->key, params->key_len); diff --git a/net/wireless/wext-sme.c b/net/wireless/wext-sme.c index a4e8af3321d2..995163830a61 100644 --- a/net/wireless/wext-sme.c +++ b/net/wireless/wext-sme.c @@ -35,7 +35,6 @@ int cfg80211_mgd_wext_connect(struct cfg80211_registered_device *rdev,  	if (wdev->wext.keys) {  		wdev->wext.keys->def = wdev->wext.default_key; -		wdev->wext.keys->defmgmt = wdev->wext.default_mgmt_key;  		if (wdev->wext.default_key != -1)  			wdev->wext.connect.privacy = true;  	} @@ -43,11 +42,11 @@ int cfg80211_mgd_wext_connect(struct cfg80211_registered_device *rdev,  	if (!wdev->wext.connect.ssid_len)  		return 0; -	if (wdev->wext.keys) { +	if (wdev->wext.keys && wdev->wext.keys->def != -1) {  		ck = kmemdup(wdev->wext.keys, sizeof(*ck), GFP_KERNEL);  		if (!ck)  			return -ENOMEM; -		for (i = 0; i < 6; i++) +		for (i = 0; i < CFG80211_MAX_WEP_KEYS; i++)  			ck->params[i].key = ck->data[i];  	} |