1 /* 2 * This file implement the Wireless Extensions core API. 3 * 4 * Authors : Jean Tourrilhes - HPL - <jt@hpl.hp.com> 5 * Copyright (c) 1997-2007 Jean Tourrilhes, All Rights Reserved. 6 * Copyright 2009 Johannes Berg <johannes@sipsolutions.net> 7 * Copyright (C) 2024 Intel Corporation 8 * 9 * (As all part of the Linux kernel, this file is GPL) 10 */ 11 #include <linux/kernel.h> 12 #include <linux/netdevice.h> 13 #include <linux/rtnetlink.h> 14 #include <linux/slab.h> 15 #include <linux/wireless.h> 16 #include <linux/uaccess.h> 17 #include <linux/export.h> 18 #include <net/cfg80211.h> 19 #include <net/iw_handler.h> 20 #include <net/netlink.h> 21 #include <net/wext.h> 22 #include <net/net_namespace.h> 23 24 typedef int (*wext_ioctl_func)(struct net_device *, struct iwreq *, 25 unsigned int, struct iw_request_info *, 26 iw_handler); 27 28 29 /* 30 * Meta-data about all the standard Wireless Extension request we 31 * know about. 32 */ 33 static const struct iw_ioctl_description standard_ioctl[] = { 34 [IW_IOCTL_IDX(SIOCSIWCOMMIT)] = { 35 .header_type = IW_HEADER_TYPE_NULL, 36 }, 37 [IW_IOCTL_IDX(SIOCGIWNAME)] = { 38 .header_type = IW_HEADER_TYPE_CHAR, 39 .flags = IW_DESCR_FLAG_DUMP, 40 }, 41 [IW_IOCTL_IDX(SIOCSIWNWID)] = { 42 .header_type = IW_HEADER_TYPE_PARAM, 43 .flags = IW_DESCR_FLAG_EVENT, 44 }, 45 [IW_IOCTL_IDX(SIOCGIWNWID)] = { 46 .header_type = IW_HEADER_TYPE_PARAM, 47 .flags = IW_DESCR_FLAG_DUMP, 48 }, 49 [IW_IOCTL_IDX(SIOCSIWFREQ)] = { 50 .header_type = IW_HEADER_TYPE_FREQ, 51 .flags = IW_DESCR_FLAG_EVENT, 52 }, 53 [IW_IOCTL_IDX(SIOCGIWFREQ)] = { 54 .header_type = IW_HEADER_TYPE_FREQ, 55 .flags = IW_DESCR_FLAG_DUMP, 56 }, 57 [IW_IOCTL_IDX(SIOCSIWMODE)] = { 58 .header_type = IW_HEADER_TYPE_UINT, 59 .flags = IW_DESCR_FLAG_EVENT, 60 }, 61 [IW_IOCTL_IDX(SIOCGIWMODE)] = { 62 .header_type = IW_HEADER_TYPE_UINT, 63 .flags = IW_DESCR_FLAG_DUMP, 64 }, 65 [IW_IOCTL_IDX(SIOCSIWSENS)] = { 66 .header_type = IW_HEADER_TYPE_PARAM, 67 }, 68 [IW_IOCTL_IDX(SIOCGIWSENS)] = { 69 .header_type = IW_HEADER_TYPE_PARAM, 70 }, 71 [IW_IOCTL_IDX(SIOCSIWRANGE)] = { 72 .header_type = IW_HEADER_TYPE_NULL, 73 }, 74 [IW_IOCTL_IDX(SIOCGIWRANGE)] = { 75 .header_type = IW_HEADER_TYPE_POINT, 76 .token_size = 1, 77 .max_tokens = sizeof(struct iw_range), 78 .flags = IW_DESCR_FLAG_DUMP, 79 }, 80 [IW_IOCTL_IDX(SIOCSIWPRIV)] = { 81 .header_type = IW_HEADER_TYPE_NULL, 82 }, 83 [IW_IOCTL_IDX(SIOCGIWPRIV)] = { /* (handled directly by us) */ 84 .header_type = IW_HEADER_TYPE_POINT, 85 .token_size = sizeof(struct iw_priv_args), 86 .max_tokens = 16, 87 .flags = IW_DESCR_FLAG_NOMAX, 88 }, 89 [IW_IOCTL_IDX(SIOCSIWSTATS)] = { 90 .header_type = IW_HEADER_TYPE_NULL, 91 }, 92 [IW_IOCTL_IDX(SIOCGIWSTATS)] = { /* (handled directly by us) */ 93 .header_type = IW_HEADER_TYPE_POINT, 94 .token_size = 1, 95 .max_tokens = sizeof(struct iw_statistics), 96 .flags = IW_DESCR_FLAG_DUMP, 97 }, 98 [IW_IOCTL_IDX(SIOCSIWSPY)] = { 99 .header_type = IW_HEADER_TYPE_POINT, 100 .token_size = sizeof(struct sockaddr), 101 .max_tokens = IW_MAX_SPY, 102 }, 103 [IW_IOCTL_IDX(SIOCGIWSPY)] = { 104 .header_type = IW_HEADER_TYPE_POINT, 105 .token_size = sizeof(struct sockaddr) + 106 sizeof(struct iw_quality), 107 .max_tokens = IW_MAX_SPY, 108 }, 109 [IW_IOCTL_IDX(SIOCSIWTHRSPY)] = { 110 .header_type = IW_HEADER_TYPE_POINT, 111 .token_size = sizeof(struct iw_thrspy), 112 .min_tokens = 1, 113 .max_tokens = 1, 114 }, 115 [IW_IOCTL_IDX(SIOCGIWTHRSPY)] = { 116 .header_type = IW_HEADER_TYPE_POINT, 117 .token_size = sizeof(struct iw_thrspy), 118 .min_tokens = 1, 119 .max_tokens = 1, 120 }, 121 [IW_IOCTL_IDX(SIOCSIWAP)] = { 122 .header_type = IW_HEADER_TYPE_ADDR, 123 }, 124 [IW_IOCTL_IDX(SIOCGIWAP)] = { 125 .header_type = IW_HEADER_TYPE_ADDR, 126 .flags = IW_DESCR_FLAG_DUMP, 127 }, 128 [IW_IOCTL_IDX(SIOCSIWMLME)] = { 129 .header_type = IW_HEADER_TYPE_POINT, 130 .token_size = 1, 131 .min_tokens = sizeof(struct iw_mlme), 132 .max_tokens = sizeof(struct iw_mlme), 133 }, 134 [IW_IOCTL_IDX(SIOCGIWAPLIST)] = { 135 .header_type = IW_HEADER_TYPE_POINT, 136 .token_size = sizeof(struct sockaddr) + 137 sizeof(struct iw_quality), 138 .max_tokens = IW_MAX_AP, 139 .flags = IW_DESCR_FLAG_NOMAX, 140 }, 141 [IW_IOCTL_IDX(SIOCSIWSCAN)] = { 142 .header_type = IW_HEADER_TYPE_POINT, 143 .token_size = 1, 144 .min_tokens = 0, 145 .max_tokens = sizeof(struct iw_scan_req), 146 }, 147 [IW_IOCTL_IDX(SIOCGIWSCAN)] = { 148 .header_type = IW_HEADER_TYPE_POINT, 149 .token_size = 1, 150 .max_tokens = IW_SCAN_MAX_DATA, 151 .flags = IW_DESCR_FLAG_NOMAX, 152 }, 153 [IW_IOCTL_IDX(SIOCSIWESSID)] = { 154 .header_type = IW_HEADER_TYPE_POINT, 155 .token_size = 1, 156 .max_tokens = IW_ESSID_MAX_SIZE, 157 .flags = IW_DESCR_FLAG_EVENT, 158 }, 159 [IW_IOCTL_IDX(SIOCGIWESSID)] = { 160 .header_type = IW_HEADER_TYPE_POINT, 161 .token_size = 1, 162 .max_tokens = IW_ESSID_MAX_SIZE, 163 .flags = IW_DESCR_FLAG_DUMP, 164 }, 165 [IW_IOCTL_IDX(SIOCSIWNICKN)] = { 166 .header_type = IW_HEADER_TYPE_POINT, 167 .token_size = 1, 168 .max_tokens = IW_ESSID_MAX_SIZE, 169 }, 170 [IW_IOCTL_IDX(SIOCGIWNICKN)] = { 171 .header_type = IW_HEADER_TYPE_POINT, 172 .token_size = 1, 173 .max_tokens = IW_ESSID_MAX_SIZE, 174 }, 175 [IW_IOCTL_IDX(SIOCSIWRATE)] = { 176 .header_type = IW_HEADER_TYPE_PARAM, 177 }, 178 [IW_IOCTL_IDX(SIOCGIWRATE)] = { 179 .header_type = IW_HEADER_TYPE_PARAM, 180 }, 181 [IW_IOCTL_IDX(SIOCSIWRTS)] = { 182 .header_type = IW_HEADER_TYPE_PARAM, 183 }, 184 [IW_IOCTL_IDX(SIOCGIWRTS)] = { 185 .header_type = IW_HEADER_TYPE_PARAM, 186 }, 187 [IW_IOCTL_IDX(SIOCSIWFRAG)] = { 188 .header_type = IW_HEADER_TYPE_PARAM, 189 }, 190 [IW_IOCTL_IDX(SIOCGIWFRAG)] = { 191 .header_type = IW_HEADER_TYPE_PARAM, 192 }, 193 [IW_IOCTL_IDX(SIOCSIWTXPOW)] = { 194 .header_type = IW_HEADER_TYPE_PARAM, 195 }, 196 [IW_IOCTL_IDX(SIOCGIWTXPOW)] = { 197 .header_type = IW_HEADER_TYPE_PARAM, 198 }, 199 [IW_IOCTL_IDX(SIOCSIWRETRY)] = { 200 .header_type = IW_HEADER_TYPE_PARAM, 201 }, 202 [IW_IOCTL_IDX(SIOCGIWRETRY)] = { 203 .header_type = IW_HEADER_TYPE_PARAM, 204 }, 205 [IW_IOCTL_IDX(SIOCSIWENCODE)] = { 206 .header_type = IW_HEADER_TYPE_POINT, 207 .token_size = 1, 208 .max_tokens = IW_ENCODING_TOKEN_MAX, 209 .flags = IW_DESCR_FLAG_EVENT | IW_DESCR_FLAG_RESTRICT, 210 }, 211 [IW_IOCTL_IDX(SIOCGIWENCODE)] = { 212 .header_type = IW_HEADER_TYPE_POINT, 213 .token_size = 1, 214 .max_tokens = IW_ENCODING_TOKEN_MAX, 215 .flags = IW_DESCR_FLAG_DUMP | IW_DESCR_FLAG_RESTRICT, 216 }, 217 [IW_IOCTL_IDX(SIOCSIWPOWER)] = { 218 .header_type = IW_HEADER_TYPE_PARAM, 219 }, 220 [IW_IOCTL_IDX(SIOCGIWPOWER)] = { 221 .header_type = IW_HEADER_TYPE_PARAM, 222 }, 223 [IW_IOCTL_IDX(SIOCSIWGENIE)] = { 224 .header_type = IW_HEADER_TYPE_POINT, 225 .token_size = 1, 226 .max_tokens = IW_GENERIC_IE_MAX, 227 }, 228 [IW_IOCTL_IDX(SIOCGIWGENIE)] = { 229 .header_type = IW_HEADER_TYPE_POINT, 230 .token_size = 1, 231 .max_tokens = IW_GENERIC_IE_MAX, 232 }, 233 [IW_IOCTL_IDX(SIOCSIWAUTH)] = { 234 .header_type = IW_HEADER_TYPE_PARAM, 235 }, 236 [IW_IOCTL_IDX(SIOCGIWAUTH)] = { 237 .header_type = IW_HEADER_TYPE_PARAM, 238 }, 239 [IW_IOCTL_IDX(SIOCSIWENCODEEXT)] = { 240 .header_type = IW_HEADER_TYPE_POINT, 241 .token_size = 1, 242 .min_tokens = sizeof(struct iw_encode_ext), 243 .max_tokens = sizeof(struct iw_encode_ext) + 244 IW_ENCODING_TOKEN_MAX, 245 }, 246 [IW_IOCTL_IDX(SIOCGIWENCODEEXT)] = { 247 .header_type = IW_HEADER_TYPE_POINT, 248 .token_size = 1, 249 .min_tokens = sizeof(struct iw_encode_ext), 250 .max_tokens = sizeof(struct iw_encode_ext) + 251 IW_ENCODING_TOKEN_MAX, 252 }, 253 [IW_IOCTL_IDX(SIOCSIWPMKSA)] = { 254 .header_type = IW_HEADER_TYPE_POINT, 255 .token_size = 1, 256 .min_tokens = sizeof(struct iw_pmksa), 257 .max_tokens = sizeof(struct iw_pmksa), 258 }, 259 }; 260 static const unsigned int standard_ioctl_num = ARRAY_SIZE(standard_ioctl); 261 262 /* 263 * Meta-data about all the additional standard Wireless Extension events 264 * we know about. 265 */ 266 static const struct iw_ioctl_description standard_event[] = { 267 [IW_EVENT_IDX(IWEVTXDROP)] = { 268 .header_type = IW_HEADER_TYPE_ADDR, 269 }, 270 [IW_EVENT_IDX(IWEVQUAL)] = { 271 .header_type = IW_HEADER_TYPE_QUAL, 272 }, 273 [IW_EVENT_IDX(IWEVCUSTOM)] = { 274 .header_type = IW_HEADER_TYPE_POINT, 275 .token_size = 1, 276 .max_tokens = IW_CUSTOM_MAX, 277 }, 278 [IW_EVENT_IDX(IWEVREGISTERED)] = { 279 .header_type = IW_HEADER_TYPE_ADDR, 280 }, 281 [IW_EVENT_IDX(IWEVEXPIRED)] = { 282 .header_type = IW_HEADER_TYPE_ADDR, 283 }, 284 [IW_EVENT_IDX(IWEVGENIE)] = { 285 .header_type = IW_HEADER_TYPE_POINT, 286 .token_size = 1, 287 .max_tokens = IW_GENERIC_IE_MAX, 288 }, 289 [IW_EVENT_IDX(IWEVMICHAELMICFAILURE)] = { 290 .header_type = IW_HEADER_TYPE_POINT, 291 .token_size = 1, 292 .max_tokens = sizeof(struct iw_michaelmicfailure), 293 }, 294 [IW_EVENT_IDX(IWEVASSOCREQIE)] = { 295 .header_type = IW_HEADER_TYPE_POINT, 296 .token_size = 1, 297 .max_tokens = IW_GENERIC_IE_MAX, 298 }, 299 [IW_EVENT_IDX(IWEVASSOCRESPIE)] = { 300 .header_type = IW_HEADER_TYPE_POINT, 301 .token_size = 1, 302 .max_tokens = IW_GENERIC_IE_MAX, 303 }, 304 [IW_EVENT_IDX(IWEVPMKIDCAND)] = { 305 .header_type = IW_HEADER_TYPE_POINT, 306 .token_size = 1, 307 .max_tokens = sizeof(struct iw_pmkid_cand), 308 }, 309 }; 310 static const unsigned int standard_event_num = ARRAY_SIZE(standard_event); 311 312 /* Size (in bytes) of various events */ 313 static const int event_type_size[] = { 314 IW_EV_LCP_LEN, /* IW_HEADER_TYPE_NULL */ 315 0, 316 IW_EV_CHAR_LEN, /* IW_HEADER_TYPE_CHAR */ 317 0, 318 IW_EV_UINT_LEN, /* IW_HEADER_TYPE_UINT */ 319 IW_EV_FREQ_LEN, /* IW_HEADER_TYPE_FREQ */ 320 IW_EV_ADDR_LEN, /* IW_HEADER_TYPE_ADDR */ 321 0, 322 IW_EV_POINT_LEN, /* Without variable payload */ 323 IW_EV_PARAM_LEN, /* IW_HEADER_TYPE_PARAM */ 324 IW_EV_QUAL_LEN, /* IW_HEADER_TYPE_QUAL */ 325 }; 326 327 #ifdef CONFIG_COMPAT 328 static const int compat_event_type_size[] = { 329 IW_EV_COMPAT_LCP_LEN, /* IW_HEADER_TYPE_NULL */ 330 0, 331 IW_EV_COMPAT_CHAR_LEN, /* IW_HEADER_TYPE_CHAR */ 332 0, 333 IW_EV_COMPAT_UINT_LEN, /* IW_HEADER_TYPE_UINT */ 334 IW_EV_COMPAT_FREQ_LEN, /* IW_HEADER_TYPE_FREQ */ 335 IW_EV_COMPAT_ADDR_LEN, /* IW_HEADER_TYPE_ADDR */ 336 0, 337 IW_EV_COMPAT_POINT_LEN, /* Without variable payload */ 338 IW_EV_COMPAT_PARAM_LEN, /* IW_HEADER_TYPE_PARAM */ 339 IW_EV_COMPAT_QUAL_LEN, /* IW_HEADER_TYPE_QUAL */ 340 }; 341 #endif 342 343 344 /* IW event code */ 345 346 void wireless_nlevent_flush(void) 347 { 348 struct sk_buff *skb; 349 struct net *net; 350 351 down_read(&net_rwsem); 352 for_each_net(net) { 353 while ((skb = skb_dequeue(&net->wext_nlevents))) 354 rtnl_notify(skb, net, 0, RTNLGRP_LINK, NULL, 355 GFP_KERNEL); 356 } 357 up_read(&net_rwsem); 358 } 359 EXPORT_SYMBOL_GPL(wireless_nlevent_flush); 360 361 static int wext_netdev_notifier_call(struct notifier_block *nb, 362 unsigned long state, void *ptr) 363 { 364 /* 365 * When a netdev changes state in any way, flush all pending messages 366 * to avoid them going out in a strange order, e.g. RTM_NEWLINK after 367 * RTM_DELLINK, or with IFF_UP after without IFF_UP during dev_close() 368 * or similar - all of which could otherwise happen due to delays from 369 * schedule_work(). 370 */ 371 wireless_nlevent_flush(); 372 373 return NOTIFY_OK; 374 } 375 376 static struct notifier_block wext_netdev_notifier = { 377 .notifier_call = wext_netdev_notifier_call, 378 }; 379 380 static int __net_init wext_pernet_init(struct net *net) 381 { 382 skb_queue_head_init(&net->wext_nlevents); 383 return 0; 384 } 385 386 static void __net_exit wext_pernet_exit(struct net *net) 387 { 388 skb_queue_purge(&net->wext_nlevents); 389 } 390 391 static struct pernet_operations wext_pernet_ops = { 392 .init = wext_pernet_init, 393 .exit = wext_pernet_exit, 394 }; 395 396 static int __init wireless_nlevent_init(void) 397 { 398 int err = register_pernet_subsys(&wext_pernet_ops); 399 400 if (err) 401 return err; 402 403 err = register_netdevice_notifier(&wext_netdev_notifier); 404 if (err) 405 unregister_pernet_subsys(&wext_pernet_ops); 406 return err; 407 } 408 409 subsys_initcall(wireless_nlevent_init); 410 411 /* Process events generated by the wireless layer or the driver. */ 412 static void wireless_nlevent_process(struct work_struct *work) 413 { 414 wireless_nlevent_flush(); 415 } 416 417 static DECLARE_WORK(wireless_nlevent_work, wireless_nlevent_process); 418 419 static struct nlmsghdr *rtnetlink_ifinfo_prep(struct net_device *dev, 420 struct sk_buff *skb) 421 { 422 struct ifinfomsg *r; 423 struct nlmsghdr *nlh; 424 425 nlh = nlmsg_put(skb, 0, 0, RTM_NEWLINK, sizeof(*r), 0); 426 if (!nlh) 427 return NULL; 428 429 r = nlmsg_data(nlh); 430 r->ifi_family = AF_UNSPEC; 431 r->__ifi_pad = 0; 432 r->ifi_type = dev->type; 433 r->ifi_index = dev->ifindex; 434 r->ifi_flags = dev_get_flags(dev); 435 r->ifi_change = 0; /* Wireless changes don't affect those flags */ 436 437 if (nla_put_string(skb, IFLA_IFNAME, dev->name)) 438 goto nla_put_failure; 439 440 return nlh; 441 nla_put_failure: 442 nlmsg_cancel(skb, nlh); 443 return NULL; 444 } 445 446 447 /* 448 * Main event dispatcher. Called from other parts and drivers. 449 * Send the event on the appropriate channels. 450 * May be called from interrupt context. 451 */ 452 void wireless_send_event(struct net_device * dev, 453 unsigned int cmd, 454 union iwreq_data * wrqu, 455 const char * extra) 456 { 457 const struct iw_ioctl_description * descr = NULL; 458 int extra_len = 0; 459 struct iw_event *event; /* Mallocated whole event */ 460 int event_len; /* Its size */ 461 int hdr_len; /* Size of the event header */ 462 int wrqu_off = 0; /* Offset in wrqu */ 463 /* Don't "optimise" the following variable, it will crash */ 464 unsigned int cmd_index; /* *MUST* be unsigned */ 465 struct sk_buff *skb; 466 struct nlmsghdr *nlh; 467 struct nlattr *nla; 468 #ifdef CONFIG_COMPAT 469 struct __compat_iw_event *compat_event; 470 struct compat_iw_point compat_wrqu; 471 struct sk_buff *compskb; 472 int ptr_len; 473 #endif 474 475 /* 476 * Nothing in the kernel sends scan events with data, be safe. 477 * This is necessary because we cannot fix up scan event data 478 * for compat, due to being contained in 'extra', but normally 479 * applications are required to retrieve the scan data anyway 480 * and no data is included in the event, this codifies that 481 * practice. 482 */ 483 if (WARN_ON(cmd == SIOCGIWSCAN && extra)) 484 extra = NULL; 485 486 /* Get the description of the Event */ 487 if (cmd <= SIOCIWLAST) { 488 cmd_index = IW_IOCTL_IDX(cmd); 489 if (cmd_index < standard_ioctl_num) 490 descr = &(standard_ioctl[cmd_index]); 491 } else { 492 cmd_index = IW_EVENT_IDX(cmd); 493 if (cmd_index < standard_event_num) 494 descr = &(standard_event[cmd_index]); 495 } 496 /* Don't accept unknown events */ 497 if (descr == NULL) { 498 /* Note : we don't return an error to the driver, because 499 * the driver would not know what to do about it. It can't 500 * return an error to the user, because the event is not 501 * initiated by a user request. 502 * The best the driver could do is to log an error message. 503 * We will do it ourselves instead... 504 */ 505 netdev_err(dev, "(WE) : Invalid/Unknown Wireless Event (0x%04X)\n", 506 cmd); 507 return; 508 } 509 510 /* Check extra parameters and set extra_len */ 511 if (descr->header_type == IW_HEADER_TYPE_POINT) { 512 /* Check if number of token fits within bounds */ 513 if (wrqu->data.length > descr->max_tokens) { 514 netdev_err(dev, "(WE) : Wireless Event (cmd=0x%04X) too big (%d)\n", 515 cmd, wrqu->data.length); 516 return; 517 } 518 if (wrqu->data.length < descr->min_tokens) { 519 netdev_err(dev, "(WE) : Wireless Event (cmd=0x%04X) too small (%d)\n", 520 cmd, wrqu->data.length); 521 return; 522 } 523 /* Calculate extra_len - extra is NULL for restricted events */ 524 if (extra != NULL) 525 extra_len = wrqu->data.length * descr->token_size; 526 /* Always at an offset in wrqu */ 527 wrqu_off = IW_EV_POINT_OFF; 528 } 529 530 /* Total length of the event */ 531 hdr_len = event_type_size[descr->header_type]; 532 event_len = hdr_len + extra_len; 533 534 /* 535 * The problem for 64/32 bit. 536 * 537 * On 64-bit, a regular event is laid out as follows: 538 * | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 539 * | event.len | event.cmd | p a d d i n g | 540 * | wrqu data ... (with the correct size) | 541 * 542 * This padding exists because we manipulate event->u, 543 * and 'event' is not packed. 544 * 545 * An iw_point event is laid out like this instead: 546 * | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 547 * | event.len | event.cmd | p a d d i n g | 548 * | iwpnt.len | iwpnt.flg | p a d d i n g | 549 * | extra data ... 550 * 551 * The second padding exists because struct iw_point is extended, 552 * but this depends on the platform... 553 * 554 * On 32-bit, all the padding shouldn't be there. 555 */ 556 557 skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC); 558 if (!skb) 559 return; 560 561 /* Send via the RtNetlink event channel */ 562 nlh = rtnetlink_ifinfo_prep(dev, skb); 563 if (WARN_ON(!nlh)) { 564 kfree_skb(skb); 565 return; 566 } 567 568 /* Add the wireless events in the netlink packet */ 569 nla = nla_reserve(skb, IFLA_WIRELESS, event_len); 570 if (!nla) { 571 kfree_skb(skb); 572 return; 573 } 574 event = nla_data(nla); 575 576 /* Fill event - first clear to avoid data leaking */ 577 memset(event, 0, hdr_len); 578 event->len = event_len; 579 event->cmd = cmd; 580 memcpy(&event->u, ((char *) wrqu) + wrqu_off, hdr_len - IW_EV_LCP_LEN); 581 if (extra_len) 582 memcpy(((char *) event) + hdr_len, extra, extra_len); 583 584 nlmsg_end(skb, nlh); 585 #ifdef CONFIG_COMPAT 586 hdr_len = compat_event_type_size[descr->header_type]; 587 588 /* ptr_len is remaining size in event header apart from LCP */ 589 ptr_len = hdr_len - IW_EV_COMPAT_LCP_LEN; 590 event_len = hdr_len + extra_len; 591 592 compskb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC); 593 if (!compskb) { 594 kfree_skb(skb); 595 return; 596 } 597 598 /* Send via the RtNetlink event channel */ 599 nlh = rtnetlink_ifinfo_prep(dev, compskb); 600 if (WARN_ON(!nlh)) { 601 kfree_skb(skb); 602 kfree_skb(compskb); 603 return; 604 } 605 606 /* Add the wireless events in the netlink packet */ 607 nla = nla_reserve(compskb, IFLA_WIRELESS, event_len); 608 if (!nla) { 609 kfree_skb(skb); 610 kfree_skb(compskb); 611 return; 612 } 613 compat_event = nla_data(nla); 614 615 compat_event->len = event_len; 616 compat_event->cmd = cmd; 617 if (descr->header_type == IW_HEADER_TYPE_POINT) { 618 compat_wrqu.length = wrqu->data.length; 619 compat_wrqu.flags = wrqu->data.flags; 620 memcpy(compat_event->ptr_bytes, 621 ((char *)&compat_wrqu) + IW_EV_COMPAT_POINT_OFF, 622 ptr_len); 623 if (extra_len) 624 memcpy(&compat_event->ptr_bytes[ptr_len], 625 extra, extra_len); 626 } else { 627 /* extra_len must be zero, so no if (extra) needed */ 628 memcpy(compat_event->ptr_bytes, wrqu, ptr_len); 629 } 630 631 nlmsg_end(compskb, nlh); 632 633 skb_shinfo(skb)->frag_list = compskb; 634 #endif 635 skb_queue_tail(&dev_net(dev)->wext_nlevents, skb); 636 schedule_work(&wireless_nlevent_work); 637 } 638 EXPORT_SYMBOL(wireless_send_event); 639 640 #ifdef CONFIG_CFG80211_WEXT 641 static void wireless_warn_cfg80211_wext(void) 642 { 643 char name[sizeof(current->comm)]; 644 645 pr_warn_once("warning: `%s' uses wireless extensions which will stop working for Wi-Fi 7 hardware; use nl80211\n", 646 get_task_comm(name, current)); 647 } 648 #endif 649 650 /* IW handlers */ 651 652 struct iw_statistics *get_wireless_stats(struct net_device *dev) 653 { 654 #ifdef CONFIG_WIRELESS_EXT 655 if ((dev->wireless_handlers != NULL) && 656 (dev->wireless_handlers->get_wireless_stats != NULL)) 657 return dev->wireless_handlers->get_wireless_stats(dev); 658 #endif 659 660 #ifdef CONFIG_CFG80211_WEXT 661 if (dev->ieee80211_ptr && 662 dev->ieee80211_ptr->wiphy && 663 dev->ieee80211_ptr->wiphy->wext && 664 dev->ieee80211_ptr->wiphy->wext->get_wireless_stats) { 665 wireless_warn_cfg80211_wext(); 666 if (dev->ieee80211_ptr->wiphy->flags & (WIPHY_FLAG_SUPPORTS_MLO | 667 WIPHY_FLAG_DISABLE_WEXT)) 668 return NULL; 669 return dev->ieee80211_ptr->wiphy->wext->get_wireless_stats(dev); 670 } 671 #endif 672 673 /* not found */ 674 return NULL; 675 } 676 677 /* noinline to avoid a bogus warning with -O3 */ 678 static noinline int iw_handler_get_iwstats(struct net_device * dev, 679 struct iw_request_info * info, 680 union iwreq_data * wrqu, 681 char * extra) 682 { 683 /* Get stats from the driver */ 684 struct iw_statistics *stats; 685 686 stats = get_wireless_stats(dev); 687 if (stats) { 688 /* Copy statistics to extra */ 689 memcpy(extra, stats, sizeof(struct iw_statistics)); 690 wrqu->data.length = sizeof(struct iw_statistics); 691 692 /* Check if we need to clear the updated flag */ 693 if (wrqu->data.flags != 0) 694 stats->qual.updated &= ~IW_QUAL_ALL_UPDATED; 695 return 0; 696 } else 697 return -EOPNOTSUPP; 698 } 699 700 static iw_handler get_handler(struct net_device *dev, unsigned int cmd) 701 { 702 /* Don't "optimise" the following variable, it will crash */ 703 unsigned int index; /* *MUST* be unsigned */ 704 const struct iw_handler_def *handlers = NULL; 705 706 #ifdef CONFIG_CFG80211_WEXT 707 if (dev->ieee80211_ptr && dev->ieee80211_ptr->wiphy) { 708 wireless_warn_cfg80211_wext(); 709 if (dev->ieee80211_ptr->wiphy->flags & (WIPHY_FLAG_SUPPORTS_MLO | 710 WIPHY_FLAG_DISABLE_WEXT)) 711 return NULL; 712 handlers = dev->ieee80211_ptr->wiphy->wext; 713 } 714 #endif 715 #ifdef CONFIG_WIRELESS_EXT 716 if (dev->wireless_handlers) 717 handlers = dev->wireless_handlers; 718 #endif 719 720 if (!handlers) 721 return NULL; 722 723 /* Try as a standard command */ 724 index = IW_IOCTL_IDX(cmd); 725 if (index < handlers->num_standard) 726 return handlers->standard[index]; 727 728 #ifdef CONFIG_WEXT_PRIV 729 /* Try as a private command */ 730 index = cmd - SIOCIWFIRSTPRIV; 731 if (index < handlers->num_private) 732 return handlers->private[index]; 733 #endif 734 735 /* Not found */ 736 return NULL; 737 } 738 739 static int ioctl_standard_iw_point(struct iw_point *iwp, unsigned int cmd, 740 const struct iw_ioctl_description *descr, 741 iw_handler handler, struct net_device *dev, 742 struct iw_request_info *info) 743 { 744 int err, extra_size, user_length = 0, essid_compat = 0; 745 char *extra; 746 747 /* Calculate space needed by arguments. Always allocate 748 * for max space. 749 */ 750 extra_size = descr->max_tokens * descr->token_size; 751 752 /* Check need for ESSID compatibility for WE < 21 */ 753 switch (cmd) { 754 case SIOCSIWESSID: 755 case SIOCGIWESSID: 756 case SIOCSIWNICKN: 757 case SIOCGIWNICKN: 758 if (iwp->length == descr->max_tokens + 1) 759 essid_compat = 1; 760 else if (IW_IS_SET(cmd) && (iwp->length != 0)) { 761 char essid[IW_ESSID_MAX_SIZE + 1]; 762 unsigned int len; 763 len = iwp->length * descr->token_size; 764 765 if (len > IW_ESSID_MAX_SIZE) 766 return -EFAULT; 767 768 err = copy_from_user(essid, iwp->pointer, len); 769 if (err) 770 return -EFAULT; 771 772 if (essid[iwp->length - 1] == '\0') 773 essid_compat = 1; 774 } 775 break; 776 default: 777 break; 778 } 779 780 iwp->length -= essid_compat; 781 782 /* Check what user space is giving us */ 783 if (IW_IS_SET(cmd)) { 784 /* Check NULL pointer */ 785 if (!iwp->pointer && iwp->length != 0) 786 return -EFAULT; 787 /* Check if number of token fits within bounds */ 788 if (iwp->length > descr->max_tokens) 789 return -E2BIG; 790 if (iwp->length < descr->min_tokens) 791 return -EINVAL; 792 } else { 793 /* Check NULL pointer */ 794 if (!iwp->pointer) 795 return -EFAULT; 796 /* Save user space buffer size for checking */ 797 user_length = iwp->length; 798 799 /* Don't check if user_length > max to allow forward 800 * compatibility. The test user_length < min is 801 * implied by the test at the end. 802 */ 803 804 /* Support for very large requests */ 805 if ((descr->flags & IW_DESCR_FLAG_NOMAX) && 806 (user_length > descr->max_tokens)) { 807 /* Allow userspace to GET more than max so 808 * we can support any size GET requests. 809 * There is still a limit : -ENOMEM. 810 */ 811 extra_size = user_length * descr->token_size; 812 813 /* Note : user_length is originally a __u16, 814 * and token_size is controlled by us, 815 * so extra_size won't get negative and 816 * won't overflow... 817 */ 818 } 819 } 820 821 /* Sanity-check to ensure we never end up _allocating_ zero 822 * bytes of data for extra. 823 */ 824 if (extra_size <= 0) 825 return -EFAULT; 826 827 /* kzalloc() ensures NULL-termination for essid_compat. */ 828 extra = kzalloc(extra_size, GFP_KERNEL); 829 if (!extra) 830 return -ENOMEM; 831 832 /* If it is a SET, get all the extra data in here */ 833 if (IW_IS_SET(cmd) && (iwp->length != 0)) { 834 if (copy_from_user(extra, iwp->pointer, 835 iwp->length * 836 descr->token_size)) { 837 err = -EFAULT; 838 goto out; 839 } 840 841 if (cmd == SIOCSIWENCODEEXT) { 842 struct iw_encode_ext *ee = (void *) extra; 843 844 if (iwp->length < sizeof(*ee) + ee->key_len) { 845 err = -EFAULT; 846 goto out; 847 } 848 } 849 } 850 851 if (IW_IS_GET(cmd) && !(descr->flags & IW_DESCR_FLAG_NOMAX)) { 852 /* 853 * If this is a GET, but not NOMAX, it means that the extra 854 * data is not bounded by userspace, but by max_tokens. Thus 855 * set the length to max_tokens. This matches the extra data 856 * allocation. 857 * The driver should fill it with the number of tokens it 858 * provided, and it may check iwp->length rather than having 859 * knowledge of max_tokens. If the driver doesn't change the 860 * iwp->length, this ioctl just copies back max_token tokens 861 * filled with zeroes. Hopefully the driver isn't claiming 862 * them to be valid data. 863 */ 864 iwp->length = descr->max_tokens; 865 } 866 867 err = handler(dev, info, (union iwreq_data *) iwp, extra); 868 869 iwp->length += essid_compat; 870 871 /* If we have something to return to the user */ 872 if (!err && IW_IS_GET(cmd)) { 873 /* Check if there is enough buffer up there */ 874 if (user_length < iwp->length) { 875 err = -E2BIG; 876 goto out; 877 } 878 879 if (copy_to_user(iwp->pointer, extra, 880 iwp->length * 881 descr->token_size)) { 882 err = -EFAULT; 883 goto out; 884 } 885 } 886 887 /* Generate an event to notify listeners of the change */ 888 if ((descr->flags & IW_DESCR_FLAG_EVENT) && 889 ((err == 0) || (err == -EIWCOMMIT))) { 890 union iwreq_data *data = (union iwreq_data *) iwp; 891 892 if (descr->flags & IW_DESCR_FLAG_RESTRICT) 893 /* If the event is restricted, don't 894 * export the payload. 895 */ 896 wireless_send_event(dev, cmd, data, NULL); 897 else 898 wireless_send_event(dev, cmd, data, extra); 899 } 900 901 out: 902 kfree(extra); 903 return err; 904 } 905 906 /* 907 * Call the commit handler in the driver 908 * (if exist and if conditions are right) 909 * 910 * Note : our current commit strategy is currently pretty dumb, 911 * but we will be able to improve on that... 912 * The goal is to try to agreagate as many changes as possible 913 * before doing the commit. Drivers that will define a commit handler 914 * are usually those that need a reset after changing parameters, so 915 * we want to minimise the number of reset. 916 * A cool idea is to use a timer : at each "set" command, we re-set the 917 * timer, when the timer eventually fires, we call the driver. 918 * Hopefully, more on that later. 919 * 920 * Also, I'm waiting to see how many people will complain about the 921 * netif_running(dev) test. I'm open on that one... 922 * Hopefully, the driver will remember to do a commit in "open()" ;-) 923 */ 924 int call_commit_handler(struct net_device *dev) 925 { 926 #ifdef CONFIG_WIRELESS_EXT 927 if (netif_running(dev) && 928 dev->wireless_handlers && 929 dev->wireless_handlers->standard[0]) 930 /* Call the commit handler on the driver */ 931 return dev->wireless_handlers->standard[0](dev, NULL, 932 NULL, NULL); 933 else 934 return 0; /* Command completed successfully */ 935 #else 936 /* cfg80211 has no commit */ 937 return 0; 938 #endif 939 } 940 941 /* 942 * Main IOCTl dispatcher. 943 * Check the type of IOCTL and call the appropriate wrapper... 944 */ 945 static int wireless_process_ioctl(struct net *net, struct iwreq *iwr, 946 unsigned int cmd, 947 struct iw_request_info *info, 948 wext_ioctl_func standard, 949 wext_ioctl_func private) 950 { 951 struct net_device *dev; 952 iw_handler handler; 953 954 /* Permissions are already checked in dev_ioctl() before calling us. 955 * The copy_to/from_user() of ifr is also dealt with in there */ 956 957 /* Make sure the device exist */ 958 if ((dev = __dev_get_by_name(net, iwr->ifr_name)) == NULL) 959 return -ENODEV; 960 961 /* A bunch of special cases, then the generic case... 962 * Note that 'cmd' is already filtered in dev_ioctl() with 963 * (cmd >= SIOCIWFIRST && cmd <= SIOCIWLAST) */ 964 if (cmd == SIOCGIWSTATS) 965 return standard(dev, iwr, cmd, info, 966 &iw_handler_get_iwstats); 967 968 #ifdef CONFIG_WEXT_PRIV 969 if (cmd == SIOCGIWPRIV && dev->wireless_handlers) 970 return standard(dev, iwr, cmd, info, 971 iw_handler_get_private); 972 #endif 973 974 /* Basic check */ 975 if (!netif_device_present(dev)) 976 return -ENODEV; 977 978 /* New driver API : try to find the handler */ 979 handler = get_handler(dev, cmd); 980 if (handler) { 981 /* Standard and private are not the same */ 982 if (cmd < SIOCIWFIRSTPRIV) 983 return standard(dev, iwr, cmd, info, handler); 984 else if (private) 985 return private(dev, iwr, cmd, info, handler); 986 } 987 return -EOPNOTSUPP; 988 } 989 990 /* If command is `set a parameter', or `get the encoding parameters', 991 * check if the user has the right to do it. 992 */ 993 static int wext_permission_check(unsigned int cmd) 994 { 995 if ((IW_IS_SET(cmd) || cmd == SIOCGIWENCODE || 996 cmd == SIOCGIWENCODEEXT) && 997 !capable(CAP_NET_ADMIN)) 998 return -EPERM; 999 1000 return 0; 1001 } 1002 1003 /* entry point from dev ioctl */ 1004 static int wext_ioctl_dispatch(struct net *net, struct iwreq *iwr, 1005 unsigned int cmd, struct iw_request_info *info, 1006 wext_ioctl_func standard, 1007 wext_ioctl_func private) 1008 { 1009 int ret = wext_permission_check(cmd); 1010 1011 if (ret) 1012 return ret; 1013 1014 dev_load(net, iwr->ifr_name); 1015 rtnl_lock(); 1016 ret = wireless_process_ioctl(net, iwr, cmd, info, standard, private); 1017 rtnl_unlock(); 1018 1019 return ret; 1020 } 1021 1022 /* 1023 * Wrapper to call a standard Wireless Extension handler. 1024 * We do various checks and also take care of moving data between 1025 * user space and kernel space. 1026 */ 1027 static int ioctl_standard_call(struct net_device * dev, 1028 struct iwreq *iwr, 1029 unsigned int cmd, 1030 struct iw_request_info *info, 1031 iw_handler handler) 1032 { 1033 const struct iw_ioctl_description * descr; 1034 int ret = -EINVAL; 1035 1036 /* Get the description of the IOCTL */ 1037 if (IW_IOCTL_IDX(cmd) >= standard_ioctl_num) 1038 return -EOPNOTSUPP; 1039 descr = &(standard_ioctl[IW_IOCTL_IDX(cmd)]); 1040 1041 /* Check if we have a pointer to user space data or not */ 1042 if (descr->header_type != IW_HEADER_TYPE_POINT) { 1043 1044 /* No extra arguments. Trivial to handle */ 1045 ret = handler(dev, info, &(iwr->u), NULL); 1046 1047 /* Generate an event to notify listeners of the change */ 1048 if ((descr->flags & IW_DESCR_FLAG_EVENT) && 1049 ((ret == 0) || (ret == -EIWCOMMIT))) 1050 wireless_send_event(dev, cmd, &(iwr->u), NULL); 1051 } else { 1052 ret = ioctl_standard_iw_point(&iwr->u.data, cmd, descr, 1053 handler, dev, info); 1054 } 1055 1056 /* Call commit handler if needed and defined */ 1057 if (ret == -EIWCOMMIT) 1058 ret = call_commit_handler(dev); 1059 1060 /* Here, we will generate the appropriate event if needed */ 1061 1062 return ret; 1063 } 1064 1065 1066 int wext_handle_ioctl(struct net *net, unsigned int cmd, void __user *arg) 1067 { 1068 struct iw_request_info info = { .cmd = cmd, .flags = 0 }; 1069 struct iwreq iwr; 1070 int ret; 1071 1072 if (copy_from_user(&iwr, arg, sizeof(iwr))) 1073 return -EFAULT; 1074 1075 iwr.ifr_name[sizeof(iwr.ifr_name) - 1] = 0; 1076 1077 ret = wext_ioctl_dispatch(net, &iwr, cmd, &info, 1078 ioctl_standard_call, 1079 ioctl_private_call); 1080 if (ret >= 0 && 1081 IW_IS_GET(cmd) && 1082 copy_to_user(arg, &iwr, sizeof(struct iwreq))) 1083 return -EFAULT; 1084 1085 return ret; 1086 } 1087 1088 #ifdef CONFIG_COMPAT 1089 static int compat_standard_call(struct net_device *dev, 1090 struct iwreq *iwr, 1091 unsigned int cmd, 1092 struct iw_request_info *info, 1093 iw_handler handler) 1094 { 1095 const struct iw_ioctl_description *descr; 1096 struct compat_iw_point *iwp_compat; 1097 struct iw_point iwp; 1098 int err; 1099 1100 descr = standard_ioctl + IW_IOCTL_IDX(cmd); 1101 1102 if (descr->header_type != IW_HEADER_TYPE_POINT) 1103 return ioctl_standard_call(dev, iwr, cmd, info, handler); 1104 1105 iwp_compat = (struct compat_iw_point *) &iwr->u.data; 1106 iwp.pointer = compat_ptr(iwp_compat->pointer); 1107 iwp.length = iwp_compat->length; 1108 iwp.flags = iwp_compat->flags; 1109 1110 err = ioctl_standard_iw_point(&iwp, cmd, descr, handler, dev, info); 1111 1112 iwp_compat->pointer = ptr_to_compat(iwp.pointer); 1113 iwp_compat->length = iwp.length; 1114 iwp_compat->flags = iwp.flags; 1115 1116 return err; 1117 } 1118 1119 int compat_wext_handle_ioctl(struct net *net, unsigned int cmd, 1120 unsigned long arg) 1121 { 1122 void __user *argp = (void __user *)arg; 1123 struct iw_request_info info; 1124 struct iwreq iwr; 1125 char *colon; 1126 int ret; 1127 1128 if (copy_from_user(&iwr, argp, sizeof(struct iwreq))) 1129 return -EFAULT; 1130 1131 iwr.ifr_name[IFNAMSIZ-1] = 0; 1132 colon = strchr(iwr.ifr_name, ':'); 1133 if (colon) 1134 *colon = 0; 1135 1136 info.cmd = cmd; 1137 info.flags = IW_REQUEST_FLAG_COMPAT; 1138 1139 ret = wext_ioctl_dispatch(net, &iwr, cmd, &info, 1140 compat_standard_call, 1141 compat_private_call); 1142 1143 if (ret >= 0 && 1144 IW_IS_GET(cmd) && 1145 copy_to_user(argp, &iwr, sizeof(struct iwreq))) 1146 return -EFAULT; 1147 1148 return ret; 1149 } 1150 #endif 1151 1152 char *iwe_stream_add_event(struct iw_request_info *info, char *stream, 1153 char *ends, struct iw_event *iwe, int event_len) 1154 { 1155 int lcp_len = iwe_stream_lcp_len(info); 1156 1157 event_len = iwe_stream_event_len_adjust(info, event_len); 1158 1159 /* Check if it's possible */ 1160 if (likely((stream + event_len) < ends)) { 1161 iwe->len = event_len; 1162 /* Beware of alignement issues on 64 bits */ 1163 memcpy(stream, (char *) iwe, IW_EV_LCP_PK_LEN); 1164 memcpy(stream + lcp_len, &iwe->u, 1165 event_len - lcp_len); 1166 stream += event_len; 1167 } 1168 1169 return stream; 1170 } 1171 EXPORT_SYMBOL(iwe_stream_add_event); 1172 1173 char *iwe_stream_add_point(struct iw_request_info *info, char *stream, 1174 char *ends, struct iw_event *iwe, char *extra) 1175 { 1176 int event_len = iwe_stream_point_len(info) + iwe->u.data.length; 1177 int point_len = iwe_stream_point_len(info); 1178 int lcp_len = iwe_stream_lcp_len(info); 1179 1180 /* Check if it's possible */ 1181 if (likely((stream + event_len) < ends)) { 1182 iwe->len = event_len; 1183 memcpy(stream, (char *) iwe, IW_EV_LCP_PK_LEN); 1184 memcpy(stream + lcp_len, 1185 ((char *) &iwe->u) + IW_EV_POINT_OFF, 1186 IW_EV_POINT_PK_LEN - IW_EV_LCP_PK_LEN); 1187 if (iwe->u.data.length && extra) 1188 memcpy(stream + point_len, extra, iwe->u.data.length); 1189 stream += event_len; 1190 } 1191 1192 return stream; 1193 } 1194 EXPORT_SYMBOL(iwe_stream_add_point); 1195 1196 char *iwe_stream_add_value(struct iw_request_info *info, char *event, 1197 char *value, char *ends, struct iw_event *iwe, 1198 int event_len) 1199 { 1200 int lcp_len = iwe_stream_lcp_len(info); 1201 1202 /* Don't duplicate LCP */ 1203 event_len -= IW_EV_LCP_LEN; 1204 1205 /* Check if it's possible */ 1206 if (likely((value + event_len) < ends)) { 1207 /* Add new value */ 1208 memcpy(value, &iwe->u, event_len); 1209 value += event_len; 1210 /* Patch LCP */ 1211 iwe->len = value - event; 1212 memcpy(event, (char *) iwe, lcp_len); 1213 } 1214 1215 return value; 1216 } 1217 EXPORT_SYMBOL(iwe_stream_add_value); 1218