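/*
 * This file implements the Wireless Extensions core API.
 *
 * Authors :	Jean Tourrilhes - HPL - <jt@hpl.hp.com>
 * Copyright (c) 1997-2007 Jean Tourrilhes, All Rights Reserved.
 * Copyright	2009 Johannes Berg <johannes@sipsolutions.net>
 *
 * (As all part of the Linux kernel, this file is GPL)
 */
#include <linux/kernel.h>
#include <linux/netdevice.h>
#include <linux/rtnetlink.h>
#include <linux/slab.h>
#include <linux/wireless.h>
#include <linux/uaccess.h>
#include <linux/export.h>
#include <net/cfg80211.h>
#include <net/iw_handler.h>
#include <net/netlink.h>
#include <net/wext.h>
#include <net/net_namespace.h>

/*
 * Signature shared by the "standard" and "private" ioctl wrappers that
 * wireless_process_ioctl() dispatches to (native and compat variants).
 */
typedef int (*wext_ioctl_func)(struct net_device *, struct iwreq *,
			       unsigned int, struct iw_request_info *,
			       iw_handler);


/*
 * Meta-data about all the standard Wireless Extension request we
 * know about.
 *
 * For IW_HEADER_TYPE_POINT entries, token_size/min_tokens/max_tokens are
 * what ioctl_standard_iw_point() and wireless_send_event() use to bound
 * the variable-length payload. IW_DESCR_FLAG_RESTRICT marks requests whose
 * payload is not exported in the generated event.
 */
static const struct iw_ioctl_description standard_ioctl[] = {
	[IW_IOCTL_IDX(SIOCSIWCOMMIT)] = {
		.header_type	= IW_HEADER_TYPE_NULL,
	},
	[IW_IOCTL_IDX(SIOCGIWNAME)] = {
		.header_type	= IW_HEADER_TYPE_CHAR,
		.flags		= IW_DESCR_FLAG_DUMP,
	},
	[IW_IOCTL_IDX(SIOCSIWNWID)] = {
		.header_type	= IW_HEADER_TYPE_PARAM,
		.flags		= IW_DESCR_FLAG_EVENT,
	},
	[IW_IOCTL_IDX(SIOCGIWNWID)] = {
		.header_type	= IW_HEADER_TYPE_PARAM,
		.flags		= IW_DESCR_FLAG_DUMP,
	},
	[IW_IOCTL_IDX(SIOCSIWFREQ)] = {
		.header_type	= IW_HEADER_TYPE_FREQ,
		.flags		= IW_DESCR_FLAG_EVENT,
	},
	[IW_IOCTL_IDX(SIOCGIWFREQ)] = {
		.header_type	= IW_HEADER_TYPE_FREQ,
		.flags		= IW_DESCR_FLAG_DUMP,
	},
	[IW_IOCTL_IDX(SIOCSIWMODE)] = {
		.header_type	= IW_HEADER_TYPE_UINT,
		.flags		= IW_DESCR_FLAG_EVENT,
	},
	[IW_IOCTL_IDX(SIOCGIWMODE)] = {
		.header_type	= IW_HEADER_TYPE_UINT,
		.flags		= IW_DESCR_FLAG_DUMP,
	},
	[IW_IOCTL_IDX(SIOCSIWSENS)] = {
		.header_type	= IW_HEADER_TYPE_PARAM,
	},
	[IW_IOCTL_IDX(SIOCGIWSENS)] = {
		.header_type	= IW_HEADER_TYPE_PARAM,
	},
	[IW_IOCTL_IDX(SIOCSIWRANGE)] = {
		.header_type	= IW_HEADER_TYPE_NULL,
	},
	[IW_IOCTL_IDX(SIOCGIWRANGE)] = {
		.header_type	= IW_HEADER_TYPE_POINT,
		.token_size	= 1,
		.max_tokens	= sizeof(struct iw_range),
		.flags		= IW_DESCR_FLAG_DUMP,
	},
	[IW_IOCTL_IDX(SIOCSIWPRIV)] = {
		.header_type	= IW_HEADER_TYPE_NULL,
	},
	[IW_IOCTL_IDX(SIOCGIWPRIV)] = { /* (handled directly by us) */
		.header_type	= IW_HEADER_TYPE_POINT,
		.token_size	= sizeof(struct iw_priv_args),
		.max_tokens	= 16,
		.flags		= IW_DESCR_FLAG_NOMAX,
	},
	[IW_IOCTL_IDX(SIOCSIWSTATS)] = {
		.header_type	= IW_HEADER_TYPE_NULL,
	},
	[IW_IOCTL_IDX(SIOCGIWSTATS)] = { /* (handled directly by us) */
		.header_type	= IW_HEADER_TYPE_POINT,
		.token_size	= 1,
		.max_tokens	= sizeof(struct iw_statistics),
		.flags		= IW_DESCR_FLAG_DUMP,
	},
	[IW_IOCTL_IDX(SIOCSIWSPY)] = {
		.header_type	= IW_HEADER_TYPE_POINT,
		.token_size	= sizeof(struct sockaddr),
		.max_tokens	= IW_MAX_SPY,
	},
	[IW_IOCTL_IDX(SIOCGIWSPY)] = {
		.header_type	= IW_HEADER_TYPE_POINT,
		.token_size	= sizeof(struct sockaddr) +
				  sizeof(struct iw_quality),
		.max_tokens	= IW_MAX_SPY,
	},
	[IW_IOCTL_IDX(SIOCSIWTHRSPY)] = {
		.header_type	= IW_HEADER_TYPE_POINT,
		.token_size	= sizeof(struct iw_thrspy),
		.min_tokens	= 1,
		.max_tokens	= 1,
	},
	[IW_IOCTL_IDX(SIOCGIWTHRSPY)] = {
		.header_type	= IW_HEADER_TYPE_POINT,
		.token_size	= sizeof(struct iw_thrspy),
		.min_tokens	= 1,
		.max_tokens	= 1,
	},
	[IW_IOCTL_IDX(SIOCSIWAP)] = {
		.header_type	= IW_HEADER_TYPE_ADDR,
	},
	[IW_IOCTL_IDX(SIOCGIWAP)] = {
		.header_type	= IW_HEADER_TYPE_ADDR,
		.flags		= IW_DESCR_FLAG_DUMP,
	},
	[IW_IOCTL_IDX(SIOCSIWMLME)] = {
		.header_type	= IW_HEADER_TYPE_POINT,
		.token_size	= 1,
		.min_tokens	= sizeof(struct iw_mlme),
		.max_tokens	= sizeof(struct iw_mlme),
	},
	[IW_IOCTL_IDX(SIOCGIWAPLIST)] = {
		.header_type	= IW_HEADER_TYPE_POINT,
		.token_size	= sizeof(struct sockaddr) +
				  sizeof(struct iw_quality),
		.max_tokens	= IW_MAX_AP,
		.flags		= IW_DESCR_FLAG_NOMAX,
	},
	[IW_IOCTL_IDX(SIOCSIWSCAN)] = {
		.header_type	= IW_HEADER_TYPE_POINT,
		.token_size	= 1,
		.min_tokens	= 0,
		.max_tokens	= sizeof(struct iw_scan_req),
	},
	[IW_IOCTL_IDX(SIOCGIWSCAN)] = {
		.header_type	= IW_HEADER_TYPE_POINT,
		.token_size	= 1,
		.max_tokens	= IW_SCAN_MAX_DATA,
		.flags		= IW_DESCR_FLAG_NOMAX,
	},
	[IW_IOCTL_IDX(SIOCSIWESSID)] = {
		.header_type	= IW_HEADER_TYPE_POINT,
		.token_size	= 1,
		.max_tokens	= IW_ESSID_MAX_SIZE,
		.flags		= IW_DESCR_FLAG_EVENT,
	},
	[IW_IOCTL_IDX(SIOCGIWESSID)] = {
		.header_type	= IW_HEADER_TYPE_POINT,
		.token_size	= 1,
		.max_tokens	= IW_ESSID_MAX_SIZE,
		.flags		= IW_DESCR_FLAG_DUMP,
	},
	[IW_IOCTL_IDX(SIOCSIWNICKN)] = {
		.header_type	= IW_HEADER_TYPE_POINT,
		.token_size	= 1,
		.max_tokens	= IW_ESSID_MAX_SIZE,
	},
	[IW_IOCTL_IDX(SIOCGIWNICKN)] = {
		.header_type	= IW_HEADER_TYPE_POINT,
		.token_size	= 1,
		.max_tokens	= IW_ESSID_MAX_SIZE,
	},
	[IW_IOCTL_IDX(SIOCSIWRATE)] = {
		.header_type	= IW_HEADER_TYPE_PARAM,
	},
	[IW_IOCTL_IDX(SIOCGIWRATE)] = {
		.header_type	= IW_HEADER_TYPE_PARAM,
	},
	[IW_IOCTL_IDX(SIOCSIWRTS)] = {
		.header_type	= IW_HEADER_TYPE_PARAM,
	},
	[IW_IOCTL_IDX(SIOCGIWRTS)] = {
		.header_type	= IW_HEADER_TYPE_PARAM,
	},
	[IW_IOCTL_IDX(SIOCSIWFRAG)] = {
		.header_type	= IW_HEADER_TYPE_PARAM,
	},
	[IW_IOCTL_IDX(SIOCGIWFRAG)] = {
		.header_type	= IW_HEADER_TYPE_PARAM,
	},
	[IW_IOCTL_IDX(SIOCSIWTXPOW)] = {
		.header_type	= IW_HEADER_TYPE_PARAM,
	},
	[IW_IOCTL_IDX(SIOCGIWTXPOW)] = {
		.header_type	= IW_HEADER_TYPE_PARAM,
	},
	[IW_IOCTL_IDX(SIOCSIWRETRY)] = {
		.header_type	= IW_HEADER_TYPE_PARAM,
	},
	[IW_IOCTL_IDX(SIOCGIWRETRY)] = {
		.header_type	= IW_HEADER_TYPE_PARAM,
	},
	[IW_IOCTL_IDX(SIOCSIWENCODE)] = {
		.header_type	= IW_HEADER_TYPE_POINT,
		.token_size	= 1,
		.max_tokens	= IW_ENCODING_TOKEN_MAX,
		.flags		= IW_DESCR_FLAG_EVENT | IW_DESCR_FLAG_RESTRICT,
	},
	[IW_IOCTL_IDX(SIOCGIWENCODE)] = {
		.header_type	= IW_HEADER_TYPE_POINT,
		.token_size	= 1,
		.max_tokens	= IW_ENCODING_TOKEN_MAX,
		.flags		= IW_DESCR_FLAG_DUMP | IW_DESCR_FLAG_RESTRICT,
	},
	[IW_IOCTL_IDX(SIOCSIWPOWER)] = {
		.header_type	= IW_HEADER_TYPE_PARAM,
	},
	[IW_IOCTL_IDX(SIOCGIWPOWER)] = {
		.header_type	= IW_HEADER_TYPE_PARAM,
	},
	[IW_IOCTL_IDX(SIOCSIWGENIE)] = {
		.header_type	= IW_HEADER_TYPE_POINT,
		.token_size	= 1,
		.max_tokens	= IW_GENERIC_IE_MAX,
	},
	[IW_IOCTL_IDX(SIOCGIWGENIE)] = {
		.header_type	= IW_HEADER_TYPE_POINT,
		.token_size	= 1,
		.max_tokens	= IW_GENERIC_IE_MAX,
	},
	[IW_IOCTL_IDX(SIOCSIWAUTH)] = {
		.header_type	= IW_HEADER_TYPE_PARAM,
	},
	[IW_IOCTL_IDX(SIOCGIWAUTH)] = {
		.header_type	= IW_HEADER_TYPE_PARAM,
	},
	[IW_IOCTL_IDX(SIOCSIWENCODEEXT)] = {
		.header_type	= IW_HEADER_TYPE_POINT,
		.token_size	= 1,
		.min_tokens	= sizeof(struct iw_encode_ext),
		.max_tokens	= sizeof(struct iw_encode_ext) +
				  IW_ENCODING_TOKEN_MAX,
	},
	[IW_IOCTL_IDX(SIOCGIWENCODEEXT)] = {
		.header_type	= IW_HEADER_TYPE_POINT,
		.token_size	= 1,
		.min_tokens	= sizeof(struct iw_encode_ext),
		.max_tokens	= sizeof(struct iw_encode_ext) +
				  IW_ENCODING_TOKEN_MAX,
	},
	[IW_IOCTL_IDX(SIOCSIWPMKSA)] = {
		.header_type	= IW_HEADER_TYPE_POINT,
		.token_size	= 1,
		.min_tokens	= sizeof(struct iw_pmksa),
		.max_tokens	= sizeof(struct iw_pmksa),
	},
};
static const unsigned int standard_ioctl_num = ARRAY_SIZE(standard_ioctl);

/*
 * Meta-data about all the additional standard Wireless Extension events
 * we know about.
 */
static const struct iw_ioctl_description standard_event[] = {
	[IW_EVENT_IDX(IWEVTXDROP)] = {
		.header_type	= IW_HEADER_TYPE_ADDR,
	},
	[IW_EVENT_IDX(IWEVQUAL)] = {
		.header_type	= IW_HEADER_TYPE_QUAL,
	},
	[IW_EVENT_IDX(IWEVCUSTOM)] = {
		.header_type	= IW_HEADER_TYPE_POINT,
		.token_size	= 1,
		.max_tokens	= IW_CUSTOM_MAX,
	},
	[IW_EVENT_IDX(IWEVREGISTERED)] = {
		.header_type	= IW_HEADER_TYPE_ADDR,
	},
	[IW_EVENT_IDX(IWEVEXPIRED)] = {
		.header_type	= IW_HEADER_TYPE_ADDR,
	},
	[IW_EVENT_IDX(IWEVGENIE)] = {
		.header_type	= IW_HEADER_TYPE_POINT,
		.token_size	= 1,
		.max_tokens	= IW_GENERIC_IE_MAX,
	},
	[IW_EVENT_IDX(IWEVMICHAELMICFAILURE)] = {
		.header_type	= IW_HEADER_TYPE_POINT,
		.token_size	= 1,
		.max_tokens	= sizeof(struct iw_michaelmicfailure),
	},
	[IW_EVENT_IDX(IWEVASSOCREQIE)] = {
		.header_type	= IW_HEADER_TYPE_POINT,
		.token_size	= 1,
		.max_tokens	= IW_GENERIC_IE_MAX,
	},
	[IW_EVENT_IDX(IWEVASSOCRESPIE)] = {
		.header_type	= IW_HEADER_TYPE_POINT,
		.token_size	= 1,
		.max_tokens	= IW_GENERIC_IE_MAX,
	},
	[IW_EVENT_IDX(IWEVPMKIDCAND)] = {
		.header_type	= IW_HEADER_TYPE_POINT,
		.token_size	= 1,
		.max_tokens	= sizeof(struct iw_pmkid_cand),
	},
};
static const unsigned int standard_event_num = ARRAY_SIZE(standard_event);

/* Size (in bytes) of various events, indexed by header_type */
static const int event_type_size[] = {
	IW_EV_LCP_LEN,			/* IW_HEADER_TYPE_NULL */
	0,
	IW_EV_CHAR_LEN,			/* IW_HEADER_TYPE_CHAR */
	0,
	IW_EV_UINT_LEN,			/* IW_HEADER_TYPE_UINT */
	IW_EV_FREQ_LEN,			/* IW_HEADER_TYPE_FREQ */
	IW_EV_ADDR_LEN,			/* IW_HEADER_TYPE_ADDR */
	0,
	IW_EV_POINT_LEN,		/* Without variable payload */
	IW_EV_PARAM_LEN,		/* IW_HEADER_TYPE_PARAM */
	IW_EV_QUAL_LEN,			/* IW_HEADER_TYPE_QUAL */
};

#ifdef CONFIG_COMPAT
/* Same table for the 32-bit (compat) event layout */
static const int compat_event_type_size[] = {
	IW_EV_COMPAT_LCP_LEN,		/* IW_HEADER_TYPE_NULL */
	0,
	IW_EV_COMPAT_CHAR_LEN,		/* IW_HEADER_TYPE_CHAR */
	0,
	IW_EV_COMPAT_UINT_LEN,		/* IW_HEADER_TYPE_UINT */
	IW_EV_COMPAT_FREQ_LEN,		/* IW_HEADER_TYPE_FREQ */
	IW_EV_COMPAT_ADDR_LEN,		/* IW_HEADER_TYPE_ADDR */
	0,
	IW_EV_COMPAT_POINT_LEN,		/* Without variable payload */
	IW_EV_COMPAT_PARAM_LEN,		/* IW_HEADER_TYPE_PARAM */
	IW_EV_COMPAT_QUAL_LEN,		/* IW_HEADER_TYPE_QUAL */
};
#endif


/* IW event code */

/*
 * Drain the wext_nlevents queue of every network namespace, handing each
 * queued skb to rtnl_notify() on RTNLGRP_LINK. net_rwsem is held for
 * reading while the namespaces are walked.
 */
void wireless_nlevent_flush(void)
{
	struct sk_buff *skb;
	struct net *net;

	down_read(&net_rwsem);
	for_each_net(net) {
		while ((skb = skb_dequeue(&net->wext_nlevents)))
			rtnl_notify(skb, net, 0, RTNLGRP_LINK, NULL,
				    GFP_KERNEL);
	}
	up_read(&net_rwsem);
}
EXPORT_SYMBOL_GPL(wireless_nlevent_flush);

/* Netdevice notifier: flush queued wireless events on any state change. */
static int wext_netdev_notifier_call(struct notifier_block *nb,
				     unsigned long state, void *ptr)
{
	/*
	 * When a netdev changes state in any way, flush all pending messages
	 * to avoid them going out in a strange order, e.g. RTM_NEWLINK after
	 * RTM_DELLINK, or with IFF_UP after without IFF_UP during dev_close()
	 * or similar - all of which could otherwise happen due to delays from
	 * schedule_work().
	 */
	wireless_nlevent_flush();

	return NOTIFY_OK;
}

static struct notifier_block wext_netdev_notifier = {
	.notifier_call = wext_netdev_notifier_call,
};

/* Per-namespace setup: initialise the pending-event queue. */
static int __net_init wext_pernet_init(struct net *net)
{
	skb_queue_head_init(&net->wext_nlevents);
	return 0;
}

/* Per-namespace teardown: drop any events still queued. */
static void __net_exit wext_pernet_exit(struct net *net)
{
	skb_queue_purge(&net->wext_nlevents);
}

static struct pernet_operations wext_pernet_ops = {
	.init = wext_pernet_init,
	.exit = wext_pernet_exit,
};

/*
 * Register the per-namespace operations, then the netdevice notifier.
 * If the notifier cannot be registered the pernet registration is undone
 * so that a failed init leaves nothing behind.
 */
static int __init wireless_nlevent_init(void)
{
	int err = register_pernet_subsys(&wext_pernet_ops);

	if (err)
		return err;

	err = register_netdevice_notifier(&wext_netdev_notifier);
	if (err)
		unregister_pernet_subsys(&wext_pernet_ops);
	return err;
}

subsys_initcall(wireless_nlevent_init);

/* Process events generated by the wireless layer or the driver. */
static void wireless_nlevent_process(struct work_struct *work)
{
	wireless_nlevent_flush();
}

static DECLARE_WORK(wireless_nlevent_work, wireless_nlevent_process);

/*
 * Start an RTM_NEWLINK message in skb describing dev (type, index, flags)
 * and append its name as IFLA_IFNAME.
 *
 * Returns the netlink header on success. Returns NULL if the header or the
 * name attribute does not fit; in the latter case the partial message is
 * cancelled. The caller keeps ownership of skb either way.
 */
static struct nlmsghdr *rtnetlink_ifinfo_prep(struct net_device *dev,
					      struct sk_buff *skb)
{
	struct ifinfomsg *r;
	struct nlmsghdr  *nlh;

	nlh = nlmsg_put(skb, 0, 0, RTM_NEWLINK, sizeof(*r), 0);
	if (!nlh)
		return NULL;

	r = nlmsg_data(nlh);
	r->ifi_family = AF_UNSPEC;
	r->__ifi_pad = 0;
	r->ifi_type = dev->type;
	r->ifi_index = dev->ifindex;
	r->ifi_flags = dev_get_flags(dev);
	r->ifi_change = 0;	/* Wireless changes don't affect those flags */

	if (nla_put_string(skb, IFLA_IFNAME, dev->name))
		goto nla_put_failure;

	return nlh;
 nla_put_failure:
	nlmsg_cancel(skb, nlh);
	return NULL;
}


/*
 * Main event dispatcher. Called from other parts and drivers.
 * Send the event on the appropriate channels.
 * May be called from interrupt context.
 *
 * The event is validated against standard_ioctl[]/standard_event[], built
 * into a netlink message (plus a compat-layout copy under CONFIG_COMPAT),
 * queued on the namespace's wext_nlevents list and sent later from the
 * work item. All allocations here use GFP_ATOMIC.
 *
 * 'extra' may be NULL; callers pass NULL for restricted events so that the
 * payload is not exported to listeners.
 */
void wireless_send_event(struct net_device *dev,
			 unsigned int cmd,
			 union iwreq_data *wrqu,
			 const char *extra)
{
	const struct iw_ioctl_description *descr = NULL;
	int extra_len = 0;
	struct iw_event *event;		/* Mallocated whole event */
	int event_len;			/* Its size */
	int hdr_len;			/* Size of the event header */
	int wrqu_off = 0;		/* Offset in wrqu */
	/* Don't "optimise" the following variable, it will crash */
	unsigned int cmd_index;		/* *MUST* be unsigned */
	struct sk_buff *skb;
	struct nlmsghdr *nlh;
	struct nlattr *nla;
#ifdef CONFIG_COMPAT
	struct __compat_iw_event *compat_event;
	struct compat_iw_point compat_wrqu;
	struct sk_buff *compskb;
	int ptr_len;
#endif

	/*
	 * Nothing in the kernel sends scan events with data, be safe.
	 * This is necessary because we cannot fix up scan event data
	 * for compat, due to being contained in 'extra', but normally
	 * applications are required to retrieve the scan data anyway
	 * and no data is included in the event, this codifies that
	 * practice.
	 */
	if (WARN_ON(cmd == SIOCGIWSCAN && extra))
		extra = NULL;

	/* Get the description of the Event */
	if (cmd <= SIOCIWLAST) {
		cmd_index = IW_IOCTL_IDX(cmd);
		if (cmd_index < standard_ioctl_num)
			descr = &(standard_ioctl[cmd_index]);
	} else {
		cmd_index = IW_EVENT_IDX(cmd);
		if (cmd_index < standard_event_num)
			descr = &(standard_event[cmd_index]);
	}
	/* Don't accept unknown events */
	if (descr == NULL) {
		/* Note : we don't return an error to the driver, because
		 * the driver would not know what to do about it. It can't
		 * return an error to the user, because the event is not
		 * initiated by a user request.
		 * The best the driver could do is to log an error message.
		 * We will do it ourselves instead...
		 */
		netdev_err(dev, "(WE) : Invalid/Unknown Wireless Event (0x%04X)\n",
			   cmd);
		return;
	}

	/* Check extra parameters and set extra_len */
	if (descr->header_type == IW_HEADER_TYPE_POINT) {
		/* Check if number of token fits within bounds */
		if (wrqu->data.length > descr->max_tokens) {
			netdev_err(dev, "(WE) : Wireless Event (cmd=0x%04X) too big (%d)\n",
				   cmd, wrqu->data.length);
			return;
		}
		if (wrqu->data.length < descr->min_tokens) {
			netdev_err(dev, "(WE) : Wireless Event (cmd=0x%04X) too small (%d)\n",
				   cmd, wrqu->data.length);
			return;
		}
		/* Calculate extra_len - extra is NULL for restricted events */
		if (extra != NULL)
			extra_len = wrqu->data.length * descr->token_size;
		/* Always at an offset in wrqu */
		wrqu_off = IW_EV_POINT_OFF;
	}

	/* Total length of the event */
	hdr_len = event_type_size[descr->header_type];
	event_len = hdr_len + extra_len;

	/*
	 * The problem for 64/32 bit.
	 *
	 * On 64-bit, a regular event is laid out as follows:
	 *      |  0  |  1  |  2  |  3  |  4  |  5  |  6  |  7  |
	 *      | event.len | event.cmd |     p a d d i n g     |
	 *      | wrqu data ... (with the correct size)         |
	 *
	 * This padding exists because we manipulate event->u,
	 * and 'event' is not packed.
	 *
	 * An iw_point event is laid out like this instead:
	 *      |  0  |  1  |  2  |  3  |  4  |  5  |  6  |  7  |
	 *      | event.len | event.cmd |     p a d d i n g     |
	 *      | iwpnt.len | iwpnt.flg |     p a d d i n g     |
	 *      | extra data  ...
	 *
	 * The second padding exists because struct iw_point is extended,
	 * but this depends on the platform...
	 *
	 * On 32-bit, all the padding shouldn't be there.
	 */

	skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
	if (!skb)
		return;

	/* Send via the RtNetlink event channel */
	nlh = rtnetlink_ifinfo_prep(dev, skb);
	if (WARN_ON(!nlh)) {
		kfree_skb(skb);
		return;
	}

	/* Add the wireless events in the netlink packet */
	nla = nla_reserve(skb, IFLA_WIRELESS, event_len);
	if (!nla) {
		kfree_skb(skb);
		return;
	}
	event = nla_data(nla);

	/* Fill event - first clear to avoid data leaking */
	memset(event, 0, hdr_len);
	event->len = event_len;
	event->cmd = cmd;
	memcpy(&event->u, ((char *) wrqu) + wrqu_off, hdr_len - IW_EV_LCP_LEN);
	if (extra_len)
		memcpy(((char *) event) + hdr_len, extra, extra_len);

	nlmsg_end(skb, nlh);
#ifdef CONFIG_COMPAT
	hdr_len = compat_event_type_size[descr->header_type];

	/* ptr_len is remaining size in event header apart from LCP */
	ptr_len = hdr_len - IW_EV_COMPAT_LCP_LEN;
	event_len = hdr_len + extra_len;

	compskb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
	if (!compskb) {
		kfree_skb(skb);
		return;
	}

	/* Send via the RtNetlink event channel */
	nlh = rtnetlink_ifinfo_prep(dev, compskb);
	if (WARN_ON(!nlh)) {
		kfree_skb(skb);
		kfree_skb(compskb);
		return;
	}

	/* Add the wireless events in the netlink packet */
	nla = nla_reserve(compskb, IFLA_WIRELESS, event_len);
	if (!nla) {
		kfree_skb(skb);
		kfree_skb(compskb);
		return;
	}
	compat_event = nla_data(nla);

	/*
	 * NOTE(review): unlike the native path there is no memset() of the
	 * header here. Presumably len, cmd and the ptr_len bytes copied
	 * below cover the whole compat header so nothing uninitialised is
	 * sent - confirm against struct __compat_iw_event.
	 */
	compat_event->len = event_len;
	compat_event->cmd = cmd;
	if (descr->header_type == IW_HEADER_TYPE_POINT) {
		/* Only length and flags are filled in; the copy below starts
		 * at IW_EV_COMPAT_POINT_OFF inside compat_wrqu.
		 */
		compat_wrqu.length = wrqu->data.length;
		compat_wrqu.flags = wrqu->data.flags;
		memcpy(compat_event->ptr_bytes,
		       ((char *)&compat_wrqu) + IW_EV_COMPAT_POINT_OFF,
			ptr_len);
		if (extra_len)
			memcpy(&compat_event->ptr_bytes[ptr_len],
			       extra, extra_len);
	} else {
		/* extra_len must be zero, so no if (extra) needed */
		memcpy(compat_event->ptr_bytes, wrqu, ptr_len);
	}

	nlmsg_end(compskb, nlh);

	/* The compat copy travels attached to the native skb */
	skb_shinfo(skb)->frag_list = compskb;
#endif
	skb_queue_tail(&dev_net(dev)->wext_nlevents, skb);
	schedule_work(&wireless_nlevent_work);
}
EXPORT_SYMBOL(wireless_send_event);

#ifdef CONFIG_CFG80211_WEXT
/* Warn once, naming the calling task, that wext is used on cfg80211. */
static void wireless_warn_cfg80211_wext(void)
{
	char name[sizeof(current->comm)];

	pr_warn_once("warning: `%s' uses wireless extensions which will stop working for Wi-Fi 7 hardware; use nl80211\n",
		     get_task_comm(name, current));
}
#endif

/* IW handlers */

/*
 * Return the device's wireless statistics, or NULL if none are available.
 *
 * The driver's own wext handler is tried first (CONFIG_WIRELESS_EXT), then
 * the cfg80211 wext handler (CONFIG_CFG80211_WEXT). For a cfg80211 wiphy
 * flagged WIPHY_FLAG_SUPPORTS_MLO the lookup returns NULL.
 */
struct iw_statistics *get_wireless_stats(struct net_device *dev)
{
#ifdef CONFIG_WIRELESS_EXT
	if ((dev->wireless_handlers != NULL) &&
	   (dev->wireless_handlers->get_wireless_stats != NULL))
		return dev->wireless_handlers->get_wireless_stats(dev);
#endif

#ifdef CONFIG_CFG80211_WEXT
	if (dev->ieee80211_ptr &&
	    dev->ieee80211_ptr->wiphy &&
	    dev->ieee80211_ptr->wiphy->wext &&
	    dev->ieee80211_ptr->wiphy->wext->get_wireless_stats) {
		wireless_warn_cfg80211_wext();
		if (dev->ieee80211_ptr->wiphy->flags & WIPHY_FLAG_SUPPORTS_MLO)
			return NULL;
		return dev->ieee80211_ptr->wiphy->wext->get_wireless_stats(dev);
	}
#endif

	/* not found */
	return NULL;
}

/*
 * SIOCGIWSTATS handler: copy the driver statistics into 'extra'.
 *
 * 'extra' must hold at least sizeof(struct iw_statistics) bytes; when
 * reached through ioctl_standard_iw_point() that is the size the
 * SIOCGIWSTATS entry of standard_ioctl[] makes it allocate.
 * Returns 0 on success, -EOPNOTSUPP if the device has no statistics.
 */
/* noinline to avoid a bogus warning with -O3 */
static noinline int iw_handler_get_iwstats(struct net_device *dev,
				  struct iw_request_info *info,
				  union iwreq_data *wrqu,
				  char *extra)
{
	/* Get stats from the driver */
	struct iw_statistics *stats;

	stats = get_wireless_stats(dev);
	if (stats) {
		/* Copy statistics to extra */
		memcpy(extra, stats, sizeof(struct iw_statistics));
		wrqu->data.length = sizeof(struct iw_statistics);

		/* Check if we need to clear the updated flag */
		if (wrqu->data.flags != 0)
			stats->qual.updated &= ~IW_QUAL_ALL_UPDATED;
		return 0;
	} else
		return -EOPNOTSUPP;
}

/*
 * Look up the handler for cmd in the device's handler tables.
 *
 * The cfg80211 wext table is considered first, but a driver-provided
 * dev->wireless_handlers takes precedence when both are present.
 * Returns NULL when there is no table, no matching slot, or the cfg80211
 * wiphy is flagged WIPHY_FLAG_SUPPORTS_MLO. Note that the bound used here
 * is the table's own num_standard/num_private, not standard_ioctl_num.
 */
static iw_handler get_handler(struct net_device *dev, unsigned int cmd)
{
	/* Don't "optimise" the following variable, it will crash */
	unsigned int	index;		/* *MUST* be unsigned */
	const struct iw_handler_def *handlers = NULL;

#ifdef CONFIG_CFG80211_WEXT
	if (dev->ieee80211_ptr && dev->ieee80211_ptr->wiphy) {
		wireless_warn_cfg80211_wext();
		if (dev->ieee80211_ptr->wiphy->flags & WIPHY_FLAG_SUPPORTS_MLO)
			return NULL;
		handlers = dev->ieee80211_ptr->wiphy->wext;
	}
#endif
#ifdef CONFIG_WIRELESS_EXT
	if (dev->wireless_handlers)
		handlers = dev->wireless_handlers;
#endif

	if (!handlers)
		return NULL;

	/* Try as a standard command */
	index = IW_IOCTL_IDX(cmd);
	if (index < handlers->num_standard)
		return handlers->standard[index];

#ifdef CONFIG_WEXT_PRIV
	/* Try as a private command. A cmd below SIOCIWFIRSTPRIV wraps to a
	 * large unsigned value here; presumably that is what the warning on
	 * 'index' protects - a signed index would go negative instead.
	 */
	index = cmd - SIOCIWFIRSTPRIV;
	if (index < handlers->num_private)
		return handlers->private[index];
#endif

	/* Not found */
	return NULL;
}

/*
 * Run a standard handler whose argument is an iw_point, i.e. a user-space
 * pointer plus a token count. This is where user data crosses into the
 * kernel for standard requests.
 *
 * A zeroed kernel buffer 'extra' is allocated (sized from descr, or from
 * the user's length for oversized NOMAX GETs), filled from user space for
 * SET requests, passed to the handler, and copied back for GET requests.
 * An event is generated afterwards if descr asks for one; restricted
 * requests send it without payload.
 *
 * Returns the handler's result, or -EFAULT / -E2BIG / -EINVAL / -ENOMEM
 * when the user-supplied pointer or length is rejected or allocation
 * fails.
 */
static int ioctl_standard_iw_point(struct iw_point *iwp, unsigned int cmd,
				   const struct iw_ioctl_description *descr,
				   iw_handler handler, struct net_device *dev,
				   struct iw_request_info *info)
{
	int err, extra_size, user_length = 0, essid_compat = 0;
	char *extra;

	/* Calculate space needed by arguments. Always allocate
	 * for max space.
	 */
	extra_size = descr->max_tokens * descr->token_size;

	/* Check need for ESSID compatibility for WE < 21 */
	switch (cmd) {
	case SIOCSIWESSID:
	case SIOCGIWESSID:
	case SIOCSIWNICKN:
	case SIOCGIWNICKN:
		if (iwp->length == descr->max_tokens + 1)
			essid_compat = 1;
		else if (IW_IS_SET(cmd) && (iwp->length != 0)) {
			char essid[IW_ESSID_MAX_SIZE + 1];
			unsigned int len;
			len = iwp->length * descr->token_size;

			/* Bound the user length before copying into the
			 * on-stack buffer.
			 */
			if (len > IW_ESSID_MAX_SIZE)
				return -EFAULT;

			err = copy_from_user(essid, iwp->pointer, len);
			if (err)
				return -EFAULT;

			if (essid[iwp->length - 1] == '\0')
				essid_compat = 1;
		}
		break;
	default:
		break;
	}

	iwp->length -= essid_compat;

	/* Check what user space is giving us */
	if (IW_IS_SET(cmd)) {
		/* Check NULL pointer */
		if (!iwp->pointer && iwp->length != 0)
			return -EFAULT;
		/* Check if number of token fits within bounds */
		if (iwp->length > descr->max_tokens)
			return -E2BIG;
		if (iwp->length < descr->min_tokens)
			return -EINVAL;
	} else {
		/* Check NULL pointer */
		if (!iwp->pointer)
			return -EFAULT;
		/* Save user space buffer size for checking */
		user_length = iwp->length;

		/* Don't check if user_length > max to allow forward
		 * compatibility. The test user_length < min is
		 * implied by the test at the end.
		 */

		/* Support for very large requests */
		if ((descr->flags & IW_DESCR_FLAG_NOMAX) &&
		    (user_length > descr->max_tokens)) {
			/* Allow userspace to GET more than max so
			 * we can support any size GET requests.
			 * There is still a limit : -ENOMEM.
			 */
			extra_size = user_length * descr->token_size;

			/* Note : user_length is originally a __u16,
			 * and token_size is controlled by us,
			 * so extra_size won't get negative and
			 * won't overflow...
			 */
		}
	}

	/* Sanity-check to ensure we never end up _allocating_ zero
	 * bytes of data for extra.
	 */
	if (extra_size <= 0)
		return -EFAULT;

	/* kzalloc() ensures NULL-termination for essid_compat. */
	extra = kzalloc(extra_size, GFP_KERNEL);
	if (!extra)
		return -ENOMEM;

	/* If it is a SET, get all the extra data in here */
	if (IW_IS_SET(cmd) && (iwp->length != 0)) {
		if (copy_from_user(extra, iwp->pointer,
				   iwp->length *
				   descr->token_size)) {
			err = -EFAULT;
			goto out;
		}

		if (cmd == SIOCSIWENCODEEXT) {
			struct iw_encode_ext *ee = (void *) extra;

			/* key_len was just copied from user space: reject a
			 * declared key that extends past the data received.
			 */
			if (iwp->length < sizeof(*ee) + ee->key_len) {
				err = -EFAULT;
				goto out;
			}
		}
	}

	if (IW_IS_GET(cmd) && !(descr->flags & IW_DESCR_FLAG_NOMAX)) {
		/*
		 * If this is a GET, but not NOMAX, it means that the extra
		 * data is not bounded by userspace, but by max_tokens. Thus
		 * set the length to max_tokens. This matches the extra data
		 * allocation.
		 * The driver should fill it with the number of tokens it
		 * provided, and it may check iwp->length rather than having
		 * knowledge of max_tokens. If the driver doesn't change the
		 * iwp->length, this ioctl just copies back max_token tokens
		 * filled with zeroes. Hopefully the driver isn't claiming
		 * them to be valid data.
		 */
		iwp->length = descr->max_tokens;
	}

	err = handler(dev, info, (union iwreq_data *) iwp, extra);

	iwp->length += essid_compat;

	/* If we have something to return to the user */
	if (!err && IW_IS_GET(cmd)) {
		/* Check if there is enough buffer up there */
		if (user_length < iwp->length) {
			err = -E2BIG;
			goto out;
		}

		/*
		 * NOTE(review): the copy size is the length the handler left
		 * in iwp->length. It is bounded by user_length above but is
		 * not re-checked against extra_size, and for a non-NOMAX GET
		 * user_length may exceed max_tokens. This relies on handlers
		 * never reporting more tokens than were allocated - confirm.
		 */
		if (copy_to_user(iwp->pointer, extra,
				 iwp->length *
				 descr->token_size)) {
			err = -EFAULT;
			goto out;
		}
	}

	/* Generate an event to notify listeners of the change */
	if ((descr->flags & IW_DESCR_FLAG_EVENT) &&
	    ((err == 0) || (err == -EIWCOMMIT))) {
		union iwreq_data *data = (union iwreq_data *) iwp;

		if (descr->flags & IW_DESCR_FLAG_RESTRICT)
			/* If the event is restricted, don't
			 * export the payload.
			 */
			wireless_send_event(dev, cmd, data, NULL);
		else
			wireless_send_event(dev, cmd, data, extra);
	}

out:
	kfree(extra);
	return err;
}

/*
 * Call the commit handler in the driver
 * (if exist and if conditions are right)
 *
 * Note : our current commit strategy is currently pretty dumb,
 * but we will be able to improve on that...
 * The goal is to try to aggregate as many changes as possible
 * before doing the commit. Drivers that will define a commit handler
 * are usually those that need a reset after changing parameters, so
 * we want to minimise the number of reset.
 * A cool idea is to use a timer : at each "set" command, we re-set the
 * timer, when the timer eventually fires, we call the driver.
 * Hopefully, more on that later.
 *
 * Also, I'm waiting to see how many people will complain about the
 * netif_running(dev) test. I'm open on that one...
 * Hopefully, the driver will remember to do a commit in "open()" ;-)
 */
int call_commit_handler(struct net_device *dev)
{
#ifdef CONFIG_WIRELESS_EXT
	if (netif_running(dev) &&
	    dev->wireless_handlers &&
	    dev->wireless_handlers->standard[0])
		/* Call the commit handler on the driver */
		return dev->wireless_handlers->standard[0](dev, NULL,
							   NULL, NULL);
	else
		return 0;		/* Command completed successfully */
#else
	/* cfg80211 has no commit */
	return 0;
#endif
}

/*
 * Main IOCTl dispatcher.
 * Check the type of IOCTL and call the appropriate wrapper...
 *
 * 'standard' and 'private' are the wrappers to use for this caller (native
 * or compat). Returns -ENODEV if the named device does not exist or is not
 * present, -EOPNOTSUPP if no handler is found.
 */
static int wireless_process_ioctl(struct net *net, struct iwreq *iwr,
				  unsigned int cmd,
				  struct iw_request_info *info,
				  wext_ioctl_func standard,
				  wext_ioctl_func private)
{
	struct net_device *dev;
	iw_handler	handler;

	/* Permissions are already checked in dev_ioctl() before calling us.
	 * The copy_to/from_user() of ifr is also dealt with in there */

	/* Make sure the device exist */
	if ((dev = __dev_get_by_name(net, iwr->ifr_name)) == NULL)
		return -ENODEV;

	/* A bunch of special cases, then the generic case...
	 * Note that 'cmd' is already filtered in dev_ioctl() with
	 * (cmd >= SIOCIWFIRST && cmd <= SIOCIWLAST) */
	if (cmd == SIOCGIWSTATS)
		return standard(dev, iwr, cmd, info,
				&iw_handler_get_iwstats);

#ifdef CONFIG_WEXT_PRIV
	if (cmd == SIOCGIWPRIV && dev->wireless_handlers)
		return standard(dev, iwr, cmd, info,
				iw_handler_get_private);
#endif

	/* Basic check */
	if (!netif_device_present(dev))
		return -ENODEV;

	/* New driver API : try to find the handler */
	handler = get_handler(dev, cmd);
	if (handler) {
		/* Standard and private are not the same */
		if (cmd < SIOCIWFIRSTPRIV)
			return standard(dev, iwr, cmd, info, handler);
		else if (private)
			return private(dev, iwr, cmd, info, handler);
	}
	return -EOPNOTSUPP;
}

/* If command is `set a parameter', or `get the encoding parameters',
 * check if the user has the right to do it.
 *
 * Every SET, plus the two GETs that return encoding data (SIOCGIWENCODE
 * and SIOCGIWENCODEEXT), requires CAP_NET_ADMIN. Returns 0 or -EPERM.
 */
static int wext_permission_check(unsigned int cmd)
{
	if ((IW_IS_SET(cmd) || cmd == SIOCGIWENCODE ||
	     cmd == SIOCGIWENCODEEXT) &&
	    !capable(CAP_NET_ADMIN))
		return -EPERM;

	return 0;
}

/* entry point from dev ioctl
 *
 * The permission check runs first, before the device is loaded or looked
 * up; the request itself is processed under the RTNL lock.
 */
static int wext_ioctl_dispatch(struct net *net, struct iwreq *iwr,
			       unsigned int cmd, struct iw_request_info *info,
			       wext_ioctl_func standard,
			       wext_ioctl_func private)
{
	int ret = wext_permission_check(cmd);

	if (ret)
		return ret;

	dev_load(net, iwr->ifr_name);
	rtnl_lock();
	ret = wireless_process_ioctl(net, iwr, cmd, info, standard, private);
	rtnl_unlock();

	return ret;
}

/*
 * Wrapper to call a standard Wireless Extension handler.
 * We do various checks and also take care of moving data between
 * user space and kernel space.
 *
 * Returns -EOPNOTSUPP if cmd has no entry in standard_ioctl[]. A handler
 * result of -EIWCOMMIT is replaced by the result of call_commit_handler().
 */
static int ioctl_standard_call(struct net_device *dev,
			       struct iwreq *iwr,
			       unsigned int cmd,
			       struct iw_request_info *info,
			       iw_handler handler)
{
	const struct iw_ioctl_description *descr;
	int ret = -EINVAL;

	/* Get the description of the IOCTL */
	if (IW_IOCTL_IDX(cmd) >= standard_ioctl_num)
		return -EOPNOTSUPP;
	descr = &(standard_ioctl[IW_IOCTL_IDX(cmd)]);

	/* Check if we have a pointer to user space data or not */
	if (descr->header_type != IW_HEADER_TYPE_POINT) {

		/* No extra arguments. Trivial to handle */
		ret = handler(dev, info, &(iwr->u), NULL);

		/* Generate an event to notify listeners of the change */
		if ((descr->flags & IW_DESCR_FLAG_EVENT) &&
		   ((ret == 0) || (ret == -EIWCOMMIT)))
			wireless_send_event(dev, cmd, &(iwr->u), NULL);
	} else {
		ret = ioctl_standard_iw_point(&iwr->u.data, cmd, descr,
					      handler, dev, info);
	}

	/* Call commit handler if needed and defined */
	if (ret == -EIWCOMMIT)
		ret = call_commit_handler(dev);

	/* Here, we will generate the appropriate event if needed */

	return ret;
}


/*
 * Native ioctl entry point: copy the iwreq in from user space, dispatch
 * it, and copy it back for successful GET requests.
 */
int wext_handle_ioctl(struct net *net, unsigned int cmd, void __user *arg)
{
	struct iw_request_info info = { .cmd = cmd, .flags = 0 };
	struct iwreq iwr;
	int ret;

	if (copy_from_user(&iwr, arg, sizeof(iwr)))
		return -EFAULT;

	/* The name comes from user space: force NUL termination */
	iwr.ifr_name[sizeof(iwr.ifr_name) - 1] = 0;

	ret = wext_ioctl_dispatch(net, &iwr, cmd, &info,
				  ioctl_standard_call,
				  ioctl_private_call);
	if (ret >= 0 &&
	    IW_IS_GET(cmd) &&
	    copy_to_user(arg, &iwr, sizeof(struct iwreq)))
		return -EFAULT;

	return ret;
}

#ifdef CONFIG_COMPAT
/*
 * Compat (32-bit caller) variant of ioctl_standard_call().
 *
 * Requests without a user pointer go straight to ioctl_standard_call().
 * For iw_point requests the compat_iw_point is widened into a native
 * iw_point, processed by ioctl_standard_iw_point(), and written back.
 *
 * Returns -EOPNOTSUPP if cmd has no entry in standard_ioctl[].
 */
static int compat_standard_call(struct net_device *dev,
				struct iwreq *iwr,
				unsigned int cmd,
				struct iw_request_info *info,
				iw_handler handler)
{
	const struct iw_ioctl_description *descr;
	struct compat_iw_point *iwp_compat;
	struct iw_point iwp;
	int err;

	/*
	 * Same table-bounds check as ioctl_standard_call(). get_handler()
	 * bounds cmd by the handler table's num_standard, not by
	 * standard_ioctl_num, so without this check descr could point past
	 * the end of standard_ioctl[] before header_type is read.
	 */
	if (IW_IOCTL_IDX(cmd) >= standard_ioctl_num)
		return -EOPNOTSUPP;
	descr = standard_ioctl + IW_IOCTL_IDX(cmd);

	if (descr->header_type != IW_HEADER_TYPE_POINT)
		return ioctl_standard_call(dev, iwr, cmd, info, handler);

	iwp_compat = (struct compat_iw_point *) &iwr->u.data;
	iwp.pointer = compat_ptr(iwp_compat->pointer);
	iwp.length = iwp_compat->length;
	iwp.flags = iwp_compat->flags;

	err = ioctl_standard_iw_point(&iwp, cmd, descr, handler, dev, info);

	iwp_compat->pointer = ptr_to_compat(iwp.pointer);
	iwp_compat->length = iwp.length;
	iwp_compat->flags = iwp.flags;

	return err;
}

/*
 * Compat ioctl entry point. Same flow as wext_handle_ioctl(), with the
 * request flagged IW_REQUEST_FLAG_COMPAT and the compat wrappers used.
 * Anything from the first ':' in the interface name onwards is dropped
 * before the lookup.
 */
int compat_wext_handle_ioctl(struct net *net, unsigned int cmd,
			     unsigned long arg)
{
	void __user *argp = (void __user *)arg;
	struct iw_request_info info;
	struct iwreq iwr;
	char *colon;
	int ret;

	if (copy_from_user(&iwr, argp, sizeof(struct iwreq)))
		return -EFAULT;

	/* The name comes from user space: force NUL termination */
	iwr.ifr_name[IFNAMSIZ-1] = 0;
	colon = strchr(iwr.ifr_name, ':');
	if (colon)
		*colon = 0;

	info.cmd = cmd;
	info.flags = IW_REQUEST_FLAG_COMPAT;

	ret = wext_ioctl_dispatch(net, &iwr, cmd, &info,
				  compat_standard_call,
				  compat_private_call);

	if (ret >= 0 &&
	    IW_IS_GET(cmd) &&
	    copy_to_user(argp, &iwr, sizeof(struct iwreq)))
		return -EFAULT;

	return ret;
}
#endif

/*
 * Append a fixed-size event to an event stream.
 *
 * The event is written only if it ends strictly before 'ends'. Returns the
 * new end of the stream; if the event did not fit, 'stream' is returned
 * unchanged and nothing is written.
 */
char *iwe_stream_add_event(struct iw_request_info *info, char *stream,
			   char *ends, struct iw_event *iwe, int event_len)
{
	int lcp_len = iwe_stream_lcp_len(info);

	event_len = iwe_stream_event_len_adjust(info, event_len);

	/* Check if it's possible */
	if (likely((stream + event_len) < ends)) {
		iwe->len = event_len;
		/* Beware of alignment issues on 64 bits */
		memcpy(stream, (char *) iwe, IW_EV_LCP_PK_LEN);
		memcpy(stream + lcp_len, &iwe->u,
		       event_len - lcp_len);
		stream += event_len;
	}

	return stream;
}
EXPORT_SYMBOL(iwe_stream_add_event);

/*
 * Append an iw_point event and its payload to an event stream.
 *
 * The payload size is taken from iwe->u.data.length; 'extra' must hold at
 * least that many bytes. The event is written only if header plus payload
 * ends strictly before 'ends'. Returns the new end of the stream, or
 * 'stream' unchanged if the event did not fit.
 */
char *iwe_stream_add_point(struct iw_request_info *info, char *stream,
			   char *ends, struct iw_event *iwe, char *extra)
{
	int event_len = iwe_stream_point_len(info) + iwe->u.data.length;
	int point_len = iwe_stream_point_len(info);
	int lcp_len   = iwe_stream_lcp_len(info);

	/* Check if it's possible */
	if (likely((stream + event_len) < ends)) {
		iwe->len = event_len;
		memcpy(stream, (char *) iwe, IW_EV_LCP_PK_LEN);
		memcpy(stream + lcp_len,
		       ((char *) &iwe->u) + IW_EV_POINT_OFF,
		       IW_EV_POINT_PK_LEN - IW_EV_LCP_PK_LEN);
		if (iwe->u.data.length && extra)
			memcpy(stream + point_len, extra, iwe->u.data.length);
		stream += event_len;
	}

	return stream;
}
EXPORT_SYMBOL(iwe_stream_add_point);

/*
 * Append one more value to an event already in the stream.
 *
 * 'event' is the start of that event and 'value' its current end. The
 * value (event_len minus the LCP header) is written only if it ends
 * strictly before 'ends'; the event's header is then rewritten with the
 * new total length. Returns the new end, or 'value' unchanged if the
 * value did not fit.
 */
char *iwe_stream_add_value(struct iw_request_info *info, char *event,
			   char *value, char *ends, struct iw_event *iwe,
			   int event_len)
{
	int lcp_len = iwe_stream_lcp_len(info);

	/* Don't duplicate LCP */
	event_len -= IW_EV_LCP_LEN;

	/* Check if it's possible */
	if (likely((value + event_len) < ends)) {
		/* Add new value */
		memcpy(value, &iwe->u, event_len);
		value += event_len;
		/* Patch LCP */
		iwe->len = value - event;
		memcpy(event, (char *) iwe, lcp_len);
	}

	return value;
}
EXPORT_SYMBOL(iwe_stream_add_value);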