1 /* 2 * This file implement the Wireless Extensions core API. 3 * 4 * Authors : Jean Tourrilhes - HPL - <jt@hpl.hp.com> 5 * Copyright (c) 1997-2007 Jean Tourrilhes, All Rights Reserved. 6 * Copyright 2009 Johannes Berg <johannes@sipsolutions.net> 7 * 8 * (As all part of the Linux kernel, this file is GPL) 9 */ 10 #include <linux/kernel.h> 11 #include <linux/netdevice.h> 12 #include <linux/rtnetlink.h> 13 #include <linux/slab.h> 14 #include <linux/wireless.h> 15 #include <linux/uaccess.h> 16 #include <net/cfg80211.h> 17 #include <net/iw_handler.h> 18 #include <net/netlink.h> 19 #include <net/wext.h> 20 #include <net/net_namespace.h> 21 22 typedef int (*wext_ioctl_func)(struct net_device *, struct iwreq *, 23 unsigned int, struct iw_request_info *, 24 iw_handler); 25 26 27 /* 28 * Meta-data about all the standard Wireless Extension request we 29 * know about. 30 */ 31 static const struct iw_ioctl_description standard_ioctl[] = { 32 [IW_IOCTL_IDX(SIOCSIWCOMMIT)] = { 33 .header_type = IW_HEADER_TYPE_NULL, 34 }, 35 [IW_IOCTL_IDX(SIOCGIWNAME)] = { 36 .header_type = IW_HEADER_TYPE_CHAR, 37 .flags = IW_DESCR_FLAG_DUMP, 38 }, 39 [IW_IOCTL_IDX(SIOCSIWNWID)] = { 40 .header_type = IW_HEADER_TYPE_PARAM, 41 .flags = IW_DESCR_FLAG_EVENT, 42 }, 43 [IW_IOCTL_IDX(SIOCGIWNWID)] = { 44 .header_type = IW_HEADER_TYPE_PARAM, 45 .flags = IW_DESCR_FLAG_DUMP, 46 }, 47 [IW_IOCTL_IDX(SIOCSIWFREQ)] = { 48 .header_type = IW_HEADER_TYPE_FREQ, 49 .flags = IW_DESCR_FLAG_EVENT, 50 }, 51 [IW_IOCTL_IDX(SIOCGIWFREQ)] = { 52 .header_type = IW_HEADER_TYPE_FREQ, 53 .flags = IW_DESCR_FLAG_DUMP, 54 }, 55 [IW_IOCTL_IDX(SIOCSIWMODE)] = { 56 .header_type = IW_HEADER_TYPE_UINT, 57 .flags = IW_DESCR_FLAG_EVENT, 58 }, 59 [IW_IOCTL_IDX(SIOCGIWMODE)] = { 60 .header_type = IW_HEADER_TYPE_UINT, 61 .flags = IW_DESCR_FLAG_DUMP, 62 }, 63 [IW_IOCTL_IDX(SIOCSIWSENS)] = { 64 .header_type = IW_HEADER_TYPE_PARAM, 65 }, 66 [IW_IOCTL_IDX(SIOCGIWSENS)] = { 67 .header_type = IW_HEADER_TYPE_PARAM, 68 }, 69 [IW_IOCTL_IDX(SIOCSIWRANGE)] = { 70 .header_type = IW_HEADER_TYPE_NULL, 71 }, 72 [IW_IOCTL_IDX(SIOCGIWRANGE)] = { 73 .header_type = IW_HEADER_TYPE_POINT, 74 .token_size = 1, 75 .max_tokens = sizeof(struct iw_range), 76 .flags = IW_DESCR_FLAG_DUMP, 77 }, 78 [IW_IOCTL_IDX(SIOCSIWPRIV)] = { 79 .header_type = IW_HEADER_TYPE_NULL, 80 }, 81 [IW_IOCTL_IDX(SIOCGIWPRIV)] = { /* (handled directly by us) */ 82 .header_type = IW_HEADER_TYPE_POINT, 83 .token_size = sizeof(struct iw_priv_args), 84 .max_tokens = 16, 85 .flags = IW_DESCR_FLAG_NOMAX, 86 }, 87 [IW_IOCTL_IDX(SIOCSIWSTATS)] = { 88 .header_type = IW_HEADER_TYPE_NULL, 89 }, 90 [IW_IOCTL_IDX(SIOCGIWSTATS)] = { /* (handled directly by us) */ 91 .header_type = IW_HEADER_TYPE_POINT, 92 .token_size = 1, 93 .max_tokens = sizeof(struct iw_statistics), 94 .flags = IW_DESCR_FLAG_DUMP, 95 }, 96 [IW_IOCTL_IDX(SIOCSIWSPY)] = { 97 .header_type = IW_HEADER_TYPE_POINT, 98 .token_size = sizeof(struct sockaddr), 99 .max_tokens = IW_MAX_SPY, 100 }, 101 [IW_IOCTL_IDX(SIOCGIWSPY)] = { 102 .header_type = IW_HEADER_TYPE_POINT, 103 .token_size = sizeof(struct sockaddr) + 104 sizeof(struct iw_quality), 105 .max_tokens = IW_MAX_SPY, 106 }, 107 [IW_IOCTL_IDX(SIOCSIWTHRSPY)] = { 108 .header_type = IW_HEADER_TYPE_POINT, 109 .token_size = sizeof(struct iw_thrspy), 110 .min_tokens = 1, 111 .max_tokens = 1, 112 }, 113 [IW_IOCTL_IDX(SIOCGIWTHRSPY)] = { 114 .header_type = IW_HEADER_TYPE_POINT, 115 .token_size = sizeof(struct iw_thrspy), 116 .min_tokens = 1, 117 .max_tokens = 1, 118 }, 119 [IW_IOCTL_IDX(SIOCSIWAP)] = { 120 .header_type = IW_HEADER_TYPE_ADDR, 121 }, 122 [IW_IOCTL_IDX(SIOCGIWAP)] = { 123 .header_type = IW_HEADER_TYPE_ADDR, 124 .flags = IW_DESCR_FLAG_DUMP, 125 }, 126 [IW_IOCTL_IDX(SIOCSIWMLME)] = { 127 .header_type = IW_HEADER_TYPE_POINT, 128 .token_size = 1, 129 .min_tokens = sizeof(struct iw_mlme), 130 .max_tokens = sizeof(struct iw_mlme), 131 }, 132 [IW_IOCTL_IDX(SIOCGIWAPLIST)] = { 133 .header_type = IW_HEADER_TYPE_POINT, 134 .token_size = sizeof(struct sockaddr) + 135 sizeof(struct iw_quality), 136 .max_tokens = IW_MAX_AP, 137 .flags = IW_DESCR_FLAG_NOMAX, 138 }, 139 [IW_IOCTL_IDX(SIOCSIWSCAN)] = { 140 .header_type = IW_HEADER_TYPE_POINT, 141 .token_size = 1, 142 .min_tokens = 0, 143 .max_tokens = sizeof(struct iw_scan_req), 144 }, 145 [IW_IOCTL_IDX(SIOCGIWSCAN)] = { 146 .header_type = IW_HEADER_TYPE_POINT, 147 .token_size = 1, 148 .max_tokens = IW_SCAN_MAX_DATA, 149 .flags = IW_DESCR_FLAG_NOMAX, 150 }, 151 [IW_IOCTL_IDX(SIOCSIWESSID)] = { 152 .header_type = IW_HEADER_TYPE_POINT, 153 .token_size = 1, 154 .max_tokens = IW_ESSID_MAX_SIZE, 155 .flags = IW_DESCR_FLAG_EVENT, 156 }, 157 [IW_IOCTL_IDX(SIOCGIWESSID)] = { 158 .header_type = IW_HEADER_TYPE_POINT, 159 .token_size = 1, 160 .max_tokens = IW_ESSID_MAX_SIZE, 161 .flags = IW_DESCR_FLAG_DUMP, 162 }, 163 [IW_IOCTL_IDX(SIOCSIWNICKN)] = { 164 .header_type = IW_HEADER_TYPE_POINT, 165 .token_size = 1, 166 .max_tokens = IW_ESSID_MAX_SIZE, 167 }, 168 [IW_IOCTL_IDX(SIOCGIWNICKN)] = { 169 .header_type = IW_HEADER_TYPE_POINT, 170 .token_size = 1, 171 .max_tokens = IW_ESSID_MAX_SIZE, 172 }, 173 [IW_IOCTL_IDX(SIOCSIWRATE)] = { 174 .header_type = IW_HEADER_TYPE_PARAM, 175 }, 176 [IW_IOCTL_IDX(SIOCGIWRATE)] = { 177 .header_type = IW_HEADER_TYPE_PARAM, 178 }, 179 [IW_IOCTL_IDX(SIOCSIWRTS)] = { 180 .header_type = IW_HEADER_TYPE_PARAM, 181 }, 182 [IW_IOCTL_IDX(SIOCGIWRTS)] = { 183 .header_type = IW_HEADER_TYPE_PARAM, 184 }, 185 [IW_IOCTL_IDX(SIOCSIWFRAG)] = { 186 .header_type = IW_HEADER_TYPE_PARAM, 187 }, 188 [IW_IOCTL_IDX(SIOCGIWFRAG)] = { 189 .header_type = IW_HEADER_TYPE_PARAM, 190 }, 191 [IW_IOCTL_IDX(SIOCSIWTXPOW)] = { 192 .header_type = IW_HEADER_TYPE_PARAM, 193 }, 194 [IW_IOCTL_IDX(SIOCGIWTXPOW)] = { 195 .header_type = IW_HEADER_TYPE_PARAM, 196 }, 197 [IW_IOCTL_IDX(SIOCSIWRETRY)] = { 198 .header_type = IW_HEADER_TYPE_PARAM, 199 }, 200 [IW_IOCTL_IDX(SIOCGIWRETRY)] = { 201 .header_type = IW_HEADER_TYPE_PARAM, 202 }, 203 [IW_IOCTL_IDX(SIOCSIWENCODE)] = { 204 .header_type = IW_HEADER_TYPE_POINT, 205 .token_size = 1, 206 .max_tokens = IW_ENCODING_TOKEN_MAX, 207 .flags = IW_DESCR_FLAG_EVENT | IW_DESCR_FLAG_RESTRICT, 208 }, 209 [IW_IOCTL_IDX(SIOCGIWENCODE)] = { 210 .header_type = IW_HEADER_TYPE_POINT, 211 .token_size = 1, 212 .max_tokens = IW_ENCODING_TOKEN_MAX, 213 .flags = IW_DESCR_FLAG_DUMP | IW_DESCR_FLAG_RESTRICT, 214 }, 215 [IW_IOCTL_IDX(SIOCSIWPOWER)] = { 216 .header_type = IW_HEADER_TYPE_PARAM, 217 }, 218 [IW_IOCTL_IDX(SIOCGIWPOWER)] = { 219 .header_type = IW_HEADER_TYPE_PARAM, 220 }, 221 [IW_IOCTL_IDX(SIOCSIWGENIE)] = { 222 .header_type = IW_HEADER_TYPE_POINT, 223 .token_size = 1, 224 .max_tokens = IW_GENERIC_IE_MAX, 225 }, 226 [IW_IOCTL_IDX(SIOCGIWGENIE)] = { 227 .header_type = IW_HEADER_TYPE_POINT, 228 .token_size = 1, 229 .max_tokens = IW_GENERIC_IE_MAX, 230 }, 231 [IW_IOCTL_IDX(SIOCSIWAUTH)] = { 232 .header_type = IW_HEADER_TYPE_PARAM, 233 }, 234 [IW_IOCTL_IDX(SIOCGIWAUTH)] = { 235 .header_type = IW_HEADER_TYPE_PARAM, 236 }, 237 [IW_IOCTL_IDX(SIOCSIWENCODEEXT)] = { 238 .header_type = IW_HEADER_TYPE_POINT, 239 .token_size = 1, 240 .min_tokens = sizeof(struct iw_encode_ext), 241 .max_tokens = sizeof(struct iw_encode_ext) + 242 IW_ENCODING_TOKEN_MAX, 243 }, 244 [IW_IOCTL_IDX(SIOCGIWENCODEEXT)] = { 245 .header_type = IW_HEADER_TYPE_POINT, 246 .token_size = 1, 247 .min_tokens = sizeof(struct iw_encode_ext), 248 .max_tokens = sizeof(struct iw_encode_ext) + 249 IW_ENCODING_TOKEN_MAX, 250 }, 251 [IW_IOCTL_IDX(SIOCSIWPMKSA)] = { 252 .header_type = IW_HEADER_TYPE_POINT, 253 .token_size = 1, 254 .min_tokens = sizeof(struct iw_pmksa), 255 .max_tokens = sizeof(struct iw_pmksa), 256 }, 257 }; 258 static const unsigned standard_ioctl_num = ARRAY_SIZE(standard_ioctl); 259 260 /* 261 * Meta-data about all the additional standard Wireless Extension events 262 * we know about. 263 */ 264 static const struct iw_ioctl_description standard_event[] = { 265 [IW_EVENT_IDX(IWEVTXDROP)] = { 266 .header_type = IW_HEADER_TYPE_ADDR, 267 }, 268 [IW_EVENT_IDX(IWEVQUAL)] = { 269 .header_type = IW_HEADER_TYPE_QUAL, 270 }, 271 [IW_EVENT_IDX(IWEVCUSTOM)] = { 272 .header_type = IW_HEADER_TYPE_POINT, 273 .token_size = 1, 274 .max_tokens = IW_CUSTOM_MAX, 275 }, 276 [IW_EVENT_IDX(IWEVREGISTERED)] = { 277 .header_type = IW_HEADER_TYPE_ADDR, 278 }, 279 [IW_EVENT_IDX(IWEVEXPIRED)] = { 280 .header_type = IW_HEADER_TYPE_ADDR, 281 }, 282 [IW_EVENT_IDX(IWEVGENIE)] = { 283 .header_type = IW_HEADER_TYPE_POINT, 284 .token_size = 1, 285 .max_tokens = IW_GENERIC_IE_MAX, 286 }, 287 [IW_EVENT_IDX(IWEVMICHAELMICFAILURE)] = { 288 .header_type = IW_HEADER_TYPE_POINT, 289 .token_size = 1, 290 .max_tokens = sizeof(struct iw_michaelmicfailure), 291 }, 292 [IW_EVENT_IDX(IWEVASSOCREQIE)] = { 293 .header_type = IW_HEADER_TYPE_POINT, 294 .token_size = 1, 295 .max_tokens = IW_GENERIC_IE_MAX, 296 }, 297 [IW_EVENT_IDX(IWEVASSOCRESPIE)] = { 298 .header_type = IW_HEADER_TYPE_POINT, 299 .token_size = 1, 300 .max_tokens = IW_GENERIC_IE_MAX, 301 }, 302 [IW_EVENT_IDX(IWEVPMKIDCAND)] = { 303 .header_type = IW_HEADER_TYPE_POINT, 304 .token_size = 1, 305 .max_tokens = sizeof(struct iw_pmkid_cand), 306 }, 307 }; 308 static const unsigned standard_event_num = ARRAY_SIZE(standard_event); 309 310 /* Size (in bytes) of various events */ 311 static const int event_type_size[] = { 312 IW_EV_LCP_LEN, /* IW_HEADER_TYPE_NULL */ 313 0, 314 IW_EV_CHAR_LEN, /* IW_HEADER_TYPE_CHAR */ 315 0, 316 IW_EV_UINT_LEN, /* IW_HEADER_TYPE_UINT */ 317 IW_EV_FREQ_LEN, /* IW_HEADER_TYPE_FREQ */ 318 IW_EV_ADDR_LEN, /* IW_HEADER_TYPE_ADDR */ 319 0, 320 IW_EV_POINT_LEN, /* Without variable payload */ 321 IW_EV_PARAM_LEN, /* IW_HEADER_TYPE_PARAM */ 322 IW_EV_QUAL_LEN, /* IW_HEADER_TYPE_QUAL */ 323 }; 324 325 #ifdef CONFIG_COMPAT 326 static const int compat_event_type_size[] = { 327 IW_EV_COMPAT_LCP_LEN, /* IW_HEADER_TYPE_NULL */ 328 0, 329 IW_EV_COMPAT_CHAR_LEN, /* IW_HEADER_TYPE_CHAR */ 330 0, 331 IW_EV_COMPAT_UINT_LEN, /* IW_HEADER_TYPE_UINT */ 332 IW_EV_COMPAT_FREQ_LEN, /* IW_HEADER_TYPE_FREQ */ 333 IW_EV_COMPAT_ADDR_LEN, /* IW_HEADER_TYPE_ADDR */ 334 0, 335 IW_EV_COMPAT_POINT_LEN, /* Without variable payload */ 336 IW_EV_COMPAT_PARAM_LEN, /* IW_HEADER_TYPE_PARAM */ 337 IW_EV_COMPAT_QUAL_LEN, /* IW_HEADER_TYPE_QUAL */ 338 }; 339 #endif 340 341 342 /* IW event code */ 343 344 static int __net_init wext_pernet_init(struct net *net) 345 { 346 skb_queue_head_init(&net->wext_nlevents); 347 return 0; 348 } 349 350 static void __net_exit wext_pernet_exit(struct net *net) 351 { 352 skb_queue_purge(&net->wext_nlevents); 353 } 354 355 static struct pernet_operations wext_pernet_ops = { 356 .init = wext_pernet_init, 357 .exit = wext_pernet_exit, 358 }; 359 360 static int __init wireless_nlevent_init(void) 361 { 362 return register_pernet_subsys(&wext_pernet_ops); 363 } 364 365 subsys_initcall(wireless_nlevent_init); 366 367 /* Process events generated by the wireless layer or the driver. */ 368 static void wireless_nlevent_process(struct work_struct *work) 369 { 370 struct sk_buff *skb; 371 struct net *net; 372 373 rtnl_lock(); 374 375 for_each_net(net) { 376 while ((skb = skb_dequeue(&net->wext_nlevents))) 377 rtnl_notify(skb, net, 0, RTNLGRP_LINK, NULL, 378 GFP_KERNEL); 379 } 380 381 rtnl_unlock(); 382 } 383 384 static DECLARE_WORK(wireless_nlevent_work, wireless_nlevent_process); 385 386 static struct nlmsghdr *rtnetlink_ifinfo_prep(struct net_device *dev, 387 struct sk_buff *skb) 388 { 389 struct ifinfomsg *r; 390 struct nlmsghdr *nlh; 391 392 nlh = nlmsg_put(skb, 0, 0, RTM_NEWLINK, sizeof(*r), 0); 393 if (!nlh) 394 return NULL; 395 396 r = nlmsg_data(nlh); 397 r->ifi_family = AF_UNSPEC; 398 r->__ifi_pad = 0; 399 r->ifi_type = dev->type; 400 r->ifi_index = dev->ifindex; 401 r->ifi_flags = dev_get_flags(dev); 402 r->ifi_change = 0; /* Wireless changes don't affect those flags */ 403 404 NLA_PUT_STRING(skb, IFLA_IFNAME, dev->name); 405 406 return nlh; 407 nla_put_failure: 408 nlmsg_cancel(skb, nlh); 409 return NULL; 410 } 411 412 413 /* 414 * Main event dispatcher. Called from other parts and drivers. 415 * Send the event on the appropriate channels. 416 * May be called from interrupt context. 417 */ 418 void wireless_send_event(struct net_device * dev, 419 unsigned int cmd, 420 union iwreq_data * wrqu, 421 const char * extra) 422 { 423 const struct iw_ioctl_description * descr = NULL; 424 int extra_len = 0; 425 struct iw_event *event; /* Mallocated whole event */ 426 int event_len; /* Its size */ 427 int hdr_len; /* Size of the event header */ 428 int wrqu_off = 0; /* Offset in wrqu */ 429 /* Don't "optimise" the following variable, it will crash */ 430 unsigned cmd_index; /* *MUST* be unsigned */ 431 struct sk_buff *skb; 432 struct nlmsghdr *nlh; 433 struct nlattr *nla; 434 #ifdef CONFIG_COMPAT 435 struct __compat_iw_event *compat_event; 436 struct compat_iw_point compat_wrqu; 437 struct sk_buff *compskb; 438 #endif 439 440 /* 441 * Nothing in the kernel sends scan events with data, be safe. 442 * This is necessary because we cannot fix up scan event data 443 * for compat, due to being contained in 'extra', but normally 444 * applications are required to retrieve the scan data anyway 445 * and no data is included in the event, this codifies that 446 * practice. 447 */ 448 if (WARN_ON(cmd == SIOCGIWSCAN && extra)) 449 extra = NULL; 450 451 /* Get the description of the Event */ 452 if (cmd <= SIOCIWLAST) { 453 cmd_index = IW_IOCTL_IDX(cmd); 454 if (cmd_index < standard_ioctl_num) 455 descr = &(standard_ioctl[cmd_index]); 456 } else { 457 cmd_index = IW_EVENT_IDX(cmd); 458 if (cmd_index < standard_event_num) 459 descr = &(standard_event[cmd_index]); 460 } 461 /* Don't accept unknown events */ 462 if (descr == NULL) { 463 /* Note : we don't return an error to the driver, because 464 * the driver would not know what to do about it. It can't 465 * return an error to the user, because the event is not 466 * initiated by a user request. 467 * The best the driver could do is to log an error message. 468 * We will do it ourselves instead... 469 */ 470 netdev_err(dev, "(WE) : Invalid/Unknown Wireless Event (0x%04X)\n", 471 cmd); 472 return; 473 } 474 475 /* Check extra parameters and set extra_len */ 476 if (descr->header_type == IW_HEADER_TYPE_POINT) { 477 /* Check if number of token fits within bounds */ 478 if (wrqu->data.length > descr->max_tokens) { 479 netdev_err(dev, "(WE) : Wireless Event too big (%d)\n", 480 wrqu->data.length); 481 return; 482 } 483 if (wrqu->data.length < descr->min_tokens) { 484 netdev_err(dev, "(WE) : Wireless Event too small (%d)\n", 485 wrqu->data.length); 486 return; 487 } 488 /* Calculate extra_len - extra is NULL for restricted events */ 489 if (extra != NULL) 490 extra_len = wrqu->data.length * descr->token_size; 491 /* Always at an offset in wrqu */ 492 wrqu_off = IW_EV_POINT_OFF; 493 } 494 495 /* Total length of the event */ 496 hdr_len = event_type_size[descr->header_type]; 497 event_len = hdr_len + extra_len; 498 499 /* 500 * The problem for 64/32 bit. 501 * 502 * On 64-bit, a regular event is laid out as follows: 503 * | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 504 * | event.len | event.cmd | p a d d i n g | 505 * | wrqu data ... (with the correct size) | 506 * 507 * This padding exists because we manipulate event->u, 508 * and 'event' is not packed. 509 * 510 * An iw_point event is laid out like this instead: 511 * | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 512 * | event.len | event.cmd | p a d d i n g | 513 * | iwpnt.len | iwpnt.flg | p a d d i n g | 514 * | extra data ... 515 * 516 * The second padding exists because struct iw_point is extended, 517 * but this depends on the platform... 518 * 519 * On 32-bit, all the padding shouldn't be there. 520 */ 521 522 skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC); 523 if (!skb) 524 return; 525 526 /* Send via the RtNetlink event channel */ 527 nlh = rtnetlink_ifinfo_prep(dev, skb); 528 if (WARN_ON(!nlh)) { 529 kfree_skb(skb); 530 return; 531 } 532 533 /* Add the wireless events in the netlink packet */ 534 nla = nla_reserve(skb, IFLA_WIRELESS, event_len); 535 if (!nla) { 536 kfree_skb(skb); 537 return; 538 } 539 event = nla_data(nla); 540 541 /* Fill event - first clear to avoid data leaking */ 542 memset(event, 0, hdr_len); 543 event->len = event_len; 544 event->cmd = cmd; 545 memcpy(&event->u, ((char *) wrqu) + wrqu_off, hdr_len - IW_EV_LCP_LEN); 546 if (extra_len) 547 memcpy(((char *) event) + hdr_len, extra, extra_len); 548 549 nlmsg_end(skb, nlh); 550 #ifdef CONFIG_COMPAT 551 hdr_len = compat_event_type_size[descr->header_type]; 552 event_len = hdr_len + extra_len; 553 554 compskb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC); 555 if (!compskb) { 556 kfree_skb(skb); 557 return; 558 } 559 560 /* Send via the RtNetlink event channel */ 561 nlh = rtnetlink_ifinfo_prep(dev, compskb); 562 if (WARN_ON(!nlh)) { 563 kfree_skb(skb); 564 kfree_skb(compskb); 565 return; 566 } 567 568 /* Add the wireless events in the netlink packet */ 569 nla = nla_reserve(compskb, IFLA_WIRELESS, event_len); 570 if (!nla) { 571 kfree_skb(skb); 572 kfree_skb(compskb); 573 return; 574 } 575 compat_event = nla_data(nla); 576 577 compat_event->len = event_len; 578 compat_event->cmd = cmd; 579 if (descr->header_type == IW_HEADER_TYPE_POINT) { 580 compat_wrqu.length = wrqu->data.length; 581 compat_wrqu.flags = wrqu->data.flags; 582 memcpy(&compat_event->pointer, 583 ((char *) &compat_wrqu) + IW_EV_COMPAT_POINT_OFF, 584 hdr_len - IW_EV_COMPAT_LCP_LEN); 585 if (extra_len) 586 memcpy(((char *) compat_event) + hdr_len, 587 extra, extra_len); 588 } else { 589 /* extra_len must be zero, so no if (extra) needed */ 590 memcpy(&compat_event->pointer, wrqu, 591 hdr_len - IW_EV_COMPAT_LCP_LEN); 592 } 593 594 nlmsg_end(compskb, nlh); 595 596 skb_shinfo(skb)->frag_list = compskb; 597 #endif 598 skb_queue_tail(&dev_net(dev)->wext_nlevents, skb); 599 schedule_work(&wireless_nlevent_work); 600 } 601 EXPORT_SYMBOL(wireless_send_event); 602 603 604 605 /* IW handlers */ 606 607 struct iw_statistics *get_wireless_stats(struct net_device *dev) 608 { 609 #ifdef CONFIG_WIRELESS_EXT 610 if ((dev->wireless_handlers != NULL) && 611 (dev->wireless_handlers->get_wireless_stats != NULL)) 612 return dev->wireless_handlers->get_wireless_stats(dev); 613 #endif 614 615 #ifdef CONFIG_CFG80211_WEXT 616 if (dev->ieee80211_ptr && 617 dev->ieee80211_ptr->wiphy && 618 dev->ieee80211_ptr->wiphy->wext && 619 dev->ieee80211_ptr->wiphy->wext->get_wireless_stats) 620 return dev->ieee80211_ptr->wiphy->wext->get_wireless_stats(dev); 621 #endif 622 623 /* not found */ 624 return NULL; 625 } 626 627 static int iw_handler_get_iwstats(struct net_device * dev, 628 struct iw_request_info * info, 629 union iwreq_data * wrqu, 630 char * extra) 631 { 632 /* Get stats from the driver */ 633 struct iw_statistics *stats; 634 635 stats = get_wireless_stats(dev); 636 if (stats) { 637 /* Copy statistics to extra */ 638 memcpy(extra, stats, sizeof(struct iw_statistics)); 639 wrqu->data.length = sizeof(struct iw_statistics); 640 641 /* Check if we need to clear the updated flag */ 642 if (wrqu->data.flags != 0) 643 stats->qual.updated &= ~IW_QUAL_ALL_UPDATED; 644 return 0; 645 } else 646 return -EOPNOTSUPP; 647 } 648 649 static iw_handler get_handler(struct net_device *dev, unsigned int cmd) 650 { 651 /* Don't "optimise" the following variable, it will crash */ 652 unsigned int index; /* *MUST* be unsigned */ 653 const struct iw_handler_def *handlers = NULL; 654 655 #ifdef CONFIG_CFG80211_WEXT 656 if (dev->ieee80211_ptr && dev->ieee80211_ptr->wiphy) 657 handlers = dev->ieee80211_ptr->wiphy->wext; 658 #endif 659 #ifdef CONFIG_WIRELESS_EXT 660 if (dev->wireless_handlers) 661 handlers = dev->wireless_handlers; 662 #endif 663 664 if (!handlers) 665 return NULL; 666 667 /* Try as a standard command */ 668 index = IW_IOCTL_IDX(cmd); 669 if (index < handlers->num_standard) 670 return handlers->standard[index]; 671 672 #ifdef CONFIG_WEXT_PRIV 673 /* Try as a private command */ 674 index = cmd - SIOCIWFIRSTPRIV; 675 if (index < handlers->num_private) 676 return handlers->private[index]; 677 #endif 678 679 /* Not found */ 680 return NULL; 681 } 682 683 static int ioctl_standard_iw_point(struct iw_point *iwp, unsigned int cmd, 684 const struct iw_ioctl_description *descr, 685 iw_handler handler, struct net_device *dev, 686 struct iw_request_info *info) 687 { 688 int err, extra_size, user_length = 0, essid_compat = 0; 689 char *extra; 690 691 /* Calculate space needed by arguments. Always allocate 692 * for max space. 693 */ 694 extra_size = descr->max_tokens * descr->token_size; 695 696 /* Check need for ESSID compatibility for WE < 21 */ 697 switch (cmd) { 698 case SIOCSIWESSID: 699 case SIOCGIWESSID: 700 case SIOCSIWNICKN: 701 case SIOCGIWNICKN: 702 if (iwp->length == descr->max_tokens + 1) 703 essid_compat = 1; 704 else if (IW_IS_SET(cmd) && (iwp->length != 0)) { 705 char essid[IW_ESSID_MAX_SIZE + 1]; 706 unsigned int len; 707 len = iwp->length * descr->token_size; 708 709 if (len > IW_ESSID_MAX_SIZE) 710 return -EFAULT; 711 712 err = copy_from_user(essid, iwp->pointer, len); 713 if (err) 714 return -EFAULT; 715 716 if (essid[iwp->length - 1] == '\0') 717 essid_compat = 1; 718 } 719 break; 720 default: 721 break; 722 } 723 724 iwp->length -= essid_compat; 725 726 /* Check what user space is giving us */ 727 if (IW_IS_SET(cmd)) { 728 /* Check NULL pointer */ 729 if (!iwp->pointer && iwp->length != 0) 730 return -EFAULT; 731 /* Check if number of token fits within bounds */ 732 if (iwp->length > descr->max_tokens) 733 return -E2BIG; 734 if (iwp->length < descr->min_tokens) 735 return -EINVAL; 736 } else { 737 /* Check NULL pointer */ 738 if (!iwp->pointer) 739 return -EFAULT; 740 /* Save user space buffer size for checking */ 741 user_length = iwp->length; 742 743 /* Don't check if user_length > max to allow forward 744 * compatibility. The test user_length < min is 745 * implied by the test at the end. 746 */ 747 748 /* Support for very large requests */ 749 if ((descr->flags & IW_DESCR_FLAG_NOMAX) && 750 (user_length > descr->max_tokens)) { 751 /* Allow userspace to GET more than max so 752 * we can support any size GET requests. 753 * There is still a limit : -ENOMEM. 754 */ 755 extra_size = user_length * descr->token_size; 756 757 /* Note : user_length is originally a __u16, 758 * and token_size is controlled by us, 759 * so extra_size won't get negative and 760 * won't overflow... 761 */ 762 } 763 } 764 765 /* kzalloc() ensures NULL-termination for essid_compat. */ 766 extra = kzalloc(extra_size, GFP_KERNEL); 767 if (!extra) 768 return -ENOMEM; 769 770 /* If it is a SET, get all the extra data in here */ 771 if (IW_IS_SET(cmd) && (iwp->length != 0)) { 772 if (copy_from_user(extra, iwp->pointer, 773 iwp->length * 774 descr->token_size)) { 775 err = -EFAULT; 776 goto out; 777 } 778 779 if (cmd == SIOCSIWENCODEEXT) { 780 struct iw_encode_ext *ee = (void *) extra; 781 782 if (iwp->length < sizeof(*ee) + ee->key_len) 783 return -EFAULT; 784 } 785 } 786 787 if (IW_IS_GET(cmd) && !(descr->flags & IW_DESCR_FLAG_NOMAX)) { 788 /* 789 * If this is a GET, but not NOMAX, it means that the extra 790 * data is not bounded by userspace, but by max_tokens. Thus 791 * set the length to max_tokens. This matches the extra data 792 * allocation. 793 * The driver should fill it with the number of tokens it 794 * provided, and it may check iwp->length rather than having 795 * knowledge of max_tokens. If the driver doesn't change the 796 * iwp->length, this ioctl just copies back max_token tokens 797 * filled with zeroes. Hopefully the driver isn't claiming 798 * them to be valid data. 799 */ 800 iwp->length = descr->max_tokens; 801 } 802 803 err = handler(dev, info, (union iwreq_data *) iwp, extra); 804 805 iwp->length += essid_compat; 806 807 /* If we have something to return to the user */ 808 if (!err && IW_IS_GET(cmd)) { 809 /* Check if there is enough buffer up there */ 810 if (user_length < iwp->length) { 811 err = -E2BIG; 812 goto out; 813 } 814 815 if (copy_to_user(iwp->pointer, extra, 816 iwp->length * 817 descr->token_size)) { 818 err = -EFAULT; 819 goto out; 820 } 821 } 822 823 /* Generate an event to notify listeners of the change */ 824 if ((descr->flags & IW_DESCR_FLAG_EVENT) && 825 ((err == 0) || (err == -EIWCOMMIT))) { 826 union iwreq_data *data = (union iwreq_data *) iwp; 827 828 if (descr->flags & IW_DESCR_FLAG_RESTRICT) 829 /* If the event is restricted, don't 830 * export the payload. 831 */ 832 wireless_send_event(dev, cmd, data, NULL); 833 else 834 wireless_send_event(dev, cmd, data, extra); 835 } 836 837 out: 838 kfree(extra); 839 return err; 840 } 841 842 /* 843 * Call the commit handler in the driver 844 * (if exist and if conditions are right) 845 * 846 * Note : our current commit strategy is currently pretty dumb, 847 * but we will be able to improve on that... 848 * The goal is to try to agreagate as many changes as possible 849 * before doing the commit. Drivers that will define a commit handler 850 * are usually those that need a reset after changing parameters, so 851 * we want to minimise the number of reset. 852 * A cool idea is to use a timer : at each "set" command, we re-set the 853 * timer, when the timer eventually fires, we call the driver. 854 * Hopefully, more on that later. 855 * 856 * Also, I'm waiting to see how many people will complain about the 857 * netif_running(dev) test. I'm open on that one... 858 * Hopefully, the driver will remember to do a commit in "open()" ;-) 859 */ 860 int call_commit_handler(struct net_device *dev) 861 { 862 #ifdef CONFIG_WIRELESS_EXT 863 if ((netif_running(dev)) && 864 (dev->wireless_handlers->standard[0] != NULL)) 865 /* Call the commit handler on the driver */ 866 return dev->wireless_handlers->standard[0](dev, NULL, 867 NULL, NULL); 868 else 869 return 0; /* Command completed successfully */ 870 #else 871 /* cfg80211 has no commit */ 872 return 0; 873 #endif 874 } 875 876 /* 877 * Main IOCTl dispatcher. 878 * Check the type of IOCTL and call the appropriate wrapper... 879 */ 880 static int wireless_process_ioctl(struct net *net, struct ifreq *ifr, 881 unsigned int cmd, 882 struct iw_request_info *info, 883 wext_ioctl_func standard, 884 wext_ioctl_func private) 885 { 886 struct iwreq *iwr = (struct iwreq *) ifr; 887 struct net_device *dev; 888 iw_handler handler; 889 890 /* Permissions are already checked in dev_ioctl() before calling us. 891 * The copy_to/from_user() of ifr is also dealt with in there */ 892 893 /* Make sure the device exist */ 894 if ((dev = __dev_get_by_name(net, ifr->ifr_name)) == NULL) 895 return -ENODEV; 896 897 /* A bunch of special cases, then the generic case... 898 * Note that 'cmd' is already filtered in dev_ioctl() with 899 * (cmd >= SIOCIWFIRST && cmd <= SIOCIWLAST) */ 900 if (cmd == SIOCGIWSTATS) 901 return standard(dev, iwr, cmd, info, 902 &iw_handler_get_iwstats); 903 904 #ifdef CONFIG_WEXT_PRIV 905 if (cmd == SIOCGIWPRIV && dev->wireless_handlers) 906 return standard(dev, iwr, cmd, info, 907 iw_handler_get_private); 908 #endif 909 910 /* Basic check */ 911 if (!netif_device_present(dev)) 912 return -ENODEV; 913 914 /* New driver API : try to find the handler */ 915 handler = get_handler(dev, cmd); 916 if (handler) { 917 /* Standard and private are not the same */ 918 if (cmd < SIOCIWFIRSTPRIV) 919 return standard(dev, iwr, cmd, info, handler); 920 else if (private) 921 return private(dev, iwr, cmd, info, handler); 922 } 923 /* Old driver API : call driver ioctl handler */ 924 if (dev->netdev_ops->ndo_do_ioctl) 925 return dev->netdev_ops->ndo_do_ioctl(dev, ifr, cmd); 926 return -EOPNOTSUPP; 927 } 928 929 /* If command is `set a parameter', or `get the encoding parameters', 930 * check if the user has the right to do it. 931 */ 932 static int wext_permission_check(unsigned int cmd) 933 { 934 if ((IW_IS_SET(cmd) || cmd == SIOCGIWENCODE || 935 cmd == SIOCGIWENCODEEXT) && 936 !capable(CAP_NET_ADMIN)) 937 return -EPERM; 938 939 return 0; 940 } 941 942 /* entry point from dev ioctl */ 943 static int wext_ioctl_dispatch(struct net *net, struct ifreq *ifr, 944 unsigned int cmd, struct iw_request_info *info, 945 wext_ioctl_func standard, 946 wext_ioctl_func private) 947 { 948 int ret = wext_permission_check(cmd); 949 950 if (ret) 951 return ret; 952 953 dev_load(net, ifr->ifr_name); 954 rtnl_lock(); 955 ret = wireless_process_ioctl(net, ifr, cmd, info, standard, private); 956 rtnl_unlock(); 957 958 return ret; 959 } 960 961 /* 962 * Wrapper to call a standard Wireless Extension handler. 963 * We do various checks and also take care of moving data between 964 * user space and kernel space. 965 */ 966 static int ioctl_standard_call(struct net_device * dev, 967 struct iwreq *iwr, 968 unsigned int cmd, 969 struct iw_request_info *info, 970 iw_handler handler) 971 { 972 const struct iw_ioctl_description * descr; 973 int ret = -EINVAL; 974 975 /* Get the description of the IOCTL */ 976 if (IW_IOCTL_IDX(cmd) >= standard_ioctl_num) 977 return -EOPNOTSUPP; 978 descr = &(standard_ioctl[IW_IOCTL_IDX(cmd)]); 979 980 /* Check if we have a pointer to user space data or not */ 981 if (descr->header_type != IW_HEADER_TYPE_POINT) { 982 983 /* No extra arguments. Trivial to handle */ 984 ret = handler(dev, info, &(iwr->u), NULL); 985 986 /* Generate an event to notify listeners of the change */ 987 if ((descr->flags & IW_DESCR_FLAG_EVENT) && 988 ((ret == 0) || (ret == -EIWCOMMIT))) 989 wireless_send_event(dev, cmd, &(iwr->u), NULL); 990 } else { 991 ret = ioctl_standard_iw_point(&iwr->u.data, cmd, descr, 992 handler, dev, info); 993 } 994 995 /* Call commit handler if needed and defined */ 996 if (ret == -EIWCOMMIT) 997 ret = call_commit_handler(dev); 998 999 /* Here, we will generate the appropriate event if needed */ 1000 1001 return ret; 1002 } 1003 1004 1005 int wext_handle_ioctl(struct net *net, struct ifreq *ifr, unsigned int cmd, 1006 void __user *arg) 1007 { 1008 struct iw_request_info info = { .cmd = cmd, .flags = 0 }; 1009 int ret; 1010 1011 ret = wext_ioctl_dispatch(net, ifr, cmd, &info, 1012 ioctl_standard_call, 1013 ioctl_private_call); 1014 if (ret >= 0 && 1015 IW_IS_GET(cmd) && 1016 copy_to_user(arg, ifr, sizeof(struct iwreq))) 1017 return -EFAULT; 1018 1019 return ret; 1020 } 1021 1022 #ifdef CONFIG_COMPAT 1023 static int compat_standard_call(struct net_device *dev, 1024 struct iwreq *iwr, 1025 unsigned int cmd, 1026 struct iw_request_info *info, 1027 iw_handler handler) 1028 { 1029 const struct iw_ioctl_description *descr; 1030 struct compat_iw_point *iwp_compat; 1031 struct iw_point iwp; 1032 int err; 1033 1034 descr = standard_ioctl + IW_IOCTL_IDX(cmd); 1035 1036 if (descr->header_type != IW_HEADER_TYPE_POINT) 1037 return ioctl_standard_call(dev, iwr, cmd, info, handler); 1038 1039 iwp_compat = (struct compat_iw_point *) &iwr->u.data; 1040 iwp.pointer = compat_ptr(iwp_compat->pointer); 1041 iwp.length = iwp_compat->length; 1042 iwp.flags = iwp_compat->flags; 1043 1044 err = ioctl_standard_iw_point(&iwp, cmd, descr, handler, dev, info); 1045 1046 iwp_compat->pointer = ptr_to_compat(iwp.pointer); 1047 iwp_compat->length = iwp.length; 1048 iwp_compat->flags = iwp.flags; 1049 1050 return err; 1051 } 1052 1053 int compat_wext_handle_ioctl(struct net *net, unsigned int cmd, 1054 unsigned long arg) 1055 { 1056 void __user *argp = (void __user *)arg; 1057 struct iw_request_info info; 1058 struct iwreq iwr; 1059 char *colon; 1060 int ret; 1061 1062 if (copy_from_user(&iwr, argp, sizeof(struct iwreq))) 1063 return -EFAULT; 1064 1065 iwr.ifr_name[IFNAMSIZ-1] = 0; 1066 colon = strchr(iwr.ifr_name, ':'); 1067 if (colon) 1068 *colon = 0; 1069 1070 info.cmd = cmd; 1071 info.flags = IW_REQUEST_FLAG_COMPAT; 1072 1073 ret = wext_ioctl_dispatch(net, (struct ifreq *) &iwr, cmd, &info, 1074 compat_standard_call, 1075 compat_private_call); 1076 1077 if (ret >= 0 && 1078 IW_IS_GET(cmd) && 1079 copy_to_user(argp, &iwr, sizeof(struct iwreq))) 1080 return -EFAULT; 1081 1082 return ret; 1083 } 1084 #endif 1085