1 /* 2 * This file implement the Wireless Extensions core API. 3 * 4 * Authors : Jean Tourrilhes - HPL - <jt@hpl.hp.com> 5 * Copyright (c) 1997-2007 Jean Tourrilhes, All Rights Reserved. 6 * Copyright 2009 Johannes Berg <johannes@sipsolutions.net> 7 * Copyright (C) 2024 Intel Corporation 8 * 9 * (As all part of the Linux kernel, this file is GPL) 10 */ 11 #include <linux/kernel.h> 12 #include <linux/netdevice.h> 13 #include <linux/rtnetlink.h> 14 #include <linux/slab.h> 15 #include <linux/wireless.h> 16 #include <linux/uaccess.h> 17 #include <linux/export.h> 18 #include <net/cfg80211.h> 19 #include <net/iw_handler.h> 20 #include <net/netlink.h> 21 #include <net/wext.h> 22 #include <net/net_namespace.h> 23 24 typedef int (*wext_ioctl_func)(struct net_device *, struct iwreq *, 25 unsigned int, struct iw_request_info *, 26 iw_handler); 27 28 29 /* 30 * Meta-data about all the standard Wireless Extension request we 31 * know about. 32 */ 33 static const struct iw_ioctl_description standard_ioctl[] = { 34 [IW_IOCTL_IDX(SIOCSIWCOMMIT)] = { 35 .header_type = IW_HEADER_TYPE_NULL, 36 }, 37 [IW_IOCTL_IDX(SIOCGIWNAME)] = { 38 .header_type = IW_HEADER_TYPE_CHAR, 39 .flags = IW_DESCR_FLAG_DUMP, 40 }, 41 [IW_IOCTL_IDX(SIOCSIWNWID)] = { 42 .header_type = IW_HEADER_TYPE_PARAM, 43 .flags = IW_DESCR_FLAG_EVENT, 44 }, 45 [IW_IOCTL_IDX(SIOCGIWNWID)] = { 46 .header_type = IW_HEADER_TYPE_PARAM, 47 .flags = IW_DESCR_FLAG_DUMP, 48 }, 49 [IW_IOCTL_IDX(SIOCSIWFREQ)] = { 50 .header_type = IW_HEADER_TYPE_FREQ, 51 .flags = IW_DESCR_FLAG_EVENT, 52 }, 53 [IW_IOCTL_IDX(SIOCGIWFREQ)] = { 54 .header_type = IW_HEADER_TYPE_FREQ, 55 .flags = IW_DESCR_FLAG_DUMP, 56 }, 57 [IW_IOCTL_IDX(SIOCSIWMODE)] = { 58 .header_type = IW_HEADER_TYPE_UINT, 59 .flags = IW_DESCR_FLAG_EVENT, 60 }, 61 [IW_IOCTL_IDX(SIOCGIWMODE)] = { 62 .header_type = IW_HEADER_TYPE_UINT, 63 .flags = IW_DESCR_FLAG_DUMP, 64 }, 65 [IW_IOCTL_IDX(SIOCSIWSENS)] = { 66 .header_type = IW_HEADER_TYPE_PARAM, 67 }, 68 [IW_IOCTL_IDX(SIOCGIWSENS)] = { 69 .header_type = IW_HEADER_TYPE_PARAM, 70 }, 71 [IW_IOCTL_IDX(SIOCSIWRANGE)] = { 72 .header_type = IW_HEADER_TYPE_NULL, 73 }, 74 [IW_IOCTL_IDX(SIOCGIWRANGE)] = { 75 .header_type = IW_HEADER_TYPE_POINT, 76 .token_size = 1, 77 .max_tokens = sizeof(struct iw_range), 78 .flags = IW_DESCR_FLAG_DUMP, 79 }, 80 [IW_IOCTL_IDX(SIOCSIWPRIV)] = { 81 .header_type = IW_HEADER_TYPE_NULL, 82 }, 83 [IW_IOCTL_IDX(SIOCGIWPRIV)] = { /* (handled directly by us) */ 84 .header_type = IW_HEADER_TYPE_POINT, 85 .token_size = sizeof(struct iw_priv_args), 86 .max_tokens = 16, 87 .flags = IW_DESCR_FLAG_NOMAX, 88 }, 89 [IW_IOCTL_IDX(SIOCSIWSTATS)] = { 90 .header_type = IW_HEADER_TYPE_NULL, 91 }, 92 [IW_IOCTL_IDX(SIOCGIWSTATS)] = { /* (handled directly by us) */ 93 .header_type = IW_HEADER_TYPE_POINT, 94 .token_size = 1, 95 .max_tokens = sizeof(struct iw_statistics), 96 .flags = IW_DESCR_FLAG_DUMP, 97 }, 98 [IW_IOCTL_IDX(SIOCSIWSPY)] = { 99 .header_type = IW_HEADER_TYPE_POINT, 100 .token_size = sizeof(struct sockaddr), 101 .max_tokens = IW_MAX_SPY, 102 }, 103 [IW_IOCTL_IDX(SIOCGIWSPY)] = { 104 .header_type = IW_HEADER_TYPE_POINT, 105 .token_size = sizeof(struct sockaddr) + 106 sizeof(struct iw_quality), 107 .max_tokens = IW_MAX_SPY, 108 }, 109 [IW_IOCTL_IDX(SIOCSIWTHRSPY)] = { 110 .header_type = IW_HEADER_TYPE_POINT, 111 .token_size = sizeof(struct iw_thrspy), 112 .min_tokens = 1, 113 .max_tokens = 1, 114 }, 115 [IW_IOCTL_IDX(SIOCGIWTHRSPY)] = { 116 .header_type = IW_HEADER_TYPE_POINT, 117 .token_size = sizeof(struct iw_thrspy), 118 .min_tokens = 1, 119 .max_tokens = 1, 120 }, 121 [IW_IOCTL_IDX(SIOCSIWAP)] = { 122 .header_type = IW_HEADER_TYPE_ADDR, 123 }, 124 [IW_IOCTL_IDX(SIOCGIWAP)] = { 125 .header_type = IW_HEADER_TYPE_ADDR, 126 .flags = IW_DESCR_FLAG_DUMP, 127 }, 128 [IW_IOCTL_IDX(SIOCSIWMLME)] = { 129 .header_type = IW_HEADER_TYPE_POINT, 130 .token_size = 1, 131 .min_tokens = sizeof(struct iw_mlme), 132 .max_tokens = sizeof(struct iw_mlme), 133 }, 134 [IW_IOCTL_IDX(SIOCGIWAPLIST)] = { 135 .header_type = IW_HEADER_TYPE_POINT, 136 .token_size = sizeof(struct sockaddr) + 137 sizeof(struct iw_quality), 138 .max_tokens = IW_MAX_AP, 139 .flags = IW_DESCR_FLAG_NOMAX, 140 }, 141 [IW_IOCTL_IDX(SIOCSIWSCAN)] = { 142 .header_type = IW_HEADER_TYPE_POINT, 143 .token_size = 1, 144 .min_tokens = 0, 145 .max_tokens = sizeof(struct iw_scan_req), 146 }, 147 [IW_IOCTL_IDX(SIOCGIWSCAN)] = { 148 .header_type = IW_HEADER_TYPE_POINT, 149 .token_size = 1, 150 .max_tokens = IW_SCAN_MAX_DATA, 151 .flags = IW_DESCR_FLAG_NOMAX, 152 }, 153 [IW_IOCTL_IDX(SIOCSIWESSID)] = { 154 .header_type = IW_HEADER_TYPE_POINT, 155 .token_size = 1, 156 .max_tokens = IW_ESSID_MAX_SIZE, 157 .flags = IW_DESCR_FLAG_EVENT, 158 }, 159 [IW_IOCTL_IDX(SIOCGIWESSID)] = { 160 .header_type = IW_HEADER_TYPE_POINT, 161 .token_size = 1, 162 .max_tokens = IW_ESSID_MAX_SIZE, 163 .flags = IW_DESCR_FLAG_DUMP, 164 }, 165 [IW_IOCTL_IDX(SIOCSIWNICKN)] = { 166 .header_type = IW_HEADER_TYPE_POINT, 167 .token_size = 1, 168 .max_tokens = IW_ESSID_MAX_SIZE, 169 }, 170 [IW_IOCTL_IDX(SIOCGIWNICKN)] = { 171 .header_type = IW_HEADER_TYPE_POINT, 172 .token_size = 1, 173 .max_tokens = IW_ESSID_MAX_SIZE, 174 }, 175 [IW_IOCTL_IDX(SIOCSIWRATE)] = { 176 .header_type = IW_HEADER_TYPE_PARAM, 177 }, 178 [IW_IOCTL_IDX(SIOCGIWRATE)] = { 179 .header_type = IW_HEADER_TYPE_PARAM, 180 }, 181 [IW_IOCTL_IDX(SIOCSIWRTS)] = { 182 .header_type = IW_HEADER_TYPE_PARAM, 183 }, 184 [IW_IOCTL_IDX(SIOCGIWRTS)] = { 185 .header_type = IW_HEADER_TYPE_PARAM, 186 }, 187 [IW_IOCTL_IDX(SIOCSIWFRAG)] = { 188 .header_type = IW_HEADER_TYPE_PARAM, 189 }, 190 [IW_IOCTL_IDX(SIOCGIWFRAG)] = { 191 .header_type = IW_HEADER_TYPE_PARAM, 192 }, 193 [IW_IOCTL_IDX(SIOCSIWTXPOW)] = { 194 .header_type = IW_HEADER_TYPE_PARAM, 195 }, 196 [IW_IOCTL_IDX(SIOCGIWTXPOW)] = { 197 .header_type = IW_HEADER_TYPE_PARAM, 198 }, 199 [IW_IOCTL_IDX(SIOCSIWRETRY)] = { 200 .header_type = IW_HEADER_TYPE_PARAM, 201 }, 202 [IW_IOCTL_IDX(SIOCGIWRETRY)] = { 203 .header_type = IW_HEADER_TYPE_PARAM, 204 }, 205 [IW_IOCTL_IDX(SIOCSIWENCODE)] = { 206 .header_type = IW_HEADER_TYPE_POINT, 207 .token_size = 1, 208 .max_tokens = IW_ENCODING_TOKEN_MAX, 209 .flags = IW_DESCR_FLAG_EVENT | IW_DESCR_FLAG_RESTRICT, 210 }, 211 [IW_IOCTL_IDX(SIOCGIWENCODE)] = { 212 .header_type = IW_HEADER_TYPE_POINT, 213 .token_size = 1, 214 .max_tokens = IW_ENCODING_TOKEN_MAX, 215 .flags = IW_DESCR_FLAG_DUMP | IW_DESCR_FLAG_RESTRICT, 216 }, 217 [IW_IOCTL_IDX(SIOCSIWPOWER)] = { 218 .header_type = IW_HEADER_TYPE_PARAM, 219 }, 220 [IW_IOCTL_IDX(SIOCGIWPOWER)] = { 221 .header_type = IW_HEADER_TYPE_PARAM, 222 }, 223 [IW_IOCTL_IDX(SIOCSIWGENIE)] = { 224 .header_type = IW_HEADER_TYPE_POINT, 225 .token_size = 1, 226 .max_tokens = IW_GENERIC_IE_MAX, 227 }, 228 [IW_IOCTL_IDX(SIOCGIWGENIE)] = { 229 .header_type = IW_HEADER_TYPE_POINT, 230 .token_size = 1, 231 .max_tokens = IW_GENERIC_IE_MAX, 232 }, 233 [IW_IOCTL_IDX(SIOCSIWAUTH)] = { 234 .header_type = IW_HEADER_TYPE_PARAM, 235 }, 236 [IW_IOCTL_IDX(SIOCGIWAUTH)] = { 237 .header_type = IW_HEADER_TYPE_PARAM, 238 }, 239 [IW_IOCTL_IDX(SIOCSIWENCODEEXT)] = { 240 .header_type = IW_HEADER_TYPE_POINT, 241 .token_size = 1, 242 .min_tokens = sizeof(struct iw_encode_ext), 243 .max_tokens = sizeof(struct iw_encode_ext) + 244 IW_ENCODING_TOKEN_MAX, 245 }, 246 [IW_IOCTL_IDX(SIOCGIWENCODEEXT)] = { 247 .header_type = IW_HEADER_TYPE_POINT, 248 .token_size = 1, 249 .min_tokens = sizeof(struct iw_encode_ext), 250 .max_tokens = sizeof(struct iw_encode_ext) + 251 IW_ENCODING_TOKEN_MAX, 252 }, 253 [IW_IOCTL_IDX(SIOCSIWPMKSA)] = { 254 .header_type = IW_HEADER_TYPE_POINT, 255 .token_size = 1, 256 .min_tokens = sizeof(struct iw_pmksa), 257 .max_tokens = sizeof(struct iw_pmksa), 258 }, 259 }; 260 static const unsigned int standard_ioctl_num = ARRAY_SIZE(standard_ioctl); 261 262 /* 263 * Meta-data about all the additional standard Wireless Extension events 264 * we know about. 265 */ 266 static const struct iw_ioctl_description standard_event[] = { 267 [IW_EVENT_IDX(IWEVTXDROP)] = { 268 .header_type = IW_HEADER_TYPE_ADDR, 269 }, 270 [IW_EVENT_IDX(IWEVQUAL)] = { 271 .header_type = IW_HEADER_TYPE_QUAL, 272 }, 273 [IW_EVENT_IDX(IWEVCUSTOM)] = { 274 .header_type = IW_HEADER_TYPE_POINT, 275 .token_size = 1, 276 .max_tokens = IW_CUSTOM_MAX, 277 }, 278 [IW_EVENT_IDX(IWEVREGISTERED)] = { 279 .header_type = IW_HEADER_TYPE_ADDR, 280 }, 281 [IW_EVENT_IDX(IWEVEXPIRED)] = { 282 .header_type = IW_HEADER_TYPE_ADDR, 283 }, 284 [IW_EVENT_IDX(IWEVGENIE)] = { 285 .header_type = IW_HEADER_TYPE_POINT, 286 .token_size = 1, 287 .max_tokens = IW_GENERIC_IE_MAX, 288 }, 289 [IW_EVENT_IDX(IWEVMICHAELMICFAILURE)] = { 290 .header_type = IW_HEADER_TYPE_POINT, 291 .token_size = 1, 292 .max_tokens = sizeof(struct iw_michaelmicfailure), 293 }, 294 [IW_EVENT_IDX(IWEVASSOCREQIE)] = { 295 .header_type = IW_HEADER_TYPE_POINT, 296 .token_size = 1, 297 .max_tokens = IW_GENERIC_IE_MAX, 298 }, 299 [IW_EVENT_IDX(IWEVASSOCRESPIE)] = { 300 .header_type = IW_HEADER_TYPE_POINT, 301 .token_size = 1, 302 .max_tokens = IW_GENERIC_IE_MAX, 303 }, 304 [IW_EVENT_IDX(IWEVPMKIDCAND)] = { 305 .header_type = IW_HEADER_TYPE_POINT, 306 .token_size = 1, 307 .max_tokens = sizeof(struct iw_pmkid_cand), 308 }, 309 }; 310 static const unsigned int standard_event_num = ARRAY_SIZE(standard_event); 311 312 /* Size (in bytes) of various events */ 313 static const int event_type_size[] = { 314 IW_EV_LCP_LEN, /* IW_HEADER_TYPE_NULL */ 315 0, 316 IW_EV_CHAR_LEN, /* IW_HEADER_TYPE_CHAR */ 317 0, 318 IW_EV_UINT_LEN, /* IW_HEADER_TYPE_UINT */ 319 IW_EV_FREQ_LEN, /* IW_HEADER_TYPE_FREQ */ 320 IW_EV_ADDR_LEN, /* IW_HEADER_TYPE_ADDR */ 321 0, 322 IW_EV_POINT_LEN, /* Without variable payload */ 323 IW_EV_PARAM_LEN, /* IW_HEADER_TYPE_PARAM */ 324 IW_EV_QUAL_LEN, /* IW_HEADER_TYPE_QUAL */ 325 }; 326 327 #ifdef CONFIG_COMPAT 328 static const int compat_event_type_size[] = { 329 IW_EV_COMPAT_LCP_LEN, /* IW_HEADER_TYPE_NULL */ 330 0, 331 IW_EV_COMPAT_CHAR_LEN, /* IW_HEADER_TYPE_CHAR */ 332 0, 333 IW_EV_COMPAT_UINT_LEN, /* IW_HEADER_TYPE_UINT */ 334 IW_EV_COMPAT_FREQ_LEN, /* IW_HEADER_TYPE_FREQ */ 335 IW_EV_COMPAT_ADDR_LEN, /* IW_HEADER_TYPE_ADDR */ 336 0, 337 IW_EV_COMPAT_POINT_LEN, /* Without variable payload */ 338 IW_EV_COMPAT_PARAM_LEN, /* IW_HEADER_TYPE_PARAM */ 339 IW_EV_COMPAT_QUAL_LEN, /* IW_HEADER_TYPE_QUAL */ 340 }; 341 #endif 342 343 344 /* IW event code */ 345 346 void wireless_nlevent_flush(void) 347 { 348 struct sk_buff *skb; 349 struct net *net; 350 351 down_read(&net_rwsem); 352 for_each_net(net) { 353 while ((skb = skb_dequeue(&net->wext_nlevents))) 354 rtnl_notify(skb, net, 0, RTNLGRP_LINK, NULL, 355 GFP_KERNEL); 356 } 357 up_read(&net_rwsem); 358 } 359 EXPORT_SYMBOL_GPL(wireless_nlevent_flush); 360 361 static int wext_netdev_notifier_call(struct notifier_block *nb, 362 unsigned long state, void *ptr) 363 { 364 /* 365 * When a netdev changes state in any way, flush all pending messages 366 * to avoid them going out in a strange order, e.g. RTM_NEWLINK after 367 * RTM_DELLINK, or with IFF_UP after without IFF_UP during dev_close() 368 * or similar - all of which could otherwise happen due to delays from 369 * schedule_work(). 370 */ 371 wireless_nlevent_flush(); 372 373 return NOTIFY_OK; 374 } 375 376 static struct notifier_block wext_netdev_notifier = { 377 .notifier_call = wext_netdev_notifier_call, 378 }; 379 380 static int __net_init wext_pernet_init(struct net *net) 381 { 382 skb_queue_head_init(&net->wext_nlevents); 383 return 0; 384 } 385 386 static void __net_exit wext_pernet_exit(struct net *net) 387 { 388 skb_queue_purge(&net->wext_nlevents); 389 } 390 391 static struct pernet_operations wext_pernet_ops = { 392 .init = wext_pernet_init, 393 .exit = wext_pernet_exit, 394 }; 395 396 static int __init wireless_nlevent_init(void) 397 { 398 int err = register_pernet_subsys(&wext_pernet_ops); 399 400 if (err) 401 return err; 402 403 err = register_netdevice_notifier(&wext_netdev_notifier); 404 if (err) 405 unregister_pernet_subsys(&wext_pernet_ops); 406 return err; 407 } 408 409 subsys_initcall(wireless_nlevent_init); 410 411 /* Process events generated by the wireless layer or the driver. */ 412 static void wireless_nlevent_process(struct work_struct *work) 413 { 414 wireless_nlevent_flush(); 415 } 416 417 static DECLARE_WORK(wireless_nlevent_work, wireless_nlevent_process); 418 419 static struct nlmsghdr *rtnetlink_ifinfo_prep(struct net_device *dev, 420 struct sk_buff *skb) 421 { 422 struct ifinfomsg *r; 423 struct nlmsghdr *nlh; 424 425 nlh = nlmsg_put(skb, 0, 0, RTM_NEWLINK, sizeof(*r), 0); 426 if (!nlh) 427 return NULL; 428 429 r = nlmsg_data(nlh); 430 r->ifi_family = AF_UNSPEC; 431 r->__ifi_pad = 0; 432 r->ifi_type = dev->type; 433 r->ifi_index = dev->ifindex; 434 r->ifi_flags = dev_get_flags(dev); 435 r->ifi_change = 0; /* Wireless changes don't affect those flags */ 436 437 if (nla_put_string(skb, IFLA_IFNAME, dev->name)) 438 goto nla_put_failure; 439 440 return nlh; 441 nla_put_failure: 442 nlmsg_cancel(skb, nlh); 443 return NULL; 444 } 445 446 447 /* 448 * Main event dispatcher. Called from other parts and drivers. 449 * Send the event on the appropriate channels. 450 * May be called from interrupt context. 451 */ 452 void wireless_send_event(struct net_device * dev, 453 unsigned int cmd, 454 union iwreq_data * wrqu, 455 const char * extra) 456 { 457 const struct iw_ioctl_description * descr = NULL; 458 int extra_len = 0; 459 struct iw_event *event; /* Mallocated whole event */ 460 int event_len; /* Its size */ 461 int hdr_len; /* Size of the event header */ 462 int wrqu_off = 0; /* Offset in wrqu */ 463 /* Don't "optimise" the following variable, it will crash */ 464 unsigned int cmd_index; /* *MUST* be unsigned */ 465 struct sk_buff *skb; 466 struct nlmsghdr *nlh; 467 struct nlattr *nla; 468 #ifdef CONFIG_COMPAT 469 struct __compat_iw_event *compat_event; 470 struct compat_iw_point compat_wrqu; 471 struct sk_buff *compskb; 472 int ptr_len; 473 #endif 474 475 /* 476 * Nothing in the kernel sends scan events with data, be safe. 477 * This is necessary because we cannot fix up scan event data 478 * for compat, due to being contained in 'extra', but normally 479 * applications are required to retrieve the scan data anyway 480 * and no data is included in the event, this codifies that 481 * practice. 482 */ 483 if (WARN_ON(cmd == SIOCGIWSCAN && extra)) 484 extra = NULL; 485 486 /* Get the description of the Event */ 487 if (cmd <= SIOCIWLAST) { 488 cmd_index = IW_IOCTL_IDX(cmd); 489 if (cmd_index < standard_ioctl_num) 490 descr = &(standard_ioctl[cmd_index]); 491 } else { 492 cmd_index = IW_EVENT_IDX(cmd); 493 if (cmd_index < standard_event_num) 494 descr = &(standard_event[cmd_index]); 495 } 496 /* Don't accept unknown events */ 497 if (descr == NULL) { 498 /* Note : we don't return an error to the driver, because 499 * the driver would not know what to do about it. It can't 500 * return an error to the user, because the event is not 501 * initiated by a user request. 502 * The best the driver could do is to log an error message. 503 * We will do it ourselves instead... 504 */ 505 netdev_err(dev, "(WE) : Invalid/Unknown Wireless Event (0x%04X)\n", 506 cmd); 507 return; 508 } 509 510 /* Check extra parameters and set extra_len */ 511 if (descr->header_type == IW_HEADER_TYPE_POINT) { 512 /* Check if number of token fits within bounds */ 513 if (wrqu->data.length > descr->max_tokens) { 514 netdev_err(dev, "(WE) : Wireless Event (cmd=0x%04X) too big (%d)\n", 515 cmd, wrqu->data.length); 516 return; 517 } 518 if (wrqu->data.length < descr->min_tokens) { 519 netdev_err(dev, "(WE) : Wireless Event (cmd=0x%04X) too small (%d)\n", 520 cmd, wrqu->data.length); 521 return; 522 } 523 /* Calculate extra_len - extra is NULL for restricted events */ 524 if (extra != NULL) 525 extra_len = wrqu->data.length * descr->token_size; 526 /* Always at an offset in wrqu */ 527 wrqu_off = IW_EV_POINT_OFF; 528 } 529 530 /* Total length of the event */ 531 hdr_len = event_type_size[descr->header_type]; 532 event_len = hdr_len + extra_len; 533 534 /* 535 * The problem for 64/32 bit. 536 * 537 * On 64-bit, a regular event is laid out as follows: 538 * | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 539 * | event.len | event.cmd | p a d d i n g | 540 * | wrqu data ... (with the correct size) | 541 * 542 * This padding exists because we manipulate event->u, 543 * and 'event' is not packed. 544 * 545 * An iw_point event is laid out like this instead: 546 * | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 547 * | event.len | event.cmd | p a d d i n g | 548 * | iwpnt.len | iwpnt.flg | p a d d i n g | 549 * | extra data ... 550 * 551 * The second padding exists because struct iw_point is extended, 552 * but this depends on the platform... 553 * 554 * On 32-bit, all the padding shouldn't be there. 555 */ 556 557 skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC); 558 if (!skb) 559 return; 560 561 /* Send via the RtNetlink event channel */ 562 nlh = rtnetlink_ifinfo_prep(dev, skb); 563 if (WARN_ON(!nlh)) { 564 kfree_skb(skb); 565 return; 566 } 567 568 /* Add the wireless events in the netlink packet */ 569 nla = nla_reserve(skb, IFLA_WIRELESS, event_len); 570 if (!nla) { 571 kfree_skb(skb); 572 return; 573 } 574 event = nla_data(nla); 575 576 /* Fill event - first clear to avoid data leaking */ 577 memset(event, 0, hdr_len); 578 event->len = event_len; 579 event->cmd = cmd; 580 memcpy(&event->u, ((char *) wrqu) + wrqu_off, hdr_len - IW_EV_LCP_LEN); 581 if (extra_len) 582 memcpy(((char *) event) + hdr_len, extra, extra_len); 583 584 nlmsg_end(skb, nlh); 585 #ifdef CONFIG_COMPAT 586 hdr_len = compat_event_type_size[descr->header_type]; 587 588 /* ptr_len is remaining size in event header apart from LCP */ 589 ptr_len = hdr_len - IW_EV_COMPAT_LCP_LEN; 590 event_len = hdr_len + extra_len; 591 592 compskb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC); 593 if (!compskb) { 594 kfree_skb(skb); 595 return; 596 } 597 598 /* Send via the RtNetlink event channel */ 599 nlh = rtnetlink_ifinfo_prep(dev, compskb); 600 if (WARN_ON(!nlh)) { 601 kfree_skb(skb); 602 kfree_skb(compskb); 603 return; 604 } 605 606 /* Add the wireless events in the netlink packet */ 607 nla = nla_reserve(compskb, IFLA_WIRELESS, event_len); 608 if (!nla) { 609 kfree_skb(skb); 610 kfree_skb(compskb); 611 return; 612 } 613 compat_event = nla_data(nla); 614 615 compat_event->len = event_len; 616 compat_event->cmd = cmd; 617 if (descr->header_type == IW_HEADER_TYPE_POINT) { 618 compat_wrqu.length = wrqu->data.length; 619 compat_wrqu.flags = wrqu->data.flags; 620 memcpy(compat_event->ptr_bytes, 621 ((char *)&compat_wrqu) + IW_EV_COMPAT_POINT_OFF, 622 ptr_len); 623 if (extra_len) 624 memcpy(&compat_event->ptr_bytes[ptr_len], 625 extra, extra_len); 626 } else { 627 /* extra_len must be zero, so no if (extra) needed */ 628 memcpy(compat_event->ptr_bytes, wrqu, ptr_len); 629 } 630 631 nlmsg_end(compskb, nlh); 632 633 skb_shinfo(skb)->frag_list = compskb; 634 #endif 635 skb_queue_tail(&dev_net(dev)->wext_nlevents, skb); 636 schedule_work(&wireless_nlevent_work); 637 } 638 EXPORT_SYMBOL(wireless_send_event); 639 640 #ifdef CONFIG_CFG80211_WEXT 641 static void wireless_warn_cfg80211_wext(void) 642 { 643 pr_warn_once("warning: `%s' uses wireless extensions which will stop working for Wi-Fi 7 hardware; use nl80211\n", 644 current->comm); 645 } 646 #endif 647 648 /* IW handlers */ 649 650 struct iw_statistics *get_wireless_stats(struct net_device *dev) 651 { 652 #ifdef CONFIG_WIRELESS_EXT 653 if ((dev->wireless_handlers != NULL) && 654 (dev->wireless_handlers->get_wireless_stats != NULL)) 655 return dev->wireless_handlers->get_wireless_stats(dev); 656 #endif 657 658 #ifdef CONFIG_CFG80211_WEXT 659 if (dev->ieee80211_ptr && 660 dev->ieee80211_ptr->wiphy && 661 dev->ieee80211_ptr->wiphy->wext && 662 dev->ieee80211_ptr->wiphy->wext->get_wireless_stats) { 663 wireless_warn_cfg80211_wext(); 664 if (dev->ieee80211_ptr->wiphy->flags & (WIPHY_FLAG_SUPPORTS_MLO | 665 WIPHY_FLAG_DISABLE_WEXT)) 666 return NULL; 667 return dev->ieee80211_ptr->wiphy->wext->get_wireless_stats(dev); 668 } 669 #endif 670 671 /* not found */ 672 return NULL; 673 } 674 675 /* noinline to avoid a bogus warning with -O3 */ 676 static noinline int iw_handler_get_iwstats(struct net_device * dev, 677 struct iw_request_info * info, 678 union iwreq_data * wrqu, 679 char * extra) 680 { 681 /* Get stats from the driver */ 682 struct iw_statistics *stats; 683 684 stats = get_wireless_stats(dev); 685 if (stats) { 686 /* Copy statistics to extra */ 687 memcpy(extra, stats, sizeof(struct iw_statistics)); 688 wrqu->data.length = sizeof(struct iw_statistics); 689 690 /* Check if we need to clear the updated flag */ 691 if (wrqu->data.flags != 0) 692 stats->qual.updated &= ~IW_QUAL_ALL_UPDATED; 693 return 0; 694 } else 695 return -EOPNOTSUPP; 696 } 697 698 static iw_handler get_handler(struct net_device *dev, unsigned int cmd) 699 { 700 /* Don't "optimise" the following variable, it will crash */ 701 unsigned int index; /* *MUST* be unsigned */ 702 const struct iw_handler_def *handlers = NULL; 703 704 #ifdef CONFIG_CFG80211_WEXT 705 if (dev->ieee80211_ptr && dev->ieee80211_ptr->wiphy) { 706 wireless_warn_cfg80211_wext(); 707 if (dev->ieee80211_ptr->wiphy->flags & (WIPHY_FLAG_SUPPORTS_MLO | 708 WIPHY_FLAG_DISABLE_WEXT)) 709 return NULL; 710 handlers = dev->ieee80211_ptr->wiphy->wext; 711 } 712 #endif 713 #ifdef CONFIG_WIRELESS_EXT 714 if (dev->wireless_handlers) 715 handlers = dev->wireless_handlers; 716 #endif 717 718 if (!handlers) 719 return NULL; 720 721 /* Try as a standard command */ 722 index = IW_IOCTL_IDX(cmd); 723 if (index < handlers->num_standard) 724 return handlers->standard[index]; 725 726 #ifdef CONFIG_WEXT_PRIV 727 /* Try as a private command */ 728 index = cmd - SIOCIWFIRSTPRIV; 729 if (index < handlers->num_private) 730 return handlers->private[index]; 731 #endif 732 733 /* Not found */ 734 return NULL; 735 } 736 737 static int ioctl_standard_iw_point(struct iw_point *iwp, unsigned int cmd, 738 const struct iw_ioctl_description *descr, 739 iw_handler handler, struct net_device *dev, 740 struct iw_request_info *info) 741 { 742 int err, extra_size, user_length = 0, essid_compat = 0; 743 char *extra; 744 745 /* Calculate space needed by arguments. Always allocate 746 * for max space. 747 */ 748 extra_size = descr->max_tokens * descr->token_size; 749 750 /* Check need for ESSID compatibility for WE < 21 */ 751 switch (cmd) { 752 case SIOCSIWESSID: 753 case SIOCGIWESSID: 754 case SIOCSIWNICKN: 755 case SIOCGIWNICKN: 756 if (iwp->length == descr->max_tokens + 1) 757 essid_compat = 1; 758 else if (IW_IS_SET(cmd) && (iwp->length != 0)) { 759 char essid[IW_ESSID_MAX_SIZE + 1]; 760 unsigned int len; 761 len = iwp->length * descr->token_size; 762 763 if (len > IW_ESSID_MAX_SIZE) 764 return -EFAULT; 765 766 err = copy_from_user(essid, iwp->pointer, len); 767 if (err) 768 return -EFAULT; 769 770 if (essid[iwp->length - 1] == '\0') 771 essid_compat = 1; 772 } 773 break; 774 default: 775 break; 776 } 777 778 iwp->length -= essid_compat; 779 780 /* Check what user space is giving us */ 781 if (IW_IS_SET(cmd)) { 782 /* Check NULL pointer */ 783 if (!iwp->pointer && iwp->length != 0) 784 return -EFAULT; 785 /* Check if number of token fits within bounds */ 786 if (iwp->length > descr->max_tokens) 787 return -E2BIG; 788 if (iwp->length < descr->min_tokens) 789 return -EINVAL; 790 } else { 791 /* Check NULL pointer */ 792 if (!iwp->pointer) 793 return -EFAULT; 794 /* Save user space buffer size for checking */ 795 user_length = iwp->length; 796 797 /* Don't check if user_length > max to allow forward 798 * compatibility. The test user_length < min is 799 * implied by the test at the end. 800 */ 801 802 /* Support for very large requests */ 803 if ((descr->flags & IW_DESCR_FLAG_NOMAX) && 804 (user_length > descr->max_tokens)) { 805 /* Allow userspace to GET more than max so 806 * we can support any size GET requests. 807 * There is still a limit : -ENOMEM. 808 */ 809 extra_size = user_length * descr->token_size; 810 811 /* Note : user_length is originally a __u16, 812 * and token_size is controlled by us, 813 * so extra_size won't get negative and 814 * won't overflow... 815 */ 816 } 817 } 818 819 /* Sanity-check to ensure we never end up _allocating_ zero 820 * bytes of data for extra. 821 */ 822 if (extra_size <= 0) 823 return -EFAULT; 824 825 /* kzalloc() ensures NULL-termination for essid_compat. */ 826 extra = kzalloc(extra_size, GFP_KERNEL); 827 if (!extra) 828 return -ENOMEM; 829 830 /* If it is a SET, get all the extra data in here */ 831 if (IW_IS_SET(cmd) && (iwp->length != 0)) { 832 if (copy_from_user(extra, iwp->pointer, 833 iwp->length * 834 descr->token_size)) { 835 err = -EFAULT; 836 goto out; 837 } 838 839 if (cmd == SIOCSIWENCODEEXT) { 840 struct iw_encode_ext *ee = (void *) extra; 841 842 if (iwp->length < sizeof(*ee) + ee->key_len) { 843 err = -EFAULT; 844 goto out; 845 } 846 } 847 } 848 849 if (IW_IS_GET(cmd) && !(descr->flags & IW_DESCR_FLAG_NOMAX)) { 850 /* 851 * If this is a GET, but not NOMAX, it means that the extra 852 * data is not bounded by userspace, but by max_tokens. Thus 853 * set the length to max_tokens. This matches the extra data 854 * allocation. 855 * The driver should fill it with the number of tokens it 856 * provided, and it may check iwp->length rather than having 857 * knowledge of max_tokens. If the driver doesn't change the 858 * iwp->length, this ioctl just copies back max_token tokens 859 * filled with zeroes. Hopefully the driver isn't claiming 860 * them to be valid data. 861 */ 862 iwp->length = descr->max_tokens; 863 } 864 865 err = handler(dev, info, (union iwreq_data *) iwp, extra); 866 867 iwp->length += essid_compat; 868 869 /* If we have something to return to the user */ 870 if (!err && IW_IS_GET(cmd)) { 871 /* Check if there is enough buffer up there */ 872 if (user_length < iwp->length) { 873 err = -E2BIG; 874 goto out; 875 } 876 877 if (copy_to_user(iwp->pointer, extra, 878 iwp->length * 879 descr->token_size)) { 880 err = -EFAULT; 881 goto out; 882 } 883 } 884 885 /* Generate an event to notify listeners of the change */ 886 if ((descr->flags & IW_DESCR_FLAG_EVENT) && 887 ((err == 0) || (err == -EIWCOMMIT))) { 888 union iwreq_data *data = (union iwreq_data *) iwp; 889 890 if (descr->flags & IW_DESCR_FLAG_RESTRICT) 891 /* If the event is restricted, don't 892 * export the payload. 893 */ 894 wireless_send_event(dev, cmd, data, NULL); 895 else 896 wireless_send_event(dev, cmd, data, extra); 897 } 898 899 out: 900 kfree(extra); 901 return err; 902 } 903 904 /* 905 * Call the commit handler in the driver 906 * (if exist and if conditions are right) 907 * 908 * Note : our current commit strategy is currently pretty dumb, 909 * but we will be able to improve on that... 910 * The goal is to try to agreagate as many changes as possible 911 * before doing the commit. Drivers that will define a commit handler 912 * are usually those that need a reset after changing parameters, so 913 * we want to minimise the number of reset. 914 * A cool idea is to use a timer : at each "set" command, we re-set the 915 * timer, when the timer eventually fires, we call the driver. 916 * Hopefully, more on that later. 917 * 918 * Also, I'm waiting to see how many people will complain about the 919 * netif_running(dev) test. I'm open on that one... 920 * Hopefully, the driver will remember to do a commit in "open()" ;-) 921 */ 922 int call_commit_handler(struct net_device *dev) 923 { 924 #ifdef CONFIG_WIRELESS_EXT 925 if (netif_running(dev) && 926 dev->wireless_handlers && 927 dev->wireless_handlers->standard[0]) 928 /* Call the commit handler on the driver */ 929 return dev->wireless_handlers->standard[0](dev, NULL, 930 NULL, NULL); 931 else 932 return 0; /* Command completed successfully */ 933 #else 934 /* cfg80211 has no commit */ 935 return 0; 936 #endif 937 } 938 939 /* 940 * Main IOCTl dispatcher. 941 * Check the type of IOCTL and call the appropriate wrapper... 942 */ 943 static int wireless_process_ioctl(struct net *net, struct iwreq *iwr, 944 unsigned int cmd, 945 struct iw_request_info *info, 946 wext_ioctl_func standard, 947 wext_ioctl_func private) 948 { 949 struct net_device *dev; 950 iw_handler handler; 951 952 /* Permissions are already checked in dev_ioctl() before calling us. 953 * The copy_to/from_user() of ifr is also dealt with in there */ 954 955 /* Make sure the device exist */ 956 if ((dev = __dev_get_by_name(net, iwr->ifr_name)) == NULL) 957 return -ENODEV; 958 959 /* A bunch of special cases, then the generic case... 960 * Note that 'cmd' is already filtered in dev_ioctl() with 961 * (cmd >= SIOCIWFIRST && cmd <= SIOCIWLAST) */ 962 if (cmd == SIOCGIWSTATS) 963 return standard(dev, iwr, cmd, info, 964 &iw_handler_get_iwstats); 965 966 #ifdef CONFIG_WEXT_PRIV 967 if (cmd == SIOCGIWPRIV && dev->wireless_handlers) 968 return standard(dev, iwr, cmd, info, 969 iw_handler_get_private); 970 #endif 971 972 /* Basic check */ 973 if (!netif_device_present(dev)) 974 return -ENODEV; 975 976 /* New driver API : try to find the handler */ 977 handler = get_handler(dev, cmd); 978 if (handler) { 979 /* Standard and private are not the same */ 980 if (cmd < SIOCIWFIRSTPRIV) 981 return standard(dev, iwr, cmd, info, handler); 982 else if (private) 983 return private(dev, iwr, cmd, info, handler); 984 } 985 return -EOPNOTSUPP; 986 } 987 988 /* If command is `set a parameter', or `get the encoding parameters', 989 * check if the user has the right to do it. 990 */ 991 static int wext_permission_check(unsigned int cmd) 992 { 993 if ((IW_IS_SET(cmd) || cmd == SIOCGIWENCODE || 994 cmd == SIOCGIWENCODEEXT) && 995 !capable(CAP_NET_ADMIN)) 996 return -EPERM; 997 998 return 0; 999 } 1000 1001 /* entry point from dev ioctl */ 1002 static int wext_ioctl_dispatch(struct net *net, struct iwreq *iwr, 1003 unsigned int cmd, struct iw_request_info *info, 1004 wext_ioctl_func standard, 1005 wext_ioctl_func private) 1006 { 1007 int ret = wext_permission_check(cmd); 1008 1009 if (ret) 1010 return ret; 1011 1012 dev_load(net, iwr->ifr_name); 1013 rtnl_lock(); 1014 ret = wireless_process_ioctl(net, iwr, cmd, info, standard, private); 1015 rtnl_unlock(); 1016 1017 return ret; 1018 } 1019 1020 /* 1021 * Wrapper to call a standard Wireless Extension handler. 1022 * We do various checks and also take care of moving data between 1023 * user space and kernel space. 1024 */ 1025 static int ioctl_standard_call(struct net_device * dev, 1026 struct iwreq *iwr, 1027 unsigned int cmd, 1028 struct iw_request_info *info, 1029 iw_handler handler) 1030 { 1031 const struct iw_ioctl_description * descr; 1032 int ret = -EINVAL; 1033 1034 /* Get the description of the IOCTL */ 1035 if (IW_IOCTL_IDX(cmd) >= standard_ioctl_num) 1036 return -EOPNOTSUPP; 1037 descr = &(standard_ioctl[IW_IOCTL_IDX(cmd)]); 1038 1039 /* Check if we have a pointer to user space data or not */ 1040 if (descr->header_type != IW_HEADER_TYPE_POINT) { 1041 1042 /* No extra arguments. Trivial to handle */ 1043 ret = handler(dev, info, &(iwr->u), NULL); 1044 1045 /* Generate an event to notify listeners of the change */ 1046 if ((descr->flags & IW_DESCR_FLAG_EVENT) && 1047 ((ret == 0) || (ret == -EIWCOMMIT))) 1048 wireless_send_event(dev, cmd, &(iwr->u), NULL); 1049 } else { 1050 ret = ioctl_standard_iw_point(&iwr->u.data, cmd, descr, 1051 handler, dev, info); 1052 } 1053 1054 /* Call commit handler if needed and defined */ 1055 if (ret == -EIWCOMMIT) 1056 ret = call_commit_handler(dev); 1057 1058 /* Here, we will generate the appropriate event if needed */ 1059 1060 return ret; 1061 } 1062 1063 1064 int wext_handle_ioctl(struct net *net, unsigned int cmd, void __user *arg) 1065 { 1066 struct iw_request_info info = { .cmd = cmd, .flags = 0 }; 1067 struct iwreq iwr; 1068 int ret; 1069 1070 if (copy_from_user(&iwr, arg, sizeof(iwr))) 1071 return -EFAULT; 1072 1073 iwr.ifr_name[sizeof(iwr.ifr_name) - 1] = 0; 1074 1075 ret = wext_ioctl_dispatch(net, &iwr, cmd, &info, 1076 ioctl_standard_call, 1077 ioctl_private_call); 1078 if (ret >= 0 && 1079 IW_IS_GET(cmd) && 1080 copy_to_user(arg, &iwr, sizeof(struct iwreq))) 1081 return -EFAULT; 1082 1083 return ret; 1084 } 1085 1086 #ifdef CONFIG_COMPAT 1087 static int compat_standard_call(struct net_device *dev, 1088 struct iwreq *iwr, 1089 unsigned int cmd, 1090 struct iw_request_info *info, 1091 iw_handler handler) 1092 { 1093 const struct iw_ioctl_description *descr; 1094 struct compat_iw_point *iwp_compat; 1095 struct iw_point iwp; 1096 int err; 1097 1098 descr = standard_ioctl + IW_IOCTL_IDX(cmd); 1099 1100 if (descr->header_type != IW_HEADER_TYPE_POINT) 1101 return ioctl_standard_call(dev, iwr, cmd, info, handler); 1102 1103 iwp_compat = (struct compat_iw_point *) &iwr->u.data; 1104 iwp.pointer = compat_ptr(iwp_compat->pointer); 1105 iwp.length = iwp_compat->length; 1106 iwp.flags = iwp_compat->flags; 1107 1108 err = ioctl_standard_iw_point(&iwp, cmd, descr, handler, dev, info); 1109 1110 iwp_compat->pointer = ptr_to_compat(iwp.pointer); 1111 iwp_compat->length = iwp.length; 1112 iwp_compat->flags = iwp.flags; 1113 1114 return err; 1115 } 1116 1117 int compat_wext_handle_ioctl(struct net *net, unsigned int cmd, 1118 unsigned long arg) 1119 { 1120 void __user *argp = (void __user *)arg; 1121 struct iw_request_info info; 1122 struct iwreq iwr; 1123 char *colon; 1124 int ret; 1125 1126 if (copy_from_user(&iwr, argp, sizeof(struct iwreq))) 1127 return -EFAULT; 1128 1129 iwr.ifr_name[IFNAMSIZ-1] = 0; 1130 colon = strchr(iwr.ifr_name, ':'); 1131 if (colon) 1132 *colon = 0; 1133 1134 info.cmd = cmd; 1135 info.flags = IW_REQUEST_FLAG_COMPAT; 1136 1137 ret = wext_ioctl_dispatch(net, &iwr, cmd, &info, 1138 compat_standard_call, 1139 compat_private_call); 1140 1141 if (ret >= 0 && 1142 IW_IS_GET(cmd) && 1143 copy_to_user(argp, &iwr, sizeof(struct iwreq))) 1144 return -EFAULT; 1145 1146 return ret; 1147 } 1148 #endif 1149 1150 char *iwe_stream_add_event(struct iw_request_info *info, char *stream, 1151 char *ends, struct iw_event *iwe, int event_len) 1152 { 1153 int lcp_len = iwe_stream_lcp_len(info); 1154 1155 event_len = iwe_stream_event_len_adjust(info, event_len); 1156 1157 /* Check if it's possible */ 1158 if (likely((stream + event_len) < ends)) { 1159 iwe->len = event_len; 1160 /* Beware of alignment issues on 64 bits */ 1161 memcpy(stream, (char *) iwe, IW_EV_LCP_PK_LEN); 1162 memcpy(stream + lcp_len, &iwe->u, 1163 event_len - lcp_len); 1164 stream += event_len; 1165 } 1166 1167 return stream; 1168 } 1169 EXPORT_SYMBOL(iwe_stream_add_event); 1170 1171 char *iwe_stream_add_point(struct iw_request_info *info, char *stream, 1172 char *ends, struct iw_event *iwe, char *extra) 1173 { 1174 int event_len = iwe_stream_point_len(info) + iwe->u.data.length; 1175 int point_len = iwe_stream_point_len(info); 1176 int lcp_len = iwe_stream_lcp_len(info); 1177 1178 /* Check if it's possible */ 1179 if (likely((stream + event_len) < ends)) { 1180 iwe->len = event_len; 1181 memcpy(stream, (char *) iwe, IW_EV_LCP_PK_LEN); 1182 memcpy(stream + lcp_len, 1183 ((char *) &iwe->u) + IW_EV_POINT_OFF, 1184 IW_EV_POINT_PK_LEN - IW_EV_LCP_PK_LEN); 1185 if (iwe->u.data.length && extra) 1186 memcpy(stream + point_len, extra, iwe->u.data.length); 1187 stream += event_len; 1188 } 1189 1190 return stream; 1191 } 1192 EXPORT_SYMBOL(iwe_stream_add_point); 1193 1194 char *iwe_stream_add_value(struct iw_request_info *info, char *event, 1195 char *value, char *ends, struct iw_event *iwe, 1196 int event_len) 1197 { 1198 int lcp_len = iwe_stream_lcp_len(info); 1199 1200 /* Don't duplicate LCP */ 1201 event_len -= IW_EV_LCP_LEN; 1202 1203 /* Check if it's possible */ 1204 if (likely((value + event_len) < ends)) { 1205 /* Add new value */ 1206 memcpy(value, &iwe->u, event_len); 1207 value += event_len; 1208 /* Patch LCP */ 1209 iwe->len = value - event; 1210 memcpy(event, (char *) iwe, lcp_len); 1211 } 1212 1213 return value; 1214 } 1215 EXPORT_SYMBOL(iwe_stream_add_value); 1216