1 /* 2 * This file implement the Wireless Extensions core API. 3 * 4 * Authors : Jean Tourrilhes - HPL - <jt@hpl.hp.com> 5 * Copyright (c) 1997-2007 Jean Tourrilhes, All Rights Reserved. 6 * Copyright 2009 Johannes Berg <johannes@sipsolutions.net> 7 * 8 * (As all part of the Linux kernel, this file is GPL) 9 */ 10 #include <linux/kernel.h> 11 #include <linux/netdevice.h> 12 #include <linux/rtnetlink.h> 13 #include <linux/wireless.h> 14 #include <linux/uaccess.h> 15 #include <net/cfg80211.h> 16 #include <net/iw_handler.h> 17 #include <net/netlink.h> 18 #include <net/wext.h> 19 #include <net/net_namespace.h> 20 21 typedef int (*wext_ioctl_func)(struct net_device *, struct iwreq *, 22 unsigned int, struct iw_request_info *, 23 iw_handler); 24 25 26 /* 27 * Meta-data about all the standard Wireless Extension request we 28 * know about. 29 */ 30 static const struct iw_ioctl_description standard_ioctl[] = { 31 [SIOCSIWCOMMIT - SIOCIWFIRST] = { 32 .header_type = IW_HEADER_TYPE_NULL, 33 }, 34 [SIOCGIWNAME - SIOCIWFIRST] = { 35 .header_type = IW_HEADER_TYPE_CHAR, 36 .flags = IW_DESCR_FLAG_DUMP, 37 }, 38 [SIOCSIWNWID - SIOCIWFIRST] = { 39 .header_type = IW_HEADER_TYPE_PARAM, 40 .flags = IW_DESCR_FLAG_EVENT, 41 }, 42 [SIOCGIWNWID - SIOCIWFIRST] = { 43 .header_type = IW_HEADER_TYPE_PARAM, 44 .flags = IW_DESCR_FLAG_DUMP, 45 }, 46 [SIOCSIWFREQ - SIOCIWFIRST] = { 47 .header_type = IW_HEADER_TYPE_FREQ, 48 .flags = IW_DESCR_FLAG_EVENT, 49 }, 50 [SIOCGIWFREQ - SIOCIWFIRST] = { 51 .header_type = IW_HEADER_TYPE_FREQ, 52 .flags = IW_DESCR_FLAG_DUMP, 53 }, 54 [SIOCSIWMODE - SIOCIWFIRST] = { 55 .header_type = IW_HEADER_TYPE_UINT, 56 .flags = IW_DESCR_FLAG_EVENT, 57 }, 58 [SIOCGIWMODE - SIOCIWFIRST] = { 59 .header_type = IW_HEADER_TYPE_UINT, 60 .flags = IW_DESCR_FLAG_DUMP, 61 }, 62 [SIOCSIWSENS - SIOCIWFIRST] = { 63 .header_type = IW_HEADER_TYPE_PARAM, 64 }, 65 [SIOCGIWSENS - SIOCIWFIRST] = { 66 .header_type = IW_HEADER_TYPE_PARAM, 67 }, 68 [SIOCSIWRANGE - SIOCIWFIRST] = { 69 .header_type = IW_HEADER_TYPE_NULL, 70 }, 71 [SIOCGIWRANGE - SIOCIWFIRST] = { 72 .header_type = IW_HEADER_TYPE_POINT, 73 .token_size = 1, 74 .max_tokens = sizeof(struct iw_range), 75 .flags = IW_DESCR_FLAG_DUMP, 76 }, 77 [SIOCSIWPRIV - SIOCIWFIRST] = { 78 .header_type = IW_HEADER_TYPE_NULL, 79 }, 80 [SIOCGIWPRIV - SIOCIWFIRST] = { /* (handled directly by us) */ 81 .header_type = IW_HEADER_TYPE_POINT, 82 .token_size = sizeof(struct iw_priv_args), 83 .max_tokens = 16, 84 .flags = IW_DESCR_FLAG_NOMAX, 85 }, 86 [SIOCSIWSTATS - SIOCIWFIRST] = { 87 .header_type = IW_HEADER_TYPE_NULL, 88 }, 89 [SIOCGIWSTATS - SIOCIWFIRST] = { /* (handled directly by us) */ 90 .header_type = IW_HEADER_TYPE_POINT, 91 .token_size = 1, 92 .max_tokens = sizeof(struct iw_statistics), 93 .flags = IW_DESCR_FLAG_DUMP, 94 }, 95 [SIOCSIWSPY - SIOCIWFIRST] = { 96 .header_type = IW_HEADER_TYPE_POINT, 97 .token_size = sizeof(struct sockaddr), 98 .max_tokens = IW_MAX_SPY, 99 }, 100 [SIOCGIWSPY - SIOCIWFIRST] = { 101 .header_type = IW_HEADER_TYPE_POINT, 102 .token_size = sizeof(struct sockaddr) + 103 sizeof(struct iw_quality), 104 .max_tokens = IW_MAX_SPY, 105 }, 106 [SIOCSIWTHRSPY - SIOCIWFIRST] = { 107 .header_type = IW_HEADER_TYPE_POINT, 108 .token_size = sizeof(struct iw_thrspy), 109 .min_tokens = 1, 110 .max_tokens = 1, 111 }, 112 [SIOCGIWTHRSPY - SIOCIWFIRST] = { 113 .header_type = IW_HEADER_TYPE_POINT, 114 .token_size = sizeof(struct iw_thrspy), 115 .min_tokens = 1, 116 .max_tokens = 1, 117 }, 118 [SIOCSIWAP - SIOCIWFIRST] = { 119 .header_type = IW_HEADER_TYPE_ADDR, 120 }, 121 [SIOCGIWAP - SIOCIWFIRST] = { 122 .header_type = IW_HEADER_TYPE_ADDR, 123 .flags = IW_DESCR_FLAG_DUMP, 124 }, 125 [SIOCSIWMLME - SIOCIWFIRST] = { 126 .header_type = IW_HEADER_TYPE_POINT, 127 .token_size = 1, 128 .min_tokens = sizeof(struct iw_mlme), 129 .max_tokens = sizeof(struct iw_mlme), 130 }, 131 [SIOCGIWAPLIST - SIOCIWFIRST] = { 132 .header_type = IW_HEADER_TYPE_POINT, 133 .token_size = sizeof(struct sockaddr) + 134 sizeof(struct iw_quality), 135 .max_tokens = IW_MAX_AP, 136 .flags = IW_DESCR_FLAG_NOMAX, 137 }, 138 [SIOCSIWSCAN - SIOCIWFIRST] = { 139 .header_type = IW_HEADER_TYPE_POINT, 140 .token_size = 1, 141 .min_tokens = 0, 142 .max_tokens = sizeof(struct iw_scan_req), 143 }, 144 [SIOCGIWSCAN - SIOCIWFIRST] = { 145 .header_type = IW_HEADER_TYPE_POINT, 146 .token_size = 1, 147 .max_tokens = IW_SCAN_MAX_DATA, 148 .flags = IW_DESCR_FLAG_NOMAX, 149 }, 150 [SIOCSIWESSID - SIOCIWFIRST] = { 151 .header_type = IW_HEADER_TYPE_POINT, 152 .token_size = 1, 153 .max_tokens = IW_ESSID_MAX_SIZE, 154 .flags = IW_DESCR_FLAG_EVENT, 155 }, 156 [SIOCGIWESSID - SIOCIWFIRST] = { 157 .header_type = IW_HEADER_TYPE_POINT, 158 .token_size = 1, 159 .max_tokens = IW_ESSID_MAX_SIZE, 160 .flags = IW_DESCR_FLAG_DUMP, 161 }, 162 [SIOCSIWNICKN - SIOCIWFIRST] = { 163 .header_type = IW_HEADER_TYPE_POINT, 164 .token_size = 1, 165 .max_tokens = IW_ESSID_MAX_SIZE, 166 }, 167 [SIOCGIWNICKN - SIOCIWFIRST] = { 168 .header_type = IW_HEADER_TYPE_POINT, 169 .token_size = 1, 170 .max_tokens = IW_ESSID_MAX_SIZE, 171 }, 172 [SIOCSIWRATE - SIOCIWFIRST] = { 173 .header_type = IW_HEADER_TYPE_PARAM, 174 }, 175 [SIOCGIWRATE - SIOCIWFIRST] = { 176 .header_type = IW_HEADER_TYPE_PARAM, 177 }, 178 [SIOCSIWRTS - SIOCIWFIRST] = { 179 .header_type = IW_HEADER_TYPE_PARAM, 180 }, 181 [SIOCGIWRTS - SIOCIWFIRST] = { 182 .header_type = IW_HEADER_TYPE_PARAM, 183 }, 184 [SIOCSIWFRAG - SIOCIWFIRST] = { 185 .header_type = IW_HEADER_TYPE_PARAM, 186 }, 187 [SIOCGIWFRAG - SIOCIWFIRST] = { 188 .header_type = IW_HEADER_TYPE_PARAM, 189 }, 190 [SIOCSIWTXPOW - SIOCIWFIRST] = { 191 .header_type = IW_HEADER_TYPE_PARAM, 192 }, 193 [SIOCGIWTXPOW - SIOCIWFIRST] = { 194 .header_type = IW_HEADER_TYPE_PARAM, 195 }, 196 [SIOCSIWRETRY - SIOCIWFIRST] = { 197 .header_type = IW_HEADER_TYPE_PARAM, 198 }, 199 [SIOCGIWRETRY - SIOCIWFIRST] = { 200 .header_type = IW_HEADER_TYPE_PARAM, 201 }, 202 [SIOCSIWENCODE - SIOCIWFIRST] = { 203 .header_type = IW_HEADER_TYPE_POINT, 204 .token_size = 1, 205 .max_tokens = IW_ENCODING_TOKEN_MAX, 206 .flags = IW_DESCR_FLAG_EVENT | IW_DESCR_FLAG_RESTRICT, 207 }, 208 [SIOCGIWENCODE - SIOCIWFIRST] = { 209 .header_type = IW_HEADER_TYPE_POINT, 210 .token_size = 1, 211 .max_tokens = IW_ENCODING_TOKEN_MAX, 212 .flags = IW_DESCR_FLAG_DUMP | IW_DESCR_FLAG_RESTRICT, 213 }, 214 [SIOCSIWPOWER - SIOCIWFIRST] = { 215 .header_type = IW_HEADER_TYPE_PARAM, 216 }, 217 [SIOCGIWPOWER - SIOCIWFIRST] = { 218 .header_type = IW_HEADER_TYPE_PARAM, 219 }, 220 [SIOCSIWGENIE - SIOCIWFIRST] = { 221 .header_type = IW_HEADER_TYPE_POINT, 222 .token_size = 1, 223 .max_tokens = IW_GENERIC_IE_MAX, 224 }, 225 [SIOCGIWGENIE - SIOCIWFIRST] = { 226 .header_type = IW_HEADER_TYPE_POINT, 227 .token_size = 1, 228 .max_tokens = IW_GENERIC_IE_MAX, 229 }, 230 [SIOCSIWAUTH - SIOCIWFIRST] = { 231 .header_type = IW_HEADER_TYPE_PARAM, 232 }, 233 [SIOCGIWAUTH - SIOCIWFIRST] = { 234 .header_type = IW_HEADER_TYPE_PARAM, 235 }, 236 [SIOCSIWENCODEEXT - SIOCIWFIRST] = { 237 .header_type = IW_HEADER_TYPE_POINT, 238 .token_size = 1, 239 .min_tokens = sizeof(struct iw_encode_ext), 240 .max_tokens = sizeof(struct iw_encode_ext) + 241 IW_ENCODING_TOKEN_MAX, 242 }, 243 [SIOCGIWENCODEEXT - SIOCIWFIRST] = { 244 .header_type = IW_HEADER_TYPE_POINT, 245 .token_size = 1, 246 .min_tokens = sizeof(struct iw_encode_ext), 247 .max_tokens = sizeof(struct iw_encode_ext) + 248 IW_ENCODING_TOKEN_MAX, 249 }, 250 [SIOCSIWPMKSA - SIOCIWFIRST] = { 251 .header_type = IW_HEADER_TYPE_POINT, 252 .token_size = 1, 253 .min_tokens = sizeof(struct iw_pmksa), 254 .max_tokens = sizeof(struct iw_pmksa), 255 }, 256 }; 257 static const unsigned standard_ioctl_num = ARRAY_SIZE(standard_ioctl); 258 259 /* 260 * Meta-data about all the additional standard Wireless Extension events 261 * we know about. 262 */ 263 static const struct iw_ioctl_description standard_event[] = { 264 [IWEVTXDROP - IWEVFIRST] = { 265 .header_type = IW_HEADER_TYPE_ADDR, 266 }, 267 [IWEVQUAL - IWEVFIRST] = { 268 .header_type = IW_HEADER_TYPE_QUAL, 269 }, 270 [IWEVCUSTOM - IWEVFIRST] = { 271 .header_type = IW_HEADER_TYPE_POINT, 272 .token_size = 1, 273 .max_tokens = IW_CUSTOM_MAX, 274 }, 275 [IWEVREGISTERED - IWEVFIRST] = { 276 .header_type = IW_HEADER_TYPE_ADDR, 277 }, 278 [IWEVEXPIRED - IWEVFIRST] = { 279 .header_type = IW_HEADER_TYPE_ADDR, 280 }, 281 [IWEVGENIE - IWEVFIRST] = { 282 .header_type = IW_HEADER_TYPE_POINT, 283 .token_size = 1, 284 .max_tokens = IW_GENERIC_IE_MAX, 285 }, 286 [IWEVMICHAELMICFAILURE - IWEVFIRST] = { 287 .header_type = IW_HEADER_TYPE_POINT, 288 .token_size = 1, 289 .max_tokens = sizeof(struct iw_michaelmicfailure), 290 }, 291 [IWEVASSOCREQIE - IWEVFIRST] = { 292 .header_type = IW_HEADER_TYPE_POINT, 293 .token_size = 1, 294 .max_tokens = IW_GENERIC_IE_MAX, 295 }, 296 [IWEVASSOCRESPIE - IWEVFIRST] = { 297 .header_type = IW_HEADER_TYPE_POINT, 298 .token_size = 1, 299 .max_tokens = IW_GENERIC_IE_MAX, 300 }, 301 [IWEVPMKIDCAND - IWEVFIRST] = { 302 .header_type = IW_HEADER_TYPE_POINT, 303 .token_size = 1, 304 .max_tokens = sizeof(struct iw_pmkid_cand), 305 }, 306 }; 307 static const unsigned standard_event_num = ARRAY_SIZE(standard_event); 308 309 /* Size (in bytes) of various events */ 310 static const int event_type_size[] = { 311 IW_EV_LCP_LEN, /* IW_HEADER_TYPE_NULL */ 312 0, 313 IW_EV_CHAR_LEN, /* IW_HEADER_TYPE_CHAR */ 314 0, 315 IW_EV_UINT_LEN, /* IW_HEADER_TYPE_UINT */ 316 IW_EV_FREQ_LEN, /* IW_HEADER_TYPE_FREQ */ 317 IW_EV_ADDR_LEN, /* IW_HEADER_TYPE_ADDR */ 318 0, 319 IW_EV_POINT_LEN, /* Without variable payload */ 320 IW_EV_PARAM_LEN, /* IW_HEADER_TYPE_PARAM */ 321 IW_EV_QUAL_LEN, /* IW_HEADER_TYPE_QUAL */ 322 }; 323 324 #ifdef CONFIG_COMPAT 325 static const int compat_event_type_size[] = { 326 IW_EV_COMPAT_LCP_LEN, /* IW_HEADER_TYPE_NULL */ 327 0, 328 IW_EV_COMPAT_CHAR_LEN, /* IW_HEADER_TYPE_CHAR */ 329 0, 330 IW_EV_COMPAT_UINT_LEN, /* IW_HEADER_TYPE_UINT */ 331 IW_EV_COMPAT_FREQ_LEN, /* IW_HEADER_TYPE_FREQ */ 332 IW_EV_COMPAT_ADDR_LEN, /* IW_HEADER_TYPE_ADDR */ 333 0, 334 IW_EV_COMPAT_POINT_LEN, /* Without variable payload */ 335 IW_EV_COMPAT_PARAM_LEN, /* IW_HEADER_TYPE_PARAM */ 336 IW_EV_COMPAT_QUAL_LEN, /* IW_HEADER_TYPE_QUAL */ 337 }; 338 #endif 339 340 341 /* IW event code */ 342 343 static int __net_init wext_pernet_init(struct net *net) 344 { 345 skb_queue_head_init(&net->wext_nlevents); 346 return 0; 347 } 348 349 static void __net_exit wext_pernet_exit(struct net *net) 350 { 351 skb_queue_purge(&net->wext_nlevents); 352 } 353 354 static struct pernet_operations wext_pernet_ops = { 355 .init = wext_pernet_init, 356 .exit = wext_pernet_exit, 357 }; 358 359 static int __init wireless_nlevent_init(void) 360 { 361 return register_pernet_subsys(&wext_pernet_ops); 362 } 363 364 subsys_initcall(wireless_nlevent_init); 365 366 /* Process events generated by the wireless layer or the driver. */ 367 static void wireless_nlevent_process(struct work_struct *work) 368 { 369 struct sk_buff *skb; 370 struct net *net; 371 372 rtnl_lock(); 373 374 for_each_net(net) { 375 while ((skb = skb_dequeue(&net->wext_nlevents))) 376 rtnl_notify(skb, net, 0, RTNLGRP_LINK, NULL, 377 GFP_KERNEL); 378 } 379 380 rtnl_unlock(); 381 } 382 383 static DECLARE_WORK(wireless_nlevent_work, wireless_nlevent_process); 384 385 static struct nlmsghdr *rtnetlink_ifinfo_prep(struct net_device *dev, 386 struct sk_buff *skb) 387 { 388 struct ifinfomsg *r; 389 struct nlmsghdr *nlh; 390 391 nlh = nlmsg_put(skb, 0, 0, RTM_NEWLINK, sizeof(*r), 0); 392 if (!nlh) 393 return NULL; 394 395 r = nlmsg_data(nlh); 396 r->ifi_family = AF_UNSPEC; 397 r->__ifi_pad = 0; 398 r->ifi_type = dev->type; 399 r->ifi_index = dev->ifindex; 400 r->ifi_flags = dev_get_flags(dev); 401 r->ifi_change = 0; /* Wireless changes don't affect those flags */ 402 403 NLA_PUT_STRING(skb, IFLA_IFNAME, dev->name); 404 405 return nlh; 406 nla_put_failure: 407 nlmsg_cancel(skb, nlh); 408 return NULL; 409 } 410 411 412 /* 413 * Main event dispatcher. Called from other parts and drivers. 414 * Send the event on the appropriate channels. 415 * May be called from interrupt context. 416 */ 417 void wireless_send_event(struct net_device * dev, 418 unsigned int cmd, 419 union iwreq_data * wrqu, 420 const char * extra) 421 { 422 const struct iw_ioctl_description * descr = NULL; 423 int extra_len = 0; 424 struct iw_event *event; /* Mallocated whole event */ 425 int event_len; /* Its size */ 426 int hdr_len; /* Size of the event header */ 427 int wrqu_off = 0; /* Offset in wrqu */ 428 /* Don't "optimise" the following variable, it will crash */ 429 unsigned cmd_index; /* *MUST* be unsigned */ 430 struct sk_buff *skb; 431 struct nlmsghdr *nlh; 432 struct nlattr *nla; 433 #ifdef CONFIG_COMPAT 434 struct __compat_iw_event *compat_event; 435 struct compat_iw_point compat_wrqu; 436 struct sk_buff *compskb; 437 #endif 438 439 /* 440 * Nothing in the kernel sends scan events with data, be safe. 441 * This is necessary because we cannot fix up scan event data 442 * for compat, due to being contained in 'extra', but normally 443 * applications are required to retrieve the scan data anyway 444 * and no data is included in the event, this codifies that 445 * practice. 446 */ 447 if (WARN_ON(cmd == SIOCGIWSCAN && extra)) 448 extra = NULL; 449 450 /* Get the description of the Event */ 451 if (cmd <= SIOCIWLAST) { 452 cmd_index = cmd - SIOCIWFIRST; 453 if (cmd_index < standard_ioctl_num) 454 descr = &(standard_ioctl[cmd_index]); 455 } else { 456 cmd_index = cmd - IWEVFIRST; 457 if (cmd_index < standard_event_num) 458 descr = &(standard_event[cmd_index]); 459 } 460 /* Don't accept unknown events */ 461 if (descr == NULL) { 462 /* Note : we don't return an error to the driver, because 463 * the driver would not know what to do about it. It can't 464 * return an error to the user, because the event is not 465 * initiated by a user request. 466 * The best the driver could do is to log an error message. 467 * We will do it ourselves instead... 468 */ 469 printk(KERN_ERR "%s (WE) : Invalid/Unknown Wireless Event (0x%04X)\n", 470 dev->name, cmd); 471 return; 472 } 473 474 /* Check extra parameters and set extra_len */ 475 if (descr->header_type == IW_HEADER_TYPE_POINT) { 476 /* Check if number of token fits within bounds */ 477 if (wrqu->data.length > descr->max_tokens) { 478 printk(KERN_ERR "%s (WE) : Wireless Event too big (%d)\n", dev->name, wrqu->data.length); 479 return; 480 } 481 if (wrqu->data.length < descr->min_tokens) { 482 printk(KERN_ERR "%s (WE) : Wireless Event too small (%d)\n", dev->name, wrqu->data.length); 483 return; 484 } 485 /* Calculate extra_len - extra is NULL for restricted events */ 486 if (extra != NULL) 487 extra_len = wrqu->data.length * descr->token_size; 488 /* Always at an offset in wrqu */ 489 wrqu_off = IW_EV_POINT_OFF; 490 } 491 492 /* Total length of the event */ 493 hdr_len = event_type_size[descr->header_type]; 494 event_len = hdr_len + extra_len; 495 496 /* 497 * The problem for 64/32 bit. 498 * 499 * On 64-bit, a regular event is laid out as follows: 500 * | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 501 * | event.len | event.cmd | p a d d i n g | 502 * | wrqu data ... (with the correct size) | 503 * 504 * This padding exists because we manipulate event->u, 505 * and 'event' is not packed. 506 * 507 * An iw_point event is laid out like this instead: 508 * | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 509 * | event.len | event.cmd | p a d d i n g | 510 * | iwpnt.len | iwpnt.flg | p a d d i n g | 511 * | extra data ... 512 * 513 * The second padding exists because struct iw_point is extended, 514 * but this depends on the platform... 515 * 516 * On 32-bit, all the padding shouldn't be there. 517 */ 518 519 skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC); 520 if (!skb) 521 return; 522 523 /* Send via the RtNetlink event channel */ 524 nlh = rtnetlink_ifinfo_prep(dev, skb); 525 if (WARN_ON(!nlh)) { 526 kfree_skb(skb); 527 return; 528 } 529 530 /* Add the wireless events in the netlink packet */ 531 nla = nla_reserve(skb, IFLA_WIRELESS, event_len); 532 if (!nla) { 533 kfree_skb(skb); 534 return; 535 } 536 event = nla_data(nla); 537 538 /* Fill event - first clear to avoid data leaking */ 539 memset(event, 0, hdr_len); 540 event->len = event_len; 541 event->cmd = cmd; 542 memcpy(&event->u, ((char *) wrqu) + wrqu_off, hdr_len - IW_EV_LCP_LEN); 543 if (extra_len) 544 memcpy(((char *) event) + hdr_len, extra, extra_len); 545 546 nlmsg_end(skb, nlh); 547 #ifdef CONFIG_COMPAT 548 hdr_len = compat_event_type_size[descr->header_type]; 549 event_len = hdr_len + extra_len; 550 551 compskb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC); 552 if (!compskb) { 553 kfree_skb(skb); 554 return; 555 } 556 557 /* Send via the RtNetlink event channel */ 558 nlh = rtnetlink_ifinfo_prep(dev, compskb); 559 if (WARN_ON(!nlh)) { 560 kfree_skb(skb); 561 kfree_skb(compskb); 562 return; 563 } 564 565 /* Add the wireless events in the netlink packet */ 566 nla = nla_reserve(compskb, IFLA_WIRELESS, event_len); 567 if (!nla) { 568 kfree_skb(skb); 569 kfree_skb(compskb); 570 return; 571 } 572 compat_event = nla_data(nla); 573 574 compat_event->len = event_len; 575 compat_event->cmd = cmd; 576 if (descr->header_type == IW_HEADER_TYPE_POINT) { 577 compat_wrqu.length = wrqu->data.length; 578 compat_wrqu.flags = wrqu->data.flags; 579 memcpy(&compat_event->pointer, 580 ((char *) &compat_wrqu) + IW_EV_COMPAT_POINT_OFF, 581 hdr_len - IW_EV_COMPAT_LCP_LEN); 582 if (extra_len) 583 memcpy(((char *) compat_event) + hdr_len, 584 extra, extra_len); 585 } else { 586 /* extra_len must be zero, so no if (extra) needed */ 587 memcpy(&compat_event->pointer, wrqu, 588 hdr_len - IW_EV_COMPAT_LCP_LEN); 589 } 590 591 nlmsg_end(compskb, nlh); 592 593 skb_shinfo(skb)->frag_list = compskb; 594 #endif 595 skb_queue_tail(&dev_net(dev)->wext_nlevents, skb); 596 schedule_work(&wireless_nlevent_work); 597 } 598 EXPORT_SYMBOL(wireless_send_event); 599 600 601 602 /* IW handlers */ 603 604 struct iw_statistics *get_wireless_stats(struct net_device *dev) 605 { 606 #ifdef CONFIG_WIRELESS_EXT 607 if ((dev->wireless_handlers != NULL) && 608 (dev->wireless_handlers->get_wireless_stats != NULL)) 609 return dev->wireless_handlers->get_wireless_stats(dev); 610 #endif 611 612 #ifdef CONFIG_CFG80211_WEXT 613 if (dev->ieee80211_ptr && dev->ieee80211_ptr && 614 dev->ieee80211_ptr->wiphy && 615 dev->ieee80211_ptr->wiphy->wext && 616 dev->ieee80211_ptr->wiphy->wext->get_wireless_stats) 617 return dev->ieee80211_ptr->wiphy->wext->get_wireless_stats(dev); 618 #endif 619 620 /* not found */ 621 return NULL; 622 } 623 624 static int iw_handler_get_iwstats(struct net_device * dev, 625 struct iw_request_info * info, 626 union iwreq_data * wrqu, 627 char * extra) 628 { 629 /* Get stats from the driver */ 630 struct iw_statistics *stats; 631 632 stats = get_wireless_stats(dev); 633 if (stats) { 634 /* Copy statistics to extra */ 635 memcpy(extra, stats, sizeof(struct iw_statistics)); 636 wrqu->data.length = sizeof(struct iw_statistics); 637 638 /* Check if we need to clear the updated flag */ 639 if (wrqu->data.flags != 0) 640 stats->qual.updated &= ~IW_QUAL_ALL_UPDATED; 641 return 0; 642 } else 643 return -EOPNOTSUPP; 644 } 645 646 static iw_handler get_handler(struct net_device *dev, unsigned int cmd) 647 { 648 /* Don't "optimise" the following variable, it will crash */ 649 unsigned int index; /* *MUST* be unsigned */ 650 const struct iw_handler_def *handlers = NULL; 651 652 #ifdef CONFIG_CFG80211_WEXT 653 if (dev->ieee80211_ptr && dev->ieee80211_ptr->wiphy) 654 handlers = dev->ieee80211_ptr->wiphy->wext; 655 #endif 656 #ifdef CONFIG_WIRELESS_EXT 657 if (dev->wireless_handlers) 658 handlers = dev->wireless_handlers; 659 #endif 660 661 if (!handlers) 662 return NULL; 663 664 /* Try as a standard command */ 665 index = cmd - SIOCIWFIRST; 666 if (index < handlers->num_standard) 667 return handlers->standard[index]; 668 669 #ifdef CONFIG_WEXT_PRIV 670 /* Try as a private command */ 671 index = cmd - SIOCIWFIRSTPRIV; 672 if (index < handlers->num_private) 673 return handlers->private[index]; 674 #endif 675 676 /* Not found */ 677 return NULL; 678 } 679 680 static int ioctl_standard_iw_point(struct iw_point *iwp, unsigned int cmd, 681 const struct iw_ioctl_description *descr, 682 iw_handler handler, struct net_device *dev, 683 struct iw_request_info *info) 684 { 685 int err, extra_size, user_length = 0, essid_compat = 0; 686 char *extra; 687 688 /* Calculate space needed by arguments. Always allocate 689 * for max space. 690 */ 691 extra_size = descr->max_tokens * descr->token_size; 692 693 /* Check need for ESSID compatibility for WE < 21 */ 694 switch (cmd) { 695 case SIOCSIWESSID: 696 case SIOCGIWESSID: 697 case SIOCSIWNICKN: 698 case SIOCGIWNICKN: 699 if (iwp->length == descr->max_tokens + 1) 700 essid_compat = 1; 701 else if (IW_IS_SET(cmd) && (iwp->length != 0)) { 702 char essid[IW_ESSID_MAX_SIZE + 1]; 703 unsigned int len; 704 len = iwp->length * descr->token_size; 705 706 if (len > IW_ESSID_MAX_SIZE) 707 return -EFAULT; 708 709 err = copy_from_user(essid, iwp->pointer, len); 710 if (err) 711 return -EFAULT; 712 713 if (essid[iwp->length - 1] == '\0') 714 essid_compat = 1; 715 } 716 break; 717 default: 718 break; 719 } 720 721 iwp->length -= essid_compat; 722 723 /* Check what user space is giving us */ 724 if (IW_IS_SET(cmd)) { 725 /* Check NULL pointer */ 726 if (!iwp->pointer && iwp->length != 0) 727 return -EFAULT; 728 /* Check if number of token fits within bounds */ 729 if (iwp->length > descr->max_tokens) 730 return -E2BIG; 731 if (iwp->length < descr->min_tokens) 732 return -EINVAL; 733 } else { 734 /* Check NULL pointer */ 735 if (!iwp->pointer) 736 return -EFAULT; 737 /* Save user space buffer size for checking */ 738 user_length = iwp->length; 739 740 /* Don't check if user_length > max to allow forward 741 * compatibility. The test user_length < min is 742 * implied by the test at the end. 743 */ 744 745 /* Support for very large requests */ 746 if ((descr->flags & IW_DESCR_FLAG_NOMAX) && 747 (user_length > descr->max_tokens)) { 748 /* Allow userspace to GET more than max so 749 * we can support any size GET requests. 750 * There is still a limit : -ENOMEM. 751 */ 752 extra_size = user_length * descr->token_size; 753 754 /* Note : user_length is originally a __u16, 755 * and token_size is controlled by us, 756 * so extra_size won't get negative and 757 * won't overflow... 758 */ 759 } 760 } 761 762 /* kzalloc() ensures NULL-termination for essid_compat. */ 763 extra = kzalloc(extra_size, GFP_KERNEL); 764 if (!extra) 765 return -ENOMEM; 766 767 /* If it is a SET, get all the extra data in here */ 768 if (IW_IS_SET(cmd) && (iwp->length != 0)) { 769 if (copy_from_user(extra, iwp->pointer, 770 iwp->length * 771 descr->token_size)) { 772 err = -EFAULT; 773 goto out; 774 } 775 776 if (cmd == SIOCSIWENCODEEXT) { 777 struct iw_encode_ext *ee = (void *) extra; 778 779 if (iwp->length < sizeof(*ee) + ee->key_len) 780 return -EFAULT; 781 } 782 } 783 784 err = handler(dev, info, (union iwreq_data *) iwp, extra); 785 786 iwp->length += essid_compat; 787 788 /* If we have something to return to the user */ 789 if (!err && IW_IS_GET(cmd)) { 790 /* Check if there is enough buffer up there */ 791 if (user_length < iwp->length) { 792 err = -E2BIG; 793 goto out; 794 } 795 796 if (copy_to_user(iwp->pointer, extra, 797 iwp->length * 798 descr->token_size)) { 799 err = -EFAULT; 800 goto out; 801 } 802 } 803 804 /* Generate an event to notify listeners of the change */ 805 if ((descr->flags & IW_DESCR_FLAG_EVENT) && 806 ((err == 0) || (err == -EIWCOMMIT))) { 807 union iwreq_data *data = (union iwreq_data *) iwp; 808 809 if (descr->flags & IW_DESCR_FLAG_RESTRICT) 810 /* If the event is restricted, don't 811 * export the payload. 812 */ 813 wireless_send_event(dev, cmd, data, NULL); 814 else 815 wireless_send_event(dev, cmd, data, extra); 816 } 817 818 out: 819 kfree(extra); 820 return err; 821 } 822 823 /* 824 * Call the commit handler in the driver 825 * (if exist and if conditions are right) 826 * 827 * Note : our current commit strategy is currently pretty dumb, 828 * but we will be able to improve on that... 829 * The goal is to try to agreagate as many changes as possible 830 * before doing the commit. Drivers that will define a commit handler 831 * are usually those that need a reset after changing parameters, so 832 * we want to minimise the number of reset. 833 * A cool idea is to use a timer : at each "set" command, we re-set the 834 * timer, when the timer eventually fires, we call the driver. 835 * Hopefully, more on that later. 836 * 837 * Also, I'm waiting to see how many people will complain about the 838 * netif_running(dev) test. I'm open on that one... 839 * Hopefully, the driver will remember to do a commit in "open()" ;-) 840 */ 841 int call_commit_handler(struct net_device *dev) 842 { 843 #ifdef CONFIG_WIRELESS_EXT 844 if ((netif_running(dev)) && 845 (dev->wireless_handlers->standard[0] != NULL)) 846 /* Call the commit handler on the driver */ 847 return dev->wireless_handlers->standard[0](dev, NULL, 848 NULL, NULL); 849 else 850 return 0; /* Command completed successfully */ 851 #else 852 /* cfg80211 has no commit */ 853 return 0; 854 #endif 855 } 856 857 /* 858 * Main IOCTl dispatcher. 859 * Check the type of IOCTL and call the appropriate wrapper... 860 */ 861 static int wireless_process_ioctl(struct net *net, struct ifreq *ifr, 862 unsigned int cmd, 863 struct iw_request_info *info, 864 wext_ioctl_func standard, 865 wext_ioctl_func private) 866 { 867 struct iwreq *iwr = (struct iwreq *) ifr; 868 struct net_device *dev; 869 iw_handler handler; 870 871 /* Permissions are already checked in dev_ioctl() before calling us. 872 * The copy_to/from_user() of ifr is also dealt with in there */ 873 874 /* Make sure the device exist */ 875 if ((dev = __dev_get_by_name(net, ifr->ifr_name)) == NULL) 876 return -ENODEV; 877 878 /* A bunch of special cases, then the generic case... 879 * Note that 'cmd' is already filtered in dev_ioctl() with 880 * (cmd >= SIOCIWFIRST && cmd <= SIOCIWLAST) */ 881 if (cmd == SIOCGIWSTATS) 882 return standard(dev, iwr, cmd, info, 883 &iw_handler_get_iwstats); 884 885 #ifdef CONFIG_WEXT_PRIV 886 if (cmd == SIOCGIWPRIV && dev->wireless_handlers) 887 return standard(dev, iwr, cmd, info, 888 iw_handler_get_private); 889 #endif 890 891 /* Basic check */ 892 if (!netif_device_present(dev)) 893 return -ENODEV; 894 895 /* New driver API : try to find the handler */ 896 handler = get_handler(dev, cmd); 897 if (handler) { 898 /* Standard and private are not the same */ 899 if (cmd < SIOCIWFIRSTPRIV) 900 return standard(dev, iwr, cmd, info, handler); 901 else if (private) 902 return private(dev, iwr, cmd, info, handler); 903 } 904 /* Old driver API : call driver ioctl handler */ 905 if (dev->netdev_ops->ndo_do_ioctl) 906 return dev->netdev_ops->ndo_do_ioctl(dev, ifr, cmd); 907 return -EOPNOTSUPP; 908 } 909 910 /* If command is `set a parameter', or `get the encoding parameters', 911 * check if the user has the right to do it. 912 */ 913 static int wext_permission_check(unsigned int cmd) 914 { 915 if ((IW_IS_SET(cmd) || cmd == SIOCGIWENCODE || 916 cmd == SIOCGIWENCODEEXT) && 917 !capable(CAP_NET_ADMIN)) 918 return -EPERM; 919 920 return 0; 921 } 922 923 /* entry point from dev ioctl */ 924 static int wext_ioctl_dispatch(struct net *net, struct ifreq *ifr, 925 unsigned int cmd, struct iw_request_info *info, 926 wext_ioctl_func standard, 927 wext_ioctl_func private) 928 { 929 int ret = wext_permission_check(cmd); 930 931 if (ret) 932 return ret; 933 934 dev_load(net, ifr->ifr_name); 935 rtnl_lock(); 936 ret = wireless_process_ioctl(net, ifr, cmd, info, standard, private); 937 rtnl_unlock(); 938 939 return ret; 940 } 941 942 /* 943 * Wrapper to call a standard Wireless Extension handler. 944 * We do various checks and also take care of moving data between 945 * user space and kernel space. 946 */ 947 static int ioctl_standard_call(struct net_device * dev, 948 struct iwreq *iwr, 949 unsigned int cmd, 950 struct iw_request_info *info, 951 iw_handler handler) 952 { 953 const struct iw_ioctl_description * descr; 954 int ret = -EINVAL; 955 956 /* Get the description of the IOCTL */ 957 if ((cmd - SIOCIWFIRST) >= standard_ioctl_num) 958 return -EOPNOTSUPP; 959 descr = &(standard_ioctl[cmd - SIOCIWFIRST]); 960 961 /* Check if we have a pointer to user space data or not */ 962 if (descr->header_type != IW_HEADER_TYPE_POINT) { 963 964 /* No extra arguments. Trivial to handle */ 965 ret = handler(dev, info, &(iwr->u), NULL); 966 967 /* Generate an event to notify listeners of the change */ 968 if ((descr->flags & IW_DESCR_FLAG_EVENT) && 969 ((ret == 0) || (ret == -EIWCOMMIT))) 970 wireless_send_event(dev, cmd, &(iwr->u), NULL); 971 } else { 972 ret = ioctl_standard_iw_point(&iwr->u.data, cmd, descr, 973 handler, dev, info); 974 } 975 976 /* Call commit handler if needed and defined */ 977 if (ret == -EIWCOMMIT) 978 ret = call_commit_handler(dev); 979 980 /* Here, we will generate the appropriate event if needed */ 981 982 return ret; 983 } 984 985 986 int wext_handle_ioctl(struct net *net, struct ifreq *ifr, unsigned int cmd, 987 void __user *arg) 988 { 989 struct iw_request_info info = { .cmd = cmd, .flags = 0 }; 990 int ret; 991 992 ret = wext_ioctl_dispatch(net, ifr, cmd, &info, 993 ioctl_standard_call, 994 ioctl_private_call); 995 if (ret >= 0 && 996 IW_IS_GET(cmd) && 997 copy_to_user(arg, ifr, sizeof(struct iwreq))) 998 return -EFAULT; 999 1000 return ret; 1001 } 1002 1003 #ifdef CONFIG_COMPAT 1004 static int compat_standard_call(struct net_device *dev, 1005 struct iwreq *iwr, 1006 unsigned int cmd, 1007 struct iw_request_info *info, 1008 iw_handler handler) 1009 { 1010 const struct iw_ioctl_description *descr; 1011 struct compat_iw_point *iwp_compat; 1012 struct iw_point iwp; 1013 int err; 1014 1015 descr = standard_ioctl + (cmd - SIOCIWFIRST); 1016 1017 if (descr->header_type != IW_HEADER_TYPE_POINT) 1018 return ioctl_standard_call(dev, iwr, cmd, info, handler); 1019 1020 iwp_compat = (struct compat_iw_point *) &iwr->u.data; 1021 iwp.pointer = compat_ptr(iwp_compat->pointer); 1022 iwp.length = iwp_compat->length; 1023 iwp.flags = iwp_compat->flags; 1024 1025 err = ioctl_standard_iw_point(&iwp, cmd, descr, handler, dev, info); 1026 1027 iwp_compat->pointer = ptr_to_compat(iwp.pointer); 1028 iwp_compat->length = iwp.length; 1029 iwp_compat->flags = iwp.flags; 1030 1031 return err; 1032 } 1033 1034 int compat_wext_handle_ioctl(struct net *net, unsigned int cmd, 1035 unsigned long arg) 1036 { 1037 void __user *argp = (void __user *)arg; 1038 struct iw_request_info info; 1039 struct iwreq iwr; 1040 char *colon; 1041 int ret; 1042 1043 if (copy_from_user(&iwr, argp, sizeof(struct iwreq))) 1044 return -EFAULT; 1045 1046 iwr.ifr_name[IFNAMSIZ-1] = 0; 1047 colon = strchr(iwr.ifr_name, ':'); 1048 if (colon) 1049 *colon = 0; 1050 1051 info.cmd = cmd; 1052 info.flags = IW_REQUEST_FLAG_COMPAT; 1053 1054 ret = wext_ioctl_dispatch(net, (struct ifreq *) &iwr, cmd, &info, 1055 compat_standard_call, 1056 compat_private_call); 1057 1058 if (ret >= 0 && 1059 IW_IS_GET(cmd) && 1060 copy_to_user(argp, &iwr, sizeof(struct iwreq))) 1061 return -EFAULT; 1062 1063 return ret; 1064 } 1065 #endif 1066