xref: /linux/net/wireless/wext-core.c (revision e26207a3819684e9b4450a2d30bdd065fa92d9c7)
1 /*
2  * This file implement the Wireless Extensions core API.
3  *
4  * Authors :	Jean Tourrilhes - HPL - <jt@hpl.hp.com>
5  * Copyright (c) 1997-2007 Jean Tourrilhes, All Rights Reserved.
6  * Copyright	2009 Johannes Berg <johannes@sipsolutions.net>
7  *
8  * (As all part of the Linux kernel, this file is GPL)
9  */
10 #include <linux/kernel.h>
11 #include <linux/netdevice.h>
12 #include <linux/rtnetlink.h>
13 #include <linux/wireless.h>
14 #include <linux/uaccess.h>
15 #include <net/cfg80211.h>
16 #include <net/iw_handler.h>
17 #include <net/netlink.h>
18 #include <net/wext.h>
19 #include <net/net_namespace.h>
20 
21 typedef int (*wext_ioctl_func)(struct net_device *, struct iwreq *,
22 			       unsigned int, struct iw_request_info *,
23 			       iw_handler);
24 
25 
26 /*
27  * Meta-data about all the standard Wireless Extension request we
28  * know about.
29  */
30 static const struct iw_ioctl_description standard_ioctl[] = {
31 	[SIOCSIWCOMMIT	- SIOCIWFIRST] = {
32 		.header_type	= IW_HEADER_TYPE_NULL,
33 	},
34 	[SIOCGIWNAME	- SIOCIWFIRST] = {
35 		.header_type	= IW_HEADER_TYPE_CHAR,
36 		.flags		= IW_DESCR_FLAG_DUMP,
37 	},
38 	[SIOCSIWNWID	- SIOCIWFIRST] = {
39 		.header_type	= IW_HEADER_TYPE_PARAM,
40 		.flags		= IW_DESCR_FLAG_EVENT,
41 	},
42 	[SIOCGIWNWID	- SIOCIWFIRST] = {
43 		.header_type	= IW_HEADER_TYPE_PARAM,
44 		.flags		= IW_DESCR_FLAG_DUMP,
45 	},
46 	[SIOCSIWFREQ	- SIOCIWFIRST] = {
47 		.header_type	= IW_HEADER_TYPE_FREQ,
48 		.flags		= IW_DESCR_FLAG_EVENT,
49 	},
50 	[SIOCGIWFREQ	- SIOCIWFIRST] = {
51 		.header_type	= IW_HEADER_TYPE_FREQ,
52 		.flags		= IW_DESCR_FLAG_DUMP,
53 	},
54 	[SIOCSIWMODE	- SIOCIWFIRST] = {
55 		.header_type	= IW_HEADER_TYPE_UINT,
56 		.flags		= IW_DESCR_FLAG_EVENT,
57 	},
58 	[SIOCGIWMODE	- SIOCIWFIRST] = {
59 		.header_type	= IW_HEADER_TYPE_UINT,
60 		.flags		= IW_DESCR_FLAG_DUMP,
61 	},
62 	[SIOCSIWSENS	- SIOCIWFIRST] = {
63 		.header_type	= IW_HEADER_TYPE_PARAM,
64 	},
65 	[SIOCGIWSENS	- SIOCIWFIRST] = {
66 		.header_type	= IW_HEADER_TYPE_PARAM,
67 	},
68 	[SIOCSIWRANGE	- SIOCIWFIRST] = {
69 		.header_type	= IW_HEADER_TYPE_NULL,
70 	},
71 	[SIOCGIWRANGE	- SIOCIWFIRST] = {
72 		.header_type	= IW_HEADER_TYPE_POINT,
73 		.token_size	= 1,
74 		.max_tokens	= sizeof(struct iw_range),
75 		.flags		= IW_DESCR_FLAG_DUMP,
76 	},
77 	[SIOCSIWPRIV	- SIOCIWFIRST] = {
78 		.header_type	= IW_HEADER_TYPE_NULL,
79 	},
80 	[SIOCGIWPRIV	- SIOCIWFIRST] = { /* (handled directly by us) */
81 		.header_type	= IW_HEADER_TYPE_POINT,
82 		.token_size	= sizeof(struct iw_priv_args),
83 		.max_tokens	= 16,
84 		.flags		= IW_DESCR_FLAG_NOMAX,
85 	},
86 	[SIOCSIWSTATS	- SIOCIWFIRST] = {
87 		.header_type	= IW_HEADER_TYPE_NULL,
88 	},
89 	[SIOCGIWSTATS	- SIOCIWFIRST] = { /* (handled directly by us) */
90 		.header_type	= IW_HEADER_TYPE_POINT,
91 		.token_size	= 1,
92 		.max_tokens	= sizeof(struct iw_statistics),
93 		.flags		= IW_DESCR_FLAG_DUMP,
94 	},
95 	[SIOCSIWSPY	- SIOCIWFIRST] = {
96 		.header_type	= IW_HEADER_TYPE_POINT,
97 		.token_size	= sizeof(struct sockaddr),
98 		.max_tokens	= IW_MAX_SPY,
99 	},
100 	[SIOCGIWSPY	- SIOCIWFIRST] = {
101 		.header_type	= IW_HEADER_TYPE_POINT,
102 		.token_size	= sizeof(struct sockaddr) +
103 				  sizeof(struct iw_quality),
104 		.max_tokens	= IW_MAX_SPY,
105 	},
106 	[SIOCSIWTHRSPY	- SIOCIWFIRST] = {
107 		.header_type	= IW_HEADER_TYPE_POINT,
108 		.token_size	= sizeof(struct iw_thrspy),
109 		.min_tokens	= 1,
110 		.max_tokens	= 1,
111 	},
112 	[SIOCGIWTHRSPY	- SIOCIWFIRST] = {
113 		.header_type	= IW_HEADER_TYPE_POINT,
114 		.token_size	= sizeof(struct iw_thrspy),
115 		.min_tokens	= 1,
116 		.max_tokens	= 1,
117 	},
118 	[SIOCSIWAP	- SIOCIWFIRST] = {
119 		.header_type	= IW_HEADER_TYPE_ADDR,
120 	},
121 	[SIOCGIWAP	- SIOCIWFIRST] = {
122 		.header_type	= IW_HEADER_TYPE_ADDR,
123 		.flags		= IW_DESCR_FLAG_DUMP,
124 	},
125 	[SIOCSIWMLME	- SIOCIWFIRST] = {
126 		.header_type	= IW_HEADER_TYPE_POINT,
127 		.token_size	= 1,
128 		.min_tokens	= sizeof(struct iw_mlme),
129 		.max_tokens	= sizeof(struct iw_mlme),
130 	},
131 	[SIOCGIWAPLIST	- SIOCIWFIRST] = {
132 		.header_type	= IW_HEADER_TYPE_POINT,
133 		.token_size	= sizeof(struct sockaddr) +
134 				  sizeof(struct iw_quality),
135 		.max_tokens	= IW_MAX_AP,
136 		.flags		= IW_DESCR_FLAG_NOMAX,
137 	},
138 	[SIOCSIWSCAN	- SIOCIWFIRST] = {
139 		.header_type	= IW_HEADER_TYPE_POINT,
140 		.token_size	= 1,
141 		.min_tokens	= 0,
142 		.max_tokens	= sizeof(struct iw_scan_req),
143 	},
144 	[SIOCGIWSCAN	- SIOCIWFIRST] = {
145 		.header_type	= IW_HEADER_TYPE_POINT,
146 		.token_size	= 1,
147 		.max_tokens	= IW_SCAN_MAX_DATA,
148 		.flags		= IW_DESCR_FLAG_NOMAX,
149 	},
150 	[SIOCSIWESSID	- SIOCIWFIRST] = {
151 		.header_type	= IW_HEADER_TYPE_POINT,
152 		.token_size	= 1,
153 		.max_tokens	= IW_ESSID_MAX_SIZE,
154 		.flags		= IW_DESCR_FLAG_EVENT,
155 	},
156 	[SIOCGIWESSID	- SIOCIWFIRST] = {
157 		.header_type	= IW_HEADER_TYPE_POINT,
158 		.token_size	= 1,
159 		.max_tokens	= IW_ESSID_MAX_SIZE,
160 		.flags		= IW_DESCR_FLAG_DUMP,
161 	},
162 	[SIOCSIWNICKN	- SIOCIWFIRST] = {
163 		.header_type	= IW_HEADER_TYPE_POINT,
164 		.token_size	= 1,
165 		.max_tokens	= IW_ESSID_MAX_SIZE,
166 	},
167 	[SIOCGIWNICKN	- SIOCIWFIRST] = {
168 		.header_type	= IW_HEADER_TYPE_POINT,
169 		.token_size	= 1,
170 		.max_tokens	= IW_ESSID_MAX_SIZE,
171 	},
172 	[SIOCSIWRATE	- SIOCIWFIRST] = {
173 		.header_type	= IW_HEADER_TYPE_PARAM,
174 	},
175 	[SIOCGIWRATE	- SIOCIWFIRST] = {
176 		.header_type	= IW_HEADER_TYPE_PARAM,
177 	},
178 	[SIOCSIWRTS	- SIOCIWFIRST] = {
179 		.header_type	= IW_HEADER_TYPE_PARAM,
180 	},
181 	[SIOCGIWRTS	- SIOCIWFIRST] = {
182 		.header_type	= IW_HEADER_TYPE_PARAM,
183 	},
184 	[SIOCSIWFRAG	- SIOCIWFIRST] = {
185 		.header_type	= IW_HEADER_TYPE_PARAM,
186 	},
187 	[SIOCGIWFRAG	- SIOCIWFIRST] = {
188 		.header_type	= IW_HEADER_TYPE_PARAM,
189 	},
190 	[SIOCSIWTXPOW	- SIOCIWFIRST] = {
191 		.header_type	= IW_HEADER_TYPE_PARAM,
192 	},
193 	[SIOCGIWTXPOW	- SIOCIWFIRST] = {
194 		.header_type	= IW_HEADER_TYPE_PARAM,
195 	},
196 	[SIOCSIWRETRY	- SIOCIWFIRST] = {
197 		.header_type	= IW_HEADER_TYPE_PARAM,
198 	},
199 	[SIOCGIWRETRY	- SIOCIWFIRST] = {
200 		.header_type	= IW_HEADER_TYPE_PARAM,
201 	},
202 	[SIOCSIWENCODE	- SIOCIWFIRST] = {
203 		.header_type	= IW_HEADER_TYPE_POINT,
204 		.token_size	= 1,
205 		.max_tokens	= IW_ENCODING_TOKEN_MAX,
206 		.flags		= IW_DESCR_FLAG_EVENT | IW_DESCR_FLAG_RESTRICT,
207 	},
208 	[SIOCGIWENCODE	- SIOCIWFIRST] = {
209 		.header_type	= IW_HEADER_TYPE_POINT,
210 		.token_size	= 1,
211 		.max_tokens	= IW_ENCODING_TOKEN_MAX,
212 		.flags		= IW_DESCR_FLAG_DUMP | IW_DESCR_FLAG_RESTRICT,
213 	},
214 	[SIOCSIWPOWER	- SIOCIWFIRST] = {
215 		.header_type	= IW_HEADER_TYPE_PARAM,
216 	},
217 	[SIOCGIWPOWER	- SIOCIWFIRST] = {
218 		.header_type	= IW_HEADER_TYPE_PARAM,
219 	},
220 	[SIOCSIWGENIE	- SIOCIWFIRST] = {
221 		.header_type	= IW_HEADER_TYPE_POINT,
222 		.token_size	= 1,
223 		.max_tokens	= IW_GENERIC_IE_MAX,
224 	},
225 	[SIOCGIWGENIE	- SIOCIWFIRST] = {
226 		.header_type	= IW_HEADER_TYPE_POINT,
227 		.token_size	= 1,
228 		.max_tokens	= IW_GENERIC_IE_MAX,
229 	},
230 	[SIOCSIWAUTH	- SIOCIWFIRST] = {
231 		.header_type	= IW_HEADER_TYPE_PARAM,
232 	},
233 	[SIOCGIWAUTH	- SIOCIWFIRST] = {
234 		.header_type	= IW_HEADER_TYPE_PARAM,
235 	},
236 	[SIOCSIWENCODEEXT - SIOCIWFIRST] = {
237 		.header_type	= IW_HEADER_TYPE_POINT,
238 		.token_size	= 1,
239 		.min_tokens	= sizeof(struct iw_encode_ext),
240 		.max_tokens	= sizeof(struct iw_encode_ext) +
241 				  IW_ENCODING_TOKEN_MAX,
242 	},
243 	[SIOCGIWENCODEEXT - SIOCIWFIRST] = {
244 		.header_type	= IW_HEADER_TYPE_POINT,
245 		.token_size	= 1,
246 		.min_tokens	= sizeof(struct iw_encode_ext),
247 		.max_tokens	= sizeof(struct iw_encode_ext) +
248 				  IW_ENCODING_TOKEN_MAX,
249 	},
250 	[SIOCSIWPMKSA - SIOCIWFIRST] = {
251 		.header_type	= IW_HEADER_TYPE_POINT,
252 		.token_size	= 1,
253 		.min_tokens	= sizeof(struct iw_pmksa),
254 		.max_tokens	= sizeof(struct iw_pmksa),
255 	},
256 };
257 static const unsigned standard_ioctl_num = ARRAY_SIZE(standard_ioctl);
258 
259 /*
260  * Meta-data about all the additional standard Wireless Extension events
261  * we know about.
262  */
263 static const struct iw_ioctl_description standard_event[] = {
264 	[IWEVTXDROP	- IWEVFIRST] = {
265 		.header_type	= IW_HEADER_TYPE_ADDR,
266 	},
267 	[IWEVQUAL	- IWEVFIRST] = {
268 		.header_type	= IW_HEADER_TYPE_QUAL,
269 	},
270 	[IWEVCUSTOM	- IWEVFIRST] = {
271 		.header_type	= IW_HEADER_TYPE_POINT,
272 		.token_size	= 1,
273 		.max_tokens	= IW_CUSTOM_MAX,
274 	},
275 	[IWEVREGISTERED	- IWEVFIRST] = {
276 		.header_type	= IW_HEADER_TYPE_ADDR,
277 	},
278 	[IWEVEXPIRED	- IWEVFIRST] = {
279 		.header_type	= IW_HEADER_TYPE_ADDR,
280 	},
281 	[IWEVGENIE	- IWEVFIRST] = {
282 		.header_type	= IW_HEADER_TYPE_POINT,
283 		.token_size	= 1,
284 		.max_tokens	= IW_GENERIC_IE_MAX,
285 	},
286 	[IWEVMICHAELMICFAILURE	- IWEVFIRST] = {
287 		.header_type	= IW_HEADER_TYPE_POINT,
288 		.token_size	= 1,
289 		.max_tokens	= sizeof(struct iw_michaelmicfailure),
290 	},
291 	[IWEVASSOCREQIE	- IWEVFIRST] = {
292 		.header_type	= IW_HEADER_TYPE_POINT,
293 		.token_size	= 1,
294 		.max_tokens	= IW_GENERIC_IE_MAX,
295 	},
296 	[IWEVASSOCRESPIE	- IWEVFIRST] = {
297 		.header_type	= IW_HEADER_TYPE_POINT,
298 		.token_size	= 1,
299 		.max_tokens	= IW_GENERIC_IE_MAX,
300 	},
301 	[IWEVPMKIDCAND	- IWEVFIRST] = {
302 		.header_type	= IW_HEADER_TYPE_POINT,
303 		.token_size	= 1,
304 		.max_tokens	= sizeof(struct iw_pmkid_cand),
305 	},
306 };
307 static const unsigned standard_event_num = ARRAY_SIZE(standard_event);
308 
309 /* Size (in bytes) of various events */
310 static const int event_type_size[] = {
311 	IW_EV_LCP_LEN,			/* IW_HEADER_TYPE_NULL */
312 	0,
313 	IW_EV_CHAR_LEN,			/* IW_HEADER_TYPE_CHAR */
314 	0,
315 	IW_EV_UINT_LEN,			/* IW_HEADER_TYPE_UINT */
316 	IW_EV_FREQ_LEN,			/* IW_HEADER_TYPE_FREQ */
317 	IW_EV_ADDR_LEN,			/* IW_HEADER_TYPE_ADDR */
318 	0,
319 	IW_EV_POINT_LEN,		/* Without variable payload */
320 	IW_EV_PARAM_LEN,		/* IW_HEADER_TYPE_PARAM */
321 	IW_EV_QUAL_LEN,			/* IW_HEADER_TYPE_QUAL */
322 };
323 
324 #ifdef CONFIG_COMPAT
325 static const int compat_event_type_size[] = {
326 	IW_EV_COMPAT_LCP_LEN,		/* IW_HEADER_TYPE_NULL */
327 	0,
328 	IW_EV_COMPAT_CHAR_LEN,		/* IW_HEADER_TYPE_CHAR */
329 	0,
330 	IW_EV_COMPAT_UINT_LEN,		/* IW_HEADER_TYPE_UINT */
331 	IW_EV_COMPAT_FREQ_LEN,		/* IW_HEADER_TYPE_FREQ */
332 	IW_EV_COMPAT_ADDR_LEN,		/* IW_HEADER_TYPE_ADDR */
333 	0,
334 	IW_EV_COMPAT_POINT_LEN,		/* Without variable payload */
335 	IW_EV_COMPAT_PARAM_LEN,		/* IW_HEADER_TYPE_PARAM */
336 	IW_EV_COMPAT_QUAL_LEN,		/* IW_HEADER_TYPE_QUAL */
337 };
338 #endif
339 
340 
341 /* IW event code */
342 
343 static int __net_init wext_pernet_init(struct net *net)
344 {
345 	skb_queue_head_init(&net->wext_nlevents);
346 	return 0;
347 }
348 
349 static void __net_exit wext_pernet_exit(struct net *net)
350 {
351 	skb_queue_purge(&net->wext_nlevents);
352 }
353 
354 static struct pernet_operations wext_pernet_ops = {
355 	.init = wext_pernet_init,
356 	.exit = wext_pernet_exit,
357 };
358 
359 static int __init wireless_nlevent_init(void)
360 {
361 	return register_pernet_subsys(&wext_pernet_ops);
362 }
363 
364 subsys_initcall(wireless_nlevent_init);
365 
366 /* Process events generated by the wireless layer or the driver. */
367 static void wireless_nlevent_process(struct work_struct *work)
368 {
369 	struct sk_buff *skb;
370 	struct net *net;
371 
372 	rtnl_lock();
373 
374 	for_each_net(net) {
375 		while ((skb = skb_dequeue(&net->wext_nlevents)))
376 			rtnl_notify(skb, net, 0, RTNLGRP_LINK, NULL,
377 				    GFP_KERNEL);
378 	}
379 
380 	rtnl_unlock();
381 }
382 
383 static DECLARE_WORK(wireless_nlevent_work, wireless_nlevent_process);
384 
385 static struct nlmsghdr *rtnetlink_ifinfo_prep(struct net_device *dev,
386 					      struct sk_buff *skb)
387 {
388 	struct ifinfomsg *r;
389 	struct nlmsghdr  *nlh;
390 
391 	nlh = nlmsg_put(skb, 0, 0, RTM_NEWLINK, sizeof(*r), 0);
392 	if (!nlh)
393 		return NULL;
394 
395 	r = nlmsg_data(nlh);
396 	r->ifi_family = AF_UNSPEC;
397 	r->__ifi_pad = 0;
398 	r->ifi_type = dev->type;
399 	r->ifi_index = dev->ifindex;
400 	r->ifi_flags = dev_get_flags(dev);
401 	r->ifi_change = 0;	/* Wireless changes don't affect those flags */
402 
403 	NLA_PUT_STRING(skb, IFLA_IFNAME, dev->name);
404 
405 	return nlh;
406  nla_put_failure:
407 	nlmsg_cancel(skb, nlh);
408 	return NULL;
409 }
410 
411 
412 /*
413  * Main event dispatcher. Called from other parts and drivers.
414  * Send the event on the appropriate channels.
415  * May be called from interrupt context.
416  */
417 void wireless_send_event(struct net_device *	dev,
418 			 unsigned int		cmd,
419 			 union iwreq_data *	wrqu,
420 			 const char *		extra)
421 {
422 	const struct iw_ioctl_description *	descr = NULL;
423 	int extra_len = 0;
424 	struct iw_event  *event;		/* Mallocated whole event */
425 	int event_len;				/* Its size */
426 	int hdr_len;				/* Size of the event header */
427 	int wrqu_off = 0;			/* Offset in wrqu */
428 	/* Don't "optimise" the following variable, it will crash */
429 	unsigned	cmd_index;		/* *MUST* be unsigned */
430 	struct sk_buff *skb;
431 	struct nlmsghdr *nlh;
432 	struct nlattr *nla;
433 #ifdef CONFIG_COMPAT
434 	struct __compat_iw_event *compat_event;
435 	struct compat_iw_point compat_wrqu;
436 	struct sk_buff *compskb;
437 #endif
438 
439 	/*
440 	 * Nothing in the kernel sends scan events with data, be safe.
441 	 * This is necessary because we cannot fix up scan event data
442 	 * for compat, due to being contained in 'extra', but normally
443 	 * applications are required to retrieve the scan data anyway
444 	 * and no data is included in the event, this codifies that
445 	 * practice.
446 	 */
447 	if (WARN_ON(cmd == SIOCGIWSCAN && extra))
448 		extra = NULL;
449 
450 	/* Get the description of the Event */
451 	if (cmd <= SIOCIWLAST) {
452 		cmd_index = cmd - SIOCIWFIRST;
453 		if (cmd_index < standard_ioctl_num)
454 			descr = &(standard_ioctl[cmd_index]);
455 	} else {
456 		cmd_index = cmd - IWEVFIRST;
457 		if (cmd_index < standard_event_num)
458 			descr = &(standard_event[cmd_index]);
459 	}
460 	/* Don't accept unknown events */
461 	if (descr == NULL) {
462 		/* Note : we don't return an error to the driver, because
463 		 * the driver would not know what to do about it. It can't
464 		 * return an error to the user, because the event is not
465 		 * initiated by a user request.
466 		 * The best the driver could do is to log an error message.
467 		 * We will do it ourselves instead...
468 		 */
469 		printk(KERN_ERR "%s (WE) : Invalid/Unknown Wireless Event (0x%04X)\n",
470 		       dev->name, cmd);
471 		return;
472 	}
473 
474 	/* Check extra parameters and set extra_len */
475 	if (descr->header_type == IW_HEADER_TYPE_POINT) {
476 		/* Check if number of token fits within bounds */
477 		if (wrqu->data.length > descr->max_tokens) {
478 			printk(KERN_ERR "%s (WE) : Wireless Event too big (%d)\n", dev->name, wrqu->data.length);
479 			return;
480 		}
481 		if (wrqu->data.length < descr->min_tokens) {
482 			printk(KERN_ERR "%s (WE) : Wireless Event too small (%d)\n", dev->name, wrqu->data.length);
483 			return;
484 		}
485 		/* Calculate extra_len - extra is NULL for restricted events */
486 		if (extra != NULL)
487 			extra_len = wrqu->data.length * descr->token_size;
488 		/* Always at an offset in wrqu */
489 		wrqu_off = IW_EV_POINT_OFF;
490 	}
491 
492 	/* Total length of the event */
493 	hdr_len = event_type_size[descr->header_type];
494 	event_len = hdr_len + extra_len;
495 
496 	/*
497 	 * The problem for 64/32 bit.
498 	 *
499 	 * On 64-bit, a regular event is laid out as follows:
500 	 *      |  0  |  1  |  2  |  3  |  4  |  5  |  6  |  7  |
501 	 *      | event.len | event.cmd |     p a d d i n g     |
502 	 *      | wrqu data ... (with the correct size)         |
503 	 *
504 	 * This padding exists because we manipulate event->u,
505 	 * and 'event' is not packed.
506 	 *
507 	 * An iw_point event is laid out like this instead:
508 	 *      |  0  |  1  |  2  |  3  |  4  |  5  |  6  |  7  |
509 	 *      | event.len | event.cmd |     p a d d i n g     |
510 	 *      | iwpnt.len | iwpnt.flg |     p a d d i n g     |
511 	 *      | extra data  ...
512 	 *
513 	 * The second padding exists because struct iw_point is extended,
514 	 * but this depends on the platform...
515 	 *
516 	 * On 32-bit, all the padding shouldn't be there.
517 	 */
518 
519 	skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
520 	if (!skb)
521 		return;
522 
523 	/* Send via the RtNetlink event channel */
524 	nlh = rtnetlink_ifinfo_prep(dev, skb);
525 	if (WARN_ON(!nlh)) {
526 		kfree_skb(skb);
527 		return;
528 	}
529 
530 	/* Add the wireless events in the netlink packet */
531 	nla = nla_reserve(skb, IFLA_WIRELESS, event_len);
532 	if (!nla) {
533 		kfree_skb(skb);
534 		return;
535 	}
536 	event = nla_data(nla);
537 
538 	/* Fill event - first clear to avoid data leaking */
539 	memset(event, 0, hdr_len);
540 	event->len = event_len;
541 	event->cmd = cmd;
542 	memcpy(&event->u, ((char *) wrqu) + wrqu_off, hdr_len - IW_EV_LCP_LEN);
543 	if (extra_len)
544 		memcpy(((char *) event) + hdr_len, extra, extra_len);
545 
546 	nlmsg_end(skb, nlh);
547 #ifdef CONFIG_COMPAT
548 	hdr_len = compat_event_type_size[descr->header_type];
549 	event_len = hdr_len + extra_len;
550 
551 	compskb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
552 	if (!compskb) {
553 		kfree_skb(skb);
554 		return;
555 	}
556 
557 	/* Send via the RtNetlink event channel */
558 	nlh = rtnetlink_ifinfo_prep(dev, compskb);
559 	if (WARN_ON(!nlh)) {
560 		kfree_skb(skb);
561 		kfree_skb(compskb);
562 		return;
563 	}
564 
565 	/* Add the wireless events in the netlink packet */
566 	nla = nla_reserve(compskb, IFLA_WIRELESS, event_len);
567 	if (!nla) {
568 		kfree_skb(skb);
569 		kfree_skb(compskb);
570 		return;
571 	}
572 	compat_event = nla_data(nla);
573 
574 	compat_event->len = event_len;
575 	compat_event->cmd = cmd;
576 	if (descr->header_type == IW_HEADER_TYPE_POINT) {
577 		compat_wrqu.length = wrqu->data.length;
578 		compat_wrqu.flags = wrqu->data.flags;
579 		memcpy(&compat_event->pointer,
580 			((char *) &compat_wrqu) + IW_EV_COMPAT_POINT_OFF,
581 			hdr_len - IW_EV_COMPAT_LCP_LEN);
582 		if (extra_len)
583 			memcpy(((char *) compat_event) + hdr_len,
584 				extra, extra_len);
585 	} else {
586 		/* extra_len must be zero, so no if (extra) needed */
587 		memcpy(&compat_event->pointer, wrqu,
588 			hdr_len - IW_EV_COMPAT_LCP_LEN);
589 	}
590 
591 	nlmsg_end(compskb, nlh);
592 
593 	skb_shinfo(skb)->frag_list = compskb;
594 #endif
595 	skb_queue_tail(&dev_net(dev)->wext_nlevents, skb);
596 	schedule_work(&wireless_nlevent_work);
597 }
598 EXPORT_SYMBOL(wireless_send_event);
599 
600 
601 
602 /* IW handlers */
603 
604 struct iw_statistics *get_wireless_stats(struct net_device *dev)
605 {
606 #ifdef CONFIG_WIRELESS_EXT
607 	if ((dev->wireless_handlers != NULL) &&
608 	   (dev->wireless_handlers->get_wireless_stats != NULL))
609 		return dev->wireless_handlers->get_wireless_stats(dev);
610 #endif
611 
612 #ifdef CONFIG_CFG80211_WEXT
613 	if (dev->ieee80211_ptr && dev->ieee80211_ptr &&
614 	    dev->ieee80211_ptr->wiphy &&
615 	    dev->ieee80211_ptr->wiphy->wext &&
616 	    dev->ieee80211_ptr->wiphy->wext->get_wireless_stats)
617 		return dev->ieee80211_ptr->wiphy->wext->get_wireless_stats(dev);
618 #endif
619 
620 	/* not found */
621 	return NULL;
622 }
623 
624 static int iw_handler_get_iwstats(struct net_device *		dev,
625 				  struct iw_request_info *	info,
626 				  union iwreq_data *		wrqu,
627 				  char *			extra)
628 {
629 	/* Get stats from the driver */
630 	struct iw_statistics *stats;
631 
632 	stats = get_wireless_stats(dev);
633 	if (stats) {
634 		/* Copy statistics to extra */
635 		memcpy(extra, stats, sizeof(struct iw_statistics));
636 		wrqu->data.length = sizeof(struct iw_statistics);
637 
638 		/* Check if we need to clear the updated flag */
639 		if (wrqu->data.flags != 0)
640 			stats->qual.updated &= ~IW_QUAL_ALL_UPDATED;
641 		return 0;
642 	} else
643 		return -EOPNOTSUPP;
644 }
645 
646 static iw_handler get_handler(struct net_device *dev, unsigned int cmd)
647 {
648 	/* Don't "optimise" the following variable, it will crash */
649 	unsigned int	index;		/* *MUST* be unsigned */
650 	const struct iw_handler_def *handlers = NULL;
651 
652 #ifdef CONFIG_CFG80211_WEXT
653 	if (dev->ieee80211_ptr && dev->ieee80211_ptr->wiphy)
654 		handlers = dev->ieee80211_ptr->wiphy->wext;
655 #endif
656 #ifdef CONFIG_WIRELESS_EXT
657 	if (dev->wireless_handlers)
658 		handlers = dev->wireless_handlers;
659 #endif
660 
661 	if (!handlers)
662 		return NULL;
663 
664 	/* Try as a standard command */
665 	index = cmd - SIOCIWFIRST;
666 	if (index < handlers->num_standard)
667 		return handlers->standard[index];
668 
669 #ifdef CONFIG_WEXT_PRIV
670 	/* Try as a private command */
671 	index = cmd - SIOCIWFIRSTPRIV;
672 	if (index < handlers->num_private)
673 		return handlers->private[index];
674 #endif
675 
676 	/* Not found */
677 	return NULL;
678 }
679 
680 static int ioctl_standard_iw_point(struct iw_point *iwp, unsigned int cmd,
681 				   const struct iw_ioctl_description *descr,
682 				   iw_handler handler, struct net_device *dev,
683 				   struct iw_request_info *info)
684 {
685 	int err, extra_size, user_length = 0, essid_compat = 0;
686 	char *extra;
687 
688 	/* Calculate space needed by arguments. Always allocate
689 	 * for max space.
690 	 */
691 	extra_size = descr->max_tokens * descr->token_size;
692 
693 	/* Check need for ESSID compatibility for WE < 21 */
694 	switch (cmd) {
695 	case SIOCSIWESSID:
696 	case SIOCGIWESSID:
697 	case SIOCSIWNICKN:
698 	case SIOCGIWNICKN:
699 		if (iwp->length == descr->max_tokens + 1)
700 			essid_compat = 1;
701 		else if (IW_IS_SET(cmd) && (iwp->length != 0)) {
702 			char essid[IW_ESSID_MAX_SIZE + 1];
703 			unsigned int len;
704 			len = iwp->length * descr->token_size;
705 
706 			if (len > IW_ESSID_MAX_SIZE)
707 				return -EFAULT;
708 
709 			err = copy_from_user(essid, iwp->pointer, len);
710 			if (err)
711 				return -EFAULT;
712 
713 			if (essid[iwp->length - 1] == '\0')
714 				essid_compat = 1;
715 		}
716 		break;
717 	default:
718 		break;
719 	}
720 
721 	iwp->length -= essid_compat;
722 
723 	/* Check what user space is giving us */
724 	if (IW_IS_SET(cmd)) {
725 		/* Check NULL pointer */
726 		if (!iwp->pointer && iwp->length != 0)
727 			return -EFAULT;
728 		/* Check if number of token fits within bounds */
729 		if (iwp->length > descr->max_tokens)
730 			return -E2BIG;
731 		if (iwp->length < descr->min_tokens)
732 			return -EINVAL;
733 	} else {
734 		/* Check NULL pointer */
735 		if (!iwp->pointer)
736 			return -EFAULT;
737 		/* Save user space buffer size for checking */
738 		user_length = iwp->length;
739 
740 		/* Don't check if user_length > max to allow forward
741 		 * compatibility. The test user_length < min is
742 		 * implied by the test at the end.
743 		 */
744 
745 		/* Support for very large requests */
746 		if ((descr->flags & IW_DESCR_FLAG_NOMAX) &&
747 		    (user_length > descr->max_tokens)) {
748 			/* Allow userspace to GET more than max so
749 			 * we can support any size GET requests.
750 			 * There is still a limit : -ENOMEM.
751 			 */
752 			extra_size = user_length * descr->token_size;
753 
754 			/* Note : user_length is originally a __u16,
755 			 * and token_size is controlled by us,
756 			 * so extra_size won't get negative and
757 			 * won't overflow...
758 			 */
759 		}
760 	}
761 
762 	/* kzalloc() ensures NULL-termination for essid_compat. */
763 	extra = kzalloc(extra_size, GFP_KERNEL);
764 	if (!extra)
765 		return -ENOMEM;
766 
767 	/* If it is a SET, get all the extra data in here */
768 	if (IW_IS_SET(cmd) && (iwp->length != 0)) {
769 		if (copy_from_user(extra, iwp->pointer,
770 				   iwp->length *
771 				   descr->token_size)) {
772 			err = -EFAULT;
773 			goto out;
774 		}
775 
776 		if (cmd == SIOCSIWENCODEEXT) {
777 			struct iw_encode_ext *ee = (void *) extra;
778 
779 			if (iwp->length < sizeof(*ee) + ee->key_len)
780 				return -EFAULT;
781 		}
782 	}
783 
784 	err = handler(dev, info, (union iwreq_data *) iwp, extra);
785 
786 	iwp->length += essid_compat;
787 
788 	/* If we have something to return to the user */
789 	if (!err && IW_IS_GET(cmd)) {
790 		/* Check if there is enough buffer up there */
791 		if (user_length < iwp->length) {
792 			err = -E2BIG;
793 			goto out;
794 		}
795 
796 		if (copy_to_user(iwp->pointer, extra,
797 				 iwp->length *
798 				 descr->token_size)) {
799 			err = -EFAULT;
800 			goto out;
801 		}
802 	}
803 
804 	/* Generate an event to notify listeners of the change */
805 	if ((descr->flags & IW_DESCR_FLAG_EVENT) &&
806 	    ((err == 0) || (err == -EIWCOMMIT))) {
807 		union iwreq_data *data = (union iwreq_data *) iwp;
808 
809 		if (descr->flags & IW_DESCR_FLAG_RESTRICT)
810 			/* If the event is restricted, don't
811 			 * export the payload.
812 			 */
813 			wireless_send_event(dev, cmd, data, NULL);
814 		else
815 			wireless_send_event(dev, cmd, data, extra);
816 	}
817 
818 out:
819 	kfree(extra);
820 	return err;
821 }
822 
823 /*
824  * Call the commit handler in the driver
825  * (if exist and if conditions are right)
826  *
827  * Note : our current commit strategy is currently pretty dumb,
828  * but we will be able to improve on that...
829  * The goal is to try to agreagate as many changes as possible
830  * before doing the commit. Drivers that will define a commit handler
831  * are usually those that need a reset after changing parameters, so
832  * we want to minimise the number of reset.
833  * A cool idea is to use a timer : at each "set" command, we re-set the
834  * timer, when the timer eventually fires, we call the driver.
835  * Hopefully, more on that later.
836  *
837  * Also, I'm waiting to see how many people will complain about the
838  * netif_running(dev) test. I'm open on that one...
839  * Hopefully, the driver will remember to do a commit in "open()" ;-)
840  */
841 int call_commit_handler(struct net_device *dev)
842 {
843 #ifdef CONFIG_WIRELESS_EXT
844 	if ((netif_running(dev)) &&
845 	   (dev->wireless_handlers->standard[0] != NULL))
846 		/* Call the commit handler on the driver */
847 		return dev->wireless_handlers->standard[0](dev, NULL,
848 							   NULL, NULL);
849 	else
850 		return 0;		/* Command completed successfully */
851 #else
852 	/* cfg80211 has no commit */
853 	return 0;
854 #endif
855 }
856 
857 /*
858  * Main IOCTl dispatcher.
859  * Check the type of IOCTL and call the appropriate wrapper...
860  */
861 static int wireless_process_ioctl(struct net *net, struct ifreq *ifr,
862 				  unsigned int cmd,
863 				  struct iw_request_info *info,
864 				  wext_ioctl_func standard,
865 				  wext_ioctl_func private)
866 {
867 	struct iwreq *iwr = (struct iwreq *) ifr;
868 	struct net_device *dev;
869 	iw_handler	handler;
870 
871 	/* Permissions are already checked in dev_ioctl() before calling us.
872 	 * The copy_to/from_user() of ifr is also dealt with in there */
873 
874 	/* Make sure the device exist */
875 	if ((dev = __dev_get_by_name(net, ifr->ifr_name)) == NULL)
876 		return -ENODEV;
877 
878 	/* A bunch of special cases, then the generic case...
879 	 * Note that 'cmd' is already filtered in dev_ioctl() with
880 	 * (cmd >= SIOCIWFIRST && cmd <= SIOCIWLAST) */
881 	if (cmd == SIOCGIWSTATS)
882 		return standard(dev, iwr, cmd, info,
883 				&iw_handler_get_iwstats);
884 
885 #ifdef CONFIG_WEXT_PRIV
886 	if (cmd == SIOCGIWPRIV && dev->wireless_handlers)
887 		return standard(dev, iwr, cmd, info,
888 				iw_handler_get_private);
889 #endif
890 
891 	/* Basic check */
892 	if (!netif_device_present(dev))
893 		return -ENODEV;
894 
895 	/* New driver API : try to find the handler */
896 	handler = get_handler(dev, cmd);
897 	if (handler) {
898 		/* Standard and private are not the same */
899 		if (cmd < SIOCIWFIRSTPRIV)
900 			return standard(dev, iwr, cmd, info, handler);
901 		else if (private)
902 			return private(dev, iwr, cmd, info, handler);
903 	}
904 	/* Old driver API : call driver ioctl handler */
905 	if (dev->netdev_ops->ndo_do_ioctl)
906 		return dev->netdev_ops->ndo_do_ioctl(dev, ifr, cmd);
907 	return -EOPNOTSUPP;
908 }
909 
910 /* If command is `set a parameter', or `get the encoding parameters',
911  * check if the user has the right to do it.
912  */
913 static int wext_permission_check(unsigned int cmd)
914 {
915 	if ((IW_IS_SET(cmd) || cmd == SIOCGIWENCODE ||
916 	     cmd == SIOCGIWENCODEEXT) &&
917 	    !capable(CAP_NET_ADMIN))
918 		return -EPERM;
919 
920 	return 0;
921 }
922 
923 /* entry point from dev ioctl */
924 static int wext_ioctl_dispatch(struct net *net, struct ifreq *ifr,
925 			       unsigned int cmd, struct iw_request_info *info,
926 			       wext_ioctl_func standard,
927 			       wext_ioctl_func private)
928 {
929 	int ret = wext_permission_check(cmd);
930 
931 	if (ret)
932 		return ret;
933 
934 	dev_load(net, ifr->ifr_name);
935 	rtnl_lock();
936 	ret = wireless_process_ioctl(net, ifr, cmd, info, standard, private);
937 	rtnl_unlock();
938 
939 	return ret;
940 }
941 
942 /*
943  * Wrapper to call a standard Wireless Extension handler.
944  * We do various checks and also take care of moving data between
945  * user space and kernel space.
946  */
947 static int ioctl_standard_call(struct net_device *	dev,
948 			       struct iwreq		*iwr,
949 			       unsigned int		cmd,
950 			       struct iw_request_info	*info,
951 			       iw_handler		handler)
952 {
953 	const struct iw_ioctl_description *	descr;
954 	int					ret = -EINVAL;
955 
956 	/* Get the description of the IOCTL */
957 	if ((cmd - SIOCIWFIRST) >= standard_ioctl_num)
958 		return -EOPNOTSUPP;
959 	descr = &(standard_ioctl[cmd - SIOCIWFIRST]);
960 
961 	/* Check if we have a pointer to user space data or not */
962 	if (descr->header_type != IW_HEADER_TYPE_POINT) {
963 
964 		/* No extra arguments. Trivial to handle */
965 		ret = handler(dev, info, &(iwr->u), NULL);
966 
967 		/* Generate an event to notify listeners of the change */
968 		if ((descr->flags & IW_DESCR_FLAG_EVENT) &&
969 		   ((ret == 0) || (ret == -EIWCOMMIT)))
970 			wireless_send_event(dev, cmd, &(iwr->u), NULL);
971 	} else {
972 		ret = ioctl_standard_iw_point(&iwr->u.data, cmd, descr,
973 					      handler, dev, info);
974 	}
975 
976 	/* Call commit handler if needed and defined */
977 	if (ret == -EIWCOMMIT)
978 		ret = call_commit_handler(dev);
979 
980 	/* Here, we will generate the appropriate event if needed */
981 
982 	return ret;
983 }
984 
985 
986 int wext_handle_ioctl(struct net *net, struct ifreq *ifr, unsigned int cmd,
987 		      void __user *arg)
988 {
989 	struct iw_request_info info = { .cmd = cmd, .flags = 0 };
990 	int ret;
991 
992 	ret = wext_ioctl_dispatch(net, ifr, cmd, &info,
993 				  ioctl_standard_call,
994 				  ioctl_private_call);
995 	if (ret >= 0 &&
996 	    IW_IS_GET(cmd) &&
997 	    copy_to_user(arg, ifr, sizeof(struct iwreq)))
998 		return -EFAULT;
999 
1000 	return ret;
1001 }
1002 
1003 #ifdef CONFIG_COMPAT
1004 static int compat_standard_call(struct net_device	*dev,
1005 				struct iwreq		*iwr,
1006 				unsigned int		cmd,
1007 				struct iw_request_info	*info,
1008 				iw_handler		handler)
1009 {
1010 	const struct iw_ioctl_description *descr;
1011 	struct compat_iw_point *iwp_compat;
1012 	struct iw_point iwp;
1013 	int err;
1014 
1015 	descr = standard_ioctl + (cmd - SIOCIWFIRST);
1016 
1017 	if (descr->header_type != IW_HEADER_TYPE_POINT)
1018 		return ioctl_standard_call(dev, iwr, cmd, info, handler);
1019 
1020 	iwp_compat = (struct compat_iw_point *) &iwr->u.data;
1021 	iwp.pointer = compat_ptr(iwp_compat->pointer);
1022 	iwp.length = iwp_compat->length;
1023 	iwp.flags = iwp_compat->flags;
1024 
1025 	err = ioctl_standard_iw_point(&iwp, cmd, descr, handler, dev, info);
1026 
1027 	iwp_compat->pointer = ptr_to_compat(iwp.pointer);
1028 	iwp_compat->length = iwp.length;
1029 	iwp_compat->flags = iwp.flags;
1030 
1031 	return err;
1032 }
1033 
1034 int compat_wext_handle_ioctl(struct net *net, unsigned int cmd,
1035 			     unsigned long arg)
1036 {
1037 	void __user *argp = (void __user *)arg;
1038 	struct iw_request_info info;
1039 	struct iwreq iwr;
1040 	char *colon;
1041 	int ret;
1042 
1043 	if (copy_from_user(&iwr, argp, sizeof(struct iwreq)))
1044 		return -EFAULT;
1045 
1046 	iwr.ifr_name[IFNAMSIZ-1] = 0;
1047 	colon = strchr(iwr.ifr_name, ':');
1048 	if (colon)
1049 		*colon = 0;
1050 
1051 	info.cmd = cmd;
1052 	info.flags = IW_REQUEST_FLAG_COMPAT;
1053 
1054 	ret = wext_ioctl_dispatch(net, (struct ifreq *) &iwr, cmd, &info,
1055 				  compat_standard_call,
1056 				  compat_private_call);
1057 
1058 	if (ret >= 0 &&
1059 	    IW_IS_GET(cmd) &&
1060 	    copy_to_user(argp, &iwr, sizeof(struct iwreq)))
1061 		return -EFAULT;
1062 
1063 	return ret;
1064 }
1065 #endif
1066