releases/4.4.14/wext-fix-32-bit-iwpriv-compatibility-issue-with-64-bit-kernel.patch

   1 From 3d5fdff46c4b2b9534fa2f9fc78e90a48e0ff724 Mon Sep 17 00:00:00 2001
   2 From: Prasun Maiti <prasunmaiti87@gmail.com>
   3 Date: Mon, 6 Jun 2016 20:04:19 +0530
   4 Subject: wext: Fix 32 bit iwpriv compatibility issue with 64 bit Kernel
   5
   6 From: Prasun Maiti <prasunmaiti87@gmail.com>
   7
   8 commit 3d5fdff46c4b2b9534fa2f9fc78e90a48e0ff724 upstream.
   9
  10 iwpriv app uses iw_point structure to send data to Kernel. The iw_point
  11 structure holds a pointer. For compatibility Kernel converts the pointer
  12 as required for WEXT IOCTLs (SIOCIWFIRST to SIOCIWLAST). Some drivers
  13 may use iw_handler_def.private_args to populate iwpriv commands instead
  14 of iw_handler_def.private. For those case, the IOCTLs from
  15 SIOCIWFIRSTPRIV to SIOCIWLASTPRIV will follow the path ndo_do_ioctl().
  16 Accordingly when the filled up iw_point structure comes from 32 bit
  17 iwpriv to 64 bit Kernel, Kernel will not convert the pointer and sends
  18 it to driver. So, the driver may get the invalid data.
  19
  20 The pointer conversion for the IOCTLs (SIOCIWFIRSTPRIV to
  21 SIOCIWLASTPRIV), which follow the path ndo_do_ioctl(), is mandatory.
  22 This patch adds pointer conversion from 32 bit to 64 bit and vice versa,
  23 if the ioctl comes from 32 bit iwpriv to 64 bit Kernel.
  24
  25 Signed-off-by: Prasun Maiti <prasunmaiti87@gmail.com>
  26 Signed-off-by: Ujjal Roy <royujjal@gmail.com>
  27 Tested-by: Dibyajyoti Ghosh <dibyajyotig@gmail.com>
  28 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
  29 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  30
  31 ---
  32  net/wireless/wext-core.c |   25 +++++++++++++++++++++++--
  33  1 file changed, 23 insertions(+), 2 deletions(-)
  34
  35 --- a/net/wireless/wext-core.c
  36 +++ b/net/wireless/wext-core.c
  37 @@ -955,8 +955,29 @@ static int wireless_process_ioctl(struct
  38                         return private(dev, iwr, cmd, info, handler);
  39         }
  40         /* Old driver API : call driver ioctl handler */
  41 -       if (dev->netdev_ops->ndo_do_ioctl)
  42 -               return dev->netdev_ops->ndo_do_ioctl(dev, ifr, cmd);
  43 +       if (dev->netdev_ops->ndo_do_ioctl) {
  44 +#ifdef CONFIG_COMPAT
  45 +               if (info->flags & IW_REQUEST_FLAG_COMPAT) {
  46 +                       int ret = 0;
  47 +                       struct iwreq iwr_lcl;
  48 +                       struct compat_iw_point *iwp_compat = (void *) &iwr->u.data;
  49 +
  50 +                       memcpy(&iwr_lcl, iwr, sizeof(struct iwreq));
  51 +                       iwr_lcl.u.data.pointer = compat_ptr(iwp_compat->pointer);
  52 +                       iwr_lcl.u.data.length = iwp_compat->length;
  53 +                       iwr_lcl.u.data.flags = iwp_compat->flags;
  54 +
  55 +                       ret = dev->netdev_ops->ndo_do_ioctl(dev, (void *) &iwr_lcl, cmd);
  56 +
  57 +                       iwp_compat->pointer = ptr_to_compat(iwr_lcl.u.data.pointer);
  58 +                       iwp_compat->length = iwr_lcl.u.data.length;
  59 +                       iwp_compat->flags = iwr_lcl.u.data.flags;
  60 +
  61 +                       return ret;
  62 +               } else
  63 +#endif
  64 +                       return dev->netdev_ops->ndo_do_ioctl(dev, ifr, cmd);
  65 +       }
  66         return -EOPNOTSUPP;
  67  }
  68