kernel_5.10 no rt

hc

2023-12-11 6778948f9de86c3cfaf36725a7c87dcff9ba247f

 kernel/drivers/net/wireless/quantenna/qtnfmac/event.c
..
..
@@ -1,22 +1,10 @@
1
-/*
2
- * Copyright (c) 2015-2016 Quantenna Communications, Inc.
3
- * All rights reserved.
4
- *
5
- * This program is free software; you can redistribute it and/or
6
- * modify it under the terms of the GNU General Public License
7
- * as published by the Free Software Foundation; either version 2
8
- * of the License, or (at your option) any later version.
9
- *
10
- * This program is distributed in the hope that it will be useful,
11
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
12
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13
- * GNU General Public License for more details.
14
- *
15
- */
1
+// SPDX-License-Identifier: GPL-2.0+
2
+/* Copyright (c) 2015-2016 Quantenna Communications. All rights reserved. */
16
3
 
17
4
 #include <linux/kernel.h>
18
5
 #include <linux/module.h>
19
6
 #include <linux/slab.h>
7
+#include <linux/nospec.h>
20
8
 
21
9
 #include "cfg80211.h"
22
10
 #include "core.h"
..
..
@@ -38,7 +26,6 @@
38
26
 	size_t payload_len;
39
27
 	u16 tlv_type;
40
28
 	u16 tlv_value_len;
41
-	size_t tlv_full_len;
42
29
 	const struct qlink_tlv_hdr *tlv;
43
30
 	int ret = 0;
44
31
 
..
..
@@ -71,23 +58,17 @@
71
58
 	sinfo->generation = vif->generation;
72
59
 
73
60
 	payload_len = len - sizeof(*sta_assoc);
74
-	tlv = (const struct qlink_tlv_hdr *)sta_assoc->ies;
75
61
 
76
-	while (payload_len >= sizeof(*tlv)) {
62
+	qlink_for_each_tlv(tlv, sta_assoc->ies, payload_len) {
77
63
 		tlv_type = le16_to_cpu(tlv->type);
78
64
 		tlv_value_len = le16_to_cpu(tlv->len);
79
-		tlv_full_len = tlv_value_len + sizeof(struct qlink_tlv_hdr);
80
-
81
-		if (tlv_full_len > payload_len) {
82
-			ret = -EINVAL;
83
-			goto out;
84
-		}
85
65
 
86
66
 		if (tlv_type == QTN_TLV_ID_IE_SET) {
87
67
 			const struct qlink_tlv_ie_set *ie_set;
88
68
 			unsigned int ie_len;
89
69
 
90
-			if (payload_len < sizeof(*ie_set)) {
70
+			if (tlv_value_len <
71
+			    (sizeof(*ie_set) - sizeof(ie_set->hdr))) {
91
72
 				ret = -EINVAL;
92
73
 				goto out;
93
74
 			}
..
..
@@ -101,12 +82,10 @@
101
82
 				sinfo->assoc_req_ies_len = ie_len;
102
83
 			}
103
84
 		}
104
-
105
-		payload_len -= tlv_full_len;
106
-		tlv = (struct qlink_tlv_hdr *)(tlv->val + tlv_value_len);
107
85
 	}
108
86
 
109
-	if (payload_len) {
87
+	if (!qlink_tlv_parsing_ok(tlv, sta_assoc->ies, payload_len)) {
88
+		pr_err("Malformed TLV buffer\n");
110
89
 		ret = -EINVAL;
111
90
 		goto out;
112
91
 	}
..
..
@@ -158,6 +137,18 @@
158
137
 			   const struct qlink_event_bss_join *join_info,
159
138
 			   u16 len)
160
139
 {
140
+	struct wiphy *wiphy = priv_to_wiphy(vif->mac);
141
+	enum ieee80211_statuscode status = le16_to_cpu(join_info->status);
142
+	struct cfg80211_chan_def chandef;
143
+	struct cfg80211_bss *bss = NULL;
144
+	u8 *ie = NULL;
145
+	size_t payload_len;
146
+	u16 tlv_type;
147
+	u16 tlv_value_len;
148
+	const struct qlink_tlv_hdr *tlv;
149
+	const u8 *rsp_ies = NULL;
150
+	size_t rsp_ies_len = 0;
151
+
161
152
 	if (unlikely(len < sizeof(*join_info))) {
162
153
 		pr_err("VIF%u.%u: payload is too short (%u < %zu)\n",
163
154
 		       vif->mac->macid, vif->vifid, len,
..
..
@@ -171,25 +162,120 @@
171
162
 		return -EPROTO;
172
163
 	}
173
164
 
174
-	if (vif->sta_state != QTNF_STA_CONNECTING) {
175
-		pr_err("VIF%u.%u: BSS_JOIN event when STA is not connecting\n",
176
-		       vif->mac->macid, vif->vifid);
177
-		return -EPROTO;
165
+	pr_debug("VIF%u.%u: BSSID:%pM chan:%u status:%u\n",
166
+		 vif->mac->macid, vif->vifid, join_info->bssid,
167
+		 le16_to_cpu(join_info->chan.chan.center_freq), status);
168
+
169
+	if (status != WLAN_STATUS_SUCCESS)
170
+		goto done;
171
+
172
+	qlink_chandef_q2cfg(wiphy, &join_info->chan, &chandef);
173
+	if (!cfg80211_chandef_valid(&chandef)) {
174
+		pr_warn("MAC%u.%u: bad channel freq=%u cf1=%u cf2=%u bw=%u\n",
175
+			vif->mac->macid, vif->vifid,
176
+			chandef.chan ? chandef.chan->center_freq : 0,
177
+			chandef.center_freq1,
178
+			chandef.center_freq2,
179
+			chandef.width);
180
+		status = WLAN_STATUS_UNSPECIFIED_FAILURE;
181
+		goto done;
178
182
 	}
179
183
 
180
-	pr_debug("VIF%u.%u: BSSID:%pM\n", vif->mac->macid, vif->vifid,
181
-		 join_info->bssid);
184
+	bss = cfg80211_get_bss(wiphy, chandef.chan, join_info->bssid,
185
+			       NULL, 0, IEEE80211_BSS_TYPE_ESS,
186
+			       IEEE80211_PRIVACY_ANY);
187
+	if (!bss) {
188
+		pr_warn("VIF%u.%u: add missing BSS:%pM chan:%u\n",
189
+			vif->mac->macid, vif->vifid,
190
+			join_info->bssid, chandef.chan->hw_value);
182
191
 
183
-	cfg80211_connect_result(vif->netdev, join_info->bssid, NULL, 0, NULL,
184
-				0, le16_to_cpu(join_info->status), GFP_KERNEL);
192
+		if (!vif->wdev.ssid_len) {
193
+			pr_warn("VIF%u.%u: SSID unknown for BSS:%pM\n",
194
+				vif->mac->macid, vif->vifid,
195
+				join_info->bssid);
196
+			status = WLAN_STATUS_UNSPECIFIED_FAILURE;
197
+			goto done;
198
+		}
185
199
 
186
-	if (le16_to_cpu(join_info->status) == WLAN_STATUS_SUCCESS) {
187
-		vif->sta_state = QTNF_STA_CONNECTED;
200
+		ie = kzalloc(2 + vif->wdev.ssid_len, GFP_KERNEL);
201
+		if (!ie) {
202
+			pr_warn("VIF%u.%u: IE alloc failed for BSS:%pM\n",
203
+				vif->mac->macid, vif->vifid,
204
+				join_info->bssid);
205
+			status = WLAN_STATUS_UNSPECIFIED_FAILURE;
206
+			goto done;
207
+		}
208
+
209
+		ie[0] = WLAN_EID_SSID;
210
+		ie[1] = vif->wdev.ssid_len;
211
+		memcpy(ie + 2, vif->wdev.ssid, vif->wdev.ssid_len);
212
+
213
+		bss = cfg80211_inform_bss(wiphy, chandef.chan,
214
+					  CFG80211_BSS_FTYPE_UNKNOWN,
215
+					  join_info->bssid, 0,
216
+					  WLAN_CAPABILITY_ESS, 100,
217
+					  ie, 2 + vif->wdev.ssid_len,
218
+					  0, GFP_KERNEL);
219
+		if (!bss) {
220
+			pr_warn("VIF%u.%u: can't connect to unknown BSS: %pM\n",
221
+				vif->mac->macid, vif->vifid,
222
+				join_info->bssid);
223
+			status = WLAN_STATUS_UNSPECIFIED_FAILURE;
224
+			goto done;
225
+		}
226
+	}
227
+
228
+	payload_len = len - sizeof(*join_info);
229
+
230
+	qlink_for_each_tlv(tlv, join_info->ies, payload_len) {
231
+		tlv_type = le16_to_cpu(tlv->type);
232
+		tlv_value_len = le16_to_cpu(tlv->len);
233
+
234
+		if (tlv_type == QTN_TLV_ID_IE_SET) {
235
+			const struct qlink_tlv_ie_set *ie_set;
236
+			unsigned int ie_len;
237
+
238
+			if (tlv_value_len <
239
+			    (sizeof(*ie_set) - sizeof(ie_set->hdr))) {
240
+				pr_warn("invalid IE_SET TLV\n");
241
+				status = WLAN_STATUS_UNSPECIFIED_FAILURE;
242
+				goto done;
243
+			}
244
+
245
+			ie_set = (const struct qlink_tlv_ie_set *)tlv;
246
+			ie_len = tlv_value_len -
247
+				(sizeof(*ie_set) - sizeof(ie_set->hdr));
248
+
249
+			switch (ie_set->type) {
250
+			case QLINK_IE_SET_ASSOC_RESP:
251
+				if (ie_len) {
252
+					rsp_ies = ie_set->ie_data;
253
+					rsp_ies_len = ie_len;
254
+				}
255
+				break;
256
+			default:
257
+				pr_warn("unexpected IE type: %u\n",
258
+					ie_set->type);
259
+				break;
260
+			}
261
+		}
262
+	}
263
+
264
+	if (!qlink_tlv_parsing_ok(tlv, join_info->ies, payload_len))
265
+		pr_warn("Malformed TLV buffer\n");
266
+done:
267
+	cfg80211_connect_result(vif->netdev, join_info->bssid, NULL, 0, rsp_ies,
268
+				rsp_ies_len, status, GFP_KERNEL);
269
+	if (bss) {
270
+		if (!ether_addr_equal(vif->bssid, join_info->bssid))
271
+			ether_addr_copy(vif->bssid, join_info->bssid);
272
+		cfg80211_put_bss(wiphy, bss);
273
+	}
274
+
275
+	if (status == WLAN_STATUS_SUCCESS)
188
276
 		netif_carrier_on(vif->netdev);
189
-	} else {
190
-		vif->sta_state = QTNF_STA_DISCONNECTED;
191
-	}
192
277
 
278
+	kfree(ie);
193
279
 	return 0;
194
280
 }
195
281
 
..
..
@@ -211,16 +297,10 @@
211
297
 		return -EPROTO;
212
298
 	}
213
299
 
214
-	if (vif->sta_state != QTNF_STA_CONNECTED)
215
-		pr_warn("VIF%u.%u: BSS_LEAVE event when STA is not connected\n",
216
-			vif->mac->macid, vif->vifid);
217
-
218
300
 	pr_debug("VIF%u.%u: disconnected\n", vif->mac->macid, vif->vifid);
219
301
 
220
302
 	cfg80211_disconnected(vif->netdev, le16_to_cpu(leave_info->reason),
221
303
 			      NULL, 0, 0, GFP_KERNEL);
222
-
223
-	vif->sta_state = QTNF_STA_DISCONNECTED;
224
304
 	netif_carrier_off(vif->netdev);
225
305
 
226
306
 	return 0;
..
..
@@ -267,7 +347,6 @@
267
347
 	size_t payload_len;
268
348
 	u16 tlv_type;
269
349
 	u16 tlv_value_len;
270
-	size_t tlv_full_len;
271
350
 	const struct qlink_tlv_hdr *tlv;
272
351
 	const u8 *ies = NULL;
273
352
 	size_t ies_len = 0;
..
..
@@ -286,21 +365,17 @@
286
365
 	}
287
366
 
288
367
 	payload_len = len - sizeof(*sr);
289
-	tlv = (struct qlink_tlv_hdr *)sr->payload;
290
368
 
291
-	while (payload_len >= sizeof(struct qlink_tlv_hdr)) {
369
+	qlink_for_each_tlv(tlv, sr->payload, payload_len) {
292
370
 		tlv_type = le16_to_cpu(tlv->type);
293
371
 		tlv_value_len = le16_to_cpu(tlv->len);
294
-		tlv_full_len = tlv_value_len + sizeof(struct qlink_tlv_hdr);
295
-
296
-		if (tlv_full_len > payload_len)
297
-			return -EINVAL;
298
372
 
299
373
 		if (tlv_type == QTN_TLV_ID_IE_SET) {
300
374
 			const struct qlink_tlv_ie_set *ie_set;
301
375
 			unsigned int ie_len;
302
376
 
303
-			if (payload_len < sizeof(*ie_set))
377
+			if (tlv_value_len <
378
+			    (sizeof(*ie_set) - sizeof(ie_set->hdr)))
304
379
 				return -EINVAL;
305
380
 
306
381
 			ie_set = (const struct qlink_tlv_ie_set *)tlv;
..
..
@@ -323,12 +398,9 @@
323
398
 				ies_len = ie_len;
324
399
 			}
325
400
 		}
326
-
327
-		payload_len -= tlv_full_len;
328
-		tlv = (struct qlink_tlv_hdr *)(tlv->val + tlv_value_len);
329
401
 	}
330
402
 
331
-	if (payload_len)
403
+	if (!qlink_tlv_parsing_ok(tlv, sr->payload, payload_len))
332
404
 		return -EINVAL;
333
405
 
334
406
 	bss = cfg80211_inform_bss(wiphy, channel, frame_type,
..
..
@@ -393,14 +465,20 @@
393
465
 
394
466
 	for (i = 0; i < QTNF_MAX_INTF; i++) {
395
467
 		vif = &mac->iflist[i];
468
+
396
469
 		if (vif->wdev.iftype == NL80211_IFTYPE_UNSPECIFIED)
397
470
 			continue;
398
471
 
399
-		if (vif->netdev) {
400
-			mutex_lock(&vif->wdev.mtx);
401
-			cfg80211_ch_switch_notify(vif->netdev, &chandef);
402
-			mutex_unlock(&vif->wdev.mtx);
403
-		}
472
+		if (vif->wdev.iftype == NL80211_IFTYPE_STATION &&
473
+		    !vif->wdev.current_bss)
474
+			continue;
475
+
476
+		if (!vif->netdev)
477
+			continue;
478
+
479
+		mutex_lock(&vif->wdev.mtx);
480
+		cfg80211_ch_switch_notify(vif->netdev, &chandef);
481
+		mutex_unlock(&vif->wdev.mtx);
404
482
 	}
405
483
 
406
484
 	return 0;
..
..
@@ -474,6 +552,125 @@
474
552
 	return 0;
475
553
 }
476
554
 
555
+static int
556
+qtnf_event_handle_external_auth(struct qtnf_vif *vif,
557
+				const struct qlink_event_external_auth *ev,
558
+				u16 len)
559
+{
560
+	struct cfg80211_external_auth_params auth = {0};
561
+	struct wiphy *wiphy = priv_to_wiphy(vif->mac);
562
+	int ret;
563
+
564
+	if (len < sizeof(*ev)) {
565
+		pr_err("MAC%u: payload is too short\n", vif->mac->macid);
566
+		return -EINVAL;
567
+	}
568
+
569
+	if (!wiphy->registered || !vif->netdev)
570
+		return 0;
571
+
572
+	if (ev->ssid_len) {
573
+		int len = clamp_val(ev->ssid_len, 0, IEEE80211_MAX_SSID_LEN);
574
+
575
+		memcpy(auth.ssid.ssid, ev->ssid, len);
576
+		auth.ssid.ssid_len = len;
577
+	}
578
+
579
+	auth.key_mgmt_suite = le32_to_cpu(ev->akm_suite);
580
+	ether_addr_copy(auth.bssid, ev->bssid);
581
+	auth.action = ev->action;
582
+
583
+	pr_debug("%s: external SAE processing: bss=%pM action=%u akm=%u\n",
584
+		 vif->netdev->name, auth.bssid, auth.action,
585
+		 auth.key_mgmt_suite);
586
+
587
+	ret = cfg80211_external_auth_request(vif->netdev, &auth, GFP_KERNEL);
588
+	if (ret)
589
+		pr_warn("failed to offload external auth request\n");
590
+
591
+	return ret;
592
+}
593
+
594
+static int
595
+qtnf_event_handle_mic_failure(struct qtnf_vif *vif,
596
+			      const struct qlink_event_mic_failure *mic_ev,
597
+			      u16 len)
598
+{
599
+	struct wiphy *wiphy = priv_to_wiphy(vif->mac);
600
+	u8 pairwise;
601
+
602
+	if (len < sizeof(*mic_ev)) {
603
+		pr_err("VIF%u.%u: payload is too short (%u < %zu)\n",
604
+		       vif->mac->macid, vif->vifid, len,
605
+		       sizeof(struct qlink_event_mic_failure));
606
+		return -EINVAL;
607
+	}
608
+
609
+	if (!wiphy->registered || !vif->netdev)
610
+		return 0;
611
+
612
+	if (vif->wdev.iftype != NL80211_IFTYPE_STATION) {
613
+		pr_err("VIF%u.%u: MIC_FAILURE event when not in STA mode\n",
614
+		       vif->mac->macid, vif->vifid);
615
+		return -EPROTO;
616
+	}
617
+
618
+	pairwise = mic_ev->pairwise ?
619
+		NL80211_KEYTYPE_PAIRWISE : NL80211_KEYTYPE_GROUP;
620
+
621
+	pr_info("%s: MIC error: src=%pM key_index=%u pairwise=%u\n",
622
+		vif->netdev->name, mic_ev->src, mic_ev->key_index, pairwise);
623
+
624
+	cfg80211_michael_mic_failure(vif->netdev, mic_ev->src, pairwise,
625
+				     mic_ev->key_index, NULL, GFP_KERNEL);
626
+
627
+	return 0;
628
+}
629
+
630
+static int
631
+qtnf_event_handle_update_owe(struct qtnf_vif *vif,
632
+			     const struct qlink_event_update_owe *owe_ev,
633
+			     u16 len)
634
+{
635
+	struct wiphy *wiphy = priv_to_wiphy(vif->mac);
636
+	struct cfg80211_update_owe_info owe_info = {};
637
+	const u16 ie_len = len - sizeof(*owe_ev);
638
+	u8 *ie;
639
+
640
+	if (len < sizeof(*owe_ev)) {
641
+		pr_err("VIF%u.%u: payload is too short (%u < %zu)\n",
642
+		       vif->mac->macid, vif->vifid, len,
643
+		       sizeof(struct qlink_event_update_owe));
644
+		return -EINVAL;
645
+	}
646
+
647
+	if (!wiphy->registered || !vif->netdev)
648
+		return 0;
649
+
650
+	if (vif->wdev.iftype != NL80211_IFTYPE_AP) {
651
+		pr_err("VIF%u.%u: UPDATE_OWE event when not in AP mode\n",
652
+		       vif->mac->macid, vif->vifid);
653
+		return -EPROTO;
654
+	}
655
+
656
+	ie = kzalloc(ie_len, GFP_KERNEL);
657
+	if (!ie)
658
+		return -ENOMEM;
659
+
660
+	memcpy(owe_info.peer, owe_ev->peer, ETH_ALEN);
661
+	memcpy(ie, owe_ev->ies, ie_len);
662
+	owe_info.ie_len = ie_len;
663
+	owe_info.ie = ie;
664
+
665
+	pr_info("%s: external OWE processing: peer=%pM\n",
666
+		vif->netdev->name, owe_ev->peer);
667
+
668
+	cfg80211_update_owe_info_event(vif->netdev, &owe_info, GFP_KERNEL);
669
+	kfree(ie);
670
+
671
+	return 0;
672
+}
673
+
477
674
 static int qtnf_event_parse(struct qtnf_wmac *mac,
478
675
 			    const struct sk_buff *event_skb)
479
676
 {
..
..
@@ -482,17 +679,19 @@
482
679
 	int ret = -1;
483
680
 	u16 event_id;
484
681
 	u16 event_len;
682
+	u8 vifid;
485
683
 
486
684
 	event = (const struct qlink_event *)event_skb->data;
487
685
 	event_id = le16_to_cpu(event->event_id);
488
686
 	event_len = le16_to_cpu(event->mhdr.len);
489
687
 
490
-	if (likely(event->vifid < QTNF_MAX_INTF)) {
491
-		vif = &mac->iflist[event->vifid];
492
-	} else {
688
+	if (event->vifid >= QTNF_MAX_INTF) {
493
689
 		pr_err("invalid vif(%u)\n", event->vifid);
494
690
 		return -EINVAL;
495
691
 	}
692
+
693
+	vifid = array_index_nospec(event->vifid, QTNF_MAX_INTF);
694
+	vif = &mac->iflist[vifid];
496
695
 
497
696
 	switch (event_id) {
498
697
 	case QLINK_EVENT_STA_ASSOCIATED:
..
..
@@ -532,6 +731,18 @@
532
731
 		ret = qtnf_event_handle_radar(vif, (const void *)event,
533
732
 					      event_len);
534
733
 		break;
734
+	case QLINK_EVENT_EXTERNAL_AUTH:
735
+		ret = qtnf_event_handle_external_auth(vif, (const void *)event,
736
+						      event_len);
737
+		break;
738
+	case QLINK_EVENT_MIC_FAILURE:
739
+		ret = qtnf_event_handle_mic_failure(vif, (const void *)event,
740
+						    event_len);
741
+		break;
742
+	case QLINK_EVENT_UPDATE_OWE:
743
+		ret = qtnf_event_handle_update_owe(vif, (const void *)event,
744
+						   event_len);
745
+		break;
535
746
 	default:
536
747
 		pr_warn("unknown event type: %x\n", event_id);
537
748
 		break;