~hc/RK356X_SDK_RELEASE.git

..	..	@@ -1,22 +1,10 @@
1		-/*
2		- * Copyright (c) 2015-2016 Quantenna Communications, Inc.
3		- * All rights reserved.
4		- *
5		- * This program is free software; you can redistribute it and/or
6		- * modify it under the terms of the GNU General Public License
7		- * as published by the Free Software Foundation; either version 2
8		- * of the License, or (at your option) any later version.
9		- *
10		- * This program is distributed in the hope that it will be useful,
11		- * but WITHOUT ANY WARRANTY; without even the implied warranty of
12		- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13		- * GNU General Public License for more details.
14		- *
15		- */
	1	+// SPDX-License-Identifier: GPL-2.0+
	2	+/* Copyright (c) 2015-2016 Quantenna Communications. All rights reserved. */
16	3
17	4	#include <linux/kernel.h>
18	5	#include <linux/module.h>
19	6	#include <linux/slab.h>
	7	+#include <linux/nospec.h>
20	8
21	9	#include "cfg80211.h"
22	10	#include "core.h"
..	..	@@ -38,7 +26,6 @@
38	26	size_t payload_len;
39	27	u16 tlv_type;
40	28	u16 tlv_value_len;
41		- size_t tlv_full_len;
42	29	const struct qlink_tlv_hdr *tlv;
43	30	int ret = 0;
44	31
..	..	@@ -71,23 +58,17 @@
71	58	sinfo->generation = vif->generation;
72	59
73	60	payload_len = len - sizeof(*sta_assoc);
74		- tlv = (const struct qlink_tlv_hdr *)sta_assoc->ies;
75	61
76		- while (payload_len >= sizeof(*tlv)) {
	62	+ qlink_for_each_tlv(tlv, sta_assoc->ies, payload_len) {
77	63	tlv_type = le16_to_cpu(tlv->type);
78	64	tlv_value_len = le16_to_cpu(tlv->len);
79		- tlv_full_len = tlv_value_len + sizeof(struct qlink_tlv_hdr);
80		-
81		- if (tlv_full_len > payload_len) {
82		- ret = -EINVAL;
83		- goto out;
84		- }
85	65
86	66	if (tlv_type == QTN_TLV_ID_IE_SET) {
87	67	const struct qlink_tlv_ie_set *ie_set;
88	68	unsigned int ie_len;
89	69
90		- if (payload_len < sizeof(*ie_set)) {
	70	+ if (tlv_value_len <
	71	+ (sizeof(*ie_set) - sizeof(ie_set->hdr))) {
91	72	ret = -EINVAL;
92	73	goto out;
93	74	}
..	..	@@ -101,12 +82,10 @@
101	82	sinfo->assoc_req_ies_len = ie_len;
102	83	}
103	84	}
104		-
105		- payload_len -= tlv_full_len;
106		- tlv = (struct qlink_tlv_hdr *)(tlv->val + tlv_value_len);
107	85	}
108	86
109		- if (payload_len) {
	87	+ if (!qlink_tlv_parsing_ok(tlv, sta_assoc->ies, payload_len)) {
	88	+ pr_err("Malformed TLV buffer\n");
110	89	ret = -EINVAL;
111	90	goto out;
112	91	}
..	..	@@ -158,6 +137,18 @@
158	137	const struct qlink_event_bss_join *join_info,
159	138	u16 len)
160	139	{
	140	+ struct wiphy *wiphy = priv_to_wiphy(vif->mac);
	141	+ enum ieee80211_statuscode status = le16_to_cpu(join_info->status);
	142	+ struct cfg80211_chan_def chandef;
	143	+ struct cfg80211_bss *bss = NULL;
	144	+ u8 *ie = NULL;
	145	+ size_t payload_len;
	146	+ u16 tlv_type;
	147	+ u16 tlv_value_len;
	148	+ const struct qlink_tlv_hdr *tlv;
	149	+ const u8 *rsp_ies = NULL;
	150	+ size_t rsp_ies_len = 0;
	151	+
161	152	if (unlikely(len < sizeof(*join_info))) {
162	153	pr_err("VIF%u.%u: payload is too short (%u < %zu)\n",
163	154	vif->mac->macid, vif->vifid, len,
..	..	@@ -171,25 +162,120 @@
171	162	return -EPROTO;
172	163	}
173	164
174		- if (vif->sta_state != QTNF_STA_CONNECTING) {
175		- pr_err("VIF%u.%u: BSS_JOIN event when STA is not connecting\n",
176		- vif->mac->macid, vif->vifid);
177		- return -EPROTO;
	165	+ pr_debug("VIF%u.%u: BSSID:%pM chan:%u status:%u\n",
	166	+ vif->mac->macid, vif->vifid, join_info->bssid,
	167	+ le16_to_cpu(join_info->chan.chan.center_freq), status);
	168	+
	169	+ if (status != WLAN_STATUS_SUCCESS)
	170	+ goto done;
	171	+
	172	+ qlink_chandef_q2cfg(wiphy, &join_info->chan, &chandef);
	173	+ if (!cfg80211_chandef_valid(&chandef)) {
	174	+ pr_warn("MAC%u.%u: bad channel freq=%u cf1=%u cf2=%u bw=%u\n",
	175	+ vif->mac->macid, vif->vifid,
	176	+ chandef.chan ? chandef.chan->center_freq : 0,
	177	+ chandef.center_freq1,
	178	+ chandef.center_freq2,
	179	+ chandef.width);
	180	+ status = WLAN_STATUS_UNSPECIFIED_FAILURE;
	181	+ goto done;
178	182	}
179	183
180		- pr_debug("VIF%u.%u: BSSID:%pM\n", vif->mac->macid, vif->vifid,
181		- join_info->bssid);
	184	+ bss = cfg80211_get_bss(wiphy, chandef.chan, join_info->bssid,
	185	+ NULL, 0, IEEE80211_BSS_TYPE_ESS,
	186	+ IEEE80211_PRIVACY_ANY);
	187	+ if (!bss) {
	188	+ pr_warn("VIF%u.%u: add missing BSS:%pM chan:%u\n",
	189	+ vif->mac->macid, vif->vifid,
	190	+ join_info->bssid, chandef.chan->hw_value);
182	191
183		- cfg80211_connect_result(vif->netdev, join_info->bssid, NULL, 0, NULL,
184		- 0, le16_to_cpu(join_info->status), GFP_KERNEL);
	192	+ if (!vif->wdev.ssid_len) {
	193	+ pr_warn("VIF%u.%u: SSID unknown for BSS:%pM\n",
	194	+ vif->mac->macid, vif->vifid,
	195	+ join_info->bssid);
	196	+ status = WLAN_STATUS_UNSPECIFIED_FAILURE;
	197	+ goto done;
	198	+ }
185	199
186		- if (le16_to_cpu(join_info->status) == WLAN_STATUS_SUCCESS) {
187		- vif->sta_state = QTNF_STA_CONNECTED;
	200	+ ie = kzalloc(2 + vif->wdev.ssid_len, GFP_KERNEL);
	201	+ if (!ie) {
	202	+ pr_warn("VIF%u.%u: IE alloc failed for BSS:%pM\n",
	203	+ vif->mac->macid, vif->vifid,
	204	+ join_info->bssid);
	205	+ status = WLAN_STATUS_UNSPECIFIED_FAILURE;
	206	+ goto done;
	207	+ }
	208	+
	209	+ ie[0] = WLAN_EID_SSID;
	210	+ ie[1] = vif->wdev.ssid_len;
	211	+ memcpy(ie + 2, vif->wdev.ssid, vif->wdev.ssid_len);
	212	+
	213	+ bss = cfg80211_inform_bss(wiphy, chandef.chan,
	214	+ CFG80211_BSS_FTYPE_UNKNOWN,
	215	+ join_info->bssid, 0,
	216	+ WLAN_CAPABILITY_ESS, 100,
	217	+ ie, 2 + vif->wdev.ssid_len,
	218	+ 0, GFP_KERNEL);
	219	+ if (!bss) {
	220	+ pr_warn("VIF%u.%u: can't connect to unknown BSS: %pM\n",
	221	+ vif->mac->macid, vif->vifid,
	222	+ join_info->bssid);
	223	+ status = WLAN_STATUS_UNSPECIFIED_FAILURE;
	224	+ goto done;
	225	+ }
	226	+ }
	227	+
	228	+ payload_len = len - sizeof(*join_info);
	229	+
	230	+ qlink_for_each_tlv(tlv, join_info->ies, payload_len) {
	231	+ tlv_type = le16_to_cpu(tlv->type);
	232	+ tlv_value_len = le16_to_cpu(tlv->len);
	233	+
	234	+ if (tlv_type == QTN_TLV_ID_IE_SET) {
	235	+ const struct qlink_tlv_ie_set *ie_set;
	236	+ unsigned int ie_len;
	237	+
	238	+ if (tlv_value_len <
	239	+ (sizeof(*ie_set) - sizeof(ie_set->hdr))) {
	240	+ pr_warn("invalid IE_SET TLV\n");
	241	+ status = WLAN_STATUS_UNSPECIFIED_FAILURE;
	242	+ goto done;
	243	+ }
	244	+
	245	+ ie_set = (const struct qlink_tlv_ie_set *)tlv;
	246	+ ie_len = tlv_value_len -
	247	+ (sizeof(*ie_set) - sizeof(ie_set->hdr));
	248	+
	249	+ switch (ie_set->type) {
	250	+ case QLINK_IE_SET_ASSOC_RESP:
	251	+ if (ie_len) {
	252	+ rsp_ies = ie_set->ie_data;
	253	+ rsp_ies_len = ie_len;
	254	+ }
	255	+ break;
	256	+ default:
	257	+ pr_warn("unexpected IE type: %u\n",
	258	+ ie_set->type);
	259	+ break;
	260	+ }
	261	+ }
	262	+ }
	263	+
	264	+ if (!qlink_tlv_parsing_ok(tlv, join_info->ies, payload_len))
	265	+ pr_warn("Malformed TLV buffer\n");
	266	+done:
	267	+ cfg80211_connect_result(vif->netdev, join_info->bssid, NULL, 0, rsp_ies,
	268	+ rsp_ies_len, status, GFP_KERNEL);
	269	+ if (bss) {
	270	+ if (!ether_addr_equal(vif->bssid, join_info->bssid))
	271	+ ether_addr_copy(vif->bssid, join_info->bssid);
	272	+ cfg80211_put_bss(wiphy, bss);
	273	+ }
	274	+
	275	+ if (status == WLAN_STATUS_SUCCESS)
188	276	netif_carrier_on(vif->netdev);
189		- } else {
190		- vif->sta_state = QTNF_STA_DISCONNECTED;
191		- }
192	277
	278	+ kfree(ie);
193	279	return 0;
194	280	}
195	281
..	..	@@ -211,16 +297,10 @@
211	297	return -EPROTO;
212	298	}
213	299
214		- if (vif->sta_state != QTNF_STA_CONNECTED)
215		- pr_warn("VIF%u.%u: BSS_LEAVE event when STA is not connected\n",
216		- vif->mac->macid, vif->vifid);
217		-
218	300	pr_debug("VIF%u.%u: disconnected\n", vif->mac->macid, vif->vifid);
219	301
220	302	cfg80211_disconnected(vif->netdev, le16_to_cpu(leave_info->reason),
221	303	NULL, 0, 0, GFP_KERNEL);
222		-
223		- vif->sta_state = QTNF_STA_DISCONNECTED;
224	304	netif_carrier_off(vif->netdev);
225	305
226	306	return 0;
..	..	@@ -267,7 +347,6 @@
267	347	size_t payload_len;
268	348	u16 tlv_type;
269	349	u16 tlv_value_len;
270		- size_t tlv_full_len;
271	350	const struct qlink_tlv_hdr *tlv;
272	351	const u8 *ies = NULL;
273	352	size_t ies_len = 0;
..	..	@@ -286,21 +365,17 @@
286	365	}
287	366
288	367	payload_len = len - sizeof(*sr);
289		- tlv = (struct qlink_tlv_hdr *)sr->payload;
290	368
291		- while (payload_len >= sizeof(struct qlink_tlv_hdr)) {
	369	+ qlink_for_each_tlv(tlv, sr->payload, payload_len) {
292	370	tlv_type = le16_to_cpu(tlv->type);
293	371	tlv_value_len = le16_to_cpu(tlv->len);
294		- tlv_full_len = tlv_value_len + sizeof(struct qlink_tlv_hdr);
295		-
296		- if (tlv_full_len > payload_len)
297		- return -EINVAL;
298	372
299	373	if (tlv_type == QTN_TLV_ID_IE_SET) {
300	374	const struct qlink_tlv_ie_set *ie_set;
301	375	unsigned int ie_len;
302	376
303		- if (payload_len < sizeof(*ie_set))
	377	+ if (tlv_value_len <
	378	+ (sizeof(*ie_set) - sizeof(ie_set->hdr)))
304	379	return -EINVAL;
305	380
306	381	ie_set = (const struct qlink_tlv_ie_set *)tlv;
..	..	@@ -323,12 +398,9 @@
323	398	ies_len = ie_len;
324	399	}
325	400	}
326		-
327		- payload_len -= tlv_full_len;
328		- tlv = (struct qlink_tlv_hdr *)(tlv->val + tlv_value_len);
329	401	}
330	402
331		- if (payload_len)
	403	+ if (!qlink_tlv_parsing_ok(tlv, sr->payload, payload_len))
332	404	return -EINVAL;
333	405
334	406	bss = cfg80211_inform_bss(wiphy, channel, frame_type,
..	..	@@ -393,14 +465,20 @@
393	465
394	466	for (i = 0; i < QTNF_MAX_INTF; i++) {
395	467	vif = &mac->iflist[i];
	468	+
396	469	if (vif->wdev.iftype == NL80211_IFTYPE_UNSPECIFIED)
397	470	continue;
398	471
399		- if (vif->netdev) {
400		- mutex_lock(&vif->wdev.mtx);
401		- cfg80211_ch_switch_notify(vif->netdev, &chandef);
402		- mutex_unlock(&vif->wdev.mtx);
403		- }
	472	+ if (vif->wdev.iftype == NL80211_IFTYPE_STATION &&
	473	+ !vif->wdev.current_bss)
	474	+ continue;
	475	+
	476	+ if (!vif->netdev)
	477	+ continue;
	478	+
	479	+ mutex_lock(&vif->wdev.mtx);
	480	+ cfg80211_ch_switch_notify(vif->netdev, &chandef);
	481	+ mutex_unlock(&vif->wdev.mtx);
404	482	}
405	483
406	484	return 0;
..	..	@@ -474,6 +552,125 @@
474	552	return 0;
475	553	}
476	554
	555	+static int
	556	+qtnf_event_handle_external_auth(struct qtnf_vif *vif,
	557	+ const struct qlink_event_external_auth *ev,
	558	+ u16 len)
	559	+{
	560	+ struct cfg80211_external_auth_params auth = {0};
	561	+ struct wiphy *wiphy = priv_to_wiphy(vif->mac);
	562	+ int ret;
	563	+
	564	+ if (len < sizeof(*ev)) {
	565	+ pr_err("MAC%u: payload is too short\n", vif->mac->macid);
	566	+ return -EINVAL;
	567	+ }
	568	+
	569	+ if (!wiphy->registered \|\| !vif->netdev)
	570	+ return 0;
	571	+
	572	+ if (ev->ssid_len) {
	573	+ int len = clamp_val(ev->ssid_len, 0, IEEE80211_MAX_SSID_LEN);
	574	+
	575	+ memcpy(auth.ssid.ssid, ev->ssid, len);
	576	+ auth.ssid.ssid_len = len;
	577	+ }
	578	+
	579	+ auth.key_mgmt_suite = le32_to_cpu(ev->akm_suite);
	580	+ ether_addr_copy(auth.bssid, ev->bssid);
	581	+ auth.action = ev->action;
	582	+
	583	+ pr_debug("%s: external SAE processing: bss=%pM action=%u akm=%u\n",
	584	+ vif->netdev->name, auth.bssid, auth.action,
	585	+ auth.key_mgmt_suite);
	586	+
	587	+ ret = cfg80211_external_auth_request(vif->netdev, &auth, GFP_KERNEL);
	588	+ if (ret)
	589	+ pr_warn("failed to offload external auth request\n");
	590	+
	591	+ return ret;
	592	+}
	593	+
	594	+static int
	595	+qtnf_event_handle_mic_failure(struct qtnf_vif *vif,
	596	+ const struct qlink_event_mic_failure *mic_ev,
	597	+ u16 len)
	598	+{
	599	+ struct wiphy *wiphy = priv_to_wiphy(vif->mac);
	600	+ u8 pairwise;
	601	+
	602	+ if (len < sizeof(*mic_ev)) {
	603	+ pr_err("VIF%u.%u: payload is too short (%u < %zu)\n",
	604	+ vif->mac->macid, vif->vifid, len,
	605	+ sizeof(struct qlink_event_mic_failure));
	606	+ return -EINVAL;
	607	+ }
	608	+
	609	+ if (!wiphy->registered \|\| !vif->netdev)
	610	+ return 0;
	611	+
	612	+ if (vif->wdev.iftype != NL80211_IFTYPE_STATION) {
	613	+ pr_err("VIF%u.%u: MIC_FAILURE event when not in STA mode\n",
	614	+ vif->mac->macid, vif->vifid);
	615	+ return -EPROTO;
	616	+ }
	617	+
	618	+ pairwise = mic_ev->pairwise ?
	619	+ NL80211_KEYTYPE_PAIRWISE : NL80211_KEYTYPE_GROUP;
	620	+
	621	+ pr_info("%s: MIC error: src=%pM key_index=%u pairwise=%u\n",
	622	+ vif->netdev->name, mic_ev->src, mic_ev->key_index, pairwise);
	623	+
	624	+ cfg80211_michael_mic_failure(vif->netdev, mic_ev->src, pairwise,
	625	+ mic_ev->key_index, NULL, GFP_KERNEL);
	626	+
	627	+ return 0;
	628	+}
	629	+
	630	+static int
	631	+qtnf_event_handle_update_owe(struct qtnf_vif *vif,
	632	+ const struct qlink_event_update_owe *owe_ev,
	633	+ u16 len)
	634	+{
	635	+ struct wiphy *wiphy = priv_to_wiphy(vif->mac);
	636	+ struct cfg80211_update_owe_info owe_info = {};
	637	+ const u16 ie_len = len - sizeof(*owe_ev);
	638	+ u8 *ie;
	639	+
	640	+ if (len < sizeof(*owe_ev)) {
	641	+ pr_err("VIF%u.%u: payload is too short (%u < %zu)\n",
	642	+ vif->mac->macid, vif->vifid, len,
	643	+ sizeof(struct qlink_event_update_owe));
	644	+ return -EINVAL;
	645	+ }
	646	+
	647	+ if (!wiphy->registered \|\| !vif->netdev)
	648	+ return 0;
	649	+
	650	+ if (vif->wdev.iftype != NL80211_IFTYPE_AP) {
	651	+ pr_err("VIF%u.%u: UPDATE_OWE event when not in AP mode\n",
	652	+ vif->mac->macid, vif->vifid);
	653	+ return -EPROTO;
	654	+ }
	655	+
	656	+ ie = kzalloc(ie_len, GFP_KERNEL);
	657	+ if (!ie)
	658	+ return -ENOMEM;
	659	+
	660	+ memcpy(owe_info.peer, owe_ev->peer, ETH_ALEN);
	661	+ memcpy(ie, owe_ev->ies, ie_len);
	662	+ owe_info.ie_len = ie_len;
	663	+ owe_info.ie = ie;
	664	+
	665	+ pr_info("%s: external OWE processing: peer=%pM\n",
	666	+ vif->netdev->name, owe_ev->peer);
	667	+
	668	+ cfg80211_update_owe_info_event(vif->netdev, &owe_info, GFP_KERNEL);
	669	+ kfree(ie);
	670	+
	671	+ return 0;
	672	+}
	673	+
477	674	static int qtnf_event_parse(struct qtnf_wmac *mac,
478	675	const struct sk_buff *event_skb)
479	676	{
..	..	@@ -482,17 +679,19 @@
482	679	int ret = -1;
483	680	u16 event_id;
484	681	u16 event_len;
	682	+ u8 vifid;
485	683
486	684	event = (const struct qlink_event *)event_skb->data;
487	685	event_id = le16_to_cpu(event->event_id);
488	686	event_len = le16_to_cpu(event->mhdr.len);
489	687
490		- if (likely(event->vifid < QTNF_MAX_INTF)) {
491		- vif = &mac->iflist[event->vifid];
492		- } else {
	688	+ if (event->vifid >= QTNF_MAX_INTF) {
493	689	pr_err("invalid vif(%u)\n", event->vifid);
494	690	return -EINVAL;
495	691	}
	692	+
	693	+ vifid = array_index_nospec(event->vifid, QTNF_MAX_INTF);
	694	+ vif = &mac->iflist[vifid];
496	695
497	696	switch (event_id) {
498	697	case QLINK_EVENT_STA_ASSOCIATED:
..	..	@@ -532,6 +731,18 @@
532	731	ret = qtnf_event_handle_radar(vif, (const void *)event,
533	732	event_len);
534	733	break;
	734	+ case QLINK_EVENT_EXTERNAL_AUTH:
	735	+ ret = qtnf_event_handle_external_auth(vif, (const void *)event,
	736	+ event_len);
	737	+ break;
	738	+ case QLINK_EVENT_MIC_FAILURE:
	739	+ ret = qtnf_event_handle_mic_failure(vif, (const void *)event,
	740	+ event_len);
	741	+ break;
	742	+ case QLINK_EVENT_UPDATE_OWE:
	743	+ ret = qtnf_event_handle_update_owe(vif, (const void *)event,
	744	+ event_len);
	745	+ break;
535	746	default:
536	747	pr_warn("unknown event type: %x\n", event_id);
537	748	break;