1 // SPDX-License-Identifier: GPL-2.0+
2 /* Copyright (c) 2015-2016 Quantenna Communications. All rights reserved. */
4 #include <linux/kernel.h>
5 #include <linux/module.h>
6 #include <linux/slab.h>
7 #include <linux/nospec.h>
16 #include "qlink_util.h"
19 qtnf_event_handle_sta_assoc(struct qtnf_wmac *mac, struct qtnf_vif *vif,
20 const struct qlink_event_sta_assoc *sta_assoc,
25 struct station_info *sinfo;
29 const struct qlink_tlv_hdr *tlv;
32 if (unlikely(len < sizeof(*sta_assoc))) {
33 pr_err("VIF%u.%u: payload is too short (%u < %zu)\n",
34 mac->macid, vif->vifid, len, sizeof(*sta_assoc));
38 if (vif->wdev.iftype != NL80211_IFTYPE_AP) {
39 pr_err("VIF%u.%u: STA_ASSOC event when not in AP mode\n",
40 mac->macid, vif->vifid);
44 sinfo = kzalloc(sizeof(*sinfo), GFP_KERNEL);
48 sta_addr = sta_assoc->sta_addr;
49 frame_control = le16_to_cpu(sta_assoc->frame_control);
51 pr_debug("VIF%u.%u: MAC:%pM FC:%x\n", mac->macid, vif->vifid, sta_addr,
54 qtnf_sta_list_add(vif, sta_addr);
56 sinfo->assoc_req_ies = NULL;
57 sinfo->assoc_req_ies_len = 0;
58 sinfo->generation = vif->generation;
60 payload_len = len - sizeof(*sta_assoc);
62 qlink_for_each_tlv(tlv, sta_assoc->ies, payload_len) {
63 tlv_type = le16_to_cpu(tlv->type);
64 tlv_value_len = le16_to_cpu(tlv->len);
66 if (tlv_type == QTN_TLV_ID_IE_SET) {
67 const struct qlink_tlv_ie_set *ie_set;
71 (sizeof(*ie_set) - sizeof(ie_set->hdr))) {
76 ie_set = (const struct qlink_tlv_ie_set *)tlv;
77 ie_len = tlv_value_len -
78 (sizeof(*ie_set) - sizeof(ie_set->hdr));
80 if (ie_set->type == QLINK_IE_SET_ASSOC_REQ && ie_len) {
81 sinfo->assoc_req_ies = ie_set->ie_data;
82 sinfo->assoc_req_ies_len = ie_len;
87 if (!qlink_tlv_parsing_ok(tlv, sta_assoc->ies, payload_len)) {
88 pr_err("Malformed TLV buffer\n");
93 cfg80211_new_sta(vif->netdev, sta_assoc->sta_addr, sinfo,
102 qtnf_event_handle_sta_deauth(struct qtnf_wmac *mac, struct qtnf_vif *vif,
103 const struct qlink_event_sta_deauth *sta_deauth,
109 if (unlikely(len < sizeof(*sta_deauth))) {
110 pr_err("VIF%u.%u: payload is too short (%u < %zu)\n",
111 mac->macid, vif->vifid, len,
112 sizeof(struct qlink_event_sta_deauth));
116 if (vif->wdev.iftype != NL80211_IFTYPE_AP) {
117 pr_err("VIF%u.%u: STA_DEAUTH event when not in AP mode\n",
118 mac->macid, vif->vifid);
122 sta_addr = sta_deauth->sta_addr;
123 reason = le16_to_cpu(sta_deauth->reason);
125 pr_debug("VIF%u.%u: MAC:%pM reason:%x\n", mac->macid, vif->vifid,
128 if (qtnf_sta_list_del(vif, sta_addr))
129 cfg80211_del_sta(vif->netdev, sta_deauth->sta_addr,
136 qtnf_event_handle_bss_join(struct qtnf_vif *vif,
137 const struct qlink_event_bss_join *join_info,
140 struct wiphy *wiphy = priv_to_wiphy(vif->mac);
141 enum ieee80211_statuscode status = le16_to_cpu(join_info->status);
142 struct cfg80211_chan_def chandef;
143 struct cfg80211_bss *bss = NULL;
148 const struct qlink_tlv_hdr *tlv;
149 const u8 *rsp_ies = NULL;
150 size_t rsp_ies_len = 0;
152 if (unlikely(len < sizeof(*join_info))) {
153 pr_err("VIF%u.%u: payload is too short (%u < %zu)\n",
154 vif->mac->macid, vif->vifid, len,
155 sizeof(struct qlink_event_bss_join));
159 if (vif->wdev.iftype != NL80211_IFTYPE_STATION) {
160 pr_err("VIF%u.%u: BSS_JOIN event when not in STA mode\n",
161 vif->mac->macid, vif->vifid);
165 pr_debug("VIF%u.%u: BSSID:%pM chan:%u status:%u\n",
166 vif->mac->macid, vif->vifid, join_info->bssid,
167 le16_to_cpu(join_info->chan.chan.center_freq), status);
169 if (status != WLAN_STATUS_SUCCESS)
172 qlink_chandef_q2cfg(wiphy, &join_info->chan, &chandef);
173 if (!cfg80211_chandef_valid(&chandef)) {
174 pr_warn("MAC%u.%u: bad channel freq=%u cf1=%u cf2=%u bw=%u\n",
175 vif->mac->macid, vif->vifid,
176 chandef.chan ? chandef.chan->center_freq : 0,
177 chandef.center_freq1,
178 chandef.center_freq2,
180 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
184 bss = cfg80211_get_bss(wiphy, chandef.chan, join_info->bssid,
185 NULL, 0, IEEE80211_BSS_TYPE_ESS,
186 IEEE80211_PRIVACY_ANY);
188 pr_warn("VIF%u.%u: add missing BSS:%pM chan:%u\n",
189 vif->mac->macid, vif->vifid,
190 join_info->bssid, chandef.chan->hw_value);
192 if (!vif->wdev.ssid_len) {
193 pr_warn("VIF%u.%u: SSID unknown for BSS:%pM\n",
194 vif->mac->macid, vif->vifid,
196 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
200 ie = kzalloc(2 + vif->wdev.ssid_len, GFP_KERNEL);
202 pr_warn("VIF%u.%u: IE alloc failed for BSS:%pM\n",
203 vif->mac->macid, vif->vifid,
205 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
209 ie[0] = WLAN_EID_SSID;
210 ie[1] = vif->wdev.ssid_len;
211 memcpy(ie + 2, vif->wdev.ssid, vif->wdev.ssid_len);
213 bss = cfg80211_inform_bss(wiphy, chandef.chan,
214 CFG80211_BSS_FTYPE_UNKNOWN,
216 WLAN_CAPABILITY_ESS, 100,
217 ie, 2 + vif->wdev.ssid_len,
220 pr_warn("VIF%u.%u: can't connect to unknown BSS: %pM\n",
221 vif->mac->macid, vif->vifid,
223 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
228 payload_len = len - sizeof(*join_info);
230 qlink_for_each_tlv(tlv, join_info->ies, payload_len) {
231 tlv_type = le16_to_cpu(tlv->type);
232 tlv_value_len = le16_to_cpu(tlv->len);
234 if (tlv_type == QTN_TLV_ID_IE_SET) {
235 const struct qlink_tlv_ie_set *ie_set;
239 (sizeof(*ie_set) - sizeof(ie_set->hdr))) {
240 pr_warn("invalid IE_SET TLV\n");
241 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
245 ie_set = (const struct qlink_tlv_ie_set *)tlv;
246 ie_len = tlv_value_len -
247 (sizeof(*ie_set) - sizeof(ie_set->hdr));
249 switch (ie_set->type) {
250 case QLINK_IE_SET_ASSOC_RESP:
252 rsp_ies = ie_set->ie_data;
253 rsp_ies_len = ie_len;
257 pr_warn("unexpected IE type: %u\n",
264 if (!qlink_tlv_parsing_ok(tlv, join_info->ies, payload_len))
265 pr_warn("Malformed TLV buffer\n");
267 cfg80211_connect_result(vif->netdev, join_info->bssid, NULL, 0, rsp_ies,
268 rsp_ies_len, status, GFP_KERNEL);
270 if (!ether_addr_equal(vif->bssid, join_info->bssid))
271 ether_addr_copy(vif->bssid, join_info->bssid);
272 cfg80211_put_bss(wiphy, bss);
275 if (status == WLAN_STATUS_SUCCESS)
276 netif_carrier_on(vif->netdev);
283 qtnf_event_handle_bss_leave(struct qtnf_vif *vif,
284 const struct qlink_event_bss_leave *leave_info,
287 if (unlikely(len < sizeof(*leave_info))) {
288 pr_err("VIF%u.%u: payload is too short (%u < %zu)\n",
289 vif->mac->macid, vif->vifid, len,
290 sizeof(struct qlink_event_bss_leave));
294 if (vif->wdev.iftype != NL80211_IFTYPE_STATION) {
295 pr_err("VIF%u.%u: BSS_LEAVE event when not in STA mode\n",
296 vif->mac->macid, vif->vifid);
300 pr_debug("VIF%u.%u: disconnected\n", vif->mac->macid, vif->vifid);
302 cfg80211_disconnected(vif->netdev, le16_to_cpu(leave_info->reason),
303 NULL, 0, 0, GFP_KERNEL);
304 netif_carrier_off(vif->netdev);
310 qtnf_event_handle_mgmt_received(struct qtnf_vif *vif,
311 const struct qlink_event_rxmgmt *rxmgmt,
314 const size_t min_len = sizeof(*rxmgmt) +
315 sizeof(struct ieee80211_hdr_3addr);
316 const struct ieee80211_hdr_3addr *frame = (void *)rxmgmt->frame_data;
317 const u16 frame_len = len - sizeof(*rxmgmt);
318 enum nl80211_rxmgmt_flags flags = 0;
320 if (unlikely(len < min_len)) {
321 pr_err("VIF%u.%u: payload is too short (%u < %zu)\n",
322 vif->mac->macid, vif->vifid, len, min_len);
326 if (le32_to_cpu(rxmgmt->flags) & QLINK_RXMGMT_FLAG_ANSWERED)
327 flags |= NL80211_RXMGMT_FLAG_ANSWERED;
329 pr_debug("%s LEN:%u FC:%.4X SA:%pM\n", vif->netdev->name, frame_len,
330 le16_to_cpu(frame->frame_control), frame->addr2);
332 cfg80211_rx_mgmt(&vif->wdev, le32_to_cpu(rxmgmt->freq), rxmgmt->sig_dbm,
333 rxmgmt->frame_data, frame_len, flags);
339 qtnf_event_handle_scan_results(struct qtnf_vif *vif,
340 const struct qlink_event_scan_result *sr,
343 struct cfg80211_bss *bss;
344 struct ieee80211_channel *channel;
345 struct wiphy *wiphy = priv_to_wiphy(vif->mac);
346 enum cfg80211_bss_frame_type frame_type = CFG80211_BSS_FTYPE_UNKNOWN;
350 const struct qlink_tlv_hdr *tlv;
351 const u8 *ies = NULL;
354 if (len < sizeof(*sr)) {
355 pr_err("VIF%u.%u: payload is too short\n", vif->mac->macid,
360 channel = ieee80211_get_channel(wiphy, le16_to_cpu(sr->freq));
362 pr_err("VIF%u.%u: channel at %u MHz not found\n",
363 vif->mac->macid, vif->vifid, le16_to_cpu(sr->freq));
367 payload_len = len - sizeof(*sr);
369 qlink_for_each_tlv(tlv, sr->payload, payload_len) {
370 tlv_type = le16_to_cpu(tlv->type);
371 tlv_value_len = le16_to_cpu(tlv->len);
373 if (tlv_type == QTN_TLV_ID_IE_SET) {
374 const struct qlink_tlv_ie_set *ie_set;
378 (sizeof(*ie_set) - sizeof(ie_set->hdr)))
381 ie_set = (const struct qlink_tlv_ie_set *)tlv;
382 ie_len = tlv_value_len -
383 (sizeof(*ie_set) - sizeof(ie_set->hdr));
385 switch (ie_set->type) {
386 case QLINK_IE_SET_BEACON_IES:
387 frame_type = CFG80211_BSS_FTYPE_BEACON;
389 case QLINK_IE_SET_PROBE_RESP_IES:
390 frame_type = CFG80211_BSS_FTYPE_PRESP;
393 frame_type = CFG80211_BSS_FTYPE_UNKNOWN;
397 ies = ie_set->ie_data;
403 if (!qlink_tlv_parsing_ok(tlv, sr->payload, payload_len))
406 bss = cfg80211_inform_bss(wiphy, channel, frame_type,
407 sr->bssid, get_unaligned_le64(&sr->tsf),
408 le16_to_cpu(sr->capab),
409 le16_to_cpu(sr->bintval), ies, ies_len,
410 DBM_TO_MBM(sr->sig_dbm), GFP_KERNEL);
414 cfg80211_put_bss(wiphy, bss);
420 qtnf_event_handle_scan_complete(struct qtnf_wmac *mac,
421 const struct qlink_event_scan_complete *status,
424 if (len < sizeof(*status)) {
425 pr_err("MAC%u: payload is too short\n", mac->macid);
429 qtnf_scan_done(mac, le32_to_cpu(status->flags) & QLINK_SCAN_ABORTED);
435 qtnf_event_handle_freq_change(struct qtnf_wmac *mac,
436 const struct qlink_event_freq_change *data,
439 struct wiphy *wiphy = priv_to_wiphy(mac);
440 struct cfg80211_chan_def chandef;
441 struct qtnf_vif *vif;
444 if (len < sizeof(*data)) {
445 pr_err("MAC%u: payload is too short\n", mac->macid);
449 if (!wiphy->registered)
452 qlink_chandef_q2cfg(wiphy, &data->chan, &chandef);
454 if (!cfg80211_chandef_valid(&chandef)) {
455 pr_err("MAC%u: bad channel freq=%u cf1=%u cf2=%u bw=%u\n",
456 mac->macid, chandef.chan->center_freq,
457 chandef.center_freq1, chandef.center_freq2,
462 pr_debug("MAC%d: new channel ieee=%u freq1=%u freq2=%u bw=%u\n",
463 mac->macid, chandef.chan->hw_value, chandef.center_freq1,
464 chandef.center_freq2, chandef.width);
466 for (i = 0; i < QTNF_MAX_INTF; i++) {
467 vif = &mac->iflist[i];
469 if (vif->wdev.iftype == NL80211_IFTYPE_UNSPECIFIED)
472 if (vif->wdev.iftype == NL80211_IFTYPE_STATION &&
473 !vif->wdev.current_bss)
479 mutex_lock(&vif->wdev.mtx);
480 cfg80211_ch_switch_notify(vif->netdev, &chandef);
481 mutex_unlock(&vif->wdev.mtx);
487 static int qtnf_event_handle_radar(struct qtnf_vif *vif,
488 const struct qlink_event_radar *ev,
491 struct wiphy *wiphy = priv_to_wiphy(vif->mac);
492 struct cfg80211_chan_def chandef;
494 if (len < sizeof(*ev)) {
495 pr_err("MAC%u: payload is too short\n", vif->mac->macid);
499 if (!wiphy->registered || !vif->netdev)
502 qlink_chandef_q2cfg(wiphy, &ev->chan, &chandef);
504 if (!cfg80211_chandef_valid(&chandef)) {
505 pr_err("MAC%u: bad channel f1=%u f2=%u bw=%u\n",
507 chandef.center_freq1, chandef.center_freq2,
512 pr_info("%s: radar event=%u f1=%u f2=%u bw=%u\n",
513 vif->netdev->name, ev->event,
514 chandef.center_freq1, chandef.center_freq2,
518 case QLINK_RADAR_DETECTED:
519 cfg80211_radar_event(wiphy, &chandef, GFP_KERNEL);
521 case QLINK_RADAR_CAC_FINISHED:
522 if (!vif->wdev.cac_started)
525 cfg80211_cac_event(vif->netdev, &chandef,
526 NL80211_RADAR_CAC_FINISHED, GFP_KERNEL);
528 case QLINK_RADAR_CAC_ABORTED:
529 if (!vif->wdev.cac_started)
532 cfg80211_cac_event(vif->netdev, &chandef,
533 NL80211_RADAR_CAC_ABORTED, GFP_KERNEL);
535 case QLINK_RADAR_CAC_STARTED:
536 if (vif->wdev.cac_started)
539 if (!wiphy_ext_feature_isset(wiphy,
540 NL80211_EXT_FEATURE_DFS_OFFLOAD))
543 cfg80211_cac_event(vif->netdev, &chandef,
544 NL80211_RADAR_CAC_STARTED, GFP_KERNEL);
547 pr_warn("%s: unhandled radar event %u\n",
548 vif->netdev->name, ev->event);
556 qtnf_event_handle_external_auth(struct qtnf_vif *vif,
557 const struct qlink_event_external_auth *ev,
560 struct cfg80211_external_auth_params auth = {0};
561 struct wiphy *wiphy = priv_to_wiphy(vif->mac);
564 if (len < sizeof(*ev)) {
565 pr_err("MAC%u: payload is too short\n", vif->mac->macid);
569 if (!wiphy->registered || !vif->netdev)
573 int len = clamp_val(ev->ssid_len, 0, IEEE80211_MAX_SSID_LEN);
575 memcpy(auth.ssid.ssid, ev->ssid, len);
576 auth.ssid.ssid_len = len;
579 auth.key_mgmt_suite = le32_to_cpu(ev->akm_suite);
580 ether_addr_copy(auth.bssid, ev->bssid);
581 auth.action = ev->action;
583 pr_debug("%s: external SAE processing: bss=%pM action=%u akm=%u\n",
584 vif->netdev->name, auth.bssid, auth.action,
585 auth.key_mgmt_suite);
587 ret = cfg80211_external_auth_request(vif->netdev, &auth, GFP_KERNEL);
589 pr_warn("failed to offload external auth request\n");
595 qtnf_event_handle_mic_failure(struct qtnf_vif *vif,
596 const struct qlink_event_mic_failure *mic_ev,
599 struct wiphy *wiphy = priv_to_wiphy(vif->mac);
602 if (len < sizeof(*mic_ev)) {
603 pr_err("VIF%u.%u: payload is too short (%u < %zu)\n",
604 vif->mac->macid, vif->vifid, len,
605 sizeof(struct qlink_event_mic_failure));
609 if (!wiphy->registered || !vif->netdev)
612 if (vif->wdev.iftype != NL80211_IFTYPE_STATION) {
613 pr_err("VIF%u.%u: MIC_FAILURE event when not in STA mode\n",
614 vif->mac->macid, vif->vifid);
618 pairwise = mic_ev->pairwise ?
619 NL80211_KEYTYPE_PAIRWISE : NL80211_KEYTYPE_GROUP;
621 pr_info("%s: MIC error: src=%pM key_index=%u pairwise=%u\n",
622 vif->netdev->name, mic_ev->src, mic_ev->key_index, pairwise);
624 cfg80211_michael_mic_failure(vif->netdev, mic_ev->src, pairwise,
625 mic_ev->key_index, NULL, GFP_KERNEL);
631 qtnf_event_handle_update_owe(struct qtnf_vif *vif,
632 const struct qlink_event_update_owe *owe_ev,
635 struct wiphy *wiphy = priv_to_wiphy(vif->mac);
636 struct cfg80211_update_owe_info owe_info = {};
637 const u16 ie_len = len - sizeof(*owe_ev);
640 if (len < sizeof(*owe_ev)) {
641 pr_err("VIF%u.%u: payload is too short (%u < %zu)\n",
642 vif->mac->macid, vif->vifid, len,
643 sizeof(struct qlink_event_update_owe));
647 if (!wiphy->registered || !vif->netdev)
650 if (vif->wdev.iftype != NL80211_IFTYPE_AP) {
651 pr_err("VIF%u.%u: UPDATE_OWE event when not in AP mode\n",
652 vif->mac->macid, vif->vifid);
656 ie = kzalloc(ie_len, GFP_KERNEL);
660 memcpy(owe_info.peer, owe_ev->peer, ETH_ALEN);
661 memcpy(ie, owe_ev->ies, ie_len);
662 owe_info.ie_len = ie_len;
665 pr_info("%s: external OWE processing: peer=%pM\n",
666 vif->netdev->name, owe_ev->peer);
668 cfg80211_update_owe_info_event(vif->netdev, &owe_info, GFP_KERNEL);
674 static int qtnf_event_parse(struct qtnf_wmac *mac,
675 const struct sk_buff *event_skb)
677 const struct qlink_event *event;
678 struct qtnf_vif *vif = NULL;
684 event = (const struct qlink_event *)event_skb->data;
685 event_id = le16_to_cpu(event->event_id);
686 event_len = le16_to_cpu(event->mhdr.len);
688 if (event->vifid >= QTNF_MAX_INTF) {
689 pr_err("invalid vif(%u)\n", event->vifid);
693 vifid = array_index_nospec(event->vifid, QTNF_MAX_INTF);
694 vif = &mac->iflist[vifid];
697 case QLINK_EVENT_STA_ASSOCIATED:
698 ret = qtnf_event_handle_sta_assoc(mac, vif, (const void *)event,
701 case QLINK_EVENT_STA_DEAUTH:
702 ret = qtnf_event_handle_sta_deauth(mac, vif,
706 case QLINK_EVENT_MGMT_RECEIVED:
707 ret = qtnf_event_handle_mgmt_received(vif, (const void *)event,
710 case QLINK_EVENT_SCAN_RESULTS:
711 ret = qtnf_event_handle_scan_results(vif, (const void *)event,
714 case QLINK_EVENT_SCAN_COMPLETE:
715 ret = qtnf_event_handle_scan_complete(mac, (const void *)event,
718 case QLINK_EVENT_BSS_JOIN:
719 ret = qtnf_event_handle_bss_join(vif, (const void *)event,
722 case QLINK_EVENT_BSS_LEAVE:
723 ret = qtnf_event_handle_bss_leave(vif, (const void *)event,
726 case QLINK_EVENT_FREQ_CHANGE:
727 ret = qtnf_event_handle_freq_change(mac, (const void *)event,
730 case QLINK_EVENT_RADAR:
731 ret = qtnf_event_handle_radar(vif, (const void *)event,
734 case QLINK_EVENT_EXTERNAL_AUTH:
735 ret = qtnf_event_handle_external_auth(vif, (const void *)event,
738 case QLINK_EVENT_MIC_FAILURE:
739 ret = qtnf_event_handle_mic_failure(vif, (const void *)event,
742 case QLINK_EVENT_UPDATE_OWE:
743 ret = qtnf_event_handle_update_owe(vif, (const void *)event,
747 pr_warn("unknown event type: %x\n", event_id);
754 static int qtnf_event_process_skb(struct qtnf_bus *bus,
755 const struct sk_buff *skb)
757 const struct qlink_event *event;
758 struct qtnf_wmac *mac;
761 if (unlikely(!skb || skb->len < sizeof(*event))) {
762 pr_err("invalid event buffer\n");
766 event = (struct qlink_event *)skb->data;
768 mac = qtnf_core_get_mac(bus, event->macid);
770 pr_debug("new event id:%x len:%u mac:%u vif:%u\n",
771 le16_to_cpu(event->event_id), le16_to_cpu(event->mhdr.len),
772 event->macid, event->vifid);
778 res = qtnf_event_parse(mac, skb);
784 void qtnf_event_work_handler(struct work_struct *work)
786 struct qtnf_bus *bus = container_of(work, struct qtnf_bus, event_work);
787 struct sk_buff_head *event_queue = &bus->trans.event_queue;
788 struct sk_buff *current_event_skb = skb_dequeue(event_queue);
790 while (current_event_skb) {
791 qtnf_event_process_skb(bus, current_event_skb);
792 dev_kfree_skb_any(current_event_skb);
793 current_event_skb = skb_dequeue(event_queue);
projects / linux.git / blob