1 // SPDX-License-Identifier: GPL-2.0+ 2 /* Copyright (c) 2015-2016 Quantenna Communications. All rights reserved. */ 3 4 #include <linux/kernel.h> 5 #include <linux/module.h> 6 #include <linux/slab.h> 7 8 #include "cfg80211.h" 9 #include "core.h" 10 #include "qlink.h" 11 #include "bus.h" 12 #include "trans.h" 13 #include "util.h" 14 #include "event.h" 15 #include "qlink_util.h" 16 17 static int 18 qtnf_event_handle_sta_assoc(struct qtnf_wmac *mac, struct qtnf_vif *vif, 19 const struct qlink_event_sta_assoc *sta_assoc, 20 u16 len) 21 { 22 const u8 *sta_addr; 23 u16 frame_control; 24 struct station_info *sinfo; 25 size_t payload_len; 26 u16 tlv_type; 27 u16 tlv_value_len; 28 size_t tlv_full_len; 29 const struct qlink_tlv_hdr *tlv; 30 int ret = 0; 31 32 if (unlikely(len < sizeof(*sta_assoc))) { 33 pr_err("VIF%u.%u: payload is too short (%u < %zu)\n", 34 mac->macid, vif->vifid, len, sizeof(*sta_assoc)); 35 return -EINVAL; 36 } 37 38 if (vif->wdev.iftype != NL80211_IFTYPE_AP) { 39 pr_err("VIF%u.%u: STA_ASSOC event when not in AP mode\n", 40 mac->macid, vif->vifid); 41 return -EPROTO; 42 } 43 44 sinfo = kzalloc(sizeof(*sinfo), GFP_KERNEL); 45 if (!sinfo) 46 return -ENOMEM; 47 48 sta_addr = sta_assoc->sta_addr; 49 frame_control = le16_to_cpu(sta_assoc->frame_control); 50 51 pr_debug("VIF%u.%u: MAC:%pM FC:%x\n", mac->macid, vif->vifid, sta_addr, 52 frame_control); 53 54 qtnf_sta_list_add(vif, sta_addr); 55 56 sinfo->assoc_req_ies = NULL; 57 sinfo->assoc_req_ies_len = 0; 58 sinfo->generation = vif->generation; 59 60 payload_len = len - sizeof(*sta_assoc); 61 tlv = (const struct qlink_tlv_hdr *)sta_assoc->ies; 62 63 while (payload_len >= sizeof(*tlv)) { 64 tlv_type = le16_to_cpu(tlv->type); 65 tlv_value_len = le16_to_cpu(tlv->len); 66 tlv_full_len = tlv_value_len + sizeof(struct qlink_tlv_hdr); 67 68 if (tlv_full_len > payload_len) { 69 ret = -EINVAL; 70 goto out; 71 } 72 73 if (tlv_type == QTN_TLV_ID_IE_SET) { 74 const struct qlink_tlv_ie_set *ie_set; 75 unsigned int ie_len; 76 77 if (payload_len < sizeof(*ie_set)) { 78 ret = -EINVAL; 79 goto out; 80 } 81 82 ie_set = (const struct qlink_tlv_ie_set *)tlv; 83 ie_len = tlv_value_len - 84 (sizeof(*ie_set) - sizeof(ie_set->hdr)); 85 86 if (ie_set->type == QLINK_IE_SET_ASSOC_REQ && ie_len) { 87 sinfo->assoc_req_ies = ie_set->ie_data; 88 sinfo->assoc_req_ies_len = ie_len; 89 } 90 } 91 92 payload_len -= tlv_full_len; 93 tlv = (struct qlink_tlv_hdr *)(tlv->val + tlv_value_len); 94 } 95 96 if (payload_len) { 97 ret = -EINVAL; 98 goto out; 99 } 100 101 cfg80211_new_sta(vif->netdev, sta_assoc->sta_addr, sinfo, 102 GFP_KERNEL); 103 104 out: 105 kfree(sinfo); 106 return ret; 107 } 108 109 static int 110 qtnf_event_handle_sta_deauth(struct qtnf_wmac *mac, struct qtnf_vif *vif, 111 const struct qlink_event_sta_deauth *sta_deauth, 112 u16 len) 113 { 114 const u8 *sta_addr; 115 u16 reason; 116 117 if (unlikely(len < sizeof(*sta_deauth))) { 118 pr_err("VIF%u.%u: payload is too short (%u < %zu)\n", 119 mac->macid, vif->vifid, len, 120 sizeof(struct qlink_event_sta_deauth)); 121 return -EINVAL; 122 } 123 124 if (vif->wdev.iftype != NL80211_IFTYPE_AP) { 125 pr_err("VIF%u.%u: STA_DEAUTH event when not in AP mode\n", 126 mac->macid, vif->vifid); 127 return -EPROTO; 128 } 129 130 sta_addr = sta_deauth->sta_addr; 131 reason = le16_to_cpu(sta_deauth->reason); 132 133 pr_debug("VIF%u.%u: MAC:%pM reason:%x\n", mac->macid, vif->vifid, 134 sta_addr, reason); 135 136 if (qtnf_sta_list_del(vif, sta_addr)) 137 cfg80211_del_sta(vif->netdev, sta_deauth->sta_addr, 138 GFP_KERNEL); 139 140 return 0; 141 } 142 143 static int 144 qtnf_event_handle_bss_join(struct qtnf_vif *vif, 145 const struct qlink_event_bss_join *join_info, 146 u16 len) 147 { 148 struct wiphy *wiphy = priv_to_wiphy(vif->mac); 149 enum ieee80211_statuscode status = le16_to_cpu(join_info->status); 150 struct cfg80211_chan_def chandef; 151 struct cfg80211_bss *bss = NULL; 152 u8 *ie = NULL; 153 154 if (unlikely(len < sizeof(*join_info))) { 155 pr_err("VIF%u.%u: payload is too short (%u < %zu)\n", 156 vif->mac->macid, vif->vifid, len, 157 sizeof(struct qlink_event_bss_join)); 158 return -EINVAL; 159 } 160 161 if (vif->wdev.iftype != NL80211_IFTYPE_STATION) { 162 pr_err("VIF%u.%u: BSS_JOIN event when not in STA mode\n", 163 vif->mac->macid, vif->vifid); 164 return -EPROTO; 165 } 166 167 pr_debug("VIF%u.%u: BSSID:%pM status:%u\n", 168 vif->mac->macid, vif->vifid, join_info->bssid, status); 169 170 if (status == WLAN_STATUS_SUCCESS) { 171 qlink_chandef_q2cfg(wiphy, &join_info->chan, &chandef); 172 if (!cfg80211_chandef_valid(&chandef)) { 173 pr_warn("MAC%u.%u: bad channel freq=%u cf1=%u cf2=%u bw=%u\n", 174 vif->mac->macid, vif->vifid, 175 chandef.chan->center_freq, 176 chandef.center_freq1, 177 chandef.center_freq2, 178 chandef.width); 179 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 180 goto done; 181 } 182 183 bss = cfg80211_get_bss(wiphy, chandef.chan, join_info->bssid, 184 NULL, 0, IEEE80211_BSS_TYPE_ESS, 185 IEEE80211_PRIVACY_ANY); 186 if (!bss) { 187 pr_warn("VIF%u.%u: add missing BSS:%pM chan:%u\n", 188 vif->mac->macid, vif->vifid, 189 join_info->bssid, chandef.chan->hw_value); 190 191 if (!vif->wdev.ssid_len) { 192 pr_warn("VIF%u.%u: SSID unknown for BSS:%pM\n", 193 vif->mac->macid, vif->vifid, 194 join_info->bssid); 195 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 196 goto done; 197 } 198 199 ie = kzalloc(2 + vif->wdev.ssid_len, GFP_KERNEL); 200 if (!ie) { 201 pr_warn("VIF%u.%u: IE alloc failed for BSS:%pM\n", 202 vif->mac->macid, vif->vifid, 203 join_info->bssid); 204 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 205 goto done; 206 } 207 208 ie[0] = WLAN_EID_SSID; 209 ie[1] = vif->wdev.ssid_len; 210 memcpy(ie + 2, vif->wdev.ssid, vif->wdev.ssid_len); 211 212 bss = cfg80211_inform_bss(wiphy, chandef.chan, 213 CFG80211_BSS_FTYPE_UNKNOWN, 214 join_info->bssid, 0, 215 WLAN_CAPABILITY_ESS, 100, 216 ie, 2 + vif->wdev.ssid_len, 217 0, GFP_KERNEL); 218 if (!bss) { 219 pr_warn("VIF%u.%u: can't connect to unknown BSS: %pM\n", 220 vif->mac->macid, vif->vifid, 221 join_info->bssid); 222 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 223 goto done; 224 } 225 } 226 } 227 228 done: 229 cfg80211_connect_result(vif->netdev, join_info->bssid, NULL, 0, NULL, 230 0, status, GFP_KERNEL); 231 if (bss) { 232 if (!ether_addr_equal(vif->bssid, join_info->bssid)) 233 ether_addr_copy(vif->bssid, join_info->bssid); 234 cfg80211_put_bss(wiphy, bss); 235 } 236 237 if (status == WLAN_STATUS_SUCCESS) 238 netif_carrier_on(vif->netdev); 239 240 kfree(ie); 241 return 0; 242 } 243 244 static int 245 qtnf_event_handle_bss_leave(struct qtnf_vif *vif, 246 const struct qlink_event_bss_leave *leave_info, 247 u16 len) 248 { 249 if (unlikely(len < sizeof(*leave_info))) { 250 pr_err("VIF%u.%u: payload is too short (%u < %zu)\n", 251 vif->mac->macid, vif->vifid, len, 252 sizeof(struct qlink_event_bss_leave)); 253 return -EINVAL; 254 } 255 256 if (vif->wdev.iftype != NL80211_IFTYPE_STATION) { 257 pr_err("VIF%u.%u: BSS_LEAVE event when not in STA mode\n", 258 vif->mac->macid, vif->vifid); 259 return -EPROTO; 260 } 261 262 pr_debug("VIF%u.%u: disconnected\n", vif->mac->macid, vif->vifid); 263 264 cfg80211_disconnected(vif->netdev, le16_to_cpu(leave_info->reason), 265 NULL, 0, 0, GFP_KERNEL); 266 netif_carrier_off(vif->netdev); 267 268 return 0; 269 } 270 271 static int 272 qtnf_event_handle_mgmt_received(struct qtnf_vif *vif, 273 const struct qlink_event_rxmgmt *rxmgmt, 274 u16 len) 275 { 276 const size_t min_len = sizeof(*rxmgmt) + 277 sizeof(struct ieee80211_hdr_3addr); 278 const struct ieee80211_hdr_3addr *frame = (void *)rxmgmt->frame_data; 279 const u16 frame_len = len - sizeof(*rxmgmt); 280 enum nl80211_rxmgmt_flags flags = 0; 281 282 if (unlikely(len < min_len)) { 283 pr_err("VIF%u.%u: payload is too short (%u < %zu)\n", 284 vif->mac->macid, vif->vifid, len, min_len); 285 return -EINVAL; 286 } 287 288 if (le32_to_cpu(rxmgmt->flags) & QLINK_RXMGMT_FLAG_ANSWERED) 289 flags |= NL80211_RXMGMT_FLAG_ANSWERED; 290 291 pr_debug("%s LEN:%u FC:%.4X SA:%pM\n", vif->netdev->name, frame_len, 292 le16_to_cpu(frame->frame_control), frame->addr2); 293 294 cfg80211_rx_mgmt(&vif->wdev, le32_to_cpu(rxmgmt->freq), rxmgmt->sig_dbm, 295 rxmgmt->frame_data, frame_len, flags); 296 297 return 0; 298 } 299 300 static int 301 qtnf_event_handle_scan_results(struct qtnf_vif *vif, 302 const struct qlink_event_scan_result *sr, 303 u16 len) 304 { 305 struct cfg80211_bss *bss; 306 struct ieee80211_channel *channel; 307 struct wiphy *wiphy = priv_to_wiphy(vif->mac); 308 enum cfg80211_bss_frame_type frame_type = CFG80211_BSS_FTYPE_UNKNOWN; 309 size_t payload_len; 310 u16 tlv_type; 311 u16 tlv_value_len; 312 size_t tlv_full_len; 313 const struct qlink_tlv_hdr *tlv; 314 const u8 *ies = NULL; 315 size_t ies_len = 0; 316 317 if (len < sizeof(*sr)) { 318 pr_err("VIF%u.%u: payload is too short\n", vif->mac->macid, 319 vif->vifid); 320 return -EINVAL; 321 } 322 323 channel = ieee80211_get_channel(wiphy, le16_to_cpu(sr->freq)); 324 if (!channel) { 325 pr_err("VIF%u.%u: channel at %u MHz not found\n", 326 vif->mac->macid, vif->vifid, le16_to_cpu(sr->freq)); 327 return -EINVAL; 328 } 329 330 payload_len = len - sizeof(*sr); 331 tlv = (struct qlink_tlv_hdr *)sr->payload; 332 333 while (payload_len >= sizeof(struct qlink_tlv_hdr)) { 334 tlv_type = le16_to_cpu(tlv->type); 335 tlv_value_len = le16_to_cpu(tlv->len); 336 tlv_full_len = tlv_value_len + sizeof(struct qlink_tlv_hdr); 337 338 if (tlv_full_len > payload_len) 339 return -EINVAL; 340 341 if (tlv_type == QTN_TLV_ID_IE_SET) { 342 const struct qlink_tlv_ie_set *ie_set; 343 unsigned int ie_len; 344 345 if (payload_len < sizeof(*ie_set)) 346 return -EINVAL; 347 348 ie_set = (const struct qlink_tlv_ie_set *)tlv; 349 ie_len = tlv_value_len - 350 (sizeof(*ie_set) - sizeof(ie_set->hdr)); 351 352 switch (ie_set->type) { 353 case QLINK_IE_SET_BEACON_IES: 354 frame_type = CFG80211_BSS_FTYPE_BEACON; 355 break; 356 case QLINK_IE_SET_PROBE_RESP_IES: 357 frame_type = CFG80211_BSS_FTYPE_PRESP; 358 break; 359 default: 360 frame_type = CFG80211_BSS_FTYPE_UNKNOWN; 361 } 362 363 if (ie_len) { 364 ies = ie_set->ie_data; 365 ies_len = ie_len; 366 } 367 } 368 369 payload_len -= tlv_full_len; 370 tlv = (struct qlink_tlv_hdr *)(tlv->val + tlv_value_len); 371 } 372 373 if (payload_len) 374 return -EINVAL; 375 376 bss = cfg80211_inform_bss(wiphy, channel, frame_type, 377 sr->bssid, get_unaligned_le64(&sr->tsf), 378 le16_to_cpu(sr->capab), 379 le16_to_cpu(sr->bintval), ies, ies_len, 380 DBM_TO_MBM(sr->sig_dbm), GFP_KERNEL); 381 if (!bss) 382 return -ENOMEM; 383 384 cfg80211_put_bss(wiphy, bss); 385 386 return 0; 387 } 388 389 static int 390 qtnf_event_handle_scan_complete(struct qtnf_wmac *mac, 391 const struct qlink_event_scan_complete *status, 392 u16 len) 393 { 394 if (len < sizeof(*status)) { 395 pr_err("MAC%u: payload is too short\n", mac->macid); 396 return -EINVAL; 397 } 398 399 qtnf_scan_done(mac, le32_to_cpu(status->flags) & QLINK_SCAN_ABORTED); 400 401 return 0; 402 } 403 404 static int 405 qtnf_event_handle_freq_change(struct qtnf_wmac *mac, 406 const struct qlink_event_freq_change *data, 407 u16 len) 408 { 409 struct wiphy *wiphy = priv_to_wiphy(mac); 410 struct cfg80211_chan_def chandef; 411 struct qtnf_vif *vif; 412 int i; 413 414 if (len < sizeof(*data)) { 415 pr_err("MAC%u: payload is too short\n", mac->macid); 416 return -EINVAL; 417 } 418 419 if (!wiphy->registered) 420 return 0; 421 422 qlink_chandef_q2cfg(wiphy, &data->chan, &chandef); 423 424 if (!cfg80211_chandef_valid(&chandef)) { 425 pr_err("MAC%u: bad channel freq=%u cf1=%u cf2=%u bw=%u\n", 426 mac->macid, chandef.chan->center_freq, 427 chandef.center_freq1, chandef.center_freq2, 428 chandef.width); 429 return -EINVAL; 430 } 431 432 pr_debug("MAC%d: new channel ieee=%u freq1=%u freq2=%u bw=%u\n", 433 mac->macid, chandef.chan->hw_value, chandef.center_freq1, 434 chandef.center_freq2, chandef.width); 435 436 for (i = 0; i < QTNF_MAX_INTF; i++) { 437 vif = &mac->iflist[i]; 438 if (vif->wdev.iftype == NL80211_IFTYPE_UNSPECIFIED) 439 continue; 440 441 if (vif->netdev) { 442 mutex_lock(&vif->wdev.mtx); 443 cfg80211_ch_switch_notify(vif->netdev, &chandef); 444 mutex_unlock(&vif->wdev.mtx); 445 } 446 } 447 448 return 0; 449 } 450 451 static int qtnf_event_handle_radar(struct qtnf_vif *vif, 452 const struct qlink_event_radar *ev, 453 u16 len) 454 { 455 struct wiphy *wiphy = priv_to_wiphy(vif->mac); 456 struct cfg80211_chan_def chandef; 457 458 if (len < sizeof(*ev)) { 459 pr_err("MAC%u: payload is too short\n", vif->mac->macid); 460 return -EINVAL; 461 } 462 463 if (!wiphy->registered || !vif->netdev) 464 return 0; 465 466 qlink_chandef_q2cfg(wiphy, &ev->chan, &chandef); 467 468 if (!cfg80211_chandef_valid(&chandef)) { 469 pr_err("MAC%u: bad channel f1=%u f2=%u bw=%u\n", 470 vif->mac->macid, 471 chandef.center_freq1, chandef.center_freq2, 472 chandef.width); 473 return -EINVAL; 474 } 475 476 pr_info("%s: radar event=%u f1=%u f2=%u bw=%u\n", 477 vif->netdev->name, ev->event, 478 chandef.center_freq1, chandef.center_freq2, 479 chandef.width); 480 481 switch (ev->event) { 482 case QLINK_RADAR_DETECTED: 483 cfg80211_radar_event(wiphy, &chandef, GFP_KERNEL); 484 break; 485 case QLINK_RADAR_CAC_FINISHED: 486 if (!vif->wdev.cac_started) 487 break; 488 489 cfg80211_cac_event(vif->netdev, &chandef, 490 NL80211_RADAR_CAC_FINISHED, GFP_KERNEL); 491 break; 492 case QLINK_RADAR_CAC_ABORTED: 493 if (!vif->wdev.cac_started) 494 break; 495 496 cfg80211_cac_event(vif->netdev, &chandef, 497 NL80211_RADAR_CAC_ABORTED, GFP_KERNEL); 498 break; 499 case QLINK_RADAR_CAC_STARTED: 500 if (vif->wdev.cac_started) 501 break; 502 503 if (!wiphy_ext_feature_isset(wiphy, 504 NL80211_EXT_FEATURE_DFS_OFFLOAD)) 505 break; 506 507 cfg80211_cac_event(vif->netdev, &chandef, 508 NL80211_RADAR_CAC_STARTED, GFP_KERNEL); 509 break; 510 default: 511 pr_warn("%s: unhandled radar event %u\n", 512 vif->netdev->name, ev->event); 513 break; 514 } 515 516 return 0; 517 } 518 519 static int qtnf_event_parse(struct qtnf_wmac *mac, 520 const struct sk_buff *event_skb) 521 { 522 const struct qlink_event *event; 523 struct qtnf_vif *vif = NULL; 524 int ret = -1; 525 u16 event_id; 526 u16 event_len; 527 528 event = (const struct qlink_event *)event_skb->data; 529 event_id = le16_to_cpu(event->event_id); 530 event_len = le16_to_cpu(event->mhdr.len); 531 532 if (likely(event->vifid < QTNF_MAX_INTF)) { 533 vif = &mac->iflist[event->vifid]; 534 } else { 535 pr_err("invalid vif(%u)\n", event->vifid); 536 return -EINVAL; 537 } 538 539 switch (event_id) { 540 case QLINK_EVENT_STA_ASSOCIATED: 541 ret = qtnf_event_handle_sta_assoc(mac, vif, (const void *)event, 542 event_len); 543 break; 544 case QLINK_EVENT_STA_DEAUTH: 545 ret = qtnf_event_handle_sta_deauth(mac, vif, 546 (const void *)event, 547 event_len); 548 break; 549 case QLINK_EVENT_MGMT_RECEIVED: 550 ret = qtnf_event_handle_mgmt_received(vif, (const void *)event, 551 event_len); 552 break; 553 case QLINK_EVENT_SCAN_RESULTS: 554 ret = qtnf_event_handle_scan_results(vif, (const void *)event, 555 event_len); 556 break; 557 case QLINK_EVENT_SCAN_COMPLETE: 558 ret = qtnf_event_handle_scan_complete(mac, (const void *)event, 559 event_len); 560 break; 561 case QLINK_EVENT_BSS_JOIN: 562 ret = qtnf_event_handle_bss_join(vif, (const void *)event, 563 event_len); 564 break; 565 case QLINK_EVENT_BSS_LEAVE: 566 ret = qtnf_event_handle_bss_leave(vif, (const void *)event, 567 event_len); 568 break; 569 case QLINK_EVENT_FREQ_CHANGE: 570 ret = qtnf_event_handle_freq_change(mac, (const void *)event, 571 event_len); 572 break; 573 case QLINK_EVENT_RADAR: 574 ret = qtnf_event_handle_radar(vif, (const void *)event, 575 event_len); 576 break; 577 default: 578 pr_warn("unknown event type: %x\n", event_id); 579 break; 580 } 581 582 return ret; 583 } 584 585 static int qtnf_event_process_skb(struct qtnf_bus *bus, 586 const struct sk_buff *skb) 587 { 588 const struct qlink_event *event; 589 struct qtnf_wmac *mac; 590 int res; 591 592 if (unlikely(!skb || skb->len < sizeof(*event))) { 593 pr_err("invalid event buffer\n"); 594 return -EINVAL; 595 } 596 597 event = (struct qlink_event *)skb->data; 598 599 mac = qtnf_core_get_mac(bus, event->macid); 600 601 pr_debug("new event id:%x len:%u mac:%u vif:%u\n", 602 le16_to_cpu(event->event_id), le16_to_cpu(event->mhdr.len), 603 event->macid, event->vifid); 604 605 if (unlikely(!mac)) 606 return -ENXIO; 607 608 rtnl_lock(); 609 res = qtnf_event_parse(mac, skb); 610 rtnl_unlock(); 611 612 return res; 613 } 614 615 void qtnf_event_work_handler(struct work_struct *work) 616 { 617 struct qtnf_bus *bus = container_of(work, struct qtnf_bus, event_work); 618 struct sk_buff_head *event_queue = &bus->trans.event_queue; 619 struct sk_buff *current_event_skb = skb_dequeue(event_queue); 620 621 while (current_event_skb) { 622 qtnf_event_process_skb(bus, current_event_skb); 623 dev_kfree_skb_any(current_event_skb); 624 current_event_skb = skb_dequeue(event_queue); 625 } 626 } 627