libertas: Read buffer overflow
[linux-2.6] / drivers / net / wireless / libertas / cmdresp.c
1 /**
2   * This file contains the handling of command
3   * responses as well as events generated by firmware.
4   */
5 #include <linux/delay.h>
6 #include <linux/if_arp.h>
7 #include <linux/netdevice.h>
8 #include <asm/unaligned.h>
9 #include <net/iw_handler.h>
10
11 #include "host.h"
12 #include "decl.h"
13 #include "defs.h"
14 #include "dev.h"
15 #include "assoc.h"
16 #include "wext.h"
17
18 /**
19  *  @brief This function handles disconnect event. it
20  *  reports the disconnect to the upper layer, cleans up Tx/Rx packets,
21  *  resets the link state, etc.
22  *
23  *  @param priv    A pointer to struct lbs_private structure
24  *  @return        n/a
25  */
void lbs_mac_event_disconnected(struct lbs_private *priv)
{
	struct net_device *dev = priv->dev;
	union iwreq_data wrqu;

	/* Nothing to tear down unless the link was actually up. */
	if (priv->connect_status != LBS_CONNECTED)
		return;

	lbs_deb_enter(LBS_DEB_ASSOC);

	/* An all-zero AP address tells wext listeners that the AP is gone. */
	wrqu.ap_addr.sa_family = ARPHRD_ETHER;
	memset(wrqu.ap_addr.sa_data, 0x00, ETH_ALEN);

	/*
	 * Cisco APs send the EAP failure and the de-auth within 0.5 ms of
	 * each other, which confuses the supplicant; give it a moment.
	 */
	msleep_interruptible(1000);
	wireless_send_event(dev, SIOCGIWAP, &wrqu, NULL);

	/* Report the lost link to the network stack. */
	netif_stop_queue(dev);
	netif_carrier_off(dev);

	/* Drop whatever was still queued on the Tx side. */
	kfree_skb(priv->currenttxskb);
	priv->currenttxskb = NULL;
	priv->tx_pending_len = 0;

	/* Link-quality history belongs to the old association. */
	memset(priv->rawSNR, 0x00, sizeof(priv->rawSNR));
	memset(priv->rawNF, 0x00, sizeof(priv->rawNF));
	memset(priv->SNR, 0x00, sizeof(priv->SNR));
	memset(priv->NF, 0x00, sizeof(priv->NF));
	memset(priv->RSSI, 0x00, sizeof(priv->RSSI));
	priv->nextSNRNF = 0;
	priv->numSNRNF = 0;
	priv->connect_status = LBS_DISCONNECTED;

	/* The stored BSSID/SSID no longer describe a live connection. */
	memset(&priv->curbssparams.bssid, 0, ETH_ALEN);
	memset(&priv->curbssparams.ssid, 0, IW_ESSID_MAX_SIZE);
	priv->curbssparams.ssid_len = 0;

	/* Firmware must not stay in power-save with no AP to talk to. */
	if (priv->psstate != PS_STATE_FULL_POWER) {
		lbs_deb_cmd("disconnected, so exit PS mode\n");
		lbs_ps_wakeup(priv, 0);
	}
	lbs_deb_leave(LBS_DEB_ASSOC);
}
79
80 /**
81  *  @brief This function handles MIC failure event.
82  *
83  *  @param priv    A pointer to struct lbs_private structure
84  *  @param event   the event id
85  *  @return        n/a
86  */
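static void handle_mic_failureevent(struct lbs_private *priv, u32 event)
{
	/* Longest message is 44 bytes plus the terminator; keep the headroom. */
	char buf[50];
	const char *kind;

	lbs_deb_enter(LBS_DEB_CMD);

	/* Only the unicast code is distinguished; every other value is
	 * reported as multicast, as before. */
	kind = (event == MACREG_INT_CODE_MIC_ERR_UNICAST) ? "unicast " : "multicast ";

	/* One bounded write replaces the unbounded sprintf/strcat pair, so a
	 * later change to the text cannot silently overrun buf.  The result
	 * is always NUL-terminated, which makes the old memset redundant. */
	snprintf(buf, sizeof(buf), "%s%s", "MLME-MICHAELMICFAILURE.indication ", kind);

	lbs_send_iwevcustom_event(priv, buf);
	lbs_deb_leave(LBS_DEB_CMD);
}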
105
/*
 * Record the register value carried by a MAC/BBP/RF register-access reply
 * in priv->offsetvalue.  Returns 0 for a known reply type, -1 otherwise.
 */
static int lbs_ret_reg_access(struct lbs_private *priv,
			       u16 type, struct cmd_ds_command *resp)
{
	int rc = 0;
	u32 offset = 0;
	u32 value = 0;

	lbs_deb_enter(LBS_DEB_CMD);

	switch (type) {
	case CMD_RET(CMD_MAC_REG_ACCESS):
		/* MAC registers are 32 bits wide and little-endian on the wire. */
		offset = le16_to_cpu(resp->params.macreg.offset);
		value = le32_to_cpu(resp->params.macreg.value);
		break;
	case CMD_RET(CMD_BBP_REG_ACCESS):
		/* BBP values are a single byte, so no byte swap is needed. */
		offset = le16_to_cpu(resp->params.bbpreg.offset);
		value = resp->params.bbpreg.value;
		break;
	case CMD_RET(CMD_RF_REG_ACCESS):
		/* RF values are a single byte as well. */
		offset = le16_to_cpu(resp->params.rfreg.offset);
		value = resp->params.rfreg.value;
		break;
	default:
		rc = -1;
		break;
	}

	/* Only a recognised reply updates the cached register. */
	if (rc == 0) {
		priv->offsetvalue.offset = offset;
		priv->offsetvalue.value = value;
	}

	lbs_deb_leave_args(LBS_DEB_CMD, "ret %d", rc);
	return rc;
}
148
/*
 * Store the beacon SNR / noise-floor figures from an RSSI reply and derive
 * the instantaneous and averaged RSSI from them.  Always returns 0.
 */
static int lbs_ret_802_11_rssi(struct lbs_private *priv,
				struct cmd_ds_command *resp)
{
	struct cmd_ds_802_11_rssi_rsp *rsp = &resp->params.rssirsp;
	u16 snr, nf, avg_snr, avg_nf;

	lbs_deb_enter(LBS_DEB_CMD);

	/* The reply fields are read unaligned, as the original did. */
	snr = get_unaligned_le16(&rsp->SNR);
	nf = get_unaligned_le16(&rsp->noisefloor);
	avg_snr = get_unaligned_le16(&rsp->avgSNR);
	avg_nf = get_unaligned_le16(&rsp->avgnoisefloor);

	/* Raw (non-averaged) and averaged samples for the beacon. */
	priv->SNR[TYPE_BEACON][TYPE_NOAVG] = snr;
	priv->NF[TYPE_BEACON][TYPE_NOAVG] = nf;
	priv->SNR[TYPE_BEACON][TYPE_AVG] = avg_snr;
	priv->NF[TYPE_BEACON][TYPE_AVG] = avg_nf;

	/* RSSI is computed from the stored values so that whatever conversion
	 * the priv arrays apply is kept; the averaged pair is descaled first. */
	priv->RSSI[TYPE_BEACON][TYPE_NOAVG] =
		CAL_RSSI(priv->SNR[TYPE_BEACON][TYPE_NOAVG],
			 priv->NF[TYPE_BEACON][TYPE_NOAVG]);
	priv->RSSI[TYPE_BEACON][TYPE_AVG] =
		CAL_RSSI(priv->SNR[TYPE_BEACON][TYPE_AVG] / AVG_SCALE,
			 priv->NF[TYPE_BEACON][TYPE_AVG] / AVG_SCALE);

	lbs_deb_cmd("RSSI: beacon %d, avg %d\n",
		    priv->RSSI[TYPE_BEACON][TYPE_NOAVG],
		    priv->RSSI[TYPE_BEACON][TYPE_AVG]);

	lbs_deb_leave(LBS_DEB_CMD);
	return 0;
}
178
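/*
 * Cache the beacon settings reported by a BEACON_CTRL reply.  Only a GET
 * reply carries values worth storing; a SET reply is acknowledged as-is.
 * Always returns 0.
 */
static int lbs_ret_802_11_bcn_ctrl(struct lbs_private *priv,
					struct cmd_ds_command *resp)
{
	struct cmd_ds_802_11_beacon_control *bcn_ctrl =
		&resp->params.bcn_ctrl;

	lbs_deb_enter(LBS_DEB_CMD);

	if (bcn_ctrl->action == CMD_ACT_GET) {
		priv->beacon_enable = (u8) le16_to_cpu(bcn_ctrl->beacon_enable);
		priv->beacon_period = le16_to_cpu(bcn_ctrl->beacon_period);
	}

	/* Was a second lbs_deb_enter(), which left the debug trace unbalanced. */
	lbs_deb_leave(LBS_DEB_CMD);
	return 0;
}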
195
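/*
 * Copy @len bytes of a command reply into the buffer that the issuing
 * command registered as callback_arg.  driver_lock is held for the copy so
 * cur_cmd cannot change underneath us; the copy is skipped when there is no
 * current command or it registered no destination buffer, instead of
 * dereferencing a NULL argument as some callers previously did.
 */
static void lbs_copy_resp_to_callback_arg(struct lbs_private *priv,
					  const void *src, size_t len)
{
	unsigned long flags;

	spin_lock_irqsave(&priv->driver_lock, flags);
	if (priv->cur_cmd && priv->cur_cmd->callback_arg)
		memmove((void *)priv->cur_cmd->callback_arg, src, len);
	spin_unlock_irqrestore(&priv->driver_lock, flags);
}

/*
 * Generic handler for command replies whose command registered no
 * completion callback.  Dispatches on the reply's command id; most cases
 * either hand the reply to a per-command helper or copy the reply payload
 * into the command's callback_arg buffer.  Returns the helper's result, or
 * 0 when the reply needs no further processing.
 *
 * NOTE(review): the reads of resp->params.* below are not bounded by the
 * number of bytes actually received, which this function never sees;
 * confirm that the receive buffer is always at least sizeof(*resp) long.
 */
static inline int handle_cmd_response(struct lbs_private *priv,
				      struct cmd_header *cmd_response)
{
	struct cmd_ds_command *resp = (struct cmd_ds_command *) cmd_response;
	int ret = 0;
	uint16_t respcmd = le16_to_cpu(resp->command);

	lbs_deb_enter(LBS_DEB_HOST);

	switch (respcmd) {
	case CMD_RET(CMD_MAC_REG_ACCESS):
	case CMD_RET(CMD_BBP_REG_ACCESS):
	case CMD_RET(CMD_RF_REG_ACCESS):
		ret = lbs_ret_reg_access(priv, respcmd, resp);
		break;

	case CMD_RET(CMD_802_11_SET_AFC):
	case CMD_RET(CMD_802_11_GET_AFC):
		lbs_copy_resp_to_callback_arg(priv, &resp->params.afc,
					      sizeof(struct cmd_ds_802_11_afc));
		break;

	case CMD_RET(CMD_802_11_BEACON_STOP):
		/* Nothing to report back for a beacon stop. */
		break;

	case CMD_RET(CMD_802_11_RSSI):
		ret = lbs_ret_802_11_rssi(priv, resp);
		break;

	case CMD_RET(CMD_802_11D_DOMAIN_INFO):
		ret = lbs_ret_802_11d_domain_info(resp);
		break;

	case CMD_RET(CMD_802_11_TPC_CFG):
		lbs_copy_resp_to_callback_arg(priv, &resp->params.tpccfg,
					      sizeof(struct cmd_ds_802_11_tpc_cfg));
		break;

	case CMD_RET(CMD_802_11_LED_GPIO_CTRL):
		lbs_copy_resp_to_callback_arg(priv, &resp->params.ledgpio,
					      sizeof(struct cmd_ds_802_11_led_ctrl));
		break;

	case CMD_RET(CMD_GET_TSF):
		/* Only the 64-bit TSF value is handed back, not the whole reply. */
		lbs_copy_resp_to_callback_arg(priv, &resp->params.gettsf.tsfvalue,
					      sizeof(u64));
		break;

	case CMD_RET(CMD_BT_ACCESS):
		/* The two addresses (addr1, addr2) are laid out back to back. */
		lbs_copy_resp_to_callback_arg(priv, &resp->params.bt.addr1,
					      2 * ETH_ALEN);
		break;

	case CMD_RET(CMD_FWT_ACCESS):
		lbs_copy_resp_to_callback_arg(priv, &resp->params.fwt,
					      sizeof(resp->params.fwt));
		break;

	case CMD_RET(CMD_802_11_BEACON_CTRL):
		ret = lbs_ret_802_11_bcn_ctrl(priv, resp);
		break;

	default:
		lbs_pr_err("CMD_RESP: unknown cmd response 0x%04x\n", respcmd);
		break;
	}
	lbs_deb_leave(LBS_DEB_HOST);
	return ret;
}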
278
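/**
 *  @brief Process a command response delivered by the card.
 *
 *  Matches the reply against priv->cur_cmd (sequence number and command
 *  id), records the result code, runs the command's completion callback
 *  or the generic handler, and completes the command.  Replies that do
 *  not match, that are too short to hold a cmd_header, or that carry the
 *  firmware's DEFER code are dropped so the pending command times out and
 *  goes through the normal retry path.
 *
 *  @param priv    A pointer to struct lbs_private structure
 *  @param data    Raw response buffer, starting with a struct cmd_header
 *  @param len     Number of bytes the card actually delivered into @data
 *  @return        0 on success, -1 if the response was rejected
 */
int lbs_process_command_response(struct lbs_private *priv, u8 *data, u32 len)
{
	uint16_t respcmd, curcmd;
	struct cmd_header *resp;
	int ret = 0;
	unsigned long flags;
	uint16_t result;

	lbs_deb_enter(LBS_DEB_HOST);

	mutex_lock(&priv->lock);
	spin_lock_irqsave(&priv->driver_lock, flags);

	if (!priv->cur_cmd) {
		lbs_deb_host("CMD_RESP: cur_cmd is NULL\n");
		ret = -1;
		spin_unlock_irqrestore(&priv->driver_lock, flags);
		goto done;
	}

	/*
	 * Every field read below lives in the cmd_header at the front of the
	 * buffer.  Refuse anything shorter before touching it, otherwise the
	 * header reads run past the bytes the card actually delivered.
	 * NOTE(review): the per-command payload that follows the header is
	 * still not checked against len here; the generic handler reads
	 * resp->params.* unconditionally.
	 */
	if (len < sizeof(*resp)) {
		lbs_pr_info("CMD_RESP: response too short (%u bytes)\n", len);
		spin_unlock_irqrestore(&priv->driver_lock, flags);
		ret = -1;
		goto done;
	}

	resp = (void *)data;
	curcmd = le16_to_cpu(priv->cur_cmd->cmdbuf->command);
	respcmd = le16_to_cpu(resp->command);
	result = le16_to_cpu(resp->result);

	lbs_deb_cmd("CMD_RESP: response 0x%04x, seq %d, size %d\n",
		     respcmd, le16_to_cpu(resp->seqnum), len);
	lbs_deb_hex(LBS_DEB_CMD, "CMD_RESP", (void *) resp, len);

	/* A stale or foreign reply must not complete the pending command. */
	if (resp->seqnum != priv->cur_cmd->cmdbuf->seqnum) {
		lbs_pr_info("Received CMD_RESP with invalid sequence %d (expected %d)\n",
			    le16_to_cpu(resp->seqnum), le16_to_cpu(priv->cur_cmd->cmdbuf->seqnum));
		spin_unlock_irqrestore(&priv->driver_lock, flags);
		ret = -1;
		goto done;
	}
	/*
	 * NOTE(review): the ASSOCIATE exemption is written with && on both
	 * sides, which accepts any reply while an ASSOCIATE command is
	 * pending; confirm that is the intended leniency.
	 */
	if (respcmd != CMD_RET(curcmd) &&
	    respcmd != CMD_RET_802_11_ASSOCIATE && curcmd != CMD_802_11_ASSOCIATE) {
		lbs_pr_info("Invalid CMD_RESP %x to command %x!\n", respcmd, curcmd);
		spin_unlock_irqrestore(&priv->driver_lock, flags);
		ret = -1;
		goto done;
	}

	if (resp->result == cpu_to_le16(0x0004)) {
		/* 0x0004 means -EAGAIN. Drop the response, let it time out
		   and be resubmitted */
		lbs_pr_info("Firmware returns DEFER to command %x. Will let it time out...\n",
			    le16_to_cpu(resp->command));
		spin_unlock_irqrestore(&priv->driver_lock, flags);
		ret = -1;
		goto done;
	}

	/* Now we got response from FW, cancel the command timer */
	del_timer(&priv->command_timer);
	priv->cmd_timed_out = 0;
	if (priv->nr_retries) {
		lbs_pr_info("Received result %x to command %x after %d retries\n",
			    result, curcmd, priv->nr_retries);
		priv->nr_retries = 0;
	}

	/* Store the response code to cur_cmd_retcode. */
	priv->cur_cmd_retcode = result;

	if (respcmd == CMD_RET(CMD_802_11_PS_MODE)) {
		/* The PS_MODE payload immediately follows the header. */
		struct cmd_ds_802_11_ps_mode *psmode = (void *) &resp[1];
		u16 action = le16_to_cpu(psmode->action);

		lbs_deb_host(
		       "CMD_RESP: PS_MODE cmd reply result 0x%x, action 0x%x\n",
		       result, action);

		if (result) {
			lbs_deb_host("CMD_RESP: PS command failed with 0x%x\n",
				    result);
			/*
			 * We should not re-try enter-ps command in
			 * ad-hoc mode. It takes place in
			 * lbs_execute_next_command().
			 */
			if (priv->mode == IW_MODE_ADHOC &&
			    action == CMD_SUBCMD_ENTER_PS)
				priv->psmode = LBS802_11POWERMODECAM;
		} else if (action == CMD_SUBCMD_ENTER_PS) {
			priv->needtowakeup = 0;
			priv->psstate = PS_STATE_AWAKE;

			lbs_deb_host("CMD_RESP: ENTER_PS command response\n");
			if (priv->connect_status != LBS_CONNECTED) {
				/*
				 * When Deauth Event received before Enter_PS command
				 * response, We need to wake up the firmware.
				 */
				lbs_deb_host(
				       "disconnected, invoking lbs_ps_wakeup\n");

				/* lbs_ps_wakeup() needs both locks dropped. */
				spin_unlock_irqrestore(&priv->driver_lock, flags);
				mutex_unlock(&priv->lock);
				lbs_ps_wakeup(priv, 0);
				mutex_lock(&priv->lock);
				spin_lock_irqsave(&priv->driver_lock, flags);
			}
		} else if (action == CMD_SUBCMD_EXIT_PS) {
			priv->needtowakeup = 0;
			priv->psstate = PS_STATE_FULL_POWER;
			lbs_deb_host("CMD_RESP: EXIT_PS command response\n");
		} else {
			lbs_deb_host("CMD_RESP: PS action 0x%X\n", action);
		}

		lbs_complete_command(priv, priv->cur_cmd, result);
		spin_unlock_irqrestore(&priv->driver_lock, flags);

		ret = 0;
		goto done;
	}

	/* If the command is not successful, cleanup and return failure */
	if ((result != 0 || !(respcmd & 0x8000))) {
		lbs_deb_host("CMD_RESP: error 0x%04x in command reply 0x%04x\n",
		       result, respcmd);
		/*
		 * Handling errors here
		 */
		switch (respcmd) {
		case CMD_RET(CMD_GET_HW_SPEC):
		case CMD_RET(CMD_802_11_RESET):
			lbs_deb_host("CMD_RESP: reset failed\n");
			break;

		}
		lbs_complete_command(priv, priv->cur_cmd, result);
		spin_unlock_irqrestore(&priv->driver_lock, flags);

		ret = -1;
		goto done;
	}

	/* Handlers may sleep, so run them without the spinlock held. */
	spin_unlock_irqrestore(&priv->driver_lock, flags);

	if (priv->cur_cmd && priv->cur_cmd->callback) {
		ret = priv->cur_cmd->callback(priv, priv->cur_cmd->callback_arg,
				resp);
	} else
		ret = handle_cmd_response(priv, resp);

	spin_lock_irqsave(&priv->driver_lock, flags);

	/* cur_cmd is re-checked: it may have been torn down while unlocked. */
	if (priv->cur_cmd) {
		/* Clean up and Put current command back to cmdfreeq */
		lbs_complete_command(priv, priv->cur_cmd, result);
	}
	spin_unlock_irqrestore(&priv->driver_lock, flags);

done:
	mutex_unlock(&priv->lock);
	lbs_deb_leave_args(LBS_DEB_HOST, "ret %d", ret);
	return ret;
}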
440
/*
 * Tell the firmware the host has seen its wake-up event.  The command has
 * no payload beyond the header; the next sequence number is consumed from
 * priv->seqnum.  Returns whatever hw_host_to_card() reports.
 */
static int lbs_send_confirmwake(struct lbs_private *priv)
{
	int rc;
	struct cmd_header cmd = {
		.command = cpu_to_le16(CMD_802_11_WAKEUP_CONFIRM),
		.size = cpu_to_le16(sizeof(cmd)),
		.seqnum = cpu_to_le16(++priv->seqnum),
		.result = 0,
	};

	lbs_deb_enter(LBS_DEB_HOST);

	lbs_deb_hex(LBS_DEB_HOST, "wake confirm", (u8 *) &cmd,
		sizeof(cmd));

	rc = priv->hw_host_to_card(priv, MVMS_CMD, (u8 *) &cmd, sizeof(cmd));
	if (rc)
		lbs_pr_alert("SEND_WAKEC_CMD: Host to Card failed for Confirm Wake\n");

	lbs_deb_leave_args(LBS_DEB_HOST, "ret %d", rc);
	return rc;
}
463
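/* PS_SLEEP: acknowledge a firmware sleep request unless we are at full power. */
static void lbs_event_ps_sleep(struct lbs_private *priv)
{
	if (priv->psstate == PS_STATE_FULL_POWER) {
		lbs_deb_cmd(
		       "EVENT: in FULL POWER mode, ignoring PS_SLEEP\n");
		return;
	}
	priv->psstate = PS_STATE_PRE_SLEEP;

	lbs_ps_confirm_sleep(priv);
}

/* PS_AWAKE: firmware left sleep; finish any wake-up the host had pending. */
static void lbs_event_ps_awake(struct lbs_private *priv)
{
	if (priv->psstate == PS_STATE_FULL_POWER) {
		lbs_deb_cmd(
		       "EVENT: In FULL POWER mode - ignore PS AWAKE\n");
		return;
	}

	priv->psstate = PS_STATE_AWAKE;

	if (priv->needtowakeup) {
		/*
		 * wait for the command processing to finish
		 * before resuming sending
		 * priv->needtowakeup will be set to FALSE
		 * in lbs_ps_wakeup()
		 */
		lbs_deb_cmd("waking up ...\n");
		lbs_ps_wakeup(priv, 0);
	}
}

/* MESH_AUTO_STARTED: bring the mesh interface up if autostart is enabled. */
static void lbs_event_mesh_auto_started(struct lbs_private *priv)
{
	/* Ignore spurious autostart events if autostart is disabled */
	if (!priv->mesh_autostart_enabled) {
		lbs_pr_info("EVENT: MESH_AUTO_STARTED (ignoring)\n");
		return;
	}
	lbs_pr_info("EVENT: MESH_AUTO_STARTED\n");
	priv->mesh_connect_status = LBS_CONNECTED;
	if (priv->mesh_open) {
		netif_carrier_on(priv->mesh_dev);
		/* Do not restart the queue while a Tx is still outstanding. */
		if (!priv->tx_pending_len)
			netif_wake_queue(priv->mesh_dev);
	}
	priv->mode = IW_MODE_ADHOC;
	schedule_work(&priv->sync_channel);
}

/**
 *  @brief Dispatch an asynchronous event reported by the firmware.
 *
 *  Link-loss events tear down the association, the power-save events
 *  drive priv->psstate, and the mesh autostart event brings the mesh
 *  interface up; everything else is only logged.
 *
 *  @param priv    A pointer to struct lbs_private structure
 *  @param event   The event id (MACREG_INT_CODE_*)
 *  @return        Always 0
 */
int lbs_process_event(struct lbs_private *priv, u32 event)
{
	int ret = 0;

	lbs_deb_enter(LBS_DEB_CMD);

	switch (event) {
	case MACREG_INT_CODE_LINK_SENSED:
		lbs_deb_cmd("EVENT: link sensed\n");
		break;

	case MACREG_INT_CODE_DEAUTHENTICATED:
		lbs_deb_cmd("EVENT: deauthenticated\n");
		lbs_mac_event_disconnected(priv);
		break;

	case MACREG_INT_CODE_DISASSOCIATED:
		lbs_deb_cmd("EVENT: disassociated\n");
		lbs_mac_event_disconnected(priv);
		break;

	case MACREG_INT_CODE_LINK_LOST_NO_SCAN:
		lbs_deb_cmd("EVENT: link lost\n");
		lbs_mac_event_disconnected(priv);
		break;

	case MACREG_INT_CODE_PS_SLEEP:
		lbs_deb_cmd("EVENT: ps sleep\n");
		lbs_event_ps_sleep(priv);
		break;

	case MACREG_INT_CODE_HOST_AWAKE:
		lbs_deb_cmd("EVENT: host awake\n");
		/* Failure is already logged inside; nothing more to do here. */
		lbs_send_confirmwake(priv);
		break;

	case MACREG_INT_CODE_PS_AWAKE:
		lbs_deb_cmd("EVENT: ps awake\n");
		lbs_event_ps_awake(priv);
		break;

	case MACREG_INT_CODE_MIC_ERR_UNICAST:
		lbs_deb_cmd("EVENT: UNICAST MIC ERROR\n");
		handle_mic_failureevent(priv, MACREG_INT_CODE_MIC_ERR_UNICAST);
		break;

	case MACREG_INT_CODE_MIC_ERR_MULTICAST:
		lbs_deb_cmd("EVENT: MULTICAST MIC ERROR\n");
		handle_mic_failureevent(priv, MACREG_INT_CODE_MIC_ERR_MULTICAST);
		break;

	case MACREG_INT_CODE_MIB_CHANGED:
		lbs_deb_cmd("EVENT: MIB CHANGED\n");
		break;
	case MACREG_INT_CODE_INIT_DONE:
		lbs_deb_cmd("EVENT: INIT DONE\n");
		break;
	case MACREG_INT_CODE_ADHOC_BCN_LOST:
		lbs_deb_cmd("EVENT: ADHOC beacon lost\n");
		break;
	case MACREG_INT_CODE_RSSI_LOW:
		lbs_pr_alert("EVENT: rssi low\n");
		break;
	case MACREG_INT_CODE_SNR_LOW:
		lbs_pr_alert("EVENT: snr low\n");
		break;
	case MACREG_INT_CODE_MAX_FAIL:
		lbs_pr_alert("EVENT: max fail\n");
		break;
	case MACREG_INT_CODE_RSSI_HIGH:
		lbs_pr_alert("EVENT: rssi high\n");
		break;
	case MACREG_INT_CODE_SNR_HIGH:
		lbs_pr_alert("EVENT: snr high\n");
		break;

	case MACREG_INT_CODE_MESH_AUTO_STARTED:
		lbs_event_mesh_auto_started(priv);
		break;

	default:
		/* event is a u32, so print it unsigned. */
		lbs_pr_alert("EVENT: unknown event id %u\n", event);
		break;
	}

	lbs_deb_leave_args(LBS_DEB_CMD, "ret %d", ret);
	return ret;
}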