Merge "IKXCLOCK-11260 smelt: bcmdhd: security patches for Broadcom" into msm-moto-3.10
diff --git a/drivers/net/wireless/bcmdhd/bcmevent.c b/drivers/net/wireless/bcmdhd/bcmevent.c
index 59cae90..52eaac1 100644
--- a/drivers/net/wireless/bcmdhd/bcmevent.c
+++ b/drivers/net/wireless/bcmdhd/bcmevent.c
@@ -25,9 +25,11 @@
#include <typedefs.h>
#include <bcmutils.h>
+#include <bcmendian.h>
#include <proto/ethernet.h>
#include <proto/bcmeth.h>
#include <proto/bcmevent.h>
+#include <proto/802.11.h>
/* Use the actual name for event tracing */
#define BCMEVENT_NAME(_event) {(_event), #_event}
@@ -149,3 +151,120 @@
};
const int bcmevent_names_size = ARRAYSIZE(bcmevent_names);
+
+/*
+ * Validate if the event is proper and if valid copy event header to event.
+ * If proper event pointer is passed, to just validate, pass NULL to event.
+ *
+ * Return values are
+ * BCME_OK - It is a BRCM event or BRCM dongle event
+ * BCME_NOTFOUND - Not BRCM, not an event, may be okay
+ * BCME_BADLEN - Bad length, should not process, just drop
+ */
+int
+is_wlc_event_frame(void *pktdata, uint pktlen, uint16 exp_usr_subtype,
+ bcm_event_msg_u_t *out_event)
+{
+ uint16 len;
+ uint16 subtype;
+ uint16 usr_subtype;
+ bcm_event_t *bcm_event;
+ uint8 *pktend;
+ int err = BCME_OK;
+
+ pktend = (uint8 *)pktdata + pktlen;
+ bcm_event = (bcm_event_t *)pktdata;
+
+ /* only care about 16-bit subtype / length versions */
+ if ((uint8 *)&bcm_event->bcm_hdr < pktend) {
+ uint8 short_subtype = *(uint8 *)&bcm_event->bcm_hdr;
+ if (!(short_subtype & 0x80)) {
+ err = BCME_NOTFOUND;
+ goto done;
+ }
+ }
+
+ /* must have both ether_header and bcmeth_hdr */
+ if (pktlen < OFFSETOF(bcm_event_t, event)) {
+ err = BCME_BADLEN;
+ goto done;
+ }
+
+ /* check length in bcmeth_hdr */
+ len = ntoh16_ua((void *)&bcm_event->bcm_hdr.length);
+ if (((uint8 *)&bcm_event->bcm_hdr.version + len) > pktend) {
+ err = BCME_BADLEN;
+ goto done;
+ }
+
+ /* match on subtype, oui and usr subtype for BRCM events */
+ subtype = ntoh16_ua((void *)&bcm_event->bcm_hdr.subtype);
+ if (subtype != BCMILCP_SUBTYPE_VENDOR_LONG) {
+ err = BCME_NOTFOUND;
+ goto done;
+ }
+
+ if (bcmp(BRCM_OUI, &bcm_event->bcm_hdr.oui[0], DOT11_OUI_LEN)) {
+ err = BCME_NOTFOUND;
+ goto done;
+ }
+
+ /* if it is a bcm_event or bcm_dngl_event_t, validate it */
+ usr_subtype = ntoh16_ua((void *)&bcm_event->bcm_hdr.usr_subtype);
+ switch (usr_subtype) {
+ case BCMILCP_BCM_SUBTYPE_EVENT:
+ if (pktlen < sizeof(bcm_event_t)) {
+ err = BCME_BADLEN;
+ goto done;
+ }
+
+ len = sizeof(bcm_event_t) + ntoh32_ua((void *)&bcm_event->event.datalen);
+ if ((uint8 *)pktdata + len > pktend) {
+ err = BCME_BADLEN;
+ goto done;
+ }
+
+ if (exp_usr_subtype && (exp_usr_subtype != usr_subtype)) {
+ err = BCME_NOTFOUND;
+ goto done;
+ }
+
+ if (out_event) {
+ /* ensure BRCM event pkt aligned */
+ memcpy(&out_event->event, &bcm_event->event, sizeof(wl_event_msg_t));
+ }
+
+ break;
+ case BCMILCP_BCM_SUBTYPE_DNGLEVENT:
+ if (pktlen < sizeof(bcm_dngl_event_t)) {
+ err = BCME_BADLEN;
+ goto done;
+ }
+
+ len = sizeof(bcm_dngl_event_t) +
+ ntoh16_ua((void *)&((bcm_dngl_event_t *)pktdata)->dngl_event.datalen);
+ if ((uint8 *)pktdata + len > pktend) {
+ err = BCME_BADLEN;
+ goto done;
+ }
+
+ if (exp_usr_subtype && (exp_usr_subtype != usr_subtype)) {
+ err = BCME_NOTFOUND;
+ goto done;
+ }
+
+ if (out_event) {
+ /* ensure BRCM dngl event pkt aligned */
+ memcpy(&out_event->dngl_event, &((bcm_dngl_event_t *)pktdata)->dngl_event,
+ sizeof(bcm_dngl_event_msg_t));
+ }
+
+ break;
+ default:
+ err = BCME_NOTFOUND;
+ goto done;
+ }
+
+done:
+ return err;
+}
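Review bot: `len` is declared `uint16`, so in the `BCMILCP_BCM_SUBTYPE_EVENT` case `len = sizeof(bcm_event_t) + ntoh32_ua(...datalen)` silently truncates the 32-bit `datalen` read from the packet, and a value of 0x10000 or more can wrap to a small number that passes the `(uint8 *)pktdata + len > pktend` test. wl_host_event declares its own `uint32 datalen`, so the code after validation presumably works with the untruncated value, which this check would then not have bounded. Keep the event length in a 32-bit variable and compare lengths rather than pointers: `uint32 evlen = ntoh32_ua((void *)&bcm_event->event.datalen);` followed by `if (evlen > pktlen - sizeof(bcm_event_t)) {`, which cannot wrap because `pktlen >= sizeof(bcm_event_t)` was checked just above. The `BCMILCP_BCM_SUBTYPE_DNGLEVENT` case adds a 16-bit `datalen` to `sizeof(bcm_dngl_event_t)` in the same `uint16` and deserves the same form.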
diff --git a/drivers/net/wireless/bcmdhd/dhd.h b/drivers/net/wireless/bcmdhd/dhd.h
index f2cb9b2..67a2019 100644
--- a/drivers/net/wireless/bcmdhd/dhd.h
+++ b/drivers/net/wireless/bcmdhd/dhd.h
@@ -599,9 +599,10 @@
extern int dhd_net2idx(struct dhd_info *dhd, struct net_device *net);
extern struct net_device * dhd_idx2net(void *pub, int ifidx);
extern int net_os_send_hang_message(struct net_device *dev);
-extern int wl_host_event(dhd_pub_t *dhd_pub, int *idx, void *pktdata,
+extern int wl_host_event(dhd_pub_t *dhd_pub, int *idx, void *pktdata, size_t pktlen,
wl_event_msg_t *, void **data_ptr);
extern void wl_event_to_host_order(wl_event_msg_t * evt);
+extern int wl_host_event_get_data(void *pktdata, uint pktlen, bcm_event_msg_u_t *evu);
extern int dhd_wl_ioctl(dhd_pub_t *dhd_pub, int ifindex, wl_ioctl_t *ioc, void *buf, int len);
extern int dhd_wl_ioctl_cmd(dhd_pub_t *dhd_pub, int cmd, void *arg, int len, uint8 set,
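Review bot: The two prototypes touched here disagree on the type of the packet length: `wl_host_event` takes `size_t pktlen` while `wl_host_event_get_data` (and `is_wlc_event_frame` in bcmevent.h) take `uint pktlen`, so the value is narrowed implicitly on the way down on 64-bit builds. Frame lengths are small in practice, but a bounds-checking path is easier to audit when one type is used end to end; I would declare it as `uint pktlen` here as well, or widen the validator to `size_t`. The same applies to the static `dhd_wl_host_event` prototype and definition in dhd_linux.c.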
diff --git a/drivers/net/wireless/bcmdhd/dhd_common.c b/drivers/net/wireless/bcmdhd/dhd_common.c
index fbd95c7..d1177be 100644
--- a/drivers/net/wireless/bcmdhd/dhd_common.c
+++ b/drivers/net/wireless/bcmdhd/dhd_common.c
@@ -1145,8 +1145,23 @@
}
#endif /* SHOW_EVENTS */
+/* Check whether packet is a BRCM event pkt. If it is, record event data. */
int
-wl_host_event(dhd_pub_t *dhd_pub, int *ifidx, void *pktdata,
+wl_host_event_get_data(void *pktdata, uint pktlen, bcm_event_msg_u_t *evu)
+{
+ int ret;
+
+ ret = is_wlc_event_frame(pktdata, pktlen, 0, evu);
+ if (ret != BCME_OK) {
+ DHD_ERROR(("%s: Invalid event frame, err = %d\n",
+ __FUNCTION__, ret));
+ }
+
+ return ret;
+}
+
+int
+wl_host_event(dhd_pub_t *dhd_pub, int *ifidx, void *pktdata, size_t pktlen,
wl_event_msg_t *event, void **data_ptr)
{
/* check whether packet is a BRCM event pkt */
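Review bot: `wl_host_event_get_data` logs through `DHD_ERROR` for every non-OK result, including `BCME_NOTFOUND`, which the comment on is_wlc_event_frame describes as "may be okay". It is reached once per received `ETHER_TYPE_BRCM` frame, so unless `DHD_ERROR` is already rate-limited elsewhere, a stream of such frames that are not events can fill the kernel log; consider logging only the bad-length case, `if (ret == BCME_BADLEN) {`, or rate-limiting the message. The one-line comment above the function could also list the return values and say that `evu` may be NULL when only validation is wanted. The hunk ends inside wl_host_event, whose body continues outside it.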
@@ -1155,24 +1170,32 @@
uint32 type, status, datalen;
uint16 flags;
int evlen;
+ int ret;
+ uint16 usr_subtype;
+ bcm_event_msg_u_t evu;
- if (bcmp(BRCM_OUI, &pvt_data->bcm_hdr.oui[0], DOT11_OUI_LEN)) {
- DHD_ERROR(("%s: mismatched OUI, bailing\n", __FUNCTION__));
- return (BCME_ERROR);
+ ret = wl_host_event_get_data(pktdata, pktlen, &evu);
+ if (ret != BCME_OK) {
+ return ret;
}
- /* BRCM event pkt may be unaligned - use xxx_ua to load user_subtype. */
- if (ntoh16_ua((void *)&pvt_data->bcm_hdr.usr_subtype) != BCMILCP_BCM_SUBTYPE_EVENT) {
- DHD_ERROR(("%s: mismatched subtype, bailing\n", __FUNCTION__));
- return (BCME_ERROR);
+ usr_subtype = ntoh16_ua((void *)&pvt_data->bcm_hdr.usr_subtype);
+ switch (usr_subtype) {
+ case BCMILCP_BCM_SUBTYPE_EVENT:
+ memcpy(event, &evu.event, sizeof(wl_event_msg_t));
+ *data_ptr = &pvt_data[1];
+ break;
+
+ case BCMILCP_BCM_SUBTYPE_DNGLEVENT:
+ return BCME_NOTFOUND;
+
+ default:
+ return BCME_NOTFOUND;
}
- *data_ptr = &pvt_data[1];
+ /* start wl_event_msg process */
event_data = *data_ptr;
- /* memcpy since BRCM event pkt may be unaligned. */
- memcpy(event, &pvt_data->event, sizeof(wl_event_msg_t));
-
type = ntoh32_ua((void *)&event->event_type);
flags = ntoh16_ua((void *)&event->flags);
status = ntoh32_ua((void *)&event->status);
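Review bot: The `BCMILCP_BCM_SUBTYPE_DNGLEVENT` case and `default` both return `BCME_NOTFOUND`, so a dongle event is validated and copied into `evu` by is_wlc_event_frame and then discarded without explanation. If that is intentional, say so with a comment such as `/* dongle events are validated but not handled by this driver */` and let the case fall through to `default`. `usr_subtype` is also re-read from the raw packet although the validator already parsed it; that is safe only because the header was bounds-checked first, which is worth a one-line comment next to the read. The function starts before and continues after this hunk.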
diff --git a/drivers/net/wireless/bcmdhd/dhd_linux.c b/drivers/net/wireless/bcmdhd/dhd_linux.c
index 8e9f1ad..e384b9a 100644
--- a/drivers/net/wireless/bcmdhd/dhd_linux.c
+++ b/drivers/net/wireless/bcmdhd/dhd_linux.c
@@ -604,7 +604,7 @@
static int dhd_toe_set(dhd_info_t *dhd, int idx, uint32 toe_ol);
#endif /* TOE */
-static int dhd_wl_host_event(dhd_info_t *dhd, int *ifidx, void *pktdata,
+static int dhd_wl_host_event(dhd_info_t *dhd, int *ifidx, void *pktdata, size_t pktlen,
wl_event_msg_t *event_ptr, void **data_ptr);
#if defined(SUPPORT_P2P_GO_PS)
#ifdef PROP_TXSTATUS
@@ -1991,15 +1991,23 @@
/* Process special event packets and then discard them */
memset(&event, 0, sizeof(event));
if (ntoh16(skb->protocol) == ETHER_TYPE_BRCM) {
- dhd_wl_host_event(dhd, &ifidx,
+ int ret_event;
+
+ ret_event = dhd_wl_host_event(dhd, &ifidx,
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 22)
skb_mac_header(skb),
#else
skb->mac.raw,
#endif /* LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 22) */
+ len,
&event,
&data);
+ if (ret_event != BCME_OK) {
+ PKTFREE(dhdp->osh, pktbuf, FALSE);
+ continue;
+ }
+
wl_event_to_host_order(&event);
if (!tout_ctrl)
tout_ctrl = DHD_PACKET_TIMEOUT_MS;
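Review bot: The bounds checks added in is_wlc_event_frame are only as good as the `len` passed at this call, and `len` is assigned outside this hunk. The data pointer is `skb_mac_header(skb)`, so `len` must count bytes starting at the Ethernet header; if it holds the length after the header was pulled, valid events would be rejected, and if it is larger than the bytes actually present the check would be too lenient. Once confirmed, I would record it at the call with a comment such as `/* len counts from the MAC header, matching skb_mac_header(skb) */`. The enclosing receive loop starts and ends outside the hunk.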
@@ -5743,13 +5751,13 @@
#endif /* defined(WL_WIRELESS_EXT) */
static int
-dhd_wl_host_event(dhd_info_t *dhd, int *ifidx, void *pktdata,
+dhd_wl_host_event(dhd_info_t *dhd, int *ifidx, void *pktdata, size_t pktlen,
wl_event_msg_t *event, void **data)
{
int bcmerror = 0;
ASSERT(dhd != NULL);
- bcmerror = wl_host_event(&dhd->pub, ifidx, pktdata, event, data);
+ bcmerror = wl_host_event(&dhd->pub, ifidx, pktdata, pktlen, event, data);
if (bcmerror != BCME_OK)
return (bcmerror);
@@ -5758,12 +5766,11 @@
/*
* Wireless ext is on primary interface only
*/
-
- ASSERT(dhd->iflist[*ifidx] != NULL);
- ASSERT(dhd->iflist[*ifidx]->net != NULL);
+ ASSERT(dhd->iflist[*ifidx] != NULL);
+ ASSERT(dhd->iflist[*ifidx]->net != NULL);
if (dhd->iflist[*ifidx]->net) {
- wl_iw_event(dhd->iflist[*ifidx]->net, event, *data);
+ wl_iw_event(dhd->iflist[*ifidx]->net, event, *data);
}
}
#endif /* defined(WL_WIRELESS_EXT) */
@@ -5771,6 +5778,7 @@
#ifdef WL_CFG80211
ASSERT(dhd->iflist[*ifidx] != NULL);
ASSERT(dhd->iflist[*ifidx]->net != NULL);
+
if (dhd->iflist[*ifidx]->net)
wl_cfg80211_event(dhd->iflist[*ifidx]->net, event, *data);
#endif /* defined(WL_CFG80211) */
diff --git a/drivers/net/wireless/bcmdhd/include/proto/bcmeth.h b/drivers/net/wireless/bcmdhd/include/proto/bcmeth.h
index 1a80722..f2c10b3 100644
--- a/drivers/net/wireless/bcmdhd/include/proto/bcmeth.h
+++ b/drivers/net/wireless/bcmdhd/include/proto/bcmeth.h
@@ -90,6 +90,7 @@
*/
/* #define BCMILCP_BCM_SUBTYPE_EAPOL 3 */
#define BCMILCP_BCM_SUBTYPE_DPT 4
+#define BCMILCP_BCM_SUBTYPE_DNGLEVENT 5
#define BCMILCP_BCM_SUBTYPEHDR_MINLENGTH 8
#define BCMILCP_BCM_SUBTYPEHDR_VERSION 0
diff --git a/drivers/net/wireless/bcmdhd/include/proto/bcmevent.h b/drivers/net/wireless/bcmdhd/include/proto/bcmevent.h
index 43bd5f5..75d703d 100644
--- a/drivers/net/wireless/bcmdhd/include/proto/bcmevent.h
+++ b/drivers/net/wireless/bcmdhd/include/proto/bcmevent.h
@@ -40,6 +40,7 @@
#endif
/* #include <ethernet.h> -- TODO: req., excluded to overwhelming coupling (break up ethernet.h) */
#include <proto/bcmeth.h>
+#include <proto/dnglevent.h>
/* This marks the start of a packed structure section. */
#include <packed_section_start.h>
@@ -94,6 +95,17 @@
/* data portion follows */
} BWL_POST_PACKED_STRUCT bcm_event_t;
+/*
+ * used by host event
+ * Note: If additional event types are added, it should come on is_wlc_event_frame() as well.
+ */
+typedef union bcm_event_msg_u {
+ wl_event_msg_t event;
+ bcm_dngl_event_msg_t dngl_event;
+
+ /* add new event here */
+} bcm_event_msg_u_t;
+
#define BCM_MSG_LEN (sizeof(bcm_event_t) - sizeof(bcmeth_hdr_t) - sizeof(struct ether_header))
/* Event messages */
@@ -239,6 +251,10 @@
extern const bcmevent_name_t bcmevent_names[];
extern const int bcmevent_names_size;
+/* validate if the event is proper and if valid copy event header to event */
+extern int is_wlc_event_frame(void *pktdata, uint pktlen, uint16 exp_usr_subtype,
+ bcm_event_msg_u_t *out_event);
+
/* Event status codes */
#define WLC_E_STATUS_SUCCESS 0 /* operation was successful */
#define WLC_E_STATUS_FAIL 1 /* operation failed */
diff --git a/drivers/net/wireless/bcmdhd/include/proto/dnglevent.h b/drivers/net/wireless/bcmdhd/include/proto/dnglevent.h
new file mode 100644
index 0000000..584e9d2
--- /dev/null
+++ b/drivers/net/wireless/bcmdhd/include/proto/dnglevent.h
@@ -0,0 +1,80 @@
+/*
+ * Broadcom Event protocol definitions
+ *
+ * $Copyright Open Broadcom Corporation$
+ *
+ * Dependencies: proto/bcmeth.h
+ *
+ * $Id: dnglevent.h $
+ *
+ */
+
+/*
+ * Broadcom dngl Ethernet Events protocol defines
+ *
+ */
+
+#ifndef _DNGLEVENT_H_
+#define _DNGLEVENT_H_
+
+#ifndef _TYPEDEFS_H_
+#include <typedefs.h>
+#endif
+#include <proto/bcmeth.h>
+
+/* This marks the start of a packed structure section. */
+#include <packed_section_start.h>
+#define BCM_DNGL_EVENT_MSG_VERSION 1
+#define DNGL_E_SOCRAM_IND 0x2
+typedef BWL_PRE_PACKED_STRUCT struct
+{
+ uint16 version; /* Current version is 1 */
+ uint16 reserved; /* reserved for any future extension */
+ uint16 event_type; /* DNGL_E_SOCRAM_IND */
+ uint16 datalen; /* Length of the event payload */
+} BWL_POST_PACKED_STRUCT bcm_dngl_event_msg_t;
+
+typedef BWL_PRE_PACKED_STRUCT struct bcm_dngl_event {
+ struct ether_header eth;
+ bcmeth_hdr_t bcm_hdr;
+ bcm_dngl_event_msg_t dngl_event;
+ /* data portion follows */
+} BWL_POST_PACKED_STRUCT bcm_dngl_event_t;
+
+
+/* SOCRAM_IND type tags */
+#define SOCRAM_IND_ASSRT_TAG 0x1
+#define SOCRAM_IND_TAG_HEALTH_CHECK 0x2
+typedef BWL_PRE_PACKED_STRUCT struct bcm_dngl_socramind {
+ uint16 tag; /* data tag */
+ uint16 length; /* data length */
+ uint8 value[1]; /* data value with variable length specified by length */
+} BWL_POST_PACKED_STRUCT bcm_dngl_socramind_t;
+
+/* Health check top level module tags */
+#define HEALTH_CHECK_TOP_LEVEL_MODULE_PCIEDEV_RTE 1
+typedef BWL_PRE_PACKED_STRUCT struct bcm_dngl_healthcheck {
+ uint16 top_module_tag; /* top level module tag */
+ uint16 top_module_len; /* Type of PCIE issue indication */
+ uint8 value[1]; /* data value with variable length specified by length */
+} BWL_POST_PACKED_STRUCT bcm_dngl_healthcheck_t;
+
+#define HEALTH_CHECK_PCIEDEV_VERSION 1
+#define HEALTH_CHECK_PCIEDEV_FLAG_IN_D3_SHIFT 0
+#define HEALTH_CHECK_PCIEDEV_FLAG_IN_D3_FLAG 1 << HEALTH_CHECK_PCIEDEV_FLAG_IN_D3_SHIFT
+/* PCIE Module TAGs */
+#define HEALTH_CHECK_PCIEDEV_INDUCED_IND 0x1
+#define HEALTH_CHECK_PCIEDEV_H2D_DMA_IND 0x2
+#define HEALTH_CHECK_PCIEDEV_D2H_DMA_IND 0x3
+typedef BWL_PRE_PACKED_STRUCT struct bcm_dngl_pcie_hc {
+ uint16 version; /* HEALTH_CHECK_PCIEDEV_VERSION */
+ uint16 reserved;
+ uint16 pcie_err_ind_type; /* PCIE Module TAGs */
+ uint16 pcie_flag;
+ uint32 pcie_control_reg;
+} BWL_POST_PACKED_STRUCT bcm_dngl_pcie_hc_t;
+
+/* This marks the end of a packed structure section. */
+#include <packed_section_end.h>
+
+#endif /* _DNGLEVENT_H_ */
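Review bot: `HEALTH_CHECK_PCIEDEV_FLAG_IN_D3_FLAG` expands to an unparenthesized `1 << HEALTH_CHECK_PCIEDEV_FLAG_IN_D3_SHIFT`, so its value depends on the operators around each use (for instance `x + FLAG` would shift `x + 1`); it should be `#define HEALTH_CHECK_PCIEDEV_FLAG_IN_D3_FLAG (1 << HEALTH_CHECK_PCIEDEV_FLAG_IN_D3_SHIFT)`. Two smaller points: the comment on `top_module_len` reads "Type of PCIE issue indication", which looks copied from another field, and the header uses `struct ether_header` while including only proto/bcmeth.h, so unless bcmeth.h provides that type it relies on the includer having pulled in proto/ethernet.h first.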