From e3bc2e488d03b697a7168812c6c559c4bba0b49d Mon Sep 17 00:00:00 2001 From: =?utf8?q?Rafa=C5=82=20Mi=C5=82ecki?= Date: Thu, 16 Aug 2018 10:19:01 +0200 Subject: [PATCH] mac80211: brcmfmac: backport important changes from the 4.13 MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Signed-off-by: Rafał Miłecki --- package/kernel/mac80211/Makefile | 2 +- ...e-setting-IBSS-mode-when-stopping-AP.patch | 34 ++++++++++++ ...m_skb-leak-in-brcmf_sdiod_recv_chain.patch | 53 +++++++++++++++++++ ...arate-firmware-for-revision-0-of-the.patch | 45 ++++++++++++++++ ...lize-oob-irq-data-before-request_irq.patch | 46 ++++++++++++++++ ...emory-leak-in-error-handling-path-in.patch | 36 +++++++++++++ ...sible-buffer-overflow-in-brcmf_cfg80.patch | 41 ++++++++++++++ ...gth-check-in-brcmf_cfg80211_escan_ha.patch | 4 +- ...-register-wiphy-s-during-module_init.patch | 2 +- 9 files changed, 259 insertions(+), 4 deletions(-) create mode 100644 package/kernel/mac80211/patches/323-v4.13-0001-brcmfmac-remove-setting-IBSS-mode-when-stopping-AP.patch create mode 100644 package/kernel/mac80211/patches/323-v4.13-0002-brcmfmac-Fix-glom_skb-leak-in-brcmf_sdiod_recv_chain.patch create mode 100644 package/kernel/mac80211/patches/323-v4.13-0003-brcmfmac-Use-separate-firmware-for-revision-0-of-the.patch create mode 100644 package/kernel/mac80211/patches/323-v4.13-0004-brcmfmac-initialize-oob-irq-data-before-request_irq.patch create mode 100644 package/kernel/mac80211/patches/323-v4.13-0005-brcmfmac-Fix-a-memory-leak-in-error-handling-path-in.patch create mode 100644 package/kernel/mac80211/patches/323-v4.13-0006-brcmfmac-fix-possible-buffer-overflow-in-brcmf_cfg80.patch diff --git a/package/kernel/mac80211/Makefile b/package/kernel/mac80211/Makefile index dbfb9e1a72..5a9cff60b5 100644 --- a/package/kernel/mac80211/Makefile +++ b/package/kernel/mac80211/Makefile @@ -11,7 +11,7 @@ include $(INCLUDE_DIR)/kernel.mk PKG_NAME:=mac80211 PKG_VERSION:=2017-01-31 -PKG_RELEASE:=7 +PKG_RELEASE:=8 PKG_SOURCE_URL:=http://mirror2.openwrt.org/sources PKG_BACKPORT_VERSION:= PKG_HASH:=75e6d39e34cf156212a2509172a4a62b673b69eb4a1d9aaa565f7fa719fa2317 diff --git a/package/kernel/mac80211/patches/323-v4.13-0001-brcmfmac-remove-setting-IBSS-mode-when-stopping-AP.patch b/package/kernel/mac80211/patches/323-v4.13-0001-brcmfmac-remove-setting-IBSS-mode-when-stopping-AP.patch new file mode 100644 index 0000000000..0539014a58 --- /dev/null +++ b/package/kernel/mac80211/patches/323-v4.13-0001-brcmfmac-remove-setting-IBSS-mode-when-stopping-AP.patch @@ -0,0 +1,34 @@ +From 9029679f66d976f8c720eb03c4898274803c9923 Mon Sep 17 00:00:00 2001 +From: Chi-hsien Lin +Date: Thu, 18 May 2017 17:22:19 +0800 +Subject: [PATCH] brcmfmac: remove setting IBSS mode when stopping AP + +Upon stopping an AP interface the driver disable INFRA mode effectively +setting the interface in IBSS mode. However, this may affect other +interfaces running in INFRA mode. For instance, if user creates and stops +hostap daemon on virtual interface, then association cannot work on +primary interface because default BSS has been set to IBSS mode in +firmware side. The IBSS mode should be set when cfg80211 changes the +interface. + +Reviewed-by: Wright Feng +Signed-off-by: Chi-hsien Lin +[kvalo@codeaurora.org: rephased commit log based on discussion] +Signed-off-by: Wright Feng +Signed-off-by: Kalle Valo +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +@@ -4676,9 +4676,6 @@ static int brcmf_cfg80211_stop_ap(struct + err = brcmf_fil_cmd_int_set(ifp, BRCMF_C_SET_AP, 0); + if (err < 0) + brcmf_err("setting AP mode failed %d\n", err); +- err = brcmf_fil_cmd_int_set(ifp, BRCMF_C_SET_INFRA, 0); +- if (err < 0) +- brcmf_err("setting INFRA mode failed %d\n", err); + if (brcmf_feat_is_enabled(ifp, BRCMF_FEAT_MBSS)) + brcmf_fil_iovar_int_set(ifp, "mbss", 0); + brcmf_fil_cmd_int_set(ifp, BRCMF_C_SET_REGULATORY, diff --git a/package/kernel/mac80211/patches/323-v4.13-0002-brcmfmac-Fix-glom_skb-leak-in-brcmf_sdiod_recv_chain.patch b/package/kernel/mac80211/patches/323-v4.13-0002-brcmfmac-Fix-glom_skb-leak-in-brcmf_sdiod_recv_chain.patch new file mode 100644 index 0000000000..b1be6b1ec2 --- /dev/null +++ b/package/kernel/mac80211/patches/323-v4.13-0002-brcmfmac-Fix-glom_skb-leak-in-brcmf_sdiod_recv_chain.patch @@ -0,0 +1,53 @@ +From 5ea59db8a375216e6c915c5586f556766673b5a7 Mon Sep 17 00:00:00 2001 +From: "Peter S. Housel" +Date: Mon, 12 Jun 2017 11:46:22 +0100 +Subject: [PATCH] brcmfmac: Fix glom_skb leak in brcmf_sdiod_recv_chain + +An earlier change to this function (3bdae810721b) fixed a leak in the +case of an unsuccessful call to brcmf_sdiod_buffrw(). However, the +glom_skb buffer, used for emulating a scattering read, is never used +or referenced after its contents are copied into the destination +buffers, and therefore always needs to be freed by the end of the +function. + +Fixes: 3bdae810721b ("brcmfmac: Fix glob_skb leak in brcmf_sdiod_recv_chain") +Fixes: a413e39a38573 ("brcmfmac: fix brcmf_sdcard_recv_chain() for host without sg support") +Cc: stable@vger.kernel.org # 4.9.x- +Signed-off-by: Peter S. Housel +Signed-off-by: Arend van Spriel +Signed-off-by: Kalle Valo +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c +@@ -705,7 +705,7 @@ done: + int brcmf_sdiod_recv_chain(struct brcmf_sdio_dev *sdiodev, + struct sk_buff_head *pktq, uint totlen) + { +- struct sk_buff *glom_skb; ++ struct sk_buff *glom_skb = NULL; + struct sk_buff *skb; + u32 addr = sdiodev->sbwad; + int err = 0; +@@ -726,10 +726,8 @@ int brcmf_sdiod_recv_chain(struct brcmf_ + return -ENOMEM; + err = brcmf_sdiod_buffrw(sdiodev, SDIO_FUNC_2, false, addr, + glom_skb); +- if (err) { +- brcmu_pkt_buf_free_skb(glom_skb); ++ if (err) + goto done; +- } + + skb_queue_walk(pktq, skb) { + memcpy(skb->data, glom_skb->data, skb->len); +@@ -740,6 +738,7 @@ int brcmf_sdiod_recv_chain(struct brcmf_ + pktq); + + done: ++ brcmu_pkt_buf_free_skb(glom_skb); + return err; + } + diff --git a/package/kernel/mac80211/patches/323-v4.13-0003-brcmfmac-Use-separate-firmware-for-revision-0-of-the.patch b/package/kernel/mac80211/patches/323-v4.13-0003-brcmfmac-Use-separate-firmware-for-revision-0-of-the.patch new file mode 100644 index 0000000000..0a118cd7a5 --- /dev/null +++ b/package/kernel/mac80211/patches/323-v4.13-0003-brcmfmac-Use-separate-firmware-for-revision-0-of-the.patch @@ -0,0 +1,45 @@ +From 1278bd149839f2281db45a910082ba143546a148 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Fri, 16 Jun 2017 15:14:49 +0200 +Subject: [PATCH] brcmfmac: Use separate firmware for revision 0 of the + brcm43430 chip + +The brcm43430 chip needs different firmware files for chip revision 0 +and 1. The file currently in linux-firmware is for revision 1 only. + +This commit makes brcmfmac request brcmfmac43430a0-sdio.bin instead +of brcmfmac43430-sdio.bin for revision 0 chips. + +Note that the behavior for revision 1 chips is not changed, ideally those +would load brcmfmac43430a1-sdio.bin, but that will break existing setups. + +Signed-off-by: Hans de Goede +Acked-by: Arend van Spriel +Signed-off-by: Kalle Valo +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c +@@ -611,7 +611,9 @@ BRCMF_FW_NVRAM_DEF(43340, "brcmfmac43340 + BRCMF_FW_NVRAM_DEF(4335, "brcmfmac4335-sdio.bin", "brcmfmac4335-sdio.txt"); + BRCMF_FW_NVRAM_DEF(43362, "brcmfmac43362-sdio.bin", "brcmfmac43362-sdio.txt"); + BRCMF_FW_NVRAM_DEF(4339, "brcmfmac4339-sdio.bin", "brcmfmac4339-sdio.txt"); +-BRCMF_FW_NVRAM_DEF(43430, "brcmfmac43430-sdio.bin", "brcmfmac43430-sdio.txt"); ++BRCMF_FW_NVRAM_DEF(43430A0, "brcmfmac43430a0-sdio.bin", "brcmfmac43430a0-sdio.txt"); ++/* Note the names are not postfixed with a1 for backward compatibility */ ++BRCMF_FW_NVRAM_DEF(43430A1, "brcmfmac43430-sdio.bin", "brcmfmac43430-sdio.txt"); + BRCMF_FW_NVRAM_DEF(43455, "brcmfmac43455-sdio.bin", "brcmfmac43455-sdio.txt"); + BRCMF_FW_NVRAM_DEF(4354, "brcmfmac4354-sdio.bin", "brcmfmac4354-sdio.txt"); + BRCMF_FW_NVRAM_DEF(4356, "brcmfmac4356-sdio.bin", "brcmfmac4356-sdio.txt"); +@@ -629,7 +631,8 @@ static struct brcmf_firmware_mapping brc + BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4335_CHIP_ID, 0xFFFFFFFF, 4335), + BRCMF_FW_NVRAM_ENTRY(BRCM_CC_43362_CHIP_ID, 0xFFFFFFFE, 43362), + BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4339_CHIP_ID, 0xFFFFFFFF, 4339), +- BRCMF_FW_NVRAM_ENTRY(BRCM_CC_43430_CHIP_ID, 0xFFFFFFFF, 43430), ++ BRCMF_FW_NVRAM_ENTRY(BRCM_CC_43430_CHIP_ID, 0x00000001, 43430A0), ++ BRCMF_FW_NVRAM_ENTRY(BRCM_CC_43430_CHIP_ID, 0xFFFFFFFE, 43430A1), + BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4345_CHIP_ID, 0xFFFFFFC0, 43455), + BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4354_CHIP_ID, 0xFFFFFFFF, 4354), + BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4356_CHIP_ID, 0xFFFFFFFF, 4356) diff --git a/package/kernel/mac80211/patches/323-v4.13-0004-brcmfmac-initialize-oob-irq-data-before-request_irq.patch b/package/kernel/mac80211/patches/323-v4.13-0004-brcmfmac-initialize-oob-irq-data-before-request_irq.patch new file mode 100644 index 0000000000..42e43b94a9 --- /dev/null +++ b/package/kernel/mac80211/patches/323-v4.13-0004-brcmfmac-initialize-oob-irq-data-before-request_irq.patch @@ -0,0 +1,46 @@ +From 3f426c96895556bb49adfa52f3aeafdedb2d02e7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micha=C5=82=20Miros=C5=82aw?= +Date: Tue, 13 Jun 2017 18:02:03 +0200 +Subject: [PATCH] brcmfmac: initialize oob irq data before request_irq() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This fixes spin-forever in irq handler when IRQ is already asserted +at request_irq() time. + +Signed-off-by: Michał Mirosław +Signed-off-by: Kalle Valo +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c +@@ -107,12 +107,14 @@ int brcmf_sdiod_intr_register(struct brc + int ret = 0; + u8 data; + u32 addr, gpiocontrol; +- unsigned long flags; + + pdata = &sdiodev->settings->bus.sdio; + if (pdata->oob_irq_supported) { + brcmf_dbg(SDIO, "Enter, register OOB IRQ %d\n", + pdata->oob_irq_nr); ++ spin_lock_init(&sdiodev->irq_en_lock); ++ sdiodev->irq_en = true; ++ + ret = request_irq(pdata->oob_irq_nr, brcmf_sdiod_oob_irqhandler, + pdata->oob_irq_flags, "brcmf_oob_intr", + &sdiodev->func[1]->dev); +@@ -121,10 +123,6 @@ int brcmf_sdiod_intr_register(struct brc + return ret; + } + sdiodev->oob_irq_requested = true; +- spin_lock_init(&sdiodev->irq_en_lock); +- spin_lock_irqsave(&sdiodev->irq_en_lock, flags); +- sdiodev->irq_en = true; +- spin_unlock_irqrestore(&sdiodev->irq_en_lock, flags); + + ret = enable_irq_wake(pdata->oob_irq_nr); + if (ret != 0) { diff --git a/package/kernel/mac80211/patches/323-v4.13-0005-brcmfmac-Fix-a-memory-leak-in-error-handling-path-in.patch b/package/kernel/mac80211/patches/323-v4.13-0005-brcmfmac-Fix-a-memory-leak-in-error-handling-path-in.patch new file mode 100644 index 0000000000..a8afab76fa --- /dev/null +++ b/package/kernel/mac80211/patches/323-v4.13-0005-brcmfmac-Fix-a-memory-leak-in-error-handling-path-in.patch @@ -0,0 +1,36 @@ +From 57c00f2fac512837f8de73474ec1f54020015bae Mon Sep 17 00:00:00 2001 +From: Christophe Jaillet +Date: Wed, 21 Jun 2017 07:45:53 +0200 +Subject: [PATCH] brcmfmac: Fix a memory leak in error handling path in + 'brcmf_cfg80211_attach' + +If 'wiphy_new()' fails, we leak 'ops'. Add a new label in the error +handling path to free it in such a case. + +Cc: stable@vger.kernel.org +Fixes: 5c22fb85102a7 ("brcmfmac: add wowl gtk rekeying offload support") +Signed-off-by: Christophe JAILLET +Signed-off-by: Kalle Valo +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +@@ -6842,7 +6842,7 @@ struct brcmf_cfg80211_info *brcmf_cfg802 + wiphy = wiphy_new(ops, sizeof(struct brcmf_cfg80211_info)); + if (!wiphy) { + brcmf_err("Could not allocate wiphy device\n"); +- return NULL; ++ goto ops_out; + } + memcpy(wiphy->perm_addr, drvr->mac, ETH_ALEN); + set_wiphy_dev(wiphy, busdev); +@@ -6985,6 +6985,7 @@ priv_out: + ifp->vif = NULL; + wiphy_out: + brcmf_free_wiphy(wiphy); ++ops_out: + kfree(ops); + return NULL; + } diff --git a/package/kernel/mac80211/patches/323-v4.13-0006-brcmfmac-fix-possible-buffer-overflow-in-brcmf_cfg80.patch b/package/kernel/mac80211/patches/323-v4.13-0006-brcmfmac-fix-possible-buffer-overflow-in-brcmf_cfg80.patch new file mode 100644 index 0000000000..2376eaebe1 --- /dev/null +++ b/package/kernel/mac80211/patches/323-v4.13-0006-brcmfmac-fix-possible-buffer-overflow-in-brcmf_cfg80.patch @@ -0,0 +1,41 @@ +From 8f44c9a41386729fea410e688959ddaa9d51be7c Mon Sep 17 00:00:00 2001 +From: Arend van Spriel +Date: Fri, 7 Jul 2017 21:09:06 +0100 +Subject: [PATCH] brcmfmac: fix possible buffer overflow in + brcmf_cfg80211_mgmt_tx() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The lower level nl80211 code in cfg80211 ensures that "len" is between +25 and NL80211_ATTR_FRAME (2304). We subtract DOT11_MGMT_HDR_LEN (24) from +"len" so thats's max of 2280. However, the action_frame->data[] buffer is +only BRCMF_FIL_ACTION_FRAME_SIZE (1800) bytes long so this memcpy() can +overflow. + + memcpy(action_frame->data, &buf[DOT11_MGMT_HDR_LEN], + le16_to_cpu(action_frame->len)); + +Cc: stable@vger.kernel.org # 3.9.x +Fixes: 18e2f61db3b70 ("brcmfmac: P2P action frame tx.") +Reported-by: "freenerguo(郭大兴)" +Signed-off-by: Arend van Spriel +Signed-off-by: David S. Miller +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +@@ -4850,6 +4850,11 @@ brcmf_cfg80211_mgmt_tx(struct wiphy *wip + cfg80211_mgmt_tx_status(wdev, *cookie, buf, len, true, + GFP_KERNEL); + } else if (ieee80211_is_action(mgmt->frame_control)) { ++ if (len > BRCMF_FIL_ACTION_FRAME_SIZE + DOT11_MGMT_HDR_LEN) { ++ brcmf_err("invalid action frame length\n"); ++ err = -EINVAL; ++ goto exit; ++ } + af_params = kzalloc(sizeof(*af_params), GFP_KERNEL); + if (af_params == NULL) { + brcmf_err("unable to allocate frame\n"); diff --git a/package/kernel/mac80211/patches/326-brcmfmac-add-length-check-in-brcmf_cfg80211_escan_ha.patch b/package/kernel/mac80211/patches/326-brcmfmac-add-length-check-in-brcmf_cfg80211_escan_ha.patch index 63c867a80c..2b16fa44f7 100644 --- a/package/kernel/mac80211/patches/326-brcmfmac-add-length-check-in-brcmf_cfg80211_escan_ha.patch +++ b/package/kernel/mac80211/patches/326-brcmfmac-add-length-check-in-brcmf_cfg80211_escan_ha.patch @@ -25,7 +25,7 @@ Signed-off-by: Kalle Valo struct brcmf_bss_info_le *bss_info_le; struct brcmf_bss_info_le *bss = NULL; u32 bi_length; -@@ -3104,11 +3105,23 @@ brcmf_cfg80211_escan_handler(struct brcm +@@ -3107,11 +3108,23 @@ brcmf_cfg80211_escan_handler(struct brcm if (status == BRCMF_E_STATUS_PARTIAL) { brcmf_dbg(SCAN, "ESCAN Partial result\n"); @@ -49,7 +49,7 @@ Signed-off-by: Kalle Valo if (le16_to_cpu(escan_result_le->bss_count) != 1) { brcmf_err("Invalid bss_count %d: ignoring\n", escan_result_le->bss_count); -@@ -3125,9 +3138,8 @@ brcmf_cfg80211_escan_handler(struct brcm +@@ -3128,9 +3141,8 @@ brcmf_cfg80211_escan_handler(struct brcm } bi_length = le32_to_cpu(bss_info_le->length); diff --git a/package/kernel/mac80211/patches/860-brcmfmac-register-wiphy-s-during-module_init.patch b/package/kernel/mac80211/patches/860-brcmfmac-register-wiphy-s-during-module_init.patch index 9ee3e26e60..e3f70991f2 100644 --- a/package/kernel/mac80211/patches/860-brcmfmac-register-wiphy-s-during-module_init.patch +++ b/package/kernel/mac80211/patches/860-brcmfmac-register-wiphy-s-during-module_init.patch @@ -13,7 +13,7 @@ Signed-off-by: Rafał Miłecki --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c -@@ -1253,6 +1253,7 @@ int __init brcmf_core_init(void) +@@ -1268,6 +1268,7 @@ int __init brcmf_core_init(void) { if (!schedule_work(&brcmf_driver_work)) return -EBUSY; -- 2.30.2