mac80211: brcmfmac: backport important fixes from kernel 5.2
authorRafał Miłecki <rafal@milecki.pl>
Sun, 16 Jun 2019 19:44:51 +0000 (21:44 +0200)
committerRafał Miłecki <rafal@milecki.pl>
Sun, 16 Jun 2019 19:51:50 +0000 (21:51 +0200)
1) Crash/Oops fixes
2) One-line patch for BCM43456 support
3) Fix communication with some specific FullMAC firmwares
4) Potential fix for "Invalid packet id" errors
5) Important helper for reporting FullMAC firmware crashes

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
15 files changed:
package/kernel/mac80211/patches/450-v5.2-0001-brcmfmac-support-repeated-brcmf_fw_alloc_request-cal.patch
package/kernel/mac80211/patches/450-v5.2-0002-brcmfmac-add-a-function-designated-for-handling-firm.patch
package/kernel/mac80211/patches/451-v5.2-0001-brcmfmac-fix-WARNING-during-USB-disconnect-in-case-o.patch
package/kernel/mac80211/patches/451-v5.2-0002-brcmfmac-fix-NULL-pointer-derefence-during-USB-disco.patch
package/kernel/mac80211/patches/453-v5.2-brcmfmac-fix-Oops-when-bringing-up-interface-during-.patch [new file with mode: 0644]
package/kernel/mac80211/patches/454-v5.2-brcmfmac-fix-missing-checks-for-kmemdup.patch [new file with mode: 0644]
package/kernel/mac80211/patches/455-v5.2-brcmfmac-Loading-the-correct-firmware-for-brcm43456.patch [new file with mode: 0644]
package/kernel/mac80211/patches/456-v5.2-brcmfmac-fix-leak-of-mypkt-on-error-return-path.patch [new file with mode: 0644]
package/kernel/mac80211/patches/457-v5.2-brcmfmac-Add-DMI-nvram-filename-quirk-for-ACEPC-T8-a.patch [new file with mode: 0644]
package/kernel/mac80211/patches/458-v5.2-brcmfmac-send-mailbox-interrupt-twice-for-specific-h.patch [new file with mode: 0644]
package/kernel/mac80211/patches/459-v5.2-brcm80211-potential-NULL-dereference-in-brcmf_cfg802.patch [new file with mode: 0644]
package/kernel/mac80211/patches/460-v5.2-brcmfmac-set-txflow-request-id-from-1-to-pktids-arra.patch [new file with mode: 0644]
package/kernel/mac80211/patches/461-v5.2-brcmfmac-print-firmware-messages-after-a-firmware-cr.patch [new file with mode: 0644]
package/kernel/mac80211/patches/860-brcmfmac-register-wiphy-s-during-module_init.patch
package/kernel/mac80211/patches/865-brcmfmac-get-RAM-info-right-before-downloading-PCIe-.patch

index ef694f0..9efe00c 100644 (file)
@@ -22,7 +22,7 @@ Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
 
 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
 +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
-@@ -743,6 +743,7 @@ brcmf_fw_alloc_request(u32 chip, u32 chi
+@@ -668,6 +668,7 @@ brcmf_fw_alloc_request(u32 chip, u32 chi
  
        for (j = 0; j < n_fwnames; j++) {
                fwreq->items[j].path = fwnames[j].path;
index 595b894..d29a767 100644 (file)
@@ -25,7 +25,7 @@ Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
 
 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bus.h
 +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bus.h
-@@ -262,6 +262,8 @@ void brcmf_detach(struct device *dev);
+@@ -252,6 +252,8 @@ void brcmf_detach(struct device *dev);
  void brcmf_dev_reset(struct device *dev);
  /* Request from bus module to initiate a coredump */
  void brcmf_dev_coredump(struct device *dev);
@@ -36,7 +36,7 @@ Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
  void brcmf_bus_change_state(struct brcmf_bus *bus, enum brcmf_bus_state state);
 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
 +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
-@@ -1294,6 +1294,16 @@ void brcmf_dev_coredump(struct device *d
+@@ -1292,6 +1292,16 @@ void brcmf_dev_coredump(struct device *d
                brcmf_dbg(TRACE, "failed to create coredump\n");
  }
  
@@ -66,7 +66,7 @@ Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
  
 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
 +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
-@@ -1090,8 +1090,8 @@ static u32 brcmf_sdio_hostmail(struct br
+@@ -1073,8 +1073,8 @@ static u32 brcmf_sdio_hostmail(struct br
  
        /* dongle indicates the firmware has halted/crashed */
        if (hmb_data & HMB_DATA_FWHALT) {
index cb4b5c9..620a585 100644 (file)
@@ -59,7 +59,7 @@ Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
 
 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
 +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
-@@ -580,24 +580,6 @@ static bool brcmf_fws_ifidx_match(struct
+@@ -579,24 +579,6 @@ static bool brcmf_fws_ifidx_match(struct
        return ifidx == *(int *)arg;
  }
  
@@ -84,7 +84,7 @@ Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
  static void brcmf_fws_hanger_init(struct brcmf_fws_hanger *hanger)
  {
        int i;
-@@ -669,6 +651,28 @@ static inline int brcmf_fws_hanger_poppk
+@@ -668,6 +650,28 @@ static inline int brcmf_fws_hanger_poppk
        return 0;
  }
  
@@ -113,7 +113,7 @@ Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
  static int brcmf_fws_hanger_mark_suppressed(struct brcmf_fws_hanger *h,
                                            u32 slot_id)
  {
-@@ -2200,6 +2204,8 @@ void brcmf_fws_del_interface(struct brcm
+@@ -2174,6 +2178,8 @@ void brcmf_fws_del_interface(struct brcm
        brcmf_fws_lock(fws);
        ifp->fws_desc = NULL;
        brcmf_dbg(TRACE, "deleting %s\n", entry->name);
index e45288b..71b9487 100644 (file)
@@ -114,7 +114,7 @@ Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
  #endif /* BRCMFMAC_BCDC_H */
 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
 +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
-@@ -1342,6 +1342,8 @@ void brcmf_detach(struct device *dev)
+@@ -1340,6 +1340,8 @@ void brcmf_detach(struct device *dev)
  
        brcmf_bus_change_state(bus_if, BRCMF_BUS_DOWN);
  
@@ -123,7 +123,7 @@ Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
        /* make sure primary interface removed last */
        for (i = BRCMF_MAX_IFS-1; i > -1; i--)
                brcmf_remove_interface(drvr->iflist[i], false);
-@@ -1351,7 +1353,7 @@ void brcmf_detach(struct device *dev)
+@@ -1349,7 +1351,7 @@ void brcmf_detach(struct device *dev)
  
        brcmf_bus_stop(drvr->bus_if);
  
@@ -134,7 +134,7 @@ Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
        wiphy_free(drvr->wiphy);
 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
 +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
-@@ -2443,17 +2443,25 @@ struct brcmf_fws_info *brcmf_fws_attach(
+@@ -2416,17 +2416,25 @@ struct brcmf_fws_info *brcmf_fws_attach(
        return fws;
  
  fail:
diff --git a/package/kernel/mac80211/patches/453-v5.2-brcmfmac-fix-Oops-when-bringing-up-interface-during-.patch b/package/kernel/mac80211/patches/453-v5.2-brcmfmac-fix-Oops-when-bringing-up-interface-during-.patch
new file mode 100644 (file)
index 0000000..5e34e1a
--- /dev/null
@@ -0,0 +1,123 @@
+From 24d413a31afaee9bbbf79226052c386b01780ce2 Mon Sep 17 00:00:00 2001
+From: Piotr Figiel <p.figiel@camlintechnologies.com>
+Date: Wed, 13 Mar 2019 09:52:01 +0000
+Subject: [PATCH] brcmfmac: fix Oops when bringing up interface during USB
+ disconnect
+
+Fix a race which leads to an Oops with NULL pointer dereference.  The
+dereference is in brcmf_config_dongle() when cfg_to_ndev() attempts to get
+net_device structure of interface with index 0 via if2bss mapping. This
+shouldn't fail because of check for bus being ready in brcmf_netdev_open(),
+but it's not synchronised with USB disconnect and there is a race: after
+the check the bus can be marked down and the mapping for interface 0 may be
+gone.
+
+Solve this by modifying disconnect handling so that the removal of mapping
+of ifidx to brcmf_if structure happens after netdev removal (which is
+synchronous with brcmf_netdev_open() thanks to rtln being locked in
+devinet_ioctl()). This assures brcmf_netdev_open() returns before the
+mapping is removed during disconnect.
+
+Unable to handle kernel NULL pointer dereference at virtual address 00000008
+pgd = bcae2612
+[00000008] *pgd=8be73831
+Internal error: Oops: 17 [#1] PREEMPT SMP ARM
+Modules linked in: brcmfmac brcmutil nf_log_ipv4 nf_log_common xt_LOG xt_limit
+iptable_mangle xt_connmark xt_tcpudp xt_conntrack nf_conntrack nf_defrag_ipv6
+nf_defrag_ipv4 iptable_filter ip_tables x_tables usb_f_mass_storage usb_f_rndis
+u_ether usb_serial_simple usbserial cdc_acm smsc95xx usbnet ci_hdrc_imx ci_hdrc
+usbmisc_imx ulpi 8250_exar 8250_pci 8250 8250_base libcomposite configfs
+udc_core [last unloaded: brcmutil]
+CPU: 2 PID: 24478 Comm: ifconfig Not tainted 4.19.23-00078-ga62866d-dirty #115
+Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
+PC is at brcmf_cfg80211_up+0x94/0x29c [brcmfmac]
+LR is at brcmf_cfg80211_up+0x8c/0x29c [brcmfmac]
+pc : [<7f26a91c>]    lr : [<7f26a914>]    psr: a0070013
+sp : eca99d28  ip : 00000000  fp : ee9c6c00
+r10: 00000036  r9 : 00000000  r8 : ece4002c
+r7 : edb5b800  r6 : 00000000  r5 : 80f08448  r4 : edb5b968
+r3 : ffffffff  r2 : 00000000  r1 : 00000002  r0 : 00000000
+Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
+Control: 10c5387d  Table: 7ca0c04a  DAC: 00000051
+Process ifconfig (pid: 24478, stack limit = 0xd9e85a0e)
+Stack: (0xeca99d28 to 0xeca9a000)
+9d20:                   00000000 80f873b0 0000000d 80f08448 eca99d68 50d45f32
+9d40: 7f27de94 ece40000 80f08448 80f08448 7f27de94 ece4002c 00000000 00000036
+9d60: ee9c6c00 7f27262c 00001002 50d45f32 ece40000 00000000 80f08448 80772008
+9d80: 00000001 00001043 00001002 ece40000 00000000 50d45f32 ece40000 00000001
+9da0: 80f08448 00001043 00001002 807723d0 00000000 50d45f32 80f08448 eca99e58
+9dc0: 80f87113 50d45f32 80f08448 ece40000 ece40138 00001002 80f08448 00000000
+9de0: 00000000 80772434 edbd5380 eca99e58 edbd5380 80f08448 ee9c6c0c 80805f70
+9e00: 00000000 ede08e00 00008914 ece40000 00000014 ee9c6c0c 600c0013 00001043
+9e20: 0208a8c0 ffffffff 00000000 50d45f32 eca98000 80f08448 7ee9fc38 00008914
+9e40: 80f68e40 00000051 eca98000 00000036 00000003 80808b9c 6e616c77 00000030
+9e60: 00000000 00000000 00001043 0208a8c0 ffffffff 00000000 80f08448 00000000
+9e80: 00000000 816d8b20 600c0013 00000001 ede09320 801763d4 00000000 50d45f32
+9ea0: eca98000 80f08448 7ee9fc38 50d45f32 00008914 80f08448 7ee9fc38 80f68e40
+9ec0: ed531540 8074721c 00000800 00000001 00000000 6e616c77 00000030 00000000
+9ee0: 00000000 00001002 0208a8c0 ffffffff 00000000 50d45f32 80f08448 7ee9fc38
+9f00: ed531560 ec8fc900 80285a6c 80285138 edb910c0 00000000 ecd91008 ede08e00
+9f20: 80f08448 00000000 00000000 816d8b20 600c0013 00000001 ede09320 801763d4
+9f40: 00000000 50d45f32 00021000 edb91118 edb910c0 80f08448 01b29000 edb91118
+9f60: eca99f7c 50d45f32 00021000 ec8fc900 00000003 ec8fc900 00008914 7ee9fc38
+9f80: eca98000 00000036 00000003 80285a6c 00086364 7ee9fe1c 000000c3 00000036
+9fa0: 801011c4 80101000 00086364 7ee9fe1c 00000003 00008914 7ee9fc38 00086364
+9fc0: 00086364 7ee9fe1c 000000c3 00000036 0008630c 7ee9fe1c 7ee9fc38 00000003
+9fe0: 000a42b8 7ee9fbd4 00019914 76e09acc 600c0010 00000003 00000000 00000000
+[<7f26a91c>] (brcmf_cfg80211_up [brcmfmac]) from [<7f27262c>] (brcmf_netdev_open+0x74/0xe8 [brcmfmac])
+[<7f27262c>] (brcmf_netdev_open [brcmfmac]) from [<80772008>] (__dev_open+0xcc/0x150)
+[<80772008>] (__dev_open) from [<807723d0>] (__dev_change_flags+0x168/0x1b4)
+[<807723d0>] (__dev_change_flags) from [<80772434>] (dev_change_flags+0x18/0x48)
+[<80772434>] (dev_change_flags) from [<80805f70>] (devinet_ioctl+0x67c/0x79c)
+[<80805f70>] (devinet_ioctl) from [<80808b9c>] (inet_ioctl+0x210/0x3d4)
+[<80808b9c>] (inet_ioctl) from [<8074721c>] (sock_ioctl+0x350/0x524)
+[<8074721c>] (sock_ioctl) from [<80285138>] (do_vfs_ioctl+0xb0/0x9b0)
+[<80285138>] (do_vfs_ioctl) from [<80285a6c>] (ksys_ioctl+0x34/0x5c)
+[<80285a6c>] (ksys_ioctl) from [<80101000>] (ret_fast_syscall+0x0/0x28)
+Exception stack(0xeca99fa8 to 0xeca99ff0)
+9fa0:                   00086364 7ee9fe1c 00000003 00008914 7ee9fc38 00086364
+9fc0: 00086364 7ee9fe1c 000000c3 00000036 0008630c 7ee9fe1c 7ee9fc38 00000003
+9fe0: 000a42b8 7ee9fbd4 00019914 76e09acc
+Code: e5970328 eb002021 e1a02006 e3a01002 (e5909008)
+---[ end trace 5cbac2333f3ac5df ]---
+
+Signed-off-by: Piotr Figiel <p.figiel@camlintechnologies.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../net/wireless/broadcom/brcm80211/brcmfmac/core.c    | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+@@ -861,17 +861,17 @@ static void brcmf_del_if(struct brcmf_pu
+                        bool rtnl_locked)
+ {
+       struct brcmf_if *ifp;
++      int ifidx;
+       ifp = drvr->iflist[bsscfgidx];
+-      drvr->iflist[bsscfgidx] = NULL;
+       if (!ifp) {
+               bphy_err(drvr, "Null interface, bsscfgidx=%d\n", bsscfgidx);
+               return;
+       }
+       brcmf_dbg(TRACE, "Enter, bsscfgidx=%d, ifidx=%d\n", bsscfgidx,
+                 ifp->ifidx);
+-      if (drvr->if2bss[ifp->ifidx] == bsscfgidx)
+-              drvr->if2bss[ifp->ifidx] = BRCMF_BSSIDX_INVALID;
++      ifidx = ifp->ifidx;
++
+       if (ifp->ndev) {
+               if (bsscfgidx == 0) {
+                       if (ifp->ndev->netdev_ops == &brcmf_netdev_ops_pri) {
+@@ -899,6 +899,10 @@ static void brcmf_del_if(struct brcmf_pu
+               brcmf_p2p_ifp_removed(ifp, rtnl_locked);
+               kfree(ifp);
+       }
++
++      drvr->iflist[bsscfgidx] = NULL;
++      if (drvr->if2bss[ifidx] == bsscfgidx)
++              drvr->if2bss[ifidx] = BRCMF_BSSIDX_INVALID;
+ }
+ void brcmf_remove_interface(struct brcmf_if *ifp, bool rtnl_locked)
diff --git a/package/kernel/mac80211/patches/454-v5.2-brcmfmac-fix-missing-checks-for-kmemdup.patch b/package/kernel/mac80211/patches/454-v5.2-brcmfmac-fix-missing-checks-for-kmemdup.patch
new file mode 100644 (file)
index 0000000..2f72b72
--- /dev/null
@@ -0,0 +1,35 @@
+From 46953f97224d56a12ccbe9c6acaa84ca0dab2780 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Fri, 15 Mar 2019 12:04:32 -0500
+Subject: [PATCH] brcmfmac: fix missing checks for kmemdup
+
+In case kmemdup fails, the fix sets conn_info->req_ie_len and
+conn_info->resp_ie_len to zero to avoid buffer overflows.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -5455,6 +5455,8 @@ static s32 brcmf_get_assoc_ies(struct br
+               conn_info->req_ie =
+                   kmemdup(cfg->extra_buf, conn_info->req_ie_len,
+                           GFP_KERNEL);
++              if (!conn_info->req_ie)
++                      conn_info->req_ie_len = 0;
+       } else {
+               conn_info->req_ie_len = 0;
+               conn_info->req_ie = NULL;
+@@ -5471,6 +5473,8 @@ static s32 brcmf_get_assoc_ies(struct br
+               conn_info->resp_ie =
+                   kmemdup(cfg->extra_buf, conn_info->resp_ie_len,
+                           GFP_KERNEL);
++              if (!conn_info->resp_ie)
++                      conn_info->resp_ie_len = 0;
+       } else {
+               conn_info->resp_ie_len = 0;
+               conn_info->resp_ie = NULL;
diff --git a/package/kernel/mac80211/patches/455-v5.2-brcmfmac-Loading-the-correct-firmware-for-brcm43456.patch b/package/kernel/mac80211/patches/455-v5.2-brcmfmac-Loading-the-correct-firmware-for-brcm43456.patch
new file mode 100644 (file)
index 0000000..f7ca327
--- /dev/null
@@ -0,0 +1,35 @@
+From e3062e05e1cfe378bb9b3fa0bef46711372bcf13 Mon Sep 17 00:00:00 2001
+From: Ondrej Jirman <megous@megous.com>
+Date: Sat, 6 Apr 2019 01:45:13 +0200
+Subject: [PATCH] brcmfmac: Loading the correct firmware for brcm43456
+
+SDIO based brcm43456 is currently misdetected as brcm43455 and the wrong
+firmware name is used. Correct the detection and load the correct
+firmware file. Chiprev for brcm43456 is "9".
+
+Signed-off-by: Ondrej Jirman <megous@megous.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+@@ -615,6 +615,7 @@ BRCMF_FW_DEF(43430A0, "brcmfmac43430a0-s
+ /* Note the names are not postfixed with a1 for backward compatibility */
+ BRCMF_FW_DEF(43430A1, "brcmfmac43430-sdio");
+ BRCMF_FW_DEF(43455, "brcmfmac43455-sdio");
++BRCMF_FW_DEF(43456, "brcmfmac43456-sdio");
+ BRCMF_FW_DEF(4354, "brcmfmac4354-sdio");
+ BRCMF_FW_DEF(4356, "brcmfmac4356-sdio");
+ BRCMF_FW_DEF(4373, "brcmfmac4373-sdio");
+@@ -634,7 +635,8 @@ static const struct brcmf_firmware_mappi
+       BRCMF_FW_ENTRY(BRCM_CC_4339_CHIP_ID, 0xFFFFFFFF, 4339),
+       BRCMF_FW_ENTRY(BRCM_CC_43430_CHIP_ID, 0x00000001, 43430A0),
+       BRCMF_FW_ENTRY(BRCM_CC_43430_CHIP_ID, 0xFFFFFFFE, 43430A1),
+-      BRCMF_FW_ENTRY(BRCM_CC_4345_CHIP_ID, 0xFFFFFFC0, 43455),
++      BRCMF_FW_ENTRY(BRCM_CC_4345_CHIP_ID, 0x00000200, 43456),
++      BRCMF_FW_ENTRY(BRCM_CC_4345_CHIP_ID, 0xFFFFFDC0, 43455),
+       BRCMF_FW_ENTRY(BRCM_CC_4354_CHIP_ID, 0xFFFFFFFF, 4354),
+       BRCMF_FW_ENTRY(BRCM_CC_4356_CHIP_ID, 0xFFFFFFFF, 4356),
+       BRCMF_FW_ENTRY(CY_CC_4373_CHIP_ID, 0xFFFFFFFF, 4373)
diff --git a/package/kernel/mac80211/patches/456-v5.2-brcmfmac-fix-leak-of-mypkt-on-error-return-path.patch b/package/kernel/mac80211/patches/456-v5.2-brcmfmac-fix-leak-of-mypkt-on-error-return-path.patch
new file mode 100644 (file)
index 0000000..a9a9d74
--- /dev/null
@@ -0,0 +1,41 @@
+From a927e8d8ab57e696800e20cf09a72b7dfe3bbebb Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Tue, 9 Apr 2019 12:43:33 +0100
+Subject: [PATCH] brcmfmac: fix leak of mypkt on error return path
+
+Currently if the call to brcmf_sdiod_set_backplane_window fails then
+error return path leaks mypkt. Fix this by returning by a new
+error path labelled 'out' that calls brcmu_pkt_buf_free_skb to free
+mypkt.  Also remove redundant check on err before calling
+brcmf_sdiod_skbuff_write.
+
+Addresses-Coverity: ("Resource Leak")
+Fixes: a7c3aa1509e2 ("brcmfmac: Remove brcmf_sdiod_addrprep()")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
+@@ -617,15 +617,13 @@ int brcmf_sdiod_send_buf(struct brcmf_sd
+       err = brcmf_sdiod_set_backplane_window(sdiodev, addr);
+       if (err)
+-              return err;
++              goto out;
+       addr &= SBSDIO_SB_OFT_ADDR_MASK;
+       addr |= SBSDIO_SB_ACCESS_2_4B_FLAG;
+-      if (!err)
+-              err = brcmf_sdiod_skbuff_write(sdiodev, sdiodev->func2, addr,
+-                                             mypkt);
+-
++      err = brcmf_sdiod_skbuff_write(sdiodev, sdiodev->func2, addr, mypkt);
++out:
+       brcmu_pkt_buf_free_skb(mypkt);
+       return err;
diff --git a/package/kernel/mac80211/patches/457-v5.2-brcmfmac-Add-DMI-nvram-filename-quirk-for-ACEPC-T8-a.patch b/package/kernel/mac80211/patches/457-v5.2-brcmfmac-Add-DMI-nvram-filename-quirk-for-ACEPC-T8-a.patch
new file mode 100644 (file)
index 0000000..7865606
--- /dev/null
@@ -0,0 +1,70 @@
+From b1a0ba8f772d7a6dcb5aa3e856f5bd8274989ebe Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Mon, 22 Apr 2019 22:41:23 +0200
+Subject: [PATCH] brcmfmac: Add DMI nvram filename quirk for ACEPC T8 and T11
+ mini PCs
+
+The ACEPC T8 and T11 mini PCs contain quite generic names in the sys_vendor
+and product_name DMI strings, without this patch brcmfmac will try to load:
+"brcmfmac43455-sdio.Default string-Default string.txt" as nvram file which
+is way too generic.
+
+The DMI strings on which we are matching are somewhat generic too, but
+"To be filled by O.E.M." is less common then "Default string" and the
+system-sku and bios-version strings are pretty unique. Beside the DMI
+strings we also check the wifi-module chip-id and revision. I'm confident
+that the combination of all this is unique.
+
+Both the T8 and T11 use the same wifi-module, this commit adds DMI
+quirks for both mini PCs pointing to brcmfmac43455-sdio.acepc-t8.txt .
+
+BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1690852
+Cc: stable@vger.kernel.org
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../broadcom/brcm80211/brcmfmac/dmi.c         | 26 +++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c
+@@ -31,6 +31,10 @@ struct brcmf_dmi_data {
+ /* NOTE: Please keep all entries sorted alphabetically */
++static const struct brcmf_dmi_data acepc_t8_data = {
++      BRCM_CC_4345_CHIP_ID, 6, "acepc-t8"
++};
++
+ static const struct brcmf_dmi_data gpd_win_pocket_data = {
+       BRCM_CC_4356_CHIP_ID, 2, "gpd-win-pocket"
+ };
+@@ -45,6 +49,28 @@ static const struct brcmf_dmi_data meego
+ static const struct dmi_system_id dmi_platform_data[] = {
+       {
++              /* ACEPC T8 Cherry Trail Z8350 mini PC */
++              .matches = {
++                      DMI_EXACT_MATCH(DMI_BOARD_VENDOR, "To be filled by O.E.M."),
++                      DMI_EXACT_MATCH(DMI_BOARD_NAME, "Cherry Trail CR"),
++                      DMI_EXACT_MATCH(DMI_PRODUCT_SKU, "T8"),
++                      /* also match on somewhat unique bios-version */
++                      DMI_EXACT_MATCH(DMI_BIOS_VERSION, "1.000"),
++              },
++              .driver_data = (void *)&acepc_t8_data,
++      },
++      {
++              /* ACEPC T11 Cherry Trail Z8350 mini PC, same wifi as the T8 */
++              .matches = {
++                      DMI_EXACT_MATCH(DMI_BOARD_VENDOR, "To be filled by O.E.M."),
++                      DMI_EXACT_MATCH(DMI_BOARD_NAME, "Cherry Trail CR"),
++                      DMI_EXACT_MATCH(DMI_PRODUCT_SKU, "T11"),
++                      /* also match on somewhat unique bios-version */
++                      DMI_EXACT_MATCH(DMI_BIOS_VERSION, "1.000"),
++              },
++              .driver_data = (void *)&acepc_t8_data,
++      },
++      {
+               /* Match for the GPDwin which unfortunately uses somewhat
+                * generic dmi strings, which is why we test for 4 strings.
+                * Comparing against 23 other byt/cht boards, board_vendor
diff --git a/package/kernel/mac80211/patches/458-v5.2-brcmfmac-send-mailbox-interrupt-twice-for-specific-h.patch b/package/kernel/mac80211/patches/458-v5.2-brcmfmac-send-mailbox-interrupt-twice-for-specific-h.patch
new file mode 100644 (file)
index 0000000..1fcf8c7
--- /dev/null
@@ -0,0 +1,39 @@
+From 9ef77fbedad9ea8895cd5d7fb7aee16071f527dc Mon Sep 17 00:00:00 2001
+From: Wright Feng <Wright.Feng@cypress.com>
+Date: Fri, 26 Apr 2019 03:12:32 +0000
+Subject: [PATCH] brcmfmac: send mailbox interrupt twice for specific hardware
+ device
+
+For PCIE wireless device with core revision less than 14, device may miss
+PCIE to System Backplane Interrupt via PCIEtoSBMailbox. So add sending
+mail box interrupt twice as a hardware workaround.
+
+Signed-off-by: Wright Feng <wright.feng@cypress.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+@@ -675,6 +675,7 @@ static int
+ brcmf_pcie_send_mb_data(struct brcmf_pciedev_info *devinfo, u32 htod_mb_data)
+ {
+       struct brcmf_pcie_shared_info *shared;
++      struct brcmf_core *core;
+       u32 addr;
+       u32 cur_htod_mb_data;
+       u32 i;
+@@ -698,7 +699,11 @@ brcmf_pcie_send_mb_data(struct brcmf_pci
+       brcmf_pcie_write_tcm32(devinfo, addr, htod_mb_data);
+       pci_write_config_dword(devinfo->pdev, BRCMF_PCIE_REG_SBMBX, 1);
+-      pci_write_config_dword(devinfo->pdev, BRCMF_PCIE_REG_SBMBX, 1);
++
++      /* Send mailbox interrupt twice as a hardware workaround */
++      core = brcmf_chip_get_core(devinfo->ci, BCMA_CORE_PCIE2);
++      if (core->rev <= 13)
++              pci_write_config_dword(devinfo->pdev, BRCMF_PCIE_REG_SBMBX, 1);
+       return 0;
+ }
diff --git a/package/kernel/mac80211/patches/459-v5.2-brcm80211-potential-NULL-dereference-in-brcmf_cfg802.patch b/package/kernel/mac80211/patches/459-v5.2-brcm80211-potential-NULL-dereference-in-brcmf_cfg802.patch
new file mode 100644 (file)
index 0000000..b4d56c3
--- /dev/null
@@ -0,0 +1,50 @@
+From e025da3d7aa4770bb1d1b3b0aa7cc4da1744852d Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 24 Apr 2019 12:52:18 +0300
+Subject: [PATCH] brcm80211: potential NULL dereference in
+ brcmf_cfg80211_vndr_cmds_dcmd_handler()
+
+If "ret_len" is negative then it could lead to a NULL dereference.
+
+The "ret_len" value comes from nl80211_vendor_cmd(), if it's negative
+then we don't allocate the "dcmd_buf" buffer.  Then we pass "ret_len" to
+brcmf_fil_cmd_data_set() where it is cast to a very high u32 value.
+Most of the functions in that call tree check whether the buffer we pass
+is NULL but there are at least a couple places which don't such as
+brcmf_dbg_hex_dump() and brcmf_msgbuf_query_dcmd().  We memcpy() to and
+from the buffer so it would result in a NULL dereference.
+
+The fix is to change the types so that "ret_len" can't be negative.  (If
+we memcpy() zero bytes to NULL, that's a no-op and doesn't cause an
+issue).
+
+Fixes: 1bacb0487d0e ("brcmfmac: replace cfg80211 testmode with vendor command")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/vendor.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/vendor.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/vendor.c
+@@ -35,9 +35,10 @@ static int brcmf_cfg80211_vndr_cmds_dcmd
+       struct brcmf_if *ifp;
+       const struct brcmf_vndr_dcmd_hdr *cmdhdr = data;
+       struct sk_buff *reply;
+-      int ret, payload, ret_len;
++      unsigned int payload, ret_len;
+       void *dcmd_buf = NULL, *wr_pointer;
+       u16 msglen, maxmsglen = PAGE_SIZE - 0x100;
++      int ret;
+       if (len < sizeof(*cmdhdr)) {
+               brcmf_err("vendor command too short: %d\n", len);
+@@ -65,7 +66,7 @@ static int brcmf_cfg80211_vndr_cmds_dcmd
+                       brcmf_err("oversize return buffer %d\n", ret_len);
+                       ret_len = BRCMF_DCMD_MAXLEN;
+               }
+-              payload = max(ret_len, len) + 1;
++              payload = max_t(unsigned int, ret_len, len) + 1;
+               dcmd_buf = vzalloc(payload);
+               if (NULL == dcmd_buf)
+                       return -ENOMEM;
diff --git a/package/kernel/mac80211/patches/460-v5.2-brcmfmac-set-txflow-request-id-from-1-to-pktids-arra.patch b/package/kernel/mac80211/patches/460-v5.2-brcmfmac-set-txflow-request-id-from-1-to-pktids-arra.patch
new file mode 100644 (file)
index 0000000..6702dd5
--- /dev/null
@@ -0,0 +1,49 @@
+From 2d91c8ad068a5cad4d9e7ece8dc811a697c7176a Mon Sep 17 00:00:00 2001
+From: Wright Feng <Wright.Feng@cypress.com>
+Date: Fri, 26 Apr 2019 03:41:46 +0000
+Subject: [PATCH] brcmfmac: set txflow request id from 1 to pktids array size
+
+Some PCIE firmwares drop txstatus if pktid is 0 and make packet held in
+host side and never be released. If that packet type is 802.1x, the
+pend_8021x_cnt value will be always greater than 0 and show "Timed out
+waiting for no pending 802.1x packets" error message when sending key to
+dongle every time.
+
+To be compatible with all firmwares, host should set txflow request id
+from 1 instead of from 0.
+
+Signed-off-by: Wright Feng <wright.feng@cypress.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c
+@@ -375,7 +375,7 @@ brcmf_msgbuf_get_pktid(struct device *de
+       struct brcmf_msgbuf_pktid *pktid;
+       struct sk_buff *skb;
+-      if (idx >= pktids->array_size) {
++      if (idx < 0 || idx >= pktids->array_size) {
+               brcmf_err("Invalid packet id %d (max %d)\n", idx,
+                         pktids->array_size);
+               return NULL;
+@@ -747,7 +747,7 @@ static void brcmf_msgbuf_txflow(struct b
+               tx_msghdr = (struct msgbuf_tx_msghdr *)ret_ptr;
+               tx_msghdr->msg.msgtype = MSGBUF_TYPE_TX_POST;
+-              tx_msghdr->msg.request_id = cpu_to_le32(pktid);
++              tx_msghdr->msg.request_id = cpu_to_le32(pktid + 1);
+               tx_msghdr->msg.ifidx = brcmf_flowring_ifidx_get(flow, flowid);
+               tx_msghdr->flags = BRCMF_MSGBUF_PKT_FLAGS_FRAME_802_3;
+               tx_msghdr->flags |= (skb->priority & 0x07) <<
+@@ -884,7 +884,7 @@ brcmf_msgbuf_process_txstatus(struct brc
+       u16 flowid;
+       tx_status = (struct msgbuf_tx_status *)buf;
+-      idx = le32_to_cpu(tx_status->msg.request_id);
++      idx = le32_to_cpu(tx_status->msg.request_id) - 1;
+       flowid = le16_to_cpu(tx_status->compl_hdr.flow_ring_id);
+       flowid -= BRCMF_H2D_MSGRING_FLOWRING_IDSTART;
+       skb = brcmf_msgbuf_get_pktid(msgbuf->drvr->bus_if->dev,
diff --git a/package/kernel/mac80211/patches/461-v5.2-brcmfmac-print-firmware-messages-after-a-firmware-cr.patch b/package/kernel/mac80211/patches/461-v5.2-brcmfmac-print-firmware-messages-after-a-firmware-cr.patch
new file mode 100644 (file)
index 0000000..ceb8505
--- /dev/null
@@ -0,0 +1,90 @@
+From 47dd82e3d25e85a7c7c4e4b0eac9d297d1e5e2d4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Sun, 28 Apr 2019 23:38:26 +0200
+Subject: [PATCH] brcmfmac: print firmware messages after a firmware crash
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Normally firmware messages are printed with debugging enabled only. It's
+a good idea as firmware may print a lot of messages that normal users
+don't need to care about.
+
+However, on firmware crash, it may be very helpful to log all recent
+messages. There is almost always a backtrace available as well as rought
+info on the latest actions/state.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../broadcom/brcm80211/brcmfmac/pcie.c        | 24 ++++++++++++++-----
+ 1 file changed, 18 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+@@ -764,15 +764,22 @@ static void brcmf_pcie_bus_console_init(
+                 console->base_addr, console->buf_addr, console->bufsize);
+ }
+-
+-static void brcmf_pcie_bus_console_read(struct brcmf_pciedev_info *devinfo)
++/**
++ * brcmf_pcie_bus_console_read - reads firmware messages
++ *
++ * @error: specifies if error has occurred (prints messages unconditionally)
++ */
++static void brcmf_pcie_bus_console_read(struct brcmf_pciedev_info *devinfo,
++                                      bool error)
+ {
++      struct pci_dev *pdev = devinfo->pdev;
++      struct brcmf_bus *bus = dev_get_drvdata(&pdev->dev);
+       struct brcmf_pcie_console *console;
+       u32 addr;
+       u8 ch;
+       u32 newidx;
+-      if (!BRCMF_FWCON_ON())
++      if (!error && !BRCMF_FWCON_ON())
+               return;
+       console = &devinfo->shared.console;
+@@ -796,7 +803,10 @@ static void brcmf_pcie_bus_console_read(
+               }
+               if (ch == '\n') {
+                       console->log_str[console->log_idx] = 0;
+-                      pr_debug("CONSOLE: %s", console->log_str);
++                      if (error)
++                              brcmf_err(bus, "CONSOLE: %s", console->log_str);
++                      else
++                              pr_debug("CONSOLE: %s", console->log_str);
+                       console->log_idx = 0;
+               }
+       }
+@@ -857,7 +867,7 @@ static irqreturn_t brcmf_pcie_isr_thread
+                                                       &devinfo->pdev->dev);
+               }
+       }
+-      brcmf_pcie_bus_console_read(devinfo);
++      brcmf_pcie_bus_console_read(devinfo, false);
+       if (devinfo->state == BRCMFMAC_PCIE_STATE_UP)
+               brcmf_pcie_intr_enable(devinfo);
+       devinfo->in_irq = false;
+@@ -1426,6 +1436,8 @@ static int brcmf_pcie_reset(struct devic
+       struct brcmf_fw_request *fwreq;
+       int err;
++      brcmf_pcie_bus_console_read(devinfo, true);
++
+       brcmf_detach(dev);
+       brcmf_pcie_release_irq(devinfo);
+@@ -1818,7 +1830,7 @@ static void brcmf_pcie_setup(struct devi
+       if (brcmf_attach(&devinfo->pdev->dev, devinfo->settings) == 0)
+               return;
+-      brcmf_pcie_bus_console_read(devinfo);
++      brcmf_pcie_bus_console_read(devinfo, false);
+ fail:
+       device_release_driver(dev);
index f59102c..e738551 100644 (file)
@@ -13,7 +13,7 @@ Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
 
 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
 +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
-@@ -1406,6 +1406,7 @@ int __init brcmf_core_init(void)
+@@ -1434,6 +1434,7 @@ int __init brcmf_core_init(void)
  {
        if (!schedule_work(&brcmf_driver_work))
                return -EBUSY;
index 020594d..46eb0fe 100644 (file)
@@ -55,7 +55,7 @@ Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
  void brcmf_chip_detach(struct brcmf_chip *chip);
 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
 +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
-@@ -1727,6 +1727,12 @@ static void brcmf_pcie_setup(struct devi
+@@ -1779,6 +1779,12 @@ static void brcmf_pcie_setup(struct devi
        nvram_len = fwreq->items[BRCMF_PCIE_FW_NVRAM].nv_data.len;
        kfree(fwreq);