From 57102f6c0633e08c96c868fde69c5a095c5d1102 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Rafa=C5=82=20Mi=C5=82ecki?= Date: Thu, 16 Aug 2018 10:48:54 +0200 Subject: [PATCH] mac80211: brcmfmac: backport important changes from the 4.15 MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Two more patches that may be worth backporting in the future: fdd0bd88ceae brcmfmac: add CLM download support cc124d5cc8d8 brcmfmac: fix CLM load error for legacy chips when user helper is enabled Signed-off-by: Rafał Miłecki --- package/kernel/mac80211/Makefile | 2 +- ...ac-Avoid-possible-out-of-bounds-read.patch | 39 ++++++++++++ ...mac-handle-FWHALT-mailbox-indication.patch | 60 +++++++++++++++++++ ...er-Access-Point-Protocol-packets-by.patch} | 0 ...ac-add-support-for-BCM4366E-chipset.patch} | 0 5 files changed, 100 insertions(+), 1 deletion(-) create mode 100644 package/kernel/mac80211/patches/328-v4.15-0001-brcmfmac-Avoid-possible-out-of-bounds-read.patch create mode 100644 package/kernel/mac80211/patches/328-v4.15-0002-brcmfmac-handle-FWHALT-mailbox-indication.patch rename package/kernel/mac80211/patches/{328-v4.16-0001-brcmfmac-drop-Inter-Access-Point-Protocol-packets-by.patch => 329-v4.16-0002-brcmfmac-drop-Inter-Access-Point-Protocol-packets-by.patch} (100%) rename package/kernel/mac80211/patches/{329-brcmfmac-add-support-for-BCM4366E-chipset.patch => 330-v4.18-0001-brcmfmac-add-support-for-BCM4366E-chipset.patch} (100%) diff --git a/package/kernel/mac80211/Makefile b/package/kernel/mac80211/Makefile index 03354289ac..c3bbac1633 100644 --- a/package/kernel/mac80211/Makefile +++ b/package/kernel/mac80211/Makefile @@ -11,7 +11,7 @@ include $(INCLUDE_DIR)/kernel.mk PKG_NAME:=mac80211 PKG_VERSION:=2017-01-31 -PKG_RELEASE:=9 +PKG_RELEASE:=10 PKG_SOURCE_URL:=http://mirror2.openwrt.org/sources PKG_BACKPORT_VERSION:= PKG_HASH:=75e6d39e34cf156212a2509172a4a62b673b69eb4a1d9aaa565f7fa719fa2317 diff --git a/package/kernel/mac80211/patches/328-v4.15-0001-brcmfmac-Avoid-possible-out-of-bounds-read.patch b/package/kernel/mac80211/patches/328-v4.15-0001-brcmfmac-Avoid-possible-out-of-bounds-read.patch new file mode 100644 index 0000000000..f46c0abb61 --- /dev/null +++ b/package/kernel/mac80211/patches/328-v4.15-0001-brcmfmac-Avoid-possible-out-of-bounds-read.patch @@ -0,0 +1,39 @@ +From 73f2c8e933b1dcf432ac8c6965a6e67af630077f Mon Sep 17 00:00:00 2001 +From: Kevin Cernekee +Date: Sat, 16 Sep 2017 21:08:22 -0700 +Subject: [PATCH] brcmfmac: Avoid possible out-of-bounds read + +In brcmf_p2p_notify_rx_mgmt_p2p_probereq(), chanspec is assigned before +the length of rxframe is validated. This could lead to uninitialized +data being accessed (but not printed). Since we already have a +perfectly good endian-swapped copy of rxframe->chanspec in ch.chspec, +and ch.chspec is not modified by decchspec(), avoid the extra +assignment and use ch.chspec in the debug print. + +Suggested-by: Mattias Nissler +Signed-off-by: Kevin Cernekee +Reviewed-by: Arend van Spriel +Signed-off-by: Kalle Valo +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c +@@ -1853,7 +1853,6 @@ s32 brcmf_p2p_notify_rx_mgmt_p2p_probere + struct afx_hdl *afx_hdl = &p2p->afx_hdl; + struct brcmf_cfg80211_vif *vif = ifp->vif; + struct brcmf_rx_mgmt_data *rxframe = (struct brcmf_rx_mgmt_data *)data; +- u16 chanspec = be16_to_cpu(rxframe->chanspec); + struct brcmu_chan ch; + u8 *mgmt_frame; + u32 mgmt_frame_len; +@@ -1906,7 +1905,7 @@ s32 brcmf_p2p_notify_rx_mgmt_p2p_probere + cfg80211_rx_mgmt(&vif->wdev, freq, 0, mgmt_frame, mgmt_frame_len, 0); + + brcmf_dbg(INFO, "mgmt_frame_len (%d) , e->datalen (%d), chanspec (%04x), freq (%d)\n", +- mgmt_frame_len, e->datalen, chanspec, freq); ++ mgmt_frame_len, e->datalen, ch.chspec, freq); + + return 0; + } diff --git a/package/kernel/mac80211/patches/328-v4.15-0002-brcmfmac-handle-FWHALT-mailbox-indication.patch b/package/kernel/mac80211/patches/328-v4.15-0002-brcmfmac-handle-FWHALT-mailbox-indication.patch new file mode 100644 index 0000000000..4ca696fb48 --- /dev/null +++ b/package/kernel/mac80211/patches/328-v4.15-0002-brcmfmac-handle-FWHALT-mailbox-indication.patch @@ -0,0 +1,60 @@ +From 2fd3877b5bb7d39782c3205a1dcda02023b8514a Mon Sep 17 00:00:00 2001 +From: Arend Van Spriel +Date: Wed, 8 Nov 2017 14:36:31 +0100 +Subject: [PATCH] brcmfmac: handle FWHALT mailbox indication + +The firmware uses a mailbox to communicate to the host what is going +on. In the driver we validate the bit received. Various people seen +the following message: + + brcmfmac: brcmf_sdio_hostmail: Unknown mailbox data content: 0x40012 + +Bit 4 is cause of this message, but this actually indicates the firmware +has halted. Handle this bit by giving a more meaningful error message. + +Reviewed-by: Hante Meuleman +Reviewed-by: Pieter-Paul Giesberts +Reviewed-by: Franky Lin +Signed-off-by: Arend van Spriel +Signed-off-by: Kalle Valo +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c +@@ -259,10 +259,11 @@ struct rte_console { + #define I_HMB_HOST_INT I_HMB_SW3 /* Miscellaneous Interrupt */ + + /* tohostmailboxdata */ +-#define HMB_DATA_NAKHANDLED 1 /* retransmit NAK'd frame */ +-#define HMB_DATA_DEVREADY 2 /* talk to host after enable */ +-#define HMB_DATA_FC 4 /* per prio flowcontrol update flag */ +-#define HMB_DATA_FWREADY 8 /* fw ready for protocol activity */ ++#define HMB_DATA_NAKHANDLED 0x0001 /* retransmit NAK'd frame */ ++#define HMB_DATA_DEVREADY 0x0002 /* talk to host after enable */ ++#define HMB_DATA_FC 0x0004 /* per prio flowcontrol update flag */ ++#define HMB_DATA_FWREADY 0x0008 /* fw ready for protocol activity */ ++#define HMB_DATA_FWHALT 0x0010 /* firmware halted */ + + #define HMB_DATA_FCDATA_MASK 0xff000000 + #define HMB_DATA_FCDATA_SHIFT 24 +@@ -1093,6 +1094,10 @@ static u32 brcmf_sdio_hostmail(struct br + offsetof(struct sdpcmd_regs, tosbmailbox)); + bus->sdcnt.f1regdata += 2; + ++ /* dongle indicates the firmware has halted/crashed */ ++ if (hmb_data & HMB_DATA_FWHALT) ++ brcmf_err("mailbox indicates firmware halted\n"); ++ + /* Dongle recomposed rx frames, accept them again */ + if (hmb_data & HMB_DATA_NAKHANDLED) { + brcmf_dbg(SDIO, "Dongle reports NAK handled, expect rtx of %d\n", +@@ -1150,6 +1155,7 @@ static u32 brcmf_sdio_hostmail(struct br + HMB_DATA_NAKHANDLED | + HMB_DATA_FC | + HMB_DATA_FWREADY | ++ HMB_DATA_FWHALT | + HMB_DATA_FCDATA_MASK | HMB_DATA_VERSION_MASK)) + brcmf_err("Unknown mailbox data content: 0x%02x\n", + hmb_data); diff --git a/package/kernel/mac80211/patches/328-v4.16-0001-brcmfmac-drop-Inter-Access-Point-Protocol-packets-by.patch b/package/kernel/mac80211/patches/329-v4.16-0002-brcmfmac-drop-Inter-Access-Point-Protocol-packets-by.patch similarity index 100% rename from package/kernel/mac80211/patches/328-v4.16-0001-brcmfmac-drop-Inter-Access-Point-Protocol-packets-by.patch rename to package/kernel/mac80211/patches/329-v4.16-0002-brcmfmac-drop-Inter-Access-Point-Protocol-packets-by.patch diff --git a/package/kernel/mac80211/patches/329-brcmfmac-add-support-for-BCM4366E-chipset.patch b/package/kernel/mac80211/patches/330-v4.18-0001-brcmfmac-add-support-for-BCM4366E-chipset.patch similarity index 100% rename from package/kernel/mac80211/patches/329-brcmfmac-add-support-for-BCM4366E-chipset.patch rename to package/kernel/mac80211/patches/330-v4.18-0001-brcmfmac-add-support-for-BCM4366E-chipset.patch -- 2.30.2