From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <zajec5@gmail.com>
Date: Tue, 26 Jan 2016 17:57:01 +0100
Subject: [PATCH] brcmfmac: analyze descriptors of current component only
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

So far we were looking for address descriptors without a check for
crossing current component border. In case of dealing with unsupported
descriptor or descriptor missing at all the code would incorrectly get
data from another component.

Consider this binary-described component from BCM4366 EROM:
4bf83b01	TAG==CI		CID==0x83b
20080201	TAG==CI		PORTS==0+1	WRAPPERS==0+1
18400035	TAG==ADDR	SZ_SZD		TYPE_SLAVE
00050000
18107085	TAG==ADDR	SZ_4K		TYPE_SWRAP

Driver was assigning invalid base address to this core:
brcmfmac:  [6 ] core 0x83b:32 base 0x18109000 wrap 0x18107000
which came from totally different component defined in EROM:
43b36701	TAG==CI		CID==0x367
00000201	TAG==CI		PORTS==0+1	WRAPPERS==0+0
18109005	TAG==ADDR	SZ_4K		TYPE_SLAVE

This change will also allow us to support components without wrapper
address in the future.

Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
---

--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c
@@ -803,7 +803,14 @@ static int brcmf_chip_dmp_get_regaddr(st
 				*eromaddr -= 4;
 				return -EFAULT;
 			}
-		} while (desc != DMP_DESC_ADDRESS);
+		} while (desc != DMP_DESC_ADDRESS &&
+			 desc != DMP_DESC_COMPONENT);
+
+		/* stop if we crossed current component border */
+		if (desc == DMP_DESC_COMPONENT) {
+			*eromaddr -= 4;
+			return 0;
+		}
 
 		/* skip upper 32-bit address descriptor */
 		if (val & DMP_DESC_ADDRSIZE_GT32)