diff options
author | Rafał Miłecki <rafal@milecki.pl> | 2019-06-16 21:44:51 +0200 |
---|---|---|
committer | Rafał Miłecki <rafal@milecki.pl> | 2019-06-16 22:30:49 +0200 |
commit | af50ce32c5ce41a357b3423d098a40360bfed25e (patch) | |
tree | 91c4bcfaa27ea2b5196d8f9841791e53d6061991 | |
parent | d92713d2cfd64fda16a0545b529c8c291300a5f6 (diff) | |
download | upstream-af50ce32c5ce41a357b3423d098a40360bfed25e.tar.gz upstream-af50ce32c5ce41a357b3423d098a40360bfed25e.tar.bz2 upstream-af50ce32c5ce41a357b3423d098a40360bfed25e.zip |
mac80211: brcmfmac: backport important fixes from kernel 5.2
1) Crash/Oops fixes
2) One-line patch for BCM43456 support
3) Fix communication with some specific FullMAC firmwares
4) Potential fix for "Invalid packet id" errors
5) Important helper for reporting FullMAC firmware crashes
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 2cd234d96bd772119363a77a35bffa6a4931613e)
9 files changed, 423 insertions, 2 deletions
diff --git a/package/kernel/mac80211/patches/343-v5.2-brcmfmac-fix-Oops-when-bringing-up-interface-during-.patch b/package/kernel/mac80211/patches/343-v5.2-brcmfmac-fix-Oops-when-bringing-up-interface-during-.patch new file mode 100644 index 0000000000..4e8f728ad7 --- /dev/null +++ b/package/kernel/mac80211/patches/343-v5.2-brcmfmac-fix-Oops-when-bringing-up-interface-during-.patch @@ -0,0 +1,123 @@ +From 24d413a31afaee9bbbf79226052c386b01780ce2 Mon Sep 17 00:00:00 2001 +From: Piotr Figiel <p.figiel@camlintechnologies.com> +Date: Wed, 13 Mar 2019 09:52:01 +0000 +Subject: [PATCH] brcmfmac: fix Oops when bringing up interface during USB + disconnect + +Fix a race which leads to an Oops with NULL pointer dereference. The +dereference is in brcmf_config_dongle() when cfg_to_ndev() attempts to get +net_device structure of interface with index 0 via if2bss mapping. This +shouldn't fail because of check for bus being ready in brcmf_netdev_open(), +but it's not synchronised with USB disconnect and there is a race: after +the check the bus can be marked down and the mapping for interface 0 may be +gone. + +Solve this by modifying disconnect handling so that the removal of mapping +of ifidx to brcmf_if structure happens after netdev removal (which is +synchronous with brcmf_netdev_open() thanks to rtln being locked in +devinet_ioctl()). This assures brcmf_netdev_open() returns before the +mapping is removed during disconnect. + +Unable to handle kernel NULL pointer dereference at virtual address 00000008 +pgd = bcae2612 +[00000008] *pgd=8be73831 +Internal error: Oops: 17 [#1] PREEMPT SMP ARM +Modules linked in: brcmfmac brcmutil nf_log_ipv4 nf_log_common xt_LOG xt_limit +iptable_mangle xt_connmark xt_tcpudp xt_conntrack nf_conntrack nf_defrag_ipv6 +nf_defrag_ipv4 iptable_filter ip_tables x_tables usb_f_mass_storage usb_f_rndis +u_ether usb_serial_simple usbserial cdc_acm smsc95xx usbnet ci_hdrc_imx ci_hdrc +usbmisc_imx ulpi 8250_exar 8250_pci 8250 8250_base libcomposite configfs +udc_core [last unloaded: brcmutil] +CPU: 2 PID: 24478 Comm: ifconfig Not tainted 4.19.23-00078-ga62866d-dirty #115 +Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree) +PC is at brcmf_cfg80211_up+0x94/0x29c [brcmfmac] +LR is at brcmf_cfg80211_up+0x8c/0x29c [brcmfmac] +pc : [<7f26a91c>] lr : [<7f26a914>] psr: a0070013 +sp : eca99d28 ip : 00000000 fp : ee9c6c00 +r10: 00000036 r9 : 00000000 r8 : ece4002c +r7 : edb5b800 r6 : 00000000 r5 : 80f08448 r4 : edb5b968 +r3 : ffffffff r2 : 00000000 r1 : 00000002 r0 : 00000000 +Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none +Control: 10c5387d Table: 7ca0c04a DAC: 00000051 +Process ifconfig (pid: 24478, stack limit = 0xd9e85a0e) +Stack: (0xeca99d28 to 0xeca9a000) +9d20: 00000000 80f873b0 0000000d 80f08448 eca99d68 50d45f32 +9d40: 7f27de94 ece40000 80f08448 80f08448 7f27de94 ece4002c 00000000 00000036 +9d60: ee9c6c00 7f27262c 00001002 50d45f32 ece40000 00000000 80f08448 80772008 +9d80: 00000001 00001043 00001002 ece40000 00000000 50d45f32 ece40000 00000001 +9da0: 80f08448 00001043 00001002 807723d0 00000000 50d45f32 80f08448 eca99e58 +9dc0: 80f87113 50d45f32 80f08448 ece40000 ece40138 00001002 80f08448 00000000 +9de0: 00000000 80772434 edbd5380 eca99e58 edbd5380 80f08448 ee9c6c0c 80805f70 +9e00: 00000000 ede08e00 00008914 ece40000 00000014 ee9c6c0c 600c0013 00001043 +9e20: 0208a8c0 ffffffff 00000000 50d45f32 eca98000 80f08448 7ee9fc38 00008914 +9e40: 80f68e40 00000051 eca98000 00000036 00000003 80808b9c 6e616c77 00000030 +9e60: 00000000 00000000 00001043 0208a8c0 ffffffff 00000000 80f08448 00000000 +9e80: 00000000 816d8b20 600c0013 00000001 ede09320 801763d4 00000000 50d45f32 +9ea0: eca98000 80f08448 7ee9fc38 50d45f32 00008914 80f08448 7ee9fc38 80f68e40 +9ec0: ed531540 8074721c 00000800 00000001 00000000 6e616c77 00000030 00000000 +9ee0: 00000000 00001002 0208a8c0 ffffffff 00000000 50d45f32 80f08448 7ee9fc38 +9f00: ed531560 ec8fc900 80285a6c 80285138 edb910c0 00000000 ecd91008 ede08e00 +9f20: 80f08448 00000000 00000000 816d8b20 600c0013 00000001 ede09320 801763d4 +9f40: 00000000 50d45f32 00021000 edb91118 edb910c0 80f08448 01b29000 edb91118 +9f60: eca99f7c 50d45f32 00021000 ec8fc900 00000003 ec8fc900 00008914 7ee9fc38 +9f80: eca98000 00000036 00000003 80285a6c 00086364 7ee9fe1c 000000c3 00000036 +9fa0: 801011c4 80101000 00086364 7ee9fe1c 00000003 00008914 7ee9fc38 00086364 +9fc0: 00086364 7ee9fe1c 000000c3 00000036 0008630c 7ee9fe1c 7ee9fc38 00000003 +9fe0: 000a42b8 7ee9fbd4 00019914 76e09acc 600c0010 00000003 00000000 00000000 +[<7f26a91c>] (brcmf_cfg80211_up [brcmfmac]) from [<7f27262c>] (brcmf_netdev_open+0x74/0xe8 [brcmfmac]) +[<7f27262c>] (brcmf_netdev_open [brcmfmac]) from [<80772008>] (__dev_open+0xcc/0x150) +[<80772008>] (__dev_open) from [<807723d0>] (__dev_change_flags+0x168/0x1b4) +[<807723d0>] (__dev_change_flags) from [<80772434>] (dev_change_flags+0x18/0x48) +[<80772434>] (dev_change_flags) from [<80805f70>] (devinet_ioctl+0x67c/0x79c) +[<80805f70>] (devinet_ioctl) from [<80808b9c>] (inet_ioctl+0x210/0x3d4) +[<80808b9c>] (inet_ioctl) from [<8074721c>] (sock_ioctl+0x350/0x524) +[<8074721c>] (sock_ioctl) from [<80285138>] (do_vfs_ioctl+0xb0/0x9b0) +[<80285138>] (do_vfs_ioctl) from [<80285a6c>] (ksys_ioctl+0x34/0x5c) +[<80285a6c>] (ksys_ioctl) from [<80101000>] (ret_fast_syscall+0x0/0x28) +Exception stack(0xeca99fa8 to 0xeca99ff0) +9fa0: 00086364 7ee9fe1c 00000003 00008914 7ee9fc38 00086364 +9fc0: 00086364 7ee9fe1c 000000c3 00000036 0008630c 7ee9fe1c 7ee9fc38 00000003 +9fe0: 000a42b8 7ee9fbd4 00019914 76e09acc +Code: e5970328 eb002021 e1a02006 e3a01002 (e5909008) +---[ end trace 5cbac2333f3ac5df ]--- + +Signed-off-by: Piotr Figiel <p.figiel@camlintechnologies.com> +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> +--- + .../net/wireless/broadcom/brcm80211/brcmfmac/core.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c +@@ -838,17 +838,17 @@ static void brcmf_del_if(struct brcmf_pu + bool rtnl_locked) + { + struct brcmf_if *ifp; ++ int ifidx; + + ifp = drvr->iflist[bsscfgidx]; +- drvr->iflist[bsscfgidx] = NULL; + if (!ifp) { + bphy_err(drvr, "Null interface, bsscfgidx=%d\n", bsscfgidx); + return; + } + brcmf_dbg(TRACE, "Enter, bsscfgidx=%d, ifidx=%d\n", bsscfgidx, + ifp->ifidx); +- if (drvr->if2bss[ifp->ifidx] == bsscfgidx) +- drvr->if2bss[ifp->ifidx] = BRCMF_BSSIDX_INVALID; ++ ifidx = ifp->ifidx; ++ + if (ifp->ndev) { + if (bsscfgidx == 0) { + if (ifp->ndev->netdev_ops == &brcmf_netdev_ops_pri) { +@@ -876,6 +876,10 @@ static void brcmf_del_if(struct brcmf_pu + brcmf_p2p_ifp_removed(ifp, rtnl_locked); + kfree(ifp); + } ++ ++ drvr->iflist[bsscfgidx] = NULL; ++ if (drvr->if2bss[ifidx] == bsscfgidx) ++ drvr->if2bss[ifidx] = BRCMF_BSSIDX_INVALID; + } + + void brcmf_remove_interface(struct brcmf_if *ifp, bool rtnl_locked) diff --git a/package/kernel/mac80211/patches/344-v5.2-brcmfmac-fix-missing-checks-for-kmemdup.patch b/package/kernel/mac80211/patches/344-v5.2-brcmfmac-fix-missing-checks-for-kmemdup.patch new file mode 100644 index 0000000000..00759d1118 --- /dev/null +++ b/package/kernel/mac80211/patches/344-v5.2-brcmfmac-fix-missing-checks-for-kmemdup.patch @@ -0,0 +1,35 @@ +From 46953f97224d56a12ccbe9c6acaa84ca0dab2780 Mon Sep 17 00:00:00 2001 +From: Kangjie Lu <kjlu@umn.edu> +Date: Fri, 15 Mar 2019 12:04:32 -0500 +Subject: [PATCH] brcmfmac: fix missing checks for kmemdup + +In case kmemdup fails, the fix sets conn_info->req_ie_len and +conn_info->resp_ie_len to zero to avoid buffer overflows. + +Signed-off-by: Kangjie Lu <kjlu@umn.edu> +Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com> +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +@@ -5436,6 +5436,8 @@ static s32 brcmf_get_assoc_ies(struct br + conn_info->req_ie = + kmemdup(cfg->extra_buf, conn_info->req_ie_len, + GFP_KERNEL); ++ if (!conn_info->req_ie) ++ conn_info->req_ie_len = 0; + } else { + conn_info->req_ie_len = 0; + conn_info->req_ie = NULL; +@@ -5452,6 +5454,8 @@ static s32 brcmf_get_assoc_ies(struct br + conn_info->resp_ie = + kmemdup(cfg->extra_buf, conn_info->resp_ie_len, + GFP_KERNEL); ++ if (!conn_info->resp_ie) ++ conn_info->resp_ie_len = 0; + } else { + conn_info->resp_ie_len = 0; + conn_info->resp_ie = NULL; diff --git a/package/kernel/mac80211/patches/345-v5.2-brcmfmac-Loading-the-correct-firmware-for-brcm43456.patch b/package/kernel/mac80211/patches/345-v5.2-brcmfmac-Loading-the-correct-firmware-for-brcm43456.patch new file mode 100644 index 0000000000..4183f977cd --- /dev/null +++ b/package/kernel/mac80211/patches/345-v5.2-brcmfmac-Loading-the-correct-firmware-for-brcm43456.patch @@ -0,0 +1,35 @@ +From e3062e05e1cfe378bb9b3fa0bef46711372bcf13 Mon Sep 17 00:00:00 2001 +From: Ondrej Jirman <megous@megous.com> +Date: Sat, 6 Apr 2019 01:45:13 +0200 +Subject: [PATCH] brcmfmac: Loading the correct firmware for brcm43456 + +SDIO based brcm43456 is currently misdetected as brcm43455 and the wrong +firmware name is used. Correct the detection and load the correct +firmware file. Chiprev for brcm43456 is "9". + +Signed-off-by: Ondrej Jirman <megous@megous.com> +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c +@@ -616,6 +616,7 @@ BRCMF_FW_NVRAM_DEF(43430A0, "brcmfmac434 + /* Note the names are not postfixed with a1 for backward compatibility */ + BRCMF_FW_NVRAM_DEF(43430A1, "brcmfmac43430-sdio.bin", "brcmfmac43430-sdio.txt"); + BRCMF_FW_NVRAM_DEF(43455, "brcmfmac43455-sdio.bin", "brcmfmac43455-sdio.txt"); ++BRCMF_FW_NVRAM_DEF(43456, "brcmfmac43456-sdio.bin", "brcmfmac43456-sdio.txt"); + BRCMF_FW_NVRAM_DEF(4354, "brcmfmac4354-sdio.bin", "brcmfmac4354-sdio.txt"); + BRCMF_FW_NVRAM_DEF(4356, "brcmfmac4356-sdio.bin", "brcmfmac4356-sdio.txt"); + BRCMF_FW_NVRAM_DEF(4373, "brcmfmac4373-sdio.bin", "brcmfmac4373-sdio.txt"); +@@ -635,7 +636,8 @@ static struct brcmf_firmware_mapping brc + BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4339_CHIP_ID, 0xFFFFFFFF, 4339), + BRCMF_FW_NVRAM_ENTRY(BRCM_CC_43430_CHIP_ID, 0x00000001, 43430A0), + BRCMF_FW_NVRAM_ENTRY(BRCM_CC_43430_CHIP_ID, 0xFFFFFFFE, 43430A1), +- BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4345_CHIP_ID, 0xFFFFFFC0, 43455), ++ BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4345_CHIP_ID, 0x00000200, 43456), ++ BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4345_CHIP_ID, 0xFFFFFDC0, 43455), + BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4354_CHIP_ID, 0xFFFFFFFF, 4354), + BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4356_CHIP_ID, 0xFFFFFFFF, 4356), + BRCMF_FW_NVRAM_ENTRY(CY_CC_4373_CHIP_ID, 0xFFFFFFFF, 4373) diff --git a/package/kernel/mac80211/patches/346-v5.2-brcmfmac-send-mailbox-interrupt-twice-for-specific-h.patch b/package/kernel/mac80211/patches/346-v5.2-brcmfmac-send-mailbox-interrupt-twice-for-specific-h.patch new file mode 100644 index 0000000000..180c62079a --- /dev/null +++ b/package/kernel/mac80211/patches/346-v5.2-brcmfmac-send-mailbox-interrupt-twice-for-specific-h.patch @@ -0,0 +1,39 @@ +From 9ef77fbedad9ea8895cd5d7fb7aee16071f527dc Mon Sep 17 00:00:00 2001 +From: Wright Feng <Wright.Feng@cypress.com> +Date: Fri, 26 Apr 2019 03:12:32 +0000 +Subject: [PATCH] brcmfmac: send mailbox interrupt twice for specific hardware + device + +For PCIE wireless device with core revision less than 14, device may miss +PCIE to System Backplane Interrupt via PCIEtoSBMailbox. So add sending +mail box interrupt twice as a hardware workaround. + +Signed-off-by: Wright Feng <wright.feng@cypress.com> +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c +@@ -671,6 +671,7 @@ static int + brcmf_pcie_send_mb_data(struct brcmf_pciedev_info *devinfo, u32 htod_mb_data) + { + struct brcmf_pcie_shared_info *shared; ++ struct brcmf_core *core; + u32 addr; + u32 cur_htod_mb_data; + u32 i; +@@ -694,7 +695,11 @@ brcmf_pcie_send_mb_data(struct brcmf_pci + + brcmf_pcie_write_tcm32(devinfo, addr, htod_mb_data); + pci_write_config_dword(devinfo->pdev, BRCMF_PCIE_REG_SBMBX, 1); +- pci_write_config_dword(devinfo->pdev, BRCMF_PCIE_REG_SBMBX, 1); ++ ++ /* Send mailbox interrupt twice as a hardware workaround */ ++ core = brcmf_chip_get_core(devinfo->ci, BCMA_CORE_PCIE2); ++ if (core->rev <= 13) ++ pci_write_config_dword(devinfo->pdev, BRCMF_PCIE_REG_SBMBX, 1); + + return 0; + } diff --git a/package/kernel/mac80211/patches/347-v5.2-brcm80211-potential-NULL-dereference-in-brcmf_cfg802.patch b/package/kernel/mac80211/patches/347-v5.2-brcm80211-potential-NULL-dereference-in-brcmf_cfg802.patch new file mode 100644 index 0000000000..b4d56c34bc --- /dev/null +++ b/package/kernel/mac80211/patches/347-v5.2-brcm80211-potential-NULL-dereference-in-brcmf_cfg802.patch @@ -0,0 +1,50 @@ +From e025da3d7aa4770bb1d1b3b0aa7cc4da1744852d Mon Sep 17 00:00:00 2001 +From: Dan Carpenter <dan.carpenter@oracle.com> +Date: Wed, 24 Apr 2019 12:52:18 +0300 +Subject: [PATCH] brcm80211: potential NULL dereference in + brcmf_cfg80211_vndr_cmds_dcmd_handler() + +If "ret_len" is negative then it could lead to a NULL dereference. + +The "ret_len" value comes from nl80211_vendor_cmd(), if it's negative +then we don't allocate the "dcmd_buf" buffer. Then we pass "ret_len" to +brcmf_fil_cmd_data_set() where it is cast to a very high u32 value. +Most of the functions in that call tree check whether the buffer we pass +is NULL but there are at least a couple places which don't such as +brcmf_dbg_hex_dump() and brcmf_msgbuf_query_dcmd(). We memcpy() to and +from the buffer so it would result in a NULL dereference. + +The fix is to change the types so that "ret_len" can't be negative. (If +we memcpy() zero bytes to NULL, that's a no-op and doesn't cause an +issue). + +Fixes: 1bacb0487d0e ("brcmfmac: replace cfg80211 testmode with vendor command") +Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/vendor.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/vendor.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/vendor.c +@@ -35,9 +35,10 @@ static int brcmf_cfg80211_vndr_cmds_dcmd + struct brcmf_if *ifp; + const struct brcmf_vndr_dcmd_hdr *cmdhdr = data; + struct sk_buff *reply; +- int ret, payload, ret_len; ++ unsigned int payload, ret_len; + void *dcmd_buf = NULL, *wr_pointer; + u16 msglen, maxmsglen = PAGE_SIZE - 0x100; ++ int ret; + + if (len < sizeof(*cmdhdr)) { + brcmf_err("vendor command too short: %d\n", len); +@@ -65,7 +66,7 @@ static int brcmf_cfg80211_vndr_cmds_dcmd + brcmf_err("oversize return buffer %d\n", ret_len); + ret_len = BRCMF_DCMD_MAXLEN; + } +- payload = max(ret_len, len) + 1; ++ payload = max_t(unsigned int, ret_len, len) + 1; + dcmd_buf = vzalloc(payload); + if (NULL == dcmd_buf) + return -ENOMEM; diff --git a/package/kernel/mac80211/patches/348-v5.2-brcmfmac-set-txflow-request-id-from-1-to-pktids-arra.patch b/package/kernel/mac80211/patches/348-v5.2-brcmfmac-set-txflow-request-id-from-1-to-pktids-arra.patch new file mode 100644 index 0000000000..ee4521ff71 --- /dev/null +++ b/package/kernel/mac80211/patches/348-v5.2-brcmfmac-set-txflow-request-id-from-1-to-pktids-arra.patch @@ -0,0 +1,49 @@ +From 2d91c8ad068a5cad4d9e7ece8dc811a697c7176a Mon Sep 17 00:00:00 2001 +From: Wright Feng <Wright.Feng@cypress.com> +Date: Fri, 26 Apr 2019 03:41:46 +0000 +Subject: [PATCH] brcmfmac: set txflow request id from 1 to pktids array size + +Some PCIE firmwares drop txstatus if pktid is 0 and make packet held in +host side and never be released. If that packet type is 802.1x, the +pend_8021x_cnt value will be always greater than 0 and show "Timed out +waiting for no pending 802.1x packets" error message when sending key to +dongle every time. + +To be compatible with all firmwares, host should set txflow request id +from 1 instead of from 0. + +Signed-off-by: Wright Feng <wright.feng@cypress.com> +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c +@@ -375,7 +375,7 @@ brcmf_msgbuf_get_pktid(struct device *de + struct brcmf_msgbuf_pktid *pktid; + struct sk_buff *skb; + +- if (idx >= pktids->array_size) { ++ if (idx < 0 || idx >= pktids->array_size) { + brcmf_err("Invalid packet id %d (max %d)\n", idx, + pktids->array_size); + return NULL; +@@ -745,7 +745,7 @@ static void brcmf_msgbuf_txflow(struct b + tx_msghdr = (struct msgbuf_tx_msghdr *)ret_ptr; + + tx_msghdr->msg.msgtype = MSGBUF_TYPE_TX_POST; +- tx_msghdr->msg.request_id = cpu_to_le32(pktid); ++ tx_msghdr->msg.request_id = cpu_to_le32(pktid + 1); + tx_msghdr->msg.ifidx = brcmf_flowring_ifidx_get(flow, flowid); + tx_msghdr->flags = BRCMF_MSGBUF_PKT_FLAGS_FRAME_802_3; + tx_msghdr->flags |= (skb->priority & 0x07) << +@@ -882,7 +882,7 @@ brcmf_msgbuf_process_txstatus(struct brc + u16 flowid; + + tx_status = (struct msgbuf_tx_status *)buf; +- idx = le32_to_cpu(tx_status->msg.request_id); ++ idx = le32_to_cpu(tx_status->msg.request_id) - 1; + flowid = le16_to_cpu(tx_status->compl_hdr.flow_ring_id); + flowid -= BRCMF_H2D_MSGRING_FLOWRING_IDSTART; + skb = brcmf_msgbuf_get_pktid(msgbuf->drvr->bus_if->dev, diff --git a/package/kernel/mac80211/patches/349-v5.2-brcmfmac-print-firmware-messages-after-a-firmware-cr.patch b/package/kernel/mac80211/patches/349-v5.2-brcmfmac-print-firmware-messages-after-a-firmware-cr.patch new file mode 100644 index 0000000000..e8312fa31e --- /dev/null +++ b/package/kernel/mac80211/patches/349-v5.2-brcmfmac-print-firmware-messages-after-a-firmware-cr.patch @@ -0,0 +1,90 @@ +From 47dd82e3d25e85a7c7c4e4b0eac9d297d1e5e2d4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl> +Date: Sun, 28 Apr 2019 23:38:26 +0200 +Subject: [PATCH] brcmfmac: print firmware messages after a firmware crash +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Normally firmware messages are printed with debugging enabled only. It's +a good idea as firmware may print a lot of messages that normal users +don't need to care about. + +However, on firmware crash, it may be very helpful to log all recent +messages. There is almost always a backtrace available as well as rought +info on the latest actions/state. + +Signed-off-by: Rafał Miłecki <rafal@milecki.pl> +Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com> +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> +--- + .../broadcom/brcm80211/brcmfmac/pcie.c | 24 ++++++++++++++----- + 1 file changed, 18 insertions(+), 6 deletions(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c +@@ -760,15 +760,22 @@ static void brcmf_pcie_bus_console_init( + console->base_addr, console->buf_addr, console->bufsize); + } + +- +-static void brcmf_pcie_bus_console_read(struct brcmf_pciedev_info *devinfo) ++/** ++ * brcmf_pcie_bus_console_read - reads firmware messages ++ * ++ * @error: specifies if error has occurred (prints messages unconditionally) ++ */ ++static void brcmf_pcie_bus_console_read(struct brcmf_pciedev_info *devinfo, ++ bool error) + { ++ struct pci_dev *pdev = devinfo->pdev; ++ struct brcmf_bus *bus = dev_get_drvdata(&pdev->dev); + struct brcmf_pcie_console *console; + u32 addr; + u8 ch; + u32 newidx; + +- if (!BRCMF_FWCON_ON()) ++ if (!error && !BRCMF_FWCON_ON()) + return; + + console = &devinfo->shared.console; +@@ -792,7 +799,10 @@ static void brcmf_pcie_bus_console_read( + } + if (ch == '\n') { + console->log_str[console->log_idx] = 0; +- pr_debug("CONSOLE: %s", console->log_str); ++ if (error) ++ brcmf_err(bus, "CONSOLE: %s", console->log_str); ++ else ++ pr_debug("CONSOLE: %s", console->log_str); + console->log_idx = 0; + } + } +@@ -847,7 +857,7 @@ static irqreturn_t brcmf_pcie_isr_thread + &devinfo->pdev->dev); + } + } +- brcmf_pcie_bus_console_read(devinfo); ++ brcmf_pcie_bus_console_read(devinfo, false); + if (devinfo->state == BRCMFMAC_PCIE_STATE_UP) + brcmf_pcie_intr_enable(devinfo); + devinfo->in_irq = false; +@@ -1398,6 +1408,8 @@ static int brcmf_pcie_reset(struct devic + u16 bus_nr; + int err; + ++ brcmf_pcie_bus_console_read(devinfo, true); ++ + brcmf_detach(dev); + + brcmf_pcie_release_irq(devinfo); +@@ -1799,7 +1811,7 @@ static void brcmf_pcie_setup(struct devi + if (brcmf_pcie_attach_bus(devinfo) == 0) + return; + +- brcmf_pcie_bus_console_read(devinfo); ++ brcmf_pcie_bus_console_read(devinfo, false); + + fail: + device_release_driver(dev); diff --git a/package/kernel/mac80211/patches/860-brcmfmac-register-wiphy-s-during-module_init.patch b/package/kernel/mac80211/patches/860-brcmfmac-register-wiphy-s-during-module_init.patch index e8e2afff7b..a2e36a0b08 100644 --- a/package/kernel/mac80211/patches/860-brcmfmac-register-wiphy-s-during-module_init.patch +++ b/package/kernel/mac80211/patches/860-brcmfmac-register-wiphy-s-during-module_init.patch @@ -13,7 +13,7 @@ Signed-off-by: Rafał Miłecki <zajec5@gmail.com> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c -@@ -1385,6 +1385,7 @@ int __init brcmf_core_init(void) +@@ -1411,6 +1411,7 @@ int __init brcmf_core_init(void) { if (!schedule_work(&brcmf_driver_work)) return -EBUSY; diff --git a/package/kernel/mac80211/patches/865-brcmfmac-get-RAM-info-right-before-downloading-PCIe-.patch b/package/kernel/mac80211/patches/865-brcmfmac-get-RAM-info-right-before-downloading-PCIe-.patch index 6fabad6f18..17a9168bed 100644 --- a/package/kernel/mac80211/patches/865-brcmfmac-get-RAM-info-right-before-downloading-PCIe-.patch +++ b/package/kernel/mac80211/patches/865-brcmfmac-get-RAM-info-right-before-downloading-PCIe-.patch @@ -55,7 +55,7 @@ Signed-off-by: Rafał Miłecki <rafal@milecki.pl> void brcmf_chip_detach(struct brcmf_chip *chip); --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c -@@ -1702,6 +1702,12 @@ static void brcmf_pcie_setup(struct devi +@@ -1761,6 +1761,12 @@ static void brcmf_pcie_setup(struct devi brcmf_pcie_attach(devinfo); |