diff options
Diffstat (limited to 'package/kernel/mac80211/patches')
-rw-r--r-- | package/kernel/mac80211/patches/328-v4.15-0001-brcmfmac-Avoid-possible-out-of-bounds-read.patch | 39 | ||||
-rw-r--r-- | package/kernel/mac80211/patches/328-v4.15-0002-brcmfmac-handle-FWHALT-mailbox-indication.patch | 60 | ||||
-rw-r--r-- | package/kernel/mac80211/patches/329-v4.16-0002-brcmfmac-drop-Inter-Access-Point-Protocol-packets-by.patch (renamed from package/kernel/mac80211/patches/328-v4.16-0001-brcmfmac-drop-Inter-Access-Point-Protocol-packets-by.patch) | 0 | ||||
-rw-r--r-- | package/kernel/mac80211/patches/330-v4.18-0001-brcmfmac-add-support-for-BCM4366E-chipset.patch (renamed from package/kernel/mac80211/patches/329-brcmfmac-add-support-for-BCM4366E-chipset.patch) | 0 |
4 files changed, 99 insertions, 0 deletions
diff --git a/package/kernel/mac80211/patches/328-v4.15-0001-brcmfmac-Avoid-possible-out-of-bounds-read.patch b/package/kernel/mac80211/patches/328-v4.15-0001-brcmfmac-Avoid-possible-out-of-bounds-read.patch new file mode 100644 index 0000000000..f46c0abb61 --- /dev/null +++ b/package/kernel/mac80211/patches/328-v4.15-0001-brcmfmac-Avoid-possible-out-of-bounds-read.patch @@ -0,0 +1,39 @@ +From 73f2c8e933b1dcf432ac8c6965a6e67af630077f Mon Sep 17 00:00:00 2001 +From: Kevin Cernekee <cernekee@chromium.org> +Date: Sat, 16 Sep 2017 21:08:22 -0700 +Subject: [PATCH] brcmfmac: Avoid possible out-of-bounds read + +In brcmf_p2p_notify_rx_mgmt_p2p_probereq(), chanspec is assigned before +the length of rxframe is validated. This could lead to uninitialized +data being accessed (but not printed). Since we already have a +perfectly good endian-swapped copy of rxframe->chanspec in ch.chspec, +and ch.chspec is not modified by decchspec(), avoid the extra +assignment and use ch.chspec in the debug print. + +Suggested-by: Mattias Nissler <mnissler@chromium.org> +Signed-off-by: Kevin Cernekee <cernekee@chromium.org> +Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com> +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c +@@ -1853,7 +1853,6 @@ s32 brcmf_p2p_notify_rx_mgmt_p2p_probere + struct afx_hdl *afx_hdl = &p2p->afx_hdl; + struct brcmf_cfg80211_vif *vif = ifp->vif; + struct brcmf_rx_mgmt_data *rxframe = (struct brcmf_rx_mgmt_data *)data; +- u16 chanspec = be16_to_cpu(rxframe->chanspec); + struct brcmu_chan ch; + u8 *mgmt_frame; + u32 mgmt_frame_len; +@@ -1906,7 +1905,7 @@ s32 brcmf_p2p_notify_rx_mgmt_p2p_probere + cfg80211_rx_mgmt(&vif->wdev, freq, 0, mgmt_frame, mgmt_frame_len, 0); + + brcmf_dbg(INFO, "mgmt_frame_len (%d) , e->datalen (%d), chanspec (%04x), freq (%d)\n", +- mgmt_frame_len, e->datalen, chanspec, freq); ++ mgmt_frame_len, e->datalen, ch.chspec, freq); + + return 0; + } diff --git a/package/kernel/mac80211/patches/328-v4.15-0002-brcmfmac-handle-FWHALT-mailbox-indication.patch b/package/kernel/mac80211/patches/328-v4.15-0002-brcmfmac-handle-FWHALT-mailbox-indication.patch new file mode 100644 index 0000000000..4ca696fb48 --- /dev/null +++ b/package/kernel/mac80211/patches/328-v4.15-0002-brcmfmac-handle-FWHALT-mailbox-indication.patch @@ -0,0 +1,60 @@ +From 2fd3877b5bb7d39782c3205a1dcda02023b8514a Mon Sep 17 00:00:00 2001 +From: Arend Van Spriel <arend.vanspriel@broadcom.com> +Date: Wed, 8 Nov 2017 14:36:31 +0100 +Subject: [PATCH] brcmfmac: handle FWHALT mailbox indication + +The firmware uses a mailbox to communicate to the host what is going +on. In the driver we validate the bit received. Various people seen +the following message: + + brcmfmac: brcmf_sdio_hostmail: Unknown mailbox data content: 0x40012 + +Bit 4 is cause of this message, but this actually indicates the firmware +has halted. Handle this bit by giving a more meaningful error message. + +Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com> +Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com> +Reviewed-by: Franky Lin <franky.lin@broadcom.com> +Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com> +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c +@@ -259,10 +259,11 @@ struct rte_console { + #define I_HMB_HOST_INT I_HMB_SW3 /* Miscellaneous Interrupt */ + + /* tohostmailboxdata */ +-#define HMB_DATA_NAKHANDLED 1 /* retransmit NAK'd frame */ +-#define HMB_DATA_DEVREADY 2 /* talk to host after enable */ +-#define HMB_DATA_FC 4 /* per prio flowcontrol update flag */ +-#define HMB_DATA_FWREADY 8 /* fw ready for protocol activity */ ++#define HMB_DATA_NAKHANDLED 0x0001 /* retransmit NAK'd frame */ ++#define HMB_DATA_DEVREADY 0x0002 /* talk to host after enable */ ++#define HMB_DATA_FC 0x0004 /* per prio flowcontrol update flag */ ++#define HMB_DATA_FWREADY 0x0008 /* fw ready for protocol activity */ ++#define HMB_DATA_FWHALT 0x0010 /* firmware halted */ + + #define HMB_DATA_FCDATA_MASK 0xff000000 + #define HMB_DATA_FCDATA_SHIFT 24 +@@ -1093,6 +1094,10 @@ static u32 brcmf_sdio_hostmail(struct br + offsetof(struct sdpcmd_regs, tosbmailbox)); + bus->sdcnt.f1regdata += 2; + ++ /* dongle indicates the firmware has halted/crashed */ ++ if (hmb_data & HMB_DATA_FWHALT) ++ brcmf_err("mailbox indicates firmware halted\n"); ++ + /* Dongle recomposed rx frames, accept them again */ + if (hmb_data & HMB_DATA_NAKHANDLED) { + brcmf_dbg(SDIO, "Dongle reports NAK handled, expect rtx of %d\n", +@@ -1150,6 +1155,7 @@ static u32 brcmf_sdio_hostmail(struct br + HMB_DATA_NAKHANDLED | + HMB_DATA_FC | + HMB_DATA_FWREADY | ++ HMB_DATA_FWHALT | + HMB_DATA_FCDATA_MASK | HMB_DATA_VERSION_MASK)) + brcmf_err("Unknown mailbox data content: 0x%02x\n", + hmb_data); diff --git a/package/kernel/mac80211/patches/328-v4.16-0001-brcmfmac-drop-Inter-Access-Point-Protocol-packets-by.patch b/package/kernel/mac80211/patches/329-v4.16-0002-brcmfmac-drop-Inter-Access-Point-Protocol-packets-by.patch index f05e23da05..f05e23da05 100644 --- a/package/kernel/mac80211/patches/328-v4.16-0001-brcmfmac-drop-Inter-Access-Point-Protocol-packets-by.patch +++ b/package/kernel/mac80211/patches/329-v4.16-0002-brcmfmac-drop-Inter-Access-Point-Protocol-packets-by.patch diff --git a/package/kernel/mac80211/patches/329-brcmfmac-add-support-for-BCM4366E-chipset.patch b/package/kernel/mac80211/patches/330-v4.18-0001-brcmfmac-add-support-for-BCM4366E-chipset.patch index ddbff07839..ddbff07839 100644 --- a/package/kernel/mac80211/patches/329-brcmfmac-add-support-for-BCM4366E-chipset.patch +++ b/package/kernel/mac80211/patches/330-v4.18-0001-brcmfmac-add-support-for-BCM4366E-chipset.patch |