From 6805e44004b7e310743a638ce826010744ad9ff6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= Date: Thu, 16 Aug 2018 10:29:56 +0200 Subject: mac80211: brcmfmac: backport important changes from the 4.14 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Rafał Miłecki --- package/kernel/mac80211/Makefile | 2 +- ...d-length-check-in-brcmf_cfg80211_escan_ha.patch | 63 ---------- ...-Add-support-for-CYW4373-SDIO-USB-chipset.patch | 139 +++++++++++++++++++++ ...x-wrong-num_different_channels-when-mchan.patch | 47 +++++++ ...14-0003-brcmfmac-Log-chip-id-and-revision.patch | 27 ++++ ...d-length-check-in-brcmf_cfg80211_escan_ha.patch | 63 ++++++++++ ...rcmfmac-Add-check-for-short-event-packets.patch | 32 +++++ ...brcmfmac-add-support-for-BCM4366E-chipset.patch | 8 +- 8 files changed, 313 insertions(+), 68 deletions(-) delete mode 100644 package/kernel/mac80211/patches/326-brcmfmac-add-length-check-in-brcmf_cfg80211_escan_ha.patch create mode 100644 package/kernel/mac80211/patches/326-v4.14-0001-brcmfmac-Add-support-for-CYW4373-SDIO-USB-chipset.patch create mode 100644 package/kernel/mac80211/patches/326-v4.14-0002-brcmfmac-fix-wrong-num_different_channels-when-mchan.patch create mode 100644 package/kernel/mac80211/patches/326-v4.14-0003-brcmfmac-Log-chip-id-and-revision.patch create mode 100644 package/kernel/mac80211/patches/326-v4.14-0004-brcmfmac-add-length-check-in-brcmf_cfg80211_escan_ha.patch create mode 100644 package/kernel/mac80211/patches/326-v4.14-0005-brcmfmac-Add-check-for-short-event-packets.patch diff --git a/package/kernel/mac80211/Makefile b/package/kernel/mac80211/Makefile index 5a9cff60b5..03354289ac 100644 --- a/package/kernel/mac80211/Makefile +++ b/package/kernel/mac80211/Makefile 
@@ -11,7 +11,7 @@ include $(INCLUDE_DIR)/kernel.mk PKG_NAME:=mac80211 PKG_VERSION:=2017-01-31 -PKG_RELEASE:=8 +PKG_RELEASE:=9 PKG_SOURCE_URL:=http://mirror2.openwrt.org/sources PKG_BACKPORT_VERSION:= PKG_HASH:=75e6d39e34cf156212a2509172a4a62b673b69eb4a1d9aaa565f7fa719fa2317 diff --git a/package/kernel/mac80211/patches/326-brcmfmac-add-length-check-in-brcmf_cfg80211_escan_ha.patch b/package/kernel/mac80211/patches/326-brcmfmac-add-length-check-in-brcmf_cfg80211_escan_ha.patch deleted file mode 100644 index 2b16fa44f7..0000000000 --- a/package/kernel/mac80211/patches/326-brcmfmac-add-length-check-in-brcmf_cfg80211_escan_ha.patch +++ /dev/null 
@@ -1,63 +0,0 @@ -From: Arend Van Spriel -Date: Tue, 12 Sep 2017 10:47:53 +0200 -Subject: [PATCH] brcmfmac: add length check in brcmf_cfg80211_escan_handler() - -Upon handling the firmware notification for scans the length was -checked properly and may result in corrupting kernel heap memory -due to buffer overruns. This fix addresses CVE-2017-0786. - -Cc: stable@vger.kernel.org # v4.0.x -Cc: Kevin Cernekee -Reviewed-by: Hante Meuleman -Reviewed-by: Pieter-Paul Giesberts -Reviewed-by: Franky Lin -Signed-off-by: Arend van Spriel -Signed-off-by: Kalle Valo ---- - ---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c -+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c -@@ -3088,6 +3088,7 @@ brcmf_cfg80211_escan_handler(struct brcm - struct brcmf_cfg80211_info *cfg = ifp->drvr->config; - s32 status; - struct brcmf_escan_result_le *escan_result_le; -+ u32 escan_buflen; - struct brcmf_bss_info_le *bss_info_le; - struct brcmf_bss_info_le *bss = NULL; - u32 bi_length; -@@ -3107,11 +3108,23 @@ brcmf_cfg80211_escan_handler(struct brcm - - if (status == BRCMF_E_STATUS_PARTIAL) { - brcmf_dbg(SCAN, "ESCAN Partial result\n"); -+ if (e->datalen < sizeof(*escan_result_le)) { -+ brcmf_err("invalid event data length\n"); -+ goto exit; -+ } - escan_result_le = (struct brcmf_escan_result_le *) data; - if (!escan_result_le) { - brcmf_err("Invalid escan result (NULL pointer)\n"); - goto exit; - } -+ escan_buflen = le32_to_cpu(escan_result_le->buflen); -+ if (escan_buflen > BRCMF_ESCAN_BUF_SIZE || -+ escan_buflen > e->datalen || -+ escan_buflen < sizeof(*escan_result_le)) { -+ brcmf_err("Invalid escan buffer length: %d\n", -+ escan_buflen); -+ goto exit; -+ } - if (le16_to_cpu(escan_result_le->bss_count) != 1) { - brcmf_err("Invalid bss_count %d: ignoring\n", - escan_result_le->bss_count); -@@ -3128,9 +3141,8 @@ brcmf_cfg80211_escan_handler(struct brcm - } - - bi_length = le32_to_cpu(bss_info_le->length); -- if (bi_length != 
(le32_to_cpu(escan_result_le->buflen) - -- WL_ESCAN_RESULTS_FIXED_SIZE)) { -- brcmf_err("Invalid bss_info length %d: ignoring\n", -+ if (bi_length != escan_buflen - WL_ESCAN_RESULTS_FIXED_SIZE) { -+ brcmf_err("Ignoring invalid bss_info length: %d\n", - bi_length); - goto exit; - } diff --git a/package/kernel/mac80211/patches/326-v4.14-0001-brcmfmac-Add-support-for-CYW4373-SDIO-USB-chipset.patch b/package/kernel/mac80211/patches/326-v4.14-0001-brcmfmac-Add-support-for-CYW4373-SDIO-USB-chipset.patch new file mode 100644 index 0000000000..cc52a797ac --- /dev/null +++ b/package/kernel/mac80211/patches/326-v4.14-0001-brcmfmac-Add-support-for-CYW4373-SDIO-USB-chipset.patch 
@@ -0,0 +1,139 @@ +From 0ec9eb90feec4933637fbde9d5bfbc3b62aea218 Mon Sep 17 00:00:00 2001 +From: Chi-Hsien Lin +Date: Thu, 3 Aug 2017 17:37:58 +0800 +Subject: [PATCH] brcmfmac: Add support for CYW4373 SDIO/USB chipset + +Add support for CYW4373 SDIO/USB chipset. +CYW4373 is a 1x1 dual-band 11ac chipset with 20/40/80Mhz channel support. +It's a WiFi/BT combo device. + +Signed-off-by: Chi-Hsien Lin +Reviewed-by: Arend van Spriel +Signed-off-by: Kalle Valo +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c | 1 + + drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c | 2 ++ + drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 4 +++- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c | 9 ++++++++- + drivers/net/wireless/broadcom/brcm80211/include/brcm_hw_ids.h | 3 +++ + include/linux/mmc/sdio_ids.h | 1 + + 6 files changed, 18 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c +@@ -1104,6 +1104,7 @@ static const struct sdio_device_id brcmf + BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_BROADCOM_43455), + BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_BROADCOM_4354), + BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_BROADCOM_4356), ++ BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_CYPRESS_4373), + { /* end: all zeroes */ } + }; + MODULE_DEVICE_TABLE(sdio, brcmf_sdmmc_ids); +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c +@@ -690,6 +690,8 @@ static u32 brcmf_chip_tcm_rambase(struct + case BRCM_CC_4365_CHIP_ID: + case BRCM_CC_4366_CHIP_ID: + return 0x200000; ++ case CY_CC_4373_CHIP_ID: ++ return 0x160000; + default: + brcmf_err("unknown chip: %s\n", ci->pub.name); + break; +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c +@@ -617,6 +617,7 @@ BRCMF_FW_NVRAM_DEF(43430A1, "brcmfmac434 + BRCMF_FW_NVRAM_DEF(43455, "brcmfmac43455-sdio.bin", 
"brcmfmac43455-sdio.txt"); + BRCMF_FW_NVRAM_DEF(4354, "brcmfmac4354-sdio.bin", "brcmfmac4354-sdio.txt"); + BRCMF_FW_NVRAM_DEF(4356, "brcmfmac4356-sdio.bin", "brcmfmac4356-sdio.txt"); ++BRCMF_FW_NVRAM_DEF(4373, "brcmfmac4373-sdio.bin", "brcmfmac4373-sdio.txt"); + + static struct brcmf_firmware_mapping brcmf_sdio_fwnames[] = { + BRCMF_FW_NVRAM_ENTRY(BRCM_CC_43143_CHIP_ID, 0xFFFFFFFF, 43143), +@@ -635,7 +636,8 @@ static struct brcmf_firmware_mapping brc + BRCMF_FW_NVRAM_ENTRY(BRCM_CC_43430_CHIP_ID, 0xFFFFFFFE, 43430A1), + BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4345_CHIP_ID, 0xFFFFFFC0, 43455), + BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4354_CHIP_ID, 0xFFFFFFFF, 4354), +- BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4356_CHIP_ID, 0xFFFFFFFF, 4356) ++ BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4356_CHIP_ID, 0xFFFFFFFF, 4356), ++ BRCMF_FW_NVRAM_ENTRY(CY_CC_4373_CHIP_ID, 0xFFFFFFFF, 4373) + }; + + static void pkt_align(struct sk_buff *p, int len, int align) +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c +@@ -49,6 +49,7 @@ BRCMF_FW_DEF(43143, "brcmfmac43143.bin") + BRCMF_FW_DEF(43236B, "brcmfmac43236b.bin"); + BRCMF_FW_DEF(43242A, "brcmfmac43242a.bin"); + BRCMF_FW_DEF(43569, "brcmfmac43569.bin"); ++BRCMF_FW_DEF(4373, "brcmfmac4373.bin"); + + static struct brcmf_firmware_mapping brcmf_usb_fwnames[] = { + BRCMF_FW_ENTRY(BRCM_CC_43143_CHIP_ID, 0xFFFFFFFF, 43143), +@@ -57,7 +58,8 @@ static struct brcmf_firmware_mapping brc + BRCMF_FW_ENTRY(BRCM_CC_43238_CHIP_ID, 0x00000008, 43236B), + BRCMF_FW_ENTRY(BRCM_CC_43242_CHIP_ID, 0xFFFFFFFF, 43242A), + BRCMF_FW_ENTRY(BRCM_CC_43566_CHIP_ID, 0xFFFFFFFF, 43569), +- BRCMF_FW_ENTRY(BRCM_CC_43569_CHIP_ID, 0xFFFFFFFF, 43569) ++ BRCMF_FW_ENTRY(BRCM_CC_43569_CHIP_ID, 0xFFFFFFFF, 43569), ++ BRCMF_FW_ENTRY(CY_CC_4373_CHIP_ID, 0xFFFFFFFF, 4373) + }; + + #define TRX_MAGIC 0x30524448 /* "HDR0" */ +@@ -1461,15 +1463,20 @@ static int brcmf_usb_reset_resume(struct + #define LINKSYS_USB_DEVICE(dev_id) \ + { 
USB_DEVICE(BRCM_USB_VENDOR_ID_LINKSYS, dev_id) } + ++#define CYPRESS_USB_DEVICE(dev_id) \ ++ { USB_DEVICE(CY_USB_VENDOR_ID_CYPRESS, dev_id) } ++ + static struct usb_device_id brcmf_usb_devid_table[] = { + BRCMF_USB_DEVICE(BRCM_USB_43143_DEVICE_ID), + BRCMF_USB_DEVICE(BRCM_USB_43236_DEVICE_ID), + BRCMF_USB_DEVICE(BRCM_USB_43242_DEVICE_ID), + BRCMF_USB_DEVICE(BRCM_USB_43569_DEVICE_ID), + LINKSYS_USB_DEVICE(BRCM_USB_43235_LINKSYS_DEVICE_ID), ++ CYPRESS_USB_DEVICE(CY_USB_4373_DEVICE_ID), + { USB_DEVICE(BRCM_USB_VENDOR_ID_LG, BRCM_USB_43242_LG_DEVICE_ID) }, + /* special entry for device with firmware loaded and running */ + BRCMF_USB_DEVICE(BRCM_USB_BCMFW_DEVICE_ID), ++ CYPRESS_USB_DEVICE(BRCM_USB_BCMFW_DEVICE_ID), + { /* end: all zeroes */ } + }; + +--- a/drivers/net/wireless/broadcom/brcm80211/include/brcm_hw_ids.h ++++ b/drivers/net/wireless/broadcom/brcm80211/include/brcm_hw_ids.h +@@ -23,6 +23,7 @@ + #define BRCM_USB_VENDOR_ID_BROADCOM 0x0a5c + #define BRCM_USB_VENDOR_ID_LG 0x043e + #define BRCM_USB_VENDOR_ID_LINKSYS 0x13b1 ++#define CY_USB_VENDOR_ID_CYPRESS 0x04b4 + #define BRCM_PCIE_VENDOR_ID_BROADCOM PCI_VENDOR_ID_BROADCOM + + /* Chipcommon Core Chip IDs */ +@@ -57,6 +58,7 @@ + #define BRCM_CC_4365_CHIP_ID 0x4365 + #define BRCM_CC_4366_CHIP_ID 0x4366 + #define BRCM_CC_4371_CHIP_ID 0x4371 ++#define CY_CC_4373_CHIP_ID 0x4373 + + /* USB Device IDs */ + #define BRCM_USB_43143_DEVICE_ID 0xbd1e +@@ -66,6 +68,7 @@ + #define BRCM_USB_43242_LG_DEVICE_ID 0x3101 + #define BRCM_USB_43569_DEVICE_ID 0xbd27 + #define BRCM_USB_BCMFW_DEVICE_ID 0x0bdc ++#define CY_USB_4373_DEVICE_ID 0xbd29 + + /* PCIE Device IDs */ + #define BRCM_PCIE_4350_DEVICE_ID 0x43a3 +--- a/include/linux/mmc/sdio_ids.h ++++ b/include/linux/mmc/sdio_ids.h +@@ -39,6 +39,7 @@ + #define SDIO_DEVICE_ID_BROADCOM_43455 0xa9bf + #define SDIO_DEVICE_ID_BROADCOM_4354 0x4354 + #define SDIO_DEVICE_ID_BROADCOM_4356 0x4356 ++#define SDIO_DEVICE_ID_CYPRESS_4373 0x4373 + + #define SDIO_VENDOR_ID_INTEL 0x0089 + #define 
SDIO_DEVICE_ID_INTEL_IWMC3200WIMAX 0x1402 diff --git a/package/kernel/mac80211/patches/326-v4.14-0002-brcmfmac-fix-wrong-num_different_channels-when-mchan.patch b/package/kernel/mac80211/patches/326-v4.14-0002-brcmfmac-fix-wrong-num_different_channels-when-mchan.patch new file mode 100644 index 0000000000..1887e8914c --- /dev/null +++ b/package/kernel/mac80211/patches/326-v4.14-0002-brcmfmac-fix-wrong-num_different_channels-when-mchan.patch 
@@ -0,0 +1,47 @@ +From 99976fc084129e07df3a066dc15651853386da19 Mon Sep 17 00:00:00 2001 +From: Wright Feng +Date: Thu, 3 Aug 2017 17:37:59 +0800 +Subject: [PATCH] brcmfmac: fix wrong num_different_channels when mchan feature + enabled + +When the device/firmware supports multi-channel, it can have P2P +connection and regular connection with AP simultaneous. In this case, +the num_different_channels in wiphy info was not correct when firmware +supports multi-channel (The iw wiphy# info showed "#channels <= 1" in +interface combinations). It caused association failed and error message +"CTRL-EVENT-FREQ-CONFLICT error" in wpa_supplicant when P2P GO interface +was running at the same time. +The root cause is that the num_different_channels was always overridden +to 1 in brcmf_setup_ifmodes even multi-channel was enabled. +We correct the logic by moving num_different_channels setting forward. + +Signed-off-by: Wright Feng +Acked-by: Arend van Spriel +Signed-off-by: Kalle Valo +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +@@ -6311,6 +6311,8 @@ static int brcmf_setup_ifmodes(struct wi + if (p2p) { + if (brcmf_feat_is_enabled(ifp, BRCMF_FEAT_MCHAN)) + combo[c].num_different_channels = 2; ++ else ++ combo[c].num_different_channels = 1; + wiphy->interface_modes |= BIT(NL80211_IFTYPE_P2P_CLIENT) | + BIT(NL80211_IFTYPE_P2P_GO) | + BIT(NL80211_IFTYPE_P2P_DEVICE); +@@ -6320,10 +6322,10 @@ static int brcmf_setup_ifmodes(struct wi + c0_limits[i++].types = BIT(NL80211_IFTYPE_P2P_CLIENT) | + BIT(NL80211_IFTYPE_P2P_GO); + } else { ++ combo[c].num_different_channels = 1; + c0_limits[i].max = 1; + c0_limits[i++].types = BIT(NL80211_IFTYPE_AP); + } +- combo[c].num_different_channels = 1; + combo[c].max_interfaces = i; + combo[c].n_limits = i; + combo[c].limits = c0_limits; 
diff --git a/package/kernel/mac80211/patches/326-v4.14-0003-brcmfmac-Log-chip-id-and-revision.patch b/package/kernel/mac80211/patches/326-v4.14-0003-brcmfmac-Log-chip-id-and-revision.patch new file mode 100644 index 0000000000..7531551fe7 --- /dev/null +++ b/package/kernel/mac80211/patches/326-v4.14-0003-brcmfmac-Log-chip-id-and-revision.patch @@ -0,0 +1,27 @@ +From f38966a7ace842afd3a9bf5d0fb56640f49df60c Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Wed, 30 Aug 2017 15:54:49 +0200 +Subject: [PATCH] brcmfmac: Log chip id and revision + +For debugging some problems, it is useful to know the chip revision +add a brcmf_info message logging this. + +Signed-off-by: Hans de Goede +Acked-by: Arend van Spriel +Signed-off-by: Kalle Valo +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c +@@ -602,6 +602,9 @@ int brcmf_fw_map_chip_to_name(u32 chip, + if ((nvram_name) && (mapping_table[i].nvram)) + strlcat(nvram_name, mapping_table[i].nvram, BRCMF_FW_NAME_LEN); + ++ brcmf_info("using %s for chip %#08x(%d) rev %#08x\n", ++ fw_name, chip, chip, chiprev); ++ + return 0; + } + diff --git a/package/kernel/mac80211/patches/326-v4.14-0004-brcmfmac-add-length-check-in-brcmf_cfg80211_escan_ha.patch b/package/kernel/mac80211/patches/326-v4.14-0004-brcmfmac-add-length-check-in-brcmf_cfg80211_escan_ha.patch new file mode 100644 index 0000000000..2b16fa44f7 --- /dev/null +++ b/package/kernel/mac80211/patches/326-v4.14-0004-brcmfmac-add-length-check-in-brcmf_cfg80211_escan_ha.patch 
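Review bot: The added brcmf_info() call in brcmf_fw_map_chip_to_name() prints the `u32 chip` argument with `%d`, and `%#08x` counts the `0x` prefix in its width, so the hex fields pad to six digits rather than eight. `"using %s for chip %#010x(%u) rev %#010x\n"` would match the type and give a fixed-width value. The 0004 patch in this commit has the same mismatch: `brcmf_err("Invalid escan buffer length: %d\n", escan_buflen)` prints a `u32` read from the firmware event, so an oversized length is logged as a negative number, and `%u` keeps that line readable when triaging malformed events. Both files appear to be verbatim upstream backports, so the change would belong upstream first. The function body starts outside the hunk.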
@@ -0,0 +1,63 @@ +From: Arend Van Spriel +Date: Tue, 12 Sep 2017 10:47:53 +0200 +Subject: [PATCH] brcmfmac: add length check in brcmf_cfg80211_escan_handler() + +Upon handling the firmware notification for scans the length was +checked properly and may result in corrupting kernel heap memory +due to buffer overruns. This fix addresses CVE-2017-0786. + +Cc: stable@vger.kernel.org # v4.0.x +Cc: Kevin Cernekee +Reviewed-by: Hante Meuleman +Reviewed-by: Pieter-Paul Giesberts +Reviewed-by: Franky Lin +Signed-off-by: Arend van Spriel +Signed-off-by: Kalle Valo +--- + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +@@ -3088,6 +3088,7 @@ brcmf_cfg80211_escan_handler(struct brcm + struct brcmf_cfg80211_info *cfg = ifp->drvr->config; + s32 status; + struct brcmf_escan_result_le *escan_result_le; ++ u32 escan_buflen; + struct brcmf_bss_info_le *bss_info_le; + struct brcmf_bss_info_le *bss = NULL; + u32 bi_length; +@@ -3107,11 +3108,23 @@ brcmf_cfg80211_escan_handler(struct brcm + + if (status == BRCMF_E_STATUS_PARTIAL) { + brcmf_dbg(SCAN, "ESCAN Partial result\n"); ++ if (e->datalen < sizeof(*escan_result_le)) { ++ brcmf_err("invalid event data length\n"); ++ goto exit; ++ } + escan_result_le = (struct brcmf_escan_result_le *) data; + if (!escan_result_le) { + brcmf_err("Invalid escan result (NULL pointer)\n"); + goto exit; + } ++ escan_buflen = le32_to_cpu(escan_result_le->buflen); ++ if (escan_buflen > BRCMF_ESCAN_BUF_SIZE || ++ escan_buflen > e->datalen || ++ escan_buflen < sizeof(*escan_result_le)) { ++ brcmf_err("Invalid escan buffer length: %d\n", ++ escan_buflen); ++ goto exit; ++ } + if (le16_to_cpu(escan_result_le->bss_count) != 1) { + brcmf_err("Invalid bss_count %d: ignoring\n", + escan_result_le->bss_count); +@@ -3128,9 +3141,8 @@ brcmf_cfg80211_escan_handler(struct brcm + } + + bi_length = le32_to_cpu(bss_info_le->length); +- if (bi_length != 
(le32_to_cpu(escan_result_le->buflen) - +- WL_ESCAN_RESULTS_FIXED_SIZE)) { +- brcmf_err("Invalid bss_info length %d: ignoring\n", ++ if (bi_length != escan_buflen - WL_ESCAN_RESULTS_FIXED_SIZE) { ++ brcmf_err("Ignoring invalid bss_info length: %d\n", + bi_length); + goto exit; + } diff --git a/package/kernel/mac80211/patches/326-v4.14-0005-brcmfmac-Add-check-for-short-event-packets.patch b/package/kernel/mac80211/patches/326-v4.14-0005-brcmfmac-Add-check-for-short-event-packets.patch new file mode 100644 index 0000000000..27b3bcdfee --- /dev/null +++ b/package/kernel/mac80211/patches/326-v4.14-0005-brcmfmac-Add-check-for-short-event-packets.patch @@ -0,0 +1,32 @@ +From dd2349121bb1b8ff688c3ca6a2a0bea9d8c142ca Mon Sep 17 00:00:00 2001 +From: Kevin Cernekee +Date: Sat, 16 Sep 2017 21:08:24 -0700 +Subject: [PATCH] brcmfmac: Add check for short event packets + +The length of the data in the received skb is currently passed into +brcmf_fweh_process_event() as packet_len, but this value is not checked. +event_packet should be followed by DATALEN bytes of additional event +data. Ensure that the received packet actually contains at least +DATALEN bytes of additional data, to avoid copying uninitialized memory +into event->data. + +Cc: # v3.8 +Suggested-by: Mattias Nissler +Signed-off-by: Kevin Cernekee +Signed-off-by: Kalle Valo +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c +@@ -429,7 +429,8 @@ void brcmf_fweh_process_event(struct brc + if (code != BRCMF_E_IF && !fweh->evt_handler[code]) + return; + +- if (datalen > BRCMF_DCMD_MAXLEN) ++ if (datalen > BRCMF_DCMD_MAXLEN || ++ datalen + sizeof(*event_packet) > packet_len) + return; + + if (in_interrupt()) 
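Review bot: The added `datalen + sizeof(*event_packet) > packet_len` test in brcmf_fweh_process_event() depends on the `datalen > BRCMF_DCMD_MAXLEN` test before it to keep the sum from wrapping where size_t is 32 bits (assuming datalen is a 32-bit value), and nothing in the hunk records that ordering. A comment above the condition would protect it, e.g. `/* bound datalen first so the sum below cannot wrap */`. `code` is already used just above, presumably parsed from the packet header, so the new check only covers the trailing data and relies on the caller having verified that packet_len covers the fixed header; that caller is outside the hunk and should be confirmed. The function body starts and ends outside the hunk.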
diff --git a/package/kernel/mac80211/patches/329-brcmfmac-add-support-for-BCM4366E-chipset.patch b/package/kernel/mac80211/patches/329-brcmfmac-add-support-for-BCM4366E-chipset.patch index 5a78ee489f..ddbff07839 100644 --- a/package/kernel/mac80211/patches/329-brcmfmac-add-support-for-BCM4366E-chipset.patch +++ b/package/kernel/mac80211/patches/329-brcmfmac-add-support-for-BCM4366E-chipset.patch @@ -22,8 +22,8 @@ Signed-off-by: Arend van Spriel case BRCM_CC_4366_CHIP_ID: + case BRCM_CC_43664_CHIP_ID: return 0x200000; - default: - brcmf_err("unknown chip: %s\n", ci->pub.name); + case CY_CC_4373_CHIP_ID: + return 0x160000; --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c @@ -75,6 +75,7 @@ static struct brcmf_firmware_mapping brc @@ -36,11 +36,11 @@ Signed-off-by: Arend van Spriel --- a/drivers/net/wireless/broadcom/brcm80211/include/brcm_hw_ids.h +++ b/drivers/net/wireless/broadcom/brcm80211/include/brcm_hw_ids.h -@@ -56,6 +56,7 @@ +@@ -57,6 +57,7 @@ #define BRCM_CC_43602_CHIP_ID 43602 #define BRCM_CC_4365_CHIP_ID 0x4365 #define BRCM_CC_4366_CHIP_ID 0x4366 +#define BRCM_CC_43664_CHIP_ID 43664 #define BRCM_CC_4371_CHIP_ID 0x4371 + #define CY_CC_4373_CHIP_ID 0x4373 - /* USB Device IDs */ -- cgit v1.2.3