From c3aa33bf705027751b344bc668541e5d08ed9495 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= Date: Thu, 19 Dec 2019 08:40:12 +0100 Subject: mac80211: brcm: backport 5.5 and 5.6 kernel patches MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This update doesn't include: 3b1e0a7bdfee brcmfmac: add support for SAE authentication offload be898fed355e brcmfmac: send port authorized event for FT-802.1X due to nl80211 dependencies. Signed-off-by: Rafał Miłecki --- ...-disable-PCIe-interrupts-before-bus-reset.patch | 54 ---------- ...c-remove-monitor-interface-when-detaching.patch | 30 ------ ...mac-don-t-WARN-when-there-are-no-requests.patch | 28 ++++++ ...-fix-suspend-resume-when-power-is-cut-off.patch | 109 +++++++++++++++++++++ ...move-set-but-not-used-variable-mpnum-nsp-.patch | 58 +++++++++++ ...-disable-PCIe-interrupts-before-bus-reset.patch | 54 ++++++++++ ...c-remove-monitor-interface-when-detaching.patch | 30 ++++++ ...ix-memory-leak-in-brcmf_p2p_create_p2pdev.patch | 29 ++++++ ...x-use-after-free-in-brcmf_sdio_readframes.patch | 31 ++++++ ...c-set-interface-carrier-to-off-by-default.patch | 29 ++++++ ...-v5.6-brcmfmac-fix-interface-sanity-check.patch | 40 ++++++++ ...mfmac-register-wiphy-s-during-module_init.patch | 2 +- 12 files changed, 409 insertions(+), 85 deletions(-) delete mode 100644 package/kernel/mac80211/patches/brcm/100-brcmfmac-disable-PCIe-interrupts-before-bus-reset.patch delete mode 100644 package/kernel/mac80211/patches/brcm/101-brcmfmac-remove-monitor-interface-when-detaching.patch create mode 100644 package/kernel/mac80211/patches/brcm/101-v5.5-0001-brcmfmac-don-t-WARN-when-there-are-no-requests.patch create mode 100644 package/kernel/mac80211/patches/brcm/101-v5.5-0002-brcmfmac-fix-suspend-resume-when-power-is-cut-off.patch create mode 100644 package/kernel/mac80211/patches/brcm/103-v5.5-brcmfmac-remove-set-but-not-used-variable-mpnum-nsp-.patch create mode 100644 package/kernel/mac80211/patches/brcm/104-v5.5-brcmfmac-disable-PCIe-interrupts-before-bus-reset.patch create mode 100644 package/kernel/mac80211/patches/brcm/105-v5.5-brcmfmac-remove-monitor-interface-when-detaching.patch create mode 100644 package/kernel/mac80211/patches/brcm/110-v5.6-brcmfmac-Fix-memory-leak-in-brcmf_p2p_create_p2pdev.patch create mode 100644 package/kernel/mac80211/patches/brcm/111-v5.6-brcmfmac-Fix-use-after-free-in-brcmf_sdio_readframes.patch create mode 100644 package/kernel/mac80211/patches/brcm/112-v5.6-brcmfmac-set-interface-carrier-to-off-by-default.patch create mode 100644 package/kernel/mac80211/patches/brcm/113-v5.6-brcmfmac-fix-interface-sanity-check.patch diff --git a/package/kernel/mac80211/patches/brcm/100-brcmfmac-disable-PCIe-interrupts-before-bus-reset.patch b/package/kernel/mac80211/patches/brcm/100-brcmfmac-disable-PCIe-interrupts-before-bus-reset.patch deleted file mode 100644 index a92118a19a..0000000000 --- a/package/kernel/mac80211/patches/brcm/100-brcmfmac-disable-PCIe-interrupts-before-bus-reset.patch +++ /dev/null @@ -1,54 +0,0 @@ -From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= -Date: Mon, 18 Nov 2019 11:52:41 +0100 -Subject: [PATCH FIX] brcmfmac: disable PCIe interrupts before bus reset -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Keeping interrupts on could result in brcmfmac freeing some resources -and then IRQ handlers trying to use them. That was obviously a straight -path for crashing a kernel. - -Example: -CPU0 CPU1 ----- ---- -brcmf_pcie_reset - brcmf_pcie_bus_console_read - brcmf_detach - ... - brcmf_fweh_detach - brcmf_proto_detach - brcmf_pcie_isr_thread - ... - brcmf_proto_msgbuf_rx_trigger - ... - drvr->proto->pd - brcmf_pcie_release_irq - -[ 363.789218] Unable to handle kernel NULL pointer dereference at virtual address 00000038 -[ 363.797339] pgd = c0004000 -[ 363.800050] [00000038] *pgd=00000000 -[ 363.803635] Internal error: Oops: 17 [#1] SMP ARM -(...) -[ 364.029209] Backtrace: -[ 364.031725] [] (brcmf_proto_msgbuf_rx_trigger [brcmfmac]) from [] (brcmf_pcie_isr_thread+0x228/0x274 [brcmfmac]) -[ 364.043662] r7:00000001 r6:c8ca0000 r5:00010000 r4:c7b4f800 - -Fixes: 4684997d9eea ("brcmfmac: reset PCIe bus on a firmware crash") -Cc: stable@vger.kernel.org # v5.2+ -Signed-off-by: Rafał Miłecki ---- - drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c -+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c -@@ -1427,6 +1427,8 @@ static int brcmf_pcie_reset(struct devic - struct brcmf_fw_request *fwreq; - int err; - -+ brcmf_pcie_intr_disable(devinfo); -+ - brcmf_pcie_bus_console_read(devinfo, true); - - brcmf_detach(dev); diff --git a/package/kernel/mac80211/patches/brcm/101-brcmfmac-remove-monitor-interface-when-detaching.patch b/package/kernel/mac80211/patches/brcm/101-brcmfmac-remove-monitor-interface-when-detaching.patch deleted file mode 100644 index 6c325ee844..0000000000 --- a/package/kernel/mac80211/patches/brcm/101-brcmfmac-remove-monitor-interface-when-detaching.patch +++ /dev/null @@ -1,30 +0,0 @@ -From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= -Date: Mon, 18 Nov 2019 13:35:20 +0100 -Subject: [PATCH 5.5] brcmfmac: remove monitor interface when detaching -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This fixes a minor WARNING in the cfg80211: -[ 130.658034] ------------[ cut here ]------------ -[ 130.662805] WARNING: CPU: 1 PID: 610 at net/wireless/core.c:954 wiphy_unregister+0xb4/0x198 [cfg80211] - -Signed-off-by: Rafał Miłecki ---- - drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 5 +++++ - 1 file changed, 5 insertions(+) - ---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c -+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c -@@ -1371,6 +1371,11 @@ void brcmf_detach(struct device *dev) - brcmf_fweh_detach(drvr); - brcmf_proto_detach(drvr); - -+ if (drvr->mon_if) { -+ brcmf_net_detach(drvr->mon_if->ndev, false); -+ drvr->mon_if = NULL; -+ } -+ - /* make sure primary interface removed last */ - for (i = BRCMF_MAX_IFS - 1; i > -1; i--) { - if (drvr->iflist[i]) diff --git a/package/kernel/mac80211/patches/brcm/101-v5.5-0001-brcmfmac-don-t-WARN-when-there-are-no-requests.patch b/package/kernel/mac80211/patches/brcm/101-v5.5-0001-brcmfmac-don-t-WARN-when-there-are-no-requests.patch new file mode 100644 index 0000000000..a1311e0a49 --- /dev/null +++ b/package/kernel/mac80211/patches/brcm/101-v5.5-0001-brcmfmac-don-t-WARN-when-there-are-no-requests.patch @@ -0,0 +1,28 @@ +From 1524cbf3621576c639405e7aabeac415f9617c8d Mon Sep 17 00:00:00 2001 +From: Adrian Ratiu +Date: Wed, 25 Sep 2019 16:44:57 +0300 +Subject: [PATCH] brcmfmac: don't WARN when there are no requests + +When n_reqs == 0 there is nothing to do so it doesn't make sense to +search for requests and issue a warning because none is found. + +Signed-off-by: Martyn Welch +Signed-off-by: Adrian Ratiu +Signed-off-by: Kalle Valo +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/pno.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pno.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pno.c +@@ -57,6 +57,10 @@ static int brcmf_pno_remove_request(stru + + mutex_lock(&pi->req_lock); + ++ /* Nothing to do if we have no requests */ ++ if (pi->n_reqs == 0) ++ goto done; ++ + /* find request */ + for (i = 0; i < pi->n_reqs; i++) { + if (pi->reqs[i]->reqid == reqid) diff --git a/package/kernel/mac80211/patches/brcm/101-v5.5-0002-brcmfmac-fix-suspend-resume-when-power-is-cut-off.patch b/package/kernel/mac80211/patches/brcm/101-v5.5-0002-brcmfmac-fix-suspend-resume-when-power-is-cut-off.patch new file mode 100644 index 0000000000..eafc96b901 --- /dev/null +++ b/package/kernel/mac80211/patches/brcm/101-v5.5-0002-brcmfmac-fix-suspend-resume-when-power-is-cut-off.patch @@ -0,0 +1,109 @@ +From e0ae4bac22effbd644add326f658a3aeeb8d45ee Mon Sep 17 00:00:00 2001 +From: Adrian Ratiu +Date: Wed, 25 Sep 2019 16:44:58 +0300 +Subject: [PATCH] brcmfmac: fix suspend/resume when power is cut off + +brcmfmac assumed the wifi device always remains powered on and thus +hardcoded the MMC_PM_KEEP_POWER flag expecting the wifi device to +remain on even during suspend/resume cycles. + +This is not always the case, some appliances cut power to everything +connected via SDIO for efficiency reasons and this leads to wifi not +being usable after coming out of suspend because the device was not +correctly reinitialized. + +So we check for the keep_power capability and if it's not present then +we remove the device and probe it again during resume to mirror what's +happening in hardware and ensure correct reinitialization in the case +when MMC_PM_KEEP_POWER is not supported. + +Suggested-by: Gustavo Padovan +Signed-off-by: Adrian Ratiu +Signed-off-by: Kalle Valo +--- + .../broadcom/brcm80211/brcmfmac/bcmsdh.c | 53 ++++++++++++++----- + 1 file changed, 39 insertions(+), 14 deletions(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c +@@ -1108,7 +1108,8 @@ static int brcmf_ops_sdio_suspend(struct + struct sdio_func *func; + struct brcmf_bus *bus_if; + struct brcmf_sdio_dev *sdiodev; +- mmc_pm_flag_t sdio_flags; ++ mmc_pm_flag_t pm_caps, sdio_flags; ++ int ret = 0; + + func = container_of(dev, struct sdio_func, dev); + brcmf_dbg(SDIO, "Enter: F%d\n", func->num); +@@ -1119,19 +1120,33 @@ static int brcmf_ops_sdio_suspend(struct + bus_if = dev_get_drvdata(dev); + sdiodev = bus_if->bus_priv.sdio; + +- brcmf_sdiod_freezer_on(sdiodev); +- brcmf_sdio_wd_timer(sdiodev->bus, 0); ++ pm_caps = sdio_get_host_pm_caps(func); + +- sdio_flags = MMC_PM_KEEP_POWER; +- if (sdiodev->wowl_enabled) { +- if (sdiodev->settings->bus.sdio.oob_irq_supported) +- enable_irq_wake(sdiodev->settings->bus.sdio.oob_irq_nr); +- else +- sdio_flags |= MMC_PM_WAKE_SDIO_IRQ; ++ if (pm_caps & MMC_PM_KEEP_POWER) { ++ /* preserve card power during suspend */ ++ brcmf_sdiod_freezer_on(sdiodev); ++ brcmf_sdio_wd_timer(sdiodev->bus, 0); ++ ++ sdio_flags = MMC_PM_KEEP_POWER; ++ if (sdiodev->wowl_enabled) { ++ if (sdiodev->settings->bus.sdio.oob_irq_supported) ++ enable_irq_wake(sdiodev->settings->bus.sdio.oob_irq_nr); ++ else ++ sdio_flags |= MMC_PM_WAKE_SDIO_IRQ; ++ } ++ ++ if (sdio_set_host_pm_flags(sdiodev->func1, sdio_flags)) ++ brcmf_err("Failed to set pm_flags %x\n", sdio_flags); ++ ++ } else { ++ /* power will be cut so remove device, probe again in resume */ ++ brcmf_sdiod_intr_unregister(sdiodev); ++ ret = brcmf_sdiod_remove(sdiodev); ++ if (ret) ++ brcmf_err("Failed to remove device on suspend\n"); + } +- if (sdio_set_host_pm_flags(sdiodev->func1, sdio_flags)) +- brcmf_err("Failed to set pm_flags %x\n", sdio_flags); +- return 0; ++ ++ return ret; + } + + static int brcmf_ops_sdio_resume(struct device *dev) +@@ -1139,13 +1154,23 @@ static int brcmf_ops_sdio_resume(struct + struct brcmf_bus *bus_if = dev_get_drvdata(dev); + struct brcmf_sdio_dev *sdiodev = bus_if->bus_priv.sdio; + struct sdio_func *func = container_of(dev, struct sdio_func, dev); ++ mmc_pm_flag_t pm_caps = sdio_get_host_pm_caps(func); ++ int ret = 0; + + brcmf_dbg(SDIO, "Enter: F%d\n", func->num); + if (func->num != 2) + return 0; + +- brcmf_sdiod_freezer_off(sdiodev); +- return 0; ++ if (!(pm_caps & MMC_PM_KEEP_POWER)) { ++ /* bus was powered off and device removed, probe again */ ++ ret = brcmf_sdiod_probe(sdiodev); ++ if (ret) ++ brcmf_err("Failed to probe device on resume\n"); ++ } else { ++ brcmf_sdiod_freezer_off(sdiodev); ++ } ++ ++ return ret; + } + + static const struct dev_pm_ops brcmf_sdio_pm_ops = { diff --git a/package/kernel/mac80211/patches/brcm/103-v5.5-brcmfmac-remove-set-but-not-used-variable-mpnum-nsp-.patch b/package/kernel/mac80211/patches/brcm/103-v5.5-brcmfmac-remove-set-but-not-used-variable-mpnum-nsp-.patch new file mode 100644 index 0000000000..25b3ceb959 --- /dev/null +++ b/package/kernel/mac80211/patches/brcm/103-v5.5-brcmfmac-remove-set-but-not-used-variable-mpnum-nsp-.patch @@ -0,0 +1,58 @@ +From 7af496b9eb0433bc4cb478c9a46f85509cdb5541 Mon Sep 17 00:00:00 2001 +From: zhengbin +Date: Sat, 16 Nov 2019 15:22:47 +0800 +Subject: [PATCH] brcmfmac: remove set but not used variable + 'mpnum','nsp','nmp' + +Fixes gcc '-Wunused-but-set-variable' warning: + +drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c: In function brcmf_chip_dmp_get_regaddr: +drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c:790:5: warning: variable mpnum set but not used [-Wunused-but-set-variable] +drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c: In function brcmf_chip_dmp_erom_scan: +drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c:866:10: warning: variable nsp set but not used [-Wunused-but-set-variable] +drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c: In function brcmf_chip_dmp_erom_scan: +drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c:866:5: warning: variable nmp set but not used [-Wunused-but-set-variable] + +Reported-by: Hulk Robot +Signed-off-by: zhengbin +Signed-off-by: Kalle Valo +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c +@@ -778,7 +778,6 @@ static int brcmf_chip_dmp_get_regaddr(st + { + u8 desc; + u32 val, szdesc; +- u8 mpnum = 0; + u8 stype, sztype, wraptype; + + *regbase = 0; +@@ -786,7 +785,6 @@ static int brcmf_chip_dmp_get_regaddr(st + + val = brcmf_chip_dmp_get_desc(ci, eromaddr, &desc); + if (desc == DMP_DESC_MASTER_PORT) { +- mpnum = (val & DMP_MASTER_PORT_NUM) >> DMP_MASTER_PORT_NUM_S; + wraptype = DMP_SLAVE_TYPE_MWRAP; + } else if (desc == DMP_DESC_ADDRESS) { + /* revert erom address */ +@@ -854,7 +852,7 @@ int brcmf_chip_dmp_erom_scan(struct brcm + u8 desc_type = 0; + u32 val; + u16 id; +- u8 nmp, nsp, nmw, nsw, rev; ++ u8 nmw, nsw, rev; + u32 base, wrap; + int err; + +@@ -880,8 +878,6 @@ int brcmf_chip_dmp_erom_scan(struct brcm + return -EFAULT; + + /* only look at cores with master port(s) */ +- nmp = (val & DMP_COMP_NUM_MPORT) >> DMP_COMP_NUM_MPORT_S; +- nsp = (val & DMP_COMP_NUM_SPORT) >> DMP_COMP_NUM_SPORT_S; + nmw = (val & DMP_COMP_NUM_MWRAP) >> DMP_COMP_NUM_MWRAP_S; + nsw = (val & DMP_COMP_NUM_SWRAP) >> DMP_COMP_NUM_SWRAP_S; + rev = (val & DMP_COMP_REVISION) >> DMP_COMP_REVISION_S; diff --git a/package/kernel/mac80211/patches/brcm/104-v5.5-brcmfmac-disable-PCIe-interrupts-before-bus-reset.patch b/package/kernel/mac80211/patches/brcm/104-v5.5-brcmfmac-disable-PCIe-interrupts-before-bus-reset.patch new file mode 100644 index 0000000000..a92118a19a --- /dev/null +++ b/package/kernel/mac80211/patches/brcm/104-v5.5-brcmfmac-disable-PCIe-interrupts-before-bus-reset.patch @@ -0,0 +1,54 @@ +From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= +Date: Mon, 18 Nov 2019 11:52:41 +0100 +Subject: [PATCH FIX] brcmfmac: disable PCIe interrupts before bus reset +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Keeping interrupts on could result in brcmfmac freeing some resources +and then IRQ handlers trying to use them. That was obviously a straight +path for crashing a kernel. + +Example: +CPU0 CPU1 +---- ---- +brcmf_pcie_reset + brcmf_pcie_bus_console_read + brcmf_detach + ... + brcmf_fweh_detach + brcmf_proto_detach + brcmf_pcie_isr_thread + ... + brcmf_proto_msgbuf_rx_trigger + ... + drvr->proto->pd + brcmf_pcie_release_irq + +[ 363.789218] Unable to handle kernel NULL pointer dereference at virtual address 00000038 +[ 363.797339] pgd = c0004000 +[ 363.800050] [00000038] *pgd=00000000 +[ 363.803635] Internal error: Oops: 17 [#1] SMP ARM +(...) +[ 364.029209] Backtrace: +[ 364.031725] [] (brcmf_proto_msgbuf_rx_trigger [brcmfmac]) from [] (brcmf_pcie_isr_thread+0x228/0x274 [brcmfmac]) +[ 364.043662] r7:00000001 r6:c8ca0000 r5:00010000 r4:c7b4f800 + +Fixes: 4684997d9eea ("brcmfmac: reset PCIe bus on a firmware crash") +Cc: stable@vger.kernel.org # v5.2+ +Signed-off-by: Rafał Miłecki +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c +@@ -1427,6 +1427,8 @@ static int brcmf_pcie_reset(struct devic + struct brcmf_fw_request *fwreq; + int err; + ++ brcmf_pcie_intr_disable(devinfo); ++ + brcmf_pcie_bus_console_read(devinfo, true); + + brcmf_detach(dev); diff --git a/package/kernel/mac80211/patches/brcm/105-v5.5-brcmfmac-remove-monitor-interface-when-detaching.patch b/package/kernel/mac80211/patches/brcm/105-v5.5-brcmfmac-remove-monitor-interface-when-detaching.patch new file mode 100644 index 0000000000..6c325ee844 --- /dev/null +++ b/package/kernel/mac80211/patches/brcm/105-v5.5-brcmfmac-remove-monitor-interface-when-detaching.patch @@ -0,0 +1,30 @@ +From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= +Date: Mon, 18 Nov 2019 13:35:20 +0100 +Subject: [PATCH 5.5] brcmfmac: remove monitor interface when detaching +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This fixes a minor WARNING in the cfg80211: +[ 130.658034] ------------[ cut here ]------------ +[ 130.662805] WARNING: CPU: 1 PID: 610 at net/wireless/core.c:954 wiphy_unregister+0xb4/0x198 [cfg80211] + +Signed-off-by: Rafał Miłecki +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c +@@ -1371,6 +1371,11 @@ void brcmf_detach(struct device *dev) + brcmf_fweh_detach(drvr); + brcmf_proto_detach(drvr); + ++ if (drvr->mon_if) { ++ brcmf_net_detach(drvr->mon_if->ndev, false); ++ drvr->mon_if = NULL; ++ } ++ + /* make sure primary interface removed last */ + for (i = BRCMF_MAX_IFS - 1; i > -1; i--) { + if (drvr->iflist[i]) diff --git a/package/kernel/mac80211/patches/brcm/110-v5.6-brcmfmac-Fix-memory-leak-in-brcmf_p2p_create_p2pdev.patch b/package/kernel/mac80211/patches/brcm/110-v5.6-brcmfmac-Fix-memory-leak-in-brcmf_p2p_create_p2pdev.patch new file mode 100644 index 0000000000..5bf4ad278a --- /dev/null +++ b/package/kernel/mac80211/patches/brcm/110-v5.6-brcmfmac-Fix-memory-leak-in-brcmf_p2p_create_p2pdev.patch @@ -0,0 +1,29 @@ +From 5cc509aa83c6acd2c5cd94f99065c39d2bd0a490 Mon Sep 17 00:00:00 2001 +From: Navid Emamdoost +Date: Fri, 22 Nov 2019 13:19:48 -0600 +Subject: [PATCH] brcmfmac: Fix memory leak in brcmf_p2p_create_p2pdev() + +In the implementation of brcmf_p2p_create_p2pdev() the allocated memory +for p2p_vif is leaked when the mac address is the same as primary +interface. To fix this, go to error path to release p2p_vif via +brcmf_free_vif(). + +Fixes: cb746e47837a ("brcmfmac: check p2pdev mac address uniqueness") +Signed-off-by: Navid Emamdoost +Signed-off-by: Kalle Valo +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c +@@ -2092,7 +2092,8 @@ static struct wireless_dev *brcmf_p2p_cr + /* firmware requires unique mac address for p2pdev interface */ + if (addr && ether_addr_equal(addr, pri_ifp->mac_addr)) { + bphy_err(drvr, "discovery vif must be different from primary interface\n"); +- return ERR_PTR(-EINVAL); ++ err = -EINVAL; ++ goto fail; + } + + brcmf_p2p_generate_bss_mac(p2p, addr); diff --git a/package/kernel/mac80211/patches/brcm/111-v5.6-brcmfmac-Fix-use-after-free-in-brcmf_sdio_readframes.patch b/package/kernel/mac80211/patches/brcm/111-v5.6-brcmfmac-Fix-use-after-free-in-brcmf_sdio_readframes.patch new file mode 100644 index 0000000000..1b56f6d7ce --- /dev/null +++ b/package/kernel/mac80211/patches/brcm/111-v5.6-brcmfmac-Fix-use-after-free-in-brcmf_sdio_readframes.patch @@ -0,0 +1,31 @@ +From 216b44000ada87a63891a8214c347e05a4aea8fe Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 3 Dec 2019 12:58:55 +0300 +Subject: [PATCH] brcmfmac: Fix use after free in brcmf_sdio_readframes() + +The brcmu_pkt_buf_free_skb() function frees "pkt" so it leads to a +static checker warning: + + drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c:1974 brcmf_sdio_readframes() + error: dereferencing freed memory 'pkt' + +It looks like there was supposed to be a continue after we free "pkt". + +Fixes: 4754fceeb9a6 ("brcmfmac: streamline SDIO read frame routine") +Signed-off-by: Dan Carpenter +Acked-by: Franky Lin +Signed-off-by: Kalle Valo +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c +@@ -1935,6 +1935,7 @@ static uint brcmf_sdio_readframes(struct + BRCMF_SDIO_FT_NORMAL)) { + rd->len = 0; + brcmu_pkt_buf_free_skb(pkt); ++ continue; + } + bus->sdcnt.rx_readahead_cnt++; + if (rd->len != roundup(rd_new.len, 16)) { diff --git a/package/kernel/mac80211/patches/brcm/112-v5.6-brcmfmac-set-interface-carrier-to-off-by-default.patch b/package/kernel/mac80211/patches/brcm/112-v5.6-brcmfmac-set-interface-carrier-to-off-by-default.patch new file mode 100644 index 0000000000..bb4782a7a4 --- /dev/null +++ b/package/kernel/mac80211/patches/brcm/112-v5.6-brcmfmac-set-interface-carrier-to-off-by-default.patch @@ -0,0 +1,29 @@ +From 8d9627b05b2c33e4468e65739eb7caf9c3f274d8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= +Date: Tue, 10 Dec 2019 12:35:55 +0100 +Subject: [PATCH] brcmfmac: set interface carrier to off by default +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +It's important as brcmfmac creates one main interface for each PHY and +doesn't allow deleting it. Not setting carrier could result in other +subsystems misbehaving (e.g. LEDs "netdev" trigger turning LED on). + +Signed-off-by: Rafał Miłecki +Signed-off-by: Kalle Valo +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c +@@ -678,6 +678,8 @@ int brcmf_net_attach(struct brcmf_if *if + goto fail; + } + ++ netif_carrier_off(ndev); ++ + netdev_set_priv_destructor(ndev, brcmf_cfg80211_free_netdev); + brcmf_dbg(INFO, "%s: Broadcom Dongle Host Driver\n", ndev->name); + return 0; diff --git a/package/kernel/mac80211/patches/brcm/113-v5.6-brcmfmac-fix-interface-sanity-check.patch b/package/kernel/mac80211/patches/brcm/113-v5.6-brcmfmac-fix-interface-sanity-check.patch new file mode 100644 index 0000000000..e1dfe84c97 --- /dev/null +++ b/package/kernel/mac80211/patches/brcm/113-v5.6-brcmfmac-fix-interface-sanity-check.patch @@ -0,0 +1,40 @@ +From 3428fbcd6e6c0850b1a8b2a12082b7b2aabb3da3 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 10 Dec 2019 12:44:22 +0100 +Subject: [PATCH] brcmfmac: fix interface sanity check + +Make sure to use the current alternate setting when verifying the +interface descriptors to avoid binding to an invalid interface. + +Failing to do so could cause the driver to misbehave or trigger a WARN() +in usb_submit_urb() that kernels with panic_on_warn set would choke on. + +Fixes: 71bb244ba2fd ("brcm80211: fmac: add USB support for bcm43235/6/8 chipsets") +Cc: stable # 3.4 +Cc: Arend van Spriel +Signed-off-by: Johan Hovold +Signed-off-by: Kalle Valo +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c +@@ -1348,7 +1348,7 @@ brcmf_usb_probe(struct usb_interface *in + goto fail; + } + +- desc = &intf->altsetting[0].desc; ++ desc = &intf->cur_altsetting->desc; + if ((desc->bInterfaceClass != USB_CLASS_VENDOR_SPEC) || + (desc->bInterfaceSubClass != 2) || + (desc->bInterfaceProtocol != 0xff)) { +@@ -1361,7 +1361,7 @@ brcmf_usb_probe(struct usb_interface *in + + num_of_eps = desc->bNumEndpoints; + for (ep = 0; ep < num_of_eps; ep++) { +- endpoint = &intf->altsetting[0].endpoint[ep].desc; ++ endpoint = &intf->cur_altsetting->endpoint[ep].desc; + endpoint_num = usb_endpoint_num(endpoint); + if (!usb_endpoint_xfer_bulk(endpoint)) + continue; diff --git a/package/kernel/mac80211/patches/brcm/860-brcmfmac-register-wiphy-s-during-module_init.patch b/package/kernel/mac80211/patches/brcm/860-brcmfmac-register-wiphy-s-during-module_init.patch index 8194c07695..f64167b1c3 100644 --- a/package/kernel/mac80211/patches/brcm/860-brcmfmac-register-wiphy-s-during-module_init.patch +++ b/package/kernel/mac80211/patches/brcm/860-brcmfmac-register-wiphy-s-during-module_init.patch @@ -13,7 +13,7 @@ Signed-off-by: Rafał Miłecki --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c -@@ -1477,6 +1477,7 @@ int __init brcmf_core_init(void) +@@ -1479,6 +1479,7 @@ int __init brcmf_core_init(void) { if (!schedule_work(&brcmf_driver_work)) return -EBUSY; -- cgit v1.2.3