From 57102f6c0633e08c96c868fde69c5a095c5d1102 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= Date: Thu, 16 Aug 2018 10:48:54 +0200 Subject: mac80211: brcmfmac: backport important changes from the 4.15 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Two more patches that may be worth backporting in the future: fdd0bd88ceae brcmfmac: add CLM download support cc124d5cc8d8 brcmfmac: fix CLM load error for legacy chips when user helper is enabled Signed-off-by: Rafał Miłecki --- package/kernel/mac80211/Makefile | 2 +- ...rcmfmac-Avoid-possible-out-of-bounds-read.patch | 39 +++++ ...brcmfmac-handle-FWHALT-mailbox-indication.patch | 60 ++++++++ ...op-Inter-Access-Point-Protocol-packets-by.patch | 157 --------------------- ...brcmfmac-add-support-for-BCM4366E-chipset.patch | 46 ------ ...op-Inter-Access-Point-Protocol-packets-by.patch | 157 +++++++++++++++++++++ ...brcmfmac-add-support-for-BCM4366E-chipset.patch | 46 ++++++ 7 files changed, 303 insertions(+), 204 deletions(-) create mode 100644 package/kernel/mac80211/patches/328-v4.15-0001-brcmfmac-Avoid-possible-out-of-bounds-read.patch create mode 100644 package/kernel/mac80211/patches/328-v4.15-0002-brcmfmac-handle-FWHALT-mailbox-indication.patch delete mode 100644 package/kernel/mac80211/patches/328-v4.16-0001-brcmfmac-drop-Inter-Access-Point-Protocol-packets-by.patch delete mode 100644 package/kernel/mac80211/patches/329-brcmfmac-add-support-for-BCM4366E-chipset.patch create mode 100644 package/kernel/mac80211/patches/329-v4.16-0002-brcmfmac-drop-Inter-Access-Point-Protocol-packets-by.patch create mode 100644 package/kernel/mac80211/patches/330-v4.18-0001-brcmfmac-add-support-for-BCM4366E-chipset.patch (limited to 'package/kernel') diff --git a/package/kernel/mac80211/Makefile b/package/kernel/mac80211/Makefile index 03354289ac..c3bbac1633 100644 --- a/package/kernel/mac80211/Makefile +++ b/package/kernel/mac80211/Makefile 
@@ -11,7 +11,7 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=mac80211
 PKG_VERSION:=2017-01-31
-PKG_RELEASE:=9
+PKG_RELEASE:=10
 PKG_SOURCE_URL:=http://mirror2.openwrt.org/sources
 PKG_BACKPORT_VERSION:=
 PKG_HASH:=75e6d39e34cf156212a2509172a4a62b673b69eb4a1d9aaa565f7fa719fa2317
diff --git a/package/kernel/mac80211/patches/328-v4.15-0001-brcmfmac-Avoid-possible-out-of-bounds-read.patch b/package/kernel/mac80211/patches/328-v4.15-0001-brcmfmac-Avoid-possible-out-of-bounds-read.patch
new file mode 100644
index 0000000000..f46c0abb61
--- /dev/null
+++ b/package/kernel/mac80211/patches/328-v4.15-0001-brcmfmac-Avoid-possible-out-of-bounds-read.patch
@@ -0,0 +1,39 @@ +From 73f2c8e933b1dcf432ac8c6965a6e67af630077f Mon Sep 17 00:00:00 2001 +From: Kevin Cernekee +Date: Sat, 16 Sep 2017 21:08:22 -0700 +Subject: [PATCH] brcmfmac: Avoid possible out-of-bounds read + +In brcmf_p2p_notify_rx_mgmt_p2p_probereq(), chanspec is assigned before +the length of rxframe is validated. This could lead to uninitialized +data being accessed (but not printed). Since we already have a +perfectly good endian-swapped copy of rxframe->chanspec in ch.chspec, +and ch.chspec is not modified by decchspec(), avoid the extra +assignment and use ch.chspec in the debug print. + +Suggested-by: Mattias Nissler +Signed-off-by: Kevin Cernekee +Reviewed-by: Arend van Spriel +Signed-off-by: Kalle Valo +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c +@@ -1853,7 +1853,6 @@ s32 brcmf_p2p_notify_rx_mgmt_p2p_probere + struct afx_hdl *afx_hdl = &p2p->afx_hdl; + struct brcmf_cfg80211_vif *vif = ifp->vif; + struct brcmf_rx_mgmt_data *rxframe = (struct brcmf_rx_mgmt_data *)data; +- u16 chanspec = be16_to_cpu(rxframe->chanspec); + struct brcmu_chan ch; + u8 *mgmt_frame; + u32 mgmt_frame_len; +@@ -1906,7 +1905,7 @@ s32 brcmf_p2p_notify_rx_mgmt_p2p_probere + cfg80211_rx_mgmt(&vif->wdev, freq, 0, mgmt_frame, mgmt_frame_len, 0); + + brcmf_dbg(INFO, "mgmt_frame_len (%d) , e->datalen (%d), chanspec (%04x), freq (%d)\n", +- mgmt_frame_len, e->datalen, chanspec, freq); ++ mgmt_frame_len, e->datalen, ch.chspec, freq); + + return 0; + } diff --git a/package/kernel/mac80211/patches/328-v4.15-0002-brcmfmac-handle-FWHALT-mailbox-indication.patch b/package/kernel/mac80211/patches/328-v4.15-0002-brcmfmac-handle-FWHALT-mailbox-indication.patch new file mode 100644 index 0000000000..4ca696fb48 --- /dev/null 
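Review bot: The replacement print in the second inner hunk is only safe if `ch.chspec` is assigned after the rxframe length validation the description refers to, and that assignment is not visible in either inner hunk of the added p2p.c patch. It should be confirmed against the backports tree this package builds (PKG_VERSION 2017-01-31) rather than assumed from 4.15. Separately, `mgmt_frame_len` is declared `u32` in the first inner hunk but is still formatted with `%d` on the touched print; `mgmt_frame_len (%u)` would match the type, though that is better raised upstream than carried as a local change. The body of brcmf_p2p_notify_rx_mgmt_p2p_probereq() starts and ends outside both inner hunks.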
+++ b/package/kernel/mac80211/patches/328-v4.15-0002-brcmfmac-handle-FWHALT-mailbox-indication.patch 
@@ -0,0 +1,60 @@ +From 2fd3877b5bb7d39782c3205a1dcda02023b8514a Mon Sep 17 00:00:00 2001 +From: Arend Van Spriel +Date: Wed, 8 Nov 2017 14:36:31 +0100 +Subject: [PATCH] brcmfmac: handle FWHALT mailbox indication + +The firmware uses a mailbox to communicate to the host what is going +on. In the driver we validate the bit received. Various people seen +the following message: + + brcmfmac: brcmf_sdio_hostmail: Unknown mailbox data content: 0x40012 + +Bit 4 is cause of this message, but this actually indicates the firmware +has halted. Handle this bit by giving a more meaningful error message. + +Reviewed-by: Hante Meuleman +Reviewed-by: Pieter-Paul Giesberts +Reviewed-by: Franky Lin +Signed-off-by: Arend van Spriel +Signed-off-by: Kalle Valo +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c +@@ -259,10 +259,11 @@ struct rte_console { + #define I_HMB_HOST_INT I_HMB_SW3 /* Miscellaneous Interrupt */ + + /* tohostmailboxdata */ +-#define HMB_DATA_NAKHANDLED 1 /* retransmit NAK'd frame */ +-#define HMB_DATA_DEVREADY 2 /* talk to host after enable */ +-#define HMB_DATA_FC 4 /* per prio flowcontrol update flag */ +-#define HMB_DATA_FWREADY 8 /* fw ready for protocol activity */ ++#define HMB_DATA_NAKHANDLED 0x0001 /* retransmit NAK'd frame */ ++#define HMB_DATA_DEVREADY 0x0002 /* talk to host after enable */ ++#define HMB_DATA_FC 0x0004 /* per prio flowcontrol update flag */ ++#define HMB_DATA_FWREADY 0x0008 /* fw ready for protocol activity */ ++#define HMB_DATA_FWHALT 0x0010 /* firmware halted */ + + #define HMB_DATA_FCDATA_MASK 0xff000000 + #define HMB_DATA_FCDATA_SHIFT 24 +@@ -1093,6 +1094,10 @@ static u32 brcmf_sdio_hostmail(struct br + offsetof(struct sdpcmd_regs, tosbmailbox)); + bus->sdcnt.f1regdata += 2; + ++ /* dongle indicates the firmware has 
halted/crashed */ ++ if (hmb_data & HMB_DATA_FWHALT) ++ brcmf_err("mailbox indicates firmware halted\n"); ++ + /* Dongle recomposed rx frames, accept them again */ + if (hmb_data & HMB_DATA_NAKHANDLED) { + brcmf_dbg(SDIO, "Dongle reports NAK handled, expect rtx of %d\n", +@@ -1150,6 +1155,7 @@ static u32 brcmf_sdio_hostmail(struct br + HMB_DATA_NAKHANDLED | + HMB_DATA_FC | + HMB_DATA_FWREADY | ++ HMB_DATA_FWHALT | + HMB_DATA_FCDATA_MASK | HMB_DATA_VERSION_MASK)) + brcmf_err("Unknown mailbox data content: 0x%02x\n", + hmb_data); diff --git a/package/kernel/mac80211/patches/328-v4.16-0001-brcmfmac-drop-Inter-Access-Point-Protocol-packets-by.patch b/package/kernel/mac80211/patches/328-v4.16-0001-brcmfmac-drop-Inter-Access-Point-Protocol-packets-by.patch deleted file mode 100644 index f05e23da05..0000000000 --- a/package/kernel/mac80211/patches/328-v4.16-0001-brcmfmac-drop-Inter-Access-Point-Protocol-packets-by.patch +++ /dev/null 
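Review bot: The added `HMB_DATA_FWHALT` branch in brcmf_sdio_hostmail() only logs and then continues into the NAK-handled check that follows it, so nothing in the visible lines stops the driver acting on the rest of a mailbox word from firmware that has just reported itself halted. If no recovery is intended in this backport, the comment should say so, for example `/* dongle indicates the firmware has halted/crashed; reported only, no recovery is attempted here */`. Printing the raw word would also help match the new message to earlier "Unknown mailbox data content" reports: `brcmf_err("mailbox indicates firmware halted (0x%08x)\n", hmb_data);`. The function body starts and ends outside the inner hunks.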
@@ -1,157 +0,0 @@ -From 1259055170287a350cad453e9eac139c81609860 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= -Date: Thu, 15 Mar 2018 08:29:09 +0100 -Subject: [PATCH] brcmfmac: drop Inter-Access Point Protocol packets by default -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Testing brcmfmac with more recent firmwares resulted in AP interfaces -not working in some specific setups. Debugging resulted in discovering -support for IAPP in Broadcom's firmwares. - -Older firmwares were only generating 802.11f frames. Newer ones like: -1) 10.10 (TOB) (r663589) -2) 10.10.122.20 (r683106) -for 4366b1 and 4366c0 respectively seem to also /respect/ 802.11f frames -in the Tx path by performing a STA disassociation. - -This obsoleted standard and its implementation is something that: -1) Most people don't need / want to use -2) Can allow local DoS attacks -3) Breaks AP interfaces in some specific bridge setups - -To solve issues it can cause this commit modifies brcmfmac to drop IAPP -packets. If affects: -1) Rx path: driver won't be sending these unwanted packets up. -2) Tx path: driver will reject packets that would trigger STA - disassociation perfromed by a firmware (possible local DoS attack). - -It appears there are some Broadcom's clients/users who care about this -feature despite the drawbacks. They can switch it on using a new module -param. - -This change results in only two more comparisons (check for module param -and check for Ethernet packet length) for 99.9% of packets. Its overhead -should be very minimal. 
- -Signed-off-by: Rafał Miłecki -Acked-by: Arend van Spriel -Signed-off-by: Kalle Valo ---- - .../wireless/broadcom/brcm80211/brcmfmac/common.c | 5 ++ - .../wireless/broadcom/brcm80211/brcmfmac/common.h | 1 + - .../wireless/broadcom/brcm80211/brcmfmac/core.c | 57 ++++++++++++++++++++++ - 3 files changed, 63 insertions(+) - ---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c -+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c -@@ -73,6 +73,10 @@ static int brcmf_roamoff; - module_param_named(roamoff, brcmf_roamoff, int, S_IRUSR); - MODULE_PARM_DESC(roamoff, "Do not use internal roaming engine"); - -+static int brcmf_iapp_enable; -+module_param_named(iapp, brcmf_iapp_enable, int, 0); -+MODULE_PARM_DESC(iapp, "Enable partial support for the obsoleted Inter-Access Point Protocol"); -+ - #ifdef DEBUG - /* always succeed brcmf_bus_started() */ - static int brcmf_ignore_probe_fail; -@@ -287,6 +291,7 @@ struct brcmf_mp_device *brcmf_get_module - settings->feature_disable = brcmf_feature_disable; - settings->fcmode = brcmf_fcmode; - settings->roamoff = !!brcmf_roamoff; -+ settings->iapp = !!brcmf_iapp_enable; - #ifdef DEBUG - settings->ignore_probe_fail = !!brcmf_ignore_probe_fail; - #endif ---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.h -+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.h -@@ -58,6 +58,7 @@ struct brcmf_mp_device { - unsigned int feature_disable; - int fcmode; - bool roamoff; -+ bool iapp; - bool ignore_probe_fail; - struct brcmfmac_pd_cc *country_codes; - union { ---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c -+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c -@@ -192,6 +192,37 @@ static void brcmf_netdev_set_multicast_l - schedule_work(&ifp->multicast_work); - } - -+/** -+ * brcmf_skb_is_iapp - checks if skb is an IAPP packet -+ * -+ * @skb: skb to check -+ */ -+static bool brcmf_skb_is_iapp(struct sk_buff *skb) -+{ -+ static const u8 iapp_l2_update_packet[6] __aligned(2) 
= { -+ 0x00, 0x01, 0xaf, 0x81, 0x01, 0x00, -+ }; -+ unsigned char *eth_data; -+#if !defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) -+ const u16 *a, *b; -+#endif -+ -+ if (skb->len - skb->mac_len != 6 || -+ !is_multicast_ether_addr(eth_hdr(skb)->h_dest)) -+ return false; -+ -+ eth_data = skb_mac_header(skb) + ETH_HLEN; -+#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) -+ return !(((*(const u32 *)eth_data) ^ (*(const u32 *)iapp_l2_update_packet)) | -+ ((*(const u16 *)(eth_data + 4)) ^ (*(const u16 *)(iapp_l2_update_packet + 4)))); -+#else -+ a = (const u16 *)eth_data; -+ b = (const u16 *)iapp_l2_update_packet; -+ -+ return !((a[0] ^ b[0]) | (a[1] ^ b[1]) | (a[2] ^ b[2])); -+#endif -+} -+ - static netdev_tx_t brcmf_netdev_start_xmit(struct sk_buff *skb, - struct net_device *ndev) - { -@@ -211,6 +242,23 @@ static netdev_tx_t brcmf_netdev_start_xm - goto done; - } - -+ /* Some recent Broadcom's firmwares disassociate STA when they receive -+ * an 802.11f ADD frame. This behavior can lead to a local DoS security -+ * issue. Attacker may trigger disassociation of any STA by sending a -+ * proper Ethernet frame to the wireless interface. -+ * -+ * Moreover this feature may break AP interfaces in some specific -+ * setups. This applies e.g. to the bridge with hairpin mode enabled and -+ * IFLA_BRPORT_MCAST_TO_UCAST set. IAPP packet generated by a firmware -+ * will get passed back to the wireless interface and cause immediate -+ * disassociation of a just-connected STA. -+ */ -+ if (!drvr->settings->iapp && brcmf_skb_is_iapp(skb)) { -+ dev_kfree_skb(skb); -+ ret = -EINVAL; -+ goto done; -+ } -+ - /* Make sure there's enough writable headroom*/ - ret = skb_cow_head(skb, drvr->hdrlen); - if (ret < 0) { -@@ -288,6 +336,15 @@ void brcmf_txflowblock(struct device *de - - void brcmf_netif_rx(struct brcmf_if *ifp, struct sk_buff *skb) - { -+ /* Most of Broadcom's firmwares send 802.11f ADD frame every time a new -+ * STA connects to the AP interface. 
This is an obsoleted standard most -+ * users don't use, so don't pass these frames up unless requested. -+ */ -+ if (!ifp->drvr->settings->iapp && brcmf_skb_is_iapp(skb)) { -+ brcmu_pkt_buf_free_skb(skb); -+ return; -+ } -+ - if (skb->pkt_type == PACKET_MULTICAST) - ifp->stats.multicast++; - diff --git a/package/kernel/mac80211/patches/329-brcmfmac-add-support-for-BCM4366E-chipset.patch b/package/kernel/mac80211/patches/329-brcmfmac-add-support-for-BCM4366E-chipset.patch deleted file mode 100644 index ddbff07839..0000000000 --- a/package/kernel/mac80211/patches/329-brcmfmac-add-support-for-BCM4366E-chipset.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From: Dan Haab -Date: Tue, 3 Apr 2018 10:21:56 +0200 -Subject: [PATCH] brcmfmac: add support for BCM4366E chipset - -BCM4366E is a wireless chipset with a BCM43664 ChipCommon. It's -supported by the same firmware as 4366c0. - -Signed-off-by: Dan Haab -[arend: rebase patch and remove unnecessary definition] -Signed-off-by: Arend van Spriel ---- - drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c | 1 + - drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c | 1 + - drivers/net/wireless/broadcom/brcm80211/include/brcm_hw_ids.h | 1 + - 3 files changed, 3 insertions(+) - ---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c -+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c -@@ -689,6 +689,7 @@ static u32 brcmf_chip_tcm_rambase(struct - case BRCM_CC_43525_CHIP_ID: - case BRCM_CC_4365_CHIP_ID: - case BRCM_CC_4366_CHIP_ID: -+ case BRCM_CC_43664_CHIP_ID: - return 0x200000; - case CY_CC_4373_CHIP_ID: - return 0x160000; ---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c -+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c -@@ -75,6 +75,7 @@ static struct brcmf_firmware_mapping brc - BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4365_CHIP_ID, 0xFFFFFFF0, 4365C), - BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4366_CHIP_ID, 0x0000000F, 4366B), - BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4366_CHIP_ID, 0xFFFFFFF0, 4366C), -+ BRCMF_FW_NVRAM_ENTRY(BRCM_CC_43664_CHIP_ID, 0xFFFFFFF0, 4366C), - BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4371_CHIP_ID, 0xFFFFFFFF, 4371), - }; - ---- a/drivers/net/wireless/broadcom/brcm80211/include/brcm_hw_ids.h -+++ b/drivers/net/wireless/broadcom/brcm80211/include/brcm_hw_ids.h -@@ -57,6 +57,7 @@ - #define BRCM_CC_43602_CHIP_ID 43602 - #define BRCM_CC_4365_CHIP_ID 0x4365 - #define BRCM_CC_4366_CHIP_ID 0x4366 -+#define BRCM_CC_43664_CHIP_ID 43664 - #define BRCM_CC_4371_CHIP_ID 0x4371 - #define CY_CC_4373_CHIP_ID 0x4373 - 
diff --git a/package/kernel/mac80211/patches/329-v4.16-0002-brcmfmac-drop-Inter-Access-Point-Protocol-packets-by.patch b/package/kernel/mac80211/patches/329-v4.16-0002-brcmfmac-drop-Inter-Access-Point-Protocol-packets-by.patch new file mode 100644 index 0000000000..f05e23da05 --- /dev/null +++ b/package/kernel/mac80211/patches/329-v4.16-0002-brcmfmac-drop-Inter-Access-Point-Protocol-packets-by.patch 
@@ -0,0 +1,157 @@ +From 1259055170287a350cad453e9eac139c81609860 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= +Date: Thu, 15 Mar 2018 08:29:09 +0100 +Subject: [PATCH] brcmfmac: drop Inter-Access Point Protocol packets by default +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Testing brcmfmac with more recent firmwares resulted in AP interfaces +not working in some specific setups. Debugging resulted in discovering +support for IAPP in Broadcom's firmwares. + +Older firmwares were only generating 802.11f frames. Newer ones like: +1) 10.10 (TOB) (r663589) +2) 10.10.122.20 (r683106) +for 4366b1 and 4366c0 respectively seem to also /respect/ 802.11f frames +in the Tx path by performing a STA disassociation. + +This obsoleted standard and its implementation is something that: +1) Most people don't need / want to use +2) Can allow local DoS attacks +3) Breaks AP interfaces in some specific bridge setups + +To solve issues it can cause this commit modifies brcmfmac to drop IAPP +packets. If affects: +1) Rx path: driver won't be sending these unwanted packets up. +2) Tx path: driver will reject packets that would trigger STA + disassociation perfromed by a firmware (possible local DoS attack). + +It appears there are some Broadcom's clients/users who care about this +feature despite the drawbacks. They can switch it on using a new module +param. + +This change results in only two more comparisons (check for module param +and check for Ethernet packet length) for 99.9% of packets. Its overhead +should be very minimal. 
+ +Signed-off-by: Rafał Miłecki +Acked-by: Arend van Spriel +Signed-off-by: Kalle Valo +--- + .../wireless/broadcom/brcm80211/brcmfmac/common.c | 5 ++ + .../wireless/broadcom/brcm80211/brcmfmac/common.h | 1 + + .../wireless/broadcom/brcm80211/brcmfmac/core.c | 57 ++++++++++++++++++++++ + 3 files changed, 63 insertions(+) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c +@@ -73,6 +73,10 @@ static int brcmf_roamoff; + module_param_named(roamoff, brcmf_roamoff, int, S_IRUSR); + MODULE_PARM_DESC(roamoff, "Do not use internal roaming engine"); + ++static int brcmf_iapp_enable; ++module_param_named(iapp, brcmf_iapp_enable, int, 0); ++MODULE_PARM_DESC(iapp, "Enable partial support for the obsoleted Inter-Access Point Protocol"); ++ + #ifdef DEBUG + /* always succeed brcmf_bus_started() */ + static int brcmf_ignore_probe_fail; +@@ -287,6 +291,7 @@ struct brcmf_mp_device *brcmf_get_module + settings->feature_disable = brcmf_feature_disable; + settings->fcmode = brcmf_fcmode; + settings->roamoff = !!brcmf_roamoff; ++ settings->iapp = !!brcmf_iapp_enable; + #ifdef DEBUG + settings->ignore_probe_fail = !!brcmf_ignore_probe_fail; + #endif +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.h ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.h +@@ -58,6 +58,7 @@ struct brcmf_mp_device { + unsigned int feature_disable; + int fcmode; + bool roamoff; ++ bool iapp; + bool ignore_probe_fail; + struct brcmfmac_pd_cc *country_codes; + union { +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c +@@ -192,6 +192,37 @@ static void brcmf_netdev_set_multicast_l + schedule_work(&ifp->multicast_work); + } + ++/** ++ * brcmf_skb_is_iapp - checks if skb is an IAPP packet ++ * ++ * @skb: skb to check ++ */ ++static bool brcmf_skb_is_iapp(struct sk_buff *skb) ++{ ++ static const u8 iapp_l2_update_packet[6] __aligned(2) 
= { ++ 0x00, 0x01, 0xaf, 0x81, 0x01, 0x00, ++ }; ++ unsigned char *eth_data; ++#if !defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) ++ const u16 *a, *b; ++#endif ++ ++ if (skb->len - skb->mac_len != 6 || ++ !is_multicast_ether_addr(eth_hdr(skb)->h_dest)) ++ return false; ++ ++ eth_data = skb_mac_header(skb) + ETH_HLEN; ++#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) ++ return !(((*(const u32 *)eth_data) ^ (*(const u32 *)iapp_l2_update_packet)) | ++ ((*(const u16 *)(eth_data + 4)) ^ (*(const u16 *)(iapp_l2_update_packet + 4)))); ++#else ++ a = (const u16 *)eth_data; ++ b = (const u16 *)iapp_l2_update_packet; ++ ++ return !((a[0] ^ b[0]) | (a[1] ^ b[1]) | (a[2] ^ b[2])); ++#endif ++} ++ + static netdev_tx_t brcmf_netdev_start_xmit(struct sk_buff *skb, + struct net_device *ndev) + { +@@ -211,6 +242,23 @@ static netdev_tx_t brcmf_netdev_start_xm + goto done; + } + ++ /* Some recent Broadcom's firmwares disassociate STA when they receive ++ * an 802.11f ADD frame. This behavior can lead to a local DoS security ++ * issue. Attacker may trigger disassociation of any STA by sending a ++ * proper Ethernet frame to the wireless interface. ++ * ++ * Moreover this feature may break AP interfaces in some specific ++ * setups. This applies e.g. to the bridge with hairpin mode enabled and ++ * IFLA_BRPORT_MCAST_TO_UCAST set. IAPP packet generated by a firmware ++ * will get passed back to the wireless interface and cause immediate ++ * disassociation of a just-connected STA. ++ */ ++ if (!drvr->settings->iapp && brcmf_skb_is_iapp(skb)) { ++ dev_kfree_skb(skb); ++ ret = -EINVAL; ++ goto done; ++ } ++ + /* Make sure there's enough writable headroom*/ + ret = skb_cow_head(skb, drvr->hdrlen); + if (ret < 0) { +@@ -288,6 +336,15 @@ void brcmf_txflowblock(struct device *de + + void brcmf_netif_rx(struct brcmf_if *ifp, struct sk_buff *skb) + { ++ /* Most of Broadcom's firmwares send 802.11f ADD frame every time a new ++ * STA connects to the AP interface. 
This is an obsoleted standard most ++ * users don't use, so don't pass these frames up unless requested. ++ */ ++ if (!ifp->drvr->settings->iapp && brcmf_skb_is_iapp(skb)) { ++ brcmu_pkt_buf_free_skb(skb); ++ return; ++ } ++ + if (skb->pkt_type == PACKET_MULTICAST) + ifp->stats.multicast++; + diff --git a/package/kernel/mac80211/patches/330-v4.18-0001-brcmfmac-add-support-for-BCM4366E-chipset.patch b/package/kernel/mac80211/patches/330-v4.18-0001-brcmfmac-add-support-for-BCM4366E-chipset.patch new file mode 100644 index 0000000000..ddbff07839 --- /dev/null +++ b/package/kernel/mac80211/patches/330-v4.18-0001-brcmfmac-add-support-for-BCM4366E-chipset.patch 
@@ -0,0 +1,46 @@ +From: Dan Haab +Date: Tue, 3 Apr 2018 10:21:56 +0200 +Subject: [PATCH] brcmfmac: add support for BCM4366E chipset + +BCM4366E is a wireless chipset with a BCM43664 ChipCommon. It's +supported by the same firmware as 4366c0. + +Signed-off-by: Dan Haab +[arend: rebase patch and remove unnecessary definition] +Signed-off-by: Arend van Spriel +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c | 1 + + drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c | 1 + + drivers/net/wireless/broadcom/brcm80211/include/brcm_hw_ids.h | 1 + + 3 files changed, 3 insertions(+) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c +@@ -689,6 +689,7 @@ static u32 brcmf_chip_tcm_rambase(struct + case BRCM_CC_43525_CHIP_ID: + case BRCM_CC_4365_CHIP_ID: + case BRCM_CC_4366_CHIP_ID: ++ case BRCM_CC_43664_CHIP_ID: + return 0x200000; + case CY_CC_4373_CHIP_ID: + return 0x160000; +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c +@@ -75,6 +75,7 @@ static struct brcmf_firmware_mapping brc + BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4365_CHIP_ID, 0xFFFFFFF0, 4365C), + BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4366_CHIP_ID, 0x0000000F, 4366B), + BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4366_CHIP_ID, 0xFFFFFFF0, 4366C), ++ BRCMF_FW_NVRAM_ENTRY(BRCM_CC_43664_CHIP_ID, 0xFFFFFFF0, 4366C), + BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4371_CHIP_ID, 0xFFFFFFFF, 4371), + }; + +--- a/drivers/net/wireless/broadcom/brcm80211/include/brcm_hw_ids.h ++++ b/drivers/net/wireless/broadcom/brcm80211/include/brcm_hw_ids.h +@@ -57,6 +57,7 @@ + #define BRCM_CC_43602_CHIP_ID 43602 + #define BRCM_CC_4365_CHIP_ID 0x4365 + #define BRCM_CC_4366_CHIP_ID 0x4366 ++#define BRCM_CC_43664_CHIP_ID 43664 + #define BRCM_CC_4371_CHIP_ID 0x4371 + #define CY_CC_4373_CHIP_ID 0x4373 + -- cgit v1.2.3