mac80211: brcmfmac: backport important changes from the 4.14
authorRafał Miłecki <rafal@milecki.pl>
Thu, 16 Aug 2018 08:29:56 +0000 (10:29 +0200)
committerRafał Miłecki <rafal@milecki.pl>
Thu, 16 Aug 2018 11:15:05 +0000 (13:15 +0200)
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
package/kernel/mac80211/Makefile
package/kernel/mac80211/patches/326-brcmfmac-add-length-check-in-brcmf_cfg80211_escan_ha.patch [deleted file]
package/kernel/mac80211/patches/326-v4.14-0001-brcmfmac-Add-support-for-CYW4373-SDIO-USB-chipset.patch [new file with mode: 0644]
package/kernel/mac80211/patches/326-v4.14-0002-brcmfmac-fix-wrong-num_different_channels-when-mchan.patch [new file with mode: 0644]
package/kernel/mac80211/patches/326-v4.14-0003-brcmfmac-Log-chip-id-and-revision.patch [new file with mode: 0644]
package/kernel/mac80211/patches/326-v4.14-0004-brcmfmac-add-length-check-in-brcmf_cfg80211_escan_ha.patch [new file with mode: 0644]
package/kernel/mac80211/patches/326-v4.14-0005-brcmfmac-Add-check-for-short-event-packets.patch [new file with mode: 0644]
package/kernel/mac80211/patches/329-brcmfmac-add-support-for-BCM4366E-chipset.patch

index 5a9cff60b547991fc914d8cca33f6bf4cf87af49..03354289accb1b6887433c5cb375f0819ff08191 100644 (file)
@@ -11,7 +11,7 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=mac80211
 
 PKG_VERSION:=2017-01-31
-PKG_RELEASE:=8
+PKG_RELEASE:=9
 PKG_SOURCE_URL:=http://mirror2.openwrt.org/sources
 PKG_BACKPORT_VERSION:=
 PKG_HASH:=75e6d39e34cf156212a2509172a4a62b673b69eb4a1d9aaa565f7fa719fa2317
diff --git a/package/kernel/mac80211/patches/326-brcmfmac-add-length-check-in-brcmf_cfg80211_escan_ha.patch b/package/kernel/mac80211/patches/326-brcmfmac-add-length-check-in-brcmf_cfg80211_escan_ha.patch
deleted file mode 100644 (file)
index 2b16fa4..0000000
+++ /dev/null
@@ -1,63 +0,0 @@
-From: Arend Van Spriel <arend.vanspriel@broadcom.com>
-Date: Tue, 12 Sep 2017 10:47:53 +0200
-Subject: [PATCH] brcmfmac: add length check in brcmf_cfg80211_escan_handler()
-
-Upon handling the firmware notification for scans the length was
-checked properly and may result in corrupting kernel heap memory
-due to buffer overruns. This fix addresses CVE-2017-0786.
-
-Cc: stable@vger.kernel.org # v4.0.x
-Cc: Kevin Cernekee <cernekee@chromium.org>
-Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
-Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
-Reviewed-by: Franky Lin <franky.lin@broadcom.com>
-Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
----
-
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
-@@ -3088,6 +3088,7 @@ brcmf_cfg80211_escan_handler(struct brcm
-       struct brcmf_cfg80211_info *cfg = ifp->drvr->config;
-       s32 status;
-       struct brcmf_escan_result_le *escan_result_le;
-+      u32 escan_buflen;
-       struct brcmf_bss_info_le *bss_info_le;
-       struct brcmf_bss_info_le *bss = NULL;
-       u32 bi_length;
-@@ -3107,11 +3108,23 @@ brcmf_cfg80211_escan_handler(struct brcm
-       if (status == BRCMF_E_STATUS_PARTIAL) {
-               brcmf_dbg(SCAN, "ESCAN Partial result\n");
-+              if (e->datalen < sizeof(*escan_result_le)) {
-+                      brcmf_err("invalid event data length\n");
-+                      goto exit;
-+              }
-               escan_result_le = (struct brcmf_escan_result_le *) data;
-               if (!escan_result_le) {
-                       brcmf_err("Invalid escan result (NULL pointer)\n");
-                       goto exit;
-               }
-+              escan_buflen = le32_to_cpu(escan_result_le->buflen);
-+              if (escan_buflen > BRCMF_ESCAN_BUF_SIZE ||
-+                  escan_buflen > e->datalen ||
-+                  escan_buflen < sizeof(*escan_result_le)) {
-+                      brcmf_err("Invalid escan buffer length: %d\n",
-+                                escan_buflen);
-+                      goto exit;
-+              }
-               if (le16_to_cpu(escan_result_le->bss_count) != 1) {
-                       brcmf_err("Invalid bss_count %d: ignoring\n",
-                                 escan_result_le->bss_count);
-@@ -3128,9 +3141,8 @@ brcmf_cfg80211_escan_handler(struct brcm
-               }
-               bi_length = le32_to_cpu(bss_info_le->length);
--              if (bi_length != (le32_to_cpu(escan_result_le->buflen) -
--                                      WL_ESCAN_RESULTS_FIXED_SIZE)) {
--                      brcmf_err("Invalid bss_info length %d: ignoring\n",
-+              if (bi_length != escan_buflen - WL_ESCAN_RESULTS_FIXED_SIZE) {
-+                      brcmf_err("Ignoring invalid bss_info length: %d\n",
-                                 bi_length);
-                       goto exit;
-               }
diff --git a/package/kernel/mac80211/patches/326-v4.14-0001-brcmfmac-Add-support-for-CYW4373-SDIO-USB-chipset.patch b/package/kernel/mac80211/patches/326-v4.14-0001-brcmfmac-Add-support-for-CYW4373-SDIO-USB-chipset.patch
new file mode 100644 (file)
index 0000000..cc52a79
--- /dev/null
@@ -0,0 +1,139 @@
+From 0ec9eb90feec4933637fbde9d5bfbc3b62aea218 Mon Sep 17 00:00:00 2001
+From: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
+Date: Thu, 3 Aug 2017 17:37:58 +0800
+Subject: [PATCH] brcmfmac: Add support for CYW4373 SDIO/USB chipset
+
+Add support for CYW4373 SDIO/USB chipset.
+CYW4373 is a 1x1 dual-band 11ac chipset with 20/40/80Mhz channel support.
+It's a WiFi/BT combo device.
+
+Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
+Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c     | 1 +
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c       | 2 ++
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c       | 4 +++-
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c        | 9 ++++++++-
+ drivers/net/wireless/broadcom/brcm80211/include/brcm_hw_ids.h | 3 +++
+ include/linux/mmc/sdio_ids.h                                  | 1 +
+ 6 files changed, 18 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
+@@ -1104,6 +1104,7 @@ static const struct sdio_device_id brcmf
+       BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_BROADCOM_43455),
+       BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_BROADCOM_4354),
+       BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_BROADCOM_4356),
++      BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_CYPRESS_4373),
+       { /* end: all zeroes */ }
+ };
+ MODULE_DEVICE_TABLE(sdio, brcmf_sdmmc_ids);
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c
+@@ -690,6 +690,8 @@ static u32 brcmf_chip_tcm_rambase(struct
+       case BRCM_CC_4365_CHIP_ID:
+       case BRCM_CC_4366_CHIP_ID:
+               return 0x200000;
++      case CY_CC_4373_CHIP_ID:
++              return 0x160000;
+       default:
+               brcmf_err("unknown chip: %s\n", ci->pub.name);
+               break;
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+@@ -617,6 +617,7 @@ BRCMF_FW_NVRAM_DEF(43430A1, "brcmfmac434
+ BRCMF_FW_NVRAM_DEF(43455, "brcmfmac43455-sdio.bin", "brcmfmac43455-sdio.txt");
+ BRCMF_FW_NVRAM_DEF(4354, "brcmfmac4354-sdio.bin", "brcmfmac4354-sdio.txt");
+ BRCMF_FW_NVRAM_DEF(4356, "brcmfmac4356-sdio.bin", "brcmfmac4356-sdio.txt");
++BRCMF_FW_NVRAM_DEF(4373, "brcmfmac4373-sdio.bin", "brcmfmac4373-sdio.txt");
+ static struct brcmf_firmware_mapping brcmf_sdio_fwnames[] = {
+       BRCMF_FW_NVRAM_ENTRY(BRCM_CC_43143_CHIP_ID, 0xFFFFFFFF, 43143),
+@@ -635,7 +636,8 @@ static struct brcmf_firmware_mapping brc
+       BRCMF_FW_NVRAM_ENTRY(BRCM_CC_43430_CHIP_ID, 0xFFFFFFFE, 43430A1),
+       BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4345_CHIP_ID, 0xFFFFFFC0, 43455),
+       BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4354_CHIP_ID, 0xFFFFFFFF, 4354),
+-      BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4356_CHIP_ID, 0xFFFFFFFF, 4356)
++      BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4356_CHIP_ID, 0xFFFFFFFF, 4356),
++      BRCMF_FW_NVRAM_ENTRY(CY_CC_4373_CHIP_ID, 0xFFFFFFFF, 4373)
+ };
+ static void pkt_align(struct sk_buff *p, int len, int align)
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
+@@ -49,6 +49,7 @@ BRCMF_FW_DEF(43143, "brcmfmac43143.bin")
+ BRCMF_FW_DEF(43236B, "brcmfmac43236b.bin");
+ BRCMF_FW_DEF(43242A, "brcmfmac43242a.bin");
+ BRCMF_FW_DEF(43569, "brcmfmac43569.bin");
++BRCMF_FW_DEF(4373, "brcmfmac4373.bin");
+ static struct brcmf_firmware_mapping brcmf_usb_fwnames[] = {
+       BRCMF_FW_ENTRY(BRCM_CC_43143_CHIP_ID, 0xFFFFFFFF, 43143),
+@@ -57,7 +58,8 @@ static struct brcmf_firmware_mapping brc
+       BRCMF_FW_ENTRY(BRCM_CC_43238_CHIP_ID, 0x00000008, 43236B),
+       BRCMF_FW_ENTRY(BRCM_CC_43242_CHIP_ID, 0xFFFFFFFF, 43242A),
+       BRCMF_FW_ENTRY(BRCM_CC_43566_CHIP_ID, 0xFFFFFFFF, 43569),
+-      BRCMF_FW_ENTRY(BRCM_CC_43569_CHIP_ID, 0xFFFFFFFF, 43569)
++      BRCMF_FW_ENTRY(BRCM_CC_43569_CHIP_ID, 0xFFFFFFFF, 43569),
++      BRCMF_FW_ENTRY(CY_CC_4373_CHIP_ID, 0xFFFFFFFF, 4373)
+ };
+ #define TRX_MAGIC             0x30524448      /* "HDR0" */
+@@ -1461,15 +1463,20 @@ static int brcmf_usb_reset_resume(struct
+ #define LINKSYS_USB_DEVICE(dev_id)    \
+       { USB_DEVICE(BRCM_USB_VENDOR_ID_LINKSYS, dev_id) }
++#define CYPRESS_USB_DEVICE(dev_id)    \
++      { USB_DEVICE(CY_USB_VENDOR_ID_CYPRESS, dev_id) }
++
+ static struct usb_device_id brcmf_usb_devid_table[] = {
+       BRCMF_USB_DEVICE(BRCM_USB_43143_DEVICE_ID),
+       BRCMF_USB_DEVICE(BRCM_USB_43236_DEVICE_ID),
+       BRCMF_USB_DEVICE(BRCM_USB_43242_DEVICE_ID),
+       BRCMF_USB_DEVICE(BRCM_USB_43569_DEVICE_ID),
+       LINKSYS_USB_DEVICE(BRCM_USB_43235_LINKSYS_DEVICE_ID),
++      CYPRESS_USB_DEVICE(CY_USB_4373_DEVICE_ID),
+       { USB_DEVICE(BRCM_USB_VENDOR_ID_LG, BRCM_USB_43242_LG_DEVICE_ID) },
+       /* special entry for device with firmware loaded and running */
+       BRCMF_USB_DEVICE(BRCM_USB_BCMFW_DEVICE_ID),
++      CYPRESS_USB_DEVICE(BRCM_USB_BCMFW_DEVICE_ID),
+       { /* end: all zeroes */ }
+ };
+--- a/drivers/net/wireless/broadcom/brcm80211/include/brcm_hw_ids.h
++++ b/drivers/net/wireless/broadcom/brcm80211/include/brcm_hw_ids.h
+@@ -23,6 +23,7 @@
+ #define BRCM_USB_VENDOR_ID_BROADCOM   0x0a5c
+ #define BRCM_USB_VENDOR_ID_LG         0x043e
+ #define BRCM_USB_VENDOR_ID_LINKSYS    0x13b1
++#define CY_USB_VENDOR_ID_CYPRESS      0x04b4
+ #define BRCM_PCIE_VENDOR_ID_BROADCOM  PCI_VENDOR_ID_BROADCOM
+ /* Chipcommon Core Chip IDs */
+@@ -57,6 +58,7 @@
+ #define BRCM_CC_4365_CHIP_ID          0x4365
+ #define BRCM_CC_4366_CHIP_ID          0x4366
+ #define BRCM_CC_4371_CHIP_ID          0x4371
++#define CY_CC_4373_CHIP_ID            0x4373
+ /* USB Device IDs */
+ #define BRCM_USB_43143_DEVICE_ID      0xbd1e
+@@ -66,6 +68,7 @@
+ #define BRCM_USB_43242_LG_DEVICE_ID   0x3101
+ #define BRCM_USB_43569_DEVICE_ID      0xbd27
+ #define BRCM_USB_BCMFW_DEVICE_ID      0x0bdc
++#define CY_USB_4373_DEVICE_ID         0xbd29
+ /* PCIE Device IDs */
+ #define BRCM_PCIE_4350_DEVICE_ID      0x43a3
+--- a/include/linux/mmc/sdio_ids.h
++++ b/include/linux/mmc/sdio_ids.h
+@@ -39,6 +39,7 @@
+ #define SDIO_DEVICE_ID_BROADCOM_43455         0xa9bf
+ #define SDIO_DEVICE_ID_BROADCOM_4354          0x4354
+ #define SDIO_DEVICE_ID_BROADCOM_4356          0x4356
++#define SDIO_DEVICE_ID_CYPRESS_4373           0x4373
+ #define SDIO_VENDOR_ID_INTEL                  0x0089
+ #define SDIO_DEVICE_ID_INTEL_IWMC3200WIMAX    0x1402
diff --git a/package/kernel/mac80211/patches/326-v4.14-0002-brcmfmac-fix-wrong-num_different_channels-when-mchan.patch b/package/kernel/mac80211/patches/326-v4.14-0002-brcmfmac-fix-wrong-num_different_channels-when-mchan.patch
new file mode 100644 (file)
index 0000000..1887e89
--- /dev/null
@@ -0,0 +1,47 @@
+From 99976fc084129e07df3a066dc15651853386da19 Mon Sep 17 00:00:00 2001
+From: Wright Feng <wright.feng@cypress.com>
+Date: Thu, 3 Aug 2017 17:37:59 +0800
+Subject: [PATCH] brcmfmac: fix wrong num_different_channels when mchan feature
+ enabled
+
+When the device/firmware supports multi-channel, it can have P2P
+connection and regular connection with AP simultaneous. In this case,
+the num_different_channels in wiphy info was not correct when firmware
+supports multi-channel (The iw wiphy# info showed "#channels <= 1" in
+interface combinations). It caused association failed and error message
+"CTRL-EVENT-FREQ-CONFLICT error" in wpa_supplicant when P2P GO interface
+was running at the same time.
+The root cause is that the num_different_channels was always overridden
+to 1 in brcmf_setup_ifmodes even multi-channel was enabled.
+We correct the logic by moving num_different_channels setting forward.
+
+Signed-off-by: Wright Feng <wright.feng@cypress.com>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -6311,6 +6311,8 @@ static int brcmf_setup_ifmodes(struct wi
+       if (p2p) {
+               if (brcmf_feat_is_enabled(ifp, BRCMF_FEAT_MCHAN))
+                       combo[c].num_different_channels = 2;
++              else
++                      combo[c].num_different_channels = 1;
+               wiphy->interface_modes |= BIT(NL80211_IFTYPE_P2P_CLIENT) |
+                                         BIT(NL80211_IFTYPE_P2P_GO) |
+                                         BIT(NL80211_IFTYPE_P2P_DEVICE);
+@@ -6320,10 +6322,10 @@ static int brcmf_setup_ifmodes(struct wi
+               c0_limits[i++].types = BIT(NL80211_IFTYPE_P2P_CLIENT) |
+                                      BIT(NL80211_IFTYPE_P2P_GO);
+       } else {
++              combo[c].num_different_channels = 1;
+               c0_limits[i].max = 1;
+               c0_limits[i++].types = BIT(NL80211_IFTYPE_AP);
+       }
+-      combo[c].num_different_channels = 1;
+       combo[c].max_interfaces = i;
+       combo[c].n_limits = i;
+       combo[c].limits = c0_limits;
diff --git a/package/kernel/mac80211/patches/326-v4.14-0003-brcmfmac-Log-chip-id-and-revision.patch b/package/kernel/mac80211/patches/326-v4.14-0003-brcmfmac-Log-chip-id-and-revision.patch
new file mode 100644 (file)
index 0000000..7531551
--- /dev/null
@@ -0,0 +1,27 @@
+From f38966a7ace842afd3a9bf5d0fb56640f49df60c Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 30 Aug 2017 15:54:49 +0200
+Subject: [PATCH] brcmfmac: Log chip id and revision
+
+For debugging some problems, it is useful to know the chip revision
+add a brcmf_info message logging this.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
+@@ -602,6 +602,9 @@ int brcmf_fw_map_chip_to_name(u32 chip,
+       if ((nvram_name) && (mapping_table[i].nvram))
+               strlcat(nvram_name, mapping_table[i].nvram, BRCMF_FW_NAME_LEN);
++      brcmf_info("using %s for chip %#08x(%d) rev %#08x\n",
++                 fw_name, chip, chip, chiprev);
++
+       return 0;
+ }
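Review bot: The added `brcmf_info()` call prints `chip` with `%d` although the hunk header shows the parameter as `u32 chip`, and `%#08x` counts the `0x` prefix inside the field width, so values are padded to six hex digits rather than eight. If eight digits were intended, use `brcmf_info("using %s for chip %#010x(%u) rev %#010x\n", fw_name, chip, chip, chiprev);`, otherwise plain `%#x` is clearer. `fw_name` is also handed to `%s` unconditionally while `nvram_name` is NULL-checked two lines above. The rest of brcmf_fw_map_chip_to_name() lies outside the hunk, so confirm that `fw_name` cannot be NULL when this line runs.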
diff --git a/package/kernel/mac80211/patches/326-v4.14-0004-brcmfmac-add-length-check-in-brcmf_cfg80211_escan_ha.patch b/package/kernel/mac80211/patches/326-v4.14-0004-brcmfmac-add-length-check-in-brcmf_cfg80211_escan_ha.patch
new file mode 100644 (file)
index 0000000..2b16fa4
--- /dev/null
@@ -0,0 +1,63 @@
+From: Arend Van Spriel <arend.vanspriel@broadcom.com>
+Date: Tue, 12 Sep 2017 10:47:53 +0200
+Subject: [PATCH] brcmfmac: add length check in brcmf_cfg80211_escan_handler()
+
+Upon handling the firmware notification for scans the length was
+checked properly and may result in corrupting kernel heap memory
+due to buffer overruns. This fix addresses CVE-2017-0786.
+
+Cc: stable@vger.kernel.org # v4.0.x
+Cc: Kevin Cernekee <cernekee@chromium.org>
+Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
+Reviewed-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -3088,6 +3088,7 @@ brcmf_cfg80211_escan_handler(struct brcm
+       struct brcmf_cfg80211_info *cfg = ifp->drvr->config;
+       s32 status;
+       struct brcmf_escan_result_le *escan_result_le;
++      u32 escan_buflen;
+       struct brcmf_bss_info_le *bss_info_le;
+       struct brcmf_bss_info_le *bss = NULL;
+       u32 bi_length;
+@@ -3107,11 +3108,23 @@ brcmf_cfg80211_escan_handler(struct brcm
+       if (status == BRCMF_E_STATUS_PARTIAL) {
+               brcmf_dbg(SCAN, "ESCAN Partial result\n");
++              if (e->datalen < sizeof(*escan_result_le)) {
++                      brcmf_err("invalid event data length\n");
++                      goto exit;
++              }
+               escan_result_le = (struct brcmf_escan_result_le *) data;
+               if (!escan_result_le) {
+                       brcmf_err("Invalid escan result (NULL pointer)\n");
+                       goto exit;
+               }
++              escan_buflen = le32_to_cpu(escan_result_le->buflen);
++              if (escan_buflen > BRCMF_ESCAN_BUF_SIZE ||
++                  escan_buflen > e->datalen ||
++                  escan_buflen < sizeof(*escan_result_le)) {
++                      brcmf_err("Invalid escan buffer length: %d\n",
++                                escan_buflen);
++                      goto exit;
++              }
+               if (le16_to_cpu(escan_result_le->bss_count) != 1) {
+                       brcmf_err("Invalid bss_count %d: ignoring\n",
+                                 escan_result_le->bss_count);
+@@ -3128,9 +3141,8 @@ brcmf_cfg80211_escan_handler(struct brcm
+               }
+               bi_length = le32_to_cpu(bss_info_le->length);
+-              if (bi_length != (le32_to_cpu(escan_result_le->buflen) -
+-                                      WL_ESCAN_RESULTS_FIXED_SIZE)) {
+-                      brcmf_err("Invalid bss_info length %d: ignoring\n",
++              if (bi_length != escan_buflen - WL_ESCAN_RESULTS_FIXED_SIZE) {
++                      brcmf_err("Ignoring invalid bss_info length: %d\n",
+                                 bi_length);
+                       goto exit;
+               }
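Review bot: The carried patch description says the length "was checked properly", which reads as the opposite of what the fix implies (presumably "was not checked properly"). Since this text is the only explanation of CVE-2017-0786 in the tree, a short note in the OpenWrt commit message would help later auditors. In the code, `escan_buflen` is declared `u32` but logged with `%d` in `brcmf_err("Invalid escan buffer length: %d\n", escan_buflen);`. The rejected values are exactly the oversized firmware-supplied ones, and `%u` would keep them from showing up as negative numbers in the log. The same applies to `bi_length` in the last inner hunk. The body of brcmf_cfg80211_escan_handler() extends beyond the hunks shown here.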
diff --git a/package/kernel/mac80211/patches/326-v4.14-0005-brcmfmac-Add-check-for-short-event-packets.patch b/package/kernel/mac80211/patches/326-v4.14-0005-brcmfmac-Add-check-for-short-event-packets.patch
new file mode 100644 (file)
index 0000000..27b3bcd
--- /dev/null
@@ -0,0 +1,32 @@
+From dd2349121bb1b8ff688c3ca6a2a0bea9d8c142ca Mon Sep 17 00:00:00 2001
+From: Kevin Cernekee <cernekee@chromium.org>
+Date: Sat, 16 Sep 2017 21:08:24 -0700
+Subject: [PATCH] brcmfmac: Add check for short event packets
+
+The length of the data in the received skb is currently passed into
+brcmf_fweh_process_event() as packet_len, but this value is not checked.
+event_packet should be followed by DATALEN bytes of additional event
+data.  Ensure that the received packet actually contains at least
+DATALEN bytes of additional data, to avoid copying uninitialized memory
+into event->data.
+
+Cc: <stable@vger.kernel.org> # v3.8
+Suggested-by: Mattias Nissler <mnissler@chromium.org>
+Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
+@@ -429,7 +429,8 @@ void brcmf_fweh_process_event(struct brc
+       if (code != BRCMF_E_IF && !fweh->evt_handler[code])
+               return;
+-      if (datalen > BRCMF_DCMD_MAXLEN)
++      if (datalen > BRCMF_DCMD_MAXLEN ||
++          datalen + sizeof(*event_packet) > packet_len)
+               return;
+       if (in_interrupt())
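Review bot: The new bound `datalen + sizeof(*event_packet) > packet_len` is safe from wraparound only because `datalen > BRCMF_DCMD_MAXLEN` is tested first in the same `||` chain, and nothing in the code records that ordering dependency. A comment above the condition, such as `/* datalen is capped by BRCMF_DCMD_MAXLEN above, so the sum cannot wrap */`, would stop a later refactor from splitting or reordering the two tests. The short-packet case also returns silently, so malformed or truncated firmware events leave no trace for anyone investigating a misbehaving device. A rate-limited debug message on this path would help. The declarations of `datalen` and `packet_len` and the rest of brcmf_fweh_process_event() are outside the hunk, so the types are assumed from the comparison.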
index 5a78ee489fc6c76e05e40965403e89dfe939abcf..ddbff078392d281a2dc8f8b5ce98fb4138ee04d2 100644 (file)
@@ -22,8 +22,8 @@ Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
        case BRCM_CC_4366_CHIP_ID:
 +      case BRCM_CC_43664_CHIP_ID:
                return 0x200000;
-       default:
-               brcmf_err("unknown chip: %s\n", ci->pub.name);
+       case CY_CC_4373_CHIP_ID:
+               return 0x160000;
 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
 +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
 @@ -75,6 +75,7 @@ static struct brcmf_firmware_mapping brc
@@ -36,11 +36,11 @@ Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
  
 --- a/drivers/net/wireless/broadcom/brcm80211/include/brcm_hw_ids.h
 +++ b/drivers/net/wireless/broadcom/brcm80211/include/brcm_hw_ids.h
-@@ -56,6 +56,7 @@
+@@ -57,6 +57,7 @@
  #define BRCM_CC_43602_CHIP_ID         43602
  #define BRCM_CC_4365_CHIP_ID          0x4365
  #define BRCM_CC_4366_CHIP_ID          0x4366
 +#define BRCM_CC_43664_CHIP_ID         43664
  #define BRCM_CC_4371_CHIP_ID          0x4371
+ #define CY_CC_4373_CHIP_ID            0x4373
  
- /* USB Device IDs */