PKG_NAME:=mac80211
PKG_VERSION:=2017-01-31
-PKG_RELEASE:=8
+PKG_RELEASE:=9
PKG_SOURCE_URL:=http://mirror2.openwrt.org/sources
PKG_BACKPORT_VERSION:=
PKG_HASH:=75e6d39e34cf156212a2509172a4a62b673b69eb4a1d9aaa565f7fa719fa2317
+++ /dev/null
-From: Arend Van Spriel <arend.vanspriel@broadcom.com>
-Date: Tue, 12 Sep 2017 10:47:53 +0200
-Subject: [PATCH] brcmfmac: add length check in brcmf_cfg80211_escan_handler()
-
-Upon handling the firmware notification for scans the length was
-checked properly and may result in corrupting kernel heap memory
-due to buffer overruns. This fix addresses CVE-2017-0786.
-
-Cc: stable@vger.kernel.org # v4.0.x
-Cc: Kevin Cernekee <cernekee@chromium.org>
-Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
-Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
-Reviewed-by: Franky Lin <franky.lin@broadcom.com>
-Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
----
-
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
-@@ -3088,6 +3088,7 @@ brcmf_cfg80211_escan_handler(struct brcm
- struct brcmf_cfg80211_info *cfg = ifp->drvr->config;
- s32 status;
- struct brcmf_escan_result_le *escan_result_le;
-+ u32 escan_buflen;
- struct brcmf_bss_info_le *bss_info_le;
- struct brcmf_bss_info_le *bss = NULL;
- u32 bi_length;
-@@ -3107,11 +3108,23 @@ brcmf_cfg80211_escan_handler(struct brcm
-
- if (status == BRCMF_E_STATUS_PARTIAL) {
- brcmf_dbg(SCAN, "ESCAN Partial result\n");
-+ if (e->datalen < sizeof(*escan_result_le)) {
-+ brcmf_err("invalid event data length\n");
-+ goto exit;
-+ }
- escan_result_le = (struct brcmf_escan_result_le *) data;
- if (!escan_result_le) {
- brcmf_err("Invalid escan result (NULL pointer)\n");
- goto exit;
- }
-+ escan_buflen = le32_to_cpu(escan_result_le->buflen);
-+ if (escan_buflen > BRCMF_ESCAN_BUF_SIZE ||
-+ escan_buflen > e->datalen ||
-+ escan_buflen < sizeof(*escan_result_le)) {
-+ brcmf_err("Invalid escan buffer length: %d\n",
-+ escan_buflen);
-+ goto exit;
-+ }
- if (le16_to_cpu(escan_result_le->bss_count) != 1) {
- brcmf_err("Invalid bss_count %d: ignoring\n",
- escan_result_le->bss_count);
-@@ -3128,9 +3141,8 @@ brcmf_cfg80211_escan_handler(struct brcm
- }
-
- bi_length = le32_to_cpu(bss_info_le->length);
-- if (bi_length != (le32_to_cpu(escan_result_le->buflen) -
-- WL_ESCAN_RESULTS_FIXED_SIZE)) {
-- brcmf_err("Invalid bss_info length %d: ignoring\n",
-+ if (bi_length != escan_buflen - WL_ESCAN_RESULTS_FIXED_SIZE) {
-+ brcmf_err("Ignoring invalid bss_info length: %d\n",
- bi_length);
- goto exit;
- }
--- /dev/null
+From 0ec9eb90feec4933637fbde9d5bfbc3b62aea218 Mon Sep 17 00:00:00 2001
+From: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
+Date: Thu, 3 Aug 2017 17:37:58 +0800
+Subject: [PATCH] brcmfmac: Add support for CYW4373 SDIO/USB chipset
+
+Add support for CYW4373 SDIO/USB chipset.
+CYW4373 is a 1x1 dual-band 11ac chipset with 20/40/80Mhz channel support.
+It's a WiFi/BT combo device.
+
+Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
+Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c | 1 +
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c | 2 ++
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 4 +++-
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c | 9 ++++++++-
+ drivers/net/wireless/broadcom/brcm80211/include/brcm_hw_ids.h | 3 +++
+ include/linux/mmc/sdio_ids.h | 1 +
+ 6 files changed, 18 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
+@@ -1104,6 +1104,7 @@ static const struct sdio_device_id brcmf
+ BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_BROADCOM_43455),
+ BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_BROADCOM_4354),
+ BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_BROADCOM_4356),
++ BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_CYPRESS_4373),
+ { /* end: all zeroes */ }
+ };
+ MODULE_DEVICE_TABLE(sdio, brcmf_sdmmc_ids);
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c
+@@ -690,6 +690,8 @@ static u32 brcmf_chip_tcm_rambase(struct
+ case BRCM_CC_4365_CHIP_ID:
+ case BRCM_CC_4366_CHIP_ID:
+ return 0x200000;
++ case CY_CC_4373_CHIP_ID:
++ return 0x160000;
+ default:
+ brcmf_err("unknown chip: %s\n", ci->pub.name);
+ break;
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+@@ -617,6 +617,7 @@ BRCMF_FW_NVRAM_DEF(43430A1, "brcmfmac434
+ BRCMF_FW_NVRAM_DEF(43455, "brcmfmac43455-sdio.bin", "brcmfmac43455-sdio.txt");
+ BRCMF_FW_NVRAM_DEF(4354, "brcmfmac4354-sdio.bin", "brcmfmac4354-sdio.txt");
+ BRCMF_FW_NVRAM_DEF(4356, "brcmfmac4356-sdio.bin", "brcmfmac4356-sdio.txt");
++BRCMF_FW_NVRAM_DEF(4373, "brcmfmac4373-sdio.bin", "brcmfmac4373-sdio.txt");
+
+ static struct brcmf_firmware_mapping brcmf_sdio_fwnames[] = {
+ BRCMF_FW_NVRAM_ENTRY(BRCM_CC_43143_CHIP_ID, 0xFFFFFFFF, 43143),
+@@ -635,7 +636,8 @@ static struct brcmf_firmware_mapping brc
+ BRCMF_FW_NVRAM_ENTRY(BRCM_CC_43430_CHIP_ID, 0xFFFFFFFE, 43430A1),
+ BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4345_CHIP_ID, 0xFFFFFFC0, 43455),
+ BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4354_CHIP_ID, 0xFFFFFFFF, 4354),
+- BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4356_CHIP_ID, 0xFFFFFFFF, 4356)
++ BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4356_CHIP_ID, 0xFFFFFFFF, 4356),
++ BRCMF_FW_NVRAM_ENTRY(CY_CC_4373_CHIP_ID, 0xFFFFFFFF, 4373)
+ };
+
+ static void pkt_align(struct sk_buff *p, int len, int align)
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
+@@ -49,6 +49,7 @@ BRCMF_FW_DEF(43143, "brcmfmac43143.bin")
+ BRCMF_FW_DEF(43236B, "brcmfmac43236b.bin");
+ BRCMF_FW_DEF(43242A, "brcmfmac43242a.bin");
+ BRCMF_FW_DEF(43569, "brcmfmac43569.bin");
++BRCMF_FW_DEF(4373, "brcmfmac4373.bin");
+
+ static struct brcmf_firmware_mapping brcmf_usb_fwnames[] = {
+ BRCMF_FW_ENTRY(BRCM_CC_43143_CHIP_ID, 0xFFFFFFFF, 43143),
+@@ -57,7 +58,8 @@ static struct brcmf_firmware_mapping brc
+ BRCMF_FW_ENTRY(BRCM_CC_43238_CHIP_ID, 0x00000008, 43236B),
+ BRCMF_FW_ENTRY(BRCM_CC_43242_CHIP_ID, 0xFFFFFFFF, 43242A),
+ BRCMF_FW_ENTRY(BRCM_CC_43566_CHIP_ID, 0xFFFFFFFF, 43569),
+- BRCMF_FW_ENTRY(BRCM_CC_43569_CHIP_ID, 0xFFFFFFFF, 43569)
++ BRCMF_FW_ENTRY(BRCM_CC_43569_CHIP_ID, 0xFFFFFFFF, 43569),
++ BRCMF_FW_ENTRY(CY_CC_4373_CHIP_ID, 0xFFFFFFFF, 4373)
+ };
+
+ #define TRX_MAGIC 0x30524448 /* "HDR0" */
+@@ -1461,15 +1463,20 @@ static int brcmf_usb_reset_resume(struct
+ #define LINKSYS_USB_DEVICE(dev_id) \
+ { USB_DEVICE(BRCM_USB_VENDOR_ID_LINKSYS, dev_id) }
+
++#define CYPRESS_USB_DEVICE(dev_id) \
++ { USB_DEVICE(CY_USB_VENDOR_ID_CYPRESS, dev_id) }
++
+ static struct usb_device_id brcmf_usb_devid_table[] = {
+ BRCMF_USB_DEVICE(BRCM_USB_43143_DEVICE_ID),
+ BRCMF_USB_DEVICE(BRCM_USB_43236_DEVICE_ID),
+ BRCMF_USB_DEVICE(BRCM_USB_43242_DEVICE_ID),
+ BRCMF_USB_DEVICE(BRCM_USB_43569_DEVICE_ID),
+ LINKSYS_USB_DEVICE(BRCM_USB_43235_LINKSYS_DEVICE_ID),
++ CYPRESS_USB_DEVICE(CY_USB_4373_DEVICE_ID),
+ { USB_DEVICE(BRCM_USB_VENDOR_ID_LG, BRCM_USB_43242_LG_DEVICE_ID) },
+ /* special entry for device with firmware loaded and running */
+ BRCMF_USB_DEVICE(BRCM_USB_BCMFW_DEVICE_ID),
++ CYPRESS_USB_DEVICE(BRCM_USB_BCMFW_DEVICE_ID),
+ { /* end: all zeroes */ }
+ };
+
+--- a/drivers/net/wireless/broadcom/brcm80211/include/brcm_hw_ids.h
++++ b/drivers/net/wireless/broadcom/brcm80211/include/brcm_hw_ids.h
+@@ -23,6 +23,7 @@
+ #define BRCM_USB_VENDOR_ID_BROADCOM 0x0a5c
+ #define BRCM_USB_VENDOR_ID_LG 0x043e
+ #define BRCM_USB_VENDOR_ID_LINKSYS 0x13b1
++#define CY_USB_VENDOR_ID_CYPRESS 0x04b4
+ #define BRCM_PCIE_VENDOR_ID_BROADCOM PCI_VENDOR_ID_BROADCOM
+
+ /* Chipcommon Core Chip IDs */
+@@ -57,6 +58,7 @@
+ #define BRCM_CC_4365_CHIP_ID 0x4365
+ #define BRCM_CC_4366_CHIP_ID 0x4366
+ #define BRCM_CC_4371_CHIP_ID 0x4371
++#define CY_CC_4373_CHIP_ID 0x4373
+
+ /* USB Device IDs */
+ #define BRCM_USB_43143_DEVICE_ID 0xbd1e
+@@ -66,6 +68,7 @@
+ #define BRCM_USB_43242_LG_DEVICE_ID 0x3101
+ #define BRCM_USB_43569_DEVICE_ID 0xbd27
+ #define BRCM_USB_BCMFW_DEVICE_ID 0x0bdc
++#define CY_USB_4373_DEVICE_ID 0xbd29
+
+ /* PCIE Device IDs */
+ #define BRCM_PCIE_4350_DEVICE_ID 0x43a3
+--- a/include/linux/mmc/sdio_ids.h
++++ b/include/linux/mmc/sdio_ids.h
+@@ -39,6 +39,7 @@
+ #define SDIO_DEVICE_ID_BROADCOM_43455 0xa9bf
+ #define SDIO_DEVICE_ID_BROADCOM_4354 0x4354
+ #define SDIO_DEVICE_ID_BROADCOM_4356 0x4356
++#define SDIO_DEVICE_ID_CYPRESS_4373 0x4373
+
+ #define SDIO_VENDOR_ID_INTEL 0x0089
+ #define SDIO_DEVICE_ID_INTEL_IWMC3200WIMAX 0x1402
--- /dev/null
+From 99976fc084129e07df3a066dc15651853386da19 Mon Sep 17 00:00:00 2001
+From: Wright Feng <wright.feng@cypress.com>
+Date: Thu, 3 Aug 2017 17:37:59 +0800
+Subject: [PATCH] brcmfmac: fix wrong num_different_channels when mchan feature
+ enabled
+
+When the device/firmware supports multi-channel, it can have P2P
+connection and regular connection with AP simultaneous. In this case,
+the num_different_channels in wiphy info was not correct when firmware
+supports multi-channel (The iw wiphy# info showed "#channels <= 1" in
+interface combinations). It caused association failed and error message
+"CTRL-EVENT-FREQ-CONFLICT error" in wpa_supplicant when P2P GO interface
+was running at the same time.
+The root cause is that the num_different_channels was always overridden
+to 1 in brcmf_setup_ifmodes even multi-channel was enabled.
+We correct the logic by moving num_different_channels setting forward.
+
+Signed-off-by: Wright Feng <wright.feng@cypress.com>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -6311,6 +6311,8 @@ static int brcmf_setup_ifmodes(struct wi
+ if (p2p) {
+ if (brcmf_feat_is_enabled(ifp, BRCMF_FEAT_MCHAN))
+ combo[c].num_different_channels = 2;
++ else
++ combo[c].num_different_channels = 1;
+ wiphy->interface_modes |= BIT(NL80211_IFTYPE_P2P_CLIENT) |
+ BIT(NL80211_IFTYPE_P2P_GO) |
+ BIT(NL80211_IFTYPE_P2P_DEVICE);
+@@ -6320,10 +6322,10 @@ static int brcmf_setup_ifmodes(struct wi
+ c0_limits[i++].types = BIT(NL80211_IFTYPE_P2P_CLIENT) |
+ BIT(NL80211_IFTYPE_P2P_GO);
+ } else {
++ combo[c].num_different_channels = 1;
+ c0_limits[i].max = 1;
+ c0_limits[i++].types = BIT(NL80211_IFTYPE_AP);
+ }
+- combo[c].num_different_channels = 1;
+ combo[c].max_interfaces = i;
+ combo[c].n_limits = i;
+ combo[c].limits = c0_limits;
--- /dev/null
+From f38966a7ace842afd3a9bf5d0fb56640f49df60c Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 30 Aug 2017 15:54:49 +0200
+Subject: [PATCH] brcmfmac: Log chip id and revision
+
+For debugging some problems, it is useful to know the chip revision
+add a brcmf_info message logging this.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
+@@ -602,6 +602,9 @@ int brcmf_fw_map_chip_to_name(u32 chip,
+ if ((nvram_name) && (mapping_table[i].nvram))
+ strlcat(nvram_name, mapping_table[i].nvram, BRCMF_FW_NAME_LEN);
+
++ brcmf_info("using %s for chip %#08x(%d) rev %#08x\n",
++ fw_name, chip, chip, chiprev);
++
+ return 0;
+ }
+
--- /dev/null
+From: Arend Van Spriel <arend.vanspriel@broadcom.com>
+Date: Tue, 12 Sep 2017 10:47:53 +0200
+Subject: [PATCH] brcmfmac: add length check in brcmf_cfg80211_escan_handler()
+
+Upon handling the firmware notification for scans the length was
+checked properly and may result in corrupting kernel heap memory
+due to buffer overruns. This fix addresses CVE-2017-0786.
+
+Cc: stable@vger.kernel.org # v4.0.x
+Cc: Kevin Cernekee <cernekee@chromium.org>
+Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
+Reviewed-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -3088,6 +3088,7 @@ brcmf_cfg80211_escan_handler(struct brcm
+ struct brcmf_cfg80211_info *cfg = ifp->drvr->config;
+ s32 status;
+ struct brcmf_escan_result_le *escan_result_le;
++ u32 escan_buflen;
+ struct brcmf_bss_info_le *bss_info_le;
+ struct brcmf_bss_info_le *bss = NULL;
+ u32 bi_length;
+@@ -3107,11 +3108,23 @@ brcmf_cfg80211_escan_handler(struct brcm
+
+ if (status == BRCMF_E_STATUS_PARTIAL) {
+ brcmf_dbg(SCAN, "ESCAN Partial result\n");
++ if (e->datalen < sizeof(*escan_result_le)) {
++ brcmf_err("invalid event data length\n");
++ goto exit;
++ }
+ escan_result_le = (struct brcmf_escan_result_le *) data;
+ if (!escan_result_le) {
+ brcmf_err("Invalid escan result (NULL pointer)\n");
+ goto exit;
+ }
++ escan_buflen = le32_to_cpu(escan_result_le->buflen);
++ if (escan_buflen > BRCMF_ESCAN_BUF_SIZE ||
++ escan_buflen > e->datalen ||
++ escan_buflen < sizeof(*escan_result_le)) {
++ brcmf_err("Invalid escan buffer length: %d\n",
++ escan_buflen);
++ goto exit;
++ }
+ if (le16_to_cpu(escan_result_le->bss_count) != 1) {
+ brcmf_err("Invalid bss_count %d: ignoring\n",
+ escan_result_le->bss_count);
+@@ -3128,9 +3141,8 @@ brcmf_cfg80211_escan_handler(struct brcm
+ }
+
+ bi_length = le32_to_cpu(bss_info_le->length);
+- if (bi_length != (le32_to_cpu(escan_result_le->buflen) -
+- WL_ESCAN_RESULTS_FIXED_SIZE)) {
+- brcmf_err("Invalid bss_info length %d: ignoring\n",
++ if (bi_length != escan_buflen - WL_ESCAN_RESULTS_FIXED_SIZE) {
++ brcmf_err("Ignoring invalid bss_info length: %d\n",
+ bi_length);
+ goto exit;
+ }
--- /dev/null
+From dd2349121bb1b8ff688c3ca6a2a0bea9d8c142ca Mon Sep 17 00:00:00 2001
+From: Kevin Cernekee <cernekee@chromium.org>
+Date: Sat, 16 Sep 2017 21:08:24 -0700
+Subject: [PATCH] brcmfmac: Add check for short event packets
+
+The length of the data in the received skb is currently passed into
+brcmf_fweh_process_event() as packet_len, but this value is not checked.
+event_packet should be followed by DATALEN bytes of additional event
+data. Ensure that the received packet actually contains at least
+DATALEN bytes of additional data, to avoid copying uninitialized memory
+into event->data.
+
+Cc: <stable@vger.kernel.org> # v3.8
+Suggested-by: Mattias Nissler <mnissler@chromium.org>
+Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
+@@ -429,7 +429,8 @@ void brcmf_fweh_process_event(struct brc
+ if (code != BRCMF_E_IF && !fweh->evt_handler[code])
+ return;
+
+- if (datalen > BRCMF_DCMD_MAXLEN)
++ if (datalen > BRCMF_DCMD_MAXLEN ||
++ datalen + sizeof(*event_packet) > packet_len)
+ return;
+
+ if (in_interrupt())
case BRCM_CC_4366_CHIP_ID:
+ case BRCM_CC_43664_CHIP_ID:
return 0x200000;
- default:
- brcmf_err("unknown chip: %s\n", ci->pub.name);
+ case CY_CC_4373_CHIP_ID:
+ return 0x160000;
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
@@ -75,6 +75,7 @@ static struct brcmf_firmware_mapping brc
--- a/drivers/net/wireless/broadcom/brcm80211/include/brcm_hw_ids.h
+++ b/drivers/net/wireless/broadcom/brcm80211/include/brcm_hw_ids.h
-@@ -56,6 +56,7 @@
+@@ -57,6 +57,7 @@
#define BRCM_CC_43602_CHIP_ID 43602
#define BRCM_CC_4365_CHIP_ID 0x4365
#define BRCM_CC_4366_CHIP_ID 0x4366
+#define BRCM_CC_43664_CHIP_ID 43664
#define BRCM_CC_4371_CHIP_ID 0x4371
+ #define CY_CC_4373_CHIP_ID 0x4373
- /* USB Device IDs */