From 2cd234d96bd772119363a77a35bffa6a4931613e Mon Sep 17 00:00:00 2001 From: =?utf8?q?Rafa=C5=82=20Mi=C5=82ecki?= Date: Sun, 16 Jun 2019 21:44:51 +0200 Subject: [PATCH] mac80211: brcmfmac: backport important fixes from kernel 5.2 MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit 1) Crash/Oops fixes 2) One-line patch for BCM43456 support 3) Fix communication with some specific FullMAC firmwares 4) Potential fix for "Invalid packet id" errors 5) Important helper for reporting FullMAC firmware crashes Signed-off-by: Rafał Miłecki --- ...-repeated-brcmf_fw_alloc_request-cal.patch | 2 +- ...unction-designated-for-handling-firm.patch | 6 +- ...NING-during-USB-disconnect-in-case-o.patch | 6 +- ...L-pointer-derefence-during-USB-disco.patch | 6 +- ...s-when-bringing-up-interface-during-.patch | 123 ++++++++++++++++++ ...mfmac-fix-missing-checks-for-kmemdup.patch | 35 +++++ ...g-the-correct-firmware-for-brcm43456.patch | 35 +++++ ...x-leak-of-mypkt-on-error-return-path.patch | 41 ++++++ ...-nvram-filename-quirk-for-ACEPC-T8-a.patch | 70 ++++++++++ ...ilbox-interrupt-twice-for-specific-h.patch | 39 ++++++ ...ial-NULL-dereference-in-brcmf_cfg802.patch | 50 +++++++ ...low-request-id-from-1-to-pktids-arra.patch | 49 +++++++ ...irmware-messages-after-a-firmware-cr.patch | 90 +++++++++++++ ...-register-wiphy-s-during-module_init.patch | 2 +- ...-info-right-before-downloading-PCIe-.patch | 2 +- 15 files changed, 544 insertions(+), 12 deletions(-) create mode 100644 package/kernel/mac80211/patches/453-v5.2-brcmfmac-fix-Oops-when-bringing-up-interface-during-.patch create mode 100644 package/kernel/mac80211/patches/454-v5.2-brcmfmac-fix-missing-checks-for-kmemdup.patch create mode 100644 package/kernel/mac80211/patches/455-v5.2-brcmfmac-Loading-the-correct-firmware-for-brcm43456.patch create mode 100644 package/kernel/mac80211/patches/456-v5.2-brcmfmac-fix-leak-of-mypkt-on-error-return-path.patch create mode 100644 package/kernel/mac80211/patches/457-v5.2-brcmfmac-Add-DMI-nvram-filename-quirk-for-ACEPC-T8-a.patch create mode 100644 package/kernel/mac80211/patches/458-v5.2-brcmfmac-send-mailbox-interrupt-twice-for-specific-h.patch create mode 100644 package/kernel/mac80211/patches/459-v5.2-brcm80211-potential-NULL-dereference-in-brcmf_cfg802.patch create mode 100644 package/kernel/mac80211/patches/460-v5.2-brcmfmac-set-txflow-request-id-from-1-to-pktids-arra.patch create mode 100644 package/kernel/mac80211/patches/461-v5.2-brcmfmac-print-firmware-messages-after-a-firmware-cr.patch diff --git a/package/kernel/mac80211/patches/450-v5.2-0001-brcmfmac-support-repeated-brcmf_fw_alloc_request-cal.patch b/package/kernel/mac80211/patches/450-v5.2-0001-brcmfmac-support-repeated-brcmf_fw_alloc_request-cal.patch index ef694f079f..9efe00c9b5 100644 --- a/package/kernel/mac80211/patches/450-v5.2-0001-brcmfmac-support-repeated-brcmf_fw_alloc_request-cal.patch +++ b/package/kernel/mac80211/patches/450-v5.2-0001-brcmfmac-support-repeated-brcmf_fw_alloc_request-cal.patch @@ -22,7 +22,7 @@ Signed-off-by: Kalle Valo --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c -@@ -743,6 +743,7 @@ brcmf_fw_alloc_request(u32 chip, u32 chi +@@ -668,6 +668,7 @@ brcmf_fw_alloc_request(u32 chip, u32 chi for (j = 0; j < n_fwnames; j++) { fwreq->items[j].path = fwnames[j].path; diff --git a/package/kernel/mac80211/patches/450-v5.2-0002-brcmfmac-add-a-function-designated-for-handling-firm.patch b/package/kernel/mac80211/patches/450-v5.2-0002-brcmfmac-add-a-function-designated-for-handling-firm.patch index 595b8948c7..d29a767b5f 100644 --- a/package/kernel/mac80211/patches/450-v5.2-0002-brcmfmac-add-a-function-designated-for-handling-firm.patch +++ b/package/kernel/mac80211/patches/450-v5.2-0002-brcmfmac-add-a-function-designated-for-handling-firm.patch @@ -25,7 +25,7 @@ Signed-off-by: Kalle Valo --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bus.h +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bus.h -@@ -262,6 +262,8 @@ void brcmf_detach(struct device *dev); +@@ -252,6 +252,8 @@ void brcmf_detach(struct device *dev); void brcmf_dev_reset(struct device *dev); /* Request from bus module to initiate a coredump */ void brcmf_dev_coredump(struct device *dev); @@ -36,7 +36,7 @@ Signed-off-by: Kalle Valo void brcmf_bus_change_state(struct brcmf_bus *bus, enum brcmf_bus_state state); --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c -@@ -1294,6 +1294,16 @@ void brcmf_dev_coredump(struct device *d +@@ -1292,6 +1292,16 @@ void brcmf_dev_coredump(struct device *d brcmf_dbg(TRACE, "failed to create coredump\n"); } @@ -66,7 +66,7 @@ Signed-off-by: Kalle Valo --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c -@@ -1090,8 +1090,8 @@ static u32 brcmf_sdio_hostmail(struct br +@@ -1073,8 +1073,8 @@ static u32 brcmf_sdio_hostmail(struct br /* dongle indicates the firmware has halted/crashed */ if (hmb_data & HMB_DATA_FWHALT) { diff --git a/package/kernel/mac80211/patches/451-v5.2-0001-brcmfmac-fix-WARNING-during-USB-disconnect-in-case-o.patch b/package/kernel/mac80211/patches/451-v5.2-0001-brcmfmac-fix-WARNING-during-USB-disconnect-in-case-o.patch index cb4b5c924f..620a58533c 100644 --- a/package/kernel/mac80211/patches/451-v5.2-0001-brcmfmac-fix-WARNING-during-USB-disconnect-in-case-o.patch +++ b/package/kernel/mac80211/patches/451-v5.2-0001-brcmfmac-fix-WARNING-during-USB-disconnect-in-case-o.patch @@ -59,7 +59,7 @@ Signed-off-by: Kalle Valo --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c -@@ -580,24 +580,6 @@ static bool brcmf_fws_ifidx_match(struct +@@ -579,24 +579,6 @@ static bool brcmf_fws_ifidx_match(struct return ifidx == *(int *)arg; } @@ -84,7 +84,7 @@ Signed-off-by: Kalle Valo static void brcmf_fws_hanger_init(struct brcmf_fws_hanger *hanger) { int i; -@@ -669,6 +651,28 @@ static inline int brcmf_fws_hanger_poppk +@@ -668,6 +650,28 @@ static inline int brcmf_fws_hanger_poppk return 0; } @@ -113,7 +113,7 @@ Signed-off-by: Kalle Valo static int brcmf_fws_hanger_mark_suppressed(struct brcmf_fws_hanger *h, u32 slot_id) { -@@ -2200,6 +2204,8 @@ void brcmf_fws_del_interface(struct brcm +@@ -2174,6 +2178,8 @@ void brcmf_fws_del_interface(struct brcm brcmf_fws_lock(fws); ifp->fws_desc = NULL; brcmf_dbg(TRACE, "deleting %s\n", entry->name); diff --git a/package/kernel/mac80211/patches/451-v5.2-0002-brcmfmac-fix-NULL-pointer-derefence-during-USB-disco.patch b/package/kernel/mac80211/patches/451-v5.2-0002-brcmfmac-fix-NULL-pointer-derefence-during-USB-disco.patch index e45288b63b..71b9487892 100644 --- a/package/kernel/mac80211/patches/451-v5.2-0002-brcmfmac-fix-NULL-pointer-derefence-during-USB-disco.patch +++ b/package/kernel/mac80211/patches/451-v5.2-0002-brcmfmac-fix-NULL-pointer-derefence-during-USB-disco.patch @@ -114,7 +114,7 @@ Signed-off-by: Kalle Valo #endif /* BRCMFMAC_BCDC_H */ --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c -@@ -1342,6 +1342,8 @@ void brcmf_detach(struct device *dev) +@@ -1340,6 +1340,8 @@ void brcmf_detach(struct device *dev) brcmf_bus_change_state(bus_if, BRCMF_BUS_DOWN); @@ -123,7 +123,7 @@ Signed-off-by: Kalle Valo /* make sure primary interface removed last */ for (i = BRCMF_MAX_IFS-1; i > -1; i--) brcmf_remove_interface(drvr->iflist[i], false); -@@ -1351,7 +1353,7 @@ void brcmf_detach(struct device *dev) +@@ -1349,7 +1351,7 @@ void brcmf_detach(struct device *dev) brcmf_bus_stop(drvr->bus_if); @@ -134,7 +134,7 @@ Signed-off-by: Kalle Valo wiphy_free(drvr->wiphy); --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c -@@ -2443,17 +2443,25 @@ struct brcmf_fws_info *brcmf_fws_attach( +@@ -2416,17 +2416,25 @@ struct brcmf_fws_info *brcmf_fws_attach( return fws; fail: diff --git a/package/kernel/mac80211/patches/453-v5.2-brcmfmac-fix-Oops-when-bringing-up-interface-during-.patch b/package/kernel/mac80211/patches/453-v5.2-brcmfmac-fix-Oops-when-bringing-up-interface-during-.patch new file mode 100644 index 0000000000..5e34e1aca3 --- /dev/null +++ b/package/kernel/mac80211/patches/453-v5.2-brcmfmac-fix-Oops-when-bringing-up-interface-during-.patch @@ -0,0 +1,123 @@ +From 24d413a31afaee9bbbf79226052c386b01780ce2 Mon Sep 17 00:00:00 2001 +From: Piotr Figiel +Date: Wed, 13 Mar 2019 09:52:01 +0000 +Subject: [PATCH] brcmfmac: fix Oops when bringing up interface during USB + disconnect + +Fix a race which leads to an Oops with NULL pointer dereference. The +dereference is in brcmf_config_dongle() when cfg_to_ndev() attempts to get +net_device structure of interface with index 0 via if2bss mapping. This +shouldn't fail because of check for bus being ready in brcmf_netdev_open(), +but it's not synchronised with USB disconnect and there is a race: after +the check the bus can be marked down and the mapping for interface 0 may be +gone. + +Solve this by modifying disconnect handling so that the removal of mapping +of ifidx to brcmf_if structure happens after netdev removal (which is +synchronous with brcmf_netdev_open() thanks to rtln being locked in +devinet_ioctl()). This assures brcmf_netdev_open() returns before the +mapping is removed during disconnect. + +Unable to handle kernel NULL pointer dereference at virtual address 00000008 +pgd = bcae2612 +[00000008] *pgd=8be73831 +Internal error: Oops: 17 [#1] PREEMPT SMP ARM +Modules linked in: brcmfmac brcmutil nf_log_ipv4 nf_log_common xt_LOG xt_limit +iptable_mangle xt_connmark xt_tcpudp xt_conntrack nf_conntrack nf_defrag_ipv6 +nf_defrag_ipv4 iptable_filter ip_tables x_tables usb_f_mass_storage usb_f_rndis +u_ether usb_serial_simple usbserial cdc_acm smsc95xx usbnet ci_hdrc_imx ci_hdrc +usbmisc_imx ulpi 8250_exar 8250_pci 8250 8250_base libcomposite configfs +udc_core [last unloaded: brcmutil] +CPU: 2 PID: 24478 Comm: ifconfig Not tainted 4.19.23-00078-ga62866d-dirty #115 +Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree) +PC is at brcmf_cfg80211_up+0x94/0x29c [brcmfmac] +LR is at brcmf_cfg80211_up+0x8c/0x29c [brcmfmac] +pc : [<7f26a91c>] lr : [<7f26a914>] psr: a0070013 +sp : eca99d28 ip : 00000000 fp : ee9c6c00 +r10: 00000036 r9 : 00000000 r8 : ece4002c +r7 : edb5b800 r6 : 00000000 r5 : 80f08448 r4 : edb5b968 +r3 : ffffffff r2 : 00000000 r1 : 00000002 r0 : 00000000 +Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none +Control: 10c5387d Table: 7ca0c04a DAC: 00000051 +Process ifconfig (pid: 24478, stack limit = 0xd9e85a0e) +Stack: (0xeca99d28 to 0xeca9a000) +9d20: 00000000 80f873b0 0000000d 80f08448 eca99d68 50d45f32 +9d40: 7f27de94 ece40000 80f08448 80f08448 7f27de94 ece4002c 00000000 00000036 +9d60: ee9c6c00 7f27262c 00001002 50d45f32 ece40000 00000000 80f08448 80772008 +9d80: 00000001 00001043 00001002 ece40000 00000000 50d45f32 ece40000 00000001 +9da0: 80f08448 00001043 00001002 807723d0 00000000 50d45f32 80f08448 eca99e58 +9dc0: 80f87113 50d45f32 80f08448 ece40000 ece40138 00001002 80f08448 00000000 +9de0: 00000000 80772434 edbd5380 eca99e58 edbd5380 80f08448 ee9c6c0c 80805f70 +9e00: 00000000 ede08e00 00008914 ece40000 00000014 ee9c6c0c 600c0013 00001043 +9e20: 0208a8c0 ffffffff 00000000 50d45f32 eca98000 80f08448 7ee9fc38 00008914 +9e40: 80f68e40 00000051 eca98000 00000036 00000003 80808b9c 6e616c77 00000030 +9e60: 00000000 00000000 00001043 0208a8c0 ffffffff 00000000 80f08448 00000000 +9e80: 00000000 816d8b20 600c0013 00000001 ede09320 801763d4 00000000 50d45f32 +9ea0: eca98000 80f08448 7ee9fc38 50d45f32 00008914 80f08448 7ee9fc38 80f68e40 +9ec0: ed531540 8074721c 00000800 00000001 00000000 6e616c77 00000030 00000000 +9ee0: 00000000 00001002 0208a8c0 ffffffff 00000000 50d45f32 80f08448 7ee9fc38 +9f00: ed531560 ec8fc900 80285a6c 80285138 edb910c0 00000000 ecd91008 ede08e00 +9f20: 80f08448 00000000 00000000 816d8b20 600c0013 00000001 ede09320 801763d4 +9f40: 00000000 50d45f32 00021000 edb91118 edb910c0 80f08448 01b29000 edb91118 +9f60: eca99f7c 50d45f32 00021000 ec8fc900 00000003 ec8fc900 00008914 7ee9fc38 +9f80: eca98000 00000036 00000003 80285a6c 00086364 7ee9fe1c 000000c3 00000036 +9fa0: 801011c4 80101000 00086364 7ee9fe1c 00000003 00008914 7ee9fc38 00086364 +9fc0: 00086364 7ee9fe1c 000000c3 00000036 0008630c 7ee9fe1c 7ee9fc38 00000003 +9fe0: 000a42b8 7ee9fbd4 00019914 76e09acc 600c0010 00000003 00000000 00000000 +[<7f26a91c>] (brcmf_cfg80211_up [brcmfmac]) from [<7f27262c>] (brcmf_netdev_open+0x74/0xe8 [brcmfmac]) +[<7f27262c>] (brcmf_netdev_open [brcmfmac]) from [<80772008>] (__dev_open+0xcc/0x150) +[<80772008>] (__dev_open) from [<807723d0>] (__dev_change_flags+0x168/0x1b4) +[<807723d0>] (__dev_change_flags) from [<80772434>] (dev_change_flags+0x18/0x48) +[<80772434>] (dev_change_flags) from [<80805f70>] (devinet_ioctl+0x67c/0x79c) +[<80805f70>] (devinet_ioctl) from [<80808b9c>] (inet_ioctl+0x210/0x3d4) +[<80808b9c>] (inet_ioctl) from [<8074721c>] (sock_ioctl+0x350/0x524) +[<8074721c>] (sock_ioctl) from [<80285138>] (do_vfs_ioctl+0xb0/0x9b0) +[<80285138>] (do_vfs_ioctl) from [<80285a6c>] (ksys_ioctl+0x34/0x5c) +[<80285a6c>] (ksys_ioctl) from [<80101000>] (ret_fast_syscall+0x0/0x28) +Exception stack(0xeca99fa8 to 0xeca99ff0) +9fa0: 00086364 7ee9fe1c 00000003 00008914 7ee9fc38 00086364 +9fc0: 00086364 7ee9fe1c 000000c3 00000036 0008630c 7ee9fe1c 7ee9fc38 00000003 +9fe0: 000a42b8 7ee9fbd4 00019914 76e09acc +Code: e5970328 eb002021 e1a02006 e3a01002 (e5909008) +---[ end trace 5cbac2333f3ac5df ]--- + +Signed-off-by: Piotr Figiel +Signed-off-by: Kalle Valo +--- + .../net/wireless/broadcom/brcm80211/brcmfmac/core.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c +@@ -861,17 +861,17 @@ static void brcmf_del_if(struct brcmf_pu + bool rtnl_locked) + { + struct brcmf_if *ifp; ++ int ifidx; + + ifp = drvr->iflist[bsscfgidx]; +- drvr->iflist[bsscfgidx] = NULL; + if (!ifp) { + bphy_err(drvr, "Null interface, bsscfgidx=%d\n", bsscfgidx); + return; + } + brcmf_dbg(TRACE, "Enter, bsscfgidx=%d, ifidx=%d\n", bsscfgidx, + ifp->ifidx); +- if (drvr->if2bss[ifp->ifidx] == bsscfgidx) +- drvr->if2bss[ifp->ifidx] = BRCMF_BSSIDX_INVALID; ++ ifidx = ifp->ifidx; ++ + if (ifp->ndev) { + if (bsscfgidx == 0) { + if (ifp->ndev->netdev_ops == &brcmf_netdev_ops_pri) { +@@ -899,6 +899,10 @@ static void brcmf_del_if(struct brcmf_pu + brcmf_p2p_ifp_removed(ifp, rtnl_locked); + kfree(ifp); + } ++ ++ drvr->iflist[bsscfgidx] = NULL; ++ if (drvr->if2bss[ifidx] == bsscfgidx) ++ drvr->if2bss[ifidx] = BRCMF_BSSIDX_INVALID; + } + + void brcmf_remove_interface(struct brcmf_if *ifp, bool rtnl_locked) diff --git a/package/kernel/mac80211/patches/454-v5.2-brcmfmac-fix-missing-checks-for-kmemdup.patch b/package/kernel/mac80211/patches/454-v5.2-brcmfmac-fix-missing-checks-for-kmemdup.patch new file mode 100644 index 0000000000..2f72b72cc2 --- /dev/null +++ b/package/kernel/mac80211/patches/454-v5.2-brcmfmac-fix-missing-checks-for-kmemdup.patch @@ -0,0 +1,35 @@ +From 46953f97224d56a12ccbe9c6acaa84ca0dab2780 Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Fri, 15 Mar 2019 12:04:32 -0500 +Subject: [PATCH] brcmfmac: fix missing checks for kmemdup + +In case kmemdup fails, the fix sets conn_info->req_ie_len and +conn_info->resp_ie_len to zero to avoid buffer overflows. + +Signed-off-by: Kangjie Lu +Acked-by: Arend van Spriel +Signed-off-by: Kalle Valo +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +@@ -5455,6 +5455,8 @@ static s32 brcmf_get_assoc_ies(struct br + conn_info->req_ie = + kmemdup(cfg->extra_buf, conn_info->req_ie_len, + GFP_KERNEL); ++ if (!conn_info->req_ie) ++ conn_info->req_ie_len = 0; + } else { + conn_info->req_ie_len = 0; + conn_info->req_ie = NULL; +@@ -5471,6 +5473,8 @@ static s32 brcmf_get_assoc_ies(struct br + conn_info->resp_ie = + kmemdup(cfg->extra_buf, conn_info->resp_ie_len, + GFP_KERNEL); ++ if (!conn_info->resp_ie) ++ conn_info->resp_ie_len = 0; + } else { + conn_info->resp_ie_len = 0; + conn_info->resp_ie = NULL; diff --git a/package/kernel/mac80211/patches/455-v5.2-brcmfmac-Loading-the-correct-firmware-for-brcm43456.patch b/package/kernel/mac80211/patches/455-v5.2-brcmfmac-Loading-the-correct-firmware-for-brcm43456.patch new file mode 100644 index 0000000000..f7ca327517 --- /dev/null +++ b/package/kernel/mac80211/patches/455-v5.2-brcmfmac-Loading-the-correct-firmware-for-brcm43456.patch @@ -0,0 +1,35 @@ +From e3062e05e1cfe378bb9b3fa0bef46711372bcf13 Mon Sep 17 00:00:00 2001 +From: Ondrej Jirman +Date: Sat, 6 Apr 2019 01:45:13 +0200 +Subject: [PATCH] brcmfmac: Loading the correct firmware for brcm43456 + +SDIO based brcm43456 is currently misdetected as brcm43455 and the wrong +firmware name is used. Correct the detection and load the correct +firmware file. Chiprev for brcm43456 is "9". + +Signed-off-by: Ondrej Jirman +Signed-off-by: Kalle Valo +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c +@@ -615,6 +615,7 @@ BRCMF_FW_DEF(43430A0, "brcmfmac43430a0-s + /* Note the names are not postfixed with a1 for backward compatibility */ + BRCMF_FW_DEF(43430A1, "brcmfmac43430-sdio"); + BRCMF_FW_DEF(43455, "brcmfmac43455-sdio"); ++BRCMF_FW_DEF(43456, "brcmfmac43456-sdio"); + BRCMF_FW_DEF(4354, "brcmfmac4354-sdio"); + BRCMF_FW_DEF(4356, "brcmfmac4356-sdio"); + BRCMF_FW_DEF(4373, "brcmfmac4373-sdio"); +@@ -634,7 +635,8 @@ static const struct brcmf_firmware_mappi + BRCMF_FW_ENTRY(BRCM_CC_4339_CHIP_ID, 0xFFFFFFFF, 4339), + BRCMF_FW_ENTRY(BRCM_CC_43430_CHIP_ID, 0x00000001, 43430A0), + BRCMF_FW_ENTRY(BRCM_CC_43430_CHIP_ID, 0xFFFFFFFE, 43430A1), +- BRCMF_FW_ENTRY(BRCM_CC_4345_CHIP_ID, 0xFFFFFFC0, 43455), ++ BRCMF_FW_ENTRY(BRCM_CC_4345_CHIP_ID, 0x00000200, 43456), ++ BRCMF_FW_ENTRY(BRCM_CC_4345_CHIP_ID, 0xFFFFFDC0, 43455), + BRCMF_FW_ENTRY(BRCM_CC_4354_CHIP_ID, 0xFFFFFFFF, 4354), + BRCMF_FW_ENTRY(BRCM_CC_4356_CHIP_ID, 0xFFFFFFFF, 4356), + BRCMF_FW_ENTRY(CY_CC_4373_CHIP_ID, 0xFFFFFFFF, 4373) diff --git a/package/kernel/mac80211/patches/456-v5.2-brcmfmac-fix-leak-of-mypkt-on-error-return-path.patch b/package/kernel/mac80211/patches/456-v5.2-brcmfmac-fix-leak-of-mypkt-on-error-return-path.patch new file mode 100644 index 0000000000..a9a9d74c10 --- /dev/null +++ b/package/kernel/mac80211/patches/456-v5.2-brcmfmac-fix-leak-of-mypkt-on-error-return-path.patch @@ -0,0 +1,41 @@ +From a927e8d8ab57e696800e20cf09a72b7dfe3bbebb Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Tue, 9 Apr 2019 12:43:33 +0100 +Subject: [PATCH] brcmfmac: fix leak of mypkt on error return path + +Currently if the call to brcmf_sdiod_set_backplane_window fails then +error return path leaks mypkt. Fix this by returning by a new +error path labelled 'out' that calls brcmu_pkt_buf_free_skb to free +mypkt. Also remove redundant check on err before calling +brcmf_sdiod_skbuff_write. + +Addresses-Coverity: ("Resource Leak") +Fixes: a7c3aa1509e2 ("brcmfmac: Remove brcmf_sdiod_addrprep()") +Signed-off-by: Colin Ian King +Reviewed-by: Mukesh Ojha +Signed-off-by: Kalle Valo +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c +@@ -617,15 +617,13 @@ int brcmf_sdiod_send_buf(struct brcmf_sd + + err = brcmf_sdiod_set_backplane_window(sdiodev, addr); + if (err) +- return err; ++ goto out; + + addr &= SBSDIO_SB_OFT_ADDR_MASK; + addr |= SBSDIO_SB_ACCESS_2_4B_FLAG; + +- if (!err) +- err = brcmf_sdiod_skbuff_write(sdiodev, sdiodev->func2, addr, +- mypkt); +- ++ err = brcmf_sdiod_skbuff_write(sdiodev, sdiodev->func2, addr, mypkt); ++out: + brcmu_pkt_buf_free_skb(mypkt); + + return err; diff --git a/package/kernel/mac80211/patches/457-v5.2-brcmfmac-Add-DMI-nvram-filename-quirk-for-ACEPC-T8-a.patch b/package/kernel/mac80211/patches/457-v5.2-brcmfmac-Add-DMI-nvram-filename-quirk-for-ACEPC-T8-a.patch new file mode 100644 index 0000000000..7865606f94 --- /dev/null +++ b/package/kernel/mac80211/patches/457-v5.2-brcmfmac-Add-DMI-nvram-filename-quirk-for-ACEPC-T8-a.patch @@ -0,0 +1,70 @@ +From b1a0ba8f772d7a6dcb5aa3e856f5bd8274989ebe Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Mon, 22 Apr 2019 22:41:23 +0200 +Subject: [PATCH] brcmfmac: Add DMI nvram filename quirk for ACEPC T8 and T11 + mini PCs + +The ACEPC T8 and T11 mini PCs contain quite generic names in the sys_vendor +and product_name DMI strings, without this patch brcmfmac will try to load: +"brcmfmac43455-sdio.Default string-Default string.txt" as nvram file which +is way too generic. + +The DMI strings on which we are matching are somewhat generic too, but +"To be filled by O.E.M." is less common then "Default string" and the +system-sku and bios-version strings are pretty unique. Beside the DMI +strings we also check the wifi-module chip-id and revision. I'm confident +that the combination of all this is unique. + +Both the T8 and T11 use the same wifi-module, this commit adds DMI +quirks for both mini PCs pointing to brcmfmac43455-sdio.acepc-t8.txt . + +BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1690852 +Cc: stable@vger.kernel.org +Signed-off-by: Hans de Goede +Signed-off-by: Kalle Valo +--- + .../broadcom/brcm80211/brcmfmac/dmi.c | 26 +++++++++++++++++++ + 1 file changed, 26 insertions(+) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c +@@ -31,6 +31,10 @@ struct brcmf_dmi_data { + + /* NOTE: Please keep all entries sorted alphabetically */ + ++static const struct brcmf_dmi_data acepc_t8_data = { ++ BRCM_CC_4345_CHIP_ID, 6, "acepc-t8" ++}; ++ + static const struct brcmf_dmi_data gpd_win_pocket_data = { + BRCM_CC_4356_CHIP_ID, 2, "gpd-win-pocket" + }; +@@ -45,6 +49,28 @@ static const struct brcmf_dmi_data meego + + static const struct dmi_system_id dmi_platform_data[] = { + { ++ /* ACEPC T8 Cherry Trail Z8350 mini PC */ ++ .matches = { ++ DMI_EXACT_MATCH(DMI_BOARD_VENDOR, "To be filled by O.E.M."), ++ DMI_EXACT_MATCH(DMI_BOARD_NAME, "Cherry Trail CR"), ++ DMI_EXACT_MATCH(DMI_PRODUCT_SKU, "T8"), ++ /* also match on somewhat unique bios-version */ ++ DMI_EXACT_MATCH(DMI_BIOS_VERSION, "1.000"), ++ }, ++ .driver_data = (void *)&acepc_t8_data, ++ }, ++ { ++ /* ACEPC T11 Cherry Trail Z8350 mini PC, same wifi as the T8 */ ++ .matches = { ++ DMI_EXACT_MATCH(DMI_BOARD_VENDOR, "To be filled by O.E.M."), ++ DMI_EXACT_MATCH(DMI_BOARD_NAME, "Cherry Trail CR"), ++ DMI_EXACT_MATCH(DMI_PRODUCT_SKU, "T11"), ++ /* also match on somewhat unique bios-version */ ++ DMI_EXACT_MATCH(DMI_BIOS_VERSION, "1.000"), ++ }, ++ .driver_data = (void *)&acepc_t8_data, ++ }, ++ { + /* Match for the GPDwin which unfortunately uses somewhat + * generic dmi strings, which is why we test for 4 strings. + * Comparing against 23 other byt/cht boards, board_vendor diff --git a/package/kernel/mac80211/patches/458-v5.2-brcmfmac-send-mailbox-interrupt-twice-for-specific-h.patch b/package/kernel/mac80211/patches/458-v5.2-brcmfmac-send-mailbox-interrupt-twice-for-specific-h.patch new file mode 100644 index 0000000000..1fcf8c70c7 --- /dev/null +++ b/package/kernel/mac80211/patches/458-v5.2-brcmfmac-send-mailbox-interrupt-twice-for-specific-h.patch @@ -0,0 +1,39 @@ +From 9ef77fbedad9ea8895cd5d7fb7aee16071f527dc Mon Sep 17 00:00:00 2001 +From: Wright Feng +Date: Fri, 26 Apr 2019 03:12:32 +0000 +Subject: [PATCH] brcmfmac: send mailbox interrupt twice for specific hardware + device + +For PCIE wireless device with core revision less than 14, device may miss +PCIE to System Backplane Interrupt via PCIEtoSBMailbox. So add sending +mail box interrupt twice as a hardware workaround. + +Signed-off-by: Wright Feng +Signed-off-by: Kalle Valo +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c +@@ -675,6 +675,7 @@ static int + brcmf_pcie_send_mb_data(struct brcmf_pciedev_info *devinfo, u32 htod_mb_data) + { + struct brcmf_pcie_shared_info *shared; ++ struct brcmf_core *core; + u32 addr; + u32 cur_htod_mb_data; + u32 i; +@@ -698,7 +699,11 @@ brcmf_pcie_send_mb_data(struct brcmf_pci + + brcmf_pcie_write_tcm32(devinfo, addr, htod_mb_data); + pci_write_config_dword(devinfo->pdev, BRCMF_PCIE_REG_SBMBX, 1); +- pci_write_config_dword(devinfo->pdev, BRCMF_PCIE_REG_SBMBX, 1); ++ ++ /* Send mailbox interrupt twice as a hardware workaround */ ++ core = brcmf_chip_get_core(devinfo->ci, BCMA_CORE_PCIE2); ++ if (core->rev <= 13) ++ pci_write_config_dword(devinfo->pdev, BRCMF_PCIE_REG_SBMBX, 1); + + return 0; + } diff --git a/package/kernel/mac80211/patches/459-v5.2-brcm80211-potential-NULL-dereference-in-brcmf_cfg802.patch b/package/kernel/mac80211/patches/459-v5.2-brcm80211-potential-NULL-dereference-in-brcmf_cfg802.patch new file mode 100644 index 0000000000..b4d56c34bc --- /dev/null +++ b/package/kernel/mac80211/patches/459-v5.2-brcm80211-potential-NULL-dereference-in-brcmf_cfg802.patch @@ -0,0 +1,50 @@ +From e025da3d7aa4770bb1d1b3b0aa7cc4da1744852d Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 24 Apr 2019 12:52:18 +0300 +Subject: [PATCH] brcm80211: potential NULL dereference in + brcmf_cfg80211_vndr_cmds_dcmd_handler() + +If "ret_len" is negative then it could lead to a NULL dereference. + +The "ret_len" value comes from nl80211_vendor_cmd(), if it's negative +then we don't allocate the "dcmd_buf" buffer. Then we pass "ret_len" to +brcmf_fil_cmd_data_set() where it is cast to a very high u32 value. +Most of the functions in that call tree check whether the buffer we pass +is NULL but there are at least a couple places which don't such as +brcmf_dbg_hex_dump() and brcmf_msgbuf_query_dcmd(). We memcpy() to and +from the buffer so it would result in a NULL dereference. + +The fix is to change the types so that "ret_len" can't be negative. (If +we memcpy() zero bytes to NULL, that's a no-op and doesn't cause an +issue). + +Fixes: 1bacb0487d0e ("brcmfmac: replace cfg80211 testmode with vendor command") +Signed-off-by: Dan Carpenter +Signed-off-by: Kalle Valo +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/vendor.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/vendor.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/vendor.c +@@ -35,9 +35,10 @@ static int brcmf_cfg80211_vndr_cmds_dcmd + struct brcmf_if *ifp; + const struct brcmf_vndr_dcmd_hdr *cmdhdr = data; + struct sk_buff *reply; +- int ret, payload, ret_len; ++ unsigned int payload, ret_len; + void *dcmd_buf = NULL, *wr_pointer; + u16 msglen, maxmsglen = PAGE_SIZE - 0x100; ++ int ret; + + if (len < sizeof(*cmdhdr)) { + brcmf_err("vendor command too short: %d\n", len); +@@ -65,7 +66,7 @@ static int brcmf_cfg80211_vndr_cmds_dcmd + brcmf_err("oversize return buffer %d\n", ret_len); + ret_len = BRCMF_DCMD_MAXLEN; + } +- payload = max(ret_len, len) + 1; ++ payload = max_t(unsigned int, ret_len, len) + 1; + dcmd_buf = vzalloc(payload); + if (NULL == dcmd_buf) + return -ENOMEM; diff --git a/package/kernel/mac80211/patches/460-v5.2-brcmfmac-set-txflow-request-id-from-1-to-pktids-arra.patch b/package/kernel/mac80211/patches/460-v5.2-brcmfmac-set-txflow-request-id-from-1-to-pktids-arra.patch new file mode 100644 index 0000000000..6702dd57b6 --- /dev/null +++ b/package/kernel/mac80211/patches/460-v5.2-brcmfmac-set-txflow-request-id-from-1-to-pktids-arra.patch @@ -0,0 +1,49 @@ +From 2d91c8ad068a5cad4d9e7ece8dc811a697c7176a Mon Sep 17 00:00:00 2001 +From: Wright Feng +Date: Fri, 26 Apr 2019 03:41:46 +0000 +Subject: [PATCH] brcmfmac: set txflow request id from 1 to pktids array size + +Some PCIE firmwares drop txstatus if pktid is 0 and make packet held in +host side and never be released. If that packet type is 802.1x, the +pend_8021x_cnt value will be always greater than 0 and show "Timed out +waiting for no pending 802.1x packets" error message when sending key to +dongle every time. + +To be compatible with all firmwares, host should set txflow request id +from 1 instead of from 0. + +Signed-off-by: Wright Feng +Signed-off-by: Kalle Valo +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c +@@ -375,7 +375,7 @@ brcmf_msgbuf_get_pktid(struct device *de + struct brcmf_msgbuf_pktid *pktid; + struct sk_buff *skb; + +- if (idx >= pktids->array_size) { ++ if (idx < 0 || idx >= pktids->array_size) { + brcmf_err("Invalid packet id %d (max %d)\n", idx, + pktids->array_size); + return NULL; +@@ -747,7 +747,7 @@ static void brcmf_msgbuf_txflow(struct b + tx_msghdr = (struct msgbuf_tx_msghdr *)ret_ptr; + + tx_msghdr->msg.msgtype = MSGBUF_TYPE_TX_POST; +- tx_msghdr->msg.request_id = cpu_to_le32(pktid); ++ tx_msghdr->msg.request_id = cpu_to_le32(pktid + 1); + tx_msghdr->msg.ifidx = brcmf_flowring_ifidx_get(flow, flowid); + tx_msghdr->flags = BRCMF_MSGBUF_PKT_FLAGS_FRAME_802_3; + tx_msghdr->flags |= (skb->priority & 0x07) << +@@ -884,7 +884,7 @@ brcmf_msgbuf_process_txstatus(struct brc + u16 flowid; + + tx_status = (struct msgbuf_tx_status *)buf; +- idx = le32_to_cpu(tx_status->msg.request_id); ++ idx = le32_to_cpu(tx_status->msg.request_id) - 1; + flowid = le16_to_cpu(tx_status->compl_hdr.flow_ring_id); + flowid -= BRCMF_H2D_MSGRING_FLOWRING_IDSTART; + skb = brcmf_msgbuf_get_pktid(msgbuf->drvr->bus_if->dev, diff --git a/package/kernel/mac80211/patches/461-v5.2-brcmfmac-print-firmware-messages-after-a-firmware-cr.patch b/package/kernel/mac80211/patches/461-v5.2-brcmfmac-print-firmware-messages-after-a-firmware-cr.patch new file mode 100644 index 0000000000..ceb85055d5 --- /dev/null +++ b/package/kernel/mac80211/patches/461-v5.2-brcmfmac-print-firmware-messages-after-a-firmware-cr.patch @@ -0,0 +1,90 @@ +From 47dd82e3d25e85a7c7c4e4b0eac9d297d1e5e2d4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= +Date: Sun, 28 Apr 2019 23:38:26 +0200 +Subject: [PATCH] brcmfmac: print firmware messages after a firmware crash +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Normally firmware messages are printed with debugging enabled only. It's +a good idea as firmware may print a lot of messages that normal users +don't need to care about. + +However, on firmware crash, it may be very helpful to log all recent +messages. There is almost always a backtrace available as well as rought +info on the latest actions/state. + +Signed-off-by: Rafał Miłecki +Reviewed-by: Arend van Spriel +Signed-off-by: Kalle Valo +--- + .../broadcom/brcm80211/brcmfmac/pcie.c | 24 ++++++++++++++----- + 1 file changed, 18 insertions(+), 6 deletions(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c +@@ -764,15 +764,22 @@ static void brcmf_pcie_bus_console_init( + console->base_addr, console->buf_addr, console->bufsize); + } + +- +-static void brcmf_pcie_bus_console_read(struct brcmf_pciedev_info *devinfo) ++/** ++ * brcmf_pcie_bus_console_read - reads firmware messages ++ * ++ * @error: specifies if error has occurred (prints messages unconditionally) ++ */ ++static void brcmf_pcie_bus_console_read(struct brcmf_pciedev_info *devinfo, ++ bool error) + { ++ struct pci_dev *pdev = devinfo->pdev; ++ struct brcmf_bus *bus = dev_get_drvdata(&pdev->dev); + struct brcmf_pcie_console *console; + u32 addr; + u8 ch; + u32 newidx; + +- if (!BRCMF_FWCON_ON()) ++ if (!error && !BRCMF_FWCON_ON()) + return; + + console = &devinfo->shared.console; +@@ -796,7 +803,10 @@ static void brcmf_pcie_bus_console_read( + } + if (ch == '\n') { + console->log_str[console->log_idx] = 0; +- pr_debug("CONSOLE: %s", console->log_str); ++ if (error) ++ brcmf_err(bus, "CONSOLE: %s", console->log_str); ++ else ++ pr_debug("CONSOLE: %s", console->log_str); + console->log_idx = 0; + } + } +@@ -857,7 +867,7 @@ static irqreturn_t brcmf_pcie_isr_thread + &devinfo->pdev->dev); + } + } +- brcmf_pcie_bus_console_read(devinfo); ++ brcmf_pcie_bus_console_read(devinfo, false); + if (devinfo->state == BRCMFMAC_PCIE_STATE_UP) + brcmf_pcie_intr_enable(devinfo); + devinfo->in_irq = false; +@@ -1426,6 +1436,8 @@ static int brcmf_pcie_reset(struct devic + struct brcmf_fw_request *fwreq; + int err; + ++ brcmf_pcie_bus_console_read(devinfo, true); ++ + brcmf_detach(dev); + + brcmf_pcie_release_irq(devinfo); +@@ -1818,7 +1830,7 @@ static void brcmf_pcie_setup(struct devi + if (brcmf_attach(&devinfo->pdev->dev, devinfo->settings) == 0) + return; + +- brcmf_pcie_bus_console_read(devinfo); ++ brcmf_pcie_bus_console_read(devinfo, false); + + fail: + device_release_driver(dev); diff --git a/package/kernel/mac80211/patches/860-brcmfmac-register-wiphy-s-during-module_init.patch b/package/kernel/mac80211/patches/860-brcmfmac-register-wiphy-s-during-module_init.patch index f59102cdf0..e7385513db 100644 --- a/package/kernel/mac80211/patches/860-brcmfmac-register-wiphy-s-during-module_init.patch +++ b/package/kernel/mac80211/patches/860-brcmfmac-register-wiphy-s-during-module_init.patch @@ -13,7 +13,7 @@ Signed-off-by: Rafał Miłecki --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c -@@ -1406,6 +1406,7 @@ int __init brcmf_core_init(void) +@@ -1434,6 +1434,7 @@ int __init brcmf_core_init(void) { if (!schedule_work(&brcmf_driver_work)) return -EBUSY; diff --git a/package/kernel/mac80211/patches/865-brcmfmac-get-RAM-info-right-before-downloading-PCIe-.patch b/package/kernel/mac80211/patches/865-brcmfmac-get-RAM-info-right-before-downloading-PCIe-.patch index 020594dcbc..46eb0fe2de 100644 --- a/package/kernel/mac80211/patches/865-brcmfmac-get-RAM-info-right-before-downloading-PCIe-.patch +++ b/package/kernel/mac80211/patches/865-brcmfmac-get-RAM-info-right-before-downloading-PCIe-.patch @@ -55,7 +55,7 @@ Signed-off-by: Rafał Miłecki void brcmf_chip_detach(struct brcmf_chip *chip); --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c -@@ -1727,6 +1727,12 @@ static void brcmf_pcie_setup(struct devi +@@ -1779,6 +1779,12 @@ static void brcmf_pcie_setup(struct devi nvram_len = fwreq->items[BRCMF_PCIE_FW_NVRAM].nv_data.len; kfree(fwreq); -- 2.25.1