--- /dev/null
+From 73f2c8e933b1dcf432ac8c6965a6e67af630077f Mon Sep 17 00:00:00 2001
+From: Kevin Cernekee <cernekee@chromium.org>
+Date: Sat, 16 Sep 2017 21:08:22 -0700
+Subject: [PATCH] brcmfmac: Avoid possible out-of-bounds read
+
+In brcmf_p2p_notify_rx_mgmt_p2p_probereq(), chanspec is assigned before
+the length of rxframe is validated. This could lead to uninitialized
+data being accessed (but not printed). Since we already have a
+perfectly good endian-swapped copy of rxframe->chanspec in ch.chspec,
+and ch.chspec is not modified by decchspec(), avoid the extra
+assignment and use ch.chspec in the debug print.
+
+Suggested-by: Mattias Nissler <mnissler@chromium.org>
+Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
+Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c
+@@ -1853,7 +1853,6 @@ s32 brcmf_p2p_notify_rx_mgmt_p2p_probere
+ struct afx_hdl *afx_hdl = &p2p->afx_hdl;
+ struct brcmf_cfg80211_vif *vif = ifp->vif;
+ struct brcmf_rx_mgmt_data *rxframe = (struct brcmf_rx_mgmt_data *)data;
+- u16 chanspec = be16_to_cpu(rxframe->chanspec);
+ struct brcmu_chan ch;
+ u8 *mgmt_frame;
+ u32 mgmt_frame_len;
+@@ -1906,7 +1905,7 @@ s32 brcmf_p2p_notify_rx_mgmt_p2p_probere
+ cfg80211_rx_mgmt(&vif->wdev, freq, 0, mgmt_frame, mgmt_frame_len, 0);
+
+ brcmf_dbg(INFO, "mgmt_frame_len (%d) , e->datalen (%d), chanspec (%04x), freq (%d)\n",
+- mgmt_frame_len, e->datalen, chanspec, freq);
++ mgmt_frame_len, e->datalen, ch.chspec, freq);
+
+ return 0;
+ }
--- /dev/null
+From 2fd3877b5bb7d39782c3205a1dcda02023b8514a Mon Sep 17 00:00:00 2001
+From: Arend Van Spriel <arend.vanspriel@broadcom.com>
+Date: Wed, 8 Nov 2017 14:36:31 +0100
+Subject: [PATCH] brcmfmac: handle FWHALT mailbox indication
+
+The firmware uses a mailbox to communicate to the host what is going
+on. In the driver we validate the bit received. Various people seen
+the following message:
+
+ brcmfmac: brcmf_sdio_hostmail: Unknown mailbox data content: 0x40012
+
+Bit 4 is cause of this message, but this actually indicates the firmware
+has halted. Handle this bit by giving a more meaningful error message.
+
+Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
+Reviewed-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+@@ -259,10 +259,11 @@ struct rte_console {
+ #define I_HMB_HOST_INT I_HMB_SW3 /* Miscellaneous Interrupt */
+
+ /* tohostmailboxdata */
+-#define HMB_DATA_NAKHANDLED 1 /* retransmit NAK'd frame */
+-#define HMB_DATA_DEVREADY 2 /* talk to host after enable */
+-#define HMB_DATA_FC 4 /* per prio flowcontrol update flag */
+-#define HMB_DATA_FWREADY 8 /* fw ready for protocol activity */
++#define HMB_DATA_NAKHANDLED 0x0001 /* retransmit NAK'd frame */
++#define HMB_DATA_DEVREADY 0x0002 /* talk to host after enable */
++#define HMB_DATA_FC 0x0004 /* per prio flowcontrol update flag */
++#define HMB_DATA_FWREADY 0x0008 /* fw ready for protocol activity */
++#define HMB_DATA_FWHALT 0x0010 /* firmware halted */
+
+ #define HMB_DATA_FCDATA_MASK 0xff000000
+ #define HMB_DATA_FCDATA_SHIFT 24
+@@ -1093,6 +1094,10 @@ static u32 brcmf_sdio_hostmail(struct br
+ offsetof(struct sdpcmd_regs, tosbmailbox));
+ bus->sdcnt.f1regdata += 2;
+
++ /* dongle indicates the firmware has halted/crashed */
++ if (hmb_data & HMB_DATA_FWHALT)
++ brcmf_err("mailbox indicates firmware halted\n");
++
+ /* Dongle recomposed rx frames, accept them again */
+ if (hmb_data & HMB_DATA_NAKHANDLED) {
+ brcmf_dbg(SDIO, "Dongle reports NAK handled, expect rtx of %d\n",
+@@ -1150,6 +1155,7 @@ static u32 brcmf_sdio_hostmail(struct br
+ HMB_DATA_NAKHANDLED |
+ HMB_DATA_FC |
+ HMB_DATA_FWREADY |
++ HMB_DATA_FWHALT |
+ HMB_DATA_FCDATA_MASK | HMB_DATA_VERSION_MASK))
+ brcmf_err("Unknown mailbox data content: 0x%02x\n",
+ hmb_data);
projects / users / dwmw2 / openwrt.git / commitdiff