mac80211: backport today's brcmfmac changes

This fixes various problems with parsing platform NVRAM. It's required to get BCM43602 working in most cases. Signed-off-by: Rafał Miłecki <zajec5@gmail.com> SVN-Revision: 45802
9 years ago · c1cc2217c2
parent 597d2060c5
commit c1cc2217c2
5 changed files with 323 additions and 0 deletions
--- a/package/kernel/mac80211/patches/373-brcmfmac-avoid-null-pointer-access-when-brcmf_msgbuf.patch
+++ b/package/kernel/mac80211/patches/373-brcmfmac-avoid-null-pointer-access-when-brcmf_msgbuf.patch
@ -0,0 +1,102 @@
+From: Arend van Spriel <arend@broadcom.com>
+Date: Tue, 26 May 2015 13:19:46 +0200
+Subject: [PATCH] brcmfmac: avoid null pointer access when
+ brcmf_msgbuf_get_pktid() fails
+
+The function brcmf_msgbuf_get_pktid() may return a NULL pointer so
+the callers should check the return pointer before accessing it to
+avoid the crash below (see [1]):
+
+brcmfmac: brcmf_msgbuf_get_pktid: Invalid packet id 273 (not in use)
+BUG: unable to handle kernel NULL pointer dereference at 0000000000000080
+IP: [<ffffffff8145b225>] skb_pull+0x5/0x50
+PGD 0
+Oops: 0000 [#1] PREEMPT SMP
+Modules linked in: pci_stub vboxpci(O) vboxnetflt(O) vboxnetadp(O) vboxdrv(O)
+ snd_hda_codec_hdmi bnep mousedev hid_generic ushwmon msr ext4 crc16 mbcache
+ jbd2 sd_mod uas usb_storage ahci libahci libata scsi_mod xhci_pci xhci_hcd
+ usbcore usb_common
+CPU: 0 PID: 1661 Comm: irq/61-brcmf_pc Tainted: G O    4.0.1-MacbookPro-ARCH #1
+Hardware name: Apple Inc. MacBookPro12,1/Mac-E43C1C25D4880AD6,
+ BIOS MBP121.88Z.0167.B02.1503241251 03/24/2015
+task: ffff880264203cc0 ti: ffff88025ffe4000 task.ti: ffff88025ffe4000
+RIP: 0010:[<ffffffff8145b225>]  [<ffffffff8145b225>] skb_pull+0x5/0x50
+RSP: 0018:ffff88025ffe7d40  EFLAGS: 00010202
+RAX: 0000000000000000 RBX: ffff88008a33c000 RCX: 0000000000000044
+RDX: 0000000000000000 RSI: 000000000000004a RDI: 0000000000000000
+RBP: ffff88025ffe7da8 R08: 0000000000000096 R09: 000000000000004a
+R10: 0000000000000000 R11: 000000000000048e R12: ffff88025ff14f00
+R13: 0000000000000000 R14: ffff880263b48200 R15: ffff88008a33c000
+FS:  0000000000000000(0000) GS:ffff88026ec00000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000000080 CR3: 000000000180b000 CR4: 00000000003407f0
+Stack:
+ ffffffffa06aed74 ffff88025ffe7dc8 ffff880263b48270 ffff880263b48278
+ 05ea88020000004a 0002ffff81014635 000000001720b2f6 ffff88026ec116c0
+ ffff880263b48200 0000000000010000 ffff880263b4ae00 ffff880264203cc0
+Call Trace:
+ [<ffffffffa06aed74>] ? brcmf_msgbuf_process_rx+0x404/0x480 [brcmfmac]
+ [<ffffffff810cea60>] ? irq_finalize_oneshot.part.30+0xf0/0xf0
+ [<ffffffffa06afb55>] brcmf_proto_msgbuf_rx_trigger+0x35/0xf0 [brcmfmac]
+ [<ffffffffa06baf2a>] brcmf_pcie_isr_thread_v2+0x8a/0x130 [brcmfmac]
+ [<ffffffff810cea80>] irq_thread_fn+0x20/0x50
+ [<ffffffff810ceddf>] irq_thread+0x13f/0x170
+ [<ffffffff810cebf0>] ? wake_threads_waitq+0x30/0x30
+ [<ffffffff810ceca0>] ? irq_thread_dtor+0xb0/0xb0
+ [<ffffffff81092a08>] kthread+0xd8/0xf0
+ [<ffffffff81092930>] ? kthread_create_on_node+0x1c0/0x1c0
+ [<ffffffff8156d898>] ret_from_fork+0x58/0x90
+ [<ffffffff81092930>] ? kthread_create_on_node+0x1c0/0x1c0
+Code: 01 83 e2 f7 88 50 01 48 83 c4 08 5b 5d f3 c3 0f 1f 80 00 00 00 00 83 e2
+ f7 88 50 01 c3 66 0f 1f 84 00 00 00 00 00 0f 1f
+RIP  [<ffffffff8145b225>] skb_pull+0x5/0x50
+ RSP <ffff88025ffe7d40>
+CR2: 0000000000000080
+---[ end trace b074c0f90e7c997d ]---
+
+[1] http://mid.gmane.org/20150430193259.GA5630@googlemail.com
+
+Cc: <stable@vger.kernel.org> # v3.18, v3.19, v4.0, v4.1
+Reported-by: Michael Hornung <mhornung.linux@gmail.com>
+Reviewed-by: Hante Meuleman <meuleman@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
+Signed-off-by: Arend van Spriel <arend@broadcom.com>
+---
+
+--- a/drivers/net/wireless/brcm80211/brcmfmac/msgbuf.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/msgbuf.c
+@@ -500,11 +500,9 @@ static int brcmf_msgbuf_query_dcmd(struc
+ 				     msgbuf->rx_pktids,
+ 				     msgbuf->ioctl_resp_pktid);
+ 	if (msgbuf->ioctl_resp_ret_len != 0) {
+-		if (!skb) {
+-			brcmf_err("Invalid packet id idx recv'd %d\n",
+-				  msgbuf->ioctl_resp_pktid);
+		if (!skb)
+ 			return -EBADF;
+-		}
+
+ 		memcpy(buf, skb->data, (len < msgbuf->ioctl_resp_ret_len) ?
+ 				       len : msgbuf->ioctl_resp_ret_len);
+ 	}
+@@ -866,10 +864,8 @@ brcmf_msgbuf_process_txstatus(struct brc
+ 	flowid -= BRCMF_NROF_H2D_COMMON_MSGRINGS;
+ 	skb = brcmf_msgbuf_get_pktid(msgbuf->drvr->bus_if->dev,
+ 				     msgbuf->tx_pktids, idx);
+-	if (!skb) {
+-		brcmf_err("Invalid packet id idx recv'd %d\n", idx);
+	if (!skb)
+ 		return;
+-	}
+ 
+ 	set_bit(flowid, msgbuf->txstatus_done_map);
+ 	commonring = msgbuf->flowrings[flowid];
+@@ -1148,6 +1144,8 @@ brcmf_msgbuf_process_rx_complete(struct
+ 
+ 	skb = brcmf_msgbuf_get_pktid(msgbuf->drvr->bus_if->dev,
+ 				     msgbuf->rx_pktids, idx);
+	if (!skb)
+		return;
+ 
+ 	if (data_offset)
+ 		skb_pull(skb, data_offset);
--- a/package/kernel/mac80211/patches/374-brcmfmac-fix-invalid-access-to-struct-acpi_device-fi.patch
+++ b/package/kernel/mac80211/patches/374-brcmfmac-fix-invalid-access-to-struct-acpi_device-fi.patch
@ -0,0 +1,63 @@
+From: Arend van Spriel <arend@broadcom.com>
+Date: Wed, 27 May 2015 19:31:41 +0200
+Subject: [PATCH] brcmfmac: fix invalid access to struct acpi_device fields
+
+The fields of struct acpi_device are only known when CONFIG_ACPI is
+defined. Fix this by using a helper function. This will resolve the
+issue found in linux-next:
+
+ ../brcmfmac/bcmsdh.c: In function 'brcmf_ops_sdio_probe':
+ ../brcmfmac/bcmsdh.c:1139:7: error: dereferencing pointer to incomplete type
+   adev->flags.power_manageable = 0;
+       ^
+
+Fixes: f0992ace680c ("brcmfmac: prohibit ACPI power management ...")
+Cc: Fu, Zhonghui <zhonghui.fu@linux.intel.com>
+Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
+Signed-off-by: Arend van Spriel <arend@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+
+--- a/drivers/net/wireless/brcm80211/brcmfmac/bcmsdh.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/bcmsdh.c
+@@ -1117,6 +1117,18 @@ MODULE_DEVICE_TABLE(sdio, brcmf_sdmmc_id
+ static struct brcmfmac_sdio_platform_data *brcmfmac_sdio_pdata;
+ 
+ 
+static void brcmf_sdiod_acpi_set_power_manageable(struct device *dev,
+						  int val)
+{
+#if IS_ENABLED(CONFIG_ACPI)
+	struct acpi_device *adev;
+
+	adev = ACPI_COMPANION(dev);
+	if (adev)
+		adev->flags.power_manageable = 0;
+#endif
+}
+
+ static int brcmf_ops_sdio_probe(struct sdio_func *func,
+ 				const struct sdio_device_id *id)
+ {
+@@ -1124,7 +1136,6 @@ static int brcmf_ops_sdio_probe(struct s
+ 	struct brcmf_sdio_dev *sdiodev;
+ 	struct brcmf_bus *bus_if;
+ 	struct device *dev;
+-	struct acpi_device *adev;
+ 
+ 	brcmf_dbg(SDIO, "Enter\n");
+ 	brcmf_dbg(SDIO, "Class=%x\n", func->class);
+@@ -1132,11 +1143,9 @@ static int brcmf_ops_sdio_probe(struct s
+ 	brcmf_dbg(SDIO, "sdio device ID: 0x%04x\n", func->device);
+ 	brcmf_dbg(SDIO, "Function#: %d\n", func->num);
+ 
+-	/* prohibit ACPI power management for this device */
+ 	dev = &func->dev;
+-	adev = ACPI_COMPANION(dev);
+-	if (adev)
+-		adev->flags.power_manageable = 0;
+	/* prohibit ACPI power management for this device */
+	brcmf_sdiod_acpi_set_power_manageable(dev, 0);
+ 
+ 	/* Consume func num 1 but dont do anything with it. */
+ 	if (func->num == 1)
--- a/package/kernel/mac80211/patches/375-brcmfmac-simplify-check-stripping-v2-NVRAM.patch
+++ b/package/kernel/mac80211/patches/375-brcmfmac-simplify-check-stripping-v2-NVRAM.patch
@ -0,0 +1,56 @@
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <zajec5@gmail.com>
+Date: Wed, 20 May 2015 09:34:21 +0200
+Subject: [PATCH] brcmfmac: simplify check stripping v2 NVRAM
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Comparing NVRAM entry with a full filtering string is simpler than
+comparing it with a short prefix and then checking random chars at magic
+offsets. The cost of snprintf relatively low, we execute it just once.
+Tested on BCM43602 with NVRAM hacked to use V2 format.
+
+Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+
+--- a/drivers/net/wireless/brcm80211/brcmfmac/firmware.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/firmware.c
+@@ -25,7 +25,7 @@
+ 
+ #define BRCMF_FW_MAX_NVRAM_SIZE			64000
+ #define BRCMF_FW_NVRAM_DEVPATH_LEN		19	/* devpath0=pcie/1/4/ */
+-#define BRCMF_FW_NVRAM_PCIEDEV_LEN		9	/* pcie/1/4/ */
+#define BRCMF_FW_NVRAM_PCIEDEV_LEN		10	/* pcie/1/4/ + \0 */
+ 
+ char brcmf_firmware_path[BRCMF_FW_PATH_LEN];
+ module_param_string(firmware_path, brcmf_firmware_path,
+@@ -297,6 +297,8 @@ fail:
+ static void brcmf_fw_strip_multi_v2(struct nvram_parser *nvp, u16 domain_nr,
+ 				    u16 bus_nr)
+ {
+	char prefix[BRCMF_FW_NVRAM_PCIEDEV_LEN];
+	size_t len;
+ 	u32 i, j;
+ 	u8 *nvram;
+ 
+@@ -308,14 +310,13 @@ static void brcmf_fw_strip_multi_v2(stru
+ 	 * Valid entries are of type pcie/X/Y/ where X = domain_nr and
+ 	 * Y = bus_nr.
+ 	 */
+	snprintf(prefix, sizeof(prefix), "pcie/%d/%d/", domain_nr, bus_nr);
+	len = strlen(prefix);
+ 	i = 0;
+ 	j = 0;
+-	while (i < nvp->nvram_len - BRCMF_FW_NVRAM_PCIEDEV_LEN) {
+-		if ((strncmp(&nvp->nvram[i], "pcie/", 5) == 0) &&
+-		    (nvp->nvram[i + 6] == '/') && (nvp->nvram[i + 8] == '/') &&
+-		    ((nvp->nvram[i + 5] - '0') == domain_nr) &&
+-		    ((nvp->nvram[i + 7] - '0') == bus_nr)) {
+-			i += BRCMF_FW_NVRAM_PCIEDEV_LEN;
+	while (i < nvp->nvram_len - len) {
+		if (strncmp(&nvp->nvram[i], prefix, len) == 0) {
+			i += len;
+ 			while (nvp->nvram[i] != 0) {
+ 				nvram[j] = nvp->nvram[i];
+ 				i++;
--- a/package/kernel/mac80211/patches/376-brcmfmac-simplify-check-finding-NVRAM-v1-device-path.patch
+++ b/package/kernel/mac80211/patches/376-brcmfmac-simplify-check-finding-NVRAM-v1-device-path.patch
@ -0,0 +1,57 @@
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <zajec5@gmail.com>
+Date: Wed, 20 May 2015 11:01:08 +0200
+Subject: [PATCH] brcmfmac: simplify check finding NVRAM v1 device path
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+With a simple use of snprintf and small buffer we can compare NVRAM
+entry value with a full string. This way we avoid checking random chars
+at magic offsets.
+Tested on BCM43602 with NVRAM hacked to use v1 format.
+
+Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+
+--- a/drivers/net/wireless/brcm80211/brcmfmac/firmware.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/firmware.c
+@@ -222,6 +222,10 @@ static int brcmf_init_nvram_parser(struc
+ static void brcmf_fw_strip_multi_v1(struct nvram_parser *nvp, u16 domain_nr,
+ 				    u16 bus_nr)
+ {
+	/* Device path with a leading '=' key-value separator */
+	char pcie_path[] = "=pcie/?/?";
+	size_t pcie_len;
+
+ 	u32 i, j;
+ 	bool found;
+ 	u8 *nvram;
+@@ -238,6 +242,9 @@ static void brcmf_fw_strip_multi_v1(stru
+ 	/* First search for the devpathX and see if it is the configuration
+ 	 * for domain_nr/bus_nr. Search complete nvp
+ 	 */
+	snprintf(pcie_path, sizeof(pcie_path), "=pcie/%d/%d", domain_nr,
+		 bus_nr);
+	pcie_len = strlen(pcie_path);
+ 	found = false;
+ 	i = 0;
+ 	while (i < nvp->nvram_len - BRCMF_FW_NVRAM_DEVPATH_LEN) {
+@@ -245,13 +252,10 @@ static void brcmf_fw_strip_multi_v1(stru
+ 		 * Y = domain_nr, Z = bus_nr, X = virtual ID
+ 		 */
+ 		if ((strncmp(&nvp->nvram[i], "devpath", 7) == 0) &&
+-		    (strncmp(&nvp->nvram[i + 8], "=pcie/", 6) == 0)) {
+-			if (((nvp->nvram[i + 14] - '0') == domain_nr) &&
+-			    ((nvp->nvram[i + 16] - '0') == bus_nr)) {
+-				id = nvp->nvram[i + 7] - '0';
+-				found = true;
+-				break;
+-			}
+		    (strncmp(&nvp->nvram[i + 8], pcie_path, pcie_len) == 0)) {
+			id = nvp->nvram[i + 7] - '0';
+			found = true;
+			break;
+ 		}
+ 		while (nvp->nvram[i] != 0)
+ 			i++;
--- a/package/kernel/mac80211/patches/377-brcmfmac-treat-0-as-end-of-comment-when-parsing-NVRA.patch
+++ b/package/kernel/mac80211/patches/377-brcmfmac-treat-0-as-end-of-comment-when-parsing-NVRA.patch
@ -0,0 +1,45 @@
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <zajec5@gmail.com>
+Date: Wed, 20 May 2015 13:59:54 +0200
+Subject: [PATCH] brcmfmac: treat \0 as end of comment when parsing NVRAM
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This fixes brcmfmac dealing with NVRAM coming from platform e.g. from a
+flash MTD partition. In such cases entries are separated by \0 instead
+of \n which caused ignoring whole content after the first "comment".
+While platform NVRAM doesn't usually contain comments, we switch to
+COMMENT state after e.g. finding an unexpected char in key name.
+
+Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+
+--- a/drivers/net/wireless/brcm80211/brcmfmac/firmware.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/firmware.c
+@@ -162,17 +162,20 @@ brcmf_nvram_handle_value(struct nvram_pa
+ static enum nvram_parser_state
+ brcmf_nvram_handle_comment(struct nvram_parser *nvp)
+ {
+-	char *eol, *sol;
+	char *eoc, *sol;
+ 
+ 	sol = (char *)&nvp->fwnv->data[nvp->pos];
+-	eol = strchr(sol, '\n');
+-	if (eol == NULL)
+-		return END;
+	eoc = strchr(sol, '\n');
+	if (!eoc) {
+		eoc = strchr(sol, '\0');
+		if (!eoc)
+			return END;
+	}
+ 
+ 	/* eat all moving to next line */
+ 	nvp->line++;
+ 	nvp->column = 1;
+-	nvp->pos += (eol - sol) + 1;
+	nvp->pos += (eoc - sol) + 1;
+ 	return IDLE;
+ }
+