kernel/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c, branch linux-6.2.y

wifi: brcmfmac: Fix potential shift-out-of-bounds in brcmf_fw_alloc_request()

2022-11-04T10:58:48Z

This patch fixes a shift-out-of-bounds in brcmfmac that occurs in BIT(chiprev) when a 'chiprev' provided by the device is too large. It should also not be equal to or greater than BITS_PER_TYPE(u32) as we do bitwise AND with a u32 variable and BIT(chiprev). The patch adds a check that makes the function return NULL if that is the case. Note that the NULL case is later handled by the bus-specific caller, brcmf_usb_probe_cb() or brcmf_usb_reset_resume(), for example. Found by a modified version of syzkaller. UBSAN: shift-out-of-bounds in drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c shift exponent 151055786 is too large for 64-bit type 'long unsigned int' CPU: 0 PID: 1885 Comm: kworker/0:2 Tainted: G O 5.14.0+ #132 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 Workqueue: usb_hub_wq hub_event Call Trace: dump_stack_lvl+0x57/0x7d ubsan_epilogue+0x5/0x40 __ubsan_handle_shift_out_of_bounds.cold+0x53/0xdb ? lock_chain_count+0x20/0x20 brcmf_fw_alloc_request.cold+0x19/0x3ea ? brcmf_fw_get_firmwares+0x250/0x250 ? brcmf_usb_ioctl_resp_wait+0x1a7/0x1f0 brcmf_usb_get_fwname+0x114/0x1a0 ? brcmf_usb_reset_resume+0x120/0x120 ? number+0x6c4/0x9a0 brcmf_c_process_clm_blob+0x168/0x590 ? put_dec+0x90/0x90 ? enable_ptr_key_workfn+0x20/0x20 ? brcmf_common_pd_remove+0x50/0x50 ? rcu_read_lock_sched_held+0xa1/0xd0 brcmf_c_preinit_dcmds+0x673/0xc40 ? brcmf_c_set_joinpref_default+0x100/0x100 ? rcu_read_lock_sched_held+0xa1/0xd0 ? rcu_read_lock_bh_held+0xb0/0xb0 ? lock_acquire+0x19d/0x4e0 ? find_held_lock+0x2d/0x110 ? brcmf_usb_deq+0x1cc/0x260 ? mark_held_locks+0x9f/0xe0 ? lockdep_hardirqs_on_prepare+0x273/0x3e0 ? _raw_spin_unlock_irqrestore+0x47/0x50 ? trace_hardirqs_on+0x1c/0x120 ? brcmf_usb_deq+0x1a7/0x260 ? brcmf_usb_rx_fill_all+0x5a/0xf0 brcmf_attach+0x246/0xd40 ? wiphy_new_nm+0x1476/0x1d50 ? kmemdup+0x30/0x40 brcmf_usb_probe+0x12de/0x1690 ? brcmf_usbdev_qinit.constprop.0+0x470/0x470 usb_probe_interface+0x25f/0x710 really_probe+0x1be/0xa90 __driver_probe_device+0x2ab/0x460 ? usb_match_id.part.0+0x88/0xc0 driver_probe_device+0x49/0x120 __device_attach_driver+0x18a/0x250 ? driver_allows_async_probing+0x120/0x120 bus_for_each_drv+0x123/0x1a0 ? bus_rescan_devices+0x20/0x20 ? lockdep_hardirqs_on_prepare+0x273/0x3e0 ? trace_hardirqs_on+0x1c/0x120 __device_attach+0x207/0x330 ? device_bind_driver+0xb0/0xb0 ? kobject_uevent_env+0x230/0x12c0 bus_probe_device+0x1a2/0x260 device_add+0xa61/0x1ce0 ? __mutex_unlock_slowpath+0xe7/0x660 ? __fw_devlink_link_to_suppliers+0x550/0x550 usb_set_configuration+0x984/0x1770 ? kernfs_create_link+0x175/0x230 usb_generic_driver_probe+0x69/0x90 usb_probe_device+0x9c/0x220 really_probe+0x1be/0xa90 __driver_probe_device+0x2ab/0x460 driver_probe_device+0x49/0x120 __device_attach_driver+0x18a/0x250 ? driver_allows_async_probing+0x120/0x120 bus_for_each_drv+0x123/0x1a0 ? bus_rescan_devices+0x20/0x20 ? lockdep_hardirqs_on_prepare+0x273/0x3e0 ? trace_hardirqs_on+0x1c/0x120 __device_attach+0x207/0x330 ? device_bind_driver+0xb0/0xb0 ? kobject_uevent_env+0x230/0x12c0 bus_probe_device+0x1a2/0x260 device_add+0xa61/0x1ce0 ? __fw_devlink_link_to_suppliers+0x550/0x550 usb_new_device.cold+0x463/0xf66 ? hub_disconnect+0x400/0x400 ? _raw_spin_unlock_irq+0x24/0x30 hub_event+0x10d5/0x3330 ? hub_port_debounce+0x280/0x280 ? __lock_acquire+0x1671/0x5790 ? wq_calc_node_cpumask+0x170/0x2a0 ? lock_release+0x640/0x640 ? rcu_read_lock_sched_held+0xa1/0xd0 ? rcu_read_lock_bh_held+0xb0/0xb0 ? lockdep_hardirqs_on_prepare+0x273/0x3e0 process_one_work+0x873/0x13e0 ? lock_release+0x640/0x640 ? pwq_dec_nr_in_flight+0x320/0x320 ? rwlock_bug.part.0+0x90/0x90 worker_thread+0x8b/0xd10 ? __kthread_parkme+0xd9/0x1d0 ? process_one_work+0x13e0/0x13e0 kthread+0x379/0x450 ? _raw_spin_unlock_irq+0x24/0x30 ? set_kthread_struct+0x100/0x100 ret_from_fork+0x1f/0x30 Reported-by: Dokyung Song Reported-by: Jisoo Jang Reported-by: Minsuk Kang Signed-off-by: Minsuk Kang Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20221024071329.504277-1-linuxlovemin@yonsei.ac.kr

wifi: brcmfmac: firmware: Allow platform to override macaddr

2022-09-19T09:59:34Z

On Device Tree platforms, it is customary to be able to set the MAC address via the Device Tree, as it is often stored in system firmware. This is particularly relevant for Apple ARM64 platforms, where this information comes from system configuration and passed through by the bootloader into the DT. Implement support for this by fetching the platform MAC address and adding or replacing the macaddr= property in nvram. This becomes the dongle's default MAC address. On platforms with an SROM MAC address, this overrides it. On platforms without one, such as Apple ARM64 devices, this is required for the firmware to boot (it will fail if it does not have a valid MAC at all). Reviewed-by: Linus Walleij Signed-off-by: Hector Martin Reviewed-by: Alvin Šipraga Signed-off-by: Russell King (Oracle) Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/E1oZDnx-0077ae-VK@rmk-PC.armlinux.org.uk

wifi: brcmfmac: firmware: Support passing in multiple board_types

2022-09-19T09:59:33Z

Apple platforms have firmware and config files identified with multiple dimensions. We want to be able to find the most specific firmware available for any given platform, progressively trying more general firmwares. To do this, first add support for passing in multiple board_types, which will be tried in sequence. Since this will cause more log spam due to missing firmwares, also switch the secondary firmware fecthes to use the _nowarn variant, which will not log if the firmware is not found. Signed-off-by: Hector Martin Reviewed-by: Alvin Šipraga Signed-off-by: Russell King (Oracle) Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/E1oZDnd-0077aG-Dk@rmk-PC.armlinux.org.uk

wifi: brcmfmac: firmware: Handle per-board clm_blob files

2022-09-19T09:59:33Z

Teach brcm_alt_fw_paths to correctly split off variable length extensions, and enable alt firmware lookups for the CLM blob firmware requests. Apple platforms have per-board CLM blob files. Acked-by: Linus Walleij Reviewed-by: Arend van Spriel Signed-off-by: Hector Martin Reviewed-by: Alvin Šipraga Signed-off-by: Russell King (Oracle) Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/E1oZDnT-0077a4-4k@rmk-PC.armlinux.org.uk

wifi: move from strlcpy with unused retval to strscpy

2022-09-02T08:47:22Z

Follow the advice of the below link and prefer 'strscpy' in this subsystem. Conversion is 1:1 because the return value is not used. Generated by a coccinelle script. Link: https://lore.kernel.org/r/CAHk-=wgfRnXz0W3D37d01q3JFkr_i_uTL=V6A6G1oUZcprmknw@mail.gmail.com/ Signed-off-by: Wolfram Sang Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20220830201457.7984-2-wsa+renesas@sang-engineering.com

brcmfmac: Switch to appropriate helper to load EFI variable contents

2022-06-20T10:43:25Z

Avoid abusing the efivar layer by invoking it with locally constructed efivar_entry instances, and instead, just call the EFI routines directly if available. Acked-by: Kalle Valo Signed-off-by: Ard Biesheuvel

Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

2022-02-17T19:44:20Z

No conflicts. Signed-off-by: Jakub Kicinski

brcmfmac: firmware: Allocate space for default boardrev in nvram

2022-02-01T12:27:04Z

If boardrev is missing from the NVRAM we add a default one, but this might need more space in the output buffer than was allocated. Ensure we have enough padding for this in the buffer. Fixes: 46f2b38a91b0 ("brcmfmac: insert default boardrev in nvram data if missing") Reviewed-by: Arend van Spriel Cc: stable@vger.kernel.org Signed-off-by: Hector Martin Reviewed-by: Andy Shevchenko Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20220131160713.245637-3-marcan@marcan.st

brcmfmac: firmware: Fix crash in brcm_alt_fw_path

2022-01-28T14:06:04Z

The call to brcm_alt_fw_path in brcmf_fw_get_firmwares is not protected by a check to the validity of the fwctx->req->board_type pointer. This results in a crash in strlcat when, for example, the WLAN chip is found in a USB dongle. Prevent the crash by adding the necessary check. See: https://github.com/raspberrypi/linux/issues/4833 Fixes: 5ff013914c62 ("brcmfmac: firmware: Allow per-board firmware binaries") Signed-off-by: Phil Elwell Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20220118154514.3245524-1-phil@raspberrypi.com

brcmfmac: firmware: Fix firmware loading

2021-08-21T15:45:30Z

The patch that would first try the board-specific firmware had a bug because the fallback would not be called: the asynchronous interface is used meaning request_firmware_nowait() returns 0 immediately. Harden the firmware loading like this: - If we cannot build an alt_path (like if no board_type is specified) just request the first firmware without any suffix, like in the past. - If the lookup of a board specific firmware fails, we get a NULL fw in the async callback, so just try again without the alt_path from a dedicated brcm_fw_request_done_alt_path callback. - Drop the unnecessary prototype of brcm_fw_request_done. - Added MODULE_FIRMWARE match for per-board SDIO bins, making userspace tools to pull all the relevant firmware files. Fixes: 5ff013914c62 ("brcmfmac: firmware: Allow per-board firmware binaries") Cc: Stefan Hansson Signed-off-by: Linus Walleij Signed-off-by: Dmitry Osipenko Reviewed-by: Arend van Spriel Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210808180510.8753-1-digetx@gmail.com