mac80211: brcmfmac: backport important changes from the 4.13

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>

package/kernel/mac80211/Makefile

@@ -11,7 +11,7 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=mac80211
 
 PKG_VERSION:=2017-01-31
-PKG_RELEASE:=7
+PKG_RELEASE:=8
 PKG_SOURCE_URL:=http://mirror2.openwrt.org/sources
 PKG_BACKPORT_VERSION:=
 PKG_HASH:=75e6d39e34cf156212a2509172a4a62b673b69eb4a1d9aaa565f7fa719fa2317

package/kernel/mac80211/patches/323-v4.13-0001-brcmfmac-remove-setting-IBSS-mode-when-stopping-AP.patch

@@ -0,0 +1,34 @@
+From 9029679f66d976f8c720eb03c4898274803c9923 Mon Sep 17 00:00:00 2001
+From: Chi-hsien Lin <Chi-Hsien.Lin@cypress.com>
+Date: Thu, 18 May 2017 17:22:19 +0800
+Subject: [PATCH] brcmfmac: remove setting IBSS mode when stopping AP
+
+Upon stopping an AP interface the driver disable INFRA mode effectively
+setting the interface in IBSS mode. However, this may affect other
+interfaces running in INFRA mode. For instance, if user creates and stops
+hostap daemon on virtual interface, then association cannot work on
+primary interface because default BSS has been set to IBSS mode in
+firmware side. The IBSS mode should be set when cfg80211 changes the
+interface.
+
+Reviewed-by: Wright Feng <wright.feng@cypress.com>
+Signed-off-by: Chi-hsien Lin <Chi-Hsien.Lin@cypress.com>
+[kvalo@codeaurora.org: rephased commit log based on discussion]
+Signed-off-by: Wright Feng <wright.feng@cypress.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -4676,9 +4676,6 @@ static int brcmf_cfg80211_stop_ap(struct
+ 		err = brcmf_fil_cmd_int_set(ifp, BRCMF_C_SET_AP, 0);
+ 		if (err < 0)
+ 			brcmf_err("setting AP mode failed %d\n", err);
+-		err = brcmf_fil_cmd_int_set(ifp, BRCMF_C_SET_INFRA, 0);
+-		if (err < 0)
+-			brcmf_err("setting INFRA mode failed %d\n", err);
+ 		if (brcmf_feat_is_enabled(ifp, BRCMF_FEAT_MBSS))
+ 			brcmf_fil_iovar_int_set(ifp, "mbss", 0);
+ 		brcmf_fil_cmd_int_set(ifp, BRCMF_C_SET_REGULATORY,

package/kernel/mac80211/patches/323-v4.13-0002-brcmfmac-Fix-glom_skb-leak-in-brcmf_sdiod_recv_chain.patch

@@ -0,0 +1,53 @@
+From 5ea59db8a375216e6c915c5586f556766673b5a7 Mon Sep 17 00:00:00 2001
+From: "Peter S. Housel" <housel@acm.org>
+Date: Mon, 12 Jun 2017 11:46:22 +0100
+Subject: [PATCH] brcmfmac: Fix glom_skb leak in brcmf_sdiod_recv_chain
+
+An earlier change to this function (3bdae810721b) fixed a leak in the
+case of an unsuccessful call to brcmf_sdiod_buffrw(). However, the
+glom_skb buffer, used for emulating a scattering read, is never used
+or referenced after its contents are copied into the destination
+buffers, and therefore always needs to be freed by the end of the
+function.
+
+Fixes: 3bdae810721b ("brcmfmac: Fix glob_skb leak in brcmf_sdiod_recv_chain")
+Fixes: a413e39a38573 ("brcmfmac: fix brcmf_sdcard_recv_chain() for host without sg support")
+Cc: stable@vger.kernel.org # 4.9.x-
+Signed-off-by: Peter S. Housel <housel@acm.org>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
+@@ -705,7 +705,7 @@ done:
+ int brcmf_sdiod_recv_chain(struct brcmf_sdio_dev *sdiodev,
+ 			   struct sk_buff_head *pktq, uint totlen)
+ {
+-	struct sk_buff *glom_skb;
++	struct sk_buff *glom_skb = NULL;
+ 	struct sk_buff *skb;
+ 	u32 addr = sdiodev->sbwad;
+ 	int err = 0;
+@@ -726,10 +726,8 @@ int brcmf_sdiod_recv_chain(struct brcmf_
+ 			return -ENOMEM;
+ 		err = brcmf_sdiod_buffrw(sdiodev, SDIO_FUNC_2, false, addr,
+ 					 glom_skb);
+-		if (err) {
+-			brcmu_pkt_buf_free_skb(glom_skb);
++		if (err)
+ 			goto done;
+-		}
+ 
+ 		skb_queue_walk(pktq, skb) {
+ 			memcpy(skb->data, glom_skb->data, skb->len);
+@@ -740,6 +738,7 @@ int brcmf_sdiod_recv_chain(struct brcmf_
+ 					    pktq);
+ 
+ done:
++	brcmu_pkt_buf_free_skb(glom_skb);
+ 	return err;
+ }
+ 

package/kernel/mac80211/patches/323-v4.13-0003-brcmfmac-Use-separate-firmware-for-revision-0-of-the.patch

@@ -0,0 +1,45 @@
+From 1278bd149839f2281db45a910082ba143546a148 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Fri, 16 Jun 2017 15:14:49 +0200
+Subject: [PATCH] brcmfmac: Use separate firmware for revision 0 of the
+ brcm43430 chip
+
+The brcm43430 chip needs different firmware files for chip revision 0
+and 1. The file currently in linux-firmware is for revision 1 only.
+
+This commit makes brcmfmac request brcmfmac43430a0-sdio.bin instead
+of brcmfmac43430-sdio.bin for revision 0 chips.
+
+Note that the behavior for revision 1 chips is not changed, ideally those
+would load brcmfmac43430a1-sdio.bin, but that will break existing setups.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+@@ -611,7 +611,9 @@ BRCMF_FW_NVRAM_DEF(43340, "brcmfmac43340
+ BRCMF_FW_NVRAM_DEF(4335, "brcmfmac4335-sdio.bin", "brcmfmac4335-sdio.txt");
+ BRCMF_FW_NVRAM_DEF(43362, "brcmfmac43362-sdio.bin", "brcmfmac43362-sdio.txt");
+ BRCMF_FW_NVRAM_DEF(4339, "brcmfmac4339-sdio.bin", "brcmfmac4339-sdio.txt");
+-BRCMF_FW_NVRAM_DEF(43430, "brcmfmac43430-sdio.bin", "brcmfmac43430-sdio.txt");
++BRCMF_FW_NVRAM_DEF(43430A0, "brcmfmac43430a0-sdio.bin", "brcmfmac43430a0-sdio.txt");
++/* Note the names are not postfixed with a1 for backward compatibility */
++BRCMF_FW_NVRAM_DEF(43430A1, "brcmfmac43430-sdio.bin", "brcmfmac43430-sdio.txt");
+ BRCMF_FW_NVRAM_DEF(43455, "brcmfmac43455-sdio.bin", "brcmfmac43455-sdio.txt");
+ BRCMF_FW_NVRAM_DEF(4354, "brcmfmac4354-sdio.bin", "brcmfmac4354-sdio.txt");
+ BRCMF_FW_NVRAM_DEF(4356, "brcmfmac4356-sdio.bin", "brcmfmac4356-sdio.txt");
+@@ -629,7 +631,8 @@ static struct brcmf_firmware_mapping brc
+ 	BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4335_CHIP_ID, 0xFFFFFFFF, 4335),
+ 	BRCMF_FW_NVRAM_ENTRY(BRCM_CC_43362_CHIP_ID, 0xFFFFFFFE, 43362),
+ 	BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4339_CHIP_ID, 0xFFFFFFFF, 4339),
+-	BRCMF_FW_NVRAM_ENTRY(BRCM_CC_43430_CHIP_ID, 0xFFFFFFFF, 43430),
++	BRCMF_FW_NVRAM_ENTRY(BRCM_CC_43430_CHIP_ID, 0x00000001, 43430A0),
++	BRCMF_FW_NVRAM_ENTRY(BRCM_CC_43430_CHIP_ID, 0xFFFFFFFE, 43430A1),
+ 	BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4345_CHIP_ID, 0xFFFFFFC0, 43455),
+ 	BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4354_CHIP_ID, 0xFFFFFFFF, 4354),
+ 	BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4356_CHIP_ID, 0xFFFFFFFF, 4356)

package/kernel/mac80211/patches/323-v4.13-0004-brcmfmac-initialize-oob-irq-data-before-request_irq.patch

@@ -0,0 +1,46 @@
+From 3f426c96895556bb49adfa52f3aeafdedb2d02e7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20Miros=C5=82aw?= <mirq-linux@rere.qmqm.pl>
+Date: Tue, 13 Jun 2017 18:02:03 +0200
+Subject: [PATCH] brcmfmac: initialize oob irq data before request_irq()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This fixes spin-forever in irq handler when IRQ is already asserted
+at request_irq() time.
+
+Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
+@@ -107,12 +107,14 @@ int brcmf_sdiod_intr_register(struct brc
+ 	int ret = 0;
+ 	u8 data;
+ 	u32 addr, gpiocontrol;
+-	unsigned long flags;
+ 
+ 	pdata = &sdiodev->settings->bus.sdio;
+ 	if (pdata->oob_irq_supported) {
+ 		brcmf_dbg(SDIO, "Enter, register OOB IRQ %d\n",
+ 			  pdata->oob_irq_nr);
++		spin_lock_init(&sdiodev->irq_en_lock);
++		sdiodev->irq_en = true;
++
+ 		ret = request_irq(pdata->oob_irq_nr, brcmf_sdiod_oob_irqhandler,
+ 				  pdata->oob_irq_flags, "brcmf_oob_intr",
+ 				  &sdiodev->func[1]->dev);
+@@ -121,10 +123,6 @@ int brcmf_sdiod_intr_register(struct brc
+ 			return ret;
+ 		}
+ 		sdiodev->oob_irq_requested = true;
+-		spin_lock_init(&sdiodev->irq_en_lock);
+-		spin_lock_irqsave(&sdiodev->irq_en_lock, flags);
+-		sdiodev->irq_en = true;
+-		spin_unlock_irqrestore(&sdiodev->irq_en_lock, flags);
+ 
+ 		ret = enable_irq_wake(pdata->oob_irq_nr);
+ 		if (ret != 0) {

package/kernel/mac80211/patches/323-v4.13-0005-brcmfmac-Fix-a-memory-leak-in-error-handling-path-in.patch

@@ -0,0 +1,36 @@
+From 57c00f2fac512837f8de73474ec1f54020015bae Mon Sep 17 00:00:00 2001
+From: Christophe Jaillet <christophe.jaillet@wanadoo.fr>
+Date: Wed, 21 Jun 2017 07:45:53 +0200
+Subject: [PATCH] brcmfmac: Fix a memory leak in error handling path in
+ 'brcmf_cfg80211_attach'
+
+If 'wiphy_new()' fails, we leak 'ops'. Add a new label in the error
+handling path to free it in such a case.
+
+Cc: stable@vger.kernel.org
+Fixes: 5c22fb85102a7 ("brcmfmac: add wowl gtk rekeying offload support")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -6842,7 +6842,7 @@ struct brcmf_cfg80211_info *brcmf_cfg802
+ 	wiphy = wiphy_new(ops, sizeof(struct brcmf_cfg80211_info));
+ 	if (!wiphy) {
+ 		brcmf_err("Could not allocate wiphy device\n");
+-		return NULL;
++		goto ops_out;
+ 	}
+ 	memcpy(wiphy->perm_addr, drvr->mac, ETH_ALEN);
+ 	set_wiphy_dev(wiphy, busdev);
+@@ -6985,6 +6985,7 @@ priv_out:
+ 	ifp->vif = NULL;
+ wiphy_out:
+ 	brcmf_free_wiphy(wiphy);
++ops_out:
+ 	kfree(ops);
+ 	return NULL;
+ }

package/kernel/mac80211/patches/323-v4.13-0006-brcmfmac-fix-possible-buffer-overflow-in-brcmf_cfg80.patch

@@ -0,0 +1,41 @@
+From 8f44c9a41386729fea410e688959ddaa9d51be7c Mon Sep 17 00:00:00 2001
+From: Arend van Spriel <arend.vanspriel@broadcom.com>
+Date: Fri, 7 Jul 2017 21:09:06 +0100
+Subject: [PATCH] brcmfmac: fix possible buffer overflow in
+ brcmf_cfg80211_mgmt_tx()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The lower level nl80211 code in cfg80211 ensures that "len" is between
+25 and NL80211_ATTR_FRAME (2304).  We subtract DOT11_MGMT_HDR_LEN (24) from
+"len" so thats's max of 2280.  However, the action_frame->data[] buffer is
+only BRCMF_FIL_ACTION_FRAME_SIZE (1800) bytes long so this memcpy() can
+overflow.
+
+	memcpy(action_frame->data, &buf[DOT11_MGMT_HDR_LEN],
+	       le16_to_cpu(action_frame->len));
+
+Cc: stable@vger.kernel.org # 3.9.x
+Fixes: 18e2f61db3b70 ("brcmfmac: P2P action frame tx.")
+Reported-by: "freenerguo(郭大兴)" <freenerguo@tencent.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -4850,6 +4850,11 @@ brcmf_cfg80211_mgmt_tx(struct wiphy *wip
+ 		cfg80211_mgmt_tx_status(wdev, *cookie, buf, len, true,
+ 					GFP_KERNEL);
+ 	} else if (ieee80211_is_action(mgmt->frame_control)) {
++		if (len > BRCMF_FIL_ACTION_FRAME_SIZE + DOT11_MGMT_HDR_LEN) {
++			brcmf_err("invalid action frame length\n");
++			err = -EINVAL;
++			goto exit;
++		}
+ 		af_params = kzalloc(sizeof(*af_params), GFP_KERNEL);
+ 		if (af_params == NULL) {
+ 			brcmf_err("unable to allocate frame\n");

package/kernel/mac80211/patches/326-brcmfmac-add-length-check-in-brcmf_cfg80211_escan_ha.patch

@@ -25,7 +25,7 @@ Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
  	struct brcmf_bss_info_le *bss_info_le;
  	struct brcmf_bss_info_le *bss = NULL;
  	u32 bi_length;
-@@ -3104,11 +3105,23 @@ brcmf_cfg80211_escan_handler(struct brcm
+@@ -3107,11 +3108,23 @@ brcmf_cfg80211_escan_handler(struct brcm
  
  	if (status == BRCMF_E_STATUS_PARTIAL) {
  		brcmf_dbg(SCAN, "ESCAN Partial result\n");
@@ -49,7 +49,7 @@ Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
  		if (le16_to_cpu(escan_result_le->bss_count) != 1) {
  			brcmf_err("Invalid bss_count %d: ignoring\n",
  				  escan_result_le->bss_count);
-@@ -3125,9 +3138,8 @@ brcmf_cfg80211_escan_handler(struct brcm
+@@ -3128,9 +3141,8 @@ brcmf_cfg80211_escan_handler(struct brcm
  		}
  
  		bi_length = le32_to_cpu(bss_info_le->length);

package/kernel/mac80211/patches/860-brcmfmac-register-wiphy-s-during-module_init.patch

@@ -13,7 +13,7 @@ Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
 
 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
 +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
-@@ -1253,6 +1253,7 @@ int __init brcmf_core_init(void)
+@@ -1268,6 +1268,7 @@ int __init brcmf_core_init(void)
  {
  	if (!schedule_work(&brcmf_driver_work))
  		return -EBUSY;