[PATCH 1/5] brcmfmac: analyze descriptors of current component only
From: Rafał Miłecki <zajec5@gmail.com>
Date: 2016-01-26 16:57:22
Subsystem:
broadcom brcm80211 ieee802.11 wireless drivers, the rest · Maintainers:
Arend van Spriel, Linus Torvalds
So far we were looking for address descriptors without a check for crossing current component border. In case of dealing with unsupported descriptor or descriptor missing at all the code would incorrectly get data from another component. Consider this binary-described component from BCM4366 EROM: 4bf83b01 TAG==CI CID==0x83b 20080201 TAG==CI PORTS==0+1 WRAPPERS==0+1 18400035 TAG==ADDR SZ_SZD TYPE_SLAVE 00050000 18107085 TAG==ADDR SZ_4K TYPE_SWRAP Driver was assigning invalid base address to this core: brcmfmac: [6 ] core 0x83b:32 base 0x18109000 wrap 0x18107000 which came from totally different component defined in EROM: 43b36701 TAG==CI CID==0x367 00000201 TAG==CI PORTS==0+1 WRAPPERS==0+0 18109005 TAG==ADDR SZ_4K TYPE_SLAVE This change will also allow us to support components without wrapper address in the future. Signed-off-by: Rafał Miłecki <zajec5@gmail.com> --- drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c
index 82e4382..e434e2a 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c@@ -803,7 +803,14 @@ static int brcmf_chip_dmp_get_regaddr(struct brcmf_chip_priv *ci, u32 *eromaddr, *eromaddr -= 4; return -EFAULT; } - } while (desc != DMP_DESC_ADDRESS); + } while (desc != DMP_DESC_ADDRESS && + desc != DMP_DESC_COMPONENT); + + /* stop if we crossed current component border */ + if (desc == DMP_DESC_COMPONENT) { + *eromaddr -= 4; + return 0; + } /* skip upper 32-bit address descriptor */ if (val & DMP_DESC_ADDRSIZE_GT32)
--
1.8.4.5