<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/net/wireless/broadcom, branch linux-6.5.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>wifi: brcmfmac: Replace 1-element arrays with flexible arrays</title>
<updated>2023-10-10T20:02:56+00:00</updated>
<author>
<name>Juerg Haefliger</name>
<email>juerg.haefliger@canonical.com</email>
</author>
<published>2023-09-14T07:02:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=9a9c17c7c5548efcf6318987baa7099a13a9efd1'/>
<id>9a9c17c7c5548efcf6318987baa7099a13a9efd1</id>
<content type='text'>
commit 4fed494abcd4fde5c24de19160e93814f912fdb3 upstream.

Since commit 2d47c6956ab3 ("ubsan: Tighten UBSAN_BOUNDS on GCC"),
UBSAN_BOUNDS no longer pretends 1-element arrays are unbounded. Walking
'element' and 'channel_list' will trigger warnings, so make them proper
flexible arrays.

False positive warnings were:

  UBSAN: array-index-out-of-bounds in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c:6984:20
  index 1 is out of range for type '__le32 [1]'

  UBSAN: array-index-out-of-bounds in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c:1126:27
  index 1 is out of range for type '__le16 [1]'

for these lines of code:

  6884  ch.chspec = (u16)le32_to_cpu(list-&gt;element[i]);

  1126  params_le-&gt;channel_list[i] = cpu_to_le16(chanspec);

Cc: stable@vger.kernel.org # 6.5+
Signed-off-by: Juerg Haefliger &lt;juerg.haefliger@canonical.com&gt;
Reviewed-by: Kees Cook &lt;keescook@chromium.org&gt;
Reviewed-by: Gustavo A. R. Silva &lt;gustavoars@kernel.org&gt;
Signed-off-by: Kalle Valo &lt;kvalo@kernel.org&gt;
Link: https://lore.kernel.org/r/20230914070227.12028-1-juerg.haefliger@canonical.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 4fed494abcd4fde5c24de19160e93814f912fdb3 upstream.

Since commit 2d47c6956ab3 ("ubsan: Tighten UBSAN_BOUNDS on GCC"),
UBSAN_BOUNDS no longer pretends 1-element arrays are unbounded. Walking
'element' and 'channel_list' will trigger warnings, so make them proper
flexible arrays.

False positive warnings were:

  UBSAN: array-index-out-of-bounds in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c:6984:20
  index 1 is out of range for type '__le32 [1]'

  UBSAN: array-index-out-of-bounds in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c:1126:27
  index 1 is out of range for type '__le16 [1]'

for these lines of code:

  6884  ch.chspec = (u16)le32_to_cpu(list-&gt;element[i]);

  1126  params_le-&gt;channel_list[i] = cpu_to_le16(chanspec);

Cc: stable@vger.kernel.org # 6.5+
Signed-off-by: Juerg Haefliger &lt;juerg.haefliger@canonical.com&gt;
Reviewed-by: Kees Cook &lt;keescook@chromium.org&gt;
Reviewed-by: Gustavo A. R. Silva &lt;gustavoars@kernel.org&gt;
Signed-off-by: Kalle Valo &lt;kvalo@kernel.org&gt;
Link: https://lore.kernel.org/r/20230914070227.12028-1-juerg.haefliger@canonical.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>wifi: brcm80211: handle params_v1 allocation failure</title>
<updated>2023-08-08T10:47:37+00:00</updated>
<author>
<name>Petr Tesarik</name>
<email>petr.tesarik.ext@huawei.com</email>
</author>
<published>2023-08-02T16:34:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=07d698324110339b420deebab7a7805815340b4f'/>
<id>07d698324110339b420deebab7a7805815340b4f</id>
<content type='text'>
Return -ENOMEM from brcmf_run_escan() if kzalloc() fails for v1 params.

Fixes: 398ce273d6b1 ("wifi: brcmfmac: cfg80211: Add support for scan params v2")
Signed-off-by: Petr Tesarik &lt;petr.tesarik.ext@huawei.com&gt;
Link: https://lore.kernel.org/r/20230802163430.1656-1-petrtesarik@huaweicloud.com
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Return -ENOMEM from brcmf_run_escan() if kzalloc() fails for v1 params.

Fixes: 398ce273d6b1 ("wifi: brcmfmac: cfg80211: Add support for scan params v2")
Signed-off-by: Petr Tesarik &lt;petr.tesarik.ext@huawei.com&gt;
Link: https://lore.kernel.org/r/20230802163430.1656-1-petrtesarik@huaweicloud.com
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>wifi: brcmfmac: Fix field-spanning write in brcmf_scan_params_v2_to_v1()</title>
<updated>2023-08-02T10:34:16+00:00</updated>
<author>
<name>Hans de Goede</name>
<email>hdegoede@redhat.com</email>
</author>
<published>2023-07-29T14:05:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=16e455a465fca91907af0108f3d013150386df30'/>
<id>16e455a465fca91907af0108f3d013150386df30</id>
<content type='text'>
Using brcmfmac with 6.5-rc3 on a brcmfmac43241b4-sdio triggers
a backtrace caused by the following field-spanning warning:

memcpy: detected field-spanning write (size 120) of single field
  "&amp;params_le-&gt;channel_list[0]" at
  drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c:1072 (size 2)

The driver still works after this warning. The warning was introduced by the
new field-spanning write checks which were enabled recently.

Fix this by replacing the channel_list[1] declaration at the end of
the struct with a flexible array declaration.

Most users of struct brcmf_scan_params_le calculate the size to alloc
using the size of the non flex-array part of the struct + needed extra
space, so they do not care about sizeof(struct brcmf_scan_params_le).

brcmf_notify_escan_complete() however uses the struct on the stack,
expecting there to be room for at least 1 entry in the channel-list
to store the special -1 abort channel-id.

To make this work use an anonymous union with a padding member
added + the actual channel_list flexible array.

Cc: Kees Cook &lt;keescook@chromium.org&gt;
Signed-off-by: Hans de Goede &lt;hdegoede@redhat.com&gt;
Reviewed-by: Kees Cook &lt;keescook@chromium.org&gt;
Reviewed-by: Franky Lin &lt;franky.lin@broadcom.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@kernel.org&gt;
Link: https://lore.kernel.org/r/20230729140500.27892-1-hdegoede@redhat.com
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Using brcmfmac with 6.5-rc3 on a brcmfmac43241b4-sdio triggers
a backtrace caused by the following field-spanning warning:

memcpy: detected field-spanning write (size 120) of single field
  "&amp;params_le-&gt;channel_list[0]" at
  drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c:1072 (size 2)

The driver still works after this warning. The warning was introduced by the
new field-spanning write checks which were enabled recently.

Fix this by replacing the channel_list[1] declaration at the end of
the struct with a flexible array declaration.

Most users of struct brcmf_scan_params_le calculate the size to alloc
using the size of the non flex-array part of the struct + needed extra
space, so they do not care about sizeof(struct brcmf_scan_params_le).

brcmf_notify_escan_complete() however uses the struct on the stack,
expecting there to be room for at least 1 entry in the channel-list
to store the special -1 abort channel-id.

To make this work use an anonymous union with a padding member
added + the actual channel_list flexible array.

Cc: Kees Cook &lt;keescook@chromium.org&gt;
Signed-off-by: Hans de Goede &lt;hdegoede@redhat.com&gt;
Reviewed-by: Kees Cook &lt;keescook@chromium.org&gt;
Reviewed-by: Franky Lin &lt;franky.lin@broadcom.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@kernel.org&gt;
Link: https://lore.kernel.org/r/20230729140500.27892-1-hdegoede@redhat.com
</pre>
</div>
</content>
</entry>
<entry>
<title>wifi: brcmsmac: fix gnu_printf warnings</title>
<updated>2023-06-16T09:24:15+00:00</updated>
<author>
<name>Kalle Valo</name>
<email>kvalo@kernel.org</email>
</author>
<published>2023-06-13T14:09:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=4b6ec74ec476c775b44d49ecd8cd48334db8e798'/>
<id>4b6ec74ec476c775b44d49ecd8cd48334db8e798</id>
<content type='text'>
With GCC 13.1 and W=1 brcmsmac has warnings like this:

./include/trace/stages/stage5_get_offsets.h:23:31: warning: function 'trace_event_get_offsets_brcms_dbg' might be a candidate for 'gnu_printf' format attribute [-Wsuggest-attribute=format]

Add a workaround which disables -Wsuggest-attribute=format in
brcms_trace_brcmsmac_msg.h. I see similar workarounds in other drivers as well.

Compile tested only.

Signed-off-by: Kalle Valo &lt;kvalo@kernel.org&gt;
Link: https://lore.kernel.org/r/20230613140918.389690-3-kvalo@kernel.org
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
With GCC 13.1 and W=1 brcmsmac has warnings like this:

./include/trace/stages/stage5_get_offsets.h:23:31: warning: function 'trace_event_get_offsets_brcms_dbg' might be a candidate for 'gnu_printf' format attribute [-Wsuggest-attribute=format]

Add a workaround which disables -Wsuggest-attribute=format in
brcms_trace_brcmsmac_msg.h. I see similar workarounds in other drivers as well.

Compile tested only.

Signed-off-by: Kalle Valo &lt;kvalo@kernel.org&gt;
Link: https://lore.kernel.org/r/20230613140918.389690-3-kvalo@kernel.org
</pre>
</div>
</content>
</entry>
<entry>
<title>wifi: brcmfmac: fix gnu_printf warnings</title>
<updated>2023-06-16T09:24:15+00:00</updated>
<author>
<name>Kalle Valo</name>
<email>kvalo@kernel.org</email>
</author>
<published>2023-06-13T14:09:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=56714e5f1255fc318b65b6b338a0d8ebc44c920c'/>
<id>56714e5f1255fc318b65b6b338a0d8ebc44c920c</id>
<content type='text'>
With GCC 13.1 and W=1 brcmfmac has warnings like this:

./include/trace/perf.h:26:16: warning: function 'perf_trace_brcmf_dbg' might be a candidate for 'gnu_printf' format attribute [-Wsuggest-attribute=format]

Add a workaround which disables -Wsuggest-attribute=format in tracepoint.h. I
see similar workarounds in other drivers as well.

Compile tested only.

Signed-off-by: Kalle Valo &lt;kvalo@kernel.org&gt;
Link: https://lore.kernel.org/r/20230613140918.389690-2-kvalo@kernel.org
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
With GCC 13.1 and W=1 brcmfmac has warnings like this:

./include/trace/perf.h:26:16: warning: function 'perf_trace_brcmf_dbg' might be a candidate for 'gnu_printf' format attribute [-Wsuggest-attribute=format]

Add a workaround which disables -Wsuggest-attribute=format in tracepoint.h. I
see similar workarounds in other drivers as well.

Compile tested only.

Signed-off-by: Kalle Valo &lt;kvalo@kernel.org&gt;
Link: https://lore.kernel.org/r/20230613140918.389690-2-kvalo@kernel.org
</pre>
</div>
</content>
</entry>
<entry>
<title>wifi: brcmfmac: Detect corner error case earlier with log</title>
<updated>2023-06-08T16:00:00+00:00</updated>
<author>
<name>Neal Sidhwaney</name>
<email>nealsid@gmail.com</email>
</author>
<published>2023-06-03T06:00:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f8f912bf69a021c8cfff23e69e59c7c975a47c1a'/>
<id>f8f912bf69a021c8cfff23e69e59c7c975a47c1a</id>
<content type='text'>
In brcmf_chip_recognition(), the return value from an MMIO read is
interpreted as various fields without checking if it failed, which is
harmless today, as the interpreted fields are checked for validity a
few lines below.  However, in corner cases (on my MacbookPro 14,1,
sometimes after waking from sleep or soft reboot), when this happens,
it causes the logging to be misleading, because the message indicates
an unsupported chip type ("brcmfmac: brcmf_chip_recognition: chip
backplane type 15 is not supported").  This patch detects this case
slightly earlier and logs an appropriate message, with the same return
result as is the case today.

Signed-off-by: Neal Sidhwaney &lt;nealsid@gmail.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@kernel.org&gt;
Link: https://lore.kernel.org/r/20230603060021.57225-1-nealsid@gmail.com
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
In brcmf_chip_recognition(), the return value from an MMIO read is
interpreted as various fields without checking if it failed, which is
harmless today, as the interpreted fields are checked for validity a
few lines below.  However, in corner cases (on my MacbookPro 14,1,
sometimes after waking from sleep or soft reboot), when this happens,
it causes the logging to be misleading, because the message indicates
an unsupported chip type ("brcmfmac: brcmf_chip_recognition: chip
backplane type 15 is not supported").  This patch detects this case
slightly earlier and logs an appropriate message, with the same return
result as is the case today.

Signed-off-by: Neal Sidhwaney &lt;nealsid@gmail.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@kernel.org&gt;
Link: https://lore.kernel.org/r/20230603060021.57225-1-nealsid@gmail.com
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge wireless into wireless-next</title>
<updated>2023-06-07T17:49:36+00:00</updated>
<author>
<name>Johannes Berg</name>
<email>johannes.berg@intel.com</email>
</author>
<published>2023-06-07T17:43:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=10f5ae21940cc754f82828d81b8009f2e8ae2c64'/>
<id>10f5ae21940cc754f82828d81b8009f2e8ae2c64</id>
<content type='text'>
There are a number of upcoming things in both the stack and
drivers that would otherwise conflict, so merge wireless to
wireless-next to be able to avoid those conflicts.

Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
There are a number of upcoming things in both the stack and
drivers that would otherwise conflict, so merge wireless to
wireless-next to be able to avoid those conflicts.

Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>wifi: brcmutil: use helper function pktq_empty() instead of open code</title>
<updated>2023-06-01T13:14:43+00:00</updated>
<author>
<name>Juhee Kang</name>
<email>claudiajkang@gmail.com</email>
</author>
<published>2023-05-27T11:49:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=8012ec4a0e64b60d4d782950296e6fb217c6758f'/>
<id>8012ec4a0e64b60d4d782950296e6fb217c6758f</id>
<content type='text'>
pktq_empty was added in commit 5b435de0d786 ("net: wireless: add brcm80211
drivers") but it is currently not being utilized in some areas. This commit
replaces the open code with the pktq_empty() function.

Signed-off-by: Juhee Kang &lt;claudiajkang@gmail.com&gt;
Reviewed-by: Simon Horman &lt;simon.horman@corigine.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@kernel.org&gt;
Link: https://lore.kernel.org/r/20230527114954.3281-2-claudiajkang@gmail.com
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
pktq_empty was added in commit 5b435de0d786 ("net: wireless: add brcm80211
drivers") but it is currently not being utilized in some areas. This commit
replaces the open code with the pktq_empty() function.

Signed-off-by: Juhee Kang &lt;claudiajkang@gmail.com&gt;
Reviewed-by: Simon Horman &lt;simon.horman@corigine.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@kernel.org&gt;
Link: https://lore.kernel.org/r/20230527114954.3281-2-claudiajkang@gmail.com
</pre>
</div>
</content>
</entry>
<entry>
<title>wifi: b43: fix incorrect __packed annotation</title>
<updated>2023-05-17T06:24:09+00:00</updated>
<author>
<name>Arnd Bergmann</name>
<email>arnd@arndb.de</email>
</author>
<published>2023-05-16T18:34:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=212457ccbd60dba34f965e4ffbe62f0e4f970538'/>
<id>212457ccbd60dba34f965e4ffbe62f0e4f970538</id>
<content type='text'>
clang warns about an unpacked structure inside of a packed one:

drivers/net/wireless/broadcom/b43/b43.h:654:4: error: field data within 'struct b43_iv' is less aligned than 'union (unnamed union at /home/arnd/arm-soc/drivers/net/wireless/broadcom/b43/b43.h:651:2)' and is usually due to 'struct b43_iv' being packed, which can lead to unaligned accesses [-Werror,-Wunaligned-access]

The problem here is that the anonymous union has the default alignment
from its members, apparently because the original author mixed up the
placement of the __packed attribute by placing it next to the struct
member rather than the union definition. As the struct itself is
also marked as __packed, there is no need to mark its members, so just
move the annotation to the inner type instead.

As Michael noted, the same problem is present in b43legacy, so
change both at the same time.

Acked-by: Michael Büsch &lt;m@bues.ch&gt;
Reported-by: kernel test robot &lt;lkp@intel.com&gt;
Reviewed-by: Simon Horman &lt;simon.horman@corigine.com&gt;
Tested-by: Larry Finger &lt;Larry.Finger@lwfinger.net&gt;
Link: https://lore.kernel.org/oe-kbuild-all/202305160749.ay1HAoyP-lkp@intel.com/
Signed-off-by: Arnd Bergmann &lt;arnd@arndb.de&gt;
Signed-off-by: Kalle Valo &lt;kvalo@kernel.org&gt;
Link: https://lore.kernel.org/r/20230516183442.536589-1-arnd@kernel.org
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
clang warns about an unpacked structure inside of a packed one:

drivers/net/wireless/broadcom/b43/b43.h:654:4: error: field data within 'struct b43_iv' is less aligned than 'union (unnamed union at /home/arnd/arm-soc/drivers/net/wireless/broadcom/b43/b43.h:651:2)' and is usually due to 'struct b43_iv' being packed, which can lead to unaligned accesses [-Werror,-Wunaligned-access]

The problem here is that the anonymous union has the default alignment
from its members, apparently because the original author mixed up the
placement of the __packed attribute by placing it next to the struct
member rather than the union definition. As the struct itself is
also marked as __packed, there is no need to mark its members, so just
move the annotation to the inner type instead.

As Michael noted, the same problem is present in b43legacy, so
change both at the same time.

Acked-by: Michael Büsch &lt;m@bues.ch&gt;
Reported-by: kernel test robot &lt;lkp@intel.com&gt;
Reviewed-by: Simon Horman &lt;simon.horman@corigine.com&gt;
Tested-by: Larry Finger &lt;Larry.Finger@lwfinger.net&gt;
Link: https://lore.kernel.org/oe-kbuild-all/202305160749.ay1HAoyP-lkp@intel.com/
Signed-off-by: Arnd Bergmann &lt;arnd@arndb.de&gt;
Signed-off-by: Kalle Valo &lt;kvalo@kernel.org&gt;
Link: https://lore.kernel.org/r/20230516183442.536589-1-arnd@kernel.org
</pre>
</div>
</content>
</entry>
<entry>
<title>wifi: brcmfmac: wcc: Add debug messages</title>
<updated>2023-05-15T18:25:11+00:00</updated>
<author>
<name>Matthias Brugger</name>
<email>mbrugger@suse.com</email>
</author>
<published>2023-05-09T10:04:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=87807f77a03d0271211b75f84b2a8b88f4e8e5d4'/>
<id>87807f77a03d0271211b75f84b2a8b88f4e8e5d4</id>
<content type='text'>
The message is attach and detach function are merly for debugging,
change them from pr_err to pr_debug.

Signed-off-by: Matthias Brugger &lt;mbrugger@suse.com&gt;
Reviewed-by: Hans de Goede &lt;hdegoede@redhat.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@kernel.org&gt;
Link: https://lore.kernel.org/r/20230509100420.26094-1-matthias.bgg@kernel.org
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The message is attach and detach function are merly for debugging,
change them from pr_err to pr_debug.

Signed-off-by: Matthias Brugger &lt;mbrugger@suse.com&gt;
Reviewed-by: Hans de Goede &lt;hdegoede@redhat.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@kernel.org&gt;
Link: https://lore.kernel.org/r/20230509100420.26094-1-matthias.bgg@kernel.org
</pre>
</div>
</content>
</entry>
</feed>
