From: John Baldwin
Date: Wed, 30 Dec 2020 23:21:58 GMT
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: git: 282381aa53a3 - main - rsu: Don't modify read-only firmware block.
Message-Id: <202012302321.0BUNLwPo078519@gitrepo.freebsd.org>
X-Git-Committer: jhb
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 282381aa53a3cb21de8e855797f61c27cbb73884
List-Id: "Commit messages for the main branch of the src repository."

The branch main has been updated by jhb:

URL: https://cgit.FreeBSD.org/src/commit/?id=282381aa53a3cb21de8e855797f61c27cbb73884

commit 282381aa53a3cb21de8e855797f61c27cbb73884
Author:     John Baldwin
AuthorDate: 2020-12-30 23:18:02 +0000
Commit:     John Baldwin
CommitDate: 2020-12-30 23:21:35 +0000

    rsu: Don't modify read-only firmware block.

    The firmware header loaded into an rsu(4) device has to be customized
    to reflect device settings.  The driver was overwriting the header
    from the shared firmware image before sending it to the device.  If
    two devices attached at the same time with different settings, one
    device could potentially get a corrupted header.

    The recent changes in a095390344fb1795c1b118a2f84da8f6a7f254ab exposed
    this bug in the form of a panic as the firmware blobs are now marked
    read-only in object files and mapped read-only by the kernel.

    To avoid the bug, change the driver to allocate a copy of the firmware
    header on the stack that is initialized before writing it to the
    device.

    PR:             252163
    Reported by:    vidwer+fbsdbugs@gmail.com
    Tested by:      vidwer+fbsdbugs@gmail.com
    Reviewed by:    hselasky, bz, emaste
    Sponsored by:   DARPA
    Differential Revision:  https://reviews.freebsd.org/D27850
---
 sys/dev/usb/wlan/if_rsu.c | 37 ++++++++++++++++++-------------------
 1 file changed, 18 insertions(+), 19 deletions(-)

diff --git a/sys/dev/usb/wlan/if_rsu.c b/sys/dev/usb/wlan/if_rsu.c index 0505af9ae941..f2dc6657026e 100644 --- a/sys/dev/usb/wlan/if_rsu.c +++ b/sys/dev/usb/wlan/if_rsu.c @@ -3343,7 +3343,7 @@ static int rsu_load_firmware(struct rsu_softc *sc) { const struct r92s_fw_hdr *hdr; - struct r92s_fw_priv *dmem; + struct r92s_fw_priv dmem; struct ieee80211com *ic = &sc->sc_ic; const uint8_t *imem, *emem; uint32_t imemsz, ememsz; @@ -3389,7 +3389,7 @@ rsu_load_firmware(struct rsu_softc *sc) hdr->minute); /* Make sure that driver and firmware are in sync. */ - if (hdr->privsz != htole32(sizeof(*dmem))) { + if (hdr->privsz != htole32(sizeof(dmem))) { device_printf(sc->sc_dev, "unsupported firmware image\n"); error = EINVAL; goto fail; 
@@ -3475,24 +3475,23 @@ rsu_load_firmware(struct rsu_softc *sc) } /* Update DMEM section before loading. */ - dmem = __DECONST(struct r92s_fw_priv *, &hdr->priv); - memset(dmem, 0, sizeof(*dmem)); - dmem->hci_sel = R92S_HCI_SEL_USB | R92S_HCI_SEL_8172; - dmem->nendpoints = sc->sc_nendpoints; - dmem->chip_version = sc->cut; - dmem->rf_config = sc->sc_rftype; - dmem->vcs_type = R92S_VCS_TYPE_AUTO; - dmem->vcs_mode = R92S_VCS_MODE_RTS_CTS; - dmem->turbo_mode = 0; - dmem->bw40_en = !! (ic->ic_htcaps & IEEE80211_HTCAP_CHWIDTH40); - dmem->amsdu2ampdu_en = !! (sc->sc_ht); - dmem->ampdu_en = !! (sc->sc_ht); - dmem->agg_offload = !! (sc->sc_ht); - dmem->qos_en = 1; - dmem->ps_offload = 1; - dmem->lowpower_mode = 1; /* XXX TODO: configurable? */ + memset(&dmem, 0, sizeof(dmem)); + dmem.hci_sel = R92S_HCI_SEL_USB | R92S_HCI_SEL_8172; + dmem.nendpoints = sc->sc_nendpoints; + dmem.chip_version = sc->cut; + dmem.rf_config = sc->sc_rftype; + dmem.vcs_type = R92S_VCS_TYPE_AUTO; + dmem.vcs_mode = R92S_VCS_MODE_RTS_CTS; + dmem.turbo_mode = 0; + dmem.bw40_en = !! (ic->ic_htcaps & IEEE80211_HTCAP_CHWIDTH40); + dmem.amsdu2ampdu_en = !! (sc->sc_ht); + dmem.ampdu_en = !! (sc->sc_ht); + dmem.agg_offload = !! (sc->sc_ht); + dmem.qos_en = 1; + dmem.ps_offload = 1; + dmem.lowpower_mode = 1; /* XXX TODO: configurable? */ /* Load DMEM section. */ - error = rsu_fw_loadsection(sc, (uint8_t *)dmem, sizeof(*dmem)); + error = rsu_fw_loadsection(sc, (uint8_t *)&dmem, sizeof(dmem)); if (error != 0) { device_printf(sc->sc_dev, "could not load firmware section %s\n", "DMEM");
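
Review bot: In the first hunk (@@ -3343), the new declaration `struct r92s_fw_priv dmem;` puts the whole private header on the kernel stack of rsu_load_firmware(), and nothing in the visible lines bounds its size. A compile-time assertion on `sizeof(struct r92s_fw_priv)` next to the struct definition, or a short comment at the declaration saying why a stack copy is acceptable here, would keep a later growth of the struct from silently enlarging this frame.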
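
Review bot: In the last hunk (@@ -3475), `memset(&dmem, 0, sizeof(dmem));` is now the only thing that keeps uninitialised kernel stack bytes out of the buffer handed to the device, because `rsu_fw_loadsection(sc, (uint8_t *)&dmem, sizeof(dmem))` sends the full struct, including any padding and any field not assigned in the list above it. A one-line comment on the memset saying so would stop a later cleanup from dropping it. The existing comment "Update DMEM section before loading." could also be reworded, since the code now builds a local copy rather than updating the firmware image in place.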