<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/drivers/net/wireless/broadcom, branch v6.17</title>
<subtitle>Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
</subtitle>
<id>https://git.shady.money/linux/atom?h=v6.17</id>
<link rel='self' href='https://git.shady.money/linux/atom?h=v6.17'/>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/'/>
<updated>2025-08-26T11:46:18Z</updated>
<entry>
<title>wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work</title>
<updated>2025-08-26T11:46:18Z</updated>
<author>
<name>Duoming Zhou</name>
<email>duoming@zju.edu.cn</email>
</author>
<published>2025-08-22T05:08:39Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=9cb83d4be0b9b697eae93d321e0da999f9cdfcfc'/>
<id>urn:sha1:9cb83d4be0b9b697eae93d321e0da999f9cdfcfc</id>
<content type='text'>
The brcmf_btcoex_detach() only shuts down the btcoex timer, if the
flag timer_on is false. However, the brcmf_btcoex_timerfunc(), which
runs as timer handler, sets timer_on to false. This creates critical
race conditions:

1. If brcmf_btcoex_detach() is called while brcmf_btcoex_timerfunc()
is executing, it may observe timer_on as false and skip the call to
timer_shutdown_sync().

2. The brcmf_btcoex_timerfunc() may then reschedule the brcmf_btcoex_info
worker after the cancel_work_sync() has been executed, resulting in
use-after-free bugs.

The use-after-free bugs occur in two distinct scenarios, depending on
the timing of when the brcmf_btcoex_info struct is freed relative to
the execution of its worker thread.

Scenario 1: Freed before the worker is scheduled

The brcmf_btcoex_info is deallocated before the worker is scheduled.
A race condition can occur when schedule_work(&amp;bt_local-&gt;work) is
called after the target memory has been freed. The sequence of events
is detailed below:

CPU0                           | CPU1
brcmf_btcoex_detach            | brcmf_btcoex_timerfunc
                               |   bt_local-&gt;timer_on = false;
  if (cfg-&gt;btcoex-&gt;timer_on)   |
    ...                        |
  cancel_work_sync();          |
  ...                          |
  kfree(cfg-&gt;btcoex); // FREE  |
                               |   schedule_work(&amp;bt_local-&gt;work); // USE

Scenario 2: Freed after the worker is scheduled

The brcmf_btcoex_info is freed after the worker has been scheduled
but before or during its execution. In this case, statements within
the brcmf_btcoex_handler(), such as the container_of macro and
subsequent dereferences of the brcmf_btcoex_info object, will cause
a use-after-free access. The following timeline illustrates this
scenario:

CPU0                            | CPU1
brcmf_btcoex_detach             | brcmf_btcoex_timerfunc
                                |   bt_local-&gt;timer_on = false;
  if (cfg-&gt;btcoex-&gt;timer_on)    |
    ...                         |
  cancel_work_sync();           |
  ...                           |   schedule_work(); // Reschedule
                                |
  kfree(cfg-&gt;btcoex); // FREE   |   brcmf_btcoex_handler() // Worker
  /*                            |     btci = container_of(....); // USE
   The kfree() above could      |     ...
   also occur at any point      |     btci-&gt; // USE
   during the worker's execution|
   */                           |

To resolve the race conditions, drop the conditional check and call
timer_shutdown_sync() directly. It can deactivate the timer reliably,
regardless of its current state. Once stopped, the timer_on state is
then set to false.

Fixes: 61730d4dfffc ("brcmfmac: support critical protocol API for DHCP")
Acked-by: Arend van Spriel &lt;arend.vanspriel@broadcom.com&gt;
Signed-off-by: Duoming Zhou &lt;duoming@zju.edu.cn&gt;
Link: https://patch.msgid.link/20250822050839.4413-1-duoming@zju.edu.cn
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
</content>
</entry>
<entry>
<title>wifi: Fix typos</title>
<updated>2025-07-24T07:05:31Z</updated>
<author>
<name>Bjorn Helgaas</name>
<email>bhelgaas@google.com</email>
</author>
<published>2025-07-23T20:17:17Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=41469ff94c052b4900af85f1c62a17aff6236f42'/>
<id>urn:sha1:41469ff94c052b4900af85f1c62a17aff6236f42</id>
<content type='text'>
Fix typos in comments and error messages.

Signed-off-by: Bjorn Helgaas &lt;bhelgaas@google.com&gt;
Link: https://patch.msgid.link/20250723201741.2908456-1-helgaas@kernel.org
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
</content>
</entry>
<entry>
<title>wifi: brcmsmac: Use str_true_false() helper</title>
<updated>2025-07-23T12:11:28Z</updated>
<author>
<name>Liu Song</name>
<email>liu.song13@zte.com.cn</email>
</author>
<published>2025-07-23T09:30:04Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=26b1d003c6aac1d6673e735994ee524451d501e4'/>
<id>urn:sha1:26b1d003c6aac1d6673e735994ee524451d501e4</id>
<content type='text'>
Remove hard-coded strings by using the str_true_false() helper function.

Signed-off-by: Liu Song &lt;liu.song13@zte.com.cn&gt;
Acked-by: Arend van Spriel &lt;arend.vanspriel@broadcom.com&gt;
Link: https://patch.msgid.link/20250723173004776P6QSjcW7NrlpGYLTFM-yP@zte.com.cn
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
</content>
</entry>
<entry>
<title>wifi: brcmfmac: fix EXTSAE WPA3 connection failure due to AUTH TX failure</title>
<updated>2025-07-23T12:11:16Z</updated>
<author>
<name>Ting-Ying Li</name>
<email>tingying.li@cypress.com</email>
</author>
<published>2025-07-23T10:59:17Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=f2d7c3c380bf0c38c395d50de3a7c1a6275983cb'/>
<id>urn:sha1:f2d7c3c380bf0c38c395d50de3a7c1a6275983cb</id>
<content type='text'>
For WPA3-SAE Connection in EXTSAE mode, the userspace daemon is allowed to
generate the SAE Auth frames. The driver uses the "mgmt_frame" FW IOVAR to
transmit this MGMT frame.

Before sending the IOVAR, the Driver is incorrectly treating the channel
number read from the FW as a frequency value and again attempts to convert
this into a channel number using ieee80211_frequency_to_channel().

This added an invalid channel number as part of the IOVAR request to the FW,
and some FW which strictly expects a valid channel would return BAD_CHAN
error, while failing to transmit the driver requested SAE Auth MGMT frame.

Fix this in the CYW vendor specific MGMT TX cfg80211 ops handler, by not
treating the channel number read from the FW as frequency value and skip
the attempt to convert it again into a channel number.

Also fix this in the generic MGMT TX cfg80211 ops handler.

Fixes: c2ff8cad6423 ("brcm80211: make mgmt_tx in brcmfmac accept a NULL channel")
Fixes: 66f909308a7c ("wifi: brcmfmac: cyw: support external SAE authentication in station mode")
Signed-off-by: Ting-Ying Li &lt;tingying.li@cypress.com&gt;
Signed-off-by: Gokul Sivakumar &lt;gokulkumar.sivakumar@infineon.com&gt;
Acked-by: Arend van Spriel &lt;arend.vanspriel@broadcom.com&gt;
Link: https://patch.msgid.link/20250723105918.5229-1-gokulkumar.sivakumar@infineon.com
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
</content>
</entry>
<entry>
<title>wifi: brcm80211: Remove yet more unused functions</title>
<updated>2025-07-23T12:11:02Z</updated>
<author>
<name>Dr. David Alan Gilbert</name>
<email>linux@treblig.org</email>
</author>
<published>2025-06-26T14:08:12Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=cb106027444074ed612e45982c32a205697a0381'/>
<id>urn:sha1:cb106027444074ed612e45982c32a205697a0381</id>
<content type='text'>
This is a subset of unused functions in brcmsmac phy_cmn.c.
They're unused since the original 2010
commit a9533e7ea3c4 ("Staging: Add initial release of brcm80211 - Broadcom
802.11n wireless LAN driver.")

Remove them.

Signed-off-by: Dr. David Alan Gilbert &lt;linux@treblig.org&gt;
Acked-by: Arend van Spriel &lt;arend.vanspriel@broadcom.com&gt;
Link: https://patch.msgid.link/20250626140812.56700-4-linux@treblig.org
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
</content>
</entry>
<entry>
<title>wifi: brcm80211: Remove more unused functions</title>
<updated>2025-07-23T12:10:59Z</updated>
<author>
<name>Dr. David Alan Gilbert</name>
<email>linux@treblig.org</email>
</author>
<published>2025-06-26T14:08:11Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=b83c7f49716b2e04ba525b54cb457259bd6b7ece'/>
<id>urn:sha1:b83c7f49716b2e04ba525b54cb457259bd6b7ece</id>
<content type='text'>
This is a subset of unused functions in brcmsmac phy_cmn.c.
They're unused since the original 2010
commit a9533e7ea3c4 ("Staging: Add initial release of brcm80211 - Broadcom
802.11n wireless LAN driver.")

Remove them.

Signed-off-by: Dr. David Alan Gilbert &lt;linux@treblig.org&gt;
Acked-by: Arend van Spriel &lt;arend.vanspriel@broadcom.com&gt;
Link: https://patch.msgid.link/20250626140812.56700-3-linux@treblig.org
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
</content>
</entry>
<entry>
<title>wifi: brcm80211: Remove unused functions</title>
<updated>2025-07-23T12:10:55Z</updated>
<author>
<name>Dr. David Alan Gilbert</name>
<email>linux@treblig.org</email>
</author>
<published>2025-06-26T14:08:10Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=9edf3f855bca60a3634131e09582ee477199af2a'/>
<id>urn:sha1:9edf3f855bca60a3634131e09582ee477199af2a</id>
<content type='text'>
This is a subset of unused functions in brcmsmac phy_cmn.c.
They're unused since the original 2010
commit a9533e7ea3c4 ("Staging: Add initial release of brcm80211 - Broadcom
802.11n wireless LAN driver.")

Remove them.
Then remove two more functions in phy_n.c that were only used
by the ones just removed.

Signed-off-by: Dr. David Alan Gilbert &lt;linux@treblig.org&gt;
Acked-by: Arend van Spriel &lt;arend.vanspriel@broadcom.com&gt;
Link: https://patch.msgid.link/20250626140812.56700-2-linux@treblig.org
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
</content>
</entry>
<entry>
<title>wifi: brcmfmac: cyw: Fix __counted_by to be LE variant</title>
<updated>2025-07-23T10:29:03Z</updated>
<author>
<name>Kees Cook</name>
<email>kees@kernel.org</email>
</author>
<published>2025-07-21T18:18:14Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=204bb852863bf14f343a0801b15bc2173bc318f9'/>
<id>urn:sha1:204bb852863bf14f343a0801b15bc2173bc318f9</id>
<content type='text'>
In brcmf_cyw_mgmt_tx() the "len" counter of the struct
brcmf_mf_params_le::data flexible array is stored as little-endian via
cpu_to_le16() so the __counted_by_le() variant must be used:

	struct brcmf_mf_params_le *mf_params;
	...
	mf_params_len = offsetof(struct brcmf_mf_params_le, data) +
			(len - DOT11_MGMT_HDR_LEN);
	mf_params = kzalloc(mf_params_len, GFP_KERNEL);
	...
	mf_params-&gt;len = cpu_to_le16(len - DOT11_MGMT_HDR_LEN);

Fixes: 66f909308a7c ("wifi: brcmfmac: cyw: support external SAE authentication in station mode")
Signed-off-by: Kees Cook &lt;kees@kernel.org&gt;
Reviewed-by: Gustavo A. R. Silva &lt;gustavoars@kernel.org&gt;
Acked-by: Arend van Spriel &lt;arend.vanspriel@broadcom.com&gt;
Link: https://patch.msgid.link/20250721181810.work.575-kees@kernel.org
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
</content>
</entry>
<entry>
<title>wifi: brcmfmac: support CYW54591 PCIE device</title>
<updated>2025-07-21T17:36:09Z</updated>
<author>
<name>Double Lo</name>
<email>double.lo@cypress.com</email>
</author>
<published>2025-06-24T09:34:53Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=c639a44ac6c2624f983bbe36483166a4b3afb371'/>
<id>urn:sha1:c639a44ac6c2624f983bbe36483166a4b3afb371</id>
<content type='text'>
CYW54591 is a variant of BCM4355 silicon with the same chipid. In the
chipid-fwname mapping table, apply chiprev 13 to identify CYW54591.
Skip reading OTP process for CYW chip since it contains vendor specific
information which is not common for cypress.

Signed-off-by: Double Lo &lt;double.lo@cypress.com&gt;
Signed-off-by: Chi-hsien Lin &lt;chi-hsien.lin@cypress.com&gt;
Signed-off-by: Ian Lin &lt;ian.lin@infineon.com&gt;
Acked-by: Arend van Spriel &lt;arend.vanspriel@broadcom.com&gt;
Link: https://patch.msgid.link/20250624093453.7264-1-ian.lin@infineon.com
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
</content>
</entry>
<entry>
<title>wifi: brcmfmac: fix P2P discovery failure in P2P peer due to missing P2P IE</title>
<updated>2025-07-21T17:35:58Z</updated>
<author>
<name>Gokul Sivakumar</name>
<email>gokulkumar.sivakumar@infineon.com</email>
</author>
<published>2025-06-26T05:07:02Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=579bf8037b70b644a674c126a32bbb2212cf5c21'/>
<id>urn:sha1:579bf8037b70b644a674c126a32bbb2212cf5c21</id>
<content type='text'>
After commit bd99a3013bdc ("brcmfmac: move configuration of probe request
IEs"), the probe request MGMT IE addition operation brcmf_vif_set_mgmt_ie()
got moved from the brcmf_p2p_scan_prep() to the brcmf_cfg80211_scan().

Because of this, as part of the scan request handler for the P2P Discovery,
vif struct used for adding the Probe Request P2P IE in firmware got changed
from the P2PAPI_BSSCFG_DEVICE vif to P2PAPI_BSSCFG_PRIMARY vif incorrectly.
So the firmware stopped adding P2P IE to the outgoing P2P Discovery probe
requests frames and the other P2P peers were unable to discover this device
causing a regression on the P2P feature.

To fix this, while setting the P2P IE in firmware, properly use the vif of
the P2P discovery wdev on which the driver received the P2P scan request.
This is done by not changing the vif pointer, until brcmf_vif_set_mgmt_ie()
is completed.

Fixes: bd99a3013bdc ("brcmfmac: move configuration of probe request IEs")
Signed-off-by: Gokul Sivakumar &lt;gokulkumar.sivakumar@infineon.com&gt;
Acked-by: Arend van Spriel &lt;arend.vanspriel@broadcom.com&gt;
Link: https://patch.msgid.link/20250626050706.7271-1-gokulkumar.sivakumar@infineon.com
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
</content>
</entry>
</feed>
