From patchwork Mon Feb 17 06:43:04 2025
X-Patchwork-Submitter: Ping-Ke Shih
X-Patchwork-Id: 866429
From: Ping-Ke Shih
Subject: [PATCH 1/5] wifi: rtw89: fw: add blacklist to avoid obsolete secure firmware
Date: Mon, 17 Feb 2025 14:43:04 +0800
Message-ID: <20250217064308.43559-2-pkshih@realtek.com>
In-Reply-To: <20250217064308.43559-1-pkshih@realtek.com>
References: <20250217064308.43559-1-pkshih@realtek.com>
X-Mailing-List: linux-wireless@vger.kernel.org

To ensure a secure chip only runs expected secure firmware, stop using obsolete firmware in the blacklist, in which a weakness or flaw was found.

Signed-off-by: Ping-Ke Shih
--- drivers/net/wireless/realtek/rtw89/core.h | 2 + drivers/net/wireless/realtek/rtw89/fw.c | 52 ++++++++++++++++++- drivers/net/wireless/realtek/rtw89/fw.h | 12 +++++ drivers/net/wireless/realtek/rtw89/rtw8851b.c | 1 + drivers/net/wireless/realtek/rtw89/rtw8852a.c | 1 + drivers/net/wireless/realtek/rtw89/rtw8852b.c | 1 + .../net/wireless/realtek/rtw89/rtw8852bt.c | 1 + drivers/net/wireless/realtek/rtw89/rtw8852c.c | 1 + drivers/net/wireless/realtek/rtw89/rtw8922a.c | 1 + 9 files changed, 71 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/realtek/rtw89/core.h b/drivers/net/wireless/realtek/rtw89/core.h index b3fdd8eded21..5044d78435b8 100644 --- a/drivers/net/wireless/realtek/rtw89/core.h +++ b/drivers/net/wireless/realtek/rtw89/core.h @@ -17,6 +17,7 @@ struct rtw89_dev; struct rtw89_pci_info; struct rtw89_mac_gen_def; struct rtw89_phy_gen_def; +struct rtw89_fw_blacklist; struct rtw89_efuse_block_cfg; struct rtw89_h2c_rf_tssi; struct rtw89_fw_txpwr_track_cfg; @@ -4257,6 +4258,7 @@ struct rtw89_chip_info { bool try_ce_fw; u8 bbmcu_nr; u32 needed_fw_elms; + const struct rtw89_fw_blacklist *fw_blacklist; u32 fifo_size; bool small_fifo_size; u32 dle_scc_rsvd_size; 
diff --git a/drivers/net/wireless/realtek/rtw89/fw.c b/drivers/net/wireless/realtek/rtw89/fw.c index 35b86970db2a..17f80f1f23df 100644 --- a/drivers/net/wireless/realtek/rtw89/fw.c +++ b/drivers/net/wireless/realtek/rtw89/fw.c @@ -38,6 +38,16 @@ struct rtw89_arp_rsp { static const u8 mss_signature[] = {0x4D, 0x53, 0x53, 0x4B, 0x50, 0x4F, 0x4F, 0x4C}; +const struct rtw89_fw_blacklist rtw89_fw_blacklist_default = { + .ver = 0x00, + .list = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + }, +}; +EXPORT_SYMBOL(rtw89_fw_blacklist_default); + union rtw89_fw_element_arg { size_t offset; enum rtw89_rf_path rf_path; 
@@ -344,6 +354,46 @@ static int __parse_formatted_mssc(struct rtw89_dev *rtwdev, return 0; } +static int __check_secure_blacklist(struct rtw89_dev *rtwdev, + struct rtw89_fw_bin_info *info, + struct rtw89_fw_hdr_section_info *section_info, + const void *content) +{ + const struct rtw89_fw_blacklist *chip_blacklist = rtwdev->chip->fw_blacklist; + const union rtw89_fw_section_mssc_content *section_content = content; + struct rtw89_fw_secure *sec = &rtwdev->fw.sec; + u8 byte_idx; + u8 bit_mask; + + if (!sec->secure_boot) + return 0; + + if (!info->secure_section_exist || section_info->ignore) + return 0; + + if (!chip_blacklist) { + rtw89_err(rtwdev, "chip no blacklist for secure firmware\n"); + return -ENOENT; + } + + byte_idx = section_content->blacklist.bit_in_chip_list >> 3; + bit_mask = BIT(section_content->blacklist.bit_in_chip_list & 0x7); + + if (section_content->blacklist.ver > chip_blacklist->ver) { + rtw89_err(rtwdev, "chip blacklist out of date (%u, %u)\n", + section_content->blacklist.ver, chip_blacklist->ver); + return -EINVAL; + } + + if (chip_blacklist->list[byte_idx] & bit_mask) { + rtw89_err(rtwdev, "firmware %u in chip blacklist\n", + section_content->blacklist.ver); + return -EPERM; + } + + return 0; +} + static int __parse_security_section(struct rtw89_dev *rtwdev, struct rtw89_fw_bin_info *info, struct rtw89_fw_hdr_section_info *section_info, @@ -374,7 +424,7 @@ static int __parse_security_section(struct rtw89_dev *rtwdev, info->secure_section_exist = true; } - return 0; + return __check_secure_blacklist(rtwdev, info, section_info, content); } static int rtw89_fw_hdr_parser_v1(struct rtw89_dev *rtwdev, const u8 *fw, u32 len, diff --git a/drivers/net/wireless/realtek/rtw89/fw.h b/drivers/net/wireless/realtek/rtw89/fw.h index 994d109a9c3c..31d44513b181 100644 --- a/drivers/net/wireless/realtek/rtw89/fw.h +++ b/drivers/net/wireless/realtek/rtw89/fw.h 
@@ -663,6 +663,11 @@ struct rtw89_fw_mss_pool_hdr { } __packed; union rtw89_fw_section_mssc_content { + struct { + u8 pad[0x20]; + u8 bit_in_chip_list; + u8 ver; + } __packed blacklist; struct { u8 pad[58]; __le32 v; @@ -673,6 +678,13 @@ union rtw89_fw_section_mssc_content { } __packed key_sign_len; } __packed; +struct rtw89_fw_blacklist { + u8 ver; + u8 list[32]; +}; + +extern const struct rtw89_fw_blacklist rtw89_fw_blacklist_default; + static inline void SET_CTRL_INFO_MACID(void *table, u32 val) { le32p_replace_bits((__le32 *)(table) + 0, val, GENMASK(6, 0)); diff --git a/drivers/net/wireless/realtek/rtw89/rtw8851b.c b/drivers/net/wireless/realtek/rtw89/rtw8851b.c index 82289dbad1f4..8fba6413a5cb 100644 --- a/drivers/net/wireless/realtek/rtw89/rtw8851b.c +++ b/drivers/net/wireless/realtek/rtw89/rtw8851b.c @@ -2458,6 +2458,7 @@ const struct rtw89_chip_info rtw8851b_chip_info = { .try_ce_fw = true, .bbmcu_nr = 0, .needed_fw_elms = 0, + .fw_blacklist = NULL, .fifo_size = 196608, .small_fifo_size = true, .dle_scc_rsvd_size = 98304, diff --git a/drivers/net/wireless/realtek/rtw89/rtw8852a.c b/drivers/net/wireless/realtek/rtw89/rtw8852a.c index 2046832d021f..1b958c559aac 100644 --- a/drivers/net/wireless/realtek/rtw89/rtw8852a.c +++ b/drivers/net/wireless/realtek/rtw89/rtw8852a.c @@ -2175,6 +2175,7 @@ const struct rtw89_chip_info rtw8852a_chip_info = { .try_ce_fw = false, .bbmcu_nr = 0, .needed_fw_elms = 0, + .fw_blacklist = NULL, .fifo_size = 458752, .small_fifo_size = false, .dle_scc_rsvd_size = 0, diff --git a/drivers/net/wireless/realtek/rtw89/rtw8852b.c b/drivers/net/wireless/realtek/rtw89/rtw8852b.c index 652914a36245..780fc19d617f 100644 --- a/drivers/net/wireless/realtek/rtw89/rtw8852b.c +++ b/drivers/net/wireless/realtek/rtw89/rtw8852b.c 
@@ -811,6 +811,7 @@ const struct rtw89_chip_info rtw8852b_chip_info = { .try_ce_fw = true, .bbmcu_nr = 0, .needed_fw_elms = 0, + .fw_blacklist = &rtw89_fw_blacklist_default, .fifo_size = 196608, .small_fifo_size = true, .dle_scc_rsvd_size = 98304, diff --git a/drivers/net/wireless/realtek/rtw89/rtw8852bt.c b/drivers/net/wireless/realtek/rtw89/rtw8852bt.c index 6f15245b2f74..1173496a075d 100644 --- a/drivers/net/wireless/realtek/rtw89/rtw8852bt.c +++ b/drivers/net/wireless/realtek/rtw89/rtw8852bt.c @@ -745,6 +745,7 @@ const struct rtw89_chip_info rtw8852bt_chip_info = { .try_ce_fw = true, .bbmcu_nr = 0, .needed_fw_elms = RTW89_AX_GEN_DEF_NEEDED_FW_ELEMENTS_NO_6GHZ, + .fw_blacklist = &rtw89_fw_blacklist_default, .fifo_size = 458752, .small_fifo_size = true, .dle_scc_rsvd_size = 98304, diff --git a/drivers/net/wireless/realtek/rtw89/rtw8852c.c b/drivers/net/wireless/realtek/rtw89/rtw8852c.c index ecc1ff358583..c61e4953bc97 100644 --- a/drivers/net/wireless/realtek/rtw89/rtw8852c.c +++ b/drivers/net/wireless/realtek/rtw89/rtw8852c.c @@ -2967,6 +2967,7 @@ const struct rtw89_chip_info rtw8852c_chip_info = { .try_ce_fw = false, .bbmcu_nr = 0, .needed_fw_elms = 0, + .fw_blacklist = &rtw89_fw_blacklist_default, .fifo_size = 458752, .small_fifo_size = false, .dle_scc_rsvd_size = 0, diff --git a/drivers/net/wireless/realtek/rtw89/rtw8922a.c b/drivers/net/wireless/realtek/rtw89/rtw8922a.c index 898a65a721dc..da26ba22e7e6 100644 --- a/drivers/net/wireless/realtek/rtw89/rtw8922a.c +++ b/drivers/net/wireless/realtek/rtw89/rtw8922a.c 
@@ -2728,6 +2728,7 @@ const struct rtw89_chip_info rtw8922a_chip_info = { .try_ce_fw = false, .bbmcu_nr = 1, .needed_fw_elms = RTW89_BE_GEN_DEF_NEEDED_FW_ELEMENTS, + .fw_blacklist = &rtw89_fw_blacklist_default, .fifo_size = 589824, .small_fifo_size = false, .dle_scc_rsvd_size = 0, 
From patchwork Mon Feb 17 06:43:05 2025
X-Patchwork-Submitter: Ping-Ke Shih
X-Patchwork-Id: 866082
From: Ping-Ke Shih
Subject: [PATCH 2/5] wifi: rtw89: fw: get sb_sel_ver via get_unaligned_le32()
Date: Mon, 17 Feb 2025 14:43:05 +0800
Message-ID: <20250217064308.43559-3-pkshih@realtek.com>
In-Reply-To: <20250217064308.43559-1-pkshih@realtek.com>
References: <20250217064308.43559-1-pkshih@realtek.com>
X-Mailing-List: linux-wireless@vger.kernel.org

The sb_sel_ver is the selection version for secure boot recorded in firmware binary data; its size is 4 and its offset is 58 (not naturally aligned). Use get_unaligned_le32() to get this value safely.

Found this by reviewing.

Signed-off-by: Ping-Ke Shih
--- drivers/net/wireless/realtek/rtw89/fw.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/realtek/rtw89/fw.c b/drivers/net/wireless/realtek/rtw89/fw.c index 17f80f1f23df..abbf420463bd 100644 --- a/drivers/net/wireless/realtek/rtw89/fw.c +++ b/drivers/net/wireless/realtek/rtw89/fw.c 
@@ -324,7 +324,7 @@ static int __parse_formatted_mssc(struct rtw89_dev *rtwdev, if (!sec->secure_boot) goto out; - sb_sel_ver = le32_to_cpu(section_content->sb_sel_ver.v); + sb_sel_ver = get_unaligned_le32(§ion_content->sb_sel_ver.v); if (sb_sel_ver && sb_sel_ver != sec->sb_sel_mgn) goto ignore; 
From patchwork Mon Feb 17 06:43:06 2025
X-Patchwork-Submitter: Ping-Ke Shih
X-Patchwork-Id: 866428
From: Ping-Ke Shih
Subject: [PATCH 3/5] wifi: rtw89: fw: propagate error code from rtw89_h2c_tx()
Date: Mon, 17 Feb 2025 14:43:06 +0800
Message-ID: <20250217064308.43559-4-pkshih@realtek.com>
In-Reply-To: <20250217064308.43559-1-pkshih@realtek.com>
References: <20250217064308.43559-1-pkshih@realtek.com>
X-Mailing-List: linux-wireless@vger.kernel.org

The error code should be propagated to callers during downloading firmware header and body. Remove unnecessary assignment of -1.

Signed-off-by: Ping-Ke Shih
--- drivers/net/wireless/realtek/rtw89/fw.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/drivers/net/wireless/realtek/rtw89/fw.c b/drivers/net/wireless/realtek/rtw89/fw.c index abbf420463bd..d9efe14fc687 100644 --- a/drivers/net/wireless/realtek/rtw89/fw.c +++ b/drivers/net/wireless/realtek/rtw89/fw.c @@ -1510,7 +1510,6 @@ static int __rtw89_fw_download_hdr(struct rtw89_dev *rtwdev, ret = rtw89_h2c_tx(rtwdev, skb, false); if (ret) { rtw89_err(rtwdev, "failed to send h2c\n"); - ret = -1; goto fail; } 
@@ -1597,7 +1596,6 @@ static int __rtw89_fw_download_main(struct rtw89_dev *rtwdev, ret = rtw89_h2c_tx(rtwdev, skb, true); if (ret) { rtw89_err(rtwdev, "failed to send h2c\n"); - ret = -1; goto fail; } 
From patchwork Mon Feb 17 06:43:07 2025
X-Patchwork-Submitter: Ping-Ke Shih
X-Patchwork-Id: 866081
From: Ping-Ke Shih
Subject: [PATCH 4/5] wifi: rtw89: fw: add debug message for unexpected secure firmware
Date: Mon, 17 Feb 2025 14:43:07 +0800
Message-ID: <20250217064308.43559-5-pkshih@realtek.com>
In-Reply-To: <20250217064308.43559-1-pkshih@realtek.com>
References: <20250217064308.43559-1-pkshih@realtek.com>
X-Mailing-List: linux-wireless@vger.kernel.org

If it fails to load a non-secure firmware with a secure chip, it only throws an unclear message:

  rtw89_8922ae 0000:03:00.0: parse fw header fail

To address this case more simply, add a message to point this out.

Signed-off-by: Ping-Ke Shih
--- drivers/net/wireless/realtek/rtw89/fw.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/realtek/rtw89/fw.c b/drivers/net/wireless/realtek/rtw89/fw.c index d9efe14fc687..abbf406a202d 100644 --- a/drivers/net/wireless/realtek/rtw89/fw.c +++ b/drivers/net/wireless/realtek/rtw89/fw.c 
@@ -414,8 +414,11 @@ static int __parse_security_section(struct rtw89_dev *rtwdev, *mssc_len += section_info->mssc * FWDL_SECURITY_CHKSUM_LEN; if (sec->secure_boot) { - if (sec->mss_idx >= section_info->mssc) + if (sec->mss_idx >= section_info->mssc) { + rtw89_err(rtwdev, "unexpected MSS %d >= %d\n", + sec->mss_idx, section_info->mssc); return -EFAULT; + } section_info->key_addr = content + section_info->len + sec->mss_idx * FWDL_SECURITY_SIGLEN; section_info->key_len = FWDL_SECURITY_SIGLEN; 
From patchwork Mon Feb 17 06:43:08 2025
X-Patchwork-Submitter: Ping-Ke Shih
X-Patchwork-Id: 866427
From: Ping-Ke Shih
Subject: [PATCH 5/5] wifi: rtw89: fw: safely cast mfw_hdr pointer from firmware->data
Date: Mon, 17 Feb 2025 14:43:08 +0800
Message-ID: <20250217064308.43559-6-pkshih@realtek.com>
In-Reply-To: <20250217064308.43559-1-pkshih@realtek.com>
References: <20250217064308.43559-1-pkshih@realtek.com>
X-Mailing-List: linux-wireless@vger.kernel.org

Check that the size of struct mfw_hdr is within firmware->size before type casting, to ensure fields can be validly dereferenced from the mfw_hdr pointer. Then, check if the signature field is equal to RTW89_MFW_SIG to assert that the current firmware is multi-firmware.

Addresses-Coverity-ID: 1494046 ("Untrusted loop bound")
Addresses-Coverity-ID: 1544385 ("Untrusted array index read")
Signed-off-by: Ping-Ke Shih
--- drivers/net/wireless/realtek/rtw89/fw.c | 30 ++++++++++++++++++++----- 1 file changed, 24 insertions(+), 6 deletions(-) diff --git a/drivers/net/wireless/realtek/rtw89/fw.c b/drivers/net/wireless/realtek/rtw89/fw.c index abbf406a202d..7a591ddb910f 100644 --- a/drivers/net/wireless/realtek/rtw89/fw.c +++ b/drivers/net/wireless/realtek/rtw89/fw.c @@ -542,6 +542,23 @@ static int rtw89_fw_hdr_parser(struct rtw89_dev *rtwdev, } } +static +const struct rtw89_mfw_hdr *rtw89_mfw_get_hdr_ptr(struct rtw89_dev *rtwdev, + const struct firmware *firmware) +{ + const struct rtw89_mfw_hdr *mfw_hdr; + + if (sizeof(*mfw_hdr) > firmware->size) + return NULL; + + mfw_hdr = (const struct rtw89_mfw_hdr *)firmware->data; + + if (mfw_hdr->sig != RTW89_MFW_SIG) + return NULL; + + return mfw_hdr; +} + static int rtw89_mfw_validate_hdr(struct rtw89_dev *rtwdev, const struct firmware *firmware, const struct rtw89_mfw_hdr *mfw_hdr) 
@@ -572,14 +589,15 @@ int rtw89_mfw_recognize(struct rtw89_dev *rtwdev, enum rtw89_fw_type type, { struct rtw89_fw_info *fw_info = &rtwdev->fw; const struct firmware *firmware = fw_info->req.firmware; + const struct rtw89_mfw_info *mfw_info = NULL, *tmp; + const struct rtw89_mfw_hdr *mfw_hdr; const u8 *mfw = firmware->data; u32 mfw_len = firmware->size; - const struct rtw89_mfw_hdr *mfw_hdr = (const struct rtw89_mfw_hdr *)mfw; - const struct rtw89_mfw_info *mfw_info = NULL, *tmp; int ret; int i; - if (mfw_hdr->sig != RTW89_MFW_SIG) { + mfw_hdr = rtw89_mfw_get_hdr_ptr(rtwdev, firmware); + if (!mfw_hdr) { rtw89_debug(rtwdev, RTW89_DBG_FW, "use legacy firmware\n"); /* legacy firmware support normal type only */ if (type != RTW89_FW_NORMAL) @@ -635,13 +653,13 @@ static u32 rtw89_mfw_get_size(struct rtw89_dev *rtwdev) { struct rtw89_fw_info *fw_info = &rtwdev->fw; const struct firmware *firmware = fw_info->req.firmware; - const struct rtw89_mfw_hdr *mfw_hdr = - (const struct rtw89_mfw_hdr *)firmware->data; const struct rtw89_mfw_info *mfw_info; + const struct rtw89_mfw_hdr *mfw_hdr; u32 size; int ret; - if (mfw_hdr->sig != RTW89_MFW_SIG) { + mfw_hdr = rtw89_mfw_get_hdr_ptr(rtwdev, firmware); + if (!mfw_hdr) { rtw89_warn(rtwdev, "not mfw format\n"); return 0; }
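
Review bot: [PATCH 1/5], fw.c, __check_secure_blacklist(): the reads of section_content->blacklist.bit_in_chip_list and .ver sit at offsets 0x20 and 0x21 of content, but nothing in the function checks that the section is at least 0x22 bytes long. Compare against section_info->len before dereferencing, or say in a comment where that length is guaranteed. Separately, the -EPERM message prints blacklist.ver while the lookup key is bit_in_chip_list; logging the bit index would identify which firmware was rejected.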
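
Review bot: [PATCH 1/5], rtw89_fw_blacklist_default and the per-chip .fw_blacklist initializers: the default has .ver = 0x00 and an all-zero list, so on chips that point to it no bit is ever set and the only check that can fire is the version one, which returns -EINVAL for any image whose blacklist.ver is above 0. A comment stating that this is a placeholder would help. rtw8851b and rtw8852a use .fw_blacklist = NULL, which sends a secure-boot part with a secure section down the -ENOENT path; please confirm in the commit message that these two chips never set sec->secure_boot, or point them at the default list.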
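
Review bot: [PATCH 2/5], __parse_formatted_mssc(): the commit message does not say whether the old le32_to_cpu() read could actually fault. The fw.h context in patch 1 shows union rtw89_fw_section_mssc_content closing with __packed; if the sb_sel_ver member is packed too, the compiler already emitted an unaligned-safe load and this is a readability change. State which case applies, and add a Fixes: tag if it corrects real behaviour on strict-alignment architectures.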
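
Review bot: [PATCH 4/5], __parse_security_section(): the new text "unexpected MSS %d >= %d" does not tell the user what the commit message says it should, namely that a non-secure firmware was offered to a secure chip. Consider wording that names the condition, and check that %d matches the types of sec->mss_idx and section_info->mssc (use %u if both are unsigned).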
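
Review bot: [PATCH 5/5], rtw89_mfw_get_hdr_ptr(): the rtwdev parameter is never used in the helper and can be dropped. The helper also returns NULL both for a file shorter than the header and for a signature mismatch, so rtw89_mfw_recognize() logs "use legacy firmware" and rtw89_mfw_get_size() logs "not mfw format" for a truncated file; a distinct return value or message for the too-short case would make that failure diagnosable. The two Coverity IDs concern a loop bound and an array index, which the sizeof() check alone does not cover; the commit message should say which check bounds them.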