The firmware replaces the last 32-bit on RAM with a shared DRAM address.

While the for-loop checks that thie value has changed since we wrote to
it, the timeout-condition checked for non-zero, which is wrong.  This
means that we didn't realize the firmware wasn't started.  While there,
make sure the shared DRAM address is inside the chip's address space.

diff --git a/sys/dev/pci/if_bwfm_pci.c b/sys/dev/pci/if_bwfm_pci.c
index 8488696..079b984 100644 (file)
--- a/sys/dev/pci/if_bwfm_pci.c
+++ b/sys/dev/pci/if_bwfm_pci.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: if_bwfm_pci.c,v 1.42 2021/02/25 23:55:41 patrick Exp $        */
+/*     $OpenBSD: if_bwfm_pci.c,v 1.43 2021/02/25 23:59:54 patrick Exp $        */
 /*
  * Copyright (c) 2010-2016 Broadcom Corporation
  * Copyright (c) 2017 Patrick Wildt <patrick@blueri.se>
@@ -788,10 +788,16 @@ bwfm_pci_load_microcode(struct bwfm_pci_softc *sc, const u_char *ucode, size_t s
                if (shared != written)
                        break;
        }
-       if (!shared) {
+       if (shared == written) {
                printf("%s: firmware did not come up\n", DEVNAME(sc));
                return 1;
        }
+       if (shared < bwfm->sc_chip.ch_rambase ||
+           shared >= bwfm->sc_chip.ch_rambase + bwfm->sc_chip.ch_ramsize) {
+               printf("%s: invalid shared RAM address 0x%08x\n", DEVNAME(sc),
+                   shared);
+               return 1;
+       }
 
        sc->sc_shared_address = shared;
        return 0;