Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp223655pxb; Thu, 21 Jan 2021 05:46:36 -0800 (PST) X-Google-Smtp-Source: ABdhPJzQvP2B5gBXpjS9hacH/q98WDe1IuXZSkZQDBnKzSN8SdOBZY2EVm6OesH326addxx2CIcp X-Received: by 2002:a17:907:7255:: with SMTP id ds21mr9385262ejc.258.1611236796554; Thu, 21 Jan 2021 05:46:36 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1611236796; cv=none; d=google.com; s=arc-20160816; b=R4CZXDzOTGFlHyfbpTrQFLsApB6+8bZVtajh7qpxlaXuDGX553On8IxzcM6G1VvtgJ e8zbXLU11lU5GVPuWsIzsx5B0vE55FVv4oVdbe8lLRHnY37GYLsKEwpYWnXlCg9y06jH ysD6ALQtYhvQNZssxC/Av6ihGvsMYbcBg6TJoqqk0iXxTQe+VsYUiIaLSdYVARSynni1 2XOMo0G1IuastoAhBbRO9F3CtsqXISUlvjd01oZ87xTcgXX3pTHqTPJArrTBD98sF5bf UbwHObMZ4/SuLn9x0FaivhaI/xHUO5yQQH8is7xVAFeiyO8tbY87LTC8KYUHrmEneY3D +ZzQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :mime-version:user-agent:date:message-id:cc:subject:from:to; bh=UUiCXFOSqjAdUvC0wdNT72TPUZ0us785diWKGNau67U=; b=pBo8K1m9sMhAkX+WbcJLh2QuRDdnmRNXi2KPRJf/EsAtFrz6nM9n41pqwGa2H5avYH eEEjaKkqn/HWjhfrtfTFa+kdVhYVkubC6hqs1A2n9vOZBABPfD777DG9HSISJYIVlyal 0dEhD8hVfjj8W10q+4uC6pFmyRGU0qOV7+51mnzbXe3DMySO6FeyVVKKR0MZxTWKDKEY 2Q9cprYljX+WS7MeTm3SnI+2TSHJw72d40bRX2hnm6Dm67taQ8mb+m+xL3hXH0Ju6GBO x//yUFS32QNyyzQzNiTgcpkNPvp8cuRVlCxEHmi3QINUNmkJAmSp+qEPPtDDcdbVIHHO gsKA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=canonical.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id b40si2347803edf.251.2021.01.21.05.46.12; Thu, 21 Jan 2021 05:46:36 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=canonical.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728942AbhAUNnB (ORCPT + 99 others); Thu, 21 Jan 2021 08:43:01 -0500 Received: from mail-pf1-f170.google.com ([209.85.210.170]:34900 "EHLO mail-pf1-f170.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727114AbhAUNh5 (ORCPT ); Thu, 21 Jan 2021 08:37:57 -0500 Received: by mail-pf1-f170.google.com with SMTP id w14so1516014pfi.2; Thu, 21 Jan 2021 05:37:21 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:to:from:subject:cc:message-id:date:user-agent :mime-version:content-language:content-transfer-encoding; bh=UUiCXFOSqjAdUvC0wdNT72TPUZ0us785diWKGNau67U=; b=adl9o12y/CgGMozjQrScnzyDArrOBpch+XzKVCE5zuSJ4ox39Kw7mp6ozBLrYG28+c i36ubnze3YsUclaEEloh7yqjTMvAaWrg8qu9I34KaLaBYfJ1YaNocm31W0UaTTQGaYhx Pfj5HRiLKDVMPm/IpZhaFJpEJx+1zDCrJsyE2nGB9BI3KZmsJCxSPKH7+YN/fKc08Xzs 8IYekaofdrbvcK4vyJ8eutmQqEnNALh4MwVvD/7dNnBY2kfrRa0/1Wr+WNVFbcCubyfM qQ0ZjFLC23Kcw0OicuHjSMhE5Olam6U/pD92c6fTSMQLpp8QNBtaR1cdQMdhSclgdjUd nZWw== X-Gm-Message-State: AOAM530qt/ZqpEQkNeQGqI5u1R7hrpFL8CQ7u+kYOSW6clWuVG/COmjM y20HpXOpioZTKSIepnmun0Y= X-Received: by 2002:a63:f109:: with SMTP id f9mr14587480pgi.390.1611236216077; Thu, 21 Jan 2021 05:36:56 -0800 (PST) Received: from [10.101.46.154] (61-220-137-37.HINET-IP.hinet.net. [61.220.137.37]) by smtp.gmail.com with ESMTPSA id w186sm1795614pfc.182.2021.01.21.05.36.51 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 21 Jan 2021 05:36:54 -0800 (PST) To: Luca Coelho , Ihab Zhaika From: You-Sheng Yang Subject: iwlwifi may wrongly cast a iwl_cfg_trans_params to iwl_cfg Cc: "David S. Miller\"" , Kalle Valo , Jakub Kicinski , netdev@vger.kernel.org, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, You-Sheng Yang Message-ID: Date: Thu, 21 Jan 2021 21:36:48 +0800 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.6.1 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi, With an Intel AX201 Wi-Fi [8086:43f0] subsystem [1a56:1652] pcie card, device fails to load firmware with following error messages: Intel(R) Wireless WiFi driver for Linux iwlwifi 0000:00:14.3: enabling device (0000 -> 0002) iwlwifi 0000:00:14.3: Direct firmware load for (efault)128.ucode failed with error -2 iwlwifi 0000:00:14.3: Direct firmware load for (efault)127.ucode failed with error -2 ... iwlwifi 0000:00:14.3: Direct firmware load for (efault)0.ucode failed with error -2 iwlwifi 0000:00:14.3: no suitable firmware found! iwlwifi 0000:00:14.3: minimum version required: (efault)0 iwlwifi 0000:00:14.3: maximum version supported: (efault)128 This is also reported on some public forums: * https://askubuntu.com/questions/1297311/ubuntu-20-04-wireless-not-working-for-intel-ax1650i-lenovo-thinkpad * https://www.reddit.com/r/pop_os/comments/jxmnre/wifi_and_bluetooth_issues_in_2010/ In drivers/net/wireless/intel/iwlwifi/pcie/drv.c: static const struct pci_device_id iwl_hw_card_ids[] = { {IWL_PCI_DEVICE(0x4232, 0x1201, iwl5100_agn_cfg)}, ... {IWL_PCI_DEVICE(0x43F0, PCI_ANY_ID, iwl_qu_long_latency_trans_cfg)}, ... }; The third argument to IWL_PCI_DEVICE macro will be assigned to driver_data field of struct pci_device_id. However, iwl5100_agn_cfg has type struct iwl_cfg, and yet iwl_qu_long_latency_trans_cfg is typed struct iwl_cfg_trans_params. struct iwl_cfg_trans_params { ... }; struct iwl_cfg { struct iwl_cfg_trans_params trans; const char *name; const char *fw_name_pre; ... }; It's fine to cast a pointer to struct iwl_cfg, but it's not always valid to cast a struct iwl_cfg_trans_params to struct iwl_cfg. In function iwl_pci_probe, it tries to find an alternative cfg by iterating throughout iwl_dev_info_table, but in our case, [8086:43f0] subsystem [1a56:1652], there will be no match in all of the candidates, and iwl_qu_long_latency_trans_cfg will be assigned as the ultimate struct iwl_cfg, which will be certainly wrong when you're trying to dereference anything beyond sizeof(struct iwl_cfg_trans_params), e.g. cfg->fw_name_pre. In this case, ((struct iwl_cfg_trans_params*)&iwl_qu_long_latency_trans_cfg)->name will be "'", and ((struct iwl_cfg_trans_params*)&iwl_qu_long_latency_trans_cfg)->fw_name_pre gives "(efault)", pure garbage data. So is there something missed in the iwl_dev_info_table, or better, just find another solid safe way to handle such trans/cfg mix? Regards, You-Sheng Yang