2018-05-19 18:31:23

by Eric Biggers

Subject: [4.17 iwlwifi regression] NULL pointer dereference in reg_query_regdb_wmm()

Hello,

Using v4.17-rc5, on a laptop with an "Intel Corporation Wireless 3165 (rev 79)"
using the iwlwifi driver, I get a NULL pointer dereference immediately after
boot. Apparently, the 'regdb' variable in net/wireless/reg.c is NULL, yet
reg_query_regdb_wmm() is checking for IS_ERR(). It goes away if I revert commit
77e30e10ee28a5 ("iwlwifi: mvm: query regdb for wmm rule if needed"). The
symbolized crash report is:

BUG: unable to handle kernel NULL pointer dereference at 000000000000000a
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP PTI
Modules linked in: kvm_intel kvm irqbypass joydev
CPU: 2 PID: 371 Comm: NetworkManager Tainted: G T 4.17.0-rc5-00140-g0b449a441dac #5
Hardware name: Dell Inc. Inspiron 15-7568/0M5YMV, BIOS 01.00.00 08/07/2015
RIP: 0010:reg_query_regdb_wmm+0x14/0x160 net/wireless/reg.c:919
RSP: 0018:ffffad458102b4f0 EFLAGS: 00010207
RAX: ffff96a8e7b350a0 RBX: ffff96a8e7b35000 RCX: ffff96a8e7b35638
RDX: ffff96a8e14ee408 RSI: 000000000000143c RDI: ffff96a8e7b35018
RBP: 0000000000000005 R08: 0000000000013088 R09: 0000000000000000
R10: 0000000000000004 R11: 000000000000143c R12: ffffffff93ebd7a0
R13: ffff96a8e14ee400 R14: 0000000000000040 R15: 000000000000000e
FS: 00007f29f1311880(0000) GS:ffff96a8f2500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000000000a CR3: 0000000260e9c005 CR4: 00000000003606e0
Call Trace:
iwl_parse_nvm_mcc_info+0x267/0x4e0 drivers/net/wireless/intel/iwlwifi/iwl-nvm-parse.c:962
iwl_mvm_get_regdomain+0x67/0xb0 drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c:311
iwl_mvm_init_mcc+0x6f/0x1f0 drivers/net/wireless/intel/iwlwifi/mvm/nvm.c:783
iwl_mvm_up+0x79f/0x840 drivers/net/wireless/intel/iwlwifi/mvm/fw.c:1089
__iwl_mvm_mac_start+0x225/0x290 drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c:1108
iwl_mvm_mac_start+0x4e/0x120 drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c:1141
? inetdev_event+0x72/0x4d0 net/ipv4/devinet.c:1533
drv_start+0x2d/0x50 net/mac80211/driver-ops.c:26
ieee80211_do_open+0x453/0x880 net/mac80211/iface.c:558
__dev_open+0xb4/0x130 net/core/dev.c:1392
__dev_change_flags+0x1a1/0x210 net/core/dev.c:6955
? call_netdevice_notifiers net/core/dev.c:1752 [inline]
? __dev_notify_flags+0x56/0xf0 net/core/dev.c:6993
dev_change_flags+0x1e/0x60 net/core/dev.c:7024
? nla_put_ifalias+0x2e/0x90 net/core/rtnetlink.c:1459
do_setlink+0x656/0xd80 net/core/rtnetlink.c:2362
? new_slab_objects mm/slub.c:2452 [inline]
? ___slab_alloc+0x48a/0x560 mm/slub.c:2604
? memset include/linux/string.h:330 [inline]
? __nla_reserve+0x38/0x50 lib/nlattr.c:437
? __nla_put+0xc/0x20 lib/nlattr.c:568
? nla_put+0x2f/0x40 lib/nlattr.c:627
? nla_put_u8 include/net/netlink.h:780 [inline]
? rtnl_xdp_fill+0x172/0x1d0 net/core/rtnetlink.c:1379
? memset include/linux/string.h:330 [inline]
? __nla_reserve+0x38/0x50 lib/nlattr.c:437
? memset include/linux/string.h:330 [inline]
? __nla_reserve+0x38/0x50 lib/nlattr.c:437
? inet_fill_link_af+0x1c/0x50 net/ipv4/devinet.c:1738
? rtnl_newlink+0x793/0x930 net/core/rtnetlink.c:2970
? spin_unlock_irqrestore include/linux/spinlock.h:365 [inline]
? __wake_up_common_lock+0x84/0xb0 kernel/sched/wait.c:120
? rtnetlink_rcv_msg+0x121/0x390 net/core/rtnetlink.c:4646
? fast_dput fs/dcache.c:716 [inline]
? dput.part.5+0x92/0x120 fs/dcache.c:837
? __lookup_slow+0x137/0x160 fs/namei.c:1633
? rtnl_calcit.isra.14+0x110/0x110 net/core/rtnetlink.c:3188
? netlink_rcv_skb+0x44/0x110 net/netlink/af_netlink.c:2448
? netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
? netlink_unicast+0x18b/0x230 net/netlink/af_netlink.c:1336
? netlink_sendmsg+0x1f0/0x3b0 net/netlink/af_netlink.c:1901
? sock_sendmsg_nosec net/socket.c:629 [inline]
? sock_sendmsg+0x14/0x20 net/socket.c:639
? ___sys_sendmsg+0x28e/0x2f0 net/socket.c:2117
? try_to_wake_up+0x26a/0x360 kernel/sched/core.c:2060
? __check_object_size+0xf9/0x180 mm/usercopy.c:262
? rcu_read_unlock include/linux/rcupdate.h:687 [inline]
? __fget+0x67/0xa0 fs/file.c:697
? __sys_sendmsg+0x52/0xa0 net/socket.c:2155
? do_syscall_64+0x43/0xd0 arch/x86/entry/common.c:287
? entry_SYSCALL_64_after_hwframe+0x44/0xa9
Code: ff ff 0f 1f 44 00 00 eb ae 0f 1f 40 00 66 2e 0f 1f 84 00 00 00 00 00 4c 8b 0d 89 41 fd 00 49 81 f9 00 f0 ff ff 0f 87 12 01 00 00 <45> 0f b7 41 0a 49 89 d2 b8 c3 ff ff ff 49 8d 51 08 66 45 85 c0
RIP: reg_query_regdb_wmm+0x14/0x160 net/wireless/reg.c:919 RSP: ffffad458102b4f0
CR2: 000000000000000a
---[ end trace 0940319c2377625e ]---
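As an added example, not code from the thread or from net/wireless/reg.c, the block below models in user-space C the three states the cfg80211 'regdb' pointer can be in (not loaded, load failed, loaded) and why the original IS_ERR()-only guard at reg.c:919 lets the NULL state through; ERR_PTR()/IS_ERR()/IS_ERR_OR_NULL() follow the kernel's encoding from include/linux/err.h, while struct fwdb_model, query_regdb_wmm_model(), the guard helpers and the sample database entry are constructed stand-ins.

```c
/* Added example (not from the thread or from net/wireless/reg.c): a user-space
 * model of the three states cfg80211's 'regdb' pointer can be in, and of why an
 * IS_ERR() check alone misses one of them. struct fwdb_model is a stand-in. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_ERRNO 4095   /* kernel convention: errnos live in the top 4095 addresses */

static inline void *ERR_PTR(long err) { return (void *)(intptr_t)err; }
static inline long PTR_ERR(const void *p) { return (long)(intptr_t)p; }
static inline int IS_ERR(const void *p)
{
    return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO;
}
static inline int IS_ERR_OR_NULL(const void *p) { return !p || IS_ERR(p); }

/* Stand-in for the loaded regulatory database: one country, one WMM value. */
struct fwdb_model {
    char alpha2[2];
    uint32_t wmm_rule;
};

/* Same life cycle as cfg80211's 'regdb':
 *   NULL         -> regulatory.db not loaded yet (the state in the oops above)
 *   ERR_PTR(-E)  -> loading was attempted and failed
 *   valid        -> database available */
static const struct fwdb_model *regdb;

/* Guard as it stood before the fix: only IS_ERR(). IS_ERR(NULL) is false, so a
 * not-yet-loaded database falls through to the dereference. */
int guard_before_fix_rejects(const void *db) { return IS_ERR(db); }

/* Guard with the fix applied: NULL is rejected as well as ERR_PTR values. */
int guard_after_fix_rejects(const void *db) { return IS_ERR_OR_NULL(db); }

/* Look up the WMM value for alpha2: 0 and *rule on success, -errno otherwise.
 * Uses the ordering of the fix: reject NULL, then ERR_PTR, then look up. */
int query_regdb_wmm_model(const char *alpha2, uint32_t *rule)
{
    const struct fwdb_model *hdr = regdb;  /* pointer copy only, no dereference */

    if (!regdb)
        return -ENODATA;          /* not loaded yet: caller must cope with it */
    if (IS_ERR(regdb))
        return (int)PTR_ERR(regdb);
    if (hdr->alpha2[0] != alpha2[0] || hdr->alpha2[1] != alpha2[1])
        return -ENODATA;          /* country absent from this tiny database */
    *rule = hdr->wmm_rule;
    return 0;
}

/* Drive the pointer through all three states; returns 0 if every step behaves
 * as the fixed code should, otherwise the number of the first failing step. */
int exercise_states(void)
{
    static const struct fwdb_model db = { { 'F', 'I' }, 0x2a }; /* constructed */
    uint32_t rule = 0;

    regdb = NULL;                          /* state 1: not loaded yet */
    if (guard_before_fix_rejects(regdb))   /* the old guard lets NULL through */
        return 1;
    if (!guard_after_fix_rejects(regdb))
        return 2;
    if (query_regdb_wmm_model("FI", &rule) != -ENODATA)
        return 3;
    regdb = ERR_PTR(-ENOENT);              /* state 2: load failed */
    if (query_regdb_wmm_model("FI", &rule) != -ENOENT)
        return 4;
    regdb = &db;                           /* state 3: loaded */
    if (query_regdb_wmm_model("FI", &rule) != 0 || rule != 0x2a)
        return 5;
    if (query_regdb_wmm_model("US", &rule) != -ENODATA)
        return 6;
    return 0;
}

int main(void)
{
    printf("exercise_states() = %d (0 means all three states are handled)\n",
           exercise_states());
    return 0;
}
```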


2018-05-21 10:12:00

by Dreyfuss, Haim

Subject: RE: [4.17 iwlwifi regression] NULL pointer dereference in reg_query_regdb_wmm()

You can use the following link if you find it suitable for you
https://wireless.wiki.kernel.org/en/users/drivers/iwlwifi/debugging#tracing

cheers
Dreyfuss


2018-05-22 04:47:16

by Eric Biggers

Subject: Re: [4.17 iwlwifi regression] NULL pointer dereference in reg_query_regdb_wmm()

Hi Haim,

On Mon, May 21, 2018 at 10:10:09AM +0000, Dreyfuss, Haim wrote:
> Hello,
>
> Can you provide the following information?
> 1. The *boot* you mentioned is from clean shutdown or from Sx state?
> 2. Do you know which MCC the driver is trying to update?
> I would appreciate it if you could reproduce it with trace-cmd (recording at least iwlwifi, iwlwifi_msg and iwlwifi_ucode)
> Or if you can't, just send dmesg but make sure to set iwlwifi.debug in the kernel parameters to 0x4000
>

It's a clean boot, from powered off.

I built a v4.17-rc6 kernel with CONFIG_IWLWIFI_DEBUG=y and booted with
iwlwifi.debug=0x4000. I've attached the dmesg output and kernel config.

The crash happens right away, so there's no time to easily run trace-cmd.
But if the other stuff still isn't enough, I can try booting with the
NetworkManager service disabled, then enabling it at runtime.

- Eric


Attachments:
dmesg (51.93 kB)
config (97.30 kB)

2018-05-22 07:58:06

by Dreyfuss, Haim

Subject: RE: [4.17 iwlwifi regression] NULL pointer dereference in reg_query_regdb_wmm()

Thanks Eric,

I will look into it

Cheers
Dreyfuss


2018-05-21 07:42:04

by Luca Coelho

Subject: Re: [4.17 iwlwifi regression] NULL pointer dereference in reg_query_regdb_wmm()

On Sat, 2018-05-19 at 11:33 -0700, Eric Biggers wrote:
> Hello,
>
> Using v4.17-rc5, on a laptop with an "Intel Corporation Wireless 3165
> (rev 79)"
> using the iwlwifi driver, I get a NULL pointer dereference
> immediately after
> boot. Apparently, the 'regdb' variable in net/wireless/reg.c is
> NULL, yet
> reg_query_regdb_wmm() is checking for IS_ERR(). It goes away if I
> revert commit
> 77e30e10ee28a5 ("iwlwifi: mvm: query regdb for wmm rule if
> needed"). The
> symbolized crash report is:
>
> BUG: unable to handle kernel NULL pointer dereference at
> 000000000000000a

Thanks for the report and analysis! Haim is working on a fix and I will
send it out later today.

--
Cheers,
Luca.

2018-05-21 20:35:07

by Luca Coelho

Subject: [PATCH] cfg80211: fix NULL pointer dereference when querying regdb

From: Haim Dreyfuss <[email protected]>

Some drivers may call this function when regdb is not initialized yet,
so we need to make sure regdb is valid before trying to access it.

Make sure regdb is initialized before trying to access it in
reg_query_regdb_wmm() and query_regdb().

Reported-by: Eric Biggers <[email protected]>
Signed-off-by: Haim Dreyfuss <[email protected]>
Signed-off-by: Luca Coelho <[email protected]>
---
net/wireless/reg.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/net/wireless/reg.c b/net/wireless/reg.c
index 9806380ec671..91ebe2425b0d 100644
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -916,6 +916,9 @@ int reg_query_regdb_wmm(char *alpha2, int freq, u32 *dbptr,
const struct fwdb_header *hdr = regdb;
const struct fwdb_country *country;

+ if (!regdb)
+ return -ENODATA;
+
if (IS_ERR(regdb))
return PTR_ERR(regdb);

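Review bot: the commit message says the initialization check is added in both reg_query_regdb_wmm() and query_regdb(), but the only hunk is in reg_query_regdb_wmm() and the diffstat reports 3 insertions in total, so either a second hunk for query_regdb() is missing or the message should name only the function actually changed. The ordering in the hunk is right: `if (!regdb)` has to come before `if (IS_ERR(regdb))`, because IS_ERR() is false for a NULL pointer and that is exactly how the NULL dereference at reg.c:919 got past the existing check; `IS_ERR_OR_NULL(regdb)` could fold both tests into one branch if a single error code for both cases were acceptable. Callers such as the iwlwifi NVM parser in the trace now receive -ENODATA early in boot and need to treat it as "no WMM rule available yet" rather than as a fatal error, which the thread notes is still being handled on the driver side.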
--
2.17.0

2018-05-21 17:57:54

by Kalle Valo

Subject: Re: [4.17 iwlwifi regression] NULL pointer dereference in reg_query_regdb_wmm()

Luca Coelho <[email protected]> writes:

> On Mon, 2018-05-21 at 19:25 +0300, Kalle Valo wrote:
>> Luca Coelho <[email protected]> writes:
>>
>> > On Sat, 2018-05-19 at 11:33 -0700, Eric Biggers wrote:
>> > > Hello,
>> > >
>> > > Using v4.17-rc5, on a laptop with an "Intel Corporation Wireless
>> > > 3165
>> > > (rev 79)"
>> > > using the iwlwifi driver, I get a NULL pointer dereference
>> > > immediately after
>> > > boot. Apparently, the 'regdb' variable in net/wireless/reg.c is
>> > > NULL, yet
>> > > reg_query_regdb_wmm() is checking for IS_ERR(). It goes away if
>> > > I
>> > > revert commit
>> > > 77e30e10ee28a5 ("iwlwifi: mvm: query regdb for wmm rule if
>> > > needed"). The
>> > > symbolized crash report is:
>> > >
>> > > BUG: unable to handle kernel NULL pointer dereference at
>> > > 000000000000000a
>> >
>> > Thanks for the report and analysis! Haim is working on a fix and I
>> > will
>> > send it out later today.
>>
>> We are on -rc6 already and getting close to the final v4.17 release. I
>> wonder whether we should just revert 77e30e10ee28a5 for now?
>
> I don't think we should revert it; this implements the new ETSI
> requirements for the WMM settings and this will be enforced in all new
> devices sold after mid-June (IIRC).
>
> We haven't seen this problem and cfg80211 should not crash if the
> driver does stupid things, so we should just reject the call if regdb
> is still NULL. It's a simple fix for the crash and the driver should
> recover from the issue later on.
>
> I'll push the patch for cfg80211 later this evening.

Very good that we have a quick fix, and I assume that will go through
the mac80211 tree so I can send my w-d pull request tomorrow.

--
Kalle Valo

2018-05-21 16:58:31

by Dreyfuss, Haim

Subject: RE: [4.17 iwlwifi regression] NULL pointer dereference in reg_query_regdb_wmm()

Yeah, MCC stands for Mobile Country Code.
You can find it in the dmesg
"iwl_mvm_get_regdomain Getting regdomain data for ZZ from FW "
" iwl_mvm_update_mcc send MCC update to FW with 'ZZ' src = 16"

Cheers
Dreyfuss


2018-05-21 16:25:44

by Kalle Valo

Subject: Re: [4.17 iwlwifi regression] NULL pointer dereference in reg_query_regdb_wmm()

Luca Coelho <[email protected]> writes:

> On Sat, 2018-05-19 at 11:33 -0700, Eric Biggers wrote:
>> Hello,
>>
>> Using v4.17-rc5, on a laptop with an "Intel Corporation Wireless 3165
>> (rev 79)"
>> using the iwlwifi driver, I get a NULL pointer dereference
>> immediately after
>> boot. Apparently, the 'regdb' variable in net/wireless/reg.c is
>> NULL, yet
>> reg_query_regdb_wmm() is checking for IS_ERR(). It goes away if I
>> revert commit
>> 77e30e10ee28a5 ("iwlwifi: mvm: query regdb for wmm rule if
>> needed"). The
>> symbolized crash report is:
>>
>> BUG: unable to handle kernel NULL pointer dereference at
>> 000000000000000a
>
> Thanks for the report and analysis! Haim is working on a fix and I will
> send it out later today.

We are on -rc6 already and getting close to the final v4.17 release. I
wonder whether we should just revert 77e30e10ee28a5 for now?

--
Kalle Valo

2018-05-21 16:30:13

by Luca Coelho

Subject: Re: [4.17 iwlwifi regression] NULL pointer dereference in reg_query_regdb_wmm()

On Mon, 2018-05-21 at 19:25 +0300, Kalle Valo wrote:
> Luca Coelho <[email protected]> writes:
>
> > On Sat, 2018-05-19 at 11:33 -0700, Eric Biggers wrote:
> > > Hello,
> > >
> > > Using v4.17-rc5, on a laptop with an "Intel Corporation Wireless
> > > 3165
> > > (rev 79)"
> > > using the iwlwifi driver, I get a NULL pointer dereference
> > > immediately after
> > > boot. Apparently, the 'regdb' variable in net/wireless/reg.c is
> > > NULL, yet
> > > reg_query_regdb_wmm() is checking for IS_ERR(). It goes away if
> > > I
> > > revert commit
> > > 77e30e10ee28a5 ("iwlwifi: mvm: query regdb for wmm rule if
> > > needed"). The
> > > symbolized crash report is:
> > >
> > > BUG: unable to handle kernel NULL pointer dereference at
> > > 000000000000000a
> >
> > Thanks for the report and analysis! Haim is working on a fix and I
> > will
> > send it out later today.
>
> We are on -rc6 already and getting close to the final v4.17 release. I
> wonder whether we should just revert 77e30e10ee28a5 for now?

I don't think we should revert it; this implements the new ETSI
requirements for the WMM settings and this will be enforced in all new
devices sold after mid-June (IIRC).

We haven't seen this problem and cfg80211 should not crash if the
driver does stupid things, so we should just reject the call if regdb
is still NULL. It's a simple fix for the crash and the driver should
recover from the issue later on.

I'll push the patch for cfg80211 later this evening. Haim is still
working on fixing it in the driver side.

--
Cheers,
Luca.

2018-05-22 04:59:09

by Eric Biggers

Subject: Re: [4.17 iwlwifi regression] NULL pointer dereference in reg_query_regdb_wmm()

On Mon, May 21, 2018 at 09:47:12PM -0700, Eric Biggers wrote:
> Hi Haim,
>
> On Mon, May 21, 2018 at 10:10:09AM +0000, Dreyfuss, Haim wrote:
> > Hello,
> >
> > Can you provide the following information?
> > 1. The *boot* you mentioned is from clean shutdown or from Sx state?
> > 2. Do you know which MCC the driver is trying to update?
> > I would appreciate it if you could reproduce it with trace-cmd (recording at least iwlwifi, iwlwifi_msg and iwlwifi_ucode)
> > Or if you can't, just send dmesg but make sure to set iwlwifi.debug in the kernel parameters to 0x4000
> >
>
> It's a clean boot, from powered off.
>
> I built a v4.17-rc6 kernel with CONFIG_IWLWIFI_DEBUG=y and booted with
> iwlwifi.debug=0x4000. I've attached the dmesg output and kernel config.
>
> The crash happens right away, so there's no time to easily run trace-cmd.
> But if the other stuff still isn't enough, I can try booting with the
> NetworkManager service disabled, then enabling it at runtime.
>
> - Eric

The crash goes away if I replace iwlwifi-7265D-27.ucode in CONFIG_EXTRA_FIRMWARE
with iwlwifi-7265D-29.ucode. I don't know how well supported using old iwlwifi
firmware versions is supposed to be, but it shouldn't crash the kernel.

- Eric

2018-05-21 10:10:14

by Dreyfuss, Haim

Subject: RE: [4.17 iwlwifi regression] NULL pointer dereference in reg_query_regdb_wmm()

Hello,

Can you provide the following information?
1. The *boot* you mentioned is from clean shutdown or from Sx state?
2. Do you know which MCC the driver is trying to update?
I would appreciate it if you could reproduce it with trace-cmd (recording at least iwlwifi, iwlwifi_msg and iwlwifi_ucode)
Or if you can't, just send dmesg but make sure to set iwlwifi.debug in the kernel parameters to 0x4000

Cheers
Dreyfuss

2018-05-22 14:06:26

by Kalle Valo

Subject: Re: [4.17 iwlwifi regression] NULL pointer dereference in reg_query_regdb_wmm()

"Dreyfuss, Haim" <[email protected]> writes:

> Yeah, MCC stands for Mobile Country Code.
> You can find it in the dmesg
> "iwl_mvm_get_regdomain Getting regdomain data for ZZ from FW "
> " iwl_mvm_update_mcc send MCC update to FW with 'ZZ' src = 16"

Please do not top post:

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches#do_not_top_post_and_edit_your_quotes

--
Kalle Valo

2018-05-21 16:28:33

by Kalle Valo

Subject: Re: [4.17 iwlwifi regression] NULL pointer dereference in reg_query_regdb_wmm()

"Dreyfuss, Haim" <[email protected]> writes:

> Can you provide the following information?
> 1. The *boot* you mentioned is from clean shutdown or from Sx state?
> 2. Do you know which MCC the driver is trying to update?

You could also give some hints on how to find the MCC and even tell what it
means. Is it Mobile Country Code or what?

--
Kalle Valo