Return-path: Received: from mail-pf0-f196.google.com ([209.85.192.196]:41550 "EHLO mail-pf0-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752451AbeESSbX (ORCPT ); Sat, 19 May 2018 14:31:23 -0400 Received: by mail-pf0-f196.google.com with SMTP id v63-v6so5207002pfk.8 for ; Sat, 19 May 2018 11:31:23 -0700 (PDT) Date: Sat, 19 May 2018 11:33:45 -0700 From: Eric Biggers To: Intel Linux Wireless , linux-wireless@vger.kernel.org, Haim Dreyfuss , Luca Coelho , Kalle Valo Subject: [4.17 iwlwifi regression] NULL pointer dereference in reg_query_regdb_wmm() Message-ID: <20180519183345.GA701@sol.localdomain> (sfid-20180519_203127_730661_E84C5E41) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: linux-wireless-owner@vger.kernel.org List-ID: Hello, Using v4.17-rc5, on a laptop with an "Intel Corporation Wireless 3165 (rev 79)" using the iwlwifi driver, I get a NULL pointer dereference immediately after boot. Apparently, the 'regdb' variable in net/wireless/reg.c is NULL, yet reg_query_regdb_wmm() only checks it with IS_ERR(), which does not treat NULL as an error, so the NULL pointer is dereferenced. The crash goes away if I revert commit 77e30e10ee28a5 ("iwlwifi: mvm: query regdb for wmm rule if needed"). The symbolized crash report is: BUG: unable to handle kernel NULL pointer dereference at 000000000000000a PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP PTI Modules linked in: kvm_intel kvm irqbypass joydev CPU: 2 PID: 371 Comm: NetworkManager Tainted: G T 4.17.0-rc5-00140-g0b449a441dac #5 Hardware name: Dell Inc. 
Inspiron 15-7568/0M5YMV, BIOS 01.00.00 08/07/2015 RIP: 0010:reg_query_regdb_wmm+0x14/0x160 net/wireless/reg.c:919 RSP: 0018:ffffad458102b4f0 EFLAGS: 00010207 RAX: ffff96a8e7b350a0 RBX: ffff96a8e7b35000 RCX: ffff96a8e7b35638 RDX: ffff96a8e14ee408 RSI: 000000000000143c RDI: ffff96a8e7b35018 RBP: 0000000000000005 R08: 0000000000013088 R09: 0000000000000000 R10: 0000000000000004 R11: 000000000000143c R12: ffffffff93ebd7a0 R13: ffff96a8e14ee400 R14: 0000000000000040 R15: 000000000000000e FS: 00007f29f1311880(0000) GS:ffff96a8f2500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000000000a CR3: 0000000260e9c005 CR4: 00000000003606e0 Call Trace: iwl_parse_nvm_mcc_info+0x267/0x4e0 drivers/net/wireless/intel/iwlwifi/iwl-nvm-parse.c:962 iwl_mvm_get_regdomain+0x67/0xb0 drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c:311 iwl_mvm_init_mcc+0x6f/0x1f0 drivers/net/wireless/intel/iwlwifi/mvm/nvm.c:783 iwl_mvm_up+0x79f/0x840 drivers/net/wireless/intel/iwlwifi/mvm/fw.c:1089 __iwl_mvm_mac_start+0x225/0x290 drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c:1108 iwl_mvm_mac_start+0x4e/0x120 drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c:1141 ? inetdev_event+0x72/0x4d0 net/ipv4/devinet.c:1533 drv_start+0x2d/0x50 net/mac80211/driver-ops.c:26 ieee80211_do_open+0x453/0x880 net/mac80211/iface.c:558 __dev_open+0xb4/0x130 net/core/dev.c:1392 __dev_change_flags+0x1a1/0x210 net/core/dev.c:6955 ? call_netdevice_notifiers net/core/dev.c:1752 [inline] ? __dev_notify_flags+0x56/0xf0 net/core/dev.c:6993 dev_change_flags+0x1e/0x60 net/core/dev.c:7024 ? nla_put_ifalias+0x2e/0x90 net/core/rtnetlink.c:1459 do_setlink+0x656/0xd80 net/core/rtnetlink.c:2362 ? new_slab_objects mm/slub.c:2452 [inline] ? ___slab_alloc+0x48a/0x560 mm/slub.c:2604 ? memset include/linux/string.h:330 [inline] ? __nla_reserve+0x38/0x50 lib/nlattr.c:437 ? __nla_put+0xc/0x20 lib/nlattr.c:568 ? nla_put+0x2f/0x40 lib/nlattr.c:627 ? nla_put_u8 include/net/netlink.h:780 [inline] ? 
rtnl_xdp_fill+0x172/0x1d0 net/core/rtnetlink.c:1379 ? memset include/linux/string.h:330 [inline] ? __nla_reserve+0x38/0x50 lib/nlattr.c:437 ? memset include/linux/string.h:330 [inline] ? __nla_reserve+0x38/0x50 lib/nlattr.c:437 ? inet_fill_link_af+0x1c/0x50 net/ipv4/devinet.c:1738 ? rtnl_newlink+0x793/0x930 net/core/rtnetlink.c:2970 ? spin_unlock_irqrestore include/linux/spinlock.h:365 [inline] ? __wake_up_common_lock+0x84/0xb0 kernel/sched/wait.c:120 ? rtnetlink_rcv_msg+0x121/0x390 net/core/rtnetlink.c:4646 ? fast_dput fs/dcache.c:716 [inline] ? dput.part.5+0x92/0x120 fs/dcache.c:837 ? __lookup_slow+0x137/0x160 fs/namei.c:1633 ? rtnl_calcit.isra.14+0x110/0x110 net/core/rtnetlink.c:3188 ? netlink_rcv_skb+0x44/0x110 net/netlink/af_netlink.c:2448 ? netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline] ? netlink_unicast+0x18b/0x230 net/netlink/af_netlink.c:1336 ? netlink_sendmsg+0x1f0/0x3b0 net/netlink/af_netlink.c:1901 ? sock_sendmsg_nosec net/socket.c:629 [inline] ? sock_sendmsg+0x14/0x20 net/socket.c:639 ? ___sys_sendmsg+0x28e/0x2f0 net/socket.c:2117 ? try_to_wake_up+0x26a/0x360 kernel/sched/core.c:2060 ? __check_object_size+0xf9/0x180 mm/usercopy.c:262 ? rcu_read_unlock include/linux/rcupdate.h:687 [inline] ? __fget+0x67/0xa0 fs/file.c:697 ? __sys_sendmsg+0x52/0xa0 net/socket.c:2155 ? do_syscall_64+0x43/0xd0 arch/x86/entry/common.c:287 ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 Code: ff ff 0f 1f 44 00 00 eb ae 0f 1f 40 00 66 2e 0f 1f 84 00 00 00 00 00 4c 8b 0d 89 41 fd 00 49 81 f9 00 f0 ff ff 0f 87 12 01 00 00 <45> 0f b7 41 0a 49 89 d2 b8 c3 ff ff ff 49 8d 51 08 66 45 85 c0 RIP: reg_query_regdb_wmm+0x14/0x160 net/wireless/reg.c:919 RSP: ffffad458102b4f0 CR2: 000000000000000a ---[ end trace 0940319c2377625e ]---