From: Kalle Valo
To: Jiri Slaby
Cc: johannes.berg@intel.com, linux-kernel@vger.kernel.org, Dieter Nützel, Emmanuel Grumbach, Luca Coelho, Intel Linux Wireless, "David S. Miller", Jakub Kicinski, linux-wireless@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: [PATCH] iwl: fix crash in iwl_dbg_tlv_alloc_trigger
References: <20200612073800.27742-1-jslaby@suse.cz>
Date: Fri, 12 Jun 2020 10:55:42 +0300
In-Reply-To: <20200612073800.27742-1-jslaby@suse.cz> (Jiri Slaby's message of "Fri, 12 Jun 2020 09:38:00 +0200")
Message-ID: <87d064k9a9.fsf@codeaurora.org>
X-Mailing-List: linux-wireless@vger.kernel.org

Jiri Slaby writes:

> The tlv passed to iwl_dbg_tlv_alloc_trigger comes from a loaded firmware
> file. The memory can be marked as read-only as firmware could be
> shared. In anyway, writing to this memory is not expected. So,
> iwl_dbg_tlv_alloc_trigger can crash now:
>
>   BUG: unable to handle page fault for address: ffffae2c01bfa794
>   PF: supervisor write access in kernel mode
>   PF: error_code(0x0003) - permissions violation
>   PGD 107d51067 P4D 107d51067 PUD 107d52067 PMD 659ad2067 PTE 8000000662298161
>   CPU: 2 PID: 161 Comm: kworker/2:1 Not tainted 5.7.0-3.gad96a07-default #1 openSUSE Tumbleweed (unreleased)
>   RIP: 0010:iwl_dbg_tlv_alloc_trigger+0x25/0x60 [iwlwifi]
>   Code: eb f2 0f 1f 00 66 66 66 66 90 83 7e 04 33 48 89 f8 44 8b 46 10 48 89 f7 76 40 41 8d 50 ff 83 fa 19 77 23 8b 56 20 85 d2 75 07 46 20 ff ff ff ff 4b 8d 14 40 48 c1 e2 04 48 8d b4 10 00 05 00
>   RSP: 0018:ffffae2c00417ce8 EFLAGS: 00010246
>   RAX: ffff8f0522334018 RBX: ffff8f0522334018 RCX: ffffffffc0fc26c0
>   RDX: 0000000000000000 RSI: ffffae2c01bfa774 RDI: ffffae2c01bfa774
>   RBP: 0000000000000000 R08: 0000000000000004 R09: 0000000000000001
>   R10: 0000000000000034 R11: ffffae2c01bfa77c R12: ffff8f0522334230
>   R13: 0000000001000009 R14: ffff8f0523fdbc00 R15: ffff8f051f395800
>   FS: 0000000000000000(0000) GS:ffff8f0527c80000(0000) knlGS:0000000000000000
>   CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>   CR2: ffffae2c01bfa794 CR3: 0000000389eba000 CR4: 00000000000006e0
>   Call Trace:
>    iwl_dbg_tlv_alloc+0x79/0x120 [iwlwifi]
>    iwl_parse_tlv_firmware.isra.0+0x57d/0x1550 [iwlwifi]
>    iwl_req_fw_callback+0x3f8/0x6a0 [iwlwifi]
>    request_firmware_work_func+0x47/0x90
>    process_one_work+0x1e3/0x3b0
>    worker_thread+0x46/0x340
>    kthread+0x115/0x140
>    ret_from_fork+0x1f/0x40
>
> As can be seen, write bit is not set in the PTE. Read of
> trig->occurrences succeeds in iwl_dbg_tlv_alloc_trigger, but
> trig->occurrences = cpu_to_le32(-1); fails there, obviously.
>
> This is likely because we (at SUSE) use compressed firmware and that is
> marked as RO after decompression (see fw_map_paged_buf).
>
> Fix it by creating a temporary buffer in case we need to change the
> memory.
>
> Signed-off-by: Jiri Slaby
> Reported-by: Dieter Nützel
> Tested-by: Dieter Nützel
> Cc: Johannes Berg
> Cc: Emmanuel Grumbach
> Cc: Luca Coelho
> Cc: Intel Linux Wireless
> Cc: Kalle Valo
> Cc: "David S. Miller"
> Cc: Jakub Kicinski
> Cc: linux-wireless@vger.kernel.org
> Cc: netdev@vger.kernel.org
> ---
>  drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c | 16 ++++++++++++++--

The prefix should be "iwlwifi: ", I can fix that.

Luca, should I take this to wireless-drivers?

-- 
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
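
The failure mode and the fix described in the quoted commit message, as an added userspace example that is not part of the original mail and is not the iwlwifi patch. The record layout and the names `trig_tlv`, `load_readonly` and `store_trigger` are hypothetical; a read-only `mmap` page stands in for the firmware buffer.

```c
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

/* Hypothetical, simplified trigger record; not the iwlwifi layout. */
struct trig_tlv {
    uint32_t type, length, time_point;
    uint32_t occurrences;            /* 0 in the file means "no limit" */
};

/* Copy a record into a fresh page and drop write permission, imitating
 * a firmware image that is mapped read-only after loading. */
static const struct trig_tlv *load_readonly(const struct trig_tlv *src)
{
    void *page = mmap(NULL, 4096, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return NULL;
    memcpy(page, src, sizeof(*src));
    if (mprotect(page, 4096, PROT_READ) != 0)
        return NULL;
    return page;
}

/* The parameter is const, so the compiler rejects an in-place fix-up.
 * The default is applied to a private copy; writing through `fw`
 * instead would fault on the page set up by load_readonly(). */
static struct trig_tlv *store_trigger(const struct trig_tlv *fw)
{
    struct trig_tlv *copy = malloc(sizeof(*copy));
    if (!copy)
        return NULL;
    memcpy(copy, fw, sizeof(*copy));
    if (copy->occurrences == 0)
        copy->occurrences = UINT32_MAX;  /* all ones, i.e. (u32)-1 */
    return copy;
}

int main(void)
{
    const struct trig_tlv file = { 1, 16, 7, 0 };   /* constructed sample */
    const struct trig_tlv *fw = load_readonly(&file);
    struct trig_tlv *t = fw ? store_trigger(fw) : NULL;
    int ok = t && fw->occurrences == 0 && t->occurrences == UINT32_MAX;
    free(t);
    return ok ? 0 : 1;
}
```

Treating parsed firmware as `const` end to end turns this class of bug into a compile error instead of a page fault that only shows up when the loader happens to map the image read-only.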