Date: Fri, 05 Nov 2021 08:21:44 +0100
From: Takashi Iwai
To: Ping-Ke Shih
Cc: Kalle Valo, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, Larry Finger
Subject: Re: [PATCH] rtw89: Fix crash by loading compressed firmware file
In-Reply-To: <20211105071725.31539-1-tiwai@suse.de>
References: <20211105071725.31539-1-tiwai@suse.de>
X-Mailing-List: linux-wireless@vger.kernel.org

On Fri, 05 Nov 2021 08:17:25 +0100,
Takashi Iwai wrote:
>
> When a firmware is loaded in the compressed format or via user-mode
> helper, it's mapped in read-only, and the rtw89 driver crashes at
> rtw89_fw_download() when it tries to modify some data.
>
> This patch is an attempt to avoid the crash by re-allocating the data
> via vmalloc() for the data modification.

Alternatively, we may drop the code that modifies the loaded firmware
data?  At least SET_FW_HDR_PART_SIZE() in rtw89_fw_hdr_parser() looks
like it is writing it, and I have no idea why this overwrite is needed.

thanks,

Takashi

>
> Buglink: https://bugzilla.opensuse.org/show_bug.cgi?id=1188303
> Signed-off-by: Takashi Iwai
>
> --- > drivers/net/wireless/realtek/rtw89/core.h | 3 ++- > drivers/net/wireless/realtek/rtw89/fw.c | 15 ++++++++++----- > 2 files changed, 12 insertions(+), 6 deletions(-) > > diff --git a/drivers/net/wireless/realtek/rtw89/core.h b/drivers/net/wireless/realtek/rtw89/core.h > index c2885e4dd882..048855e05697 100644 > --- a/drivers/net/wireless/realtek/rtw89/core.h
> +++ b/drivers/net/wireless/realtek/rtw89/core.h > @@ -2309,7 +2309,8 @@ struct rtw89_fw_suit { > RTW89_FW_VER_CODE((s)->major_ver, (s)->minor_ver, (s)->sub_ver, (s)->sub_idex) > > struct rtw89_fw_info { > - const struct firmware *firmware; > + const void *firmware; > + size_t firmware_size; > struct rtw89_dev *rtwdev; > struct completion completion; > u8 h2c_seq; > diff --git a/drivers/net/wireless/realtek/rtw89/fw.c b/drivers/net/wireless/realtek/rtw89/fw.c > index 212aaf577d3c..b59fecaeea25 100644 > --- a/drivers/net/wireless/realtek/rtw89/fw.c > +++ b/drivers/net/wireless/realtek/rtw89/fw.c > @@ -124,8 +124,8 @@ int rtw89_mfw_recognize(struct rtw89_dev *rtwdev, enum rtw89_fw_type type, > struct rtw89_fw_suit *fw_suit) > { > struct rtw89_fw_info *fw_info = &rtwdev->fw; > - const u8 *mfw = fw_info->firmware->data; > - u32 mfw_len = fw_info->firmware->size; > + const u8 *mfw = fw_info->firmware; > + u32 mfw_len = fw_info->firmware_size; > const struct rtw89_mfw_hdr *mfw_hdr = (const struct rtw89_mfw_hdr *)mfw; > const struct rtw89_mfw_info *mfw_info; > int i; > @@ -489,7 +489,10 @@ static void rtw89_load_firmware_cb(const struct firmware *firmware, void *contex > return; > } > > - fw->firmware = firmware; > + fw->firmware = vmalloc(firmware->size); > + if (fw->firmware) > + memcpy((void *)fw->firmware, firmware->data, firmware->size); > + release_firmware(firmware); > complete_all(&fw->completion); > } > > @@ -518,8 +521,10 @@ void rtw89_unload_firmware(struct rtw89_dev *rtwdev) > > rtw89_wait_firmware_completion(rtwdev); > > - if (fw->firmware) > - release_firmware(fw->firmware); > + if (fw->firmware) { > + vfree(fw->firmware); > + fw->firmware = NULL; > + } > } > > #define H2C_CAM_LEN 60 > -- > 2.26.2 >
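
Review bot: in the struct rtw89_fw_info hunk (core.h), firmware stays declared as const void * even though the driver now owns the buffer and fills it through a (void *) cast in rtw89_load_firmware_cb(). Since the purpose of the copy is to have data the driver may modify, declare the member as a non-const pointer (for example u8 *firmware) so the cast is not needed and later writers do not have to cast const away again.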
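
Review bot: in the rtw89_load_firmware_cb() hunk, none of the visible lines assigns fw->firmware_size, yet the rtw89_mfw_recognize() hunk now takes mfw_len from fw_info->firmware_size; add fw->firmware_size = firmware->size; before release_firmware(firmware). The vmalloc() failure path also falls through to complete_all() with fw->firmware left NULL and nothing logged, while rtw89_mfw_recognize() as shown casts the pointer to a header without a NULL check, so report the allocation failure here or make the consumers check for NULL.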
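
Review bot: in the rtw89_unload_firmware() hunk, the if (fw->firmware) guard around vfree() is unnecessary because vfree(NULL) is a no-op; call vfree(fw->firmware) unconditionally. When clearing the pointer, reset fw->firmware_size to 0 as well so the two fields cannot disagree after unload.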