Date: Fri, 05 Nov 2021 08:21:44 +0100
From: Takashi Iwai
To: Ping-Ke Shih
Cc: Kalle Valo, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, Larry Finger
Subject: Re: [PATCH] rtw89: Fix crash by loading compressed firmware file
In-Reply-To: <20211105071725.31539-1-tiwai@suse.de>
References: <20211105071725.31539-1-tiwai@suse.de>
X-Mailing-List: linux-wireless@vger.kernel.org

On Fri, 05 Nov 2021 08:17:25 +0100,
Takashi Iwai wrote:
>
> When a firmware is loaded in the compressed format or via user-mode
> helper, it's mapped in read-only, and the rtw89 driver crashes at
> rtw89_fw_download() when it tries to modify some data.
>
> This patch is an attempt to avoid the crash by re-allocating the data
> via vmalloc() for the data modification.

Alternatively, we may drop the code that modifies the loaded firmware
data?  At least SET_FW_HDR_PART_SIZE() in rtw89_fw_hdr_parser() looks
like it is writing it, and I have no idea why this overwrite is needed.

thanks,

Takashi

>
> Buglink: https://bugzilla.opensuse.org/show_bug.cgi?id=1188303
> Signed-off-by: Takashi Iwai
>
> --- > drivers/net/wireless/realtek/rtw89/core.h | 3 ++- > drivers/net/wireless/realtek/rtw89/fw.c | 15 ++++++++++----- > 2 files changed, 12 insertions(+), 6 deletions(-) > > diff --git a/drivers/net/wireless/realtek/rtw89/core.h b/drivers/net/wireless/realtek/rtw89/core.h > index c2885e4dd882..048855e05697 100644 > --- a/drivers/net/wireless/realtek/rtw89/core.h > +++ b/drivers/net/wireless/realtek/rtw89/core.h
> @@ -2309,7 +2309,8 @@ struct rtw89_fw_suit { > RTW89_FW_VER_CODE((s)->major_ver, (s)->minor_ver, (s)->sub_ver, (s)->sub_idex) > > struct rtw89_fw_info { > - const struct firmware *firmware; > + const void *firmware; > + size_t firmware_size; > struct rtw89_dev *rtwdev; > struct completion completion; > u8 h2c_seq; > diff --git a/drivers/net/wireless/realtek/rtw89/fw.c b/drivers/net/wireless/realtek/rtw89/fw.c > index 212aaf577d3c..b59fecaeea25 100644 > --- a/drivers/net/wireless/realtek/rtw89/fw.c > +++ b/drivers/net/wireless/realtek/rtw89/fw.c > @@ -124,8 +124,8 @@ int rtw89_mfw_recognize(struct rtw89_dev *rtwdev, enum rtw89_fw_type type, > struct rtw89_fw_suit *fw_suit) > { > struct rtw89_fw_info *fw_info = &rtwdev->fw; > - const u8 *mfw = fw_info->firmware->data; > - u32 mfw_len = fw_info->firmware->size; > + const u8 *mfw = fw_info->firmware; > + u32 mfw_len = fw_info->firmware_size; > const struct rtw89_mfw_hdr *mfw_hdr = (const struct rtw89_mfw_hdr *)mfw; > const struct rtw89_mfw_info *mfw_info; > int i; > @@ -489,7 +489,10 @@ static void rtw89_load_firmware_cb(const struct firmware *firmware, void *contex > return; > } > > - fw->firmware = firmware; > + fw->firmware = vmalloc(firmware->size); > + if (fw->firmware) > + memcpy((void *)fw->firmware, firmware->data, firmware->size); > + release_firmware(firmware); > complete_all(&fw->completion); > } > > @@ -518,8 +521,10 @@ void rtw89_unload_firmware(struct rtw89_dev *rtwdev) > > rtw89_wait_firmware_completion(rtwdev); > > - if (fw->firmware) > - release_firmware(fw->firmware); > + if (fw->firmware) { > + vfree(fw->firmware); > + fw->firmware = NULL; > + } > } > > #define H2C_CAM_LEN 60 > -- > 2.26.2 >
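Review bot: In the core.h hunk, the new firmware field of struct rtw89_fw_info is declared const void *, but this buffer exists precisely so the driver can modify it, and the const already has to be cast away for the memcpy() in rtw89_load_firmware_cb(). Declare it as a non-const pointer (for example u8 *firmware;) so that cast disappears and the code that writes to the data does not need one either.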
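Review bot: In the rtw89_load_firmware_cb() hunk, fw->firmware_size is never assigned, so rtw89_mfw_recognize() takes mfw_len from a field this patch adds but does not fill in; set fw->firmware_size = firmware->size together with the copy. The vmalloc() failure path also needs handling: as written it leaves fw->firmware NULL, reports nothing, and still calls complete_all(), while rtw89_mfw_recognize() uses that pointer as mfw with no check in the lines shown. Log the allocation failure and make sure waiters see it as a failed load.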
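Review bot: In the rtw89_unload_firmware() hunk, the if (fw->firmware) guard is unnecessary because vfree(NULL) is a no-op, and fw->firmware_size should be cleared together with the pointer so the two fields cannot disagree after unload. The body can be reduced to vfree(fw->firmware); fw->firmware = NULL; fw->firmware_size = 0;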