Open Source and information security mailing list archives
Message-ID: <313b36d3-e1b4-4e80-8d5d-d65981abb34b@ixit.cz>
Date: Tue, 25 Nov 2025 10:27:33 +0100
From: David Heidelberg <david@...t.cz>
To: Jeff Johnson <jjohnson@...nel.org>, Bjorn Andersson
 <andersson@...nel.org>, Konrad Dybcio <konradybcio@...nel.org>,
 Rob Herring <robh@...nel.org>, Krzysztof Kozlowski <krzk+dt@...nel.org>,
 Conor Dooley <conor+dt@...nel.org>, Joel Selvaraj <foss@...lselvaraj.com>
Cc: linux-wireless@...r.kernel.org, ath10k@...ts.infradead.org,
 linux-kernel@...r.kernel.org, linux-arm-msm@...r.kernel.org,
 devicetree@...r.kernel.org, phone-devel@...r.kernel.org,
 Dmitry Baryshkov <dmitry.baryshkov@....qualcomm.com>
Subject: Re: [PATCH 1/2] ath10k: Introduce a firmware quirk to skip host cap
 QMI requests

Sadly, this is too early in the initialization process and we get a NULL 
deref, similar to [1].

Unable to handle kernel NULL pointer dereference at virtual address 
0000000000000058
Mem abort info:
   ESR = 0x0000000096000004
   EC = 0x25: DABT (current EL), IL = 32 bits
   SET = 0, FnV = 0
   EA = 0, S1PTW = 0
   FSC = 0x04: level 0 translation fault
Data abort info:
   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=000000010f838000
[0000000000000058] pgd=0000000000000000, p4d=0000000000000000
Internal error: Oops: 0000000096000004 [#1]  SMP
Modules linked in: qrtr_smd fastrpc rpmsg_ctrl des_generic 
algif_skcipher md5 md4 algif_hash snd_soc_sdm845 snd_soc_rt5663 
snd_soc_qcom_sdw snd_soc_qcom_common snd_soc_rl6231 hci_uart 
snd_soc_core nft_reject_inet nf_reject_ipv4 btqca nf_reject_ipv6 
nft_reject btbcm snd_compress nft_ct bluetooth nf_conntrack nxp_nci_i2c 
snd_pcm nxp_nci nf_defrag_ipv6 ecdh_generic nf_defrag_ipv4 nci snd_timer 
ecc soundwire_bus nfc pwrseq_core rmi_i2c snd nf_tables qcom_camss 
venus_core qcom_spmi_haptics soundcore rmi_core leds_qcom_flash 
videobuf2_dma_sg qcom_spmi_rradc ath10k_snoc bq27xxx_battery_i2c 
videobuf2_memops v4l2_mem2mem qcom_smbx bq27xxx_battery rtc_pm8xxx 
v4l2_fwnode videobuf2_v4l2 ath10k_core videobuf2_common v4l2_async ath 
qcom_refgen_regulator qcom_stats videodev reset_qcom_pdc mac80211 mc 
camcc_sdm845 i2c_qcom_cci coresight_tmc qcom_rng coresight_stm stm_core 
coresight_replicator coresight_funnel qcom_q6v5_mss coresight cfg80211 
qrtr ipa qcom_q6v5_pas slim_qcom_ngd_ctrl rfkill qcom_pil_info qcom_wdt 
qcom_q6v5
  qcom_sysmon qcom_common qcom_glink_smem icc_bwmon uhid uinput zram 
zsmalloc fuse nfnetlink ipv6
CPU: 4 UID: 0 PID: 154 Comm: kworker/u32:7 Tainted: G        W 
6.18.0-rc5-next-20251111-sdm845-00134-gfb2106976a5c-dirty #2 PREEMPT
Tainted: [W]=WARN
Hardware name: OnePlus 6T (DT)
Workqueue: ath10k_qmi_driver_event ath10k_qmi_driver_event_work 
[ath10k_snoc]
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : ath10k_qmi_driver_event_work+0x1ec/0x440 [ath10k_snoc]
lr : ath10k_qmi_driver_event_work+0x1dc/0x440 [ath10k_snoc]
sp : ffff8000819b3cf0
x29: ffff8000819b3d40 x28: ffff00008d823c00 x27: dead000000000122
x26: 0000000000000000 x25: ffff00008fab2060 x24: dead000000000100
x23: ffff00008d823d50 x22: ffff00008d81bd28 x21: ffff00008d823d28
x20: ffff00008d823d28 x19: ffff0000901c5120 x18: ffff56858e1da000
x17: ffff56858e1da000 x16: ffffa97c6467f1b8 x15: ffffa97c6569dbd0
x14: ffffa97c655a1440 x13: 0000000000000000 x12: ffff00008a12e4a8
x11: ffff00008d823cd8 x10: ffff00008a12e480 x9 : ffffa97c640314c4
x8 : ffff00008d823cd8 x7 : 0000000000000000 x6 : ffff00008a12e6a8
x5 : fffffffffffffffe x4 : 0000000000000000 x3 : 0000000000000000
x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000
Call trace:
  ath10k_qmi_driver_event_work+0x1ec/0x440 [ath10k_snoc] (P)
  process_one_work+0x15c/0x3c0
  worker_thread+0x2d0/0x400
  kthread+0x148/0x208
  ret_from_fork+0x10/0x20
Code: 350001a0 39488380 37000de0 f9487b20 (f9402c00)
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------

If no objection is raised, I would go back to the original device-tree 
property way then (as another device in need of this quirk has also shown up).

David

[1] https://lore.kernel.org/ath10k/54ac2295-36b4-49fc-9583-a10db8d9d5d6@freebox.fr/

On 11/11/2025 13:34, David Heidelberg via B4 Relay wrote:
> From: David Heidelberg <david@...t.cz>
> 
> There are firmware versions which do not support the host capability
> QMI request. We suspect either the host cap is not implemented or
> there may be firmware-specific issues, but apparently there seems
> to be a generation of firmware that has this particular behavior.
> 
> For example, firmware build on Xiaomi Poco F1 (sdm845) phone:
> "QC_IMAGE_VERSION_STRING=WLAN.HL.2.0.c3-00257-QCAHLSWMTPLZ-1"
> 
> If we do not skip the host cap QMI request on Xiaomi Poco F1,
> then we get a QMI_ERR_MALFORMED_MSG_V01 error message in the
> ath10k_qmi_host_cap_send_sync(). But this error message is not
> fatal to the firmware nor to the ath10k driver and we can still
> bring up the WiFi services successfully if we just ignore it.
> 
> Hence introducing this firmware quirk to skip host capability
> QMI request for the firmware versions which do not support this
> feature.
> 
> Suggested-by: Dmitry Baryshkov <dmitry.baryshkov@....qualcomm.com>
> Signed-off-by: David Heidelberg <david@...t.cz>
> ---
>   drivers/net/wireless/ath/ath10k/core.c |  1 +
>   drivers/net/wireless/ath/ath10k/core.h |  3 +++
>   drivers/net/wireless/ath/ath10k/qmi.c  | 13 ++++++++++---
>   3 files changed, 14 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/net/wireless/ath/ath10k/core.c b/drivers/net/wireless/ath/ath10k/core.c
> index 7c2939cbde5f0..7602631696798 100644
> --- a/drivers/net/wireless/ath/ath10k/core.c
> +++ b/drivers/net/wireless/ath/ath10k/core.c
> @@ -773,6 +773,7 @@ static const char *const ath10k_core_fw_feature_str[] = {
>   	[ATH10K_FW_FEATURE_SINGLE_CHAN_INFO_PER_CHANNEL] = "single-chan-info-per-channel",
>   	[ATH10K_FW_FEATURE_PEER_FIXED_RATE] = "peer-fixed-rate",
>   	[ATH10K_FW_FEATURE_IRAM_RECOVERY] = "iram-recovery",
> +	[ATH10K_FW_FEATURE_NO_HOST_CAP_QMI_REQ] = "no-host-cap-qmi-req",
>   };
>   
>   static unsigned int ath10k_core_get_fw_feature_str(char *buf,
> diff --git a/drivers/net/wireless/ath/ath10k/core.h b/drivers/net/wireless/ath/ath10k/core.h
> index 73a9db302245d..b20541e4046f8 100644
> --- a/drivers/net/wireless/ath/ath10k/core.h
> +++ b/drivers/net/wireless/ath/ath10k/core.h
> @@ -838,6 +838,9 @@ enum ath10k_fw_features {
>   	/* Firmware support IRAM recovery */
>   	ATH10K_FW_FEATURE_IRAM_RECOVERY = 22,
>   
> +	/* Firmware does not support host capability QMI request */
> +	ATH10K_FW_FEATURE_NO_HOST_CAP_QMI_REQ = 23,
> +
>   	/* keep last */
>   	ATH10K_FW_FEATURE_COUNT,
>   };
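
Review bot: the comment on ATH10K_FW_FEATURE_NO_HOST_CAP_QMI_REQ should say what the flag actually works around so a reader of core.h knows when to set it; the commit message has the concrete symptom (QMI_ERR_MALFORMED_MSG_V01 returned to ath10k_qmi_host_cap_send_sync()), e.g. `/* Firmware rejects the host capability QMI request with QMI_ERR_MALFORMED_MSG_V01; skip sending it */`. As written, "does not support" could also be read as "the request must never be sent", which is stronger than what the commit message establishes (the error is non-fatal and WiFi still comes up).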
> diff --git a/drivers/net/wireless/ath/ath10k/qmi.c b/drivers/net/wireless/ath/ath10k/qmi.c
> index 8275345631a0b..5dc8ea39372c1 100644
> --- a/drivers/net/wireless/ath/ath10k/qmi.c
> +++ b/drivers/net/wireless/ath/ath10k/qmi.c
> @@ -819,9 +819,16 @@ static void ath10k_qmi_event_server_arrive(struct ath10k_qmi *qmi)
>   		return;
>   	}
>   
> -	ret = ath10k_qmi_host_cap_send_sync(qmi);
> -	if (ret)
> -		return;
> +	/*
> +	 * Skip the host capability request for the firmware versions which
> +	 * do not support this feature.
> +	 */
> +	if (!test_bit(ATH10K_FW_FEATURE_NO_HOST_CAP_QMI_REQ,
> +		      ar->running_fw->fw_file.fw_features)) {
> +		ret = ath10k_qmi_host_cap_send_sync(qmi);
> +		if (ret)
> +			return;
> +	}
>   
>   	ret = ath10k_qmi_msa_mem_info_send_sync_msg(qmi);
>   	if (ret)
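
Review bot: `ar->running_fw` is dereferenced here without a NULL check, and ath10k_qmi_event_server_arrive() runs from the ath10k_qmi_driver_event_work workqueue as soon as the QMI server appears, which can be before any firmware file has been selected and `running_fw` assigned. The oops in the reply above (NULL pointer dereference at virtual address 0x58 in ath10k_qmi_driver_event_work, x0 = 0) is consistent with exactly that: a small-offset read through a NULL struct pointer. Either guard the lookup (`if (ar->running_fw && !test_bit(...))` still leaves the request sent on the early path, which may not be what is wanted) or take the quirk from a source that is populated before the QMI server arrives, which is what the reply proposes with the device-tree property. Minor style point: code under drivers/net/ uses the networking comment style, so the block comment should start its text on the `/*` line rather than on a separate line.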
> 

-- 
David Heidelberg