GrapheneOS / linux-hardened

Minimal supplement to upstream Kernel Self Protection Project changes. Features already provided by SELinux + Yama and archs other than multiarch arm64 / x86_64 aren't in scope. Only tags have stable history. Shared IRC channel with KSPP: irc.freenode.net ##linux-hardened. Currently maintained at https://github.com/anthraxx/linux-hardened.
https://grapheneos.org/

detected buffer overflow in strlen #72

Closed Bernhard40 closed 6 years ago

Bernhard40 commented 6 years ago

It happens early after boot with CONFIG_FORTIFY_SOURCE_STRICT_STRING=y. Kernel 4.15.2

kernel: detected buffer overflow in strlen
kernel: ------------[ cut here ]------------
kernel: kernel BUG at lib/string.c:1052!
kernel: invalid opcode: 0000 [#1] SMP PTI
kernel: Modules linked in: xt_mark xt_owner ipt_REJECT nf_reject_ipv4 nf_log_ipv4 nf_log_common xt_LOG xt_tcpudp arc4 xt_conntrack iwlmvm iptable_mangle mac80211 iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack libcrc32c crc32c_generic iwlwifi iptable_filter snd_soc_skl nls_iso8859_1 hid_sensor_accel_3d nls_cp437 hid_sensor_rotation hid_sensor_gyro_3d snd_soc_core vfat hid_sensor_als fat hid_sensor_magn_3d hid_sensor_trigger hid_sensor_iio_common industrialio_triggered_buffer kfifo_buf snd_hda_codec_hdmi industrialio cfg80211 snd_hda_codec_conexant snd_hda_codec_generic snd_soc_skl_ipc snd_soc_sst_ipc rtsx_pci_ms snd_soc_sst_dsp mei_wdt snd_hda_ext_core snd_soc_acpi hid_sensor_hub memstick intel_ishtp_hid joydev wmi_bmof intel_wmi_thunderbolt intel_rapl x86_pkg_temp_thermal
kernel:  intel_powerclamp kvm_intel kvm irqbypass intel_cstate intel_uncore psmouse intel_rapl_perf mousedev snd_pcsp snd_hda_intel cdc_mbim cdc_wdm snd_hda_codec cdc_ncm qcserial snd_hwdep usb_wwan wacom snd_hda_core usbnet input_leds snd_pcm usbserial i2c_i801 mii snd_timer mei_me mei shpchp intel_pch_thermal thinkpad_acpi intel_ish_ipc intel_ishtp nvram ucsi_acpi typec_ucsi snd typec wmi tpm_crb soundcore led_class rfkill ac battery rtc_cmos tpm_tis i2c_hid tpm_tis_core tpm evdev mac_hid loop coretemp msr tun ip_tables x_tables ext4 crc16 mbcache jbd2 fscrypto algif_skcipher af_alg hid_logitech_hidpp hid_logitech_dj hid_generic usbhid hid dm_crypt dm_mod crct10dif_pclmul crc32_pclmul rtsx_pci_sdmmc crc32c_intel ghash_clmulni_intel pcbc mmc_core serio_raw atkbd libps2 aesni_intel aes_x86_64
kernel:  crypto_simd cryptd glue_helper rtsx_pci xhci_pci i8042 serio xhci_hcd usbcore usb_common i915 intel_gtt i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm agpgart
kernel: CPU: 3 PID: 29 Comm: kworker/3:0 Tainted: G     U           4.15.2 #1
kernel: Workqueue: events reg_todo [cfg80211]
kernel: RIP: 0010:fortify_panic+0x13/0x23
kernel: RSP: 0000:ffffa2b540163d68 EFLAGS: 00010282
kernel: RAX: 0000000000000022 RBX: ffffffffc0e461d8 RCX: 0000000000000000
kernel: RDX: 0000000000000000 RSI: ffff8977a15956d8 RDI: ffff8977a15956d8
kernel: RBP: ffff8977738fa024 R08: 0000000000000354 R09: 0000000000000004
kernel: R10: 0000000000001008 R11: 0000000000000030 R12: ffffa2b540163dc0
kernel: R13: ffffa2b540163ddc R14: 0000000000000000 R15: 0000000000000025
kernel: FS:  0000000000000000(0000) GS:ffff8977a1580000(0000) knlGS:0000000000000000
kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
kernel: CR2: 000007598d9b4c88 CR3: 0000000206008001 CR4: 00000000003606e0
kernel: DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
kernel: DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
kernel: Call Trace:
kernel:  nl80211_common_reg_change_event+0x23e/0x250 [cfg80211]
kernel:  reg_process_self_managed_hints+0x14b/0x1b0 [cfg80211]
kernel:  ? reg_todo+0x260/0x2a0 [cfg80211]
kernel:  reg_todo+0x260/0x2a0 [cfg80211]
kernel:  process_one_work+0x193/0x3b0
kernel:  worker_thread+0x31/0x3a0
kernel:  ? process_one_work+0x3b0/0x3b0
kernel:  kthread+0x113/0x130
kernel:  ? kthread_create_on_node+0x90/0x90
kernel:  ret_from_fork+0x35/0x40
kernel: Code: 48 89 c2 e8 f3 71 00 00 c6 04 2b 00 4c 89 e8 5b 5d 41 5c 41 5d c3 0f 0b 53 48 89 fb 48 89 de 48 c7 c7 a8 81 e7 a1 e8 32 82 a0 ff <0f> 0b 90 90 90 90 90 90 90 90 90 90 90 90 90 90 55 48 89 fd 53 
kernel: RIP: fortify_panic+0x13/0x23 RSP: ffffa2b540163d68
kernel: ---[ end trace eff1928b12b9769a ]---

thestinger commented 6 years ago

FWIW, you probably only want to enable CONFIG_FORTIFY_SOURCE=y without that for production use right now rather than for finding bugs.

Bernhard40 commented 6 years ago

Yes, I know that. My goal was exactly to find some bugs and I was successful. :smile: I don't know however what to do next with that. Is that useful for you?

thestinger commented 6 years ago

Can you try with CONFIG_DEBUG_INFO=y so there are line numbers?

Bernhard40 commented 6 years ago

I tried with CONFIG_DEBUG_INFO=y and CONFIG_CFG80211_DEBUGFS=y but the results were similar:

kernel: detected buffer overflow in strlen
kernel: ------------[ cut here ]------------
kernel: kernel BUG at lib/string.c:1052!
kernel: invalid opcode: 0000 [#1] SMP PTI
kernel: Modules linked in: ccm arc4 iwlmvm mac80211 snd_soc_skl snd_soc_core iwlwifi intel_rapl x86_pkg_temp_thermal intel_powerclamp kvm_intel snd_soc_skl_ipc kvm snd_soc_sst_ipc hid_sensor_accel_3d hid_sensor_magn_3d hid_sensor_rotation snd_soc_sst_dsp hid_sensor_als cdc_mbim qcserial hid_sensor_gyro_3d hid_sensor_trigger cdc_wdm snd_hda_ext_core usb_wwan hid_sensor_iio_common cdc_ncm industrialio_triggered_buffer joydev kfifo_buf usbserial snd_hda_codec_hdmi industrialio cfg80211 usbnet snd_soc_acpi wacom snd_hda_codec_conexant snd_hda_codec_generic xt_mark mii xt_owner mousedev snd_hda_intel ipt_REJECT nf_reject_ipv4 nf_log_ipv4 nf_log_common hid_sensor_hub xt_LOG snd_hda_codec xt_tcpudp mei_wdt intel_ishtp_hid xt_conntrack snd_hwdep snd_hda_core iptable_mangle snd_pcm iptable_nat nf_conntrack_ipv4
kernel:  nf_defrag_ipv4 wmi_bmof intel_wmi_thunderbolt nf_nat_ipv4 nf_nat irqbypass nf_conntrack psmouse intel_cstate intel_uncore snd_timer libcrc32c crc32c_generic iptable_filter mei_me nls_iso8859_1 mei nls_cp437 intel_rapl_perf vfat tpm_crb fat tpm_tis intel_ish_ipc rtsx_pci_ms tpm_tis_core thinkpad_acpi memstick nvram snd input_leds tpm ucsi_acpi intel_ishtp shpchp typec_ucsi i2c_i801 intel_pch_thermal typec soundcore led_class wmi rfkill rtc_cmos i2c_hid evdev battery ac mac_hid loop coretemp msr tun ip_tables x_tables ext4 crc16 mbcache jbd2 fscrypto algif_skcipher af_alg hid_logitech_hidpp hid_logitech_dj hid_generic usbhid hid dm_crypt dm_mod rtsx_pci_sdmmc crct10dif_pclmul crc32_pclmul mmc_core crc32c_intel ghash_clmulni_intel pcbc serio_raw atkbd libps2 aesni_intel aes_x86_64 crypto_simd
kernel:  cryptd rtsx_pci glue_helper xhci_pci i8042 serio xhci_hcd usbcore usb_common i915 intel_gtt i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm agpgart
kernel: CPU: 3 PID: 568 Comm: kworker/3:2 Not tainted 4.15.2 #1
kernel: Workqueue: events reg_todo [cfg80211]
kernel: RIP: 0010:fortify_panic+0x13/0x23
kernel: RSP: 0018:ffffb4e9c06d3d68 EFLAGS: 00010282
kernel: RAX: 0000000000000022 RBX: ffffffffc0ae31d8 RCX: 0000000000000000
kernel: RDX: 0000000000000000 RSI: ffff9aac615956d8 RDI: ffff9aac615956d8
kernel: RBP: ffff9aac46c9302c R08: 000000000000035d R09: 0000000000000004
kernel: R10: 0000000000006030 R11: 0000000000000030 R12: ffffb4e9c06d3dc0
kernel: R13: ffffb4e9c06d3ddc R14: 0000000000000000 R15: 0000000000000025
kernel: FS:  0000000000000000(0000) GS:ffff9aac61580000(0000) knlGS:0000000000000000
kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
kernel: CR2: 0000679374104000 CR3: 0000000062008003 CR4: 00000000003606e0
kernel: DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
kernel: DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
kernel: Call Trace:
kernel:  nl80211_common_reg_change_event+0x23e/0x250 [cfg80211]
kernel:  reg_process_self_managed_hints+0x14b/0x1b0 [cfg80211]
kernel:  ? reg_todo+0x260/0x2a0 [cfg80211]
kernel:  reg_todo+0x260/0x2a0 [cfg80211]
kernel:  process_one_work+0x193/0x3b0
kernel:  worker_thread+0x31/0x3a0
kernel:  ? process_one_work+0x3b0/0x3b0
kernel:  kthread+0x113/0x130
kernel:  ? kthread_create_on_node+0x90/0x90
kernel:  ret_from_fork+0x35/0x40
kernel: Code: 48 89 c2 e8 e3 71 00 00 c6 04 2b 00 4c 89 e8 5b 5d 41 5c 41 5d c3 0f 0b 53 48 89 fb 48 89 de 48 c7 c7 e8 88 e7 87 e8 d2 7e a0 ff <0f> 0b 90 90 90 90 90 90 90 90 90 90 90 90 90 90 55 48 89 fd 53 
kernel: RIP: fortify_panic+0x13/0x23 RSP: ffffb4e9c06d3d68
kernel: ---[ end trace d7823b7c4dda1c42 ]---

As for additional info I have CONFIG_IPV6=n.

If that leads us nowhere, feel free to ignore this. Sorry for bothering.

thestinger commented 6 years ago

You might be able to get useful debug info with addr2line / gdb. I won't have time to work on this in the near future unfortunately.

thestinger commented 6 years ago

It could be this bit:

    /* net/wireless/nl80211.c, nl80211_common_reg_change_event():
     * request->alpha2 is a two-byte country code, passed as a string */
    if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
                   NL80211_REGDOM_TYPE_COUNTRY) ||
        nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
                       request->alpha2))
        goto nla_put_failure;

Bernhard40 commented 6 years ago

Yeah, I was thinking that this can be related to regdb, which I don't have installed. I have the following info in logs:

platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
cfg80211: failed to load regulatory.db

Bernhard40 commented 6 years ago

Installing crda makes this error worse, as it crashes boot:

kernel: platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
kernel: detected buffer overflow in strlen
kernel: ------------[ cut here ]------------
kernel: kernel BUG at lib/string.c:1052!
kernel: invalid opcode: 0000 [#1] SMP PTI
kernel: Modules linked in: snd_hda_ext_core qcserial(+) cdc_wdm usb_wwan snd_hda_codec_hdmi cfg80211 snd_hda_codec_conexant snd_hda_codec_generic cdc_ncm snd_soc_acpi joydev xt_mark mousedev xt_owner snd_hda_intel intel_rapl hid_sensor_rotation usbserial hid_sensor_magn_3d ipt_REJECT x86_pkg_temp_thermal hid_sensor_gyro_3d nf_reject_ipv4 usbnet nf_log_ipv4 hid_sensor_als hid_sensor_accel_3d nf_log_common intel_powerclamp hid_sensor_trigger wacom mii xt_LOG hid_sensor_iio_common industrialio_triggered_buffer xt_tcpudp snd_hda_codec kfifo_buf kvm_intel industrialio xt_conntrack hid_sensor_hub iptable_mangle kvm intel_ishtp_hid iptable_nat snd_hwdep snd_hda_core nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack snd_pcm psmouse mei_wdt libcrc32c crc32c_generic wmi_bmof iptable_filter
kernel:  intel_wmi_thunderbolt nls_iso8859_1 nls_cp437 vfat intel_ish_ipc fat snd_timer irqbypass intel_cstate thinkpad_acpi intel_uncore mei_me nvram snd rtsx_pci_ms mei intel_ishtp memstick shpchp intel_rapl_perf input_leds i2c_i801 intel_pch_thermal wmi soundcore tpm_crb led_class rfkill tpm_tis battery tpm_tis_core ac tpm rtc_cmos i2c_hid loop evdev coretemp mac_hid msr tun fuse ip_tables x_tables ext4 crc16 mbcache jbd2 fscrypto algif_skcipher af_alg hid_logitech_hidpp hid_logitech_dj hid_generic usbhid hid dm_crypt dm_mod crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel rtsx_pci_sdmmc pcbc mmc_core serio_raw atkbd libps2 aesni_intel aes_x86_64 crypto_simd cryptd rtsx_pci glue_helper xhci_pci i8042 serio xhci_hcd usbcore usb_common i915 intel_gtt i2c_algo_bit drm_kms_helper
kernel:  syscopyarea sysfillrect sysimgblt fb_sys_fops drm agpgart
kernel: CPU: 2 PID: 989 Comm: crda Not tainted 4.15.2 #1
kernel: RIP: 0010:fortify_panic+0x13/0x23
kernel: RSP: 0000:ffffa5be0072b9b8 EFLAGS: 00010286
kernel: RAX: 0000000000000022 RBX: ffffffffc0bdc1d8 RCX: 0000000000000000
kernel: RDX: 0000000000000000 RSI: ffff8ec7215156d8 RDI: ffff8ec7215156d8
kernel: RBP: ffff8ec716750014 R08: 0000000000000333 R09: 0000000000000000
kernel: R10: 0000000000001008 R11: ffff8ec717861faf R12: ffff8ec714d9d750
kernel: R13: ffff8ec714d9d76c R14: 0000000000000000 R15: ffff8ec71634297c
kernel: FS:  00006cd727cb5740(0000) GS:ffff8ec721500000(0000) knlGS:0000000000000000
kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
kernel: CR2: 00000affca69d008 CR3: 00000002144b8001 CR4: 00000000003606e0
kernel: DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
kernel: DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
kernel: Call Trace:
kernel:  nl80211_common_reg_change_event+0x23e/0x250 [cfg80211]
kernel:  set_regdom+0x25e/0x5c0 [cfg80211]
kernel:  nl80211_set_reg+0x282/0x2b0 [cfg80211]
kernel:  genl_family_rcv_msg+0x33c/0x400
kernel:  genl_rcv_msg+0x47/0x90
kernel:  ? genl_family_rcv_msg+0x400/0x400
kernel:  netlink_rcv_skb+0x77/0x140
kernel:  genl_rcv+0x24/0x40
kernel:  netlink_unicast+0x1b1/0x230
kernel:  netlink_sendmsg+0x377/0x3c0
kernel:  sock_sendmsg+0x39/0x50
kernel:  ___sys_sendmsg+0x2c2/0x320
kernel:  ? __sys_sendmsg+0x6c/0xb0
kernel:  __sys_sendmsg+0x6c/0xb0
kernel:  do_syscall_64+0x75/0x180
kernel:  entry_SYSCALL_64_after_hwframe+0x21/0x86
kernel: RIP: 0033:0x6cd7271f2097
kernel: RSP: 002b:00007fc08053f158 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
kernel: RAX: ffffffffffffffda RBX: 00000000086c45f0 RCX: 00006cd7271f2097
kernel: RDX: 0000000000000000 RSI: 00007fc08053f190 RDI: 0000000000000000
kernel: RBP: 00000000086c9240 R08: 0000000000000000 R09: 00006cd7274ad200
kernel: R10: 0000000000000059 R11: 0000000000000246 R12: 00000000086c4500
kernel: R13: 00007fc08053f190 R14: 00000000086c4460 R15: 00000000086c98c0
kernel: Code: 48 89 c2 e8 e3 71 00 00 c6 04 2b 00 4c 89 e8 5b 5d 41 5c 41 5d c3 0f 0b 53 48 89 fb 48 89 de 48 c7 c7 e8 88 e7 8a e8 d2 7e a0 ff <0f> 0b 90 90 90 90 90 90 90 90 90 90 90 90 90 90 55 48 89 fd 53 
kernel: RIP: fortify_panic+0x13/0x23 RSP: ffffa5be0072b9b8
kernel: ---[ end trace a71e1b62a5a662d3 ]---

I tried it on 4.16rc1 with CONFIG_CFG80211_CRDA_SUPPORT=n but it still breaks:

kernel: platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
kernel: detected buffer overflow in strlen
kernel: ------------[ cut here ]------------
kernel: kernel BUG at lib/string.c:1052!
kernel: invalid opcode: 0000 [#1] SMP PTI
kernel: Modules linked in: arc4 xt_mark xt_owner qcserial cdc_mbim ipt_REJECT cdc_wdm nf_reject_ipv4 cdc_ncm usb_wwan usbnet nf_log_ipv4 wacom usbserial nf_log_common mii xt_LOG iwlmvm xt_tcpudp xt_conntrack mac80211 iptable_mangle iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack libcrc32c crc32c_generic iptable_filter iwlwifi nls_iso8859_1 nls_cp437 snd_soc_skl vfat fat snd_soc_acpi cfg80211 hid_sensor_als hid_sensor_accel_3d snd_soc_core hid_sensor_gyro_3d hid_sensor_rotation hid_sensor_magn_3d hid_sensor_trigger snd_hda_codec_hdmi hid_sensor_iio_common industrialio_triggered_buffer kfifo_buf industrialio snd_hda_codec_conexant snd_hda_codec_generic snd_soc_skl_ipc snd_soc_sst_ipc snd_soc_sst_dsp snd_hda_ext_core mei_wdt hid_sensor_hub intel_ishtp_hid joydev mousedev
kernel:  wmi_bmof intel_wmi_thunderbolt intel_rapl x86_pkg_temp_thermal intel_powerclamp kvm_intel kvm irqbypass intel_cstate intel_uncore snd_hda_intel snd_hda_codec snd_hwdep psmouse snd_hda_core input_leds mei_me intel_rapl_perf snd_pcm mei intel_pch_thermal snd_timer thinkpad_acpi i2c_i801 shpchp intel_ish_ipc intel_ishtp wmi ac battery nvram snd tpm_crb soundcore led_class rfkill rtc_cmos i2c_hid tpm_tis tpm_tis_core tpm evdev mac_hid loop coretemp msr tun fuse ip_tables x_tables ext4 crc16 mbcache jbd2 fscrypto algif_skcipher af_alg hid_logitech_hidpp hid_logitech_dj hid_generic usbhid hid dm_crypt dm_mod crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel serio_raw pcbc atkbd libps2 aesni_intel aes_x86_64 crypto_simd cryptd glue_helper xhci_pci i8042 serio xhci_hcd usbcore usb_common
kernel:  i915 intel_gtt i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm agpgart
kernel: CPU: 0 PID: 563 Comm: kworker/0:3 Not tainted 4.16.0 #2
kernel: Workqueue: events reg_todo [cfg80211]
kernel: RIP: 0010:fortify_panic+0x13/0x1a
kernel: RSP: 0018:ffffb4750042fd68 EFLAGS: 00010282
kernel: RAX: 0000000000000022 RBX: ffffffffc0c85f98 RCX: 0000000000000000
kernel: RDX: 0000000000000000 RSI: ffff8b2f214156d8 RDI: ffff8b2f214156d8
kernel: RBP: ffff8b2ef0468014 R08: 0000000000000350 R09: 0000000000000004
kernel: R10: 0000000000005028 R11: 0000000000000030 R12: ffffb4750042fdc0
kernel: R13: ffffb4750042fddc R14: 0000000000000000 R15: 0000000000000025
kernel: FS:  0000000000000000(0000) GS:ffff8b2f21400000(0000) knlGS:0000000000000000
kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
kernel: CR2: 000006fca1936828 CR3: 00000000b8008003 CR4: 00000000003606f0
kernel: DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
kernel: DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
kernel: Call Trace:
kernel:  nl80211_common_reg_change_event+0x23e/0x250 [cfg80211]
kernel:  reg_process_self_managed_hints+0x14b/0x1b0 [cfg80211]
kernel:  ? reg_todo+0x260/0x2b0 [cfg80211]
kernel:  reg_todo+0x260/0x2b0 [cfg80211]
kernel:  process_one_work+0x193/0x3a0
kernel:  worker_thread+0x2e/0x390
kernel:  ? process_one_work+0x3a0/0x3a0
kernel:  kthread+0x113/0x130
kernel:  ? kthread_create_on_node+0x90/0x90
kernel:  ret_from_fork+0x35/0x40
kernel: Code: 49 39 ec 76 e1 31 c0 5b 5d 41 5c 41 5d c3 48 89 d8 5b 5d 41 5c 41 5d c3 53 48 89 fb 48 89 de 48 c7 c7 90 1f e5 95 e8 d9 8a 9f ff <0f> 0b 90 90 90 90 90 55 48 89 fd 53 48 89 f3 48 89 ea 31 c9 48 
kernel: RIP: fortify_panic+0x13/0x1a RSP: ffffb4750042fd68
kernel: ---[ end trace e6cd075f36da39d1 ]---

I don't see an option to disable regulatory database firmware loading to test whether this bug disappears.

kees commented 6 years ago

    struct regulatory_request { ... char alpha2[2]; ...

    static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = { ... [NL80211_ATTR_REG_ALPHA2] = { .type = NLA_STRING, .len = 2 }, ...

AIUI, only NLA_NUL_STRING has a trailing NULL byte. Working with NLA_STRING needs nla_strlcpy() to "extract" them.

However: /**

It looks like nla_put_string() must have NULL-terminated strings...
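
As an added illustration (not code from the kernel, linux-hardened or this issue), here is a user-space model of the FORTIFY_SOURCE strlen() check from the trace, applied to a struct with the two-byte alpha2 field kees quotes. The struct, the helper names and the use of sizeof alpha2 as the size the strict check knows are this example's own assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
/* Field layout kees quotes above: two bytes, no room for a terminator. */
struct regulatory_request_model {
    char alpha2[2];            /* e.g. 'U','S': exactly two letters */
    int user_reg_hint_type;    /* more members follow in the real struct */
};
static bool fortify_tripped;   /* set where the kernel would fortify_panic() */

/* Model of the fortified strlen(): p_size is the object size the compiler
 * knows for p. No NUL within p_size bytes means a plain strlen() would read
 * past the object; the kernel panics, this model records it and returns 0. */
static size_t fortified_strlen(const char *p, size_t p_size)
{
    const char *nul = memchr(p, '\0', p_size);
    size_t ret = nul ? (size_t)(nul - p) : p_size;
    if (p_size <= ret) {
        fortify_tripped = true;
        return 0;
    }
    return ret;
}

/* Model of nla_put_string(): length comes from strlen(), so the value must be
 * NUL-terminated. Returns bytes emitted (including the NUL), 0 on failure. */
static size_t put_string_model(const char *s, size_t s_size, char *out, size_t out_size)
{
    size_t n = fortified_strlen(s, s_size);
    if (fortify_tripped || n + 1 > out_size)
        return 0;
    memcpy(out, s, n + 1);
    return n + 1;
}

/* The situation in the trace: the raw field is handed to the string putter.
 * sizeof req.alpha2 == 2 stands in for the size the strict check knows. */
bool alpha2_trips_fortify(void)
{
    struct regulatory_request_model req = { { 'U', 'S' }, 0 };
    char buf[8];
    fortify_tripped = false;
    put_string_model(req.alpha2, sizeof req.alpha2, buf, sizeof buf);
    return fortify_tripped;    /* true: two bytes scanned, no NUL found */
}

/* Copying the code into a terminated buffer first keeps the same putter
 * safe: returns 3 (two letters plus NUL) and trips nothing. */
size_t alpha2_via_terminated_copy(void)
{
    struct regulatory_request_model req = { { 'U', 'S' }, 0 };
    char cc[3] = { req.alpha2[0], req.alpha2[1], '\0' };
    char buf[8];
    fortify_tripped = false;
    return put_string_model(cc, sizeof cc, buf, sizeof buf);
}
```

The model only records the overflow that the kernel turns into the "detected buffer overflow in strlen" BUG; the attribute length would otherwise be read from bytes past the field.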

Bernhard40 commented 6 years ago

I installed a new version of wireless-regdb, and now the firmware is correctly loaded by the kernel and this bug doesn't trigger. It triggers when the firmware isn't available, as described above.

Bernhard40 commented 6 years ago

This issue doesn't occur anymore on 4.16-rc3. Probably fixed with https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=657308f73e674e86b60509a430a46e569bf02846