From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Tamizh chelvam <tamizhr@codeaurora.org>, Kalle Valo <kvalo@codeaurora.org>, Sasha Levin <sashal@kernel.org>, ath10k@lists.infradead.org, linux-wireless@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.9 01/64] ath10k: fix kernel panic by moving pci flush after napi_disable
Date: Fri, 8 Nov 2019 06:44:42 -0500
Message-ID: <20191108114545.15351-1-sashal@kernel.org>

From: Tamizh chelvam <tamizhr@codeaurora.org>

[ Upstream commit bd1d395070cca4f42a93e520b0597274789274a4 ]

When continuously running wifi up/down sequence, the napi poll
can be scheduled after the CE buffers being freed by ath10k_pci_flush

Steps:
  In a certain condition, during wifi down below scenario might occur.

  ath10k_stop->ath10k_hif_stop->napi_schedule->ath10k_pci_flush->napi_poll(napi_synchronize).

In the above scenario, CE buffer entries will be freed up and become NULL in
ath10k_pci_flush. And the napi_poll has been invoked after the flush process
and it will try to get the skb from the CE buffer entry and perform some action on that.
Since the CE buffer already cleaned by pci flush this action will create NULL
pointer dereference and trigger below kernel panic.

Unable to handle kernel NULL pointer dereference at virtual address 0000005c
PC is at ath10k_pci_htt_rx_cb+0x64/0x3ec [ath10k_pci]
ath10k_pci_htt_rx_cb [ath10k_pci]
ath10k_ce_per_engine_service+0x74/0xc4 [ath10k_pci]
ath10k_ce_per_engine_service [ath10k_pci]
ath10k_ce_per_engine_service_any+0x74/0x80 [ath10k_pci]
ath10k_ce_per_engine_service_any [ath10k_pci]
ath10k_pci_napi_poll+0x48/0xec [ath10k_pci]
ath10k_pci_napi_poll [ath10k_pci]
net_rx_action+0xac/0x160
net_rx_action
__do_softirq+0xdc/0x208
__do_softirq
irq_exit+0x84/0xe0
irq_exit
__handle_domain_irq+0x80/0xa0
__handle_domain_irq
gic_handle_irq+0x38/0x5c
gic_handle_irq
__irq_usr+0x44/0x60

Tested on QCA4019 and firmware version 10.4.3.2.1.1-00010

Signed-off-by: Tamizh chelvam <tamizhr@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Sasha Levin <sashal@kernel.org> --- drivers/net/wireless/ath/ath10k/ahb.c | 4 ++-- drivers/net/wireless/ath/ath10k/pci.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/net/wireless/ath/ath10k/ahb.c b/drivers/net/wireless/ath/ath10k/ahb.c index da770af830369..125b5c31b2b0a 100644 --- a/drivers/net/wireless/ath/ath10k/ahb.c +++ b/drivers/net/wireless/ath/ath10k/ahb.c @@ -658,10 +658,10 @@ static void ath10k_ahb_hif_stop(struct ath10k *ar) ath10k_ahb_irq_disable(ar); synchronize_irq(ar_ahb->irq); - ath10k_pci_flush(ar); - napi_synchronize(&ar->napi); napi_disable(&ar->napi); + + ath10k_pci_flush(ar); } static int ath10k_ahb_hif_power_up(struct ath10k *ar) diff --git a/drivers/net/wireless/ath/ath10k/pci.c b/drivers/net/wireless/ath/ath10k/pci.c index 25b8d501d437e..b7bac14d1487b 100644 --- a/drivers/net/wireless/ath/ath10k/pci.c +++ b/drivers/net/wireless/ath/ath10k/pci.c @@ -1781,9 +1781,9 @@ static void ath10k_pci_hif_stop(struct ath10k *ar) ath10k_pci_irq_disable(ar); ath10k_pci_irq_sync(ar); - ath10k_pci_flush(ar); napi_synchronize(&ar->napi); napi_disable(&ar->napi); + ath10k_pci_flush(ar); spin_lock_irqsave(&ar_pci->ps_lock, flags); WARN_ON(ar_pci->ps_wake_refcount > 0); -- 2.20.1
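Review bot: In the ahb.c hunk (ath10k_ahb_hif_stop), nothing in the code records why ath10k_pci_flush(ar) now has to be the last call, so a later cleanup could move it back above napi_disable(&ar->napi) and bring back the NULL dereference in ath10k_pci_htt_rx_cb. A short comment above the flush call, saying the CE buffers may only be freed once NAPI polling has been stopped, would protect the ordering. The hunk also adds a blank line before ath10k_pci_flush(ar) here while the pci.c hunk does not; use the same layout in both stop paths.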
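Review bot: In the pci.c hunk (ath10k_pci_hif_stop), the napi_synchronize(&ar->napi) call kept directly in front of napi_disable(&ar->napi) looks redundant, because napi_disable() itself waits for a poll in progress to finish before it returns; consider dropping it in a follow-up (the same pair appears in ahb.c) or stating why both are needed. The commit message also does not say what calls napi_schedule after ath10k_pci_irq_disable(ar) and ath10k_pci_irq_sync(ar) have run; naming that source would show whether moving the flush closes the window completely or whether ath10k_pci_htt_rx_cb should additionally tolerate an already-freed CE entry.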