From: Kalle Valo <kvalo@codeaurora.org>
To: Karthikeyan Periyasamy <periyasa@codeaurora.org>
Cc: linux-wireless@vger.kernel.org, ath10k@lists.infradead.org
Subject: Re: ath10k: Fix kernel panic while using worker (ath10k_sta_rc_update_wk)
Date: Mon, 26 Mar 2018 15:14:59 +0000 (UTC)
Message-ID: <20180326151459.7FA78603AF@smtp.codeaurora.org>
In-Reply-To: <1520854780-11823-1-git-send-email-periyasa@codeaurora.org>

Karthikeyan Periyasamy <periyasa@codeaurora.org> wrote:

> Attempting to run the worker (ath10k_sta_rc_update_wk) after the station
> object (ieee80211_sta) is deleted will trigger a kernel panic.
> 
> This problem arises in an AP + Mesh configuration, where the current node's
> AP VAP and the neighbor node's mesh VAP MAC addresses are the same. When the
> current mesh node tries to establish the mesh link with the neighbor node,
> driver peer creation for the neighbor mesh node fails due to the duplicate
> MAC address. The AP VAP is already created with the same MAC address.
> 
> It is caused by the following scenario steps.
> 
> Steps:
> 1. In the above condition, the ath10k driver sta_state callback
>    (ath10k_sta_state) fails to do the state change for a station from
>    IEEE80211_STA_NOTEXIST to IEEE80211_STA_NONE because peer creation fails.
>    The sta_state callback is called from ieee80211_add_station() to handle
>    the new station (neighbor mesh node) request from the wpa_supplicant.
> 2. Concurrently, ath10k receives the sta_rc_update callback notification from
>    mesh_neighbour_update() to handle the beacon frames of the above
>    neighbor mesh node. Since it is an atomic callback, the ath10k driver
>    queues the work (ath10k_sta_rc_update_wk) to handle the rc update.
> 3. Because the driver sta_state callback fails (step 1), mac80211 frees the
>    station object.
> 4. When the worker (ath10k_sta_rc_update_wk) is scheduled to run, it will
>    access the station object, which is already deleted, so it will trigger
>    a kernel panic.
> 
> Added a peer-exists check in the sta_rc_update callback before queuing the work.
> 
> Kernel Panic log:
> 
> Unable to handle kernel NULL pointer dereference at virtual address 00000000
> pgd = c0204000
> [00000000] *pgd=00000000
> Internal error: Oops: 17 [#1] PREEMPT SMP ARM
> CPU: 1 PID: 1833 Comm: kworker/u4:2 Not tainted 3.14.77 #1
> task: dcef0000 ti: d72b6000 task.ti: d72b6000
> PC is at pwq_activate_delayed_work+0x10/0x40
> LR is at pwq_activate_delayed_work+0xc/0x40
> pc : [<c023f988>]    lr : [<c023f984>]    psr: 40000193
> sp : d72b7f18  ip : 0000007a  fp : d72b6000
> r10: 00000000  r9 : dd404414  r8 : d8c31998
> r7 : d72b6038  r6 : 00000004  r5 : d4907ec8  r4 : dcee1300
> r3 : ffffffe0  r2 : 00000000  r1 : 00000001  r0 : 00000000
> Flags: nZcv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment kernel
> Control: 10c5787d  Table: 595bc06a  DAC: 00000015
> ...
> Process kworker/u4:2 (pid: 1833, stack limit = 0xd72b6238)
> Stack: (0xd72b7f18 to 0xd72b8000)
> [<c023f988>] (pwq_activate_delayed_work) from [<c02410dc>] (pwq_dec_nr_in_flight+0x58/0xc4)
> [<c02410dc>] (pwq_dec_nr_in_flight) from [<c0242790>] (worker_thread+0x228/0x360)
> [<c0242790>] (worker_thread) from [<c02474dc>] (kthread+0xd8/0xec)
> [<c02474dc>] (kthread) from [<c0208d20>] (ret_from_fork+0x14/0x34)
> Code: e92d4038 e1a05000 ebffffbc[69210.619376] SMP: failed to stop secondary CPUs
> Rebooting in 3 seconds..
> 
> Signed-off-by: Karthikeyan Periyasamy <periyasa@codeaurora.org>
> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>

Patch applied to ath-next branch of ath.git, thanks.

8b2d93dd2261 ath10k: Fix kernel panic while using worker (ath10k_sta_rc_update_wk)

-- 
https://patchwork.kernel.org/patch/10276043/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
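
The race described in the quoted commit message, replayed as an added userspace C model; it is not part of the original message and is not ath10k code. The peer table, the function names, the constructed MAC value and the lookup by (vdev, MAC) are assumptions made for illustration.

```c
/* Userspace model with constructed data; names are hypothetical, not ath10k's. */
#include <stdbool.h>
#include <string.h>
#define MAX_PEERS 8
struct peer { int vdev_id; unsigned char mac[6]; };
static struct peer peers[MAX_PEERS];  /* driver peer table */
static int n_peers, queued_work;      /* peers in table; rc-update work pending */

/* Find a peer by (vdev, MAC); a real driver would hold its data lock here. */
static bool peer_find(int vdev_id, const unsigned char *mac)
{
    for (int i = 0; i < n_peers; i++)
        if (peers[i].vdev_id == vdev_id && memcmp(peers[i].mac, mac, 6) == 0)
            return true;
    return false;
}

/* Peer creation fails when the MAC is already in use on any vdev. */
static int peer_create(int vdev_id, const unsigned char *mac)
{
    for (int i = 0; i < n_peers; i++)
        if (memcmp(peers[i].mac, mac, 6) == 0)
            return -1;                /* duplicate MAC */
    if (n_peers == MAX_PEERS)
        return -1;                    /* table full */
    peers[n_peers].vdev_id = vdev_id;
    memcpy(peers[n_peers++].mac, mac, 6);
    return 0;
}

/* Atomic callback: queue deferred work only for a station that has a peer. */
static bool sta_rc_update(int vdev_id, const unsigned char *mac, bool guarded)
{
    if (guarded && !peer_find(vdev_id, mac))
        return false;                 /* station add failed or is in flight */
    queued_work++;                    /* stands in for queuing the worker */
    return true;
}

/* Steps 1-4: returns work items left pointing at the freed station. */
int dangling_work_after_failed_add(bool guarded)
{
    static const unsigned char mac[6] = {0x02, 0, 0, 0, 0, 0x01}; /* constructed */
    n_peers = queued_work = 0;
    peer_create(0, mac);                       /* AP VAP already owns the MAC */
    int add_failed = peer_create(1, mac) != 0; /* step 1: mesh station add */
    sta_rc_update(1, mac, guarded);            /* step 2: beacon-driven update */
    return add_failed ? queued_work : 0;       /* step 3: station freed */
}
```

Without the guard one work item outlives the station it refers to; with the guard nothing is queued for the station whose add failed, while a station with its own peer entry still gets its rate-control work.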