From: Sven Eckelmann <sven@narfation.org>
To: ath11k@lists.infradead.org, Wen Gong <quic_wgong@quicinc.com>
Cc: linux-wireless@vger.kernel.org
Subject: Re: [PATCH] ath11k: enable IEEE80211_HW_SINGLE_SCAN_ON_ALL_BANDS for WCN6855
Date: Mon, 06 Dec 2021 21:03:02 +0100 [thread overview]
Message-ID: <7286726.fyvdfvlfLW@ripper> (raw)
In-Reply-To: <71ee85b5-8d8c-c6e5-20a2-d225800de2ba@quicinc.com>
[-- Attachment #1.1.1: Type: text/plain, Size: 13345 bytes --]
On Monday, 6 December 2021 08:10:40 CET Wen Gong wrote:
> > On Monday, 6 December 2021 04:29:39 CET Wen Gong wrote:
> > [...]
> >> I did test in my setup, not see the crash.
> >>
> >> I am afraid you also need this patch("ath11k: change to use dynamic
> >> memory for channel list of scan",
> >>
> >> https://patchwork.kernel.org/project/linux-wireless/patch/20211129110939.15711-1-quic_wgong@quicinc.com
> >> )
> >>
> >> Could you apply this patch and try again?
> > Tried it and I see the same problem.
> Could you tell what is your test steps?
Start kernel with commit a93789ae541c ("ath11k: Avoid NULL ptr
access during mgmt tx cleanup") + patches:
* ath11k: enable IEEE80211_HW_SINGLE_SCAN_ON_ALL_BANDS for WCN6855
* ath11k: change to use dynamic memory for channel list of scan
You can find the config in the first mail. But I have now enabled KASAN inline
to hopefully create some better error messages.
The firmware + board data (see mail "ath11k: incorrect board_id retrieval")
was prepared like this:
git clone https://github.com/kvalo/ath11k-firmware /root/ath11k-firmware
mkdir -p /lib/firmware/ath11k/WCN6855/hw2.0/
cp /root/ath11k-firmware/WCN6855/hw2.0/*.bin /lib/firmware/ath11k/WCN6855/hw2.0/
cp /root/ath11k-firmware/WCN6855/hw2.0/1.1/WLAN.HSP.1.1-02892.1-QCAHSPSWPL_V1_V2_SILICONZ_LITE-1/*.bin /lib/firmware/ath11k/WCN6855/hw2.0/
git clone https://github.com/qca/qca-swiss-army-knife /root/qca-swiss-army-knife
apt install python2
python2 /root/qca-swiss-army-knife/tools/scripts/ath11k/ath11k-bdencoder -e /lib/firmware/ath11k/WCN6855/hw2.0/board-2.bin
rm /lib/firmware/ath11k/WCN6855/hw2.0/board-2.bin
cp 'bus=pci,vendor=17cb,device=1103,subsystem-vendor=17cb,subsystem-device=3374,qmi-chip-id=2,qmi-board-id=266.bin' /lib/firmware/ath11k/WCN6855/hw2.0/board.bin
Then I am just starting up the device as usual, and start wpa_supplicant (with
defconfig + CONFIG_MESH=y) from commit 14ab4a816c68 ("Reject
ap_vendor_elements if its length is odd")
cat << "EOF" > station_test.cfg
network={
ssid="MyTestAP"
key_mgmt=WPA-PSK FT-PSK
proto=RSN
psk="testtest"
}
EOF
ip link set up dev wlp6s0
~/hostap/wpa_supplicant/wpa_supplicant -D nl80211 -i wlp6s0 -c station_test.cfg
The actual SSID + PSK is valid and multiple access points (4) have this BSS on
2.4GHz + 5GHz.
So you are basically always calling dev_kfree_skb_any in ath11k_ce_tx_process_cb
because wcn6855 hw2.0 has credit_flow set. But it seems like one of the
entries returned by ath11k_ce_completed_send_next is bogus and causes these
problems during the ath11k_ce_tx_process_cb. And for some reason, this is
triggered here by this firmware feature.
./scripts/faddr2line --list vmlinux consume_skb+0x9f/0x1c0
consume_skb+0x9f/0x1c0:
__kfree_skb at net/core/skbuff.c:757
752 */
753
754 void __kfree_skb(struct sk_buff *skb)
755 {
756 skb_release_all(skb);
>757< kfree_skbmem(skb);
758 }
759 EXPORT_SYMBOL(__kfree_skb);
760
761 /**
762 * kfree_skb - free an sk_buff
(inlined by) consume_skb at net/core/skbuff.c:912
907 {
908 if (!skb_unref(skb))
909 return;
910
911 trace_consume_skb(skb);
>912< __kfree_skb(skb);
913 }
914 EXPORT_SYMBOL(consume_skb);
915 #endif
916
917 /**
(inlined by) consume_skb at net/core/skbuff.c:906
901 *
902 * Drop a ref to the buffer and free it if the usage count has hit zero
903 * Functions identically to kfree_skb, but kfree_skb assumes that the frame
904 * is being dropped after a failure and notes that
905 */
>906< void consume_skb(struct sk_buff *skb)
907 {
908 if (!skb_unref(skb))
909 return;
910
911 trace_consume_skb(skb);
./scripts/faddr2line --list vmlinux skb_release_data+0x1b0/0x5c0
skb_release_data+0x1b0/0x5c0:
skb_zcopy_clear at include/linux/skbuff.h:1549
1544 {
1545 struct ubuf_info *uarg = skb_zcopy(skb);
1546
1547 if (uarg) {
1548 if (!skb_zcopy_is_nouarg(skb))
>1549< uarg->callback(skb, uarg, zerocopy_success);
1550
1551 skb_shinfo(skb)->flags &= ~SKBFL_ALL_ZEROCOPY;
1552 }
1553 }
1554
(inlined by) skb_release_data at net/core/skbuff.c:669
664 if (skb->cloned &&
665 atomic_sub_return(skb->nohdr ? (1 << SKB_DATAREF_SHIFT) + 1 : 1,
666 &shinfo->dataref))
667 goto exit;
668
>669< skb_zcopy_clear(skb, true);
670
671 for (i = 0; i < shinfo->nr_frags; i++)
672 __skb_frag_unref(&shinfo->frags[i], skb->pp_recycle);
673
674 if (shinfo->frag_list)
But I didn't like the inlined code. So I've changed the compilation flags
slightly:
diff --git a/net/core/Makefile b/net/core/Makefile
index 6bdcb2cafed8..5eda226c5f27 100644
--- a/net/core/Makefile
+++ b/net/core/Makefile
@@ -37,3 +37,4 @@ obj-$(CONFIG_NET_SOCK_MSG) += skmsg.o
obj-$(CONFIG_BPF_SYSCALL) += sock_map.o
obj-$(CONFIG_BPF_SYSCALL) += bpf_sk_storage.o
obj-$(CONFIG_OF) += of_net.o
+ccflags-y += -fno-inline -O1 -fno-optimize-sibling-calls
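Review bot: `ccflags-y += -fno-inline -O1 -fno-optimize-sibling-calls` changes code generation for every object built from net/core/Makefile, not just skbuff.o, and -O1 replaces the -O2/-Os the kernel is normally built with, so this hunk is strictly a local debugging aid and must not end up in a submitted patch. If the goal is only to get a readable trace out of skbuff.o, `CFLAGS_skbuff.o += -fno-inline -O1 -fno-optimize-sibling-calls` limits the blast radius to the one file; note also that skb_zcopy_clear is a header inline, so callers outside net/core still get the inlined copy and their traces will look like the first one in this mail.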
Now the stacktrace is a lot more readable. And the returned
crash location makes a lot more sense:
./scripts/faddr2line --list vmlinux 'skb_zcopy_clear+0x34/0x8f'
skb_zcopy_clear+0x34/0x8f:
skb_zcopy_clear at include/linux/skbuff.h:1549
1544 {
1545 struct ubuf_info *uarg = skb_zcopy(skb);
1546
1547 if (uarg) {
1548 if (!skb_zcopy_is_nouarg(skb))
>1549< uarg->callback(skb, uarg, zerocopy_success);
1550
1551 skb_shinfo(skb)->flags &= ~SKBFL_ALL_ZEROCOPY;
1552 }
1553 }
1554
Or with the assembler:
(gdb) disassemble /m *(skb_zcopy_clear+0x34/0x8f)
Dump of assembler code for function skb_zcopy_clear:
1544 {
0x000000000000072a <+0>: push %r12
0x000000000000072c <+2>: push %rbp
0x000000000000072d <+3>: push %rbx
0x000000000000072e <+4>: mov %rdi,%rbx
0x0000000000000731 <+7>: mov %esi,%r12d
1545 struct ubuf_info *uarg = skb_zcopy(skb);
0x0000000000000734 <+10>: call 0x5d3 <skb_zcopy>
1546
1547 if (uarg) {
0x0000000000000739 <+15>: test %rax,%rax
0x000000000000073c <+18>: je 0x7a0 <skb_zcopy_clear+118>
0x000000000000073e <+20>: mov %rax,%rbp
1548 if (!skb_zcopy_is_nouarg(skb))
0x0000000000000741 <+23>: mov %rbx,%rdi
0x0000000000000744 <+26>: call 0x6f6 <skb_zcopy_is_nouarg>
0x0000000000000749 <+31>: test %al,%al
0x000000000000074b <+33>: jne 0x777 <skb_zcopy_clear+77>
1549 uarg->callback(skb, uarg, zerocopy_success);
0x000000000000074d <+35>: mov %rbp,%rdx
0x0000000000000750 <+38>: shr $0x3,%rdx
0x0000000000000754 <+42>: movabs $0xdffffc0000000000,%rax
0x000000000000075e <+52>: cmpb $0x0,(%rdx,%rax,1)
0x0000000000000762 <+56>: jne 0x7a5 <skb_zcopy_clear+123>
0x0000000000000764 <+58>: movzbl %r12b,%edx
0x0000000000000768 <+62>: mov 0x0(%rbp),%rax
0x000000000000076c <+66>: mov %rbp,%rsi
0x000000000000076f <+69>: mov %rbx,%rdi
0x0000000000000772 <+72>: call 0x777 <skb_zcopy_clear+77>
0x00000000000007a5 <+123>: mov %rbp,%rdi
0x00000000000007a8 <+126>: call 0x7ad <skb_zcopy_clear+131>
0x00000000000007ad <+131>: jmp 0x764 <skb_zcopy_clear+58>
1550
1551 skb_shinfo(skb)->flags &= ~SKBFL_ALL_ZEROCOPY;
0x0000000000000777 <+77>: mov %rbx,%rdi
0x000000000000077a <+80>: call 0x518 <skb_end_pointer>
0x000000000000077f <+85>: mov %rax,%rbx
0x0000000000000782 <+88>: mov %rax,%rdx
0x0000000000000785 <+91>: shr $0x3,%rdx
0x0000000000000789 <+95>: movabs $0xdffffc0000000000,%rax
0x0000000000000793 <+105>: movzbl (%rdx,%rax,1),%eax
0x0000000000000797 <+109>: test %al,%al
0x0000000000000799 <+111>: je 0x79d <skb_zcopy_clear+115>
0x000000000000079b <+113>: jle 0x7af <skb_zcopy_clear+133>
0x000000000000079d <+115>: andb $0xf8,(%rbx)
0x00000000000007af <+133>: mov %rbx,%rdi
0x00000000000007b2 <+136>: call 0x7b7 <skb_zcopy_clear+141>
0x00000000000007b7 <+141>: jmp 0x79d <skb_zcopy_clear+115>
1552 }
1553 }
0x00000000000007a0 <+118>: pop %rbx
0x00000000000007a1 <+119>: pop %rbp
0x00000000000007a2 <+120>: pop %r12
0x00000000000007a4 <+122>: ret
End of assembler dump.
To make it even easier to read, just disable the inline KASAN and reduce the
optimization level for it:
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 059b6266dcd7..819cc58ab051 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -1540,6 +1540,8 @@ static inline void net_zcopy_put_abort(struct ubuf_info *uarg, bool have_uref)
}
/* Release a reference on a zerocopy structure */
+#pragma GCC push_options
+#pragma GCC optimize ("O0")
static inline void skb_zcopy_clear(struct sk_buff *skb, bool zerocopy_success)
{
struct ubuf_info *uarg = skb_zcopy(skb);
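Review bot: `#pragma GCC optimize ("O0")` is a GCC-only pragma (clang does not honour it) and GCC documents the optimize attribute/pragma as a debugging aid that is not suitable for production code; wrapped around a `static inline` in include/linux/skbuff.h it applies in every translation unit that includes the header and uses skb_zcopy_clear, each of which gets its own out-of-line -O0 copy. That is exactly what produces the stack-slot loads and the `call <skb_zcopy>` in the -O0 disassembly below, so it is fine for this reproducer, but the pragma pair has to be dropped before anything from this tree is sent out.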
@@ -1551,6 +1553,7 @@ static inline void skb_zcopy_clear(struct sk_buff *skb, bool zerocopy_success)
skb_shinfo(skb)->flags &= ~SKBFL_ALL_ZEROCOPY;
}
}
+#pragma GCC pop_options
static inline void skb_mark_not_on_list(struct sk_buff *skb)
{
This creates this nice, unoptimized function which crashes at +63:
$ gdb net/core/skbuff.o -q
Reading symbols from net/core/skbuff.o...
(gdb) disassemble /m *(skb_zcopy_clear+0x3f/0x70)
Dump of assembler code for function skb_zcopy_clear:
1546 {
0x0000000000000000 <+0>: push %rbp
0x0000000000000001 <+1>: mov %rsp,%rbp
0x0000000000000004 <+4>: sub $0x18,%rsp
0x0000000000000008 <+8>: mov %rdi,-0x10(%rbp)
0x000000000000000c <+12>: mov %esi,%eax
0x000000000000000e <+14>: mov %al,-0x14(%rbp)
1547 struct ubuf_info *uarg = skb_zcopy(skb);
0x0000000000000011 <+17>: mov -0x10(%rbp),%rax
0x0000000000000015 <+21>: mov %rax,%rdi
0x0000000000000018 <+24>: call 0x29e <skb_zcopy>
0x000000000000001d <+29>: mov %rax,-0x8(%rbp)
1548
1549 if (uarg) {
0x0000000000000021 <+33>: cmpq $0x0,-0x8(%rbp)
0x0000000000000026 <+38>: je 0x6d <skb_zcopy_clear+109>
1550 if (!skb_zcopy_is_nouarg(skb))
0x0000000000000028 <+40>: mov -0x10(%rbp),%rax
0x000000000000002c <+44>: mov %rax,%rdi
0x000000000000002f <+47>: call 0x2df <skb_zcopy_is_nouarg>
0x0000000000000034 <+52>: xor $0x1,%eax
0x0000000000000037 <+55>: test %al,%al
0x0000000000000039 <+57>: je 0x59 <skb_zcopy_clear+89>
1551 uarg->callback(skb, uarg, zerocopy_success);
0x000000000000003b <+59>: mov -0x8(%rbp),%rax
0x000000000000003f <+63>: mov (%rax),%r8
0x0000000000000042 <+66>: movzbl -0x14(%rbp),%edx
0x0000000000000046 <+70>: mov -0x8(%rbp),%rcx
0x000000000000004a <+74>: mov -0x10(%rbp),%rax
0x000000000000004e <+78>: mov %rcx,%rsi
0x0000000000000051 <+81>: mov %rax,%rdi
0x0000000000000054 <+84>: call 0x59 <skb_zcopy_clear+89>
1552
1553 skb_shinfo(skb)->flags &= ~SKBFL_ALL_ZEROCOPY;
0x0000000000000059 <+89>: mov -0x10(%rbp),%rax
0x000000000000005d <+93>: mov %rax,%rdi
0x0000000000000060 <+96>: call 0x27f <skb_end_pointer>
0x0000000000000065 <+101>: movzbl (%rax),%edx
0x0000000000000068 <+104>: and $0xfffffff8,%edx
0x000000000000006b <+107>: mov %dl,(%rax)
1554 }
1555 }
0x000000000000006d <+109>: nop
0x000000000000006e <+110>: leave
0x000000000000006f <+111>: ret
End of assembler dump.
The question now: what is causing the unclean state of the skb, so that it
does not get rejected by skb_zcopy_is_nouarg before the uarg callback is
tried?
Kind regards,
Sven
[-- Attachment #1.1.2: screenlog.0.zip --]
[-- Type: application/zip, Size: 20103 bytes --]
[-- Attachment #1.1.3: station_connect_crash_decoded.txt --]
[-- Type: text/plain, Size: 9293 bytes --]
general protection fault, probably for non-canonical address 0xe0080c4200016463: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: maybe wild-memory-access in range [0x00408210000b2318-0x00408210000b231f]
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.16.0-rc1+ #3
Hardware name: PC Engines APU/APU, BIOS 4.0 09/08/2014
RIP: 0010:skb_release_data (./include/linux/skbuff.h:1549 net/core/skbuff.c:669)
Code: 00 00 48 8b 75 28 48 85 f6 0f 84 d2 00 00 00 40 f6 c6 01 0f 85 a3 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 f2 48 c1 ea 03 <80> 3c 02 00 0f 85 d3 03 00 00 48 8b 06 ba 01 00 00 00 48 89 df 0f
All code
========
0: 00 00 add %al,(%rax)
2: 48 8b 75 28 mov 0x28(%rbp),%rsi
6: 48 85 f6 test %rsi,%rsi
9: 0f 84 d2 00 00 00 je 0xe1
f: 40 f6 c6 01 test $0x1,%sil
13: 0f 85 a3 00 00 00 jne 0xbc
19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
20: fc ff df
23: 48 89 f2 mov %rsi,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
2a:* 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
2e: 0f 85 d3 03 00 00 jne 0x407
34: 48 8b 06 mov (%rsi),%rax
37: ba 01 00 00 00 mov $0x1,%edx
3c: 48 89 df mov %rbx,%rdi
3f: 0f .byte 0xf
Code starting with the faulting instruction
===========================================
0: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
4: 0f 85 d3 03 00 00 jne 0x3dd
a: 48 8b 06 mov (%rsi),%rax
d: ba 01 00 00 00 mov $0x1,%edx
12: 48 89 df mov %rbx,%rdi
15: 0f .byte 0xf
RSP: 0018:ffff8880c7c09c50 EFLAGS: 00010216
RAX: dffffc0000000000 RBX: ffff888004c6bdc0 RCX: 1ffff1100076945d
RDX: 0008104200016463 RSI: 00408210000b231a RDI: ffff888003b4a2e8
RBP: ffff888003b4a2c0 R08: 0000000000000000 R09: ffff888004c6be97
R10: ffffed100098d7d2 R11: 0000000000000001 R12: ffff888003b4a2c0
R13: ffff888004c6be7c R14: ffff88800c641e58 R15: ffff888004c6be80
FS: 0000000000000000(0000) GS:ffff8880c7c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055d3a95f6778 CR3: 0000000017c20000 CR4: 00000000000006f0
Call Trace:
<IRQ>
? _raw_write_lock_irq (kernel/locking/spinlock.c:177)
consume_skb (net/core/skbuff.c:757 net/core/skbuff.c:912 net/core/skbuff.c:906)
ath11k_ce_tx_process_cb (drivers/net/wireless/ath/ath11k/ce.c:515) ath11k
? __local_bh_enable_ip (./arch/x86/include/asm/preempt.h:103 kernel/softirq.c:390)
? ath11k_ce_alloc_pipes (drivers/net/wireless/ath/ath11k/ce.c:500) ath11k
? ath11k_hal_srng_access_end (drivers/net/wireless/ath/ath11k/hal.c:849) ath11k
ath11k_ce_per_engine_service (drivers/net/wireless/ath/ath11k/ce.c:694) ath11k
? _raw_spin_lock_irqsave (./arch/x86/include/asm/atomic.h:202 ./include/linux/atomic/atomic-instrumented.h:513 ./include/asm-generic/qspinlock.h:82 ./include/linux/spinlock.h:185 ./include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162)
? __lock_text_start (kernel/locking/spinlock.c:161)
? ath11k_ce_tx_process_cb (drivers/net/wireless/ath/ath11k/ce.c:689) ath11k
? __wake_up_bit (kernel/sched/wait_bit.c:192)
? __irq_put_desc_unlock (kernel/irq/irqdesc.c:819)
ath11k_pci_ce_tasklet (drivers/net/wireless/ath/ath11k/pci.c:637) ath11k_pci
? tasklet_clear_sched (kernel/softirq.c:752)
tasklet_action_common.constprop.0 (kernel/softirq.c:783)
__do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:212 ./include/trace/events/irq.h:142 kernel/softirq.c:559)
__irq_exit_rcu (kernel/softirq.c:432 kernel/softirq.c:636)
common_interrupt (arch/x86/kernel/irq.c:240 (discriminator 14))
</IRQ>
<TASK>
asm_common_interrupt (./arch/x86/include/asm/idtentry.h:629)
RIP: 0010:cpuidle_enter_state (drivers/cpuidle/cpuidle.c:259)
Code: ff e8 8e 95 db fe 80 3c 24 00 74 17 9c 58 0f 1f 44 00 00 f6 c4 02 0f 85 8e 06 00 00 31 ff e8 a1 b9 ef fe fb 66 0f 1f 44 00 00 <45> 85 ed 0f 88 52 03 00 00 4d 63 e5 4b 8d 04 64 49 8d 04 84 48 8d
All code
========
0: ff (bad)
1: e8 8e 95 db fe callq 0xfffffffffedb9594
6: 80 3c 24 00 cmpb $0x0,(%rsp)
a: 74 17 je 0x23
c: 9c pushfq
d: 58 pop %rax
e: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
13: f6 c4 02 test $0x2,%ah
16: 0f 85 8e 06 00 00 jne 0x6aa
1c: 31 ff xor %edi,%edi
1e: e8 a1 b9 ef fe callq 0xfffffffffeefb9c4
23: fb sti
24: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
2a:* 45 85 ed test %r13d,%r13d <-- trapping instruction
2d: 0f 88 52 03 00 00 js 0x385
33: 4d 63 e5 movslq %r13d,%r12
36: 4b 8d 04 64 lea (%r12,%r12,2),%rax
3a: 49 8d 04 84 lea (%r12,%rax,4),%rax
3e: 48 rex.W
3f: 8d .byte 0x8d
Code starting with the faulting instruction
===========================================
0: 45 85 ed test %r13d,%r13d
3: 0f 88 52 03 00 00 js 0x35b
9: 4d 63 e5 movslq %r13d,%r12
c: 4b 8d 04 64 lea (%r12,%r12,2),%rax
10: 49 8d 04 84 lea (%r12,%rax,4),%rax
14: 48 rex.W
15: 8d .byte 0x8d
RSP: 0018:ffffffff89a07de0 EFLAGS: 00000246
RAX: dffffc0000000000 RBX: ffff888003b44000 RCX: 1ffffffff129775c
RDX: 1ffff11018f88331 RSI: ffffffff89031b00 RDI: ffff8880c7c41988
RBP: ffffffff89ee0d20 R08: 0000000000000002 R09: ffff8880c7c41c2b
R10: ffffed1018f88385 R11: 0000000000000001 R12: 0000000000000002
R13: 0000000000000002 R14: 00000024aa5bda97 R15: ffffffff89ee0e08
? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/preempt.h:103 ./include/linux/spinlock_api_smp.h:152 kernel/locking/spinlock.c:194)
? tick_nohz_idle_stop_tick (./include/linux/hrtimer.h:419 kernel/time/tick-sched.c:920 kernel/time/tick-sched.c:1062 kernel/time/tick-sched.c:1083)
cpuidle_enter (drivers/cpuidle/cpuidle.c:353)
do_idle (kernel/sched/idle.c:158 kernel/sched/idle.c:239 kernel/sched/idle.c:306)
? arch_cpu_idle_exit+0x40/0x40
cpu_startup_entry (kernel/sched/idle.c:402 (discriminator 1))
start_kernel (init/main.c:1137)
secondary_startup_64_no_verify (arch/x86/kernel/head_64.S:283)
</TASK>
Modules linked in: qrtr_mhi qrtr ath11k_pci mhi ath11k qmi_helpers mac80211 kvm_amd btusb btrtl ccp btbcm rng_core btintel libarc4 evdev leds_apu bluetooth kvm snd_pcm snd_timer jitterentropy_rng cfg80211 snd sha512_ssse3 sha512_generic sg soundcore irqbypass ctr pcspkr drbg ansi_cprng k10temp ecdh_generic rfkill ecc sp5100_tco watchdog acpi_cpufreq button drm fuse configfs ip_tables x_tables autofs4 ext4 crc32c_generic crc16 mbcache jbd2 sd_mod t10_pi crc_t10dif crct10dif_generic crct10dif_common uas usb_storage ohci_pci ahci libahci ohci_hcd ehci_pci ehci_hcd libata r8169 realtek mdio_devres usbcore scsi_mod i2c_piix4 usb_common scsi_common libphy
---[ end trace dc622588d92d6988 ]---
RIP: 0010:skb_release_data (./include/linux/skbuff.h:1549 net/core/skbuff.c:669)
Code: 00 00 48 8b 75 28 48 85 f6 0f 84 d2 00 00 00 40 f6 c6 01 0f 85 a3 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 f2 48 c1 ea 03 <80> 3c 02 00 0f 85 d3 03 00 00 48 8b 06 ba 01 00 00 00 48 89 df 0f
All code
========
0: 00 00 add %al,(%rax)
2: 48 8b 75 28 mov 0x28(%rbp),%rsi
6: 48 85 f6 test %rsi,%rsi
9: 0f 84 d2 00 00 00 je 0xe1
f: 40 f6 c6 01 test $0x1,%sil
13: 0f 85 a3 00 00 00 jne 0xbc
19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
20: fc ff df
23: 48 89 f2 mov %rsi,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
2a:* 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
2e: 0f 85 d3 03 00 00 jne 0x407
34: 48 8b 06 mov (%rsi),%rax
37: ba 01 00 00 00 mov $0x1,%edx
3c: 48 89 df mov %rbx,%rdi
3f: 0f .byte 0xf
Code starting with the faulting instruction
===========================================
0: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
4: 0f 85 d3 03 00 00 jne 0x3dd
a: 48 8b 06 mov (%rsi),%rax
d: ba 01 00 00 00 mov $0x1,%edx
12: 48 89 df mov %rbx,%rdi
15: 0f .byte 0xf
RSP: 0018:ffff8880c7c09c50 EFLAGS: 00010216
RAX: dffffc0000000000 RBX: ffff888004c6bdc0 RCX: 1ffff1100076945d
RDX: 0008104200016463 RSI: 00408210000b231a RDI: ffff888003b4a2e8
RBP: ffff888003b4a2c0 R08: 0000000000000000 R09: ffff888004c6be97
R10: ffffed100098d7d2 R11: 0000000000000001 R12: ffff888003b4a2c0
R13: ffff888004c6be7c R14: ffff88800c641e58 R15: ffff888004c6be80
FS: 0000000000000000(0000) GS:ffff8880c7c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055d3a95f6778 CR3: 0000000017c20000 CR4: 00000000000006f0
Kernel panic - not syncing: Fatal exception in interrupt
Kernel Offset: 0x5c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
[-- Attachment #1.1.4: station_connect_crash2_decoded.txt --]
[-- Type: text/plain, Size: 9902 bytes --]
general protection fault, probably for non-canonical address 0xe0080c4200016463: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: maybe wild-memory-access in range [0x00408210000b2318-0x00408210000b231f]
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.16.0-rc1+ #1
Hardware name: PC Engines APU/APU, BIOS 4.0 09/08/2014
RIP: 0010:skb_zcopy_clear (./include/linux/skbuff.h:1549)
Code: e8 9a fe ff ff 48 85 c0 74 62 48 89 c5 48 89 df e8 ad ff ff ff 84 c0 75 2a 48 89 ea 48 c1 ea 03 48 b8 00 00 00 00 00 fc ff df <80> 3c 02 00 75 41 41 0f b6 d4 48 8b 45 00 48 89 ee 48 89 df 0f ae
All code
========
0: e8 9a fe ff ff callq 0xfffffffffffffe9f
5: 48 85 c0 test %rax,%rax
8: 74 62 je 0x6c
a: 48 89 c5 mov %rax,%rbp
d: 48 89 df mov %rbx,%rdi
10: e8 ad ff ff ff callq 0xffffffffffffffc2
15: 84 c0 test %al,%al
17: 75 2a jne 0x43
19: 48 89 ea mov %rbp,%rdx
1c: 48 c1 ea 03 shr $0x3,%rdx
20: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
27: fc ff df
2a:* 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
2e: 75 41 jne 0x71
30: 41 0f b6 d4 movzbl %r12b,%edx
34: 48 8b 45 00 mov 0x0(%rbp),%rax
38: 48 89 ee mov %rbp,%rsi
3b: 48 89 df mov %rbx,%rdi
3e: 0f .byte 0xf
3f: ae scas %es:(%rdi),%al
Code starting with the faulting instruction
===========================================
0: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
4: 75 41 jne 0x47
6: 41 0f b6 d4 movzbl %r12b,%edx
a: 48 8b 45 00 mov 0x0(%rbp),%rax
e: 48 89 ee mov %rbp,%rsi
11: 48 89 df mov %rbx,%rdi
14: 0f .byte 0xf
15: ae scas %es:(%rdi),%al
RSP: 0018:ffff8880c3a09c30 EFLAGS: 00010216
RAX: dffffc0000000000 RBX: ffff88800c233b40 RCX: ffffffff9fce961b
RDX: 0008104200016463 RSI: 0000000000000001 RDI: ffff888015edeae8
RBP: 00408210000b231a R08: 0000000000000000 R09: ffff88800c233c17
R10: ffffed1001846782 R11: 0000000000000001 R12: 0000000000000001
R13: ffff88800c233bbe R14: ffff88800b701e58 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8880c3a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fdccf1c75c0 CR3: 00000000063a4000 CR4: 00000000000006f0
Call Trace:
<IRQ>
skb_release_data (net/core/skbuff.c:671)
skb_release_all (net/core/skbuff.c:743)
__kfree_skb (net/core/skbuff.c:757)
consume_skb (net/core/skbuff.c:912)
__dev_kfree_skb_any (net/core/dev.c:3038)
ath11k_ce_tx_process_cb (drivers/net/wireless/ath/ath11k/ce.c:515) ath11k
? __local_bh_enable_ip (./arch/x86/include/asm/preempt.h:103 kernel/softirq.c:390)
? ath11k_ce_alloc_pipes (drivers/net/wireless/ath/ath11k/ce.c:500) ath11k
? ath11k_hal_srng_access_end (drivers/net/wireless/ath/ath11k/hal.c:849) ath11k
ath11k_ce_per_engine_service (drivers/net/wireless/ath/ath11k/ce.c:694) ath11k
? _raw_spin_lock_irqsave (./arch/x86/include/asm/atomic.h:202 ./include/linux/atomic/atomic-instrumented.h:513 ./include/asm-generic/qspinlock.h:82 ./include/linux/spinlock.h:185 ./include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162)
? __lock_text_start (kernel/locking/spinlock.c:161)
? ath11k_ce_tx_process_cb (drivers/net/wireless/ath/ath11k/ce.c:689) ath11k
? __wake_up_bit (kernel/sched/wait_bit.c:192)
? __irq_put_desc_unlock (kernel/irq/irqdesc.c:819)
ath11k_pci_ce_tasklet (drivers/net/wireless/ath/ath11k/pci.c:637) ath11k_pci
? tasklet_clear_sched (kernel/softirq.c:752)
tasklet_action_common.constprop.0 (kernel/softirq.c:783)
__do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:212 ./include/trace/events/irq.h:142 kernel/softirq.c:559)
__irq_exit_rcu (kernel/softirq.c:432 kernel/softirq.c:636)
common_interrupt (arch/x86/kernel/irq.c:240 (discriminator 14))
</IRQ>
<TASK>
asm_common_interrupt (./arch/x86/include/asm/idtentry.h:629)
RIP: 0010:cpuidle_enter_state (drivers/cpuidle/cpuidle.c:259)
Code: ff e8 8e 95 db fe 80 3c 24 00 74 17 9c 58 0f 1f 44 00 00 f6 c4 02 0f 85 8e 06 00 00 31 ff e8 a1 b9 ef fe fb 66 0f 1f 44 00 00 <45> 85 ed 0f 88 52 03 00 00 4d 63 e5 4b 8d 04 64 49 8d 04 84 48 8d
All code
========
0: ff (bad)
1: e8 8e 95 db fe callq 0xfffffffffedb9594
6: 80 3c 24 00 cmpb $0x0,(%rsp)
a: 74 17 je 0x23
c: 9c pushfq
d: 58 pop %rax
e: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
13: f6 c4 02 test $0x2,%ah
16: 0f 85 8e 06 00 00 jne 0x6aa
1c: 31 ff xor %edi,%edi
1e: e8 a1 b9 ef fe callq 0xfffffffffeefb9c4
23: fb sti
24: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
2a:* 45 85 ed test %r13d,%r13d <-- trapping instruction
2d: 0f 88 52 03 00 00 js 0x385
33: 4d 63 e5 movslq %r13d,%r12
36: 4b 8d 04 64 lea (%r12,%r12,2),%rax
3a: 49 8d 04 84 lea (%r12,%rax,4),%rax
3e: 48 rex.W
3f: 8d .byte 0x8d
Code starting with the faulting instruction
===========================================
0: 45 85 ed test %r13d,%r13d
3: 0f 88 52 03 00 00 js 0x35b
9: 4d 63 e5 movslq %r13d,%r12
c: 4b 8d 04 64 lea (%r12,%r12,2),%rax
10: 49 8d 04 84 lea (%r12,%rax,4),%rax
14: 48 rex.W
15: 8d .byte 0x8d
RSP: 0018:ffffffffa1407de0 EFLAGS: 00000246
RAX: dffffc0000000000 RBX: ffff888003b20800 RCX: 1ffffffff41d935c
RDX: 1ffff11018748331 RSI: ffffffffa0a31b00 RDI: ffff8880c3a41988
RBP: ffffffffa18e0d20 R08: 0000000000000002 R09: ffff8880c3a41c2b
R10: ffffed1018748385 R11: 0000000000000001 R12: 0000000000000002
R13: 0000000000000002 R14: 0000001dfc72dae5 R15: ffffffffa18e0e08
? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/preempt.h:103 ./include/linux/spinlock_api_smp.h:152 kernel/locking/spinlock.c:194)
? tick_nohz_idle_stop_tick (./include/linux/hrtimer.h:419 kernel/time/tick-sched.c:920 kernel/time/tick-sched.c:1062 kernel/time/tick-sched.c:1083)
cpuidle_enter (drivers/cpuidle/cpuidle.c:353)
do_idle (kernel/sched/idle.c:158 kernel/sched/idle.c:239 kernel/sched/idle.c:306)
? arch_cpu_idle_exit+0x40/0x40
cpu_startup_entry (kernel/sched/idle.c:402 (discriminator 1))
start_kernel (init/main.c:1137)
secondary_startup_64_no_verify (arch/x86/kernel/head_64.S:283)
</TASK>
Modules linked in: qrtr_mhi qrtr ath11k_pci mhi ath11k qmi_helpers mac80211 kvm_amd btusb btrtl btbcm ccp btintel libarc4 rng_core evdev bluetooth cfg80211 kvm leds_apu jitterentropy_rng sha512_ssse3 sha512_generic snd_pcm ctr sg drbg snd_timer irqbypass ansi_cprng snd ecdh_generic rfkill soundcore ecc pcspkr k10temp sp5100_tco watchdog button acpi_cpufreq drm fuse configfs ip_tables x_tables autofs4 ext4 crc32c_generic crc16 mbcache jbd2 sd_mod t10_pi crc_t10dif crct10dif_generic crct10dif_common uas usb_storage ohci_pci ahci libahci libata ehci_pci ohci_hcd r8169 ehci_hcd realtek mdio_devres scsi_mod usbcore i2c_piix4 usb_common scsi_common libphy
---[ end trace bd73d57ff2669c03 ]---
RIP: 0010:skb_zcopy_clear (./include/linux/skbuff.h:1549)
Code: e8 9a fe ff ff 48 85 c0 74 62 48 89 c5 48 89 df e8 ad ff ff ff 84 c0 75 2a 48 89 ea 48 c1 ea 03 48 b8 00 00 00 00 00 fc ff df <80> 3c 02 00 75 41 41 0f b6 d4 48 8b 45 00 48 89 ee 48 89 df 0f ae
All code
========
0: e8 9a fe ff ff callq 0xfffffffffffffe9f
5: 48 85 c0 test %rax,%rax
8: 74 62 je 0x6c
a: 48 89 c5 mov %rax,%rbp
d: 48 89 df mov %rbx,%rdi
10: e8 ad ff ff ff callq 0xffffffffffffffc2
15: 84 c0 test %al,%al
17: 75 2a jne 0x43
19: 48 89 ea mov %rbp,%rdx
1c: 48 c1 ea 03 shr $0x3,%rdx
20: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
27: fc ff df
2a:* 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
2e: 75 41 jne 0x71
30: 41 0f b6 d4 movzbl %r12b,%edx
34: 48 8b 45 00 mov 0x0(%rbp),%rax
38: 48 89 ee mov %rbp,%rsi
3b: 48 89 df mov %rbx,%rdi
3e: 0f .byte 0xf
3f: ae scas %es:(%rdi),%al
Code starting with the faulting instruction
===========================================
0: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
4: 75 41 jne 0x47
6: 41 0f b6 d4 movzbl %r12b,%edx
a: 48 8b 45 00 mov 0x0(%rbp),%rax
e: 48 89 ee mov %rbp,%rsi
11: 48 89 df mov %rbx,%rdi
14: 0f .byte 0xf
15: ae scas %es:(%rdi),%al
RSP: 0018:ffff8880c3a09c30 EFLAGS: 00010216
RAX: dffffc0000000000 RBX: ffff88800c233b40 RCX: ffffffff9fce961b
RDX: 0008104200016463 RSI: 0000000000000001 RDI: ffff888015edeae8
RBP: 00408210000b231a R08: 0000000000000000 R09: ffff88800c233c17
R10: ffffed1001846782 R11: 0000000000000001 R12: 0000000000000001
R13: ffff88800c233bbe R14: ffff88800b701e58 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8880c3a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fdccf1c75c0 CR3: 00000000063a4000 CR4: 00000000000006f0
Kernel panic - not syncing: Fatal exception in interrupt
Kernel Offset: 0x1d800000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
[-- Attachment #1.1.5: station_connect_crash2.txt --]
[-- Type: text/plain, Size: 4538 bytes --]
general protection fault, probably for non-canonical address 0xe0080c4200016463: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: maybe wild-memory-access in range [0x00408210000b2318-0x00408210000b231f]
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.16.0-rc1+ #1
Hardware name: PC Engines APU/APU, BIOS 4.0 09/08/2014
RIP: 0010:skb_zcopy_clear+0x34/0x8f
Code: e8 9a fe ff ff 48 85 c0 74 62 48 89 c5 48 89 df e8 ad ff ff ff 84 c0 75 2a 48 89 ea 48 c1 ea 03 48 b8 00 00 00 00 00 fc ff df <80> 3c 02 00 75 41 41 0f b6 d4 48 8b 45 00 48 89 ee 48 89 df 0f ae
RSP: 0018:ffff8880c3a09c30 EFLAGS: 00010216
RAX: dffffc0000000000 RBX: ffff88800c233b40 RCX: ffffffff9fce961b
RDX: 0008104200016463 RSI: 0000000000000001 RDI: ffff888015edeae8
RBP: 00408210000b231a R08: 0000000000000000 R09: ffff88800c233c17
R10: ffffed1001846782 R11: 0000000000000001 R12: 0000000000000001
R13: ffff88800c233bbe R14: ffff88800b701e58 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8880c3a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fdccf1c75c0 CR3: 00000000063a4000 CR4: 00000000000006f0
Call Trace:
<IRQ>
skb_release_data+0x91/0x1de
skb_release_all+0x3e/0x47
__kfree_skb+0xe/0x18
consume_skb+0x24/0x26
__dev_kfree_skb_any+0x2a/0x2b
ath11k_ce_tx_process_cb+0x3ef/0x8d0 [ath11k]
? __local_bh_enable_ip+0x37/0x80
? ath11k_ce_alloc_pipes+0x5c0/0x5c0 [ath11k]
? ath11k_hal_srng_access_end+0x1d7/0x5d0 [ath11k]
ath11k_ce_per_engine_service+0x96b/0xc60 [ath11k]
? _raw_spin_lock_irqsave+0x9a/0xf0
? __lock_text_start+0x8/0x8
? ath11k_ce_tx_process_cb+0x8d0/0x8d0 [ath11k]
? __wake_up_bit+0x100/0x100
? __irq_put_desc_unlock+0x18/0x90
ath11k_pci_ce_tasklet+0x64/0x100 [ath11k_pci]
? tasklet_clear_sched+0x47/0xe0
tasklet_action_common.constprop.0+0x240/0x2d0
__do_softirq+0x1b0/0x5b9
__irq_exit_rcu+0xc6/0x170
common_interrupt+0xa9/0xc0
</IRQ>
<TASK>
asm_common_interrupt+0x1e/0x40
RIP: 0010:cpuidle_enter_state+0x196/0xa60
Code: ff e8 8e 95 db fe 80 3c 24 00 74 17 9c 58 0f 1f 44 00 00 f6 c4 02 0f 85 8e 06 00 00 31 ff e8 a1 b9 ef fe fb 66 0f 1f 44 00 00 <45> 85 ed 0f 88 52 03 00 00 4d 63 e5 4b 8d 04 64 49 8d 04 84 48 8d
RSP: 0018:ffffffffa1407de0 EFLAGS: 00000246
RAX: dffffc0000000000 RBX: ffff888003b20800 RCX: 1ffffffff41d935c
RDX: 1ffff11018748331 RSI: ffffffffa0a31b00 RDI: ffff8880c3a41988
RBP: ffffffffa18e0d20 R08: 0000000000000002 R09: ffff8880c3a41c2b
R10: ffffed1018748385 R11: 0000000000000001 R12: 0000000000000002
R13: 0000000000000002 R14: 0000001dfc72dae5 R15: ffffffffa18e0e08
? _raw_spin_unlock_irqrestore+0x25/0x40
? tick_nohz_idle_stop_tick+0x599/0xa60
cpuidle_enter+0x4a/0xa0
do_idle+0x3d7/0x530
? arch_cpu_idle_exit+0x40/0x40
cpu_startup_entry+0x19/0x20
start_kernel+0x38d/0x3ab
secondary_startup_64_no_verify+0xb0/0xbb
</TASK>
Modules linked in: qrtr_mhi qrtr ath11k_pci mhi ath11k qmi_helpers mac80211 kvm_amd btusb btrtl btbcm ccp btintel libarc4 rng_core evdev bluetooth cfg80211 kvm leds_apu jitterentropy_rng sha512_ssse3 sha512_generic snd_pcm ctr sg drbg snd_timer irqbypass ansi_cprng snd ecdh_generic rfkill soundcore ecc pcspkr k10temp sp5100_tco watchdog button acpi_cpufreq drm fuse configfs ip_tables x_tables autofs4 ext4 crc32c_generic crc16 mbcache jbd2 sd_mod t10_pi crc_t10dif crct10dif_generic crct10dif_common uas usb_storage ohci_pci ahci libahci libata ehci_pci ohci_hcd r8169 ehci_hcd realtek mdio_devres scsi_mod usbcore i2c_piix4 usb_common scsi_common libphy
---[ end trace bd73d57ff2669c03 ]---
RIP: 0010:skb_zcopy_clear+0x34/0x8f
Code: e8 9a fe ff ff 48 85 c0 74 62 48 89 c5 48 89 df e8 ad ff ff ff 84 c0 75 2a 48 89 ea 48 c1 ea 03 48 b8 00 00 00 00 00 fc ff df <80> 3c 02 00 75 41 41 0f b6 d4 48 8b 45 00 48 89 ee 48 89 df 0f ae
RSP: 0018:ffff8880c3a09c30 EFLAGS: 00010216
RAX: dffffc0000000000 RBX: ffff88800c233b40 RCX: ffffffff9fce961b
RDX: 0008104200016463 RSI: 0000000000000001 RDI: ffff888015edeae8
RBP: 00408210000b231a R08: 0000000000000000 R09: ffff88800c233c17
R10: ffffed1001846782 R11: 0000000000000001 R12: 0000000000000001
R13: ffff88800c233bbe R14: ffff88800b701e58 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8880c3a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fdccf1c75c0 CR3: 00000000063a4000 CR4: 00000000000006f0
Kernel panic - not syncing: Fatal exception in interrupt
Kernel Offset: 0x1d800000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
[-- Attachment #1.1.6: station_connect_crash3.txt --]
[-- Type: text/plain, Size: 4024 bytes --]
general protection fault, probably for non-canonical address 0x408210000b231a: 0000 [#1] PREEMPT SMP NOPTI
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.16.0-rc1+ #1
Hardware name: PC Engines APU/APU, BIOS 4.0 09/08/2014
RIP: 0010:skb_zcopy_clear+0x3f/0x70
Code: 48 89 c7 e8 81 02 00 00 48 89 45 f8 48 83 7d f8 00 74 45 48 8b 45 f0 48 89 c7 e8 ab 02 00 00 83 f0 01 84 c0 74 1e 48 8b 45 f8 <4c> 8b 00 0f b6 55 ec 48 8b 4d f8 48 8b 45 f0 48 89 ce 48 89 c7 e8
RSP: 0018:ffffb58e80003de8 EFLAGS: 00010202
RAX: 00408210000b231a RBX: ffff8aa303097b00 RCX: 0000000000000000
RDX: 0000000000000102 RSI: 0000000000000001 RDI: ffff8aa303097b00
RBP: ffffb58e80003e00 R08: 0000000000000212 R09: ffffffff922d24e8
R10: 0000000000000000 R11: 00000000db69d000 R12: ffff8aa310c69ac0
R13: ffff8aa303097b00 R14: ffff8aa3062235d8 R15: 0000000000000005
FS: 0000000000000000(0000) GS:ffff8aa31ac00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055dac9d55408 CR3: 00000001090fa000 CR4: 00000000000006f0
Call Trace:
<IRQ>
skb_release_data+0x4b/0xa2
skb_release_all+0x20/0x22
__kfree_skb+0xe/0x18
consume_skb+0x24/0x26
__dev_kfree_skb_any+0x2a/0x2b
ath11k_ce_tx_process_cb+0x157/0x220 [ath11k]
ath11k_ce_per_engine_service+0x3c0/0x3d0 [ath11k]
? _raw_spin_lock_irqsave+0x26/0x50
ath11k_pci_ce_tasklet+0x1c/0x40 [ath11k_pci]
tasklet_action_common.constprop.0+0xaf/0xe0
__do_softirq+0xec/0x2e9
__irq_exit_rcu+0xbc/0x110
common_interrupt+0xb8/0xd0
</IRQ>
<TASK>
asm_common_interrupt+0x1e/0x40
RIP: 0010:cpuidle_enter_state+0xda/0x370
Code: 31 ff e8 d9 c6 9e ff 45 84 ff 74 17 9c 58 0f 1f 44 00 00 f6 c4 02 0f 85 78 02 00 00 31 ff e8 bd 97 a5 ff fb 66 0f 1f 44 00 00 <45> 85 f6 0f 88 11 01 00 00 49 63 c6 4c 2b 2c 24 48 8d 14 40 48 8d
RSP: 0018:ffffffff92203e60 EFLAGS: 00000246
RAX: ffff8aa31ac00000 RBX: 0000000000000002 RCX: 000000000000001f
RDX: 0000000000000000 RSI: ffffffff91b70667 RDI: ffffffff91b55729
RBP: ffff8aa300906c00 R08: 0000000955084e02 R09: 0000000000000018
R10: 0000000000000001 R11: 0000000000001015 R12: ffffffff923d05c0
R13: 0000000955084e02 R14: 0000000000000002 R15: 0000000000000000
cpuidle_enter+0x29/0x40
do_idle+0x200/0x2b0
cpu_startup_entry+0x19/0x20
start_kernel+0x6b7/0x6dc
secondary_startup_64_no_verify+0xb0/0xbb
</TASK>
Modules linked in: qrtr_mhi qrtr ath11k_pci mhi ath11k qmi_helpers mac80211 btusb btrtl btbcm btintel bluetooth libarc4 kvm_amd cfg80211 ccp rng_core jitterentropy_rng kvm sha512_ssse3 sha512_generic evdev ctr snd_pcm drbg sg snd_timer ansi_cprng leds_apu irqbypass ecdh_generic snd rfkill ecc soundcore pcspkr k10temp sp5100_tco watchdog button acpi_cpufreq drm fuse configfs ip_tables x_tables autofs4 ext4 crc32c_generic crc16 mbcache jbd2 sd_mod t10_pi crc_t10dif crct10dif_generic crct10dif_common uas usb_storage ohci_pci ahci libahci ohci_hcd ehci_pci ehci_hcd libata r8169 realtek mdio_devres scsi_mod usbcore i2c_piix4 usb_common scsi_common libphy
---[ end trace 23d792ef4816c4de ]---
RIP: 0010:skb_zcopy_clear+0x3f/0x70
Code: 48 89 c7 e8 81 02 00 00 48 89 45 f8 48 83 7d f8 00 74 45 48 8b 45 f0 48 89 c7 e8 ab 02 00 00 83 f0 01 84 c0 74 1e 48 8b 45 f8 <4c> 8b 00 0f b6 55 ec 48 8b 4d f8 48 8b 45 f0 48 89 ce 48 89 c7 e8
RSP: 0018:ffffb58e80003de8 EFLAGS: 00010202
RAX: 00408210000b231a RBX: ffff8aa303097b00 RCX: 0000000000000000
RDX: 0000000000000102 RSI: 0000000000000001 RDI: ffff8aa303097b00
RBP: ffffb58e80003e00 R08: 0000000000000212 R09: ffffffff922d24e8
R10: 0000000000000000 R11: 00000000db69d000 R12: ffff8aa310c69ac0
R13: ffff8aa303097b00 R14: ffff8aa3062235d8 R15: 0000000000000005
FS: 0000000000000000(0000) GS:ffff8aa31ac00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055dac9d55408 CR3: 00000001090fa000 CR4: 00000000000006f0
Kernel panic - not syncing: Fatal exception in interrupt
Kernel Offset: 0xfa00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
[-- Attachment #1.1.7: station_connect_crash3_decoded.txt --]
[-- Type: text/plain, Size: 8959 bytes --]
general protection fault, probably for non-canonical address 0x408210000b231a: 0000 [#1] PREEMPT SMP NOPTI
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.16.0-rc1+ #1
Hardware name: PC Engines APU/APU, BIOS 4.0 09/08/2014
RIP: 0010:skb_zcopy_clear (./include/linux/skbuff.h:1551)
Code: 48 89 c7 e8 81 02 00 00 48 89 45 f8 48 83 7d f8 00 74 45 48 8b 45 f0 48 89 c7 e8 ab 02 00 00 83 f0 01 84 c0 74 1e 48 8b 45 f8 <4c> 8b 00 0f b6 55 ec 48 8b 4d f8 48 8b 45 f0 48 89 ce 48 89 c7 e8
All code
========
0: 48 89 c7 mov %rax,%rdi
3: e8 81 02 00 00 callq 0x289
8: 48 89 45 f8 mov %rax,-0x8(%rbp)
c: 48 83 7d f8 00 cmpq $0x0,-0x8(%rbp)
11: 74 45 je 0x58
13: 48 8b 45 f0 mov -0x10(%rbp),%rax
17: 48 89 c7 mov %rax,%rdi
1a: e8 ab 02 00 00 callq 0x2ca
1f: 83 f0 01 xor $0x1,%eax
22: 84 c0 test %al,%al
24: 74 1e je 0x44
26: 48 8b 45 f8 mov -0x8(%rbp),%rax
2a:* 4c 8b 00 mov (%rax),%r8 <-- trapping instruction
2d: 0f b6 55 ec movzbl -0x14(%rbp),%edx
31: 48 8b 4d f8 mov -0x8(%rbp),%rcx
35: 48 8b 45 f0 mov -0x10(%rbp),%rax
39: 48 89 ce mov %rcx,%rsi
3c: 48 89 c7 mov %rax,%rdi
3f: e8 .byte 0xe8
Code starting with the faulting instruction
===========================================
0: 4c 8b 00 mov (%rax),%r8
3: 0f b6 55 ec movzbl -0x14(%rbp),%edx
7: 48 8b 4d f8 mov -0x8(%rbp),%rcx
b: 48 8b 45 f0 mov -0x10(%rbp),%rax
f: 48 89 ce mov %rcx,%rsi
12: 48 89 c7 mov %rax,%rdi
15: e8 .byte 0xe8
RSP: 0018:ffffb58e80003de8 EFLAGS: 00010202
RAX: 00408210000b231a RBX: ffff8aa303097b00 RCX: 0000000000000000
RDX: 0000000000000102 RSI: 0000000000000001 RDI: ffff8aa303097b00
RBP: ffffb58e80003e00 R08: 0000000000000212 R09: ffffffff922d24e8
R10: 0000000000000000 R11: 00000000db69d000 R12: ffff8aa310c69ac0
R13: ffff8aa303097b00 R14: ffff8aa3062235d8 R15: 0000000000000005
FS: 0000000000000000(0000) GS:ffff8aa31ac00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055dac9d55408 CR3: 00000001090fa000 CR4: 00000000000006f0
Call Trace:
<IRQ>
skb_release_data (net/core/skbuff.c:671)
skb_release_all (net/core/skbuff.c:743)
__kfree_skb (net/core/skbuff.c:757)
consume_skb (net/core/skbuff.c:912)
__dev_kfree_skb_any (net/core/dev.c:3038)
ath11k_ce_tx_process_cb (drivers/net/wireless/ath/ath11k/ce.c:515) ath11k
ath11k_ce_per_engine_service (drivers/net/wireless/ath/ath11k/ce.c:694) ath11k
? _raw_spin_lock_irqsave (./arch/x86/include/asm/atomic.h:202 ./include/linux/atomic/atomic-instrumented.h:513 ./include/asm-generic/qspinlock.h:82 ./include/linux/spinlock.h:185 ./include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162)
ath11k_pci_ce_tasklet (drivers/net/wireless/ath/ath11k/pci.c:637) ath11k_pci
tasklet_action_common.constprop.0 (./arch/x86/include/asm/bitops.h:75 ./include/asm-generic/bitops/instrumented-atomic.h:42 kernel/softirq.c:879 kernel/softirq.c:787)
__do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:212 ./include/trace/events/irq.h:142 kernel/softirq.c:559)
__irq_exit_rcu (kernel/softirq.c:432 kernel/softirq.c:636)
common_interrupt (arch/x86/kernel/irq.c:240 (discriminator 14))
</IRQ>
<TASK>
asm_common_interrupt (./arch/x86/include/asm/idtentry.h:629)
RIP: 0010:cpuidle_enter_state (drivers/cpuidle/cpuidle.c:259)
Code: 31 ff e8 d9 c6 9e ff 45 84 ff 74 17 9c 58 0f 1f 44 00 00 f6 c4 02 0f 85 78 02 00 00 31 ff e8 bd 97 a5 ff fb 66 0f 1f 44 00 00 <45> 85 f6 0f 88 11 01 00 00 49 63 c6 4c 2b 2c 24 48 8d 14 40 48 8d
All code
========
0: 31 ff xor %edi,%edi
2: e8 d9 c6 9e ff callq 0xffffffffff9ec6e0
7: 45 84 ff test %r15b,%r15b
a: 74 17 je 0x23
c: 9c pushfq
d: 58 pop %rax
e: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
13: f6 c4 02 test $0x2,%ah
16: 0f 85 78 02 00 00 jne 0x294
1c: 31 ff xor %edi,%edi
1e: e8 bd 97 a5 ff callq 0xffffffffffa597e0
23: fb sti
24: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
2a:* 45 85 f6 test %r14d,%r14d <-- trapping instruction
2d: 0f 88 11 01 00 00 js 0x144
33: 49 63 c6 movslq %r14d,%rax
36: 4c 2b 2c 24 sub (%rsp),%r13
3a: 48 8d 14 40 lea (%rax,%rax,2),%rdx
3e: 48 rex.W
3f: 8d .byte 0x8d
Code starting with the faulting instruction
===========================================
0: 45 85 f6 test %r14d,%r14d
3: 0f 88 11 01 00 00 js 0x11a
9: 49 63 c6 movslq %r14d,%rax
c: 4c 2b 2c 24 sub (%rsp),%r13
10: 48 8d 14 40 lea (%rax,%rax,2),%rdx
14: 48 rex.W
15: 8d .byte 0x8d
RSP: 0018:ffffffff92203e60 EFLAGS: 00000246
RAX: ffff8aa31ac00000 RBX: 0000000000000002 RCX: 000000000000001f
RDX: 0000000000000000 RSI: ffffffff91b70667 RDI: ffffffff91b55729
RBP: ffff8aa300906c00 R08: 0000000955084e02 R09: 0000000000000018
R10: 0000000000000001 R11: 0000000000001015 R12: ffffffff923d05c0
R13: 0000000955084e02 R14: 0000000000000002 R15: 0000000000000000
cpuidle_enter (drivers/cpuidle/cpuidle.c:353)
do_idle (kernel/sched/idle.c:158 kernel/sched/idle.c:239 kernel/sched/idle.c:306)
cpu_startup_entry (kernel/sched/idle.c:402 (discriminator 1))
start_kernel (init/main.c:1137)
secondary_startup_64_no_verify (arch/x86/kernel/head_64.S:283)
</TASK>
Modules linked in: qrtr_mhi qrtr ath11k_pci mhi ath11k qmi_helpers mac80211 btusb btrtl btbcm btintel bluetooth libarc4 kvm_amd cfg80211 ccp rng_core jitterentropy_rng kvm sha512_ssse3 sha512_generic evdev ctr snd_pcm drbg sg snd_timer ansi_cprng leds_apu irqbypass ecdh_generic snd rfkill ecc soundcore pcspkr k10temp sp5100_tco watchdog button acpi_cpufreq drm fuse configfs ip_tables x_tables autofs4 ext4 crc32c_generic crc16 mbcache jbd2 sd_mod t10_pi crc_t10dif crct10dif_generic crct10dif_common uas usb_storage ohci_pci ahci libahci ohci_hcd ehci_pci ehci_hcd libata r8169 realtek mdio_devres scsi_mod usbcore i2c_piix4 usb_common scsi_common libphy
---[ end trace 23d792ef4816c4de ]---
RIP: 0010:skb_zcopy_clear (./include/linux/skbuff.h:1551)
Code: 48 89 c7 e8 81 02 00 00 48 89 45 f8 48 83 7d f8 00 74 45 48 8b 45 f0 48 89 c7 e8 ab 02 00 00 83 f0 01 84 c0 74 1e 48 8b 45 f8 <4c> 8b 00 0f b6 55 ec 48 8b 4d f8 48 8b 45 f0 48 89 ce 48 89 c7 e8
All code
========
0: 48 89 c7 mov %rax,%rdi
3: e8 81 02 00 00 callq 0x289
8: 48 89 45 f8 mov %rax,-0x8(%rbp)
c: 48 83 7d f8 00 cmpq $0x0,-0x8(%rbp)
11: 74 45 je 0x58
13: 48 8b 45 f0 mov -0x10(%rbp),%rax
17: 48 89 c7 mov %rax,%rdi
1a: e8 ab 02 00 00 callq 0x2ca
1f: 83 f0 01 xor $0x1,%eax
22: 84 c0 test %al,%al
24: 74 1e je 0x44
26: 48 8b 45 f8 mov -0x8(%rbp),%rax
2a:* 4c 8b 00 mov (%rax),%r8 <-- trapping instruction
2d: 0f b6 55 ec movzbl -0x14(%rbp),%edx
31: 48 8b 4d f8 mov -0x8(%rbp),%rcx
35: 48 8b 45 f0 mov -0x10(%rbp),%rax
39: 48 89 ce mov %rcx,%rsi
3c: 48 89 c7 mov %rax,%rdi
3f: e8 .byte 0xe8
Code starting with the faulting instruction
===========================================
0: 4c 8b 00 mov (%rax),%r8
3: 0f b6 55 ec movzbl -0x14(%rbp),%edx
7: 48 8b 4d f8 mov -0x8(%rbp),%rcx
b: 48 8b 45 f0 mov -0x10(%rbp),%rax
f: 48 89 ce mov %rcx,%rsi
12: 48 89 c7 mov %rax,%rdi
15: e8 .byte 0xe8
RSP: 0018:ffffb58e80003de8 EFLAGS: 00010202
RAX: 00408210000b231a RBX: ffff8aa303097b00 RCX: 0000000000000000
RDX: 0000000000000102 RSI: 0000000000000001 RDI: ffff8aa303097b00
RBP: ffffb58e80003e00 R08: 0000000000000212 R09: ffffffff922d24e8
R10: 0000000000000000 R11: 00000000db69d000 R12: ffff8aa310c69ac0
R13: ffff8aa303097b00 R14: ffff8aa3062235d8 R15: 0000000000000005
FS: 0000000000000000(0000) GS:ffff8aa31ac00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055dac9d55408 CR3: 00000001090fa000 CR4: 00000000000006f0
Kernel panic - not syncing: Fatal exception in interrupt
Kernel Offset: 0xfa00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
[-- Attachment #1.2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
[-- Attachment #2: Type: text/plain, Size: 102 bytes --]
--
ath11k mailing list
ath11k@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/ath11k
RBP: 00408210000b231a R08: 0000000000000000 R09: ffff88800c233c17
R10: ffffed1001846782 R11: 0000000000000001 R12: 0000000000000001
R13: ffff88800c233bbe R14: ffff88800b701e58 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8880c3a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fdccf1c75c0 CR3: 00000000063a4000 CR4: 00000000000006f0
Call Trace:
<IRQ>
skb_release_data (net/core/skbuff.c:671)
skb_release_all (net/core/skbuff.c:743)
__kfree_skb (net/core/skbuff.c:757)
consume_skb (net/core/skbuff.c:912)
__dev_kfree_skb_any (net/core/dev.c:3038)
ath11k_ce_tx_process_cb (drivers/net/wireless/ath/ath11k/ce.c:515) ath11k
? __local_bh_enable_ip (./arch/x86/include/asm/preempt.h:103 kernel/softirq.c:390)
? ath11k_ce_alloc_pipes (drivers/net/wireless/ath/ath11k/ce.c:500) ath11k
? ath11k_hal_srng_access_end (drivers/net/wireless/ath/ath11k/hal.c:849) ath11k
ath11k_ce_per_engine_service (drivers/net/wireless/ath/ath11k/ce.c:694) ath11k
? _raw_spin_lock_irqsave (./arch/x86/include/asm/atomic.h:202 ./include/linux/atomic/atomic-instrumented.h:513 ./include/asm-generic/qspinlock.h:82 ./include/linux/spinlock.h:185 ./include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162)
? __lock_text_start (kernel/locking/spinlock.c:161)
? ath11k_ce_tx_process_cb (drivers/net/wireless/ath/ath11k/ce.c:689) ath11k
? __wake_up_bit (kernel/sched/wait_bit.c:192)
? __irq_put_desc_unlock (kernel/irq/irqdesc.c:819)
ath11k_pci_ce_tasklet (drivers/net/wireless/ath/ath11k/pci.c:637) ath11k_pci
? tasklet_clear_sched (kernel/softirq.c:752)
tasklet_action_common.constprop.0 (kernel/softirq.c:783)
__do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:212 ./include/trace/events/irq.h:142 kernel/softirq.c:559)
__irq_exit_rcu (kernel/softirq.c:432 kernel/softirq.c:636)
common_interrupt (arch/x86/kernel/irq.c:240 (discriminator 14))
</IRQ>
<TASK>
asm_common_interrupt (./arch/x86/include/asm/idtentry.h:629)
RIP: 0010:cpuidle_enter_state (drivers/cpuidle/cpuidle.c:259)
Code: ff e8 8e 95 db fe 80 3c 24 00 74 17 9c 58 0f 1f 44 00 00 f6 c4 02 0f 85 8e 06 00 00 31 ff e8 a1 b9 ef fe fb 66 0f 1f 44 00 00 <45> 85 ed 0f 88 52 03 00 00 4d 63 e5 4b 8d 04 64 49 8d 04 84 48 8d
All code
========
0: ff (bad)
1: e8 8e 95 db fe callq 0xfffffffffedb9594
6: 80 3c 24 00 cmpb $0x0,(%rsp)
a: 74 17 je 0x23
c: 9c pushfq
d: 58 pop %rax
e: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
13: f6 c4 02 test $0x2,%ah
16: 0f 85 8e 06 00 00 jne 0x6aa
1c: 31 ff xor %edi,%edi
1e: e8 a1 b9 ef fe callq 0xfffffffffeefb9c4
23: fb sti
24: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
2a:* 45 85 ed test %r13d,%r13d <-- trapping instruction
2d: 0f 88 52 03 00 00 js 0x385
33: 4d 63 e5 movslq %r13d,%r12
36: 4b 8d 04 64 lea (%r12,%r12,2),%rax
3a: 49 8d 04 84 lea (%r12,%rax,4),%rax
3e: 48 rex.W
3f: 8d .byte 0x8d
Code starting with the faulting instruction
===========================================
0: 45 85 ed test %r13d,%r13d
3: 0f 88 52 03 00 00 js 0x35b
9: 4d 63 e5 movslq %r13d,%r12
c: 4b 8d 04 64 lea (%r12,%r12,2),%rax
10: 49 8d 04 84 lea (%r12,%rax,4),%rax
14: 48 rex.W
15: 8d .byte 0x8d
RSP: 0018:ffffffffa1407de0 EFLAGS: 00000246
RAX: dffffc0000000000 RBX: ffff888003b20800 RCX: 1ffffffff41d935c
RDX: 1ffff11018748331 RSI: ffffffffa0a31b00 RDI: ffff8880c3a41988
RBP: ffffffffa18e0d20 R08: 0000000000000002 R09: ffff8880c3a41c2b
R10: ffffed1018748385 R11: 0000000000000001 R12: 0000000000000002
R13: 0000000000000002 R14: 0000001dfc72dae5 R15: ffffffffa18e0e08
? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/preempt.h:103 ./include/linux/spinlock_api_smp.h:152 kernel/locking/spinlock.c:194)
? tick_nohz_idle_stop_tick (./include/linux/hrtimer.h:419 kernel/time/tick-sched.c:920 kernel/time/tick-sched.c:1062 kernel/time/tick-sched.c:1083)
cpuidle_enter (drivers/cpuidle/cpuidle.c:353)
do_idle (kernel/sched/idle.c:158 kernel/sched/idle.c:239 kernel/sched/idle.c:306)
? arch_cpu_idle_exit+0x40/0x40
cpu_startup_entry (kernel/sched/idle.c:402 (discriminator 1))
start_kernel (init/main.c:1137)
secondary_startup_64_no_verify (arch/x86/kernel/head_64.S:283)
</TASK>
Modules linked in: qrtr_mhi qrtr ath11k_pci mhi ath11k qmi_helpers mac80211 kvm_amd btusb btrtl btbcm ccp btintel libarc4 rng_core evdev bluetooth cfg80211 kvm leds_apu jitterentropy_rng sha512_ssse3 sha512_generic snd_pcm ctr sg drbg snd_timer irqbypass ansi_cprng snd ecdh_generic rfkill soundcore ecc pcspkr k10temp sp5100_tco watchdog button acpi_cpufreq drm fuse configfs ip_tables x_tables autofs4 ext4 crc32c_generic crc16 mbcache jbd2 sd_mod t10_pi crc_t10dif crct10dif_generic crct10dif_common uas usb_storage ohci_pci ahci libahci libata ehci_pci ohci_hcd r8169 ehci_hcd realtek mdio_devres scsi_mod usbcore i2c_piix4 usb_common scsi_common libphy
---[ end trace bd73d57ff2669c03 ]---
RIP: 0010:skb_zcopy_clear (./include/linux/skbuff.h:1549)
Code: e8 9a fe ff ff 48 85 c0 74 62 48 89 c5 48 89 df e8 ad ff ff ff 84 c0 75 2a 48 89 ea 48 c1 ea 03 48 b8 00 00 00 00 00 fc ff df <80> 3c 02 00 75 41 41 0f b6 d4 48 8b 45 00 48 89 ee 48 89 df 0f ae
All code
========
0: e8 9a fe ff ff callq 0xfffffffffffffe9f
5: 48 85 c0 test %rax,%rax
8: 74 62 je 0x6c
a: 48 89 c5 mov %rax,%rbp
d: 48 89 df mov %rbx,%rdi
10: e8 ad ff ff ff callq 0xffffffffffffffc2
15: 84 c0 test %al,%al
17: 75 2a jne 0x43
19: 48 89 ea mov %rbp,%rdx
1c: 48 c1 ea 03 shr $0x3,%rdx
20: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
27: fc ff df
2a:* 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
2e: 75 41 jne 0x71
30: 41 0f b6 d4 movzbl %r12b,%edx
34: 48 8b 45 00 mov 0x0(%rbp),%rax
38: 48 89 ee mov %rbp,%rsi
3b: 48 89 df mov %rbx,%rdi
3e: 0f .byte 0xf
3f: ae scas %es:(%rdi),%al
Code starting with the faulting instruction
===========================================
0: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
4: 75 41 jne 0x47
6: 41 0f b6 d4 movzbl %r12b,%edx
a: 48 8b 45 00 mov 0x0(%rbp),%rax
e: 48 89 ee mov %rbp,%rsi
11: 48 89 df mov %rbx,%rdi
14: 0f .byte 0xf
15: ae scas %es:(%rdi),%al
RSP: 0018:ffff8880c3a09c30 EFLAGS: 00010216
RAX: dffffc0000000000 RBX: ffff88800c233b40 RCX: ffffffff9fce961b
RDX: 0008104200016463 RSI: 0000000000000001 RDI: ffff888015edeae8
RBP: 00408210000b231a R08: 0000000000000000 R09: ffff88800c233c17
R10: ffffed1001846782 R11: 0000000000000001 R12: 0000000000000001
R13: ffff88800c233bbe R14: ffff88800b701e58 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8880c3a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fdccf1c75c0 CR3: 00000000063a4000 CR4: 00000000000006f0
Kernel panic - not syncing: Fatal exception in interrupt
Kernel Offset: 0x1d800000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
[-- Attachment #1.5: station_connect_crash2.txt --]
[-- Type: text/plain, Size: 4538 bytes --]
general protection fault, probably for non-canonical address 0xe0080c4200016463: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: maybe wild-memory-access in range [0x00408210000b2318-0x00408210000b231f]
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.16.0-rc1+ #1
Hardware name: PC Engines APU/APU, BIOS 4.0 09/08/2014
RIP: 0010:skb_zcopy_clear+0x34/0x8f
Code: e8 9a fe ff ff 48 85 c0 74 62 48 89 c5 48 89 df e8 ad ff ff ff 84 c0 75 2a 48 89 ea 48 c1 ea 03 48 b8 00 00 00 00 00 fc ff df <80> 3c 02 00 75 41 41 0f b6 d4 48 8b 45 00 48 89 ee 48 89 df 0f ae
RSP: 0018:ffff8880c3a09c30 EFLAGS: 00010216
RAX: dffffc0000000000 RBX: ffff88800c233b40 RCX: ffffffff9fce961b
RDX: 0008104200016463 RSI: 0000000000000001 RDI: ffff888015edeae8
RBP: 00408210000b231a R08: 0000000000000000 R09: ffff88800c233c17
R10: ffffed1001846782 R11: 0000000000000001 R12: 0000000000000001
R13: ffff88800c233bbe R14: ffff88800b701e58 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8880c3a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fdccf1c75c0 CR3: 00000000063a4000 CR4: 00000000000006f0
Call Trace:
<IRQ>
skb_release_data+0x91/0x1de
skb_release_all+0x3e/0x47
__kfree_skb+0xe/0x18
consume_skb+0x24/0x26
__dev_kfree_skb_any+0x2a/0x2b
ath11k_ce_tx_process_cb+0x3ef/0x8d0 [ath11k]
? __local_bh_enable_ip+0x37/0x80
? ath11k_ce_alloc_pipes+0x5c0/0x5c0 [ath11k]
? ath11k_hal_srng_access_end+0x1d7/0x5d0 [ath11k]
ath11k_ce_per_engine_service+0x96b/0xc60 [ath11k]
? _raw_spin_lock_irqsave+0x9a/0xf0
? __lock_text_start+0x8/0x8
? ath11k_ce_tx_process_cb+0x8d0/0x8d0 [ath11k]
? __wake_up_bit+0x100/0x100
? __irq_put_desc_unlock+0x18/0x90
ath11k_pci_ce_tasklet+0x64/0x100 [ath11k_pci]
? tasklet_clear_sched+0x47/0xe0
tasklet_action_common.constprop.0+0x240/0x2d0
__do_softirq+0x1b0/0x5b9
__irq_exit_rcu+0xc6/0x170
common_interrupt+0xa9/0xc0
</IRQ>
<TASK>
asm_common_interrupt+0x1e/0x40
RIP: 0010:cpuidle_enter_state+0x196/0xa60
Code: ff e8 8e 95 db fe 80 3c 24 00 74 17 9c 58 0f 1f 44 00 00 f6 c4 02 0f 85 8e 06 00 00 31 ff e8 a1 b9 ef fe fb 66 0f 1f 44 00 00 <45> 85 ed 0f 88 52 03 00 00 4d 63 e5 4b 8d 04 64 49 8d 04 84 48 8d
RSP: 0018:ffffffffa1407de0 EFLAGS: 00000246
RAX: dffffc0000000000 RBX: ffff888003b20800 RCX: 1ffffffff41d935c
RDX: 1ffff11018748331 RSI: ffffffffa0a31b00 RDI: ffff8880c3a41988
RBP: ffffffffa18e0d20 R08: 0000000000000002 R09: ffff8880c3a41c2b
R10: ffffed1018748385 R11: 0000000000000001 R12: 0000000000000002
R13: 0000000000000002 R14: 0000001dfc72dae5 R15: ffffffffa18e0e08
? _raw_spin_unlock_irqrestore+0x25/0x40
? tick_nohz_idle_stop_tick+0x599/0xa60
cpuidle_enter+0x4a/0xa0
do_idle+0x3d7/0x530
? arch_cpu_idle_exit+0x40/0x40
cpu_startup_entry+0x19/0x20
start_kernel+0x38d/0x3ab
secondary_startup_64_no_verify+0xb0/0xbb
</TASK>
Modules linked in: qrtr_mhi qrtr ath11k_pci mhi ath11k qmi_helpers mac80211 kvm_amd btusb btrtl btbcm ccp btintel libarc4 rng_core evdev bluetooth cfg80211 kvm leds_apu jitterentropy_rng sha512_ssse3 sha512_generic snd_pcm ctr sg drbg snd_timer irqbypass ansi_cprng snd ecdh_generic rfkill soundcore ecc pcspkr k10temp sp5100_tco watchdog button acpi_cpufreq drm fuse configfs ip_tables x_tables autofs4 ext4 crc32c_generic crc16 mbcache jbd2 sd_mod t10_pi crc_t10dif crct10dif_generic crct10dif_common uas usb_storage ohci_pci ahci libahci libata ehci_pci ohci_hcd r8169 ehci_hcd realtek mdio_devres scsi_mod usbcore i2c_piix4 usb_common scsi_common libphy
---[ end trace bd73d57ff2669c03 ]---
RIP: 0010:skb_zcopy_clear+0x34/0x8f
Code: e8 9a fe ff ff 48 85 c0 74 62 48 89 c5 48 89 df e8 ad ff ff ff 84 c0 75 2a 48 89 ea 48 c1 ea 03 48 b8 00 00 00 00 00 fc ff df <80> 3c 02 00 75 41 41 0f b6 d4 48 8b 45 00 48 89 ee 48 89 df 0f ae
RSP: 0018:ffff8880c3a09c30 EFLAGS: 00010216
RAX: dffffc0000000000 RBX: ffff88800c233b40 RCX: ffffffff9fce961b
RDX: 0008104200016463 RSI: 0000000000000001 RDI: ffff888015edeae8
RBP: 00408210000b231a R08: 0000000000000000 R09: ffff88800c233c17
R10: ffffed1001846782 R11: 0000000000000001 R12: 0000000000000001
R13: ffff88800c233bbe R14: ffff88800b701e58 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8880c3a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fdccf1c75c0 CR3: 00000000063a4000 CR4: 00000000000006f0
Kernel panic - not syncing: Fatal exception in interrupt
Kernel Offset: 0x1d800000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
[-- Attachment #1.6: station_connect_crash3.txt --]
[-- Type: text/plain, Size: 4024 bytes --]
general protection fault, probably for non-canonical address 0x408210000b231a: 0000 [#1] PREEMPT SMP NOPTI
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.16.0-rc1+ #1
Hardware name: PC Engines APU/APU, BIOS 4.0 09/08/2014
RIP: 0010:skb_zcopy_clear+0x3f/0x70
Code: 48 89 c7 e8 81 02 00 00 48 89 45 f8 48 83 7d f8 00 74 45 48 8b 45 f0 48 89 c7 e8 ab 02 00 00 83 f0 01 84 c0 74 1e 48 8b 45 f8 <4c> 8b 00 0f b6 55 ec 48 8b 4d f8 48 8b 45 f0 48 89 ce 48 89 c7 e8
RSP: 0018:ffffb58e80003de8 EFLAGS: 00010202
RAX: 00408210000b231a RBX: ffff8aa303097b00 RCX: 0000000000000000
RDX: 0000000000000102 RSI: 0000000000000001 RDI: ffff8aa303097b00
RBP: ffffb58e80003e00 R08: 0000000000000212 R09: ffffffff922d24e8
R10: 0000000000000000 R11: 00000000db69d000 R12: ffff8aa310c69ac0
R13: ffff8aa303097b00 R14: ffff8aa3062235d8 R15: 0000000000000005
FS: 0000000000000000(0000) GS:ffff8aa31ac00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055dac9d55408 CR3: 00000001090fa000 CR4: 00000000000006f0
Call Trace:
<IRQ>
skb_release_data+0x4b/0xa2
skb_release_all+0x20/0x22
__kfree_skb+0xe/0x18
consume_skb+0x24/0x26
__dev_kfree_skb_any+0x2a/0x2b
ath11k_ce_tx_process_cb+0x157/0x220 [ath11k]
ath11k_ce_per_engine_service+0x3c0/0x3d0 [ath11k]
? _raw_spin_lock_irqsave+0x26/0x50
ath11k_pci_ce_tasklet+0x1c/0x40 [ath11k_pci]
tasklet_action_common.constprop.0+0xaf/0xe0
__do_softirq+0xec/0x2e9
__irq_exit_rcu+0xbc/0x110
common_interrupt+0xb8/0xd0
</IRQ>
<TASK>
asm_common_interrupt+0x1e/0x40
RIP: 0010:cpuidle_enter_state+0xda/0x370
Code: 31 ff e8 d9 c6 9e ff 45 84 ff 74 17 9c 58 0f 1f 44 00 00 f6 c4 02 0f 85 78 02 00 00 31 ff e8 bd 97 a5 ff fb 66 0f 1f 44 00 00 <45> 85 f6 0f 88 11 01 00 00 49 63 c6 4c 2b 2c 24 48 8d 14 40 48 8d
RSP: 0018:ffffffff92203e60 EFLAGS: 00000246
RAX: ffff8aa31ac00000 RBX: 0000000000000002 RCX: 000000000000001f
RDX: 0000000000000000 RSI: ffffffff91b70667 RDI: ffffffff91b55729
RBP: ffff8aa300906c00 R08: 0000000955084e02 R09: 0000000000000018
R10: 0000000000000001 R11: 0000000000001015 R12: ffffffff923d05c0
R13: 0000000955084e02 R14: 0000000000000002 R15: 0000000000000000
cpuidle_enter+0x29/0x40
do_idle+0x200/0x2b0
cpu_startup_entry+0x19/0x20
start_kernel+0x6b7/0x6dc
secondary_startup_64_no_verify+0xb0/0xbb
</TASK>
Modules linked in: qrtr_mhi qrtr ath11k_pci mhi ath11k qmi_helpers mac80211 btusb btrtl btbcm btintel bluetooth libarc4 kvm_amd cfg80211 ccp rng_core jitterentropy_rng kvm sha512_ssse3 sha512_generic evdev ctr snd_pcm drbg sg snd_timer ansi_cprng leds_apu irqbypass ecdh_generic snd rfkill ecc soundcore pcspkr k10temp sp5100_tco watchdog button acpi_cpufreq drm fuse configfs ip_tables x_tables autofs4 ext4 crc32c_generic crc16 mbcache jbd2 sd_mod t10_pi crc_t10dif crct10dif_generic crct10dif_common uas usb_storage ohci_pci ahci libahci ohci_hcd ehci_pci ehci_hcd libata r8169 realtek mdio_devres scsi_mod usbcore i2c_piix4 usb_common scsi_common libphy
---[ end trace 23d792ef4816c4de ]---
RIP: 0010:skb_zcopy_clear+0x3f/0x70
Code: 48 89 c7 e8 81 02 00 00 48 89 45 f8 48 83 7d f8 00 74 45 48 8b 45 f0 48 89 c7 e8 ab 02 00 00 83 f0 01 84 c0 74 1e 48 8b 45 f8 <4c> 8b 00 0f b6 55 ec 48 8b 4d f8 48 8b 45 f0 48 89 ce 48 89 c7 e8
RSP: 0018:ffffb58e80003de8 EFLAGS: 00010202
RAX: 00408210000b231a RBX: ffff8aa303097b00 RCX: 0000000000000000
RDX: 0000000000000102 RSI: 0000000000000001 RDI: ffff8aa303097b00
RBP: ffffb58e80003e00 R08: 0000000000000212 R09: ffffffff922d24e8
R10: 0000000000000000 R11: 00000000db69d000 R12: ffff8aa310c69ac0
R13: ffff8aa303097b00 R14: ffff8aa3062235d8 R15: 0000000000000005
FS: 0000000000000000(0000) GS:ffff8aa31ac00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055dac9d55408 CR3: 00000001090fa000 CR4: 00000000000006f0
Kernel panic - not syncing: Fatal exception in interrupt
Kernel Offset: 0xfa00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
[-- Attachment #1.7: station_connect_crash3_decoded.txt --]
[-- Type: text/plain, Size: 8959 bytes --]
general protection fault, probably for non-canonical address 0x408210000b231a: 0000 [#1] PREEMPT SMP NOPTI
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.16.0-rc1+ #1
Hardware name: PC Engines APU/APU, BIOS 4.0 09/08/2014
RIP: 0010:skb_zcopy_clear (./include/linux/skbuff.h:1551)
Code: 48 89 c7 e8 81 02 00 00 48 89 45 f8 48 83 7d f8 00 74 45 48 8b 45 f0 48 89 c7 e8 ab 02 00 00 83 f0 01 84 c0 74 1e 48 8b 45 f8 <4c> 8b 00 0f b6 55 ec 48 8b 4d f8 48 8b 45 f0 48 89 ce 48 89 c7 e8
All code
========
0: 48 89 c7 mov %rax,%rdi
3: e8 81 02 00 00 callq 0x289
8: 48 89 45 f8 mov %rax,-0x8(%rbp)
c: 48 83 7d f8 00 cmpq $0x0,-0x8(%rbp)
11: 74 45 je 0x58
13: 48 8b 45 f0 mov -0x10(%rbp),%rax
17: 48 89 c7 mov %rax,%rdi
1a: e8 ab 02 00 00 callq 0x2ca
1f: 83 f0 01 xor $0x1,%eax
22: 84 c0 test %al,%al
24: 74 1e je 0x44
26: 48 8b 45 f8 mov -0x8(%rbp),%rax
2a:* 4c 8b 00 mov (%rax),%r8 <-- trapping instruction
2d: 0f b6 55 ec movzbl -0x14(%rbp),%edx
31: 48 8b 4d f8 mov -0x8(%rbp),%rcx
35: 48 8b 45 f0 mov -0x10(%rbp),%rax
39: 48 89 ce mov %rcx,%rsi
3c: 48 89 c7 mov %rax,%rdi
3f: e8 .byte 0xe8
Code starting with the faulting instruction
===========================================
0: 4c 8b 00 mov (%rax),%r8
3: 0f b6 55 ec movzbl -0x14(%rbp),%edx
7: 48 8b 4d f8 mov -0x8(%rbp),%rcx
b: 48 8b 45 f0 mov -0x10(%rbp),%rax
f: 48 89 ce mov %rcx,%rsi
12: 48 89 c7 mov %rax,%rdi
15: e8 .byte 0xe8
RSP: 0018:ffffb58e80003de8 EFLAGS: 00010202
RAX: 00408210000b231a RBX: ffff8aa303097b00 RCX: 0000000000000000
RDX: 0000000000000102 RSI: 0000000000000001 RDI: ffff8aa303097b00
RBP: ffffb58e80003e00 R08: 0000000000000212 R09: ffffffff922d24e8
R10: 0000000000000000 R11: 00000000db69d000 R12: ffff8aa310c69ac0
R13: ffff8aa303097b00 R14: ffff8aa3062235d8 R15: 0000000000000005
FS: 0000000000000000(0000) GS:ffff8aa31ac00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055dac9d55408 CR3: 00000001090fa000 CR4: 00000000000006f0
Call Trace:
<IRQ>
skb_release_data (net/core/skbuff.c:671)
skb_release_all (net/core/skbuff.c:743)
__kfree_skb (net/core/skbuff.c:757)
consume_skb (net/core/skbuff.c:912)
__dev_kfree_skb_any (net/core/dev.c:3038)
ath11k_ce_tx_process_cb (drivers/net/wireless/ath/ath11k/ce.c:515) ath11k
ath11k_ce_per_engine_service (drivers/net/wireless/ath/ath11k/ce.c:694) ath11k
? _raw_spin_lock_irqsave (./arch/x86/include/asm/atomic.h:202 ./include/linux/atomic/atomic-instrumented.h:513 ./include/asm-generic/qspinlock.h:82 ./include/linux/spinlock.h:185 ./include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162)
ath11k_pci_ce_tasklet (drivers/net/wireless/ath/ath11k/pci.c:637) ath11k_pci
tasklet_action_common.constprop.0 (./arch/x86/include/asm/bitops.h:75 ./include/asm-generic/bitops/instrumented-atomic.h:42 kernel/softirq.c:879 kernel/softirq.c:787)
__do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:212 ./include/trace/events/irq.h:142 kernel/softirq.c:559)
__irq_exit_rcu (kernel/softirq.c:432 kernel/softirq.c:636)
common_interrupt (arch/x86/kernel/irq.c:240 (discriminator 14))
</IRQ>
<TASK>
asm_common_interrupt (./arch/x86/include/asm/idtentry.h:629)
RIP: 0010:cpuidle_enter_state (drivers/cpuidle/cpuidle.c:259)
Code: 31 ff e8 d9 c6 9e ff 45 84 ff 74 17 9c 58 0f 1f 44 00 00 f6 c4 02 0f 85 78 02 00 00 31 ff e8 bd 97 a5 ff fb 66 0f 1f 44 00 00 <45> 85 f6 0f 88 11 01 00 00 49 63 c6 4c 2b 2c 24 48 8d 14 40 48 8d
All code
========
0: 31 ff xor %edi,%edi
2: e8 d9 c6 9e ff callq 0xffffffffff9ec6e0
7: 45 84 ff test %r15b,%r15b
a: 74 17 je 0x23
c: 9c pushfq
d: 58 pop %rax
e: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
13: f6 c4 02 test $0x2,%ah
16: 0f 85 78 02 00 00 jne 0x294
1c: 31 ff xor %edi,%edi
1e: e8 bd 97 a5 ff callq 0xffffffffffa597e0
23: fb sti
24: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
2a:* 45 85 f6 test %r14d,%r14d <-- trapping instruction
2d: 0f 88 11 01 00 00 js 0x144
33: 49 63 c6 movslq %r14d,%rax
36: 4c 2b 2c 24 sub (%rsp),%r13
3a: 48 8d 14 40 lea (%rax,%rax,2),%rdx
3e: 48 rex.W
3f: 8d .byte 0x8d
Code starting with the faulting instruction
===========================================
0: 45 85 f6 test %r14d,%r14d
3: 0f 88 11 01 00 00 js 0x11a
9: 49 63 c6 movslq %r14d,%rax
c: 4c 2b 2c 24 sub (%rsp),%r13
10: 48 8d 14 40 lea (%rax,%rax,2),%rdx
14: 48 rex.W
15: 8d .byte 0x8d
RSP: 0018:ffffffff92203e60 EFLAGS: 00000246
RAX: ffff8aa31ac00000 RBX: 0000000000000002 RCX: 000000000000001f
RDX: 0000000000000000 RSI: ffffffff91b70667 RDI: ffffffff91b55729
RBP: ffff8aa300906c00 R08: 0000000955084e02 R09: 0000000000000018
R10: 0000000000000001 R11: 0000000000001015 R12: ffffffff923d05c0
R13: 0000000955084e02 R14: 0000000000000002 R15: 0000000000000000
cpuidle_enter (drivers/cpuidle/cpuidle.c:353)
do_idle (kernel/sched/idle.c:158 kernel/sched/idle.c:239 kernel/sched/idle.c:306)
cpu_startup_entry (kernel/sched/idle.c:402 (discriminator 1))
start_kernel (init/main.c:1137)
secondary_startup_64_no_verify (arch/x86/kernel/head_64.S:283)
</TASK>
Modules linked in: qrtr_mhi qrtr ath11k_pci mhi ath11k qmi_helpers mac80211 btusb btrtl btbcm btintel bluetooth libarc4 kvm_amd cfg80211 ccp rng_core jitterentropy_rng kvm sha512_ssse3 sha512_generic evdev ctr snd_pcm drbg sg snd_timer ansi_cprng leds_apu irqbypass ecdh_generic snd rfkill ecc soundcore pcspkr k10temp sp5100_tco watchdog button acpi_cpufreq drm fuse configfs ip_tables x_tables autofs4 ext4 crc32c_generic crc16 mbcache jbd2 sd_mod t10_pi crc_t10dif crct10dif_generic crct10dif_common uas usb_storage ohci_pci ahci libahci ohci_hcd ehci_pci ehci_hcd libata r8169 realtek mdio_devres scsi_mod usbcore i2c_piix4 usb_common scsi_common libphy
---[ end trace 23d792ef4816c4de ]---
RIP: 0010:skb_zcopy_clear (./include/linux/skbuff.h:1551)
Code: 48 89 c7 e8 81 02 00 00 48 89 45 f8 48 83 7d f8 00 74 45 48 8b 45 f0 48 89 c7 e8 ab 02 00 00 83 f0 01 84 c0 74 1e 48 8b 45 f8 <4c> 8b 00 0f b6 55 ec 48 8b 4d f8 48 8b 45 f0 48 89 ce 48 89 c7 e8
All code
========
0: 48 89 c7 mov %rax,%rdi
3: e8 81 02 00 00 callq 0x289
8: 48 89 45 f8 mov %rax,-0x8(%rbp)
c: 48 83 7d f8 00 cmpq $0x0,-0x8(%rbp)
11: 74 45 je 0x58
13: 48 8b 45 f0 mov -0x10(%rbp),%rax
17: 48 89 c7 mov %rax,%rdi
1a: e8 ab 02 00 00 callq 0x2ca
1f: 83 f0 01 xor $0x1,%eax
22: 84 c0 test %al,%al
24: 74 1e je 0x44
26: 48 8b 45 f8 mov -0x8(%rbp),%rax
2a:* 4c 8b 00 mov (%rax),%r8 <-- trapping instruction
2d: 0f b6 55 ec movzbl -0x14(%rbp),%edx
31: 48 8b 4d f8 mov -0x8(%rbp),%rcx
35: 48 8b 45 f0 mov -0x10(%rbp),%rax
39: 48 89 ce mov %rcx,%rsi
3c: 48 89 c7 mov %rax,%rdi
3f: e8 .byte 0xe8
Code starting with the faulting instruction
===========================================
0: 4c 8b 00 mov (%rax),%r8
3: 0f b6 55 ec movzbl -0x14(%rbp),%edx
7: 48 8b 4d f8 mov -0x8(%rbp),%rcx
b: 48 8b 45 f0 mov -0x10(%rbp),%rax
f: 48 89 ce mov %rcx,%rsi
12: 48 89 c7 mov %rax,%rdi
15: e8 .byte 0xe8
RSP: 0018:ffffb58e80003de8 EFLAGS: 00010202
RAX: 00408210000b231a RBX: ffff8aa303097b00 RCX: 0000000000000000
RDX: 0000000000000102 RSI: 0000000000000001 RDI: ffff8aa303097b00
RBP: ffffb58e80003e00 R08: 0000000000000212 R09: ffffffff922d24e8
R10: 0000000000000000 R11: 00000000db69d000 R12: ffff8aa310c69ac0
R13: ffff8aa303097b00 R14: ffff8aa3062235d8 R15: 0000000000000005
FS: 0000000000000000(0000) GS:ffff8aa31ac00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055dac9d55408 CR3: 00000001090fa000 CR4: 00000000000006f0
Kernel panic - not syncing: Fatal exception in interrupt
Kernel Offset: 0xfa00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
Thread overview: 28+ messages
2021-11-29 10:13 [PATCH] ath11k: enable IEEE80211_HW_SINGLE_SCAN_ON_ALL_BANDS for WCN6855 Wen Gong
2021-12-03 14:09 ` Sven Eckelmann
2021-12-06 3:29 ` Wen Gong
2021-12-06 6:56 ` Sven Eckelmann
2021-12-06 7:10 ` Wen Gong
2021-12-06 20:03 ` Sven Eckelmann [this message]
2021-12-07 4:35 ` Wen Gong
2021-12-07 14:30 ` Sven Eckelmann
2021-12-08 3:43 ` Wen Gong
2021-12-08 8:16 ` Kalle Valo
2021-12-08 8:19 ` Wen Gong
2021-12-08 9:12 ` Sven Eckelmann
2021-12-08 9:48 ` Kalle Valo
2021-12-09 7:59 ` Kalle Valo