public inbox for linux-wireless@vger.kernel.org
* [BUG] Atheros AR9280: NULL-deref during P2P setup
From: David Herrmann @ 2013-12-05 10:31 UTC
  To: linux-wireless; +Cc: ath9k-devel

Hi

I'm testing wifi-P2P with an ath9k_htc device. The relevant log from wpa_cli is:

> p2p_find
OK
<3>P2P-DEVICE-FOUND 12:68:3f:4e:39:f2 p2p_dev_addr=12:68:3f:4e:39:f2
pri_dev_type=10-0050F204-5 name='dvdhrm-nx' config_methods=0x188
dev_capab=0x25 group_capab=0x0
<3>P2P-PROV-DISC-SHOW-PIN 12:68:3f:4e:39:f2 33413853
p2p_dev_addr=12:68:3f:4e:39:f2 pri_dev_type=10-0050F204-5
name='dvdhrm-nx' config_methods=0x188 dev_capab=0x25 group_capab=0x0
> p2p_connect 12:68:3f:4e:39:f2 pin
98344376
<3>P2P-FIND-STOPPED
<3>P2P-GO-NEG-SUCCESS role=GO freq=2462 ht40=0
peer_dev=12:68:3f:4e:39:f2 peer_iface=12:68:3f:4e:b9:f2
wps_method=Display

After the P2P-GO-NEG-SUCCESS I get a NULL-deref in the ath9k-htc
driver, logs appended below. Kernel is 3.12.2 but I also get this with
3.11. I can test any -git trees if you want, but bisecting won't work
as I don't know any working revision.

Any hints are welcome!
Thanks
David


Dec 05 11:13:46 david-ub kernel: BUG: unable to handle kernel NULL
pointer dereference at 000000000000000c
Dec 05 11:13:46 david-ub kernel: IP: [<ffffffffa0b6d9e2>]
ar9002_hw_calibrate+0x3b2/0x430 [ath9k_hw]
Dec 05 11:13:46 david-ub kernel: PGD 0.
Dec 05 11:13:46 david-ub kernel: Oops: 0002 [#1] PREEMPT SMP.
Dec 05 11:13:46 david-ub kernel: Modules linked in: ath9k_htc
ath9k_common ath9k_hw ath btusb bluetooth crc16 uvcvideo
videobuf2_vmalloc videobuf2_memops videobuf2_core videodev media
x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm
crct10dif_pclmul crct10dif_common crc32_pclmul ghash_clmulni_intel
aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd
joydev arc4 hid_sensor_hub nls_cp437 vfat fat hid_generic
microread_mei microread crc_ccitt mei_phy hid_multitouch hci nfc
iwldvm iTCO_wdt iTCO_vendor_support mac80211 iwlwifi microcode psmouse
evdev snd_hda_codec_hdmi ums_realtek usbhid usb_storage serio_raw hid
cfg80211 pcspkr i2c_i801 snd_hda_codec_realtek rfkill i915 fan thermal
snd_hda_intel intel_agp intel_gtt drm_kms_helper snd_hda_codec drm
battery video snd_hwdep snd_pcm i2c_algo_bit i2c_core
Dec 05 11:13:46 david-ub kernel:  snd_page_alloc ac mei_me snd_timer
snd mei button soundcore shpchp lpc_ich processor usbip_host(C)
usbip_core(C) btrfs libcrc32c xor raid6_pq sd_mod crc32c_intel ahci
libahci libata ehci_pci xhci_hcd ehci_hcd scsi_mod usbcore usb_common
Dec 05 11:13:46 david-ub kernel: CPU: 1 PID: 6 Comm: kworker/u32:0
Tainted: G         C   3.12.2-1-ARCH #1
Dec 05 11:13:46 david-ub kernel: Hardware name: Intel Corporation 2012
Client Platform/Latexo FFRD, BIOS ACRVMBY1.86C.0094.P02.1207301240
07/30/2012
Dec 05 11:13:46 david-ub kernel: Workqueue: phy2 ath9k_htc_ani_work
[ath9k_htc]
Dec 05 11:13:46 david-ub kernel: task: ffff8801492dab70 ti:
ffff880149352000 task.ti: ffff880149352000
Dec 05 11:13:46 david-ub kernel: RIP: 0010:[<ffffffffa0b6d9e2>]
[<ffffffffa0b6d9e2>] ar9002_hw_calibrate+0x3b2/0x430 [ath9k_hw]
Dec 05 11:13:46 david-ub kernel: RSP: 0018:ffff880149353db0  EFLAGS:
00010286
Dec 05 11:13:46 david-ub kernel: RAX: 0000000000000001 RBX:
ffff880149294000 RCX: 00000000ffffffff
Dec 05 11:13:46 david-ub kernel: RDX: 0000000000000000 RSI:
0000000000000046 RDI: 0000000000000246
Dec 05 11:13:46 david-ub kernel: RBP: ffff880149353de8 R08:
0000000000000000 R09: 0000000000000001
Dec 05 11:13:46 david-ub kernel: R10: 0000000000000002 R11:
0000000000000000 R12: 0000000000000000
Dec 05 11:13:46 david-ub kernel: R13: ffff880149294220 R14:
ffff8801492955c0 R15: 0000000000000000
Dec 05 11:13:46 david-ub kernel: FS:  0000000000000000(0000)
GS:ffff88014f220000(0000) knlGS:0000000000000000
Dec 05 11:13:46 david-ub kernel: CS:  0010 DS: 0000 ES: 0000 CR0:
0000000080050033
Dec 05 11:13:46 david-ub kernel: CR2: 000000000000000c CR3:
000000000280d000 CR4: 00000000001407e0
Dec 05 11:13:46 david-ub kernel: Stack:
Dec 05 11:13:46 david-ub kernel:  00000000a0bdba8e ffff880100000000
ffff880149294000 ffff88013e42dde0
Dec 05 11:13:46 david-ub kernel:  0000000055554fb8 ffff88013e42d7c0
0000000000000000 ffff880149353e20
Dec 05 11:13:46 david-ub kernel:  ffffffffa0bda99a ffff88014925db00
ffff88014a811800 ffff88013e42dde0
Dec 05 11:13:46 david-ub kernel: Call Trace:
Dec 05 11:13:46 david-ub kernel:  [<ffffffffa0bda99a>]
ath9k_htc_ani_work+0xea/0x1a0 [ath9k_htc]
Dec 05 11:13:46 david-ub kernel:  [<ffffffff8107daf7>]
process_one_work+0x167/0x450
Dec 05 11:13:46 david-ub kernel:  [<ffffffff8107e501>] worker_thread+0x121/0x3a0
Dec 05 11:13:46 david-ub kernel:  [<ffffffff8107e3e0>] ?
manage_workers.isra.23+0x2b0/0x2b0
Dec 05 11:13:46 david-ub kernel:  [<ffffffff81084e90>] kthread+0xc0/0xd0
Dec 05 11:13:46 david-ub kernel:  [<ffffffff81084dd0>] ?
kthread_create_on_node+0x120/0x120
Dec 05 11:13:46 david-ub kernel:  [<ffffffff814fc33c>] ret_from_fork+0x7c/0xb0
Dec 05 11:13:46 david-ub kernel:  [<ffffffff81084dd0>] ?
kthread_create_on_node+0x120/0x120
Dec 05 11:13:46 david-ub kernel: Code: d3 f8 83 e0 01 83 f8 01 83 de
ff 83 c1 01 83 f9 03 75 eb 44 89 45 d0 40 0f b6 f6 48 89 df 41 ff 51
18 49 8b 06 44 8b 45 d0 8b 00 <41> 09 47 0c 49 8b 76 10 41 c7 46 08 03
00 00 00 48 89 b3 00 16.
Dec 05 11:13:46 david-ub kernel: RIP  [<ffffffffa0b6d9e2>]
ar9002_hw_calibrate+0x3b2/0x430 [ath9k_hw]
Dec 05 11:13:46 david-ub kernel:  RSP <ffff880149353db0>
Dec 05 11:13:46 david-ub kernel: CR2: 000000000000000c
Dec 05 11:13:46 david-ub kernel: ---[ end trace 568b2b5d97c813d2 ]---
Dec 05 11:13:46 david-ub kernel: BUG: unable to handle kernel paging
request at ffffffffffffffd8
Dec 05 11:13:46 david-ub kernel: IP: [<ffffffff810854f0>] kthread_data+0x10/0x20


The log before the oops is just the USB-hotplug information:

Dec 05 11:12:59 david-ub kernel: usb 1-3: new high-speed USB device
number 3 using xhci_hcd
Dec 05 11:12:59 david-ub kernel: usbip-host 1-3:1.0: 1-3 is not in
match_busid table... skip!
Dec 05 11:12:59 david-ub kernel: usb 1-3: ath9k_htc: Firmware
htc_7010.fw requested
Dec 05 11:12:59 david-ub kernel: usb 1-3: ath9k_htc: Transferred FW:
htc_7010.fw, size: 72992
Dec 05 11:12:59 david-ub kernel: ath9k_htc 1-3:1.0: ath9k_htc: HTC
initialized with 45 credits
Dec 05 11:13:00 david-ub kernel: ath9k_htc 1-3:1.0: ath9k_htc: FW Version: 1.3
Dec 05 11:13:00 david-ub kernel: ath: EEPROM regdomain: 0x6a
Dec 05 11:13:00 david-ub kernel: ath: EEPROM indicates we should
expect a direct regpair map
Dec 05 11:13:00 david-ub kernel: ath: Country alpha2 being used: 00
Dec 05 11:13:00 david-ub kernel: ath: Regpair used: 0x6a
Dec 05 11:13:00 david-ub kernel: ieee80211 phy2: Atheros AR9280 Rev:2
Dec 05 11:13:02 david-ub kernel: IPv6: ADDRCONF(NETDEV_UP): wlan1:
link is not ready
Dec 05 11:13:46 david-ub kernel: IPv6: ADDRCONF(NETDEV_UP):
p2p-wlan1-0: link is not ready
Dec 05 11:13:46 david-ub kernel: IPv6: ADDRCONF(NETDEV_UP):
p2p-wlan1-0: link is not ready
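
Added example, not part of the original post or of any kernel tooling: a small Python triage helper that rejoins the mailer-wrapped journal lines of an oops like the one above and pulls out the fault address, the faulting symbol, the x86 page-fault error-code bits and any zeroed general-purpose registers. The sample is a constructed excerpt of the log above; `unwrap` and `triage` are hypothetical helper names.

```python
import re

# Constructed sample: a few lines of the oops above, still hard-wrapped by the mailer.
SAMPLE = """\
Dec 05 11:13:46 david-ub kernel: BUG: unable to handle kernel NULL
pointer dereference at 000000000000000c
Dec 05 11:13:46 david-ub kernel: IP: [<ffffffffa0b6d9e2>]
ar9002_hw_calibrate+0x3b2/0x430 [ath9k_hw]
Dec 05 11:13:46 david-ub kernel: Oops: 0002 [#1] PREEMPT SMP.
Dec 05 11:13:46 david-ub kernel: Workqueue: phy2 ath9k_htc_ani_work
[ath9k_htc]
Dec 05 11:13:46 david-ub kernel: R13: ffff880149294220 R14:
ffff8801492955c0 R15: 0000000000000000
Dec 05 11:13:46 david-ub kernel: CR2: 000000000000000c CR3:
000000000280d000 CR4: 00000000001407e0
"""

# Journal prefix: "Mon DD HH:MM:SS host kernel: "
PREFIX = re.compile(r"^\w{3} \d{2} [\d:]{8} \S+ kernel: ?")

def unwrap(text):
    """Rejoin wrapped continuation lines and strip the journal prefix."""
    records = []
    for line in text.splitlines():
        if PREFIX.match(line):
            records.append(PREFIX.sub("", line, count=1).strip())
        elif records and line.strip():
            records[-1] += " " + line.strip()   # continuation of previous record
    return records

def triage(text):
    """Summarise the first x86-64 oops found in a journal excerpt."""
    blob = "\n".join(unwrap(text))
    out = {}
    m = re.search(r"\bCR2: ([0-9a-f]{16})", blob)
    if m:
        out["fault_addr"] = int(m.group(1), 16)
        # An address inside the first page means NULL base plus a small field offset.
        out["null_plus_offset"] = out["fault_addr"] < 4096
    m = re.search(r"IP: \[<[0-9a-f]+>\] (\w+)\+(0x[0-9a-f]+)/0x[0-9a-f]+ \[(\w+)\]", blob)
    if m:
        out["symbol"], out["module"] = m.group(1), m.group(3)
        out["offset"] = int(m.group(2), 16)
    m = re.search(r"Oops: ([0-9a-f]{4})", blob)
    if m:
        code = int(m.group(1), 16)
        out["page_present"] = bool(code & 1)   # bit 0: protection fault vs. not-present
        out["write"] = bool(code & 2)          # bit 1: write access
        out["user_mode"] = bool(code & 4)      # bit 2: fault raised from user mode
    regs = re.findall(r"\b(R[A-Z0-9]{2}): ([0-9a-f]{16})", blob)
    out["zero_regs"] = sorted(name for name, val in regs if int(val, 16) == 0)
    return out

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```
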


* Re: [BUG] Atheros AR9280: NULL-deref during P2P setup
From: Oleksij Rempel @ 2013-12-05 14:52 UTC
  To: David Herrmann, linux-wireless; +Cc: ath9k-devel


Hi David,

Currently I am working on another ath9k_htc-related issue. If you or somebody
else can work on this one, it would be great.

On 05.12.2013 11:31, David Herrmann wrote:
> Hi
> 
> I'm testing wifi-P2P with an ath9k_htc device. The relevant log from wpa_cli is:
> 
>> p2p_find
> OK
> <3>P2P-DEVICE-FOUND 12:68:3f:4e:39:f2 p2p_dev_addr=12:68:3f:4e:39:f2
> pri_dev_type=10-0050F204-5 name='dvdhrm-nx' config_methods=0x188
> dev_capab=0x25 group_capab=0x0
> <3>P2P-PROV-DISC-SHOW-PIN 12:68:3f:4e:39:f2 33413853
> p2p_dev_addr=12:68:3f:4e:39:f2 pri_dev_type=10-0050F204-5
> name='dvdhrm-nx' config_methods=0x188 dev_capab=0x25 group_capab=0x0
>> p2p_connect 12:68:3f:4e:39:f2 pin
> 98344376
> <3>P2P-FIND-STOPPED
> <3>P2P-GO-NEG-SUCCESS role=GO freq=2462 ht40=0
> peer_dev=12:68:3f:4e:39:f2 peer_iface=12:68:3f:4e:b9:f2
> wps_method=Display
> 
> After the P2P-GO-NEG-SUCCESS I get a NULL-deref in the ath9k-htc
> driver, logs appended below. Kernel is 3.12.2 but I also get this with
> 3.11. I can test any -git trees if you want, but bisecting won't work
> as I don't know any working revision.
> 
> Any hints are welcome!
> Thanks
> David
> 
> 


-- 
Regards,
Oleksij



* Re: [BUG] Atheros AR9280: NULL-deref during P2P setup
From: David Herrmann @ 2013-12-05 18:30 UTC
  To: Oleksij Rempel; +Cc: linux-wireless, ath9k-devel

Hi

On Thu, Dec 5, 2013 at 3:52 PM, Oleksij Rempel <linux@rempel-privat.de> wrote:
> Hi David,
>
> Currently I am working on another ath9k_htc-related issue. If you or somebody
> else can work on this one, it would be great.

It's weird, now I cannot reproduce the issue. I am actually trying to
make my Nexus-4 and my Linux host connect via wifi-p2p. If I initiate
the connection via standard Android Wifi-Direct menu, it all works.
However, doing that via the Wifi-Display menu hasn't worked yet. I
correctly set the WFD IE subelements and can see the device, but
initiating the connection from the Android device just sends a
P2P_INVITATION. If I follow up via P2P_CONNECT, nothing happens. Just
nothing..

All I get is this:
<3>P2P-DEVICE-FOUND 12:68:3f:4e:39:f2 p2p_dev_addr=12:68:3f:4e:39:f2
pri_dev_type=10-0050F204-5 name='dvdhrm-nx' config_methods=0x188
dev_capab=0x25 group_capab=0x0
<3>P2P-INVITATION-RECEIVED sa=12:68:3f:4e:39:f2
go_dev_addr=12:68:3f:4e:39:f2 bssid=12:68:3f:4e:b9:f2 unknown-network

I tried all available pin-methods.. I will check the wpa_supplicant
log later, but it's usually so verbose that I cannot find anything
useful in it.

Note that after the Android device timed out, it gets the incoming
p2p-connection from my Linux host. But it gets it as a standard
P2P-connection, not as a WFD connection. So somehow it ignores all
incoming requests.

Weird thing is, earlier today I got a P2P-PROV-DISC-REQ instead of the
P2P-INVITATION-RECEIVED. Cannot figure out why.. same kernel, same
config. Tried it like 20 times each..

Any hints welcome! Especially if someone knows more about Android wifi
debugging.

Thanks
David
