From mboxrd@z Thu Jan 1 00:00:00 1970
From: Ben Greear
Subject: Re: [PATCH v2] net-fq: Add WARN_ON check for null flow.
Date: Fri, 8 Jun 2018 07:10:19 -0700
Message-ID: <99455a63-4a19-e172-a9b4-e7d8935cb1e0@candelatech.com>
References: <1528415316-6379-1-git-send-email-greearb@candelatech.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Cc: Linux Kernel Network Developers
To: Cong Wang
Return-path:
Received: from mail2.candelatech.com ([208.74.158.173]:59710 "EHLO mail2.candelatech.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751265AbeFHOKZ (ORCPT ); Fri, 8 Jun 2018 10:10:25 -0400
In-Reply-To:
Sender: netdev-owner@vger.kernel.org
List-ID:

On 06/07/2018 05:13 PM, Cong Wang wrote:
> On Thu, Jun 7, 2018 at 4:48 PM, wrote:
>> From: Ben Greear
>>
>> While testing an ath10k firmware that often crashed under load,
>> I was seeing kernel crashes as well. One of them appeared to
>> be a dereference of a NULL flow object in fq_tin_dequeue.
>>
>> I have since fixed the firmware flaw, but I think it would be
>> worth adding the WARN_ON in case the problem appears again.
>>
>> BUG: unable to handle kernel NULL pointer dereference at 000000000000003c
>> IP: ieee80211_tx_dequeue+0xfb/0xb10 [mac80211]
>
> Instead of adding WARN_ON(), you need to think about
> the locking there, it is suspicious:
>
> fq is from struct ieee80211_local:
>
> struct fq *fq = &local->fq;
>
> tin is from struct txq_info:
>
> struct fq_tin *tin = &txqi->tin;
>
> I don't know if fq and tin are supposed to be 1:1, if not there is
> a bug in the locking, because ->new_flows and ->old_flows are
> both inside tin instead of fq, but they are protected by fq->lock....

Maybe whoever put this code together can take a stab at it.

Thanks,
Ben

--
Ben Greear
Candela Technologies Inc
http://www.candelatech.com