QCN9074 monitor-mode crash

Robert Hodaszi robert.hodaszi at digi.com
Mon Sep 19 11:25:30 PDT 2022 

Hi,

I'm trying to make the monitor-mode working on a QCN9074 module, but it 
is crashing with the following log:

    # BUG: kernel NULL pointer dereference, address: 0000000000000064
    #PF: supervisor read access in kernel mode
    #PF: error_code(0x0000) - not-present page
    PGD 0 P4D 0
    Oops: 0000 [#1] SMP
    CPU: 0 PID: 11 Comm: ksoftirqd/0 Not tainted 5.19.0-ac0 #21
    Hardware name: Digi International TransPort WR64/TransPort WR64,
    BIOS MV64-001 11/07/2018
    RIP: 0010:ath11k_dbring_buf_cleanup+0xcb0/0xd50 [ath11k]
    Code: 0d 83 e0 03 c3 0f 1f 44 00 00 8b 47 70 48 c1 e8 0f 83 e0 0f c3
    0f 1f 44 00 00 8b 47 70 48 c1 e8 13 83 e0 03 c3 0f 1f 44 00 00 <8b>
    47 64 48 c1 e8 08 83
      e0 03 c3 0f 1f 44 00 00 8b 47 64 48 c1 e8
    RSP: 0018:ffffa8cec0073c98 EFLAGS: 00010246
    RAX: ffffffffc04dc100 RBX: ffff88cc54fe2270 RCX: 0300000000000000
    RDX: ffff88cc54273e00 RSI: ffff88cc5900ad60 RDI: 0000000000000000
    RBP: ffff88cc54fe1fc0 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000000 R11: ffffffffa99c6ba0 R12: ffff88cc54273e00
    R13: ffff88cc5900ad60 R14: 0000000000000000 R15: 0000000000000000
    FS:  0000000000000000(0000) GS:ffff88ccb9000000(0000)
    knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000000000064 CR3: 000000005c40a000 CR4: 00000000001006b0
    Call Trace:
      <TASK>
      ath11k_dp_tx_htt_monitor_mode_ring_config+0x969/0x3a00 [ath11k]
      ath11k_dp_tx_htt_monitor_mode_ring_config+0x1f3a/0x3a00 [ath11k]
      ath11k_dp_rx_process_mon_rings+0x2c3/0x4f0 [ath11k]
      ath11k_dp_service_srng+0x15b/0x720 [ath11k]
      ath11k_pcic_ce_irqs_enable+0x10c/0x160 [ath11k]
      __napi_poll+0x1f/0x100
      net_rx_action+0x12d/0x250
      __do_softirq+0xaa/0x1d2
      ? sort_range+0x20/0x20
      run_ksoftirqd+0x15/0x20
      smpboot_thread_fn+0x9d/0x130
      kthread+0xae/0xd0
      ? kthread_complete_and_exit+0x20/0x20
      ret_from_fork+0x1f/0x30
      </TASK>
    Modules linked in: qrtr_mhi qrtr ath11k_pci mhi ath11k qmi_helpers
    nf_conntrack_netlink arptable_filter arp_tables ip6table_mangle
    ip6table_raw ip6table_nat
    ip6t_ah ip6table_filter ip6_tables xt_TCPMSS xt_mark xt_connmark
    iptable_mangle xt_CT iptable_raw iptable_nat xt_set xt_tcpudp
    xt_conntrack xt_LOG nf_log_sys
    log xt_limit xt_addrtype ip_set_hash_netiface ip_set_hash_net
    ip_set_hash_ip ip_set nfnetlink nf_nat_pptp nf_conntrack_pptp
    nf_nat_tftp nf_conntrack_tftp nf_
    nat_ftp nf_conntrack_ftp nf_nat nf_conntrack nf_defrag_ipv6
    nf_defrag_ipv4 iptable_filter ip_tables x_tables ath10k_pci
    ath10k_core ath i2c_designware_pci i2
    c_ccgx_ucsi i2c_designware_core
    CR2: 0000000000000064
    ---[ end trace 0000000000000000 ]---
    RIP: 0010:ath11k_dbring_buf_cleanup+0xcb0/0xd50 [ath11k]
    Code: 0d 83 e0 03 c3 0f 1f 44 00 00 8b 47 70 48 c1 e8 0f 83 e0 0f c3
    0f 1f 44 00 00 8b 47 70 48 c1 e8 13 83 e0 03 c3 0f 1f 44 00 00 <8b>
    47 64 48 c1 e8 08 83
      e0 03 c3 0f 1f 44 00 00 8b 47 64 48 c1 e8
    RSP: 0018:ffffa8cec0073c98 EFLAGS: 00010246
    RAX: ffffffffc04dc100 RBX: ffff88cc54fe2270 RCX: 0300000000000000
    RDX: ffff88cc54273e00 RSI: ffff88cc5900ad60 RDI: 0000000000000000
    RBP: ffff88cc54fe1fc0 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000000 R11: ffffffffa99c6ba0 R12: ffff88cc54273e00
    R13: ffff88cc5900ad60 R14: 0000000000000000 R15: 0000000000000000
    FS:  0000000000000000(0000) GS:ffff88ccb9000000(0000)
    knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000000000064 CR3: 000000005c40a000 CR4: 00000000001006b0
    Kernel panic - not syncing: Fatal exception in interrupt
    Kernel Offset: 0x27000000 from 0xffffffff81000000 (relocation range:
    0xffffffff80000000-0xffffffffbfffffff)


This is with the 5.19 kernel. The NULL pointer exception is happening here:

    https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/drivers/net/wireless/ath/ath11k/hw.c#n444

desc is NULL, and it is called from here:

    https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/drivers/net/wireless/ath/ath11k/dp_rx.c?h=v5.19#n2459


I found this commit in the history:

    https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/drivers/net/wireless/ath/ath11k/dp_rx.c?h=v5.19&id=01d2f285e3e5b629df9c61514e7ee07a54d0eed9

This removed setting the RX_FLAG_ONLY_MONITOR flag in 
ath11k_dp_rx_mon_deliver(), so that flag is not set anymore anywhere, 
but ath11k_dp_rx_deliver_msdu() checks that, and calls 
ath11k_dp_rx_h_msdu_start_decap_type(), if it is not set (so basically 
always?). If I add that flag setting back, seems crash is gone, and the 
driver is working as expected. But I don't have deep enough knowledge to 
know, why it was removed.

Please advice!

Thanks,
Robert

More information about the ath11k mailing list