[OpenWrt-Devel] Kernel crash in skb_put caused by ath10k_htt_t2h_msg_handler

Ben Greear greearb at candelatech.com
Wed Apr 24 09:30:51 EDT 2019


On 4/23/19 11:56 PM, Petr Štetiar wrote:
> Petr Štetiar <ynezz at true.cz> [2019-04-05 18:03:11]:
> 
> Hi Ben,
> 
>>> Can you use gdb to print out the lines of code around that crash site in
>>> t2h_msg_handler?
>>
>>>>   [<87622780>] ath10k_htt_t2h_msg_handler+0x27e0/0x31dc [ath10k_core]
>> (gdb) l *ath10k_htt_t2h_msg_handler+0x27e0
>> 0x227b0 is in ath10k_htt_rx_handle_amsdu (/ath10k-ct-2019-03-25-2e917efb/ath10k-4.19/htt_rx.c:374).
>> 369	
>> 370			/* FIXME: we must report msdu payload since this is what caller
>> 371			 * expects now
>> 372			 */
>> 373			skb_put(msdu, offsetof(struct htt_rx_desc, msdu_payload));
>> 374			skb_pull(msdu, offsetof(struct htt_rx_desc, msdu_payload));
>> 375	
>> 376			/*
>> 377			 * Sanity check - confirm the HW is finished filling in the
>> 378			 * rx data.
>>
>>>>   [<8764901c>] ath10k_ce_rx_update_write_idx+0x9c/0xc4 [ath10k_core]
>> (gdb) l* ath10k_ce_rx_update_write_idx+0x9c
>> 0x4904c is in ath10k_ce_rx_update_write_idx (/ath10k-ct-2019-03-25-2e917efb/ath10k-4.19/ce.c:763).
>> 758		if (((cur_write_idx + nentries) & nentries_mask) == dest_ring->sw_index)
>> 759			nentries -= 1;
>> 760	
>> 761		write_index = CE_RING_IDX_ADD(nentries_mask, write_index, nentries);
>> 762		ath10k_ce_dest_ring_write_index_set(ar, ctrl_addr, write_index);
>> 763		dest_ring->write_index = write_index;
>> 764	}
>> 765	EXPORT_SYMBOL(ath10k_ce_rx_update_write_idx);
>> 766	
>> 767	int ath10k_ce_rx_post_buf(struct ath10k_ce_pipe *pipe, void *ctx,
>>
>>> I can figure out which message caused it I can add debugging and/or protective code.
>>
>> Thanks and good luck!
>>
>> 1. http://lists.infradead.org/pipermail/ath10k/2019-April/013138.html
> 
> any luck with this bug? While doing some development on my Archer c7v5, I'm
> hitting this bug several times a day, so I'm wondering if I could do something
> in order to help fixing this. Thanks!

Thanks for the reminder, I had forgotten about this.

Please try this patch and see if you hit the new BUG_ON, let me know the
splat and ath10k_err output if so.  Also interesting if you hit the original
bug w/out hitting this new BUG_ON.

diff --git a/drivers/net/wireless/ath/ath10k/htt_rx.c b/drivers/net/wireless/ath/ath10k/htt_rx.c
index 108da3ceeff6..9ad21f3bb1d5 100644
--- a/drivers/net/wireless/ath/ath10k/htt_rx.c
+++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
@@ -328,6 +328,12 @@ static inline struct sk_buff *ath10k_htt_rx_netbuf_pop(struct ath10k_htt *htt)
         htt->rx_ring.netbufs_ring[idx] = NULL;
         ath10k_htt_reset_paddrs_ring(htt, idx);

+       if (!msdu->data) {
+               ath10k_err(ar, "htt-rx-netbuf-pop, msdu: %p has null data.  idx: %i  ring-size: %i  fill-count: %i",
+                          msdu, idx, htt->rx_ring.size_mask, htt->rx_ring.fill_cnt);
+               BUG_ON(1);
+       }
+
         idx++;
         idx &= htt->rx_ring.size_mask;
         htt->rx_ring.sw_rd_idx.msdu_payld = idx;
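
Review bot: the new `if (!msdu->data)` test in ath10k_htt_rx_netbuf_pop() dereferences msdu without first checking msdu itself, so if msdu were NULL the kernel would oops on the check and the ath10k_err line would never be printed. Consider testing `!msdu || !msdu->data`. Two smaller points on the message: the format string has no trailing "\n", and the value labelled "ring-size" is `htt->rx_ring.size_mask`, so either print the real size or rename the label so the log is not misread. `ar` is used but is not visible in this hunk; confirm it is in scope in this function (the parameter shown is `htt`). `BUG_ON(1)` can be written as `BUG()`.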

Thanks,
Ben

> 
> -- ynezz
> 


-- 
Ben Greear <greearb at candelatech.com>
Candela Technologies Inc  http://www.candelatech.com

