From: Jose Ignacio Tornos Martinez
To: kvalo@kernel.org, jjohnson@kernel.org, linux-wireless@vger.kernel.org, ath12k@lists.infradead.org, linux-kernel@vger.kernel.org
Cc: jtornosm@redhat.com, stable@vger.kernel.org
Subject: [PATCH 1/2] wifi: ath12k: fix crash when unbinding
Date: Thu, 10 Oct 2024 19:48:58 +0200
Message-ID: <20241010175102.207324-2-jtornosm@redhat.com>

If there is an error during some initialization related to firmware,
the function ath12k_dp_cc_cleanup is already called to release resources.
However this is released again when the device is unbound (ath12k_pci),
and we get:

[ 382.050650] BUG: kernel NULL pointer dereference, address: 0000000000000020
[ 382.050656] #PF: supervisor read access in kernel mode
[ 382.050657] #PF: error_code(0x0000) - not-present page
[ 382.050659] PGD 0 P4D 0
[ 382.050661] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
[ 382.050664] CPU: 0 UID: 0 PID: 6541 Comm: bash Kdump: loaded Not tainted 6.12.0-rc1+ #14
[ 382.050666] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014
[ 382.050667] RIP: 0010:ath12k_dp_cc_cleanup.part.0+0xb6/0x500 [ath12k]
[ 382.050688] Code: 8b 76 28 48 8b 7b 10 45 31 c0 b9 02 00 00 00 e8 30 3d 35 c2 be 02 00 00 00 4c 89 f7 e8 e3 00 fb c2 49 83 c7 28 49 39 ef 74 31 <41> f6 47 20 01 75 ab 4c 89 ff e8 2b de a2 c2 84 c0 74 0e 49 8b 17
[ 382.050689] RSP: 0018:ffffa3e3c0e83990 EFLAGS: 00010297
[ 382.050691] RAX: 0000000000000000 RBX: ffff90de08750000 RCX: 0000000000000000
[ 382.050692] RDX: 0000000000000001 RSI: ffff90de08751178 RDI: ffff90de08751970
[ 382.050693] RBP: 0000000000005000 R08: 0000000000000200 R09: 000000000040003f
[ 382.050694] R10: 000000000040003f R11: 0000000000000000 R12: dead000000000122
[ 382.050695] R13: dead000000000100 R14: ffffffffc0b6f948 R15: 0000000000000000
[ 382.050696] FS: 00007f216b1ab740(0000) GS:ffff90de5fc00000(0000) knlGS:0000000000000000
[ 382.050698] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 382.050699] CR2: 0000000000000020 CR3: 000000001a26c000 CR4: 0000000000752ef0
[ 382.050702] PKRU: 55555554
[ 382.050703] Call Trace:
[ 382.050705]
[ 382.050707] ? __die_body.cold+0x19/0x27
[ 382.050719] ? page_fault_oops+0x15a/0x2f0
[ 382.050723] ? exc_page_fault+0x7e/0x180
[ 382.050724] ? asm_exc_page_fault+0x26/0x30
[ 382.050729] ? ath12k_dp_cc_cleanup.part.0+0xb6/0x500 [ath12k]
[ 382.050740] ? delay_halt_tpause+0x1a/0x20
[ 382.050742] ath12k_dp_free+0x67/0x110 [ath12k]
[ 382.050753] ath12k_core_deinit+0x8d/0xb0 [ath12k]
[ 382.050762] ath12k_pci_remove+0x50/0xf0 [ath12k]
[ 382.050771] pci_device_remove+0x3f/0xb0
[ 382.050773] device_release_driver_internal+0x19c/0x200
[ 382.050777] unbind_store+0xa1/0xb0
...

The issue is always reproducible from a VM because the MSI addressing
initialization is failing.

In order to fix the issue, just set to NULL the released structure in
ath12k_dp_cc_cleanup at the end.

cc: stable@vger.kernel.org
Fixes: d889913205cf7 ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices")
Signed-off-by: Jose Ignacio Tornos Martinez
--- drivers/net/wireless/ath/ath12k/dp.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/net/wireless/ath/ath12k/dp.c b/drivers/net/wireless/at= h/ath12k/dp.c index 61aa78d8bd8c..789d430e4455 100644 --- a/drivers/net/wireless/ath/ath12k/dp.c +++ b/drivers/net/wireless/ath/ath12k/dp.c 
@@ -1241,6 +1241,7 @@ static void ath12k_dp_cc_cleanup(struct ath12k_base *= ab) } =20 kfree(dp->spt_info); + dp->spt_info =3D NULL; } =20 static void ath12k_dp_reoq_lut_cleanup(struct ath12k_base *ab) --=20 2.46.2
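Review bot: In [PATCH 1/2], the NULL assignment added after kfree(dp->spt_info) at the end of ath12k_dp_cc_cleanup() only prevents the second teardown if the function tests dp->spt_info before doing any work, and that test is not in the visible context. The oops is at ath12k_dp_cc_cleanup.part.0+0xb6 with R12 and R13 holding the list-poison values dead000000000122 and dead000000000100, so the fault is in the earlier part of the cleanup rather than at this kfree(). The commit message should name the entry check this relies on, so it is clear that the whole function is skipped when ath12k_dp_free() calls it a second time.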
From: Jose Ignacio Tornos Martinez
To: kvalo@kernel.org, jjohnson@kernel.org, linux-wireless@vger.kernel.org, ath12k@lists.infradead.org, linux-kernel@vger.kernel.org
Cc: jtornosm@redhat.com, stable@vger.kernel.org
Subject: [PATCH 2/2] wifi: ath12k: fix warning when unbinding
Date: Thu, 10 Oct 2024 19:48:59 +0200
Message-ID: <20241010175102.207324-3-jtornosm@redhat.com>

If there is an error during some initialization related to firmware,
the buffers dp->tx_ring[i].tx_status are released.
However this is released again when the device is unbound (ath12k_pci),
and we get:

[ 41.271233] WARNING: CPU: 0 PID: 2098 at mm/slub.c:4689 free_large_kmalloc+0x4d/0x80
[ 41.271246] Modules linked in: uinput snd_seq_dummy snd_hrtimer nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables nfnetlink sunrpc qrtr_mhi intel_rapl_msr intel_rapl_common intel_uncore_frequency_common intel_pmc_core intel_vsec pmt_telemetry pmt_class kvm_intel kvm rapl qrtr snd_hda_codec_generic ath12k qmi_helpers snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi iTCO_wdt intel_pmc_bxt mac80211 snd_hda_codec iTCO_vendor_support libarc4 snd_hda_core snd_hwdep snd_seq snd_seq_device cfg80211 snd_pcm pcspkr i2c_i801 snd_timer i2c_smbus snd rfkill soundcore lpc_ich mhi virtio_balloon joydev xfs crct10dif_pclmul crc32_pclmul crc32c_intel polyval_clmulni polyval_generic ghash_clmulni_intel sha512_ssse3 sha256_ssse3 sha1_ssse3 virtio_net virtio_blk virtio_console virtio_gpu net_failover failover virtio_dma_buf serio_raw fuse qemu_fw_cfg
[ 41.271284] CPU: 0 UID: 0 PID: 2098 Comm: bash Kdump: loaded Not tainted 6.12.0-rc1+ #29
[ 41.271286] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014
[ 41.271287] RIP: 0010:free_large_kmalloc+0x4d/0x80
[ 41.271289] Code: 00 10 00 00 48 d3 e0 f7 d8 81 e2 c0 00 00 00 75 2f 89 c6 48 89 df e8 82 ff ff ff f0 ff 4b 34 0f 85 59 0e ce 00 e9 5b 0e ce 00 <0f> 0b 80 3d c8 29 3c 02 00 0f 84 2d 0e ce 00 b8 00 f0 ff ff eb d1
[ 41.271290] RSP: 0018:ffffa40881a33c50 EFLAGS: 00010246
[ 41.271292] RAX: 000fffffc0000000 RBX: ffffe697c0278000 RCX: 0000000000000000
[ 41.271293] RDX: ffffe697c0b60008 RSI: ffff8d00c9e00000 RDI: ffffe697c0278000
[ 41.271294] RBP: ffff8d00c3af0000 R08: ffff8d00f215d0c0 R09: 0000000080400038
[ 41.271294] R10: 0000000080400038 R11: 0000000000000000 R12: 0000000000000001
[ 41.271295] R13: ffffffffc0ef8948 R14: ffffffffc0ef8948 R15: ffff8d00c1277560
[ 41.271296] FS: 00007fd31e556740(0000) GS:ffff8d011e400000(0000) knlGS:0000000000000000
[ 41.271297] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 41.271298] CR2: 00007f778d3ffb38 CR3: 00000000065dc000 CR4: 0000000000752ef0
[ 41.271301] PKRU: 55555554
[ 41.271302] Call Trace:
[ 41.271304]
[ 41.271304] ? free_large_kmalloc+0x4d/0x80
[ 41.271306] ? __warn.cold+0x93/0xfa
[ 41.271308] ? free_large_kmalloc+0x4d/0x80
[ 41.271311] ? report_bug+0xff/0x140
[ 41.271314] ? handle_bug+0x58/0x90
[ 41.271316] ? exc_invalid_op+0x17/0x70
[ 41.271317] ? asm_exc_invalid_op+0x1a/0x20
[ 41.271321] ? free_large_kmalloc+0x4d/0x80
[ 41.271323] ath12k_dp_free+0xdc/0x110 [ath12k]
[ 41.271337] ath12k_core_deinit+0x8d/0xb0 [ath12k]
[ 41.271345] ath12k_pci_remove+0x50/0xf0 [ath12k]
[ 41.271354] pci_device_remove+0x3f/0xb0
[ 41.271356] device_release_driver_internal+0x19c/0x200
[ 41.271359] unbind_store+0xa1/0xb0
...

The issue is always reproducible from a VM because the MSI addressing
initialization is failing.

In order to fix the issue, just check if the buffers were already released and if they need to be released, in addition set to NULL for the checking. cc: stable@vger.kernel.org Fixes: d889913205cf7 ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices") Signed-off-by: Jose Ignacio Tornos Martinez --- drivers/net/wireless/ath/ath12k/dp.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/ath/ath12k/dp.c b/drivers/net/wireless/at= h/ath12k/dp.c index 789d430e4455..9d878d815f3c 100644 --- a/drivers/net/wireless/ath/ath12k/dp.c +++ b/drivers/net/wireless/ath/ath12k/dp.c @@ -1277,8 +1277,12 @@ void ath12k_dp_free(struct ath12k_base *ab) =20 ath12k_dp_rx_reo_cmd_list_cleanup(ab); =20 - for (i =3D 0; i < ab->hw_params->max_tx_ring; i++) - kfree(dp->tx_ring[i].tx_status); + for (i =3D 0; i < ab->hw_params->max_tx_ring; i++) { + if (dp->tx_ring[i].tx_status) { + kfree(dp->tx_ring[i].tx_status); + dp->tx_ring[i].tx_status =3D NULL; + } + } =20 ath12k_dp_rx_free(ab); /* Deinit any SOC level resource */ --=20 2.46.2
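Review bot: In [PATCH 2/2], the new if (dp->tx_ring[i].tx_status) test inside the loop in ath12k_dp_free() is unnecessary because kfree() accepts NULL; keeping the original one-line kfree() and adding dp->tx_ring[i].tx_status = NULL; after it gives the same protection with a smaller diff. The assignment only helps when the earlier release also goes through this loop. If the initialization error path frees tx_status somewhere else, that site needs the same NULL assignment, and the commit message should say which path performs the first free.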