From nobody Sun Jun 21 09:03:10 2026 Received: from mx0b-0031df01.pphosted.com (mx0b-0031df01.pphosted.com [205.220.180.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id CC1F4331A4C for ; Sat, 4 Apr 2026 04:31:03 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=205.220.180.131 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775277065; cv=none; b=h+yYuTWLy90wKoUTUOLMG2xspgjwSRGhniBRwloa4pcEXiBGMc3xxjgMbL3Vem5/zuZnDHmQttYW6Szv2Dtspl80gJ0pd61kXkHKZrQ4iHYzboB4CyzjlCy4rZIaBddBBnsCu2t4hWtx+r4C2Jp1uZTdYImE3hNw6jFngGOJHdY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775277065; c=relaxed/simple; bh=kRkpjAcqLpyGH48sEgcrZnCkiwnJnMX+6jvmkTspUhc=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=ciFUdocT3rwCl7kTFktq+kZ6xXZLJMV0pVxKe77bR0zRDxGeDr3yqb8TqyjskJ+lUcpU3X6gW4gatxlNDQGIuyQcMNjcazF4oRZskedO6izh4cxWSkM5Kclx0qj+gebv9k7sTjVluzSEPXRTOhtFRrLSlUh87o48XKPJioyJWRs= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=oss.qualcomm.com; spf=pass smtp.mailfrom=oss.qualcomm.com; dkim=pass (2048-bit key) header.d=qualcomm.com header.i=@qualcomm.com header.b=Rhra5k4J; dkim=pass (2048-bit key) header.d=oss.qualcomm.com header.i=@oss.qualcomm.com header.b=iw7GpMP6; arc=none smtp.client-ip=205.220.180.131 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=oss.qualcomm.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=oss.qualcomm.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=qualcomm.com header.i=@qualcomm.com header.b="Rhra5k4J"; dkim=pass (2048-bit key) header.d=oss.qualcomm.com header.i=@oss.qualcomm.com header.b="iw7GpMP6" Received: from pps.filterd (m0279870.ppops.net [127.0.0.1]) by mx0a-0031df01.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 6343QOYQ3673709 for ; Sat, 4 Apr 2026 04:31:02 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=qualcomm.com; h= cc:content-transfer-encoding:date:from:message-id:mime-version :subject:to; s=qcppdkim1; bh=IBOjD1SCE/uWKPBO1BDvYmWOu32r5baQpc1 YaXyTiMM=; b=Rhra5k4JaJGSlN/R3BdhSADj2gpyni/r1udJO1qbq7DAHk58suk dM71Vo4+w3hqg0vYyjM2v7RPAIi4ezwmMMR6VbwNgivDMOPyCRMygOb4oTAX35Mk 1zseK9l80iIELX2nlFYtWMZGzsL6CiqFkM04Es7KNtscmdiVAmocYhte+hUOWCYN HxerNXwnWE7qhqNkS8Ut+u1phuK8ECzjjZkz7bmhsNV2mCzStgMpDoRkDuIxc/QN buKrRDyl+Sv2ZTA05wm7YQrB7KrQP2W/LPPLD6/R3Ma3QA6tBWN/ql7zAiVHABDM hlTHVj9d1fP36Vw94Xzc6ZCXENTJHxE7Lpg== Received: from mail-dy1-f197.google.com (mail-dy1-f197.google.com [74.125.82.197]) by mx0a-0031df01.pphosted.com (PPS) with ESMTPS id 4datqsg30n-1 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NOT) for ; Sat, 04 Apr 2026 04:31:02 +0000 (GMT) Received: by mail-dy1-f197.google.com with SMTP id 5a478bee46e88-2b81ff82e3cso2245679eec.0 for ; Fri, 03 Apr 2026 21:31:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oss.qualcomm.com; s=google; t=1775277062; x=1775881862; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=IBOjD1SCE/uWKPBO1BDvYmWOu32r5baQpc1YaXyTiMM=; b=iw7GpMP6u5nLgjbcb++a8LwB/2OoE4dwkPMrQrXKT97ZBRclHlE0mcN7AQdKYVFOLB MJNlzkYwemQ+dfQo9HI2DfyI6FjsEHyWZC5sJZH5XMDkdcQWcpfnCD26YpUlTQylwnVp kfXzGAbyF7QM6FeserN2iOmQpH8sxOc2iRSaMAIVeJjlFSvzCCbx0wOdCH13aKVCOUI/ igu8iqyhe6uQLKTCthYySzjFytbWdqa5qH9mxIRrK3Gmo28H1YhfXze6chCP/d0DRtQE d9pjkav9uaHqf3kj7X4+shlpVX9bFfh/6+ezVLcZWx4J2yxqJKLTj7m4Fds795AXqUPC 8GsQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1775277062; x=1775881862; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=IBOjD1SCE/uWKPBO1BDvYmWOu32r5baQpc1YaXyTiMM=; b=rxJC2F+PMOniGZoe8PJeXt9r9KNocPZFgYfGNfALpAiomazSuk1v9zbcoJMyfY8K9Y NmEV7ZwuNDDGS3XOMdDxegs9LAQTHgnXeLbUU2/Nzo/IRtk94rCS56fC+oLd/dxtwvTK GilfJu0Jtkt+BLR/nJh70J32iYfPM3eoeisdJs8KEwz2O6HZztCKEoWSPdL6HZ7vgz1u ZdcH5SXQhFSB5JnDanaMPnkW3PZ5s148HKucqffQHk+qp9Pk77EMVET9RREwKhvBPREa BSnUJNDTHWHd9YMsLoEz96Kl4xmV7fg0miaOLpgEZ9oujJIJZ+gsPISBiJAN5D+Mizhk 1w8A== X-Forwarded-Encrypted: i=1; AJvYcCX3kR7474juc2B3sO7yvYz9J3nLaa60mF5y4sD2kPIW/HTMnXJnVSpv4UybsXsw1Srd9FzSIRguMV301BU=@vger.kernel.org X-Gm-Message-State: AOJu0YxnWSUPgP29drFjz0v+pj4kgHgzpb8QhBI/PCPg/AHFLyxt/QYE Mi6up1r8TRC+4ybd/oxIY8BWwTUrJGtk33AjxpLfI4JE6/J3UyQ0NV7BaE4pSVAHMs6jr9AN6Xm rPboXQP+P/IyFCsyZFYEeA7Ssx0dZ/K4Tht8lT5DLXxuLnCqQMxhrSD11G3d+ulmR/h0= X-Gm-Gg: AeBDiet+oGkdzdAowaC+h+v6MxcHZUHF6r41fAyVSEIoDH4xoqni6ASyRiBTt2lTDaF N7bu3jnTfbSufRweN6ygMz6JEcu2XAf9ey76P7r6GwgdLl0wOh0/OFGI2q+q3zXoBO5/y1YpzPF ehh9+vlblZ6zS3BfyJEdyIU96hNUSY7fYVGRkKUZLKsEof/glL46+NQyUQA9aLENy/YgHniQlVK /9JzbLMANeMtiGWQi8+yJRTxJGpbzfmbOI6M+OOCl+CfutYL1DIcBgOZ3epLCiZuRd9lbn5n5Ac xrYdqDoZQajT2nNc3nKe1sDpRwyCAZQHakM1MO1zY4B8+9MY2FnqOWAb+3+0QCgQXCFI3V3QKAV owizscncJCTtiUiLJFCM+/XL3JBAYrfXVxKdZkBd6o9LLvfxHLSaYj6/RO/23pXXmzRrDKrgCTr WNbw== X-Received: by 2002:a05:7022:2219:b0:123:2de5:346e with SMTP id a92af1059eb24-12bfa9cddfbmr2202722c88.0.1775277061444; Fri, 03 Apr 2026 21:31:01 -0700 (PDT) X-Received: by 2002:a05:7022:2219:b0:123:2de5:346e with SMTP id a92af1059eb24-12bfa9cddfbmr2202704c88.0.1775277060868; Fri, 03 Apr 2026 21:31:00 -0700 (PDT) Received: from san-w175-na3-01.qualcomm.com (i-global254.qualcomm.com. [199.106.103.254]) by smtp.gmail.com with ESMTPSA id a92af1059eb24-12bede7f085sm6271622c88.12.2026.04.03.21.31.00 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 03 Apr 2026 21:31:00 -0700 (PDT) From: Wei Zhang To: jeff.johnson@oss.qualcomm.com Cc: ath11k@lists.infradead.org, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, Wei Zhang Subject: [PATCH ath-next] wifi: ath11k: cancel SSR work items during PCI shutdown Date: Fri, 3 Apr 2026 21:30:50 -0700 Message-ID: <20260404043050.3433754-1-wei.zhang@oss.qualcomm.com> X-Mailer: git-send-email 2.43.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Authority-Analysis: v=2.4 cv=ari/yCZV c=1 sm=1 tr=0 ts=69d09406 cx=c_pps a=Uww141gWH0fZj/3QKPojxA==:117 a=JYp8KDb2vCoCEuGobkYCKw==:17 a=A5OVakUREuEA:10 a=s4-Qcg_JpJYA:10 a=VkNPw1HP01LnGYTKEx00:22 a=u7WPNUs3qKkmUXheDGA7:22 a=gowsoOTTUOVcmtlkKump:22 a=EUspDBNiAAAA:8 a=2AV42wVkYpmhdkL2cwwA:9 a=PxkB5W3o20Ba91AHUih5:22 X-Proofpoint-ORIG-GUID: R1dYEA2S9Qknqgx7XjtCMIbkfwSugrEw X-Proofpoint-GUID: R1dYEA2S9Qknqgx7XjtCMIbkfwSugrEw X-Proofpoint-Spam-Details-Enc: AW1haW4tMjYwNDA0MDAzNiBTYWx0ZWRfX+7roLq+9WGy2 kQbkq7OUMXeVI+zoaTwk+gI9BqEb+NHGtjOwoodUhqm14v3UJox+qmjcJ3GB8KBw8F6/sErLOAF xailwLwwvLbiwA6vHUS2BGFu7N7px4wy4TuxTL7hiC9uc2tj/xUbp9EeFvjd/CeVXy90aio7sA0 NfmlmADQxUwwlVr8M9WJb+WsifbaVKINb5sgjJgvuE+nIJfFlh1A5jcWUxf5a/lOACfdyE8I5n/ 8X+g7KbKgatpD1lH41eqalLaGVOTBhPpjvXIDUcfOsctev9C75PERbzlzI1Qlq9/1Cf5nPAOQk6 2D56/pl0xYCz58VMkmGwzw+iwQ+NZAVsrlKecUFfBCKuOnmtoF8HjaRukHNd9OCgO7BM9LTG0L0 KM/YUBtP1M3efqYqwH0sok2ZhnwB3mnjK7aYgZhg70CixENZmKJNgbeznDWOUnynoJOBiWmSOEl 3qHhoK68G2O4koD7x4Q== X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1143,Hydra:6.1.51,FMLib:17.12.100.49 definitions=2026-04-03_07,2026-04-03_01,2025-10-01_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 impostorscore=0 suspectscore=0 clxscore=1015 malwarescore=0 phishscore=0 lowpriorityscore=0 bulkscore=0 priorityscore=1501 spamscore=0 adultscore=0 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2603050001 definitions=main-2604040036 Content-Type: text/plain; charset="utf-8" A reboot can crash the kernel if it overlaps with WLAN firmware crash recovery (SSR). The crash is a NULL pointer dereference in the MHI teardown path while freeing DMA-backed MHI contexts. Simplified trace: dma_free_attrs mhi_deinit_dev_ctxt [mhi] ath11k_pci_power_down [ath11k_pci] ath11k_pci_shutdown [ath11k_pci] device_shutdown kernel_restart On the host side, SSR is driven by the MHI RDDM callback, which queues reset_work to perform device recovery. reset_work power-cycles the device by calling ath11k_hif_power_down() followed by ath11k_hif_power_up(). The power-down phase deinitializes MHI and frees DMA resources. Shutdown/reboot runs fully asynchronously with this RDDM-driven SSR recovery flow. As a result, the shutdown path (ath11k_pci_shutdown() -> ath11k_pci_power_down()) can race with the SSR recovery sequence. Fix this by canceling SSR-related work items during PCI shutdown, marking the device as unregistering, and serializing the RDDM callback path that checks and queues reset_work. This ensures that no new SSR recovery work can be queued once teardown has started, and that any in-flight recovery work is fully synchronized before device power-down, preventing MHI teardown and DMA resource freeing from running more than once. Note: This issue only affects PCI/MHI-based devices. AHB-based ath11k devices do not queue reset_work in normal SSR flows. Tested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-04866.5-QCAHSPSWPL_V1_V2_SILICONZ= _IOE-1 Fixes: 13da397f884d ("ath11k: add support for device recovery for QCA6390/W= CN6855") Fixes: 5edbb148bc57 ("wifi: ath11k: Add firmware coredump collection suppor= t") Signed-off-by: Wei Zhang Reviewed-by: Baochen Qiang Reviewed-by: Rameshkumar Sundaram --- drivers/net/wireless/ath/ath11k/mhi.c | 4 +++- drivers/net/wireless/ath/ath11k/pci.c | 8 ++++++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/ath/ath11k/mhi.c b/drivers/net/wireless/a= th/ath11k/mhi.c index f994233df2bb..a6c9ff112c68 100644 --- a/drivers/net/wireless/ath/ath11k/mhi.c +++ b/drivers/net/wireless/ath/ath11k/mhi.c @@ -1,7 +1,7 @@ // SPDX-License-Identifier: BSD-3-Clause-Clear /* * Copyright (c) 2020 The Linux Foundation. All rights reserved. - * Copyright (c) 2021-2025 Qualcomm Innovation Center, Inc. All rights res= erved. + * Copyright (c) Qualcomm Technologies, Inc. and/or its subsidiaries. */ =20 #include @@ -282,8 +282,10 @@ static void ath11k_mhi_op_status_cb(struct mhi_control= ler *mhi_cntrl, break; } =20 + spin_lock_bh(&ab->base_lock); if (!(test_bit(ATH11K_FLAG_UNREGISTERING, &ab->dev_flags))) queue_work(ab->workqueue_aux, &ab->reset_work); + spin_unlock_bh(&ab->base_lock); =20 break; default: diff --git a/drivers/net/wireless/ath/ath11k/pci.c b/drivers/net/wireless/a= th/ath11k/pci.c index 7114eca8810d..35bb9e7a63a2 100644 --- a/drivers/net/wireless/ath/ath11k/pci.c +++ b/drivers/net/wireless/ath/ath11k/pci.c @@ -1210,6 +1210,14 @@ static void ath11k_pci_shutdown(struct pci_dev *pdev) struct ath11k_pci *ab_pci =3D ath11k_pci_priv(ab); =20 ath11k_pci_set_irq_affinity_hint(ab_pci, NULL); + + spin_lock_bh(&ab->base_lock); + set_bit(ATH11K_FLAG_UNREGISTERING, &ab->dev_flags); + spin_unlock_bh(&ab->base_lock); + + cancel_work_sync(&ab->reset_work); + cancel_work_sync(&ab->dump_work); + ath11k_pci_power_down(ab, false); } =20 base-commit: 15551ababf6d4e857f2101366a0c3eaa86dd822c --=20 2.34.1