[46587.818791] Unable to handle kernel paging request at virtual address 400005c0
[46587.820733] pgd = af60097d
[46587.827972] [400005c0] *pgd=00000000
[46587.830605] Internal error: Oops: 2805 [#1] PREEMPT SMP ARM
[46587.834338] Modules linked in: pppoe pppox ppp_generic slhc iptable_nat xt_MASQUERADE nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_tables ath11k_ahb(O) ath11k(O) mac80211(O) cfg80211(O) compat(O) traffic(O) nss_dp(O) ssd
k(O)
[46587.839651] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G O 5.15.38+ #1
[46587.860465] Hardware name: Generic DT based system
[46587.867841] PC is at b15_dma_inv_range+0x20/0x50
[46587.872528] LR is at __dma_page_dev_to_cpu+0x2c/0xb4
[46587.877303] pc : [<81318c7c>] lr : [<813155c8>] psr: 00070113
[46587.882252] sp : 81c01cd8 ip : 81318dd0 fp : 82ce0000
[46587.888240] r10: 848da020 r9 : 00000010 r8 : 000005d6
[46587.893447] r7 : 848d9fc0 r6 : 00000000 r5 : 000006fc r4 : 8f5f9000
[46587.898658] r3 : 0000003f r2 : 00000040 r1 : 40000cd2 r0 : 400005c0
[46587.905256] Flags: nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
[46587.911768] Control: 10c0383d Table: 4850c06a DAC: 00000051
[46587.918970] Register r0 information: non-paged memory
[46587.924699] Register r1 information: non-paged memory
[46587.929733] Register r2 information: non-paged memory
[46587.934768] Register r3 information: non-paged memory
[46587.939803] Register r4 information: non-slab/vmalloc memory
[46587.944838] Register r5 information: non-paged memory
[46587.950566] Register r6 information: NULL pointer
[46587.955514] Register r7 information: non-slab/vmalloc memory
[46587.960203] Register r8 information: non-paged memory
[46587.965932] Register r9 information: zero-size pointer
[46587.970878] Register r10 information: non-slab/vmalloc memory
[46587.975915] Register r11 information: non-slab/vmalloc memory
[46587.981730] Register r12 information: non-slab/vmalloc memory
[46587.987460] Process swapper/0 (pid: 0, stack limit = 0x57c27cef)
[46587.993189] Stack: (0x81c01cd8 to 0x81c02000)
[46587.999268] 1cc0: 81318dd0 84991400
[46588.003527] 1ce0: 82d0d9c0 84991400 00000000 848d9fc0 00000065 7f26d92c 00000000 81c01cfc
[46588.011687] 1d00: 81c01cfc 00000000 0000000f 82ce37b0 00000001 00000040 00000000 82ce37e4
[46588.019846] 1d20: 82cea858 82ce101c 82a18000 0000000f 00000000 00000000 87032400 87033800
[46588.028006] 1d40: 87033400 865af0c0 8620a240 0000000f 848d9fc0 81c01d54 81c01d54 00000000
[46588.036166] 1d60: 82a18734 81c01d64 81c01d64 00000000 81c05e50 998674d9 80973d00 82cea858
[46588.044325] 1d80: 82ced000 00000040 00000005 0e273000 82ce0000 00000000 82cea858 7f26320c
[46588.052485] 1da0: 9440101c 00000000 81c01e2c 00000000 0000012c 82cea858 00000040 00000040
[46588.060646] 1dc0: 81c01e1b 0e273000 82cea800 81c01e24 0000012c 7f2f3394 00000001 82cea858
[46588.068805] 1de0: 00000040 81c01e1b 0e273000 81c01e1c 81c01e24 817e0bc8 82cea858 8fdbe000
[46588.076965] 1e00: 81b4b000 81c03d00 0e273000 817e0fb4 81b4b000 0046a163 00cea804 81c01e1c
[46588.085124] 1e20: 81c01e1c 81c01e24 81c01e24 998674d9 81cbc140 81c0308c 00000004 00000003
[46588.093284] 1e40: 00000008 81c00000 81cbc120 00000101 81c01e58 81301364 00000044 816cdb78
[46588.101444] 1e60: 81c03080 81b43368 81b4a240 0000000a 81b432e0 81a5cc78 0046a162 81c03d00
[46588.109603] 1e80: 80a16d00 04200002 00000001 81b4a240 00000000 80830000 0000015b 00000000
[46588.117764] 1ea0: 81c01ef8 81c01eb8 81a40014 81326eec 81b49380 8137c754 81c0557c 81c97650
[46588.125924] 1ec0: 90802000 81b4938c 9080200c 81c01ed8 81c01ef8 8163d1b0 81307f18 60070013
[46588.134082] 1ee0: ffffffff 81c01f2c 00000000 81c00000 00000000 81300b7c 03544d66 81a3a41c
[46588.142242] 1f00: 00000000 81319560 81cbce00 00000000 ffffe000 81c04f60 00000000 81b49830
[46588.150402] 1f20: 00000000 81a40014 81c00000 81c01f48 81307f14 81307f18 60070013 ffffffff
[46588.158562] 1f40: 00000051 00000000 81cbce00 81962bd8 81c00000 00000000 81c04f10 81357514
[46588.166722] 1f60: 00000000 81c01f60 81c04ec0 81c00000 81b33a54 998674d9 8fffce00 000000e4
[46588.174880] 1f80: 81b33a54 81c04ec0 8fffce00 ffffffff 00000000 10c0387d 00000000 81357904
[46588.183041] 1fa0: 81cc4040 81b01150 ffffffff ffffffff 00000000 81b0070c 00000000 00000000
[46588.191201] 1fc0: 00000000 81b33a54 99837bff 00000000 00000000 81b004b0 00000051 10c0387d
[46588.199360] 1fe0: 08040000 4a3f2000 51af8014 10c0387d 00000000 00000000 00000000 00000000
[46588.207520] [<81318c7c>] (b15_dma_inv_range) from [<813155c8>] (__dma_page_dev_to_cpu+0x2c/0xb4)
[46588.215678] [<813155c8>] (__dma_page_dev_to_cpu) from [<7f26d92c>] (ath11k_dp_process_rx+0x19c/0x48c [ath11k])
[46588.224542] [<7f26d92c>] (ath11k_dp_process_rx [ath11k]) from [<7f26320c>] (ath11k_dp_service_srng+0x80/0x30c [ath11k])
[46588.234348] [<7f26320c>] (ath11k_dp_service_srng [ath11k]) from [<7f2f3394>] (ath11k_ahb_ext_grp_napi_poll+0x20/0x88 [ath11k_ahb])
[46588.245027] [<7f2f3394>] (ath11k_ahb_ext_grp_napi_poll [ath11k_ahb]) from [<817e0bc8>] (__napi_poll+0x28/0x208)
[46588.256826] [<817e0bc8>] (__napi_poll) from [<817e0fb4>] (net_rx_action+0xe4/0x270)
[46588.266802] [<817e0fb4>] (net_rx_action) from [<81301364>] (__do_softirq+0x13c/0x444)
[46588.274444] [<81301364>] (__do_softirq) from [<81326eec>] (irq_exit+0xd4/0x12c)
[46588.282429] [<81326eec>] (irq_exit) from [<8137c754>] (handle_domain_irq+0x80/0xb0)
[46588.289548] [<8137c754>] (handle_domain_irq) from [<8163d1b0>] (gic_handle_irq+0x7c/0x90)
[46588.297187] [<8163d1b0>] (gic_handle_irq) from [<81300b7c>] (__irq_svc+0x5c/0x90)
[46588.305518] Exception stack(0x81c01ef8 to 0x81c01f40)
[46588.312983] 1ee0: 03544d66 81a3a41c
[46588.318024] 1f00: 00000000 81319560 81cbce00 00000000 ffffe000 81c04f60 00000000 81b49830
[46588.326183] 1f20: 00000000 81a40014 81c00000 81c01f48 81307f14 81307f18 60070013 ffffffff
[46588.334341] [<81300b7c>] (__irq_svc) from [<81307f18>] (arch_cpu_idle+0x38/0x3c)
[46588.342498] [<81307f18>] (arch_cpu_idle) from [<81962bd8>] (default_idle_call+0x44/0x160)
[46588.349966] [<81962bd8>] (default_idle_call) from [<81357514>] (do_idle+0x234/0x2d8)
[46588.358036] [<81357514>] (do_idle) from [<81357904>] (cpu_startup_entry+0x18/0x1c)
[46588.365848] [<81357904>] (cpu_startup_entry) from [<81b01150>] (start_kernel+0x654/0x6a0)
[46588.373234] Code: e1a02312 e2423001 e1100003 e1c00003 (1e070f3e)
[46588.381544] ---[ end trace a2b75f24a1169fea ]---
[46588.387579] Kernel panic - not syncing: Fatal exception in interrupt
[46588.392244] CPU1: stopping
[46588.398571] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G D O 5.15.38+ #1
[46588.401091] Hardware name: Generic DT based system
[46588.408646] [<81310018>] (unwind_backtrace) from [<8130b488>] (show_stack+0x10/0x14)
[46588.413333] [<8130b488>] (show_stack) from [<81955ee8>] (dump_stack_lvl+0x40/0x4c)
[46588.421232] [<81955ee8>] (dump_stack_lvl) from [<8130eaa4>] (do_handle_IPI+0x34c/0x378)
[46588.428609] [<8130eaa4>] (do_handle_IPI) from [<8130eae8>] (ipi_handler+0x18/0x20)
[46588.436508] [<8130eae8>] (ipi_handler) from [<81382ec0>] (handle_percpu_devid_irq+0xa4/0x278)
[46588.444148] [<81382ec0>] (handle_percpu_devid_irq) from [<8137c750>] (handle_domain_irq+0x7c/0xb0)
[46588.452742] [<8137c750>] (handle_domain_irq) from [<8163d1b0>] (gic_handle_irq+0x7c/0x90)
[46588.461596] [<8163d1b0>] (gic_handle_irq) from [<81300b7c>] (__irq_svc+0x5c/0x90)
[46588.469840] Exception stack(0x808c1f48 to 0x808c1f90)
[46588.477308] 1f40: 00521a04 81a3a41c 00000000 81319560 81cbce00 00000000
[46588.482346] 1f60: ffffe000 81c04f60 00000000 81b49830 00000000 81a40014 808c0000 808c1f98
[46588.490504] 1f80: 81307f14 81307f18 60000013 ffffffff
[46588.498659] [<81300b7c>] (__irq_svc) from [<81307f18>] (arch_cpu_idle+0x38/0x3c)
[46588.503695] [<81307f18>] (arch_cpu_idle) from [<81962bd8>] (default_idle_call+0x44/0x160)
[46588.511161] [<81962bd8>] (default_idle_call) from [<81357514>] (do_idle+0x234/0x2d8)
[46588.519235] [<81357514>] (do_idle) from [<81357904>] (cpu_startup_entry+0x18/0x1c)
[46588.527045] [<81357904>] (cpu_startup_entry) from [<41301710>] (0x41301710)
[46588.534457] Rebooting in 3 seconds..
反汇编：定位 ath11k_dp_process_rx+0x19c 对应的源码（崩溃发生在 dma_unmap_single 调用的缓存失效路径上）
3295 int ath11k_dp_process_rx(struct ath11k_base *ab, int ring_id,
3296 struct napi_struct *napi, int budget)
3297 {
3356 rxcb = ATH11K_SKB_RXCB(msdu);
3357
3358 dma_unmap_single(ab->dev, rxcb->paddr,
3359 msdu->len + skb_tailroom(msdu),
3360 DMA_FROM_DEVICE);
克隆ath代码仓库
https://git.codelinaro.org/clo/qsdk/kvalo/ath.git
找到一个修复（提交说明中的崩溃特征与上面的调用栈一致：PC 同样位于 b15_dma_inv_range，经 __dma_page_dev_to_cpu 由 ath11k_dp_process_rx 调用）
commit f9fff67d2d7ca6fa8066132003a3deef654c55b1
Author: Nagarajan Maran <quic_nmaran@quicinc.com>
Date: Mon Apr 17 13:35:02 2023 +0300
wifi: ath11k: Fix SKB corruption in REO destination ring
While running traffics for a long time, randomly an RX descriptor
filled with value "0" from REO destination ring is received.
This descriptor which is invalid causes the wrong SKB (SKB stored in
the IDR lookup with buffer id "0") to be fetched which in turn
causes SKB memory corruption issue and the same leads to crash
after some time.
Changed the start id for idr allocation to "1" and the buffer id "0"
is reserved for error validation. Introduced Sanity check to validate
the descriptor, before processing the SKB.
Crash Signature :
Unable to handle kernel paging request at virtual address 3f004900
PC points to "b15_dma_inv_range+0x30/0x50"
LR points to "dma_cache_maint_page+0x8c/0x128".
The Backtrace obtained is as follows:
[<8031716c>] (b15_dma_inv_range) from [<80313a4c>] (dma_cache_maint_page+0x8c/0x128)
[<80313a4c>] (dma_cache_maint_page) from [<80313b90>] (__dma_page_dev_to_cpu+0x28/0xcc)
[<80313b90>] (__dma_page_dev_to_cpu) from [<7fb5dd68>] (ath11k_dp_process_rx+0x1e8/0x4a4 [ath11k])
[<7fb5dd68>] (ath11k_dp_process_rx [ath11k]) from [<7fb53c20>] (ath11k_dp_service_srng+0xb0/0x2ac [ath11k])
[<7fb53c20>] (ath11k_dp_service_srng [ath11k]) from [<7f67bba4>] (ath11k_pci_ext_grp_napi_poll+0x1c/0x78 [ath11k_pci])
[<7f67bba4>] (ath11k_pci_ext_grp_napi_poll [ath11k_pci]) from [<807d5cf4>] (__napi_poll+0x28/0xb8)
[<807d5cf4>] (__napi_poll) from [<807d5f28>] (net_rx_action+0xf0/0x280)
[<807d5f28>] (net_rx_action) from [<80302148>] (__do_softirq+0xd0/0x280)
[<80302148>] (__do_softirq) from [<80320408>] (irq_exit+0x74/0xd4)
[<80320408>] (irq_exit) from [<803638a4>] (__handle_domain_irq+0x90/0xb4)
[<803638a4>] (__handle_domain_irq) from [<805bedec>] (gic_handle_irq+0x58/0x90)
[<805bedec>] (gic_handle_irq) from [<80301a78>] (__irq_svc+0x58/0x8c)
Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1
Signed-off-by: Nagarajan Maran <quic_nmaran@quicinc.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20230403191533.28114-1-quic_nmaran@quicinc.com
diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c
index a4934bd79969..f67ce62b2b48 100644
--- a/drivers/net/wireless/ath/ath11k/dp_rx.c
+++ b/drivers/net/wireless/ath/ath11k/dp_rx.c
@@ -389,10 +389,10 @@ int ath11k_dp_rxbufs_replenish(struct ath11k_base *ab, int mac_id,
goto fail_free_skb;
spin_lock_bh(&rx_ring->idr_lock);
- buf_id = idr_alloc(&rx_ring->bufs_idr, skb, 0,
- rx_ring->bufs_max * 3, GFP_ATOMIC);
+ buf_id = idr_alloc(&rx_ring->bufs_idr, skb, 1,
+ (rx_ring->bufs_max * 3) + 1, GFP_ATOMIC);
spin_unlock_bh(&rx_ring->idr_lock);
- if (buf_id < 0)
+ if (buf_id <= 0)
goto fail_dma_unmap;
desc = ath11k_hal_srng_src_get_next_entry(ab, srng);
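Review bot: Reserving id 0 only holds if every allocator into `rx_ring->bufs_idr` starts at 1, and this hunk changes just the one `idr_alloc` call in `ath11k_dp_rxbufs_replenish`. Any other call site that still allocates from 0 into the same IDR (none is visible in this diff, so the full file needs checking) could hand out id 0 legitimately, and the `buf_id == 0` check added to `ath11k_dp_process_rx` would then skip that buffer without unmapping or freeing it. The bare `1` and `+ 1` also deserve a comment such as `/* id 0 is reserved: an all-zero REO descriptor must never resolve to a live skb */`, or a named constant shared with the RX-side check. The function body starts and ends outside the hunk.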
@@ -2665,6 +2665,9 @@ int ath11k_dp_process_rx(struct ath11k_base *ab, int ring_id,
cookie);
mac_id = FIELD_GET(DP_RXDMA_BUF_COOKIE_PDEV_ID, cookie);
+ if (unlikely(buf_id == 0))
+ continue;
+
ar = ab->pdevs[mac_id].ar;
rx_ring = &ar->dp.rx_refill_buf_ring;
spin_lock_bh(&rx_ring->idr_lock);
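Review bot: `mac_id` is extracted from the same descriptor cookie and indexes `ab->pdevs[mac_id]` on the line right after the new guard with no range check, so the guard covers the all-zero descriptor but not other corrupt cookie values. Extending it to something like `if (unlikely(buf_id == 0 || mac_id >= ab->num_radios)) continue;` would keep a bad descriptor from selecting an out-of-range pdev, assuming `num_radios` bounds the populated `pdevs` entries, which should be confirmed against the struct definition. The `continue` is also silent, so a rate-limited warning or a drop counter here would show how often the ring delivers invalid descriptors. The enclosing loop in `ath11k_dp_process_rx` starts and ends outside the hunk.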