Tamizh chelvam <tamizhr@xxxxxxxxxxxxxx> wrote: > When continuously running wifi up/down sequence, the napi poll > can be scheduled after the CE buffers being freed by ath10k_pci_flush > > Steps: > In a certain condition, during wifi down below scenario might occur. > > ath10k_stop->ath10k_hif_stop->napi_schedule->ath10k_pci_flush->napi_poll(napi_synchronize). > > In the above scenario, CE buffer entries will be freed up and become NULL in > ath10k_pci_flush. And the napi_poll has been invoked after the flush process > and it will try to get the skb from the CE buffer entry and perform some action on that. > Since the CE buffer already cleaned by pci flush this action will create NULL > pointer dereference and trigger below kernel panic. > > Unable to handle kernel NULL pointer dereference at virtual address 0000005c > PC is at ath10k_pci_htt_rx_cb+0x64/0x3ec [ath10k_pci] > ath10k_pci_htt_rx_cb [ath10k_pci] > ath10k_ce_per_engine_service+0x74/0xc4 [ath10k_pci] > ath10k_ce_per_engine_service [ath10k_pci] > ath10k_ce_per_engine_service_any+0x74/0x80 [ath10k_pci] > ath10k_ce_per_engine_service_any [ath10k_pci] > ath10k_pci_napi_poll+0x48/0xec [ath10k_pci] > ath10k_pci_napi_poll [ath10k_pci] > net_rx_action+0xac/0x160 > net_rx_action > __do_softirq+0xdc/0x208 > __do_softirq > irq_exit+0x84/0xe0 > irq_exit > __handle_domain_irq+0x80/0xa0 > __handle_domain_irq > gic_handle_irq+0x38/0x5c > gic_handle_irq > __irq_usr+0x44/0x60 > > Tested on QCA4019 and firmware version 10.4.3.2.1.1-00010 > > Signed-off-by: Tamizh chelvam <tamizhr@xxxxxxxxxxxxxx> > Signed-off-by: Kalle Valo <kvalo@xxxxxxxxxxxxxx> Patch applied to ath-next branch of ath.git, thanks. bd1d395070cc ath10k: fix kernel panic by moving pci flush after napi_disable -- https://patchwork.kernel.org/patch/10548453/ https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
