On Monday, 29 November 2021 11:13:09 CET Wen Gong wrote:
> Currently mac80211 will send 3 scan requests for each scan of WCN6855,
> they are 2.4 GHz/5 GHz/6 GHz band scans. Firmware of WCN6855 will
> cache the RNR IE (Reduced Neighbor Report element) which exists in the
> beacon of 2.4 GHz/5 GHz of the AP which is co-located with 6 GHz,
> and then use the cache to scan in the 6 GHz band scan if the 6 GHz scan
> is in the same scan as the 2.4 GHz/5 GHz band; this will be helpful to
> find more 6 GHz APs. Also it will decrease the time cost of the scan
> because firmware will use dual-band scan for the 2.4 GHz/5 GHz, which
> means the 2.4 GHz and 5 GHz scans are done simultaneously.
>
> Set the flag IEEE80211_HW_SINGLE_SCAN_ON_ALL_BANDS for WCN6855 since
> it supports 2.4 GHz/5 GHz/6 GHz and it is a single pdev, which means
> all of 2.4 GHz/5 GHz/6 GHz exist in the same wiphy/ieee80211_hw.
>
> Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-01720.1-QCAHSPSWPL_V1_V2_SILICONZ_LITE-1

I've tested this on ath-next at commit a93789ae541c ("ath11k: Avoid NULL ptr access during mgmt tx cleanup") with a WCN6856 card (EmWicon/jjplus WMX7205) and firmware WLAN.HSP.1.1-02892.1-QCAHSPSWPL_V1_V2_SILICONZ_LITE-1. ath-next was required for me because 32 MSI vectors are not available on the system used.

Without this patch, it works fine. With the patch, I just have to connect to an AP via wpa_supplicant to crash the system. See the attached x86-64 .config, the stacktrace and the decoded stacktrace.

Kind regards,
Sven
Decoded stacktrace:

[   51.095079] general protection fault, probably for non-canonical address 0x408210000b231a: 0000 [#1] PREEMPT SMP NOPTI
[   51.105795] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.16.0-rc1+ #1
[   51.112157] Hardware name: PC Engines APU/APU, BIOS 4.0 09/08/2014
[   51.118339] RIP: 0010:skb_release_data (./include/linux/skbuff.h:1549 net/core/skbuff.c:669)
[   51.123061] Code: 4d 85 ed 74 4b 41 8b 85 bc 00 00 00 49 03 85 c0 00 00 00 0f b6 10 f6 c2 01 74 35 48 8b 70 28 48 85 f6 74 2c 40 f6 c6 01 75 21 <48> 8b 06 ba 01 00 00 00 4c 89 ef 0f ae e8 ff d0 41 8b 85 bc 00 00
All code
========
   0:   4d 85 ed                test   %r13,%r13
   3:   74 4b                   je     0x50
   5:   41 8b 85 bc 00 00 00    mov    0xbc(%r13),%eax
   c:   49 03 85 c0 00 00 00    add    0xc0(%r13),%rax
  13:   0f b6 10                movzbl (%rax),%edx
  16:   f6 c2 01                test   $0x1,%dl
  19:   74 35                   je     0x50
  1b:   48 8b 70 28             mov    0x28(%rax),%rsi
  1f:   48 85 f6                test   %rsi,%rsi
  22:   74 2c                   je     0x50
  24:   40 f6 c6 01             test   $0x1,%sil
  28:   75 21                   jne    0x4b
  2a:*  48 8b 06                mov    (%rsi),%rax              <-- trapping instruction
  2d:   ba 01 00 00 00          mov    $0x1,%edx
  32:   4c 89 ef                mov    %r13,%rdi
  35:   0f ae e8                lfence
  38:   ff d0                   callq  *%rax
  3a:   41                      rex.B
  3b:   8b                      .byte 0x8b
  3c:   85                      .byte 0x85
  3d:   bc                      .byte 0xbc
        ...

Code starting with the faulting instruction
===========================================
   0:   48 8b 06                mov    (%rsi),%rax
   3:   ba 01 00 00 00          mov    $0x1,%edx
   8:   4c 89 ef                mov    %r13,%rdi
   b:   0f ae e8                lfence
   e:   ff d0                   callq  *%rax
  10:   41                      rex.B
  11:   8b                      .byte 0x8b
  12:   85                      .byte 0x85
  13:   bc                      .byte 0xbc
        ...
[   51.141815] RSP: 0018:ffffbec4c0003e30 EFLAGS: 00010246
[   51.147049] RAX: ffff9a9d11a6c2c0 RBX: ffff9a9d08341a68 RCX: 0000000000000000
[   51.154189] RDX: 0000000000000003 RSI: 00408210000b231a RDI: ffff9a9d01162900
[   51.161323] RBP: ffff9a9d01162900 R08: 0000000000000212 R09: ffffffffb4ed24e8
[   51.168465] R10: 0000000000000000 R11: 00000000dca23000 R12: ffff9a9d11a6c2c0
[   51.175605] R13: ffff9a9d01162900 R14: ffff9a9d083435d8 R15: 0000000000000005
[   51.182740] FS:  0000000000000000(0000) GS:ffff9a9d1ac00000(0000) knlGS:0000000000000000
[   51.190832] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   51.196578] CR2: 000055b14ef3a778 CR3: 0000000108c6e000 CR4: 00000000000006f0
[   51.203713] Call Trace:
[   51.206170]  <IRQ>
[   51.208196]  consume_skb (net/core/skbuff.c:757 net/core/skbuff.c:912 net/core/skbuff.c:906)
[   51.211620]  ath11k_ce_tx_process_cb+0x157/0x220 ath11k
[   51.217177]  ath11k_ce_per_engine_service (drivers/net/wireless/ath/ath11k/ce.c:437 drivers/net/wireless/ath/ath11k/ce.c:675) ath11k
[   51.223130]  ? _raw_spin_lock_irqsave (./arch/x86/include/asm/atomic.h:202 ./include/linux/atomic/atomic-instrumented.h:513 ./include/asm-generic/qspinlock.h:82 ./include/linux/spinlock.h:185 ./include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162)
[   51.227680]  ath11k_pci_ce_tasklet (drivers/net/wireless/ath/ath11k/pci.c:633) ath11k_pci
[   51.233095]  tasklet_action_common.constprop.0 (./arch/x86/include/asm/bitops.h:75 ./include/asm-generic/bitops/instrumented-atomic.h:42 kernel/softirq.c:879 kernel/softirq.c:787)
[   51.238425]  __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:212 ./include/trace/events/irq.h:142 kernel/softirq.c:559)
[   51.242023]  __irq_exit_rcu (kernel/softirq.c:432 kernel/softirq.c:636)
[   51.245780]  common_interrupt (arch/x86/kernel/irq.c:240 (discriminator 14))
[   51.249638]  </IRQ>
[   51.251743]  <TASK>
[   51.253850]  asm_common_interrupt (./arch/x86/include/asm/idtentry.h:629)
[   51.258044] RIP: 0010:cpuidle_enter_state (drivers/cpuidle/cpuidle.c:259)
[   51.263026] Code: 31 ff e8 d9 c6 9e ff 45 84 ff 74 17 9c 58 0f 1f 44 00 00 f6 c4 02 0f 85 78 02 00 00 31 ff e8 bd 97 a5 ff fb 66 0f 1f 44 00 00 <45> 85 f6 0f 88 11 01 00 00 49 63 c6 4c 2b 2c 24 48 8d 14 40 48 8d
All code
========
   0:   31 ff                   xor    %edi,%edi
   2:   e8 d9 c6 9e ff          callq  0xffffffffff9ec6e0
   7:   45 84 ff                test   %r15b,%r15b
   a:   74 17                   je     0x23
   c:   9c                      pushfq
   d:   58                      pop    %rax
   e:   0f 1f 44 00 00          nopl   0x0(%rax,%rax,1)
  13:   f6 c4 02                test   $0x2,%ah
  16:   0f 85 78 02 00 00       jne    0x294
  1c:   31 ff                   xor    %edi,%edi
  1e:   e8 bd 97 a5 ff          callq  0xffffffffffa597e0
  23:   fb                      sti
  24:   66 0f 1f 44 00 00       nopw   0x0(%rax,%rax,1)
  2a:*  45 85 f6                test   %r14d,%r14d              <-- trapping instruction
  2d:   0f 88 11 01 00 00       js     0x144
  33:   49 63 c6                movslq %r14d,%rax
  36:   4c 2b 2c 24             sub    (%rsp),%r13
  3a:   48 8d 14 40             lea    (%rax,%rax,2),%rdx
  3e:   48                      rex.W
  3f:   8d                      .byte 0x8d

Code starting with the faulting instruction
===========================================
   0:   45 85 f6                test   %r14d,%r14d
   3:   0f 88 11 01 00 00       js     0x11a
   9:   49 63 c6                movslq %r14d,%rax
   c:   4c 2b 2c 24             sub    (%rsp),%r13
  10:   48 8d 14 40             lea    (%rax,%rax,2),%rdx
  14:   48                      rex.W
  15:   8d                      .byte 0x8d
[   51.281781] RSP: 0018:ffffffffb4e03e60 EFLAGS: 00000246
[   51.287017] RAX: ffff9a9d1ac00000 RBX: 0000000000000002 RCX: 000000000000001f
[   51.294157] RDX: 0000000000000000 RSI: ffffffffb494bd50 RDI: ffffffffb4927def
[   51.301290] RBP: ffff9a9d0151b000 R08: 0000000be57e1147 R09: 0000000000000018
[   51.308424] R10: 0000000000000ed3 R11: 0000000000002406 R12: ffffffffb4fd05c0
[   51.315565] R13: 0000000be57e1147 R14: 0000000000000002 R15: 0000000000000000
[   51.322716]  cpuidle_enter (drivers/cpuidle/cpuidle.c:353)
[   51.326305]  do_idle (kernel/sched/idle.c:158 kernel/sched/idle.c:239 kernel/sched/idle.c:306)
[   51.329547]  cpu_startup_entry (kernel/sched/idle.c:402 (discriminator 1))
[   51.333479]  start_kernel (init/main.c:1137)
[   51.337156]  secondary_startup_64_no_verify (arch/x86/kernel/head_64.S:283)
[   51.342228]  </TASK>
[   51.344424] Modules linked in: qrtr_mhi qrtr ath11k_pci mhi ath11k qmi_helpers mac80211 btusb btrtl btbcm btintel bluetooth libarc4 kvm_amd ccp cfg80211 jitterentropy_rng rng_core sha512_ssse3 evdev sha512_generic kvm snd_pcm snd_timer ctr leds_apu drbg snd ansi_cprng sg irqbypass ecdh_generic rfkill soundcore ecc pcspkr k10temp sp5100_tco watchdog button acpi_cpufreq drm fuse configfs ip_tables x_tables autofs4 ext4 crc32c_generic crc16 mbcache jbd2 sd_mod t10_pi crc_t10dif crct10dif_generic crct10dif_common uas usb_storage ohci_pci ahci libahci libata ehci_pci ohci_hcd ehci_hcd r8169 realtek mdio_devres usbcore scsi_mod i2c_piix4 usb_common scsi_common libphy
[   51.403181] ---[ end trace 5511b9c3dbb0841e ]---
[   51.407861] RIP: 0010:skb_release_data (./include/linux/skbuff.h:1549 net/core/skbuff.c:669)
[   51.412592] Code: 4d 85 ed 74 4b 41 8b 85 bc 00 00 00 49 03 85 c0 00 00 00 0f b6 10 f6 c2 01 74 35 48 8b 70 28 48 85 f6 74 2c 40 f6 c6 01 75 21 <48> 8b 06 ba 01 00 00 00 4c 89 ef 0f ae e8 ff d0 41 8b 85 bc 00 00
All code
========
   0:   4d 85 ed                test   %r13,%r13
   3:   74 4b                   je     0x50
   5:   41 8b 85 bc 00 00 00    mov    0xbc(%r13),%eax
   c:   49 03 85 c0 00 00 00    add    0xc0(%r13),%rax
  13:   0f b6 10                movzbl (%rax),%edx
  16:   f6 c2 01                test   $0x1,%dl
  19:   74 35                   je     0x50
  1b:   48 8b 70 28             mov    0x28(%rax),%rsi
  1f:   48 85 f6                test   %rsi,%rsi
  22:   74 2c                   je     0x50
  24:   40 f6 c6 01             test   $0x1,%sil
  28:   75 21                   jne    0x4b
  2a:*  48 8b 06                mov    (%rsi),%rax              <-- trapping instruction
  2d:   ba 01 00 00 00          mov    $0x1,%edx
  32:   4c 89 ef                mov    %r13,%rdi
  35:   0f ae e8                lfence
  38:   ff d0                   callq  *%rax
  3a:   41                      rex.B
  3b:   8b                      .byte 0x8b
  3c:   85                      .byte 0x85
  3d:   bc                      .byte 0xbc
        ...

Code starting with the faulting instruction
===========================================
   0:   48 8b 06                mov    (%rsi),%rax
   3:   ba 01 00 00 00          mov    $0x1,%edx
   8:   4c 89 ef                mov    %r13,%rdi
   b:   0f ae e8                lfence
   e:   ff d0                   callq  *%rax
  10:   41                      rex.B
  11:   8b                      .byte 0x8b
  12:   85                      .byte 0x85
  13:   bc                      .byte 0xbc
        ...
[   51.431366] RSP: 0018:ffffbec4c0003e30 EFLAGS: 00010246
[   51.436623] RAX: ffff9a9d11a6c2c0 RBX: ffff9a9d08341a68 RCX: 0000000000000000
[   51.443782] RDX: 0000000000000003 RSI: 00408210000b231a RDI: ffff9a9d01162900
[   51.450939] RBP: ffff9a9d01162900 R08: 0000000000000212 R09: ffffffffb4ed24e8
[   51.458099] R10: 0000000000000000 R11: 00000000dca23000 R12: ffff9a9d11a6c2c0
[   51.465256] R13: ffff9a9d01162900 R14: ffff9a9d083435d8 R15: 0000000000000005
[   51.472416] FS:  0000000000000000(0000) GS:ffff9a9d1ac00000(0000) knlGS:0000000000000000
[   51.480528] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   51.486299] CR2: 000055b14ef3a778 CR3: 0000000108c6e000 CR4: 00000000000006f0
[   51.493459] Kernel panic - not syncing: Fatal exception in interrupt
[   51.499831] Kernel Offset: 0x32800000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   51.510610] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
Raw stacktrace:

[   51.095079] general protection fault, probably for non-canonical address 0x408210000b231a: 0000 [#1] PREEMPT SMP NOPTI
[   51.105795] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.16.0-rc1+ #1
[   51.112157] Hardware name: PC Engines APU/APU, BIOS 4.0 09/08/2014
[   51.118339] RIP: 0010:skb_release_data+0x81/0x170
[   51.123061] Code: 4d 85 ed 74 4b 41 8b 85 bc 00 00 00 49 03 85 c0 00 00 00 0f b6 10 f6 c2 01 74 35 48 8b 70 28 48 85 f6 74 2c 40 f6 c6 01 75 21 <48> 8b 06 ba 01 00 00 00 4c 89 ef 0f ae e8 ff d0 41 8b 85 bc 00 00
[   51.141815] RSP: 0018:ffffbec4c0003e30 EFLAGS: 00010246
[   51.147049] RAX: ffff9a9d11a6c2c0 RBX: ffff9a9d08341a68 RCX: 0000000000000000
[   51.154189] RDX: 0000000000000003 RSI: 00408210000b231a RDI: ffff9a9d01162900
[   51.161323] RBP: ffff9a9d01162900 R08: 0000000000000212 R09: ffffffffb4ed24e8
[   51.168465] R10: 0000000000000000 R11: 00000000dca23000 R12: ffff9a9d11a6c2c0
[   51.175605] R13: ffff9a9d01162900 R14: ffff9a9d083435d8 R15: 0000000000000005
[   51.182740] FS:  0000000000000000(0000) GS:ffff9a9d1ac00000(0000) knlGS:0000000000000000
[   51.190832] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   51.196578] CR2: 000055b14ef3a778 CR3: 0000000108c6e000 CR4: 00000000000006f0
[   51.203713] Call Trace:
[   51.206170]  <IRQ>
[   51.208196]  consume_skb+0x39/0xb0
[   51.211620]  ath11k_ce_tx_process_cb+0x157/0x220 [ath11k]
[   51.217177]  ath11k_ce_per_engine_service+0x3c0/0x3d0 [ath11k]
[   51.223130]  ? _raw_spin_lock_irqsave+0x26/0x50
[   51.227680]  ath11k_pci_ce_tasklet+0x1c/0x40 [ath11k_pci]
[   51.233095]  tasklet_action_common.constprop.0+0xaf/0xe0
[   51.238425]  __do_softirq+0xec/0x2e9
[   51.242023]  __irq_exit_rcu+0xbc/0x110
[   51.245780]  common_interrupt+0xb8/0xd0
[   51.249638]  </IRQ>
[   51.251743]  <TASK>
[   51.253850]  asm_common_interrupt+0x1e/0x40
[   51.258044] RIP: 0010:cpuidle_enter_state+0xda/0x370
[   51.263026] Code: 31 ff e8 d9 c6 9e ff 45 84 ff 74 17 9c 58 0f 1f 44 00 00 f6 c4 02 0f 85 78 02 00 00 31 ff e8 bd 97 a5 ff fb 66 0f 1f 44 00 00 <45> 85 f6 0f 88 11 01 00 00 49 63 c6 4c 2b 2c 24 48 8d 14 40 48 8d
[   51.281781] RSP: 0018:ffffffffb4e03e60 EFLAGS: 00000246
[   51.287017] RAX: ffff9a9d1ac00000 RBX: 0000000000000002 RCX: 000000000000001f
[   51.294157] RDX: 0000000000000000 RSI: ffffffffb494bd50 RDI: ffffffffb4927def
[   51.301290] RBP: ffff9a9d0151b000 R08: 0000000be57e1147 R09: 0000000000000018
[   51.308424] R10: 0000000000000ed3 R11: 0000000000002406 R12: ffffffffb4fd05c0
[   51.315565] R13: 0000000be57e1147 R14: 0000000000000002 R15: 0000000000000000
[   51.322716]  cpuidle_enter+0x29/0x40
[   51.326305]  do_idle+0x200/0x2b0
[   51.329547]  cpu_startup_entry+0x19/0x20
[   51.333479]  start_kernel+0x6b7/0x6dc
[   51.337156]  secondary_startup_64_no_verify+0xb0/0xbb
[   51.342228]  </TASK>
[   51.344424] Modules linked in: qrtr_mhi qrtr ath11k_pci mhi ath11k qmi_helpers mac80211 btusb btrtl btbcm btintel bluetooth libarc4 kvm_amd ccp cfg80211 jitterentropy_rng rng_core sha512_ssse3 evdev sha512_generic kvm snd_pcm snd_timer ctr leds_apu drbg snd ansi_cprng sg irqbypass ecdh_generic rfkill soundcore ecc pcspkr k10temp sp5100_tco watchdog button acpi_cpufreq drm fuse configfs ip_tables x_tables autofs4 ext4 crc32c_generic crc16 mbcache jbd2 sd_mod t10_pi crc_t10dif crct10dif_generic crct10dif_common uas usb_storage ohci_pci ahci libahci libata ehci_pci ohci_hcd ehci_hcd r8169 realtek mdio_devres usbcore scsi_mod i2c_piix4 usb_common scsi_common libphy
[   51.403181] ---[ end trace 5511b9c3dbb0841e ]---
[   51.407861] RIP: 0010:skb_release_data+0x81/0x170
[   51.412592] Code: 4d 85 ed 74 4b 41 8b 85 bc 00 00 00 49 03 85 c0 00 00 00 0f b6 10 f6 c2 01 74 35 48 8b 70 28 48 85 f6 74 2c 40 f6 c6 01 75 21 <48> 8b 06 ba 01 00 00 00 4c 89 ef 0f ae e8 ff d0 41 8b 85 bc 00 00
[   51.431366] RSP: 0018:ffffbec4c0003e30 EFLAGS: 00010246
[   51.436623] RAX: ffff9a9d11a6c2c0 RBX: ffff9a9d08341a68 RCX: 0000000000000000
[   51.443782] RDX: 0000000000000003 RSI: 00408210000b231a RDI: ffff9a9d01162900
[   51.450939] RBP: ffff9a9d01162900 R08: 0000000000000212 R09: ffffffffb4ed24e8
[   51.458099] R10: 0000000000000000 R11: 00000000dca23000 R12: ffff9a9d11a6c2c0
[   51.465256] R13: ffff9a9d01162900 R14: ffff9a9d083435d8 R15: 0000000000000005
[   51.472416] FS:  0000000000000000(0000) GS:ffff9a9d1ac00000(0000) knlGS:0000000000000000
[   51.480528] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   51.486299] CR2: 000055b14ef3a778 CR3: 0000000108c6e000 CR4: 00000000000006f0
[   51.493459] Kernel panic - not syncing: Fatal exception in interrupt
[   51.499831] Kernel Offset: 0x32800000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   51.510610] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
Attachment: .config.xz (application/xz)
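The oops in this report is a general protection fault on a non-canonical address that sits in RSI while skb_release_data runs from the ath11k CE completion tasklet, in softirq context, and the kernel was relocated by KASLR (the "Kernel Offset" line). The Python helper below is an added example for triaging such a report; it is not part of Sven's mail or of the ath11k project. It parses a handful of lines copied from the oops above (embedded as constructed input), checks whether the faulting address is x86-64 canonical, finds which general-purpose register carried it, splits the call trace by <IRQ>/<TASK> context and module, and uses the "Kernel Offset" line to map a KASLR-slid core-kernel address back to the address it has in an unrelocated vmlinux, which is what addr2line or gdb need. The 48-bit virtual address width is an assumption (4-level paging); the function names and the triage wording are this example's own.

```python
import re

# Constructed input: a few lines copied from the raw stacktrace in this report.
SAMPLE_OOPS = """\
[   51.095079] general protection fault, probably for non-canonical address 0x408210000b231a: 0000 [#1] PREEMPT SMP NOPTI
[   51.118339] RIP: 0010:skb_release_data+0x81/0x170
[   51.154189] RDX: 0000000000000003 RSI: 00408210000b231a RDI: ffff9a9d01162900
[   51.161323] RBP: ffff9a9d01162900 R08: 0000000000000212 R09: ffffffffb4ed24e8
[   51.203713] Call Trace:
[   51.206170]  <IRQ>
[   51.208196]  consume_skb+0x39/0xb0
[   51.211620]  ath11k_ce_tx_process_cb+0x157/0x220 [ath11k]
[   51.249638]  </IRQ>
[   51.251743]  <TASK>
[   51.253850]  asm_common_interrupt+0x1e/0x40
[   51.342228]  </TASK>
[   51.499831] Kernel Offset: 0x32800000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
"""

_FAULT_RE = re.compile(r"non-canonical address 0x([0-9a-f]+)")
_RIP_RE = re.compile(r"RIP: [0-9a-f]{4}:(\S+)")
_REG_RE = re.compile(r"\b(R(?:AX|BX|CX|DX|SI|DI|BP|SP|\d{2})): ([0-9a-f]{16})")
_KASLR_RE = re.compile(r"Kernel Offset: 0x([0-9a-f]+) from 0x([0-9a-f]+) "
                       r"\(relocation range: 0x([0-9a-f]+)-0x([0-9a-f]+)\)")
_FRAME_RE = re.compile(r"^\[[^\]]*\]\s+(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+"
                       r"(?:\s+\[(\w+)\])?")
_CTX_RE = re.compile(r"<(/?)(IRQ|TASK|NMI)>")


def parse_oops(text):
    """Extract fault address, faulting RIP, the first register dump, KASLR info and call-trace frames."""
    info = {"fault_addr": None, "rip": None, "regs": {}, "kaslr": None, "frames": []}
    in_trace, ctx = False, None
    for line in text.splitlines():
        m = _FAULT_RE.search(line)
        if m and info["fault_addr"] is None:
            info["fault_addr"] = int(m.group(1), 16)
        m = _RIP_RE.search(line)
        if m and info["rip"] is None:          # first RIP line is the faulting one
            info["rip"] = m.group(1)
        m = _KASLR_RE.search(line)
        if m:
            off, base, lo, hi = (int(x, 16) for x in m.groups())
            info["kaslr"] = {"offset": off, "base": base, "range": (lo, hi)}
        if "Call Trace:" in line:
            in_trace = True
            continue
        if not in_trace:                        # registers before the trace belong to the fault
            for reg, val in _REG_RE.findall(line):
                info["regs"][reg] = int(val, 16)
            continue
        m = _CTX_RE.search(line)
        if m:                                   # <IRQ> opens a context, </IRQ> closes it
            ctx = None if m.group(1) else m.group(2)
            continue
        m = _FRAME_RE.match(line)
        if m:
            info["frames"].append({"ctx": ctx, "func": m.group(2), "module": m.group(3),
                                   "uncertain": bool(m.group(1))})  # "? " frames are guesses
    return info


def is_canonical(addr, vaddr_bits=48):
    """x86-64 canonical form: bits 63..vaddr_bits-1 must all equal bit vaddr_bits-1 (48 = 4-level paging, an assumption)."""
    top = addr >> (vaddr_bits - 1)
    return top == 0 or top == (1 << (65 - vaddr_bits)) - 1


def registers_holding(info, value=None):
    """Names of registers in the fault-time dump that hold `value` (default: the faulting address)."""
    value = info["fault_addr"] if value is None else value
    return sorted(r for r, v in info["regs"].items() if v == value)


def unslide(addr, info):
    """Map a KASLR-relocated core-kernel address back to its unrelocated vmlinux address."""
    k = info["kaslr"]
    if k is None:
        raise ValueError("no Kernel Offset line in oops")
    lo, hi = k["range"]
    if not lo <= addr <= hi:
        raise ValueError("%#x is not a core-kernel address (module or direct-map?)" % addr)
    return addr - k["offset"]


def triage(text):
    """Return (parsed info, list of human-readable triage notes)."""
    info = parse_oops(text)
    notes = []
    a = info["fault_addr"]
    if a is not None:
        notes.append("fault address %#x is %s" % (a, "canonical" if is_canonical(a) else "non-canonical"))
        regs = registers_holding(info)
        if regs:
            notes.append("faulting address held in " + ", ".join(regs))
    if info["rip"]:
        notes.append("faulting in " + info["rip"])
    if any(f["ctx"] == "IRQ" for f in info["frames"]):
        notes.append("fault inside <IRQ> context: fatal exception in interrupt, no task to kill")
    mods = sorted({f["module"] for f in info["frames"] if f["module"]})
    if mods:
        notes.append("modules on the stack: " + ", ".join(mods))
    return info, notes


if __name__ == "__main__":
    parsed, out = triage(SAMPLE_OOPS)
    for n in out:
        print(n)
    print("R09 unslid: %#x" % unslide(parsed["regs"]["R09"], parsed))
```

The canonical check is what distinguishes "probably for non-canonical address" (a garbage or poisoned pointer dereference, RSI here, loaded from 0x28 off the skb shared-info area in the disassembly above) from a page fault on a valid-looking but unmapped address; the unslide step is only valid for addresses inside the printed relocation range, so it refuses module text and direct-map pointers rather than silently producing a wrong vmlinux address.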