Return-path:
Received: from mo4-p00-ob.smtp.rzone.de ([81.169.146.217]:13720 "EHLO mo4-p00-ob.smtp.rzone.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751166AbcHIFZM convert rfc822-to-8bit (ORCPT ); Tue, 9 Aug 2016 01:25:12 -0400
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
Subject: Re: [Letux-kernel] [BUG] 4.8-rc1: wlcore: NULL pointer dereference in wlcore_op_get_expected_throughput
From: "H. Nikolaus Schaller"
In-Reply-To: <20160808234959.47us7rukzpwplsdo@zver>
Date: Tue, 9 Aug 2016 07:25:05 +0200
Cc: linux-wireless@vger.kernel.org, LKML
Message-Id: <7417EDFF-A857-4728-81BF-75F87769018D@goldelico.com> (sfid-20160809_072529_470941_88C91DD1)
References: <4FEB5780-826B-49C3-81E9-D361CD12DD4A@goldelico.com> <20160808234959.47us7rukzpwplsdo@zver>
To: Discussions about the Letux Kernel
Sender: linux-wireless-owner@vger.kernel.org
List-ID:

Hi Andrey,

> On 09.08.2016 at 01:49, Andrey Utkin wrote:
>
> On Mon, Aug 08, 2016 at 11:26:38PM +0200, H. Nikolaus Schaller wrote:
>> Here is what I see in 4.8-rc1 on Pyra device after typing "poweroff".
>> I hope someone knows what it means.
>>
>> BR and thanks,
>> Nikolaus
>>
>> root@letux:~# poweroff
>>
>> Broadcast message from root@letux (pts/0) (Mon Aug 8 21:19:21 2016):
>>
>> The system is going down for system halt NOW!
>>
>> xinit: unexpected signal 15
>> [info] Using makefile-style concurrent boot in runlevel 0.
>> [....] Stopping ISC DHCP server: dhcpd failed!
>> [....] Stopping bluetooth: /usr/sbin/bluetoothd. ok
>> [....] Stopping automount.... ok
>> [....] Not running dhcpcd because /etc/network/interfaces ... failed!
>> [....] defines some interfaces that will use a DHCP client ... failed!
>> [....] Shutting down ALSA...done.
>> [....] Asking all remaining processes to terminate...done.
>> [....] All processes ended within 1 seconds...done.
>> [....] Stopping enhanced syslogd: rsyslogd. ok
>> [....] Deconfiguring network interfaces...SIOCDELRT: No such process
>> Device "usb0" does not exist.
>> Cannot find device "usb0"
>> done.
>> [info] Saving the system clock.
>> [info] Hardware Clock updated to Mon Aug 8 21:19:30 UTC 2016.
>> [....] Unmounting temporary filesystems...done.
>> [....] Deactivating swap...done.
>> [....] Unmounting local filesystems...done.
>> [ 613.196751] EXT4-fs (mmcblk1p2): re-mounted. Opts: (null)
>> [info] Will now halt.
>> [ 615.348870] wlan0: deauthenticating from 00:12:bf:7d:ce:e6 by local choice (Reason: 3=DEAUTH_LEAVING)
>> [ 615.589721] Unable to handle kernel NULL pointer dereference at virtual address 00000a2a
>> [ 615.598249] pgd = ec3a4000
>> [ 615.601220] [00000a2a] *pgd=ab60f835, *pte=00000000, *ppte=00000000
>> [ 615.607868] Internal error: Oops: 17 [#1] PREEMPT SMP ARM
>> [ 615.613551] Modules linked in: hci_uart bnep bluetooth autofs4 usb_f_ecm usb_f_rndis u_ether libcomposite configfs ipv6 cdc_ether usbnet cdc_acm arc4 wl18xx wlcore mac80211 omapdrm cfg80211 drm_kms_helper cfbfillrect syscopyarea cfbimgblt sysfillrect sysimgblt fb_sys_fops cfbcopyarea snd_soc_omap_hdmi_audio panel_mipi_debug drm dwc3 connector_hdmi encoder_tpd12s015 w2cbw003_bluetooth snd_soc_omap_abe_twl6040 snd_soc_twl6040 wwan_on_off leds_gpio omapdss pwm_omap_dmtimer pwm_bl ehci_omap wlcore_sdio dwc3_omap leds_is31fl319x snd_soc_ts3a225e gpio_twl6040 bq27xxx_battery_i2c tsc2007 bq27xxx_battery leds_tca6507 crtouch_mt bq2429x_charger twl6040_vibra ina2xx palmas_pwrbutton palmas_gpadc as5013 tca8418_keypad usb3503 bma150 bmg160_i2c bno055 bmg160_core input_polldev snd_soc_omap_mcpdm snd_soc_omap_mcbsp snd_soc_omap snd_pcm_dmaengine [last unloaded: g_ether]
>> [ 615.694303] CPU: 0 PID: 3788 Comm: halt Tainted: G B W 4.8.0-rc1-letux+ #655
>> [ 615.702727] Hardware name: Generic OMAP5 (Flattened Device Tree)
>> [ 615.709052] task: eb2564c0 task.stack: ec456000
>> [ 615.713913] PC is at wlcore_op_get_expected_throughput+0x14/0x20 [wlcore]
>> [ 615.721357] LR is at sta_set_sinfo+0xc18/0x1110 [mac80211]
>> [ 615.727145] pc : [] lr : [] psr: a00f0013
>> [ 615.727145] sp : ec457c48 ip : 00000000 fp : 400f0013
>> [ 615.739237] r10: ec414620 r9 : eb604b30 r8 : eb604c90
>> [ 615.744735] r7 : c0b02554 r6 : bf4815c4 r5 : bf4de03c r4 : ec823400
>> [ 615.751613] r3 : 00000000 r2 : 00000000 r1 : 000000c8 r0 : 000003e8
>> [ 615.758492] Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
>> [ 615.766008] Control: 10c5387d Table: ac3a406a DAC: 00000051
>> [ 615.772062] Process halt (pid: 3788, stack limit = 0xec456218)
>> [ 615.778208] Stack: (0xec457c48 to 0xec458000)
>> [ 615.782806] 7c40: 00000001 00000000 bf40d540 c0a76630 eb604f3c bf40d540
>> [ 615.791434] 7c60: ec414620 00000000 00000000 eb604a8c eb604c90 00000000 00000001 eb604800
>> [ 615.800049] 7c80: ec823400 ec45a600 ec45a600 ec414b2c 00000001 ec414b94 00000000 bf40d540
>> [ 615.808682] 7ca0: 00000000 00000003 ec457cb0 ec414b94 ec457cb8 bf40d75c eb604808 eb604808
>> [ 615.817308] 7cc0: 00000000 ec45a600 00000000 ec414620 ec45ac50 ec457d1e 000000c0 00000003
>> [ 615.825940] 7ce0: ffffffff bf4629e8 00000001 ec457d1e ec45a600 ec457d60 ec457d1e 00000001
>> [ 615.834563] 7d00: bf38707c bf386c94 00000003 bf4680cc ec457d1e 00000000 ec45a67c 00c00000
>> [ 615.843178] 7d20: 12000000 e6ce7dbf efbeadde 12000000 e6ce7dbf 00030000 00000001 ec892bd4
>> [ 615.851801] 7d40: ec45a000 c0b02554 ec4142a0 bf38707c bf386c94 00000003 ffffffff bf352b58
>> [ 615.860428] 7d60: ec892bd4 00000000 00000000 00000003 ec45a648 ec45a608 ec414000 ec414000
>> [ 615.869051] 7d80: ec414000 ec45a000 00000003 bf3590c0 00000000 00000003 00000000 ec45a000
>> [ 615.877674] 7da0: ec414000 ec45a648 ec45a608 ec414000 ec414000 00000009 ec96cc0c 00000000
>> [ 615.886300] 7dc0: ffffffff bf31cba8 ec45a608 ec4142a0 ec45a000 bf31cd70 00000000 00000000
>> [ 615.894918] 7de0: c06d0594 c06da874 c0b98444 fffffff7 00000000 00000009 ec457e3c bf47bb38
>> [ 615.903540] 7e00: ec96cc0c 00000000 ffffffff c0152df8 ec45a000 ec457e58 00001042 00001003
>> [ 615.912162] 7e20: 00000000 c0152e40 00000000 00000009 ec457e3c c0620eb4 00000009 ec45a000
>> [ 615.920786] 7e40: c062b690 c0620fd0 ec45a04c ec45a000 00000001 c0621134 ec45a04c ec45a04c
>> [ 615.929410] 7e60: c062b690 c062b97c ec45a000 00001003 ec45a150 ec45a000 00000000 c062ba38
>> [ 615.938027] 7e80: ec8f7600 00000000 ec96cc00 ec45a000 00000000 c0697f8c 00000000 beabc47c
>> [ 615.946652] 7ea0: 00000020 00000000 6e616c77 00000030 00000000 00000000 00001042 8202a8c0
>> [ 615.955275] 7ec0: 00000000 00000000 00000000 00008914 ed5014a0 beabc47c c0b90c80 ed501480
>> [ 615.963900] 7ee0: 00000003 00000000 00000001 c0609a30 beabc47c ed5014a0 eb34b140 c026560c
>> [ 615.972524] 7f00: 00000003 c0264ac4 0000c000 c02654a4 600f0013 c135c654 c08a43f4 eb2dccb4
>> [ 615.981145] 7f20: ec456000 00000000 00000003 eb34b140 ec456000 00000000 00000001 c0271cd8
>> [ 615.989769] 7f40: 00000000 00000000 c0271a44 c0255308 c0b03bc0 00000000 ed501480 c0609684
>> [ 615.998389] 7f60: ed813710 00000000 eb34b140 eb34b140 beabc47c 00008914 00000003 00000000
>> [ 616.007012] 7f80: 00000001 c026560c 00001042 beabc47c 00000000 beabc49c 00000036 c0107204
>> [ 616.015636] 7fa0: ec456000 c0107060 beabc47c 00000000 00000003 00008914 beabc47c 00001042
>> [ 616.024253] 7fc0: beabc47c 00000000 beabc49c 00000036 000230f0 00023100 00000003 00000001
>> [ 616.032875] 7fe0: 00023054 beabc44c 0001135b b6e83206 a00f0030 00000003 00000000 00000000
>> [ 616.041894] [] (wlcore_op_get_expected_throughput [wlcore]) from [] (sta_set_sinfo+0xc18/0x1110 [mac80211])
>> [ 616.054542] [] (sta_set_sinfo [mac80211]) from [] (__sta_info_destroy_part2+0x128/0x194 [mac80211])
>> [ 616.066426] [] (__sta_info_destroy_part2 [mac80211]) from [] (__sta_info_flush+0xf8/0x13c [mac80211])
>> [ 616.078513] [] (__sta_info_flush [mac80211]) from [] (ieee80211_set_disassoc+0x168/0x2f8 [mac80211])
>> [ 616.090512] [] (ieee80211_set_disassoc [mac80211]) from [] (ieee80211_mgd_deauth+0x3dc/0x9fc [mac80211])
>> [ 616.102861] [] (ieee80211_mgd_deauth [mac80211]) from [] (cfg80211_mlme_deauth+0x1f4/0x458 [cfg80211])
>> [ 616.114978] [] (cfg80211_mlme_deauth [cfg80211]) from [] (cfg80211_disconnect+0xa0/0x4a4 [cfg80211])
>> [ 616.126880] [] (cfg80211_disconnect [cfg80211]) from [] (cfg80211_leave+0x28/0x34 [cfg80211])
>> [ 616.138137] [] (cfg80211_leave [cfg80211]) from [] (cfg80211_netdev_notifier_call+0x1bc/0x84c [cfg80211])
>> [ 616.150287] [] (cfg80211_netdev_notifier_call [cfg80211]) from [] (notifier_call_chain+0x40/0x68)
>> [ 616.161479] [] (notifier_call_chain) from [] (raw_notifier_call_chain+0x14/0x1c)
>> [ 616.171111] [] (raw_notifier_call_chain) from [] (call_netdevice_notifiers+0xc/0x14)
>> [ 616.181108] [] (call_netdevice_notifiers) from [] (__dev_close_many+0x48/0xb8)
>> [ 616.190551] [] (__dev_close_many) from [] (__dev_close+0x20/0x34)
>> [ 616.198806] [] (__dev_close) from [] (__dev_change_flags+0x8c/0x130)
>> [ 616.207347] [] (__dev_change_flags) from [] (dev_change_flags+0x18/0x48)
>> [ 616.216255] [] (dev_change_flags) from [] (devinet_ioctl+0x338/0x704)
>> [ 616.224883] [] (devinet_ioctl) from [] (sock_ioctl+0x288/0x2d8)
>> [ 616.232959] [] (sock_ioctl) from [] (vfs_ioctl+0x20/0x34)
>> [ 616.240482] [] (vfs_ioctl) from [] (do_vfs_ioctl+0x854/0x970)
>> [ 616.248369] [] (do_vfs_ioctl) from [] (SyS_ioctl+0x4c/0x74)
>> [ 616.256078] [] (SyS_ioctl) from [] (ret_fast_syscall+0x0/0x1c)
>> [ 616.264075] Code: e3a010c8 e5d02098 e3a00ffa e0233291 (e5d33a2a)
>> [ 616.272268] ---[ end trace 00ab29170ed628ed ]---
>> Segmentation fault
>> [....] startpar: service(s) skipped, program is not configured: dhcpcd ... (warning).
>> INIT: no more processes left in this runlevel
>
> Just curious - in which way did you get this log? netconsole, serial line or what?

serial port.

>
> Does this happen with older kernels? I guess yes.

No, I didn't see it before moving to 4.8-rc1

>
> Looks like insanity in net/mac80211/sta_info.c to me. The module is
> going to destroy sta_info (whatever it means), then it calls again
> sta_set_sinfo() which seems to be doing a lot of initialization work, which in
> turn involves calling a routine from hardware-specific driver (wlcore),
> which apparently doesn't expect to be run in context of shutdown, so to
> say. My speculation is very rough, but I think this is worth forwarding to
> net/mac80211/sta_info.c maintainers. I haven't CCed them for now, but I
> would do so.

Yes, please do so!

>
> $ ./scripts/get_maintainer.pl -f net/mac80211/sta_info.c
> Johannes Berg (maintainer:MAC80211)
> "David S. Miller" (maintainer:NETWORKING [GENERAL])
> linux-wireless@vger.kernel.org (open list:MAC80211)
> netdev@vger.kernel.org (open list:NETWORKING [GENERAL])
> linux-kernel@vger.kernel.org (open list)
>
> $ ./scripts/get_maintainer.pl -f drivers/net/wireless/ti/wlcore
> Kalle Valo (maintainer:NETWORKING DRIVERS (WIRELESS),commit_signer:24/31=77%)
> Eliad Peller (commit_signer:6/31=19%,authored:5/31=16%)
> Guy Mishol (commit_signer:4/31=13%,authored:3/31=10%)
> Uri Mashiach (commit_signer:4/31=13%,authored:4/31=13%)
> Johannes Berg (commit_signer:4/31=13%)
> "Reizer, Eyal" (authored:2/31=6%)
> Maxim Altshul (authored:2/31=6%)
> linux-wireless@vger.kernel.org (open list:TI WILINK WIRELESS DRIVERS)
> netdev@vger.kernel.org (open list:NETWORKING DRIVERS)
> linux-kernel@vger.kernel.org (open list)

BR and thanks,
Nikolaus
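
Added example, not part of the original message or of the kernel sources: a small triage script that decodes the faulting instruction word from the `Code:` line of the oops in this thread and recomputes the fault address from the register dump. The function names (`parse_oops`, `decode_ldr_str_imm`, `explain_fault`) are this example's own, and it only handles A32 load/store instructions with an immediate offset.

```python
import re

# Three lines copied from the oops quoted above (spacing as it appears on this page).
OOPS = """\
[ 615.589721] Unable to handle kernel NULL pointer dereference at virtual address 00000a2a
[ 615.751613] r3 : 00000000 r2 : 00000000 r1 : 000000c8 r0 : 000003e8
[ 616.264075] Code: e3a010c8 e5d02098 e3a00ffa e0233291 (e5d33a2a)
"""

# Register names as an ARM oops prints them (r11..r15 appear as fp, ip, sp, lr, pc).
REG_NAMES = ["r%d" % i for i in range(11)] + ["fp", "ip", "sp", "lr", "pc"]

def parse_oops(text):
    """Return (fault_address, registers, faulting_opcode) from ARM oops text."""
    fault = int(re.search(r"virtual address ([0-9a-f]{8})", text).group(1), 16)
    regs = {name: int(value, 16) for name, value in
            re.findall(r"\b(r\d+|fp|ip|sp|lr|pc)\s*: ([0-9a-f]{8})\b", text)}
    # The kernel puts parentheses around the instruction word at the faulting PC.
    opcode = int(re.search(r"Code:.*\(([0-9a-f]{8})\)", text).group(1), 16)
    return fault, regs, opcode

def decode_ldr_str_imm(op):
    """Decode A32 LDR/STR/LDRB/STRB with a 12-bit immediate; None for anything else."""
    if (op >> 28) == 0xF or (op >> 26) & 0b11 != 0b01 or (op >> 25) & 1:
        return None
    return {
        "mnemonic": ("ldr" if (op >> 20) & 1 else "str") + ("b" if (op >> 22) & 1 else ""),
        "rt": REG_NAMES[(op >> 12) & 0xF],
        "rn": REG_NAMES[(op >> 16) & 0xF],
        "offset": (op & 0xFFF) * (1 if (op >> 23) & 1 else -1),
        "pre_indexed": bool((op >> 24) & 1),
    }

def explain_fault(text):
    """Recompute the faulting address from the decoded instruction and register dump."""
    fault, regs, op = parse_oops(text)
    insn = decode_ldr_str_imm(op)
    if insn is None or insn["rn"] == "pc" or insn["rn"] not in regs:
        return None
    # The load faulted before writing rt, so the dump still holds the base in rn.
    base = regs[insn["rn"]]
    addr = (base + (insn["offset"] if insn["pre_indexed"] else 0)) & 0xFFFFFFFF
    return {
        "insn": "%s %s, [%s, #%#x]" % (insn["mnemonic"], insn["rt"], insn["rn"], insn["offset"]),
        "base": base, "computed": addr, "matches_report": addr == fault,
    }

if __name__ == "__main__":
    print(explain_fault(OOPS))
```

For this oops the base register is 0 and the computed address equals the immediate offset 0xa2a, so the fault is a byte read at a fixed offset from a NULL base pointer inside wlcore_op_get_expected_throughput.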