Bug 198701

Summary:	[ath9k_htc] WARNING: CPU: 1 PID: 0 at net/mac80211/rx.c:629 ieee80211_rx_napi+0x903/0x9c0 [mac80211]
Product:	Drivers	Reporter:	Gerardo Exequiel Pozzi (vmlinuz386)
Component:	network-wireless	Assignee:	drivers_network-wireless (drivers_network-wireless)
Status:	RESOLVED CODE_FIX
Severity:	normal	CC:	johannes, kvalo, masashi.honma, nbd, raghujindia, ZeroBeat
Priority:	P1
Hardware:	x86-64
OS:	Linux
Kernel Version:	4.14	Subsystem:
Regression:	No	Bisected commit-id:

Description Gerardo Exequiel Pozzi 2018-02-06 19:14:12 UTC

I hist similar issue [#1] like with ath9k (fixed now) but with ath9k_htc use in my "TP-LINK TL-WN722N V1.0 (Qualcomm Atheros AR9271)"

Interface was in monitor mode (But I guess, this does not care).

[#1] https://bugzilla.kernel.org/show_bug.cgi?id=196603

------------[ cut here ]------------
WARNING: CPU: 1 PID: 0 at /usr/src/linux-4.14.15/net/mac80211/rx.c:629 ieee80211_rx_napi+0x903/0x9c0 [mac80211]
Modules linked in: nfnetlink_queue nfnetlink_log nfnetlink 8021q garp mrp stp llc ath9k_htc rpcsec_gss_krb5 nfsv4 dns_resolver nfs overlay dm_crypt ecb aes_x86_64 xts algif_skcipher af_alg 
 soundcore cfbcopyarea fb ath font mac80211 fbdev drm cfg80211 led_class thermal i2c_core fan asus_atk0110 hwmon button processor sch_fq_codel binfmt_misc vboxnetflt(O) vboxnetadp(O) vboxpc
CPU: 1 PID: 0 Comm: swapper/1 Tainted: P        W  O    4.14.15 #1
Hardware name: System manufacturer System Product Name/M2N32-SLI DELUXE, BIOS ASUS M2N32-SLI DELUXE ACPI BIOS Revision 1603 12/17/2007
task: ffff8942e30e0c80 task.stack: ffffad5600074000
RIP: 0010:ieee80211_rx_napi+0x903/0x9c0 [mac80211]
RSP: 0018:ffff8942e7d03e30 EFLAGS: 00010246
RAX: 0000000000010000 RBX: ffff89424341c300 RCX: 0000000000000002
RDX: 0000000000000004 RSI: 0000000000000000 RDI: ffff8942887ac660
RBP: ffff8942887ac660 R08: ffff8942e7d03e78 R09: ffff89423b0d8000
R10: 0000000000000004 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000004
FS:  0000000000000000(0000) GS:ffff8942e7d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f388128a010 CR3: 0000000122176000 CR4: 00000000000006e0
Call Trace:
 <IRQ>
 ? ath9k_rx_prepare.isra.1+0x26b/0x2d0 [ath9k_htc]
 ath9k_rx_tasklet+0xf5/0x1a0 [ath9k_htc]
 tasklet_action+0x51/0xb0
 __do_softirq+0xc9/0x215
 irq_exit+0xaa/0xb0
 do_IRQ+0x8f/0xf0
 common_interrupt+0x92/0x92
 </IRQ>
RIP: 0010:amd_e400_idle+0xd/0x30
RSP: 0018:ffffad5600077f20 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff7e
RAX: 687475410001ad40 RBX: ffffffff8cc48670 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffff8942e7d170e0 R09: 0000000000000000
R10: 0000000000000000 R11: 0003dfb8b7b84f0e R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 do_idle+0x159/0x180
 cpu_startup_entry+0x1b/0x20
 secondary_startup_64+0xa5/0xb0
Code: 00 00 00 66 c7 85 bc 00 00 00 00 04 66 89 85 c2 00 00 00 0f b6 85 90 00 00 00 83 e0 38 83 c8 43 88 85 90 00 00 00 e9 c7 fb ff ff <0f> ff 48 89 df e8 73 cd 01 cc e9 43 fa ff ff 0f ff e
---[ end trace 8c3de32b4d8052d4 ]---

Comment 1 WhoAmEye 2019-06-15 01:54:39 UTC

The trace comes from WARN_ON in kernel core file mac80211/rx.c 
From kernel version 4.14
static struct sk_buff *
ieee80211_rx_monitor(struct ieee80211_local *local, struct sk_buff *origskb,
                     struct ieee80211_rate *rate)
{

..
..

       if (ieee80211_hw_check(&local->hw, RX_INCLUDES_FCS)) {
                if (unlikely(origskb->len <= FCS_LEN)) {
                        /* driver bug */
                        WARN_ON(1);
                        dev_kfree_skb(origskb);
                        return NULL;
                }
                present_fcs_len = FCS_LEN;
        }

    
}

Warning trace is hit when skblen is less than 4(FCS_LEN) bytes.
In the latest kernel 5.2 , I see checks around this code, maybe the problem might be fixed in latest. Please verify in latest kernel.

Thanks.

Comment 2 Michael 2019-11-09 11:05:19 UTC

I can confirm this on ath9k_htc and several other drivers (rt2800usb, mt76, RTL8821AE):
https://bugzilla.kernel.org/show_bug.cgi?id=202541#c100

Comment 3 Masashi Honma 2019-11-20 21:53:23 UTC

I have encountered similar issue and fixed it on upstream.

Patch 1/2
https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-testing.git/commit/?id=e01fddc19d215f6ad397894ec2a851d99bf154e2

Patch 2/2
https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-testing.git/commit/?id=cd486e627e67ee9ab66914d36d3127ef057cc010

Could you check with Linux 5.4-rc8 ?

Comment 4 Masashi Honma 2019-11-20 22:27:20 UTC

Sorry the patch is now just merged on wireless-testing branch.
I will notify when it is merged on Linux kernel upstream.

Comment 5 Masashi Honma 2019-12-09 21:06:24 UTC

This was merged at Linux 5.5-rc1.

Patch 1/2
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=e01fddc19d215f6ad397894ec2a851d99bf154e2

Patch 2/2
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=cd486e627e67ee9ab66914d36d3127ef057cc010