Bug 219131

Summary: ath11k: WCN6855: kernel NULL pointer dereference in ath11k_mac_get_eirp_power()
Product: Drivers
Reporter: Mikko Tiihonen (mikko.tiihonen)
Component: network-wireless
Assignee: Kalle Valo (kvalo)
Status: RESOLVED CODE_FIX
Severity: blocking
CC: bqiang, kvalo, regressions
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 6.11-rc2
Subsystem:
Regression: Yes
Bisected commit-id:

Description Mikko Tiihonen 2024-08-06 15:53:25 UTC
Wifi stopped working on my laptop when updating from 6.10.3 to 6.11-rc2 kernel.

02:00.0 Network controller: Qualcomm Technologies, Inc QCNFA765 Wireless Network Adapter (rev 01)
wpa_supplicant-2.11-1.fc40.x86_64

wlp2s0: SME: Trying to authenticate with b2:25:4a:59:04:37 (SSID='Mecha34bb-combo' freq=6295 MHz)
BUG: kernel NULL pointer dereference, address: 0000000000000018
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0 
Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 10 UID: 0 PID: 1308 Comm: wpa_supplicant Not tainted 6.11.0-0.rc2.23.fc41.x86_64 #1
Hardware name: LENOVO 21K5000DMX/21K5000DMX, BIOS R2FET57W (1.37 ) 05/20/2024
RIP: 0010:ath11k_mac_get_eirp_power.isra.0+0x5b/0x80 [ath11k]
Code: 0f 87 7f ea 02 00 66 41 89 5d 00 84 c9 75 35 49 8b 44 24 10 0f b7 f3 69 f6 e8 03 00 00 48 8b 78 40 e8 d9 5f 60 ff 48 89 45 00 <8b> 50 18 48 8b 44 24 28 88 10 5b 5d 41 5c 41 5d e9 0b 1a ae f5 41
RSP: 0018:ffffa725c77a3360 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000001d83 RCX: 0000000000000000
RDX: 00000000005a8f98 RSI: 0000000000000005 RDI: 0000000000000000
RBP: ffffa725c77a33d8 R08: ffffa725c77a33d8 R09: ffff8b7ff1b0e488
R10: ffff8b7ff0aa2000 R11: 0000000000001883 R12: ffff8b7ff0aa2000
R13: ffffa725c77a33d6 R14: 0000000000000000 R15: ffff8b8000cb9440
FS:  00007f07966c4840(0000) GS:ffff8b8e21d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000018 CR3: 00000001416fa000 CR4: 0000000000f50ef0
PKRU: 55555554
Call Trace:
 <TASK>
 ? __die_body.cold+0x19/0x27
 ? page_fault_oops+0x15a/0x2f0
 ? exc_page_fault+0x7e/0x180
 ? asm_exc_page_fault+0x26/0x30
 ? ath11k_mac_get_eirp_power.isra.0+0x5b/0x80 [ath11k]
 ath11k_mac_fill_reg_tpc_info+0x3d6/0x800 [ath11k]
 ? __entry_text_end+0x101e45/0x101e49
 ath11k_mac_vdev_start_restart+0x412/0x4d0 [ath11k]
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? crypto_alloc_tfm_node+0x5b/0xd0
 ath11k_mac_op_sta_state+0x7bc/0xbb0 [ath11k]
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? __rhashtable_insert_fast.constprop.0.isra.0+0x17f/0x490 [mac80211]
 drv_sta_state+0xf1/0x5f0 [mac80211]
 sta_info_insert_rcu+0x28d/0x530 [mac80211]
 sta_info_insert+0xf/0x20 [mac80211]
 ieee80211_prep_connection+0x3b4/0x4c0 [mac80211]
 ieee80211_mgd_auth+0x363/0x600 [mac80211]
 ? __entry_text_end+0xfdd48/0x101e49
 ? __cfg80211_get_bss+0x215/0x2e0 [cfg80211]
 cfg80211_mlme_auth+0xb4/0x1b0 [cfg80211]
 nl80211_authenticate+0x369/0x3d0 [cfg80211]
 genl_family_rcv_msg_doit+0xef/0x150
 genl_rcv_msg+0x1b7/0x2c0
 ? __pfx_nl80211_pre_doit+0x10/0x10 [cfg80211]
 ? __pfx_nl80211_authenticate+0x10/0x10 [cfg80211]
 ? __pfx_nl80211_post_doit+0x10/0x10 [cfg80211]
 ? __pfx_genl_rcv_msg+0x10/0x10
 netlink_rcv_skb+0x50/0x100
 genl_rcv+0x28/0x40
 netlink_unicast+0x242/0x370
 netlink_sendmsg+0x21b/0x470
 ____sys_sendmsg+0x39d/0x3d0
 ? srso_alias_return_thunk+0x5/0xfbef5
 ___sys_sendmsg+0x9a/0xe0
 __sys_sendmsg+0xcc/0x100
 do_syscall_64+0x82/0x160
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? do_sock_setsockopt+0xc1/0x180
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? __sys_setsockopt+0xb1/0xe0
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? syscall_exit_to_user_mode+0x10/0x220
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? do_syscall_64+0x8e/0x160
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? do_sock_setsockopt+0xc1/0x180
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? syscall_exit_to_user_mode+0x10/0x220
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? do_syscall_64+0x8e/0x160
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? syscall_exit_to_user_mode+0x10/0x220
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? do_syscall_64+0x8e/0x160
 ? exc_page_fault+0x7e/0x180
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f079612ca14
Code: 15 09 94 0c 00 f7 d8 64 89 02 b8 ff ff ff ff eb bf 0f 1f 44 00 00 f3 0f 1e fa 80 3d 35 16 0d 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 4c c3 0f 1f 00 55 48 89 e5 48 83 ec 20 89 55
RSP: 002b:00007ffc97d7eeb8 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 000055e6cd9de920 RCX: 00007f079612ca14
RDX: 0000000000000000 RSI: 00007ffc97d7eef0 RDI: 0000000000000006
RBP: 00007ffc97d7eee0 R08: 0000000000000004 R09: 0000000000000001
R10: 00007ffc97d7effc R11: 0000000000000202 R12: 000055e6cdab10a0
R13: 000055e6cd9de830 R14: 00007ffc97d7eef0 R15: 0000000000000000
 </TASK>
Modules linked in: michael_mic nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables bnep sunrpc qrtr_mhi binfmt_misc vfat fat snd_soc_dmic snd_ps_pdm_dma snd_soc_ps_mach snd_sof_amd_acp63 snd_sof_amd_vangogh snd_sof_amd_rembrandt snd_sof_amd_renoir snd_sof_amd_acp snd_sof_pci snd_sof_xtensa_dsp snd_sof snd_hda_codec_realtek snd_sof_utils snd_hda_codec_generic snd_pci_ps snd_amd_sdw_acpi snd_hda_scodec_component soundwire_amd snd_hda_codec_hdmi qrtr soundwire_generic_allocation soundwire_bus ath11k_pci snd_hda_intel snd_intel_dspcfg ath11k snd_intel_sdw_acpi snd_soc_core amd_atl snd_ctl_led intel_rapl_msr snd_hda_codec intel_rapl_common snd_compress uvcvideo edac_mce_amd snd_hda_core ac97_bus qmi_helpers snd_pcm_dmaengine uvc btusb snd_rpl_pci_acp6x snd_hwdep kvm_amd mac80211 btrtl videobuf2_vmalloc snd_acp_pci snd_seq
 btintel snd_acp_legacy_common videobuf2_memops videobuf2_v4l2 btbcm btmtk snd_pci_acp6x snd_seq_device videobuf2_common libarc4 snd_pci_acp5x kvm snd_pcm bluetooth thinkpad_acpi videodev snd_rn_pci_acp3x think_lmi cfg80211 snd_acp_config sparse_keymap snd_timer platform_profile rapl thunderbolt pcspkr firmware_attributes_class mc r8169 wmi_bmof snd_soc_acpi rfkill i2c_piix4 snd snd_pci_acp3x mhi i2c_smbus soundcore k10temp realtek amd_pmc joydev loop nfnetlink zram amdgpu amdxcp i2c_algo_bit drm_ttm_helper ttm drm_exec gpu_sched crct10dif_pclmul crc32_pclmul drm_suballoc_helper crc32c_intel nvme drm_buddy polyval_clmulni polyval_generic drm_display_helper nvme_core ghash_clmulni_intel video hid_multitouch sha512_ssse3 ucsi_acpi ccp cec sha256_ssse3 typec_ucsi sha1_ssse3 sp5100_tco nvme_auth typec wmi i2c_hid_acpi i2c_hid serio_raw ip6_tables ip_tables fuse
CR2: 0000000000000018
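The oops above already carries what a triager needs: the `Code:` bytes around RIP, the register dump and CR2. The C program below is an added example (it is not part of this report, nor code from the ath11k driver or its fix) that parses a `Code:` line, decodes the marked instruction when it is a `MOV r, [base+disp]` load, and checks `regs[base] + disp` against CR2. The `Code:`, register and CR2 values embedded in it are copied from the report above; the decoder handles only that instruction form and reports anything else as not handled instead of guessing. On this report it decodes `8b 50 18` as `mov edx, [rax+0x18]` with RAX = 0, giving address 0x18, which equals CR2: a NULL struct pointer dereferenced at field offset 0x18.

```c
/* Added triage helper, not part of the bug report or of the ath11k driver: parse
 * an x86-64 oops "Code:" line, decode the instruction at the <xx> marker (RIP)
 * when it is a "MOV r, [base+disp]" load, and check regs[base] + disp == CR2. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Register numbering as used by ModRM.rm/reg with REX.B/REX.R extension. */
static const char *reg_names[16] = { "rax", "rcx", "rdx", "rbx", "rsp", "rbp",
	"rsi", "rdi", "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15" };

struct triage_result {
	int reg, base;		/* destination and base register, 0..15 */
	int64_t disp;		/* displacement in the memory operand */
	uint64_t addr;		/* regs[base] + disp */
	int matches_cr2;	/* 1 if addr == CR2 */
	int null_base;		/* 1 if regs[base] lies in the zero page */
};
/* "Code: 0f 87 ... <8b> 50 18 ..." -> raw bytes. Returns the byte count and
 * stores the index of the <xx> byte (RIP at the fault) in *fault; -1 on error. */
static int parse_code_line(const char *line, uint8_t *out, int max, int *fault)
{
	const char *p = strstr(line, "Code:");
	int n = 0;
	*fault = -1;
	if (!p) return -1;
	for (p += strlen("Code:"); *p && n < max; n++) {
		while (*p == ' ') p++;
		if (!*p) break;
		int marked = (*p == '<');
		if (marked) p++;
		if (!isxdigit((unsigned char)p[0]) || !isxdigit((unsigned char)p[1]))
			return -1;
		char hex[3] = { p[0], p[1], '\0' };
		out[n] = (uint8_t)strtoul(hex, NULL, 16);
		p += 2;
		if (marked && *p++ != '>') return -1;
		if (marked) *fault = n;
	}
	return *fault >= 0 ? n : -1;
}
/* Decode "MOV r32/r64, [base+disp]": opcode 8b, no SIB, no RIP-relative. */
static int decode_mov_load(const uint8_t *p, int n, struct triage_result *r)
{
	int i = 0, rex = 0;
	if (n > 0 && (p[0] & 0xf0) == 0x40) rex = p[i++];	/* optional REX prefix */
	if (i + 2 > n || p[i++] != 0x8b) return -1;
	uint8_t modrm = p[i++];
	int mod = modrm >> 6, reg = (modrm >> 3) & 7, rm = modrm & 7;
	if (mod == 3 || rm == 4 || (mod == 0 && rm == 5))
		return -1;	/* register operand, SIB or RIP-relative: not handled */
	r->reg = reg | ((rex & 4) ? 8 : 0);	/* REX.R extends reg */
	r->base = rm | ((rex & 1) ? 8 : 0);	/* REX.B extends rm */
	if (mod == 0)
		r->disp = 0;
	else if (mod == 1 && i + 1 <= n)
		r->disp = (int8_t)p[i];
	else if (mod == 2 && i + 4 <= n)
		r->disp = (int32_t)(p[i] | p[i + 1] << 8 | p[i + 2] << 16 | (uint32_t)p[i + 3] << 24);
	else
		return -1;	/* displacement cut off by the end of the dump */
	return 0;
}
/* regs[] is indexed like reg_names[]; cr2 is the faulting linear address. */
static int triage_oops(const char *code_line, const uint64_t regs[16],
		       uint64_t cr2, struct triage_result *r)
{
	uint8_t code[128];	/* the kernel dumps 64 bytes; leave headroom */
	int fault, n = parse_code_line(code_line, code, sizeof(code), &fault);
	if (n < 0) return -1;
	if (decode_mov_load(code + fault, n - fault, r) != 0) return -2;
	r->addr = regs[r->base] + (uint64_t)r->disp;
	r->matches_cr2 = (r->addr == cr2);
	r->null_base = (regs[r->base] < 0x1000);	/* base inside the zero page */
	return 0;
}
/* Code:, register and CR2 values copied from the oops in the report above. */
static const char example_code[] =
	"Code: 0f 87 7f ea 02 00 66 41 89 5d 00 84 c9 75 35 49 8b 44 24 10 0f b7 f3 "
	"69 f6 e8 03 00 00 48 8b 78 40 e8 d9 5f 60 ff 48 89 45 00 <8b> 50 18 48 8b 44 "
	"24 28 88 10 5b 5d 41 5c 41 5d e9 0b 1a ae f5 41";
static const uint64_t example_regs[16] = {	/* rax..rdi, then r8..r15 */
	0x0, 0x0, 0x5a8f98, 0x1d83, 0xffffa725c77a3360ULL, 0xffffa725c77a33d8ULL, 0x5, 0x0,
	0xffffa725c77a33d8ULL, 0xffff8b7ff1b0e488ULL, 0xffff8b7ff0aa2000ULL, 0x1883,
	0xffff8b7ff0aa2000ULL, 0xffffa725c77a33d6ULL, 0x0, 0xffff8b8000cb9440ULL };
static const uint64_t example_cr2 = 0x18;

int main(void)
{
	struct triage_result r;
	if (triage_oops(example_code, example_regs, example_cr2, &r) != 0) return 1;
	printf("mov %s, [%s%+lld]: %s=0x%llx, address 0x%llx %s CR2, null_base=%d\n",
	       reg_names[r.reg], reg_names[r.base], (long long)r.disp, reg_names[r.base],
	       (unsigned long long)example_regs[r.base], (unsigned long long)r.addr,
	       r.matches_cr2 ? "matches" : "differs from", r.null_base);
	return 0;
}
```

Compile and run it as a normal C program; it prints the decoded load, the computed address and whether it matches CR2. The bytes just before the marker tell the rest of the story: `e8 d9 5f 60 ff` is a `call rel32` and `48 89 45 00` is `mov [rbp+0], rax`, so the NULL in RAX is the return value of that call, stored through the pointer in RBP and then dereferenced at offset 0x18 with no check in between.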
Comment 1 The Linux kernel's regression tracker (Thorsten Leemhuis) 2024-08-08 05:57:15 UTC
Forwarded by mail: https://lore.kernel.org/all/05c3f9ea-b5f5-4341-9e4f-d44133629fe6@leemhuis.info/
Comment 2 Kalle Valo 2024-08-13 09:39:45 UTC
Mikko, are you able to test this patch:

https://patchwork.kernel.org/project/linux-wireless/patch/20240813083808.9224-1-quic_bqiang@quicinc.com/
Comment 3 Mikko Tiihonen 2024-08-17 07:00:21 UTC
Managed to build a 6.11-rc3 kernel with the proposed patch.
I can confirm that it makes the wifi work again.
Please add Tested-by: Mikko Tiihonen <mikko.tiihonen@iki.fi>
Comment 4 Kalle Valo 2024-08-20 17:43:52 UTC
> Managed to build a 6.11-rc3 kernel with the proposed patch.
> I can confirm that it makes the wifi work again.
> Please add Tested-by: Mikko Tiihonen <mikko.tiihonen@iki.fi>
Thanks, I'll add that.
Comment 5 Kalle Valo 2024-08-27 17:28:35 UTC
The fix is applied and is queued for v6.11:

9abf199943a6 wifi: ath11k: fix NULL pointer dereference in ath11k_mac_get_eirp_power()

https://git.kernel.org/ath/ath/c/9abf199943a6