Bug 219505 - mt7925e: Oops in mt7925_sta_set_decap_offload when running hostapd in AP mode
Status: NEW
Alias: None
Product: Drivers
Classification: Unclassified
Component: network-wireless
Hardware: All Linux
Importance: P3 normal
Assignee: drivers_network-wireless@kernel-bugs.osdl.org
Reported: 2024-11-18 00:00 UTC by kernel-bug
Modified: 2025-03-07 15:38 UTC
Kernel Version: 6.11.8, 6.12
Regression: No

Description kernel-bug 2024-11-18 00:00:54 UTC
I'm running the mt7925e in AP mode with hostapd in a virtual machine with PCIe passthrough. After a few hours it always triggers this BUG (kernel is 6.11.8):

[38119.876149] BUG: unable to handle page fault for address: ffffffffffffffa0
[38119.878008] #PF: supervisor read access in kernel mode
[38119.879052] #PF: error_code(0x0000) - not-present page
[38119.879982] PGD 1501e067 P4D 1501e067 PUD 15020067 PMD 0
[38119.880874] Oops: Oops: 0000 [#1] PREEMPT SMP
[38119.881638] CPU: 2 UID: 0 PID: 2496 Comm: hostapd Not tainted 6.11.8 #1
[38119.882533] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[38119.883819] RIP: 0010:mt7925_sta_set_decap_offload+0xff/0x140 [mt7925_common]
[38119.884606] Code: 49 d3 e0 4c 23 45 d0 41 81 e0 ff 7f 00 00 74 8a f3 4d 0f bc f0 41 80 fe 0e 0f 87 7b ff ff ff 49 8b 87 18 06 00 00 41 0f b6 ce <66> 83 78 a0 00 74 1a 48 63 c1 49 8b 84 c7 a0 05 00 00 45 84 ed 75
[38119.886360] RSP: 0018:ffffa98ec0a376f0 EFLAGS: 00010293
[38119.886997] RAX: 0000000000000000 RBX: ffff9fac43342000 RCX: 0000000000000000
[38119.887759] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9fac4334a1f8
[38119.910869] RBP: ffffa98ec0a37738 R08: 0000000000000001 R09: 0000000000000000
[38119.911498] R10: 0000000000000000 R11: ffffffff9903a268 R12: ffff9fac453c5ce0
[38119.912116] R13: 0000000000000001 R14: 0000000000000000 R15: ffff9fac42946a80
[38119.912742] FS:  00007fce3361bb28(0000) GS:ffff9fac5ed00000(0000) knlGS:0000000000000000
[38119.913546] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[38119.914091] CR2: ffffffffffffffa0 CR3: 0000000005259000 CR4: 0000000000750ef0
[38119.914717] PKRU: 55555554
[38119.915090] Call Trace:
[38119.915458]  <TASK>
[38119.915803]  ? show_regs.part.0+0x1d/0x20
[38119.916238]  ? __die+0x52/0x91
[38119.916636]  ? page_fault_oops+0x9a/0x220
[38119.917078]  ? search_bpf_extables+0x5b/0x80
[38119.917535]  ? mt7925_sta_set_decap_offload+0xff/0x140 [mt7925_common]
[38119.918108]  ? search_exception_tables+0x57/0x60
[38119.918604]  ? kernelmode_fixup_or_oops.isra.0+0x56/0x70
[38119.919119]  ? __bad_area_nosemaphore+0x140/0x1a0
[38119.919597]  ? bad_area_nosemaphore+0x11/0x20
[38119.920063]  ? exc_page_fault+0x322/0x5f0
[38119.920538]  ? try_to_grab_pending+0x115/0x1f0
[38119.921031]  ? asm_exc_page_fault+0x27/0x30
[38119.921503]  ? mt7925_sta_set_decap_offload+0xff/0x140 [mt7925_common]
[38119.922093]  ieee80211_check_fast_rx+0x2bc/0x460 [mac80211]
[38119.922654]  _sta_info_move_state+0xeb/0x3c0 [mac80211]
[38119.923192]  sta_info_move_state+0xe/0x10 [mac80211]
[38119.923721]  sta_apply_auth_flags.isra.0+0x13b/0x220 [mac80211]
[38119.924277]  sta_apply_parameters+0x245/0x2e0 [mac80211]
[38119.924788]  ieee80211_add_station+0xe7/0x170 [mac80211]
[38119.925293]  nl80211_new_station+0x578/0x660 [cfg80211]
[38119.925802]  genl_family_rcv_msg_doit+0xcf/0x120
[38119.926278]  genl_rcv_msg+0x174/0x280
[38119.926709]  ? __cfg80211_wdev_from_attrs+0x330/0x330 [cfg80211]
[38119.927228]  ? nl80211_channel_switch+0x400/0x400 [cfg80211]
[38119.927727]  ? nlmsg_trim+0x30/0x30 [cfg80211]
[38119.928173]  ? genl_family_rcv_msg_dumpit+0xe0/0xe0
[38119.928640]  netlink_rcv_skb+0x4d/0xf0
[38119.929048]  genl_rcv+0x23/0x40
[38119.929424]  netlink_unicast+0x22f/0x380
[38119.929841]  netlink_sendmsg+0x203/0x420
[38119.930263]  __sock_sendmsg+0x33/0x40
[38119.930677]  ____sys_sendmsg+0x1fb/0x250
[38119.931090]  ___sys_sendmsg+0x78/0xb0
[38119.931502]  ? ___sys_recvmsg+0x83/0xb0
[38119.931916]  ? do_epoll_wait+0x61c/0x730
[38119.932357]  __sys_sendmsg+0xa2/0xc0
[38119.932783]  __x64_sys_sendmsg+0x18/0x20
[38119.933246]  x64_sys_call+0x894/0x9f0
[38119.933690]  do_syscall_64+0x4b/0x110
[38119.934130]  entry_SYSCALL_64_after_hwframe+0x4b/0x53
[38119.934659] RIP: 0033:0x7fce335df347
[38119.935104] Code: c3 8b 07 85 c0 75 24 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> e9 ea d8 ff ff 41 54 b8 02 00 00 00 55 48 89 f5 be 00 88 08 00
[38119.936526] RSP: 002b:00007ffda1205238 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[38119.937248] RAX: ffffffffffffffda RBX: 000000000000002e RCX: 00007fce335df347
[38119.937841] RDX: 0000000000000000 RSI: 00007ffda1205280 RDI: 0000000000000006
[38119.938432] RBP: 00007fce3361bb28 R08: 0000000000000000 R09: 0000000000000000
[38119.939009] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[38119.939593] R13: 00007ffda1205730 R14: 00007fce335529b0 R15: 0000000000000000
[38119.940158]  </TASK>
[38119.940491] Modules linked in: cmac ctr ccm 8021q mrp bridge stp llc af_packet joydev mousedev psmouse serio_raw pcspkr i2c_i801 i2c_mux i2c_smbus lpc_ich mt7925e mt7925_common mt792x_lib mt76_connac_lib mt76 mac80211 cfg80211 rfkill hwmon libarc4 intel_rapl_msr input_leds intel_rapl_common crct10dif_pclmul ghash_clmulni_intel sha512_ssse3 sha256_ssse3 sha1_ssse3 aesni_intel gf128mul crypto_simd cryptd rapl qemu_fw_cfg evdev button virtio_scsi virtio_net net_failover failover virtio_console crc32_pclmul virtio_pci virtio_pci_legacy_dev virtio_pci_modern_dev virtio virtio_ring uhci_hcd ehci_pci ehci_hcd loop ext4 crc32c_generic crc32c_intel crc16 mbcache jbd2 usb_storage usbcore usb_common sd_mod scsi_mod scsi_common
[38119.944941] CR2: ffffffffffffffa0
[38119.945351] ---[ end trace 0000000000000000 ]---
[38119.945812] RIP: 0010:mt7925_sta_set_decap_offload+0xff/0x140 [mt7925_common]
[38119.946380] Code: 49 d3 e0 4c 23 45 d0 41 81 e0 ff 7f 00 00 74 8a f3 4d 0f bc f0 41 80 fe 0e 0f 87 7b ff ff ff 49 8b 87 18 06 00 00 41 0f b6 ce <66> 83 78 a0 00 74 1a 48 63 c1 49 8b 84 c7 a0 05 00 00 45 84 ed 75
[38119.947731] RSP: 0018:ffffa98ec0a376f0 EFLAGS: 00010293
[38119.948207] RAX: 0000000000000000 RBX: ffff9fac43342000 RCX: 0000000000000000
[38119.948767] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9fac4334a1f8
[38119.949328] RBP: ffffa98ec0a37738 R08: 0000000000000001 R09: 0000000000000000
[38119.949885] R10: 0000000000000000 R11: ffffffff9903a268 R12: ffff9fac453c5ce0
[38119.950446] R13: 0000000000000001 R14: 0000000000000000 R15: ffff9fac42946a80
[38119.951015] FS:  00007fce3361bb28(0000) GS:ffff9fac5ed00000(0000) knlGS:0000000000000000
[38119.951730] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[38119.952231] CR2: ffffffffffffffa0 CR3: 0000000005259000 CR4: 0000000000750ef0
[38119.952795] PKRU: 55555554
[38119.953160] note: hostapd[2496] exited with irqs disabled
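
The x86-64 oops above records CR2, a register dump and the bytes of the trapping instruction. The following added example (not part of the bug report or of the kernel source) relates the three. It decodes only the one instruction form that appears in this trace; `explain_fault`, `SAMPLE_OOPS` and `REGS` are names made up for the example.

```python
import re

# Constructed sample: three lines copied verbatim from the x86-64 oops above.
SAMPLE_OOPS = """\
[38119.884606] Code: 49 d3 e0 4c 23 45 d0 41 81 e0 ff 7f 00 00 74 8a f3 4d 0f bc f0 41 80 fe 0e 0f 87 7b ff ff ff 49 8b 87 18 06 00 00 41 0f b6 ce <66> 83 78 a0 00 74 1a 48 63 c1 49 8b 84 c7 a0 05 00 00 45 84 ed 75
[38119.886997] RAX: 0000000000000000 RBX: ffff9fac43342000 RCX: 0000000000000000
[38119.914717] CR2: ffffffffffffffa0 CR3: 0000000005259000 CR4: 0000000000750ef0
"""

# ModRM.rm (plus REX.B) -> register name as printed in the kernel register dump
REGS = ["RAX", "RCX", "RDX", "RBX", "RSP", "RBP", "RSI", "RDI",
        "R08", "R09", "R10", "R11", "R12", "R13", "R14", "R15"]

def explain_fault(oops):
    """Relate CR2 to the trapping instruction's base register and disp8.

    Narrow on purpose: handles only [0x66] [REX] 0x83 ModRM(mod=01, no SIB) disp8,
    which is the shape of the trapping instruction in this report.
    """
    regs = {}
    for name, value in re.findall(r"\b([A-Z][A-Z0-9]{2}): ([0-9a-f]{16})\b", oops):
        regs.setdefault(name, int(value, 16))   # first (kernel-mode) dump wins
    code = re.search(r"Code: (.*)", oops).group(1).split()
    # The kernel marks the first byte of the trapping instruction with <..>
    start = next(i for i, b in enumerate(code) if b.startswith("<"))
    insn = [int(b.strip("<>"), 16) for b in code[start:]]
    i = 0
    if insn[i] == 0x66:            # operand-size prefix (16-bit operand)
        i += 1
    rex_b = 0
    if 0x40 <= insn[i] <= 0x4F:    # REX prefix; bit 0 extends ModRM.rm
        rex_b = insn[i] & 1
        i += 1
    opcode, modrm, disp = insn[i], insn[i + 1], insn[i + 2]
    mod, rm = modrm >> 6, modrm & 7
    if opcode != 0x83 or mod != 1 or rm == 4:
        raise ValueError("instruction form not handled by this example")
    if disp >= 0x80:               # disp8 is sign-extended
        disp -= 0x100
    base = REGS[rm + 8 * rex_b]
    computed = (regs[base] + disp) % 2**64
    return {"base": base, "base_value": regs[base], "disp": disp,
            "address": computed, "matches_cr2": computed == regs["CR2"]}

if __name__ == "__main__":
    print(explain_fault(SAMPLE_OOPS))
```

For the values in this report the result is base RAX = 0 with displacement -0x60, which reproduces the CR2 value ffffffffffffffa0; the arm64 trace in comment 2 faults at the same address.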

Comment 1 torm84 2024-12-12 07:38:30 UTC
I have the same problem with this driver in my router, OS NixOS 24.11, kernel version 6.12.3. With this kernel version the problem repeats 2 times a day. With kernel 6.10.10 the problem repeats about once a week. Here are my HW reboot statistics:

Sep 17 16:39:07 router kernel: Linux version 6.10.10 (nixbld@localhost) (gcc (GCC) 13.2.0, GNU ld (GNU Binutils) 2.41) #1-NixOS SMP PREEMPT_DYNAMIC Thu Sep 12 09:13:13 UTC 2024
Sep 22 18:26:35 router kernel: Linux version 6.10.10 (nixbld@localhost) (gcc (GCC) 13.2.0, GNU ld (GNU Binutils) 2.41) #1-NixOS SMP PREEMPT_DYNAMIC Thu Sep 12 09:13:13 UTC 2024
Oct 07 06:39:14 router kernel: Linux version 6.10.10 (nixbld@localhost) (gcc (GCC) 13.2.0, GNU ld (GNU Binutils) 2.41) #1-NixOS SMP PREEMPT_DYNAMIC Thu Sep 12 09:13:13 UTC 2024
Oct 08 07:57:11 router kernel: Linux version 6.10.10 (nixbld@localhost) (gcc (GCC) 13.2.0, GNU ld (GNU Binutils) 2.41) #1-NixOS SMP PREEMPT_DYNAMIC Thu Sep 12 09:13:13 UTC 2024
Oct 17 06:35:26 router kernel: Linux version 6.10.10 (nixbld@localhost) (gcc (GCC) 13.2.0, GNU ld (GNU Binutils) 2.41) #1-NixOS SMP PREEMPT_DYNAMIC Thu Sep 12 09:13:13 UTC 2024
Oct 27 18:49:47 router kernel: Linux version 6.10.10 (nixbld@localhost) (gcc (GCC) 13.2.0, GNU ld (GNU Binutils) 2.41) #1-NixOS SMP PREEMPT_DYNAMIC Thu Sep 12 09:13:13 UTC 2024
Nov 04 21:26:31 router kernel: Linux version 6.10.10 (nixbld@localhost) (gcc (GCC) 13.2.0, GNU ld (GNU Binutils) 2.41) #1-NixOS SMP PREEMPT_DYNAMIC Thu Sep 12 09:13:13 UTC 2024
Nov 06 07:45:25 router kernel: Linux version 6.10.10 (nixbld@localhost) (gcc (GCC) 13.2.0, GNU ld (GNU Binutils) 2.41) #1-NixOS SMP PREEMPT_DYNAMIC Thu Sep 12 09:13:13 UTC 2024
Nov 11 20:58:13 router kernel: Linux version 6.10.10 (nixbld@localhost) (gcc (GCC) 13.2.0, GNU ld (GNU Binutils) 2.41) #1-NixOS SMP PREEMPT_DYNAMIC Thu Sep 12 09:13:13 UTC 2024
Nov 13 09:15:05 router kernel: Linux version 6.10.10 (nixbld@localhost) (gcc (GCC) 13.2.0, GNU ld (GNU Binutils) 2.41) #1-NixOS SMP PREEMPT_DYNAMIC Thu Sep 12 09:13:13 UTC 2024
Nov 18 13:24:35 router kernel: Linux version 6.10.10 (nixbld@localhost) (gcc (GCC) 13.2.0, GNU ld (GNU Binutils) 2.41) #1-NixOS SMP PREEMPT_DYNAMIC Thu Sep 12 09:13:13 UTC 2024
Nov 24 18:30:16 router kernel: Linux version 6.10.10 (nixbld@localhost) (gcc (GCC) 13.2.0, GNU ld (GNU Binutils) 2.41) #1-NixOS SMP PREEMPT_DYNAMIC Thu Sep 12 09:13:13 UTC 2024
Nov 26 13:44:49 router kernel: Linux version 6.10.10 (nixbld@localhost) (gcc (GCC) 13.2.0, GNU ld (GNU Binutils) 2.41) #1-NixOS SMP PREEMPT_DYNAMIC Thu Sep 12 09:13:13 UTC 2024
Nov 26 13:58:00 router kernel: Linux version 6.10.10 (nixbld@localhost) (gcc (GCC) 13.2.0, GNU ld (GNU Binutils) 2.41) #1-NixOS SMP PREEMPT_DYNAMIC Thu Sep 12 09:13:13 UTC 2024
Dec 02 13:26:39 router kernel: Linux version 6.10.10 (nixbld@localhost) (gcc (GCC) 13.2.0, GNU ld (GNU Binutils) 2.41) #1-NixOS SMP PREEMPT_DYNAMIC Thu Sep 12 09:13:13 UTC 2024
Dec 09 04:55:17 router kernel: Linux version 6.10.10 (nixbld@localhost) (gcc (GCC) 13.2.0, GNU ld (GNU Binutils) 2.41) #1-NixOS SMP PREEMPT_DYNAMIC Thu Sep 12 09:13:13 UTC 2024
Dec 09 21:35:34 router kernel: Linux version 6.10.10 (nixbld@localhost) (gcc (GCC) 13.2.0, GNU ld (GNU Binutils) 2.41) #1-NixOS SMP PREEMPT_DYNAMIC Thu Sep 12 09:13:13 UTC 2024
Dec 10 18:54:38 router kernel: Linux version 6.12.3 (nixbld@localhost) (gcc (GCC) 13.3.0, GNU ld (GNU Binutils) 2.43.1) #1-NixOS SMP PREEMPT_DYNAMIC Fri Dec  6 06:20:46 UTC 2024
Dec 10 21:34:52 router kernel: Linux version 6.12.3 (nixbld@localhost) (gcc (GCC) 13.3.0, GNU ld (GNU Binutils) 2.43.1) #1-NixOS SMP PREEMPT_DYNAMIC Fri Dec  6 06:20:46 UTC 2024
Dec 11 08:38:45 router kernel: Linux version 6.12.3 (nixbld@localhost) (gcc (GCC) 13.3.0, GNU ld (GNU Binutils) 2.43.1) #1-NixOS SMP PREEMPT_DYNAMIC Fri Dec  6 06:20:46 UTC 2024
Dec 11 15:33:12 router kernel: Linux version 6.12.3 (nixbld@localhost) (gcc (GCC) 13.3.0, GNU ld (GNU Binutils) 2.43.1) #1-NixOS SMP PREEMPT_DYNAMIC Fri Dec  6 06:20:46 UTC 2024
Dec 12 05:36:27 router kernel: Linux version 6.12.3 (nixbld@localhost) (gcc (GCC) 13.3.0, GNU ld (GNU Binutils) 2.43.1) #1-NixOS SMP PREEMPT_DYNAMIC Fri Dec  6 06:20:46 UTC 2024
Dec 12 07:05:18 router kernel: Linux version 6.12.3 (nixbld@localhost) (gcc (GCC) 13.3.0, GNU ld (GNU Binutils) 2.43.1) #1-NixOS SMP PREEMPT_DYNAMIC Fri Dec  6 06:20:46 UTC 2024

Comment 2 Casulo 2025-03-07 15:38:48 UTC
Same issue on 6.14.0-rc1 and rc4. ARM64 machine.

[164455.701704] Unable to handle kernel paging request at virtual address ffffffffffffffa0
[164455.709729] Mem abort info:
[164455.712599]   ESR = 0x0000000096000006
[164455.716435]   EC = 0x25: DABT (current EL), IL = 32 bits
[164455.721823]   SET = 0, FnV = 0
[164455.724962]   EA = 0, S1PTW = 0
[164455.728180]   FSC = 0x06: level 2 translation fault
[164455.733141] Data abort info:
[164455.736099]   ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000
[164455.741659]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[164455.746790]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[164455.752178] swapper pgtable: 4k pages, 39-bit VAs, pgdp=00000000451b1000
[164455.758958] [ffffffffffffffa0] pgd=00000000458e1403, p4d=00000000458e1403, pud=00000000458e1403, pmd=0000000000000000
[164455.769654] Internal error: Oops: 0000000096000006 [#1] SMP
[164455.775306] Modules linked in: wireguard libchacha20poly1305 chacha_neon libchacha poly1305_neon ip6_udp_tunnel udp_tunnel libcurve25519_generic nft_masq nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables mt7925e mt7925_common mt792x_lib mt76_connac_lib mt76 mac80211 libarc4 cfg80211 fuse drm drm_panel_orientation_quirks backlight ip_tables x_tables
[164455.817990] CPU: 1 UID: 0 PID: 9674 Comm: hostapd Not tainted 6.14.0-rc1-bpi-r4 #1
[164455.825637] Hardware name: Banana Pi BPI-R4 (DT)
[164455.830329] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[164455.837367] pc : mt7925_sta_set_decap_offload+0xb4/0x178 [mt7925_common]
[164455.844154] lr : mt7925_sta_set_decap_offload+0x50/0x178 [mt7925_common]
[164455.850932] sp : ffffffc08831b540
[164455.854323] x29: ffffffc08831b540 x28: ffffff80c158ecb8 x27: 0000000000000000
[164455.861537] x26: 0000000000000001 x25: 0000000000000001 x24: 0000000000000001
[164455.868749] x23: ffffff80d44aec20 x22: ffffff80d44a27b8 x21: ffffff80c158ea88
[164455.875960] x20: ffffff80c64f1e18 x19: ffffff80d44a2000 x18: 0000000000000000
[164455.883172] x17: 0000000000000000 x16: 0000000000000000 x15: 000000555c186da0
[164455.890384] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
[164455.897596] x11: 0000000000000040 x10: ffffffc081689960 x9 : ffffffc081689958
[164455.904809] x8 : ffffff80c0400028 x7 : 0000000000000000 x6 : 0000000000000000
[164455.912021] x5 : ffffff80c0400000 x4 : ffffff80c04000a8 x3 : 0000000000000000
[164455.919233] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffffff80c158ecb8
[164455.926446] Call trace:
[164455.928969]  mt7925_sta_set_decap_offload+0xb4/0x178 [mt7925_common] (P)
[164455.935749]  ieee80211_check_fast_rx+0x1c8/0x504 [mac80211]
[164455.941441]  _sta_info_move_state+0xdc/0x4b8 [mac80211]
[164455.946776]  sta_info_move_state+0x14/0x20 [mac80211]
[164455.951935]  sta_apply_auth_flags.constprop.0+0x88/0x19c [mac80211]
[164455.958310]  sta_apply_parameters+0x214/0x3d4 [mac80211]
[164455.963731]  ieee80211_add_station+0xd4/0x180 [mac80211]
[164455.969150]  nl80211_new_station+0x45c/0x624 [cfg80211]
[164455.974493]  genl_family_rcv_msg_doit+0xc8/0x130
[164455.979195]  genl_rcv_msg+0x1e4/0x26c
[164455.982938]  netlink_rcv_skb+0x5c/0x128
[164455.986853]  genl_rcv+0x38/0x50
[164455.990073]  netlink_unicast+0x2e4/0x33c
[164455.994074]  netlink_sendmsg+0x17c/0x3b4
[164455.998077]  ____sys_sendmsg+0x18c/0x2f8
[164456.002079]  ___sys_sendmsg+0x80/0xdc
[164456.005820]  __sys_sendmsg+0x80/0xec
[164456.009473]  __arm64_sys_sendmsg+0x24/0x30
[164456.013647]  invoke_syscall+0x48/0x110
[164456.017478]  el0_svc_common.constprop.0+0x40/0xe0
[164456.022261]  do_el0_svc+0x1c/0x28
[164456.025654]  el0_svc+0x30/0xd0
[164456.028792]  el0t_64_sync_handler+0x10c/0x138
[164456.033227]  el0t_64_sync+0x19c/0x1a0
[164456.036970] Code: d280003a f9420381 12001c7b aa1c03e0 (785a0021)
[164456.043138] ---[ end trace 0000000000000000 ]---
[164456.049468] pstore: backend (ramoops) writing error (-28)
[164456.054945] Kernel panic - not syncing: Oops: Fatal exception
[164456.060766] SMP: stopping secondary CPUs
[164456.064768] Kernel Offset: disabled
[164456.068331] CPU features: 0x000,00001020,00800000,8200420b
[164456.073893] Memory Limit: none
[164456.078672] Rebooting in 10 seconds..
