4.4-rc4 crash net/80211 related

2015-12-16 Thread Mika Penttilä
Hi,

Triggered this with rc4, but the relevant parts are same in rc5:

Offending line is:

(gdb) list *(ieee80211_scan_rx+0x158)
0xf68 is in ieee80211_scan_rx (net/mac80211/scan.c:205).
200		if (!(sdata1 &&
201		      (ether_addr_equal(mgmt->da, sdata1->vif.addr) ||
202		       scan_req->flags & NL80211_SCAN_FLAG_RANDOM_ADDR)) &&
203		    !(sdata2 &&
204		      (ether_addr_equal(mgmt->da, sdata2->vif.addr) ||
205		       sched_scan_req->flags & NL80211_SCAN_FLAG_RANDOM_ADDR)))
206			return;
207	
208		elements = mgmt->u.probe_resp.variable;
209		baselen = offsetof(struct ieee80211_mgmt, u.probe_resp.variable);
(gdb)

i.e. sched_scan_req->flags, which means sched_scan_req is NULL.

It is not easy to trigger (have been running for days) so it's not easy
to say if it's triggering with rc5.

Relevant hw info: i.MX6 + TI wl1835 wlan

--

[471559.635143] Unable to handle kernel NULL pointer dereference at virtual address 0018
Internal error: Oops: 17 [#1] PREEMPT SMP ARM
CPU: 1 PID: 24194 Comm: kworker/u8:1 Tainted: GW   4.4.0-rc4 #1
Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
[471559.717313] PC is at ieee80211_scan_rx+0x158/0x168
LR is at 0x2f04a578
[471559.729744] pc : [<806a0bb0>]    lr : [<2f04a578>]    psr: a0030113
[471559.729744] sp : a8aa7da0  ip : 0066  fp : a800ac00
[471559.742599] r10: a89e6a00  r9 :   r8 : 
[471559.747913] r7 : a8b00440  r6 : a87764c0  r5 : 647b  r4 : a8b00440
[471559.754529] r3 : d0fbdb87  r2 : 9b84  r1 : a8cc76c0  r0 : a84d43e0
[471559.761146] Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment kernel
[471559.768544] Control: 10c5387d  Table: 1b48804a  DAC: 0055
[471559.774379] Process kworker/u8:1 (pid: 24194, stack limit = 0xa8aa6210)
[471559.781081] Stack: (0xa8aa7da0 to 0xa8aa8000)


[471559.942623] [<806a0bb0>] (ieee80211_scan_rx) from [<806b6ee8>] (ieee80211_rx_napi+0x680/0x7a0)
[471559.951330] [<806b6ee8>] (ieee80211_rx_napi) from [<803b37c0>] (wl1271_flush_deferred_work+0x30/0x98)
[471559.960643] [<803b37c0>] (wl1271_flush_deferred_work) from [<803b383c>] (wl1271_netstack_work+0x14/0x24)
[471559.970216] [<803b383c>] (wl1271_netstack_work) from [<800388ac>] (process_one_work+0x120/0x344)
[471559.979093] [<800388ac>] (process_one_work) from [<80038b1c>] (worker_thread+0x4c/0x490)
[471559.987279] [<80038b1c>] (worker_thread) from [<8003dd78>] (kthread+0xe8/0x104)
[471559.994686] [<8003dd78>] (kthread) from [<8000f5a8>] (ret_from_fork+0x14/0x2c)
[471560.002000] Code: e0222005 e023300e e1923003 0ac0 (e5993018)
[471560.008219] ---[ end trace eb084eff56d23079 ]---
[471560.012947] Kernel panic - not syncing: Fatal exception in interrupt
[471560.012954] CPU0: stopping
[471560.012962] CPU: 0 PID: 24339 Comm: compositor Tainted: G  D W  4.4.0-rc4 #1
[471560.012965] Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
[471560.012988] [<80016be4>] (unwind_backtrace) from
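An added example, not code from the report or from mac80211, that models the check at net/mac80211/scan.c:200-206 in plain C: because && and || short-circuit, line 205 reads sched_scan_req->flags only when sdata2 is non-NULL and the DA does not match, so the oops shows the sched-scan interface pointer still set while the request pointer was already NULL; the guarded helper tests the request pointer before touching its flags. Struct and function names are hypothetical stand-ins for the kernel types, and the flag bit value is assumed.

```c
/* Added example, not code from the report or from mac80211: a stand-alone
 * model of the check at net/mac80211/scan.c:200-206. Short-circuit
 * evaluation only reaches sched_scan_req->flags when sdata2 is non-NULL
 * and the DA does not match, so the oops at line 205 means exactly that
 * state occurred with sched_scan_req == NULL. Struct and function names
 * are hypothetical stand-ins for the kernel types. */
#include <stdbool.h>
#include <string.h>

#define ETH_ALEN 6
#define NL80211_SCAN_FLAG_RANDOM_ADDR (1u << 2)   /* bit value assumed */

struct sdata        { struct { unsigned char addr[ETH_ALEN]; } vif; };
struct scan_request { unsigned int flags; };

static bool ether_addr_equal(const unsigned char *a, const unsigned char *b)
{
    return memcmp(a, b, ETH_ALEN) == 0;
}

/* Shape of the reported condition for one (interface, request) pair:
 * sdata is NULL-checked, but nothing guards req before req->flags. */
static bool for_us_unguarded(const struct sdata *sdata,
                             const struct scan_request *req,
                             const unsigned char *da)
{
    return sdata && (ether_addr_equal(da, sdata->vif.addr) ||
                     (req->flags & NL80211_SCAN_FLAG_RANDOM_ADDR));
}

/* Guarded form: req is tested before its flags are read, so a torn-down
 * sched scan (NULL request, interface pointer still set) simply fails the
 * random-address branch instead of faulting at offset 0x18 of NULL. */
static bool for_us_guarded(const struct sdata *sdata,
                           const struct scan_request *req,
                           const unsigned char *da)
{
    return sdata && (ether_addr_equal(da, sdata->vif.addr) ||
                     (req && (req->flags & NL80211_SCAN_FLAG_RANDOM_ADDR)));
}

/* Early-return decision of ieee80211_scan_rx built from the guarded helper:
 * drop the frame unless it is for the scan or the sched-scan interface. */
static bool scan_rx_should_drop(const struct sdata *sdata1,
                                const struct scan_request *scan_req,
                                const struct sdata *sdata2,
                                const struct scan_request *sched_scan_req,
                                const unsigned char *da)
{
    return !for_us_guarded(sdata1, scan_req, da) &&
           !for_us_guarded(sdata2, sched_scan_req, da);
}
```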