<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/net/wireless/ath, branch linux-5.11.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>ath11k: fix thermal temperature read</title>
<updated>2021-05-19T08:29:26+00:00</updated>
<author>
<name>Pradeep Kumar Chitrapu</name>
<email>pradeepc@codeaurora.org</email>
</author>
<published>2021-02-18T18:27:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=a4aa13fca62ebf0e604807efadbde76556492f80'/>
<id>a4aa13fca62ebf0e604807efadbde76556492f80</id>
<content type='text'>
[ Upstream commit e3de5bb7ac1a4cb262f8768924fd3ef6182b10bb ]

Fix dangling pointer in thermal temperature event which causes
incorrect temperature read.

Tested-on: IPQ8074 AHB WLAN.HK.2.4.0.1-00041-QCAHKSWPL_SILICONZ-1

Signed-off-by: Pradeep Kumar Chitrapu &lt;pradeepc@codeaurora.org&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Link: https://lore.kernel.org/r/20210218182708.8844-1-pradeepc@codeaurora.org
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>ath10k: Fix ath10k_wmi_tlv_op_pull_peer_stats_info() unlock without lock</title>
<updated>2021-05-14T08:50:15+00:00</updated>
<author>
<name>Shuah Khan</name>
<email>skhan@linuxfoundation.org</email>
</author>
<published>2021-04-06T23:02:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=076495110d0530f6b6aa13bd5f771655b3cbf612'/>
<id>076495110d0530f6b6aa13bd5f771655b3cbf612</id>
<content type='text'>
[ Upstream commit eaaf52e4b866f265eb791897d622961293fd48c1 ]

ath10k_wmi_tlv_op_pull_peer_stats_info() could try to unlock the RCU lock
without locking it first when the peer reason doesn't match the valid
cases for this function.

Add a default case to return without unlocking.

Fixes: 09078368d516 ("ath10k: hold RCU lock when calling ieee80211_find_sta_by_ifaddr()")
Reported-by: Pavel Machek &lt;pavel@ucw.cz&gt;
Signed-off-by: Shuah Khan &lt;skhan@linuxfoundation.org&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Link: https://lore.kernel.org/r/20210406230228.31301-1-skhan@linuxfoundation.org
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>ath10k: Fix a use after free in ath10k_htc_send_bundle</title>
<updated>2021-05-14T08:50:15+00:00</updated>
<author>
<name>Lv Yunlong</name>
<email>lyl2019@mail.ustc.edu.cn</email>
</author>
<published>2021-03-29T12:01:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=3b1ac40c6012140828caa79e592a438a18ebf71b'/>
<id>3b1ac40c6012140828caa79e592a438a18ebf71b</id>
<content type='text'>
[ Upstream commit 8392df5d7e0b6a7d21440da1fc259f9938f4dec3 ]

In ath10k_htc_send_bundle, the bundle_skb could be freed by
dev_kfree_skb_any(bundle_skb). But the bundle_skb is used later
by bundle_skb-&gt;len.

As skb_len = bundle_skb-&gt;len, my patch replaces bundle_skb-&gt;len with
skb_len after the bundle_skb was freed.

Fixes: c8334512f3dd1 ("ath10k: add htt TX bundle for sdio")
Signed-off-by: Lv Yunlong &lt;lyl2019@mail.ustc.edu.cn&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Link: https://lore.kernel.org/r/20210329120154.8963-1-lyl2019@mail.ustc.edu.cn
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>ath9k: Fix error check in ath9k_hw_read_revisions() for PCI devices</title>
<updated>2021-05-14T08:50:15+00:00</updated>
<author>
<name>Toke Høiland-Jørgensen</name>
<email>toke@redhat.com</email>
</author>
<published>2021-03-26T18:08:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5ba3bb0b00ed5c101bec42ea331a24c27e5870c7'/>
<id>5ba3bb0b00ed5c101bec42ea331a24c27e5870c7</id>
<content type='text'>
[ Upstream commit 7dd9a40fd6e0d0f1fd8e1931c007e080801dfdce ]

When the error check in ath9k_hw_read_revisions() was added, it checked for
-EIO which is what ath9k_regread() in the ath9k_htc driver uses. However,
for plain ath9k, the register read function uses ioread32(), which just
returns -1 on error. So if such a read fails, it still gets passed through
and ends up as a weird mac revision in the log output.

Fix this by changing ath9k_regread() to return -1 on error like ioread32()
does, and fix the error check to look for that instead of -EIO.

Fixes: 2f90c7e5d094 ("ath9k: Check for errors when reading SREV register")
Signed-off-by: Toke Høiland-Jørgensen &lt;toke@redhat.com&gt;
Reviewed-by: Lorenzo Bianconi &lt;lorenzo@kernel.org&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Link: https://lore.kernel.org/r/20210326180819.142480-1-toke@redhat.com
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>ath10k: hold RCU lock when calling ieee80211_find_sta_by_ifaddr()</title>
<updated>2021-04-07T13:02:29+00:00</updated>
<author>
<name>Shuah Khan</name>
<email>skhan@linuxfoundation.org</email>
</author>
<published>2021-02-10T21:21:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=cce51ee88fb2bfc12df8faa112ebd1cb6f470693'/>
<id>cce51ee88fb2bfc12df8faa112ebd1cb6f470693</id>
<content type='text'>
[ Upstream commit 09078368d516918666a0122f2533dc73676d3d7e ]

ieee80211_find_sta_by_ifaddr() must be called under the RCU lock and
the resulting pointer is only valid under RCU lock as well.

Fix ath10k_wmi_tlv_op_pull_peer_stats_info() to hold RCU lock before it
calls ieee80211_find_sta_by_ifaddr() and release it when the resulting
pointer is no longer needed.

This problem was found while reviewing code to debug RCU warn from
ath10k_wmi_tlv_parse_peer_stats_info().

Link: https://lore.kernel.org/linux-wireless/7230c9e5-2632-b77e-c4f9-10eca557a5bb@linuxfoundation.org/
Signed-off-by: Shuah Khan &lt;skhan@linuxfoundation.org&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Link: https://lore.kernel.org/r/20210210212107.40373-1-skhan@linuxfoundation.org
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>ath11k: add ieee80211_unregister_hw to avoid kernel crash caused by NULL pointer</title>
<updated>2021-04-07T13:02:28+00:00</updated>
<author>
<name>Wen Gong</name>
<email>wgong@codeaurora.org</email>
</author>
<published>2021-01-18T16:26:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=48b8b6ad3d1597ee4caf61c20ead586be7bcaa99'/>
<id>48b8b6ad3d1597ee4caf61c20ead586be7bcaa99</id>
<content type='text'>
[ Upstream commit 0d96968315d7ffbd70d608b29e9bea084210b96d ]

When __ath11k_mac_register returns failure after ieee80211_register_hw has
been called successfully, it sets wiphy-&gt;dev.parent to NULL by
SET_IEEE80211_DEV(ar-&gt;hw, NULL) at the end of __ath11k_mac_register; then
cfg80211_get_drvinfo is called via the call stack below, but
wiphy-&gt;dev.parent is NULL, so the kernel crashes.

Call stack to cfg80211_get_drvinfo:
NetworkManager   826 [001]  6696.731371:    probe:cfg80211_get_drvinfo: (ffffffffc107d8f0)
        ffffffffc107d8f1 cfg80211_get_drvinfo+0x1 (/lib/modules/5.10.0-rc1-wt-ath+/kernel/net/wireless-back/cfg80211.ko)
        ffffffff9d8fc529 ethtool_get_drvinfo+0x99 (vmlinux)
        ffffffff9d90080e dev_ethtool+0x1dbe (vmlinux)
        ffffffff9d8b88f7 dev_ioctl+0xb7 (vmlinux)
        ffffffff9d8668de sock_do_ioctl+0xae (vmlinux)
        ffffffff9d866d60 sock_ioctl+0x350 (vmlinux)
        ffffffff9d2ca30e __x64_sys_ioctl+0x8e (vmlinux)
        ffffffff9da0dda3 do_syscall_64+0x33 (vmlinux)
        ffffffff9dc0008c entry_SYSCALL_64_after_hwframe+0x44 (vmlinux)
            7feb5f673007 __GI___ioctl+0x7 (/lib/x86_64-linux-gnu/libc-2.23.so)
                       0 [unknown] ([unknown])

Code of cfg80211_get_drvinfo; pdev, which is wiphy-&gt;dev.parent, is
NULL when the kernel crashes:
void cfg80211_get_drvinfo(struct net_device *dev, struct ethtool_drvinfo *info)
{
	struct wireless_dev *wdev = dev-&gt;ieee80211_ptr;
	struct device *pdev = wiphy_dev(wdev-&gt;wiphy);

	if (pdev-&gt;driver)
....

kernel crash log:
[  973.619550] ath11k_pci 0000:05:00.0: failed to perform regd update : -16
[  973.619555] ath11k_pci 0000:05:00.0: ath11k regd update failed: -16
[  973.619566] ath11k_pci 0000:05:00.0: failed register the radio with mac80211: -16
[  973.619618] ath11k_pci 0000:05:00.0: failed to create pdev core: -16
[  973.636035] BUG: kernel NULL pointer dereference, address: 0000000000000068
[  973.636046] #PF: supervisor read access in kernel mode
[  973.636050] #PF: error_code(0x0000) - not-present page
[  973.636054] PGD 800000012452e067 P4D 800000012452e067 PUD 12452d067 PMD 0
[  973.636064] Oops: 0000 [#1] SMP PTI
[  973.636072] CPU: 3 PID: 848 Comm: NetworkManager Kdump: loaded Tainted: G        W  OE     5.10.0-rc1-wt-ath+ #24
[  973.636076] Hardware name: LENOVO 418065C/418065C, BIOS 83ET63WW (1.33 ) 07/29/2011
[  973.636161] RIP: 0010:cfg80211_get_drvinfo+0x25/0xd0 [cfg80211]
[  973.636169] Code: e9 c9 fe ff ff 66 66 66 66 90 55 53 ba 20 00 00 00 48 8b af 08 03 00 00 48 89 f3 48 8d 7e 04 48 8b 45 00 48 8b 80 90 01 00 00 &lt;48&gt; 8b 40 68 48 85 c0 0f 84 8d 00 00 00 48 8b 30 e8 a6 cc 72 c7 48
[  973.636174] RSP: 0018:ffffaafb4040bbe0 EFLAGS: 00010286
[  973.636180] RAX: 0000000000000000 RBX: ffffaafb4040bbfc RCX: 0000000000000000
[  973.636184] RDX: 0000000000000020 RSI: ffffaafb4040bbfc RDI: ffffaafb4040bc00
[  973.636188] RBP: ffff8a84c9568950 R08: 722d302e30312e35 R09: 74612d74772d3163
[  973.636192] R10: 3163722d302e3031 R11: 2b6874612d74772d R12: ffffaafb4040bbfc
[  973.636196] R13: 00007ffe453707c0 R14: ffff8a84c9568000 R15: 0000000000000000
[  973.636202] FS:  00007fd3d179b940(0000) GS:ffff8a84fa2c0000(0000) knlGS:0000000000000000
[  973.636206] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  973.636211] CR2: 0000000000000068 CR3: 00000001153b6002 CR4: 00000000000606e0
[  973.636215] Call Trace:
[  973.636234]  ethtool_get_drvinfo+0x99/0x1f0
[  973.636246]  dev_ethtool+0x1dbe/0x2be0
[  973.636256]  ? mntput_no_expire+0x35/0x220
[  973.636264]  ? inet_ioctl+0x1ce/0x200
[  973.636274]  ? tomoyo_path_number_perm+0x68/0x1d0
[  973.636282]  ? kmem_cache_alloc+0x3cb/0x430
[  973.636290]  ? dev_ioctl+0xb7/0x570
[  973.636295]  dev_ioctl+0xb7/0x570
[  973.636307]  sock_do_ioctl+0xae/0x150
[  973.636315]  ? sock_ioctl+0x350/0x3c0
[  973.636319]  sock_ioctl+0x350/0x3c0
[  973.636332]  ? __x64_sys_ioctl+0x8e/0xd0
[  973.636339]  ? dlci_ioctl_set+0x30/0x30
[  973.636346]  __x64_sys_ioctl+0x8e/0xd0
[  973.636359]  do_syscall_64+0x33/0x80
[  973.636368]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

Sequence of function calls when wlan loads in the success case, where
__ath11k_mac_register returns 0:

kworker/u16:3-e  2922 [001]  6696.729734:   probe:ieee80211_register_hw: (ffffffffc116ae60)
kworker/u16:3-e  2922 [001]  6696.730210:        probe:ieee80211_if_add: (ffffffffc1185cc0)
NetworkManager   826 [001]  6696.731345:     probe:ethtool_get_drvinfo: (ffffffff9d8fc490)
NetworkManager   826 [001]  6696.731371:    probe:cfg80211_get_drvinfo: (ffffffffc107d8f0)
NetworkManager   826 [001]  6696.731639:     probe:ethtool_get_drvinfo: (ffffffff9d8fc490)
NetworkManager   826 [001]  6696.731653:    probe:cfg80211_get_drvinfo: (ffffffffc107d8f0)
NetworkManager   826 [001]  6696.732866:     probe:ethtool_get_drvinfo: (ffffffff9d8fc490)
NetworkManager   826 [001]  6696.732893:    probe:cfg80211_get_drvinfo: (ffffffffc107d8f0)
systemd-udevd  3850 [003]  6696.737199:     probe:ethtool_get_drvinfo: (ffffffff9d8fc490)
systemd-udevd  3850 [003]  6696.737226:    probe:cfg80211_get_drvinfo: (ffffffffc107d8f0)
NetworkManager   826 [000]  6696.759950:     probe:ethtool_get_drvinfo: (ffffffff9d8fc490)
NetworkManager   826 [000]  6696.759967:    probe:cfg80211_get_drvinfo: (ffffffffc107d8f0)
NetworkManager   826 [000]  6696.760057:     probe:ethtool_get_drvinfo: (ffffffff9d8fc490)
NetworkManager   826 [000]  6696.760062:    probe:cfg80211_get_drvinfo: (ffffffffc107d8f0)

After applying this patch, the kernel crash is gone; below is the test case's
sequence of function calls and log when wlan loads with a failure from
ath11k_regd_update, and __ath11k_mac_register returns failure:

kworker/u16:5-e   192 [001]   215.174388:   probe:ieee80211_register_hw: (ffffffffc1131e60)
kworker/u16:5-e   192 [000]   215.174973:        probe:ieee80211_if_add: (ffffffffc114ccc0)
NetworkManager   846 [001]   215.175857:     probe:ethtool_get_drvinfo: (ffffffff928fc490)
kworker/u16:5-e   192 [000]   215.175867: probe:ieee80211_unregister_hw: (ffffffffc1131970)
NetworkManager   846 [001]   215.175880:    probe:cfg80211_get_drvinfo: (ffffffffc107f8f0)
NetworkManager   846 [001]   215.176105:     probe:ethtool_get_drvinfo: (ffffffff928fc490)
NetworkManager   846 [001]   215.176118:    probe:cfg80211_get_drvinfo: (ffffffffc107f8f0)
[  215.175859] ath11k_pci 0000:05:00.0: ath11k regd update failed: -16
NetworkManager   846 [001]   215.196420:     probe:ethtool_get_drvinfo: (ffffffff928fc490)
NetworkManager   846 [001]   215.196430:    probe:cfg80211_get_drvinfo: (ffffffffc107f8f0)
[  215.258598] ath11k_pci 0000:05:00.0: failed register the radio with mac80211: -16
[  215.258613] ath11k_pci 0000:05:00.0: failed to create pdev core: -16

When ath11k_regd_update or ath11k_debugfs_register returns failure, the
mac80211 function ieee80211_unregister_hw is called, and it waits
until cfg80211_get_drvinfo has finished; wiphy-&gt;dev.parent is not NULL
at that moment. After that, wiphy-&gt;dev.parent is set to NULL by
SET_IEEE80211_DEV(ar-&gt;hw, NULL) at the end of __ath11k_mac_register, so
the kernel crash does not happen.

Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1
Signed-off-by: Wen Gong &lt;wgong@codeaurora.org&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Link: https://lore.kernel.org/r/1608607824-16067-1-git-send-email-wgong@codeaurora.org
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>ath11k: fix AP mode for QCA6390</title>
<updated>2021-03-17T16:11:19+00:00</updated>
<author>
<name>Kalle Valo</name>
<email>kvalo@codeaurora.org</email>
</author>
<published>2021-02-22T15:14:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=edb24de123165bca427ea5b36db2faedc53b95b7'/>
<id>edb24de123165bca427ea5b36db2faedc53b95b7</id>
<content type='text'>
commit 77d7e87128d4dfb400df4208b2812160e999c165 upstream.

Commit c134d1f8c436 ("ath11k: Handle errors if peer creation fails") completely
broke AP mode on QCA6390:

kernel: [  151.230734] ath11k_pci 0000:06:00.0: failed to create peer after vdev start delay: -22
wpa_supplicant[2307]: Failed to set beacon parameters
wpa_supplicant[2307]: Interface initialization failed
wpa_supplicant[2307]: wlan0: interface state UNINITIALIZED-&gt;DISABLED
wpa_supplicant[2307]: wlan0: AP-DISABLED
wpa_supplicant[2307]: wlan0: Unable to setup interface.
wpa_supplicant[2307]: Failed to initialize AP interface

This was because commit c134d1f8c436 ("ath11k: Handle errors if peer creation
fails") added error handling for ath11k_peer_create(), which had been failing
all along but was unnoticed due to the missing error handling. The actual bug
was introduced already in commit aa44b2f3ecd4 ("ath11k: start vdev if a bss peer is
already created").

ath11k_peer_create() was failing because for AP mode the peer is already
created earlier in op_add_interface() and we should skip creation here, but the
check for modes was wrong. Fixing that makes AP mode work again.

This shouldn't affect IPQ8074 nor QCN9074 as they have hw_params.vdev_start_delay disabled.

Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1

Fixes: c134d1f8c436 ("ath11k: Handle errors if peer creation fails")
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Link: https://lore.kernel.org/r/1614006849-25764-1-git-send-email-kvalo@codeaurora.org
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>ath9k: fix transmitting to stations in dynamic SMPS mode</title>
<updated>2021-03-17T16:11:19+00:00</updated>
<author>
<name>Felix Fietkau</name>
<email>nbd@nbd.name</email>
</author>
<published>2021-02-14T18:49:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=11fe93511d02c2e24f8c9eee1ca3f7f8b36e39c3'/>
<id>11fe93511d02c2e24f8c9eee1ca3f7f8b36e39c3</id>
<content type='text'>
commit 3b9ea7206d7e1fdd7419cbd10badd3b2c80d04b4 upstream.

When transmitting to a receiver in dynamic SMPS mode, all transmissions that
use multiple spatial streams need to be sent using CTS-to-self or RTS/CTS to
give the receiver's extra chains some time to wake up.
This fixes the tx rate getting stuck at &lt;= MCS7 for some clients, especially
Intel ones, which make aggressive use of SMPS.

Cc: stable@vger.kernel.org
Reported-by: Martin Kennedy &lt;hurricos@gmail.com&gt;
Signed-off-by: Felix Fietkau &lt;nbd@nbd.name&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Link: https://lore.kernel.org/r/20210214184911.96702-1-nbd@nbd.name
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>ath10k: fix wmi mgmt tx queue full due to race condition</title>
<updated>2021-03-07T11:35:50+00:00</updated>
<author>
<name>Miaoqing Pan</name>
<email>miaoqing@codeaurora.org</email>
</author>
<published>2020-12-22T06:34:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e7729fe245f724c7f46507b506ed6e2a2718b77c'/>
<id>e7729fe245f724c7f46507b506ed6e2a2718b77c</id>
<content type='text'>
[ Upstream commit b55379e343a3472c35f4a1245906db5158cab453 ]

Failed to transmit wmi management frames:

[84977.840894] ath10k_snoc a000000.wifi: wmi mgmt tx queue is full
[84977.840913] ath10k_snoc a000000.wifi: failed to transmit packet, dropping: -28
[84977.840924] ath10k_snoc a000000.wifi: failed to submit frame: -28
[84977.840932] ath10k_snoc a000000.wifi: failed to transmit frame: -28

This issue is caused by a race condition between skb_dequeue and
__skb_queue_tail. The queue ‘wmi_mgmt_tx_queue’ is protected by a
different lock on each side: ar-&gt;data_lock vs list-&gt;lock, with the result
that there is no protection. So when ath10k_mgmt_over_wmi_tx_work() and
ath10k_mac_tx_wmi_mgmt() are running concurrently on different CPUs, there
appears to be a rare corner case when the queue length is 1,

  CPUx (skb_dequeue)			CPUy (__skb_queue_tail)
					next=list
					prev=list
  struct sk_buff *skb = skb_peek(list);	WRITE_ONCE(newsk-&gt;next, next);
  WRITE_ONCE(list-&gt;qlen, list-&gt;qlen - 1);WRITE_ONCE(newsk-&gt;prev, prev);
  next       = skb-&gt;next;		WRITE_ONCE(next-&gt;prev, newsk);
  prev       = skb-&gt;prev;		WRITE_ONCE(prev-&gt;next, newsk);
  skb-&gt;next  = skb-&gt;prev = NULL;	list-&gt;qlen++;
  WRITE_ONCE(next-&gt;prev, prev);
  WRITE_ONCE(prev-&gt;next, next);

If the instruction ‘next = skb-&gt;next’ is executed before
‘WRITE_ONCE(prev-&gt;next, newsk)’, newsk will be lost, as CPUx gets the
old ‘next’ pointer, but the length is still incremented by one. The final
result is that the length of the queue will reach the maximum value but
the queue is empty.

So remove ar-&gt;data_lock, and use 'skb_queue_tail' instead of
'__skb_queue_tail' to prevent the potential race condition. Also switch
to skb_queue_len_lockless, in case we queue a few SKBs simultaneously.

Tested-on: WCN3990 hw1.0 SNOC WLAN.HL.3.1.c2-00033-QCAHLSWMTPLZ-1

Signed-off-by: Miaoqing Pan &lt;miaoqing@codeaurora.org&gt;
Reviewed-by: Brian Norris &lt;briannorris@chromium.org&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Link: https://lore.kernel.org/r/1608618887-8857-1-git-send-email-miaoqing@codeaurora.org
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit b55379e343a3472c35f4a1245906db5158cab453 ]

Failed to transmit wmi management frames:

[84977.840894] ath10k_snoc a000000.wifi: wmi mgmt tx queue is full
[84977.840913] ath10k_snoc a000000.wifi: failed to transmit packet, dropping: -28
[84977.840924] ath10k_snoc a000000.wifi: failed to submit frame: -28
[84977.840932] ath10k_snoc a000000.wifi: failed to transmit frame: -28

This issue is caused by a race condition between skb_dequeue and
__skb_queue_tail. The queue ‘wmi_mgmt_tx_queue’ is protected by a
different lock on each side: ar-&gt;data_lock vs list-&gt;lock, with the result
that there is no protection. So when ath10k_mgmt_over_wmi_tx_work() and
ath10k_mac_tx_wmi_mgmt() are running concurrently on different CPUs, there
appears to be a rare corner case when the queue length is 1,

  CPUx (skb_dequeue)			CPUy (__skb_queue_tail)
					next=list
					prev=list
  struct sk_buff *skb = skb_peek(list);	WRITE_ONCE(newsk-&gt;next, next);
  WRITE_ONCE(list-&gt;qlen, list-&gt;qlen - 1);WRITE_ONCE(newsk-&gt;prev, prev);
  next       = skb-&gt;next;		WRITE_ONCE(next-&gt;prev, newsk);
  prev       = skb-&gt;prev;		WRITE_ONCE(prev-&gt;next, newsk);
  skb-&gt;next  = skb-&gt;prev = NULL;	list-&gt;qlen++;
  WRITE_ONCE(next-&gt;prev, prev);
  WRITE_ONCE(prev-&gt;next, next);

If the instruction ‘next = skb-&gt;next’ is executed before
‘WRITE_ONCE(prev-&gt;next, newsk)’, newsk will be lost, as CPUx gets the
old ‘next’ pointer, but the length is still incremented by one. The final
result is that the length of the queue will reach the maximum value but
the queue is empty.

So remove ar-&gt;data_lock, and use 'skb_queue_tail' instead of
'__skb_queue_tail' to prevent the potential race condition. Also switch
to skb_queue_len_lockless, in case we queue a few SKBs simultaneously.

Tested-on: WCN3990 hw1.0 SNOC WLAN.HL.3.1.c2-00033-QCAHLSWMTPLZ-1

Signed-off-by: Miaoqing Pan &lt;miaoqing@codeaurora.org&gt;
Reviewed-by: Brian Norris &lt;briannorris@chromium.org&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Link: https://lore.kernel.org/r/1608618887-8857-1-git-send-email-miaoqing@codeaurora.org
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ath10k: prevent deinitializing NAPI twice</title>
<updated>2021-03-07T11:35:48+00:00</updated>
<author>
<name>Wen Gong</name>
<email>wgong@codeaurora.org</email>
</author>
<published>2020-12-15T06:35:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=cc8fb7d897e8fb23f278c612811434ec1b40f84f'/>
<id>cc8fb7d897e8fb23f278c612811434ec1b40f84f</id>
<content type='text'>
[ Upstream commit e2f8b74e58cb1560c1399ba94a470b770e858259 ]

A "Kernel panic - not syncing: hung_task: blocked tasks" happened when
testing a simulated crash while running ifconfig down/rmmod at the same time.

Test steps:

1. Test commands; any of them can reproduce the hang for PCIe, SDIO and SNOC.
echo soft &gt; /sys/kernel/debug/ieee80211/phy0/ath10k/simulate_fw_crash;sleep 0.05;ifconfig wlan0 down
echo soft &gt; /sys/kernel/debug/ieee80211/phy0/ath10k/simulate_fw_crash;rmmod ath10k_sdio
echo hw-restart &gt; /sys/kernel/debug/ieee80211/phy0/ath10k/simulate_fw_crash;rmmod ath10k_pci

2. dmesg:
[ 5622.548630] ath10k_sdio mmc1:0001:1: simulating soft firmware crash
[ 5622.655995] ieee80211 phy0: Hardware restart was requested
[ 5776.355164] INFO: task shill:1572 blocked for more than 122 seconds.
[ 5776.355687] INFO: task kworker/1:2:24437 blocked for more than 122 seconds.
[ 5776.359812] Kernel panic - not syncing: hung_task: blocked tasks
[ 5776.359836] CPU: 1 PID: 55 Comm: khungtaskd Tainted: G        W         4.19.86 #137
[ 5776.359846] Hardware name: MediaTek krane sku176 board (DT)
[ 5776.359855] Call trace:
[ 5776.359868]  dump_backtrace+0x0/0x170
[ 5776.359881]  show_stack+0x20/0x2c
[ 5776.359896]  dump_stack+0xd4/0x10c
[ 5776.359916]  panic+0x12c/0x29c
[ 5776.359937]  hung_task_panic+0x0/0x50
[ 5776.359953]  kthread+0x120/0x130
[ 5776.359965]  ret_from_fork+0x10/0x18
[ 5776.359986] SMP: stopping secondary CPUs
[ 5776.360012] Kernel Offset: 0x141ea00000 from 0xffffff8008000000
[ 5776.360026] CPU features: 0x0,2188200c
[ 5776.360035] Memory Limit: none

The command "ifconfig wlan0 down" or "rmmod ath10k_sdio" will be blocked.
callstack of ifconfig:
[&lt;0&gt;] __switch_to+0x120/0x13c
[&lt;0&gt;] msleep+0x28/0x38
[&lt;0&gt;] ath10k_sdio_hif_stop+0x24c/0x294 [ath10k_sdio]
[&lt;0&gt;] ath10k_core_stop+0x50/0x78 [ath10k_core]
[&lt;0&gt;] ath10k_halt+0x120/0x178 [ath10k_core]
[&lt;0&gt;] ath10k_stop+0x4c/0x8c [ath10k_core]
[&lt;0&gt;] drv_stop+0xe0/0x1e4 [mac80211]
[&lt;0&gt;] ieee80211_stop_device+0x48/0x54 [mac80211]
[&lt;0&gt;] ieee80211_do_stop+0x678/0x6f8 [mac80211]
[&lt;0&gt;] ieee80211_stop+0x20/0x30 [mac80211]
[&lt;0&gt;] __dev_close_many+0xb8/0x11c
[&lt;0&gt;] __dev_change_flags+0xe0/0x1d0
[&lt;0&gt;] dev_change_flags+0x30/0x6c
[&lt;0&gt;] devinet_ioctl+0x370/0x564
[&lt;0&gt;] inet_ioctl+0xdc/0x304
[&lt;0&gt;] sock_do_ioctl+0x50/0x288
[&lt;0&gt;] compat_sock_ioctl+0x1b4/0x1aac
[&lt;0&gt;] __se_compat_sys_ioctl+0x100/0x26fc
[&lt;0&gt;] __arm64_compat_sys_ioctl+0x20/0x2c
[&lt;0&gt;] el0_svc_common+0xa4/0x154
[&lt;0&gt;] el0_svc_compat_handler+0x2c/0x38
[&lt;0&gt;] el0_svc_compat+0x8/0x18
[&lt;0&gt;] 0xffffffffffffffff

callstack of rmmod:
[&lt;0&gt;] __switch_to+0x120/0x13c
[&lt;0&gt;] msleep+0x28/0x38
[&lt;0&gt;] ath10k_sdio_hif_stop+0x294/0x31c [ath10k_sdio]
[&lt;0&gt;] ath10k_core_stop+0x50/0x78 [ath10k_core]
[&lt;0&gt;] ath10k_halt+0x120/0x178 [ath10k_core]
[&lt;0&gt;] ath10k_stop+0x4c/0x8c [ath10k_core]
[&lt;0&gt;] drv_stop+0xe0/0x1e4 [mac80211]
[&lt;0&gt;] ieee80211_stop_device+0x48/0x54 [mac80211]
[&lt;0&gt;] ieee80211_do_stop+0x678/0x6f8 [mac80211]
[&lt;0&gt;] ieee80211_stop+0x20/0x30 [mac80211]
[&lt;0&gt;] __dev_close_many+0xb8/0x11c
[&lt;0&gt;] dev_close_many+0x70/0x100
[&lt;0&gt;] dev_close+0x4c/0x80
[&lt;0&gt;] cfg80211_shutdown_all_interfaces+0x50/0xcc [cfg80211]
[&lt;0&gt;] ieee80211_remove_interfaces+0x58/0x1a0 [mac80211]
[&lt;0&gt;] ieee80211_unregister_hw+0x40/0x100 [mac80211]
[&lt;0&gt;] ath10k_mac_unregister+0x1c/0x44 [ath10k_core]
[&lt;0&gt;] ath10k_core_unregister+0x38/0x7c [ath10k_core]
[&lt;0&gt;] ath10k_sdio_remove+0x8c/0xd0 [ath10k_sdio]
[&lt;0&gt;] sdio_bus_remove+0x48/0x108
[&lt;0&gt;] device_release_driver_internal+0x138/0x1ec
[&lt;0&gt;] driver_detach+0x6c/0xa8
[&lt;0&gt;] bus_remove_driver+0x78/0xa8
[&lt;0&gt;] driver_unregister+0x30/0x50
[&lt;0&gt;] sdio_unregister_driver+0x28/0x34
[&lt;0&gt;] cleanup_module+0x14/0x6bc [ath10k_sdio]
[&lt;0&gt;] __arm64_sys_delete_module+0x1e0/0x22c
[&lt;0&gt;] el0_svc_common+0xa4/0x154
[&lt;0&gt;] el0_svc_compat_handler+0x2c/0x38
[&lt;0&gt;] el0_svc_compat+0x8/0x18
[&lt;0&gt;] 0xffffffffffffffff

SNOC:
[  647.156863] Call trace:
[  647.162166] [&lt;ffffff80080855a4&gt;] __switch_to+0x120/0x13c
[  647.164512] [&lt;ffffff800899d8b8&gt;] __schedule+0x5ec/0x798
[  647.170062] [&lt;ffffff800899dad8&gt;] schedule+0x74/0x94
[  647.175050] [&lt;ffffff80089a0848&gt;] schedule_timeout+0x314/0x42c
[  647.179874] [&lt;ffffff80089a0a14&gt;] schedule_timeout_uninterruptible+0x34/0x40
[  647.185780] [&lt;ffffff80082a494&gt;] msleep+0x28/0x38
[  647.192546] [&lt;ffffff800117ec4c&gt;] ath10k_snoc_hif_stop+0x4c/0x1e0 [ath10k_snoc]
[  647.197439] [&lt;ffffff80010dfbd8&gt;] ath10k_core_stop+0x50/0x7c [ath10k_core]
[  647.204652] [&lt;ffffff80010c8f48&gt;] ath10k_halt+0x114/0x16c [ath10k_core]
[  647.211420] [&lt;ffffff80010cad68&gt;] ath10k_stop+0x4c/0x88 [ath10k_core]
[  647.217865] [&lt;ffffff8000fdbf54&gt;] drv_stop+0x110/0x244 [mac80211]
[  647.224367] [&lt;ffffff80010147ac&gt;] ieee80211_stop_device+0x48/0x54 [mac80211]
[  647.230359] [&lt;ffffff8000ff3eec&gt;] ieee80211_do_stop+0x6a4/0x73c [mac80211]
[  647.237033] [&lt;ffffff8000ff4500&gt;] ieee80211_stop+0x20/0x30 [mac80211]
[  647.243942] [&lt;ffffff80087e39b8&gt;] __dev_close_many+0xa0/0xfc
[  647.250435] [&lt;ffffff80087e3888&gt;] dev_close_many+0x70/0x100
[  647.255651] [&lt;ffffff80087e3a60&gt;] dev_close+0x4c/0x80
[  647.261244] [&lt;ffffff8000f1ba54&gt;] cfg80211_shutdown_all_interfaces+0x44/0xcc [cfg80211]
[  647.266383] [&lt;ffffff8000ff3fdc&gt;] ieee80211_remove_interfaces+0x58/0x1b4 [mac80211]
[  647.274128] [&lt;ffffff8000fda540&gt;] ieee80211_unregister_hw+0x50/0x120 [mac80211]
[  647.281659] [&lt;ffffff80010ca314&gt;] ath10k_mac_unregister+0x1c/0x44 [ath10k_core]
[  647.288839] [&lt;ffffff80010dfc94&gt;] ath10k_core_unregister+0x48/0x90 [ath10k_core]
[  647.296027] [&lt;ffffff800117e598&gt;] ath10k_snoc_remove+0x5c/0x150 [ath10k_snoc]
[  647.303229] [&lt;ffffff80085625fc&gt;] platform_drv_remove+0x28/0x50
[  647.310517] [&lt;ffffff80085601a4&gt;] device_release_driver_internal+0x114/0x1b8
[  647.316257] [&lt;ffffff80085602e4&gt;] driver_detach+0x6c/0xa8
[  647.323021] [&lt;ffffff800855e5b8&gt;] bus_remove_driver+0x78/0xa8
[  647.328571] [&lt;ffffff800856107c&gt;] driver_unregister+0x30/0x50
[  647.334213] [&lt;ffffff8008562674&gt;] platform_driver_unregister+0x1c/0x28
[  647.339876] [&lt;ffffff800117fefc&gt;] cleanup_module+0x1c/0x120 [ath10k_snoc]
[  647.346196] [&lt;ffffff8008143ab8&gt;] SyS_delete_module+0x1dc/0x22c

PCIe:
[  615.392770] rmmod           D    0  3523   3458 0x00000080
[  615.392777] Call Trace:
[  615.392784]  __schedule+0x617/0x7d3
[  615.392791]  ? __mod_timer+0x263/0x35c
[  615.392797]  schedule+0x62/0x72
[  615.392803]  schedule_timeout+0x8d/0xf3
[  615.392809]  ? run_local_timers+0x6b/0x6b
[  615.392814]  msleep+0x1b/0x22
[  615.392824]  ath10k_pci_hif_stop+0x68/0xd6 [ath10k_pci]
[  615.392844]  ath10k_core_stop+0x44/0x67 [ath10k_core]
[  615.392859]  ath10k_halt+0x102/0x153 [ath10k_core]
[  615.392873]  ath10k_stop+0x38/0x75 [ath10k_core]
[  615.392893]  drv_stop+0x9a/0x13c [mac80211]
[  615.392915]  ieee80211_do_stop+0x772/0x7cd [mac80211]
[  615.392937]  ieee80211_stop+0x1a/0x1e [mac80211]
[  615.392945]  __dev_close_many+0x9e/0xf0
[  615.392952]  dev_close_many+0x62/0xe8
[  615.392958]  dev_close+0x54/0x7d
[  615.392975]  cfg80211_shutdown_all_interfaces+0x6e/0xa5 [cfg80211]
[  615.393021]  ieee80211_remove_interfaces+0x52/0x1aa [mac80211]
[  615.393049]  ieee80211_unregister_hw+0x54/0x136 [mac80211]
[  615.393068]  ath10k_mac_unregister+0x19/0x4a [ath10k_core]
[  615.393091]  ath10k_core_unregister+0x39/0x7e [ath10k_core]
[  615.393104]  ath10k_pci_remove+0x3d/0x7f [ath10k_pci]
[  615.393117]  pci_device_remove+0x41/0xa6
[  615.393129]  device_release_driver_internal+0x123/0x1ec
[  615.393140]  driver_detach+0x60/0x90
[  615.393152]  bus_remove_driver+0x72/0x9f
[  615.393164]  pci_unregister_driver+0x1e/0x87
[  615.393177]  SyS_delete_module+0x1d7/0x277
[  615.393188]  do_syscall_64+0x6b/0xf7
[  615.393199]  entry_SYSCALL_64_after_hwframe+0x41/0xa6

The test command runs simulate_fw_crash first, which calls into
ath10k_sdio_hif_stop from ath10k_core_restart; then napi_disable
is called and bit NAPI_STATE_SCHED is set. After that, the function
ath10k_sdio_hif_stop is called again from ath10k_stop by the command
"ifconfig wlan0 down" or "rmmod ath10k_sdio", and that command blocks.

It is blocked in napi_synchronize: napi_disable sets the bit
NAPI_STATE_SCHED, and then napi_synchronize enters an endless loop
because bit NAPI_STATE_SCHED was set by napi_disable.

function of napi_synchronize
static inline void napi_synchronize(const struct napi_struct *n)
{
	if (IS_ENABLED(CONFIG_SMP))
		while (test_bit(NAPI_STATE_SCHED, &amp;n-&gt;state))
			msleep(1);
	else
		barrier();
}

function of napi_disable
void napi_disable(struct napi_struct *n)
{
	might_sleep();
	set_bit(NAPI_STATE_DISABLE, &amp;n-&gt;state);

	while (test_and_set_bit(NAPI_STATE_SCHED, &amp;n-&gt;state))
		msleep(1);
	while (test_and_set_bit(NAPI_STATE_NPSVC, &amp;n-&gt;state))
		msleep(1);

	hrtimer_cancel(&amp;n-&gt;timer);

	clear_bit(NAPI_STATE_DISABLE, &amp;n-&gt;state);
}

Add a flag for it to avoid the hang and crash.

Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00049
Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1
Tested-on: WCN3990 hw1.0 SNOC hw1.0 WLAN.HL.3.1-01307.1-QCAHLSWMTPL-2

Signed-off-by: Wen Gong &lt;wgong@codeaurora.org&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Link: https://lore.kernel.org/r/1598617348-2325-1-git-send-email-wgong@codeaurora.org
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit e2f8b74e58cb1560c1399ba94a470b770e858259 ]

A "Kernel panic - not syncing: hung_task: blocked tasks" happened when
testing a simulated crash while running ifconfig down/rmmod at the same time.

Test steps:

1. Test commands; any of them can reproduce the hang for PCIe, SDIO and SNOC.
echo soft &gt; /sys/kernel/debug/ieee80211/phy0/ath10k/simulate_fw_crash;sleep 0.05;ifconfig wlan0 down
echo soft &gt; /sys/kernel/debug/ieee80211/phy0/ath10k/simulate_fw_crash;rmmod ath10k_sdio
echo hw-restart &gt; /sys/kernel/debug/ieee80211/phy0/ath10k/simulate_fw_crash;rmmod ath10k_pci

2. dmesg:
[ 5622.548630] ath10k_sdio mmc1:0001:1: simulating soft firmware crash
[ 5622.655995] ieee80211 phy0: Hardware restart was requested
[ 5776.355164] INFO: task shill:1572 blocked for more than 122 seconds.
[ 5776.355687] INFO: task kworker/1:2:24437 blocked for more than 122 seconds.
[ 5776.359812] Kernel panic - not syncing: hung_task: blocked tasks
[ 5776.359836] CPU: 1 PID: 55 Comm: khungtaskd Tainted: G        W         4.19.86 #137
[ 5776.359846] Hardware name: MediaTek krane sku176 board (DT)
[ 5776.359855] Call trace:
[ 5776.359868]  dump_backtrace+0x0/0x170
[ 5776.359881]  show_stack+0x20/0x2c
[ 5776.359896]  dump_stack+0xd4/0x10c
[ 5776.359916]  panic+0x12c/0x29c
[ 5776.359937]  hung_task_panic+0x0/0x50
[ 5776.359953]  kthread+0x120/0x130
[ 5776.359965]  ret_from_fork+0x10/0x18
[ 5776.359986] SMP: stopping secondary CPUs
[ 5776.360012] Kernel Offset: 0x141ea00000 from 0xffffff8008000000
[ 5776.360026] CPU features: 0x0,2188200c
[ 5776.360035] Memory Limit: none

The command "ifconfig wlan0 down" or "rmmod ath10k_sdio" will be blocked.
callstack of ifconfig:
[&lt;0&gt;] __switch_to+0x120/0x13c
[&lt;0&gt;] msleep+0x28/0x38
[&lt;0&gt;] ath10k_sdio_hif_stop+0x24c/0x294 [ath10k_sdio]
[&lt;0&gt;] ath10k_core_stop+0x50/0x78 [ath10k_core]
[&lt;0&gt;] ath10k_halt+0x120/0x178 [ath10k_core]
[&lt;0&gt;] ath10k_stop+0x4c/0x8c [ath10k_core]
[&lt;0&gt;] drv_stop+0xe0/0x1e4 [mac80211]
[&lt;0&gt;] ieee80211_stop_device+0x48/0x54 [mac80211]
[&lt;0&gt;] ieee80211_do_stop+0x678/0x6f8 [mac80211]
[&lt;0&gt;] ieee80211_stop+0x20/0x30 [mac80211]
[&lt;0&gt;] __dev_close_many+0xb8/0x11c
[&lt;0&gt;] __dev_change_flags+0xe0/0x1d0
[&lt;0&gt;] dev_change_flags+0x30/0x6c
[&lt;0&gt;] devinet_ioctl+0x370/0x564
[&lt;0&gt;] inet_ioctl+0xdc/0x304
[&lt;0&gt;] sock_do_ioctl+0x50/0x288
[&lt;0&gt;] compat_sock_ioctl+0x1b4/0x1aac
[&lt;0&gt;] __se_compat_sys_ioctl+0x100/0x26fc
[&lt;0&gt;] __arm64_compat_sys_ioctl+0x20/0x2c
[&lt;0&gt;] el0_svc_common+0xa4/0x154
[&lt;0&gt;] el0_svc_compat_handler+0x2c/0x38
[&lt;0&gt;] el0_svc_compat+0x8/0x18
[&lt;0&gt;] 0xffffffffffffffff

callstack of rmmod:
[&lt;0&gt;] __switch_to+0x120/0x13c
[&lt;0&gt;] msleep+0x28/0x38
[&lt;0&gt;] ath10k_sdio_hif_stop+0x294/0x31c [ath10k_sdio]
[&lt;0&gt;] ath10k_core_stop+0x50/0x78 [ath10k_core]
[&lt;0&gt;] ath10k_halt+0x120/0x178 [ath10k_core]
[&lt;0&gt;] ath10k_stop+0x4c/0x8c [ath10k_core]
[&lt;0&gt;] drv_stop+0xe0/0x1e4 [mac80211]
[&lt;0&gt;] ieee80211_stop_device+0x48/0x54 [mac80211]
[&lt;0&gt;] ieee80211_do_stop+0x678/0x6f8 [mac80211]
[&lt;0&gt;] ieee80211_stop+0x20/0x30 [mac80211]
[&lt;0&gt;] __dev_close_many+0xb8/0x11c
[&lt;0&gt;] dev_close_many+0x70/0x100
[&lt;0&gt;] dev_close+0x4c/0x80
[&lt;0&gt;] cfg80211_shutdown_all_interfaces+0x50/0xcc [cfg80211]
[&lt;0&gt;] ieee80211_remove_interfaces+0x58/0x1a0 [mac80211]
[&lt;0&gt;] ieee80211_unregister_hw+0x40/0x100 [mac80211]
[&lt;0&gt;] ath10k_mac_unregister+0x1c/0x44 [ath10k_core]
[&lt;0&gt;] ath10k_core_unregister+0x38/0x7c [ath10k_core]
[&lt;0&gt;] ath10k_sdio_remove+0x8c/0xd0 [ath10k_sdio]
[&lt;0&gt;] sdio_bus_remove+0x48/0x108
[&lt;0&gt;] device_release_driver_internal+0x138/0x1ec
[&lt;0&gt;] driver_detach+0x6c/0xa8
[&lt;0&gt;] bus_remove_driver+0x78/0xa8
[&lt;0&gt;] driver_unregister+0x30/0x50
[&lt;0&gt;] sdio_unregister_driver+0x28/0x34
[&lt;0&gt;] cleanup_module+0x14/0x6bc [ath10k_sdio]
[&lt;0&gt;] __arm64_sys_delete_module+0x1e0/0x22c
[&lt;0&gt;] el0_svc_common+0xa4/0x154
[&lt;0&gt;] el0_svc_compat_handler+0x2c/0x38
[&lt;0&gt;] el0_svc_compat+0x8/0x18
[&lt;0&gt;] 0xffffffffffffffff

SNOC:
[  647.156863] Call trace:
[  647.162166] [&lt;ffffff80080855a4&gt;] __switch_to+0x120/0x13c
[  647.164512] [&lt;ffffff800899d8b8&gt;] __schedule+0x5ec/0x798
[  647.170062] [&lt;ffffff800899dad8&gt;] schedule+0x74/0x94
[  647.175050] [&lt;ffffff80089a0848&gt;] schedule_timeout+0x314/0x42c
[  647.179874] [&lt;ffffff80089a0a14&gt;] schedule_timeout_uninterruptible+0x34/0x40
[  647.185780] [&lt;ffffff80082a494&gt;] msleep+0x28/0x38
[  647.192546] [&lt;ffffff800117ec4c&gt;] ath10k_snoc_hif_stop+0x4c/0x1e0 [ath10k_snoc]
[  647.197439] [&lt;ffffff80010dfbd8&gt;] ath10k_core_stop+0x50/0x7c [ath10k_core]
[  647.204652] [&lt;ffffff80010c8f48&gt;] ath10k_halt+0x114/0x16c [ath10k_core]
[  647.211420] [&lt;ffffff80010cad68&gt;] ath10k_stop+0x4c/0x88 [ath10k_core]
[  647.217865] [&lt;ffffff8000fdbf54&gt;] drv_stop+0x110/0x244 [mac80211]
[  647.224367] [&lt;ffffff80010147ac&gt;] ieee80211_stop_device+0x48/0x54 [mac80211]
[  647.230359] [&lt;ffffff8000ff3eec&gt;] ieee80211_do_stop+0x6a4/0x73c [mac80211]
[  647.237033] [&lt;ffffff8000ff4500&gt;] ieee80211_stop+0x20/0x30 [mac80211]
[  647.243942] [&lt;ffffff80087e39b8&gt;] __dev_close_many+0xa0/0xfc
[  647.250435] [&lt;ffffff80087e3888&gt;] dev_close_many+0x70/0x100
[  647.255651] [&lt;ffffff80087e3a60&gt;] dev_close+0x4c/0x80
[  647.261244] [&lt;ffffff8000f1ba54&gt;] cfg80211_shutdown_all_interfaces+0x44/0xcc [cfg80211]
[  647.266383] [&lt;ffffff8000ff3fdc&gt;] ieee80211_remove_interfaces+0x58/0x1b4 [mac80211]
[  647.274128] [&lt;ffffff8000fda540&gt;] ieee80211_unregister_hw+0x50/0x120 [mac80211]
[  647.281659] [&lt;ffffff80010ca314&gt;] ath10k_mac_unregister+0x1c/0x44 [ath10k_core]
[  647.288839] [&lt;ffffff80010dfc94&gt;] ath10k_core_unregister+0x48/0x90 [ath10k_core]
[  647.296027] [&lt;ffffff800117e598&gt;] ath10k_snoc_remove+0x5c/0x150 [ath10k_snoc]
[  647.303229] [&lt;ffffff80085625fc&gt;] platform_drv_remove+0x28/0x50
[  647.310517] [&lt;ffffff80085601a4&gt;] device_release_driver_internal+0x114/0x1b8
[  647.316257] [&lt;ffffff80085602e4&gt;] driver_detach+0x6c/0xa8
[  647.323021] [&lt;ffffff800855e5b8&gt;] bus_remove_driver+0x78/0xa8
[  647.328571] [&lt;ffffff800856107c&gt;] driver_unregister+0x30/0x50
[  647.334213] [&lt;ffffff8008562674&gt;] platform_driver_unregister+0x1c/0x28
[  647.339876] [&lt;ffffff800117fefc&gt;] cleanup_module+0x1c/0x120 [ath10k_snoc]
[  647.346196] [&lt;ffffff8008143ab8&gt;] SyS_delete_module+0x1dc/0x22c

PCIe:
[  615.392770] rmmod           D    0  3523   3458 0x00000080
[  615.392777] Call Trace:
[  615.392784]  __schedule+0x617/0x7d3
[  615.392791]  ? __mod_timer+0x263/0x35c
[  615.392797]  schedule+0x62/0x72
[  615.392803]  schedule_timeout+0x8d/0xf3
[  615.392809]  ? run_local_timers+0x6b/0x6b
[  615.392814]  msleep+0x1b/0x22
[  615.392824]  ath10k_pci_hif_stop+0x68/0xd6 [ath10k_pci]
[  615.392844]  ath10k_core_stop+0x44/0x67 [ath10k_core]
[  615.392859]  ath10k_halt+0x102/0x153 [ath10k_core]
[  615.392873]  ath10k_stop+0x38/0x75 [ath10k_core]
[  615.392893]  drv_stop+0x9a/0x13c [mac80211]
[  615.392915]  ieee80211_do_stop+0x772/0x7cd [mac80211]
[  615.392937]  ieee80211_stop+0x1a/0x1e [mac80211]
[  615.392945]  __dev_close_many+0x9e/0xf0
[  615.392952]  dev_close_many+0x62/0xe8
[  615.392958]  dev_close+0x54/0x7d
[  615.392975]  cfg80211_shutdown_all_interfaces+0x6e/0xa5 [cfg80211]
[  615.393021]  ieee80211_remove_interfaces+0x52/0x1aa [mac80211]
[  615.393049]  ieee80211_unregister_hw+0x54/0x136 [mac80211]
[  615.393068]  ath10k_mac_unregister+0x19/0x4a [ath10k_core]
[  615.393091]  ath10k_core_unregister+0x39/0x7e [ath10k_core]
[  615.393104]  ath10k_pci_remove+0x3d/0x7f [ath10k_pci]
[  615.393117]  pci_device_remove+0x41/0xa6
[  615.393129]  device_release_driver_internal+0x123/0x1ec
[  615.393140]  driver_detach+0x60/0x90
[  615.393152]  bus_remove_driver+0x72/0x9f
[  615.393164]  pci_unregister_driver+0x1e/0x87
[  615.393177]  SyS_delete_module+0x1d7/0x277
[  615.393188]  do_syscall_64+0x6b/0xf7
[  615.393199]  entry_SYSCALL_64_after_hwframe+0x41/0xa6

The test command runs simulate_fw_crash first, which calls into
ath10k_sdio_hif_stop from ath10k_core_restart; then napi_disable
is called and bit NAPI_STATE_SCHED is set. After that, the function
ath10k_sdio_hif_stop is called again from ath10k_stop by the command
"ifconfig wlan0 down" or "rmmod ath10k_sdio", and that command blocks.

It is blocked in napi_synchronize: napi_disable sets the bit
NAPI_STATE_SCHED, and then napi_synchronize enters an endless loop
because bit NAPI_STATE_SCHED was set by napi_disable.

function of napi_synchronize
static inline void napi_synchronize(const struct napi_struct *n)
{
	if (IS_ENABLED(CONFIG_SMP))
		while (test_bit(NAPI_STATE_SCHED, &amp;n-&gt;state))
			msleep(1);
	else
		barrier();
}

function of napi_disable
void napi_disable(struct napi_struct *n)
{
	might_sleep();
	set_bit(NAPI_STATE_DISABLE, &amp;n-&gt;state);

	while (test_and_set_bit(NAPI_STATE_SCHED, &amp;n-&gt;state))
		msleep(1);
	while (test_and_set_bit(NAPI_STATE_NPSVC, &amp;n-&gt;state))
		msleep(1);

	hrtimer_cancel(&amp;n-&gt;timer);

	clear_bit(NAPI_STATE_DISABLE, &amp;n-&gt;state);
}

Add a flag for it to avoid the hang and crash.

Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00049
Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1
Tested-on: WCN3990 hw1.0 SNOC hw1.0 WLAN.HL.3.1-01307.1-QCAHLSWMTPL-2

Signed-off-by: Wen Gong &lt;wgong@codeaurora.org&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Link: https://lore.kernel.org/r/1598617348-2325-1-git-send-email-wgong@codeaurora.org
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
