| Message ID | 20250617104902.146e10919be1.I85f352ca4a2dce6f556e5ff45ceaa5f3769cb5ce@changeid |
|---|---|
| State | New |
| Headers | show |
| Series | [wireless] wifi: mac80211: don't WARN for late channel/color switch | expand |
> From: Johannes Berg <johannes.berg@intel.com> > > There's really no value in the WARN stack trace etc., the reason > for this happening isn't directly related to the calling function > anyway. Also, syzbot has been observing it constantly, and there's > no way we can resolve it there - those systems are just slow. > > Instead print an error message (once) and add a comment about what > really causes this message. > > Reported-by: syzbot+468656785707b0e995df@syzkaller.appspotmail.com > Reported-by: syzbot+18c783c5cf6a781e3e2c@syzkaller.appspotmail.com > Reported-by: syzbot+d5924d5cffddfccab68e@syzkaller.appspotmail.com > Reported-by: syzbot+7d73d99525d1ff7752ef@syzkaller.appspotmail.com > Reported-by: syzbot+8e6e002c74d1927edaf5@syzkaller.appspotmail.com > Reported-by: syzbot+97254a3b10c541879a65@syzkaller.appspotmail.com > Reported-by: syzbot+dfd1fd46a1960ad9c6ec@syzkaller.appspotmail.com > Reported-by: syzbot+85e0b8d12d9ca877d806@syzkaller.appspotmail.com > Signed-off-by: Johannes Berg <johannes.berg@intel.com> > --- > #syz test This crash does not have a reproducer. I cannot test it. > --- > net/mac80211/debug.h | 5 ++++- > net/mac80211/tx.c | 29 +++++++++++++++++++++-------- > 2 files changed, 25 insertions(+), 9 deletions(-) > > diff --git a/net/mac80211/debug.h b/net/mac80211/debug.h > index 5b81998cb0c9..ef7c1a68d88d 100644 > --- a/net/mac80211/debug.h > +++ b/net/mac80211/debug.h > @@ -1,10 +1,11 @@ > /* SPDX-License-Identifier: GPL-2.0 */ > /* > * Portions > - * Copyright (C) 2022 - 2024 Intel Corporation > + * Copyright (C) 2022 - 2025 Intel Corporation > */ > #ifndef __MAC80211_DEBUG_H > #define __MAC80211_DEBUG_H > +#include <linux/once_lite.h> > #include <net/cfg80211.h> > > #ifdef CONFIG_MAC80211_OCB_DEBUG > @@ -152,6 +153,8 @@ do { \ > else \ > _sdata_err((link)->sdata, fmt, ##__VA_ARGS__); \ > } while (0) > +#define link_err_once(link, fmt, ...) \ > + DO_ONCE_LITE(link_err, link, fmt, ##__VA_ARGS__) > #define link_id_info(sdata, link_id, fmt, ...) \ > do { \ > if (ieee80211_vif_is_mld(&sdata->vif)) \ > diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c > index d8d4f3d7d7f2..d58b80813bdd 100644 > --- a/net/mac80211/tx.c > +++ b/net/mac80211/tx.c > @@ -5,7 +5,7 @@ > * Copyright 2006-2007 Jiri Benc <jbenc@suse.cz> > * Copyright 2007 Johannes Berg <johannes@sipsolutions.net> > * Copyright 2013-2014 Intel Mobile Communications GmbH > - * Copyright (C) 2018-2024 Intel Corporation > + * Copyright (C) 2018-2025 Intel Corporation > * > * Transmit and frame generation functions. > */ > @@ -5016,12 +5016,25 @@ static void ieee80211_set_beacon_cntdwn(struct ieee80211_sub_if_data *sdata, > } > } > > -static u8 __ieee80211_beacon_update_cntdwn(struct beacon_data *beacon) > +static u8 __ieee80211_beacon_update_cntdwn(struct ieee80211_link_data *link, > + struct beacon_data *beacon) > { > - beacon->cntdwn_current_counter--; > + if (beacon->cntdwn_current_counter == 1) { > + /* > + * Channel switch handling is done by a worker thread while > + * beacons get pulled from hardware timers. It's therefore > + * possible that software threads are slow enough to not be > + * able to complete CSA handling in a single beacon interval, > + * in which case we get here. There isn't much to do about > + * it, other than letting the user know that the AP isn't > + * behaving correctly. > + */ > + link_err_once(link, > + "beacon TX faster than countdown (channel/color switch) completion\n"); > + return 0; > + } > > - /* the counter should never reach 0 */ > - WARN_ON_ONCE(!beacon->cntdwn_current_counter); > + beacon->cntdwn_current_counter--; > > return beacon->cntdwn_current_counter; > } > @@ -5052,7 +5065,7 @@ u8 ieee80211_beacon_update_cntdwn(struct ieee80211_vif *vif, unsigned int link_i > if (!beacon) > goto unlock; > > - count = __ieee80211_beacon_update_cntdwn(beacon); > + count = __ieee80211_beacon_update_cntdwn(link, beacon); > > unlock: > rcu_read_unlock(); > @@ -5450,7 +5463,7 @@ __ieee80211_beacon_get(struct ieee80211_hw *hw, > > if (beacon->cntdwn_counter_offsets[0]) { > if (!is_template) > - __ieee80211_beacon_update_cntdwn(beacon); > + __ieee80211_beacon_update_cntdwn(link, beacon); > > ieee80211_set_beacon_cntdwn(sdata, beacon, link); > } > @@ -5482,7 +5495,7 @@ __ieee80211_beacon_get(struct ieee80211_hw *hw, > * for now we leave it consistent with overall > * mac80211's behavior. > */ > - __ieee80211_beacon_update_cntdwn(beacon); > + __ieee80211_beacon_update_cntdwn(link, beacon); > > ieee80211_set_beacon_cntdwn(sdata, beacon, link); > } > -- > 2.49.0 >
> From: Johannes Berg <johannes.berg@intel.com> > > There's really no value in the WARN stack trace etc., the reason > for this happening isn't directly related to the calling function > anyway. Also, syzbot has been observing it constantly, and there's > no way we can resolve it there - those systems are just slow. > > Instead print an error message (once) and add a comment about what > really causes this message. > > Reported-by: syzbot+468656785707b0e995df@syzkaller.appspotmail.com > Reported-by: syzbot+18c783c5cf6a781e3e2c@syzkaller.appspotmail.com > Reported-by: syzbot+d5924d5cffddfccab68e@syzkaller.appspotmail.com > Reported-by: syzbot+7d73d99525d1ff7752ef@syzkaller.appspotmail.com > Reported-by: syzbot+8e6e002c74d1927edaf5@syzkaller.appspotmail.com > Reported-by: syzbot+97254a3b10c541879a65@syzkaller.appspotmail.com > Reported-by: syzbot+dfd1fd46a1960ad9c6ec@syzkaller.appspotmail.com > Reported-by: syzbot+85e0b8d12d9ca877d806@syzkaller.appspotmail.com > Signed-off-by: Johannes Berg <johannes.berg@intel.com> > --- > #syz test This crash does not have a reproducer. I cannot test it. > --- > net/mac80211/debug.h | 5 ++++- > net/mac80211/tx.c | 29 +++++++++++++++++++++-------- > 2 files changed, 25 insertions(+), 9 deletions(-) > > diff --git a/net/mac80211/debug.h b/net/mac80211/debug.h > index 5b81998cb0c9..ef7c1a68d88d 100644 > --- a/net/mac80211/debug.h > +++ b/net/mac80211/debug.h > @@ -1,10 +1,11 @@ > /* SPDX-License-Identifier: GPL-2.0 */ > /* > * Portions > - * Copyright (C) 2022 - 2024 Intel Corporation > + * Copyright (C) 2022 - 2025 Intel Corporation > */ > #ifndef __MAC80211_DEBUG_H > #define __MAC80211_DEBUG_H > +#include <linux/once_lite.h> > #include <net/cfg80211.h> > > #ifdef CONFIG_MAC80211_OCB_DEBUG > @@ -152,6 +153,8 @@ do { \ > else \ > _sdata_err((link)->sdata, fmt, ##__VA_ARGS__); \ > } while (0) > +#define link_err_once(link, fmt, ...) \ > + DO_ONCE_LITE(link_err, link, fmt, ##__VA_ARGS__) > #define link_id_info(sdata, link_id, fmt, ...) \ > do { \ > if (ieee80211_vif_is_mld(&sdata->vif)) \ > diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c > index d8d4f3d7d7f2..d58b80813bdd 100644 > --- a/net/mac80211/tx.c > +++ b/net/mac80211/tx.c > @@ -5,7 +5,7 @@ > * Copyright 2006-2007 Jiri Benc <jbenc@suse.cz> > * Copyright 2007 Johannes Berg <johannes@sipsolutions.net> > * Copyright 2013-2014 Intel Mobile Communications GmbH > - * Copyright (C) 2018-2024 Intel Corporation > + * Copyright (C) 2018-2025 Intel Corporation > * > * Transmit and frame generation functions. > */ > @@ -5016,12 +5016,25 @@ static void ieee80211_set_beacon_cntdwn(struct ieee80211_sub_if_data *sdata, > } > } > > -static u8 __ieee80211_beacon_update_cntdwn(struct beacon_data *beacon) > +static u8 __ieee80211_beacon_update_cntdwn(struct ieee80211_link_data *link, > + struct beacon_data *beacon) > { > - beacon->cntdwn_current_counter--; > + if (beacon->cntdwn_current_counter == 1) { > + /* > + * Channel switch handling is done by a worker thread while > + * beacons get pulled from hardware timers. It's therefore > + * possible that software threads are slow enough to not be > + * able to complete CSA handling in a single beacon interval, > + * in which case we get here. There isn't much to do about > + * it, other than letting the user know that the AP isn't > + * behaving correctly. > + */ > + link_err_once(link, > + "beacon TX faster than countdown (channel/color switch) completion\n"); > + return 0; > + } > > - /* the counter should never reach 0 */ > - WARN_ON_ONCE(!beacon->cntdwn_current_counter); > + beacon->cntdwn_current_counter--; > > return beacon->cntdwn_current_counter; > } > @@ -5052,7 +5065,7 @@ u8 ieee80211_beacon_update_cntdwn(struct ieee80211_vif *vif, unsigned int link_i > if (!beacon) > goto unlock; > > - count = __ieee80211_beacon_update_cntdwn(beacon); > + count = __ieee80211_beacon_update_cntdwn(link, beacon); > > unlock: > rcu_read_unlock(); > @@ -5450,7 +5463,7 @@ __ieee80211_beacon_get(struct ieee80211_hw *hw, > > if (beacon->cntdwn_counter_offsets[0]) { > if (!is_template) > - __ieee80211_beacon_update_cntdwn(beacon); > + __ieee80211_beacon_update_cntdwn(link, beacon); > > ieee80211_set_beacon_cntdwn(sdata, beacon, link); > } > @@ -5482,7 +5495,7 @@ __ieee80211_beacon_get(struct ieee80211_hw *hw, > * for now we leave it consistent with overall > * mac80211's behavior. > */ > - __ieee80211_beacon_update_cntdwn(beacon); > + __ieee80211_beacon_update_cntdwn(link, beacon); > > ieee80211_set_beacon_cntdwn(sdata, beacon, link); > } > -- > 2.49.0 >
> From: Johannes Berg <johannes.berg@intel.com> > > There's really no value in the WARN stack trace etc., the reason > for this happening isn't directly related to the calling function > anyway. Also, syzbot has been observing it constantly, and there's > no way we can resolve it there - those systems are just slow. > > Instead print an error message (once) and add a comment about what > really causes this message. > > Reported-by: syzbot+468656785707b0e995df@syzkaller.appspotmail.com > Reported-by: syzbot+18c783c5cf6a781e3e2c@syzkaller.appspotmail.com > Reported-by: syzbot+d5924d5cffddfccab68e@syzkaller.appspotmail.com > Reported-by: syzbot+7d73d99525d1ff7752ef@syzkaller.appspotmail.com > Reported-by: syzbot+8e6e002c74d1927edaf5@syzkaller.appspotmail.com > Reported-by: syzbot+97254a3b10c541879a65@syzkaller.appspotmail.com > Reported-by: syzbot+dfd1fd46a1960ad9c6ec@syzkaller.appspotmail.com > Reported-by: syzbot+85e0b8d12d9ca877d806@syzkaller.appspotmail.com > Signed-off-by: Johannes Berg <johannes.berg@intel.com> > --- > #syz test This crash does not have a reproducer. I cannot test it. > --- > net/mac80211/debug.h | 5 ++++- > net/mac80211/tx.c | 29 +++++++++++++++++++++-------- > 2 files changed, 25 insertions(+), 9 deletions(-) > > diff --git a/net/mac80211/debug.h b/net/mac80211/debug.h > index 5b81998cb0c9..ef7c1a68d88d 100644 > --- a/net/mac80211/debug.h > +++ b/net/mac80211/debug.h > @@ -1,10 +1,11 @@ > /* SPDX-License-Identifier: GPL-2.0 */ > /* > * Portions > - * Copyright (C) 2022 - 2024 Intel Corporation > + * Copyright (C) 2022 - 2025 Intel Corporation > */ > #ifndef __MAC80211_DEBUG_H > #define __MAC80211_DEBUG_H > +#include <linux/once_lite.h> > #include <net/cfg80211.h> > > #ifdef CONFIG_MAC80211_OCB_DEBUG > @@ -152,6 +153,8 @@ do { \ > else \ > _sdata_err((link)->sdata, fmt, ##__VA_ARGS__); \ > } while (0) > +#define link_err_once(link, fmt, ...) \ > + DO_ONCE_LITE(link_err, link, fmt, ##__VA_ARGS__) > #define link_id_info(sdata, link_id, fmt, ...) \ > do { \ > if (ieee80211_vif_is_mld(&sdata->vif)) \ > diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c > index d8d4f3d7d7f2..d58b80813bdd 100644 > --- a/net/mac80211/tx.c > +++ b/net/mac80211/tx.c > @@ -5,7 +5,7 @@ > * Copyright 2006-2007 Jiri Benc <jbenc@suse.cz> > * Copyright 2007 Johannes Berg <johannes@sipsolutions.net> > * Copyright 2013-2014 Intel Mobile Communications GmbH > - * Copyright (C) 2018-2024 Intel Corporation > + * Copyright (C) 2018-2025 Intel Corporation > * > * Transmit and frame generation functions. > */ > @@ -5016,12 +5016,25 @@ static void ieee80211_set_beacon_cntdwn(struct ieee80211_sub_if_data *sdata, > } > } > > -static u8 __ieee80211_beacon_update_cntdwn(struct beacon_data *beacon) > +static u8 __ieee80211_beacon_update_cntdwn(struct ieee80211_link_data *link, > + struct beacon_data *beacon) > { > - beacon->cntdwn_current_counter--; > + if (beacon->cntdwn_current_counter == 1) { > + /* > + * Channel switch handling is done by a worker thread while > + * beacons get pulled from hardware timers. It's therefore > + * possible that software threads are slow enough to not be > + * able to complete CSA handling in a single beacon interval, > + * in which case we get here. There isn't much to do about > + * it, other than letting the user know that the AP isn't > + * behaving correctly. > + */ > + link_err_once(link, > + "beacon TX faster than countdown (channel/color switch) completion\n"); > + return 0; > + } > > - /* the counter should never reach 0 */ > - WARN_ON_ONCE(!beacon->cntdwn_current_counter); > + beacon->cntdwn_current_counter--; > > return beacon->cntdwn_current_counter; > } > @@ -5052,7 +5065,7 @@ u8 ieee80211_beacon_update_cntdwn(struct ieee80211_vif *vif, unsigned int link_i > if (!beacon) > goto unlock; > > - count = __ieee80211_beacon_update_cntdwn(beacon); > + count = __ieee80211_beacon_update_cntdwn(link, beacon); > > unlock: > rcu_read_unlock(); > @@ -5450,7 +5463,7 @@ __ieee80211_beacon_get(struct ieee80211_hw *hw, > > if (beacon->cntdwn_counter_offsets[0]) { > if (!is_template) > - __ieee80211_beacon_update_cntdwn(beacon); > + __ieee80211_beacon_update_cntdwn(link, beacon); > > ieee80211_set_beacon_cntdwn(sdata, beacon, link); > } > @@ -5482,7 +5495,7 @@ __ieee80211_beacon_get(struct ieee80211_hw *hw, > * for now we leave it consistent with overall > * mac80211's behavior. > */ > - __ieee80211_beacon_update_cntdwn(beacon); > + __ieee80211_beacon_update_cntdwn(link, beacon); > > ieee80211_set_beacon_cntdwn(sdata, beacon, link); > } > -- > 2.49.0 >
> From: Johannes Berg <johannes.berg@intel.com> > > There's really no value in the WARN stack trace etc., the reason > for this happening isn't directly related to the calling function > anyway. Also, syzbot has been observing it constantly, and there's > no way we can resolve it there - those systems are just slow. > > Instead print an error message (once) and add a comment about what > really causes this message. > > Reported-by: syzbot+468656785707b0e995df@syzkaller.appspotmail.com > Reported-by: syzbot+18c783c5cf6a781e3e2c@syzkaller.appspotmail.com > Reported-by: syzbot+d5924d5cffddfccab68e@syzkaller.appspotmail.com > Reported-by: syzbot+7d73d99525d1ff7752ef@syzkaller.appspotmail.com > Reported-by: syzbot+8e6e002c74d1927edaf5@syzkaller.appspotmail.com > Reported-by: syzbot+97254a3b10c541879a65@syzkaller.appspotmail.com > Reported-by: syzbot+dfd1fd46a1960ad9c6ec@syzkaller.appspotmail.com > Reported-by: syzbot+85e0b8d12d9ca877d806@syzkaller.appspotmail.com > Signed-off-by: Johannes Berg <johannes.berg@intel.com> > --- > #syz test This crash does not have a reproducer. I cannot test it. > --- > net/mac80211/debug.h | 5 ++++- > net/mac80211/tx.c | 29 +++++++++++++++++++++-------- > 2 files changed, 25 insertions(+), 9 deletions(-) > > diff --git a/net/mac80211/debug.h b/net/mac80211/debug.h > index 5b81998cb0c9..ef7c1a68d88d 100644 > --- a/net/mac80211/debug.h > +++ b/net/mac80211/debug.h > @@ -1,10 +1,11 @@ > /* SPDX-License-Identifier: GPL-2.0 */ > /* > * Portions > - * Copyright (C) 2022 - 2024 Intel Corporation > + * Copyright (C) 2022 - 2025 Intel Corporation > */ > #ifndef __MAC80211_DEBUG_H > #define __MAC80211_DEBUG_H > +#include <linux/once_lite.h> > #include <net/cfg80211.h> > > #ifdef CONFIG_MAC80211_OCB_DEBUG > @@ -152,6 +153,8 @@ do { \ > else \ > _sdata_err((link)->sdata, fmt, ##__VA_ARGS__); \ > } while (0) > +#define link_err_once(link, fmt, ...) \ > + DO_ONCE_LITE(link_err, link, fmt, ##__VA_ARGS__) > #define link_id_info(sdata, link_id, fmt, ...) \ > do { \ > if (ieee80211_vif_is_mld(&sdata->vif)) \ > diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c > index d8d4f3d7d7f2..d58b80813bdd 100644 > --- a/net/mac80211/tx.c > +++ b/net/mac80211/tx.c > @@ -5,7 +5,7 @@ > * Copyright 2006-2007 Jiri Benc <jbenc@suse.cz> > * Copyright 2007 Johannes Berg <johannes@sipsolutions.net> > * Copyright 2013-2014 Intel Mobile Communications GmbH > - * Copyright (C) 2018-2024 Intel Corporation > + * Copyright (C) 2018-2025 Intel Corporation > * > * Transmit and frame generation functions. > */ > @@ -5016,12 +5016,25 @@ static void ieee80211_set_beacon_cntdwn(struct ieee80211_sub_if_data *sdata, > } > } > > -static u8 __ieee80211_beacon_update_cntdwn(struct beacon_data *beacon) > +static u8 __ieee80211_beacon_update_cntdwn(struct ieee80211_link_data *link, > + struct beacon_data *beacon) > { > - beacon->cntdwn_current_counter--; > + if (beacon->cntdwn_current_counter == 1) { > + /* > + * Channel switch handling is done by a worker thread while > + * beacons get pulled from hardware timers. It's therefore > + * possible that software threads are slow enough to not be > + * able to complete CSA handling in a single beacon interval, > + * in which case we get here. There isn't much to do about > + * it, other than letting the user know that the AP isn't > + * behaving correctly. > + */ > + link_err_once(link, > + "beacon TX faster than countdown (channel/color switch) completion\n"); > + return 0; > + } > > - /* the counter should never reach 0 */ > - WARN_ON_ONCE(!beacon->cntdwn_current_counter); > + beacon->cntdwn_current_counter--; > > return beacon->cntdwn_current_counter; > } > @@ -5052,7 +5065,7 @@ u8 ieee80211_beacon_update_cntdwn(struct ieee80211_vif *vif, unsigned int link_i > if (!beacon) > goto unlock; > > - count = __ieee80211_beacon_update_cntdwn(beacon); > + count = __ieee80211_beacon_update_cntdwn(link, beacon); > > unlock: > rcu_read_unlock(); > @@ -5450,7 +5463,7 @@ __ieee80211_beacon_get(struct ieee80211_hw *hw, > > if (beacon->cntdwn_counter_offsets[0]) { > if (!is_template) > - __ieee80211_beacon_update_cntdwn(beacon); > + __ieee80211_beacon_update_cntdwn(link, beacon); > > ieee80211_set_beacon_cntdwn(sdata, beacon, link); > } > @@ -5482,7 +5495,7 @@ __ieee80211_beacon_get(struct ieee80211_hw *hw, > * for now we leave it consistent with overall > * mac80211's behavior. > */ > - __ieee80211_beacon_update_cntdwn(beacon); > + __ieee80211_beacon_update_cntdwn(link, beacon); > > ieee80211_set_beacon_cntdwn(sdata, beacon, link); > } > -- > 2.49.0 >
> From: Johannes Berg <johannes.berg@intel.com> > > There's really no value in the WARN stack trace etc., the reason > for this happening isn't directly related to the calling function > anyway. Also, syzbot has been observing it constantly, and there's > no way we can resolve it there - those systems are just slow. > > Instead print an error message (once) and add a comment about what > really causes this message. > > Reported-by: syzbot+468656785707b0e995df@syzkaller.appspotmail.com > Reported-by: syzbot+18c783c5cf6a781e3e2c@syzkaller.appspotmail.com > Reported-by: syzbot+d5924d5cffddfccab68e@syzkaller.appspotmail.com > Reported-by: syzbot+7d73d99525d1ff7752ef@syzkaller.appspotmail.com > Reported-by: syzbot+8e6e002c74d1927edaf5@syzkaller.appspotmail.com > Reported-by: syzbot+97254a3b10c541879a65@syzkaller.appspotmail.com > Reported-by: syzbot+dfd1fd46a1960ad9c6ec@syzkaller.appspotmail.com > Reported-by: syzbot+85e0b8d12d9ca877d806@syzkaller.appspotmail.com > Signed-off-by: Johannes Berg <johannes.berg@intel.com> > --- > #syz test This crash does not have a reproducer. I cannot test it. > --- > net/mac80211/debug.h | 5 ++++- > net/mac80211/tx.c | 29 +++++++++++++++++++++-------- > 2 files changed, 25 insertions(+), 9 deletions(-) > > diff --git a/net/mac80211/debug.h b/net/mac80211/debug.h > index 5b81998cb0c9..ef7c1a68d88d 100644 > --- a/net/mac80211/debug.h > +++ b/net/mac80211/debug.h > @@ -1,10 +1,11 @@ > /* SPDX-License-Identifier: GPL-2.0 */ > /* > * Portions > - * Copyright (C) 2022 - 2024 Intel Corporation > + * Copyright (C) 2022 - 2025 Intel Corporation > */ > #ifndef __MAC80211_DEBUG_H > #define __MAC80211_DEBUG_H > +#include <linux/once_lite.h> > #include <net/cfg80211.h> > > #ifdef CONFIG_MAC80211_OCB_DEBUG > @@ -152,6 +153,8 @@ do { \ > else \ > _sdata_err((link)->sdata, fmt, ##__VA_ARGS__); \ > } while (0) > +#define link_err_once(link, fmt, ...) \ > + DO_ONCE_LITE(link_err, link, fmt, ##__VA_ARGS__) > #define link_id_info(sdata, link_id, fmt, ...) \ > do { \ > if (ieee80211_vif_is_mld(&sdata->vif)) \ > diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c > index d8d4f3d7d7f2..d58b80813bdd 100644 > --- a/net/mac80211/tx.c > +++ b/net/mac80211/tx.c > @@ -5,7 +5,7 @@ > * Copyright 2006-2007 Jiri Benc <jbenc@suse.cz> > * Copyright 2007 Johannes Berg <johannes@sipsolutions.net> > * Copyright 2013-2014 Intel Mobile Communications GmbH > - * Copyright (C) 2018-2024 Intel Corporation > + * Copyright (C) 2018-2025 Intel Corporation > * > * Transmit and frame generation functions. > */ > @@ -5016,12 +5016,25 @@ static void ieee80211_set_beacon_cntdwn(struct ieee80211_sub_if_data *sdata, > } > } > > -static u8 __ieee80211_beacon_update_cntdwn(struct beacon_data *beacon) > +static u8 __ieee80211_beacon_update_cntdwn(struct ieee80211_link_data *link, > + struct beacon_data *beacon) > { > - beacon->cntdwn_current_counter--; > + if (beacon->cntdwn_current_counter == 1) { > + /* > + * Channel switch handling is done by a worker thread while > + * beacons get pulled from hardware timers. It's therefore > + * possible that software threads are slow enough to not be > + * able to complete CSA handling in a single beacon interval, > + * in which case we get here. There isn't much to do about > + * it, other than letting the user know that the AP isn't > + * behaving correctly. > + */ > + link_err_once(link, > + "beacon TX faster than countdown (channel/color switch) completion\n"); > + return 0; > + } > > - /* the counter should never reach 0 */ > - WARN_ON_ONCE(!beacon->cntdwn_current_counter); > + beacon->cntdwn_current_counter--; > > return beacon->cntdwn_current_counter; > } > @@ -5052,7 +5065,7 @@ u8 ieee80211_beacon_update_cntdwn(struct ieee80211_vif *vif, unsigned int link_i > if (!beacon) > goto unlock; > > - count = __ieee80211_beacon_update_cntdwn(beacon); > + count = __ieee80211_beacon_update_cntdwn(link, beacon); > > unlock: > rcu_read_unlock(); > @@ -5450,7 +5463,7 @@ __ieee80211_beacon_get(struct ieee80211_hw *hw, > > if (beacon->cntdwn_counter_offsets[0]) { > if (!is_template) > - __ieee80211_beacon_update_cntdwn(beacon); > + __ieee80211_beacon_update_cntdwn(link, beacon); > > ieee80211_set_beacon_cntdwn(sdata, beacon, link); > } > @@ -5482,7 +5495,7 @@ __ieee80211_beacon_get(struct ieee80211_hw *hw, > * for now we leave it consistent with overall > * mac80211's behavior. > */ > - __ieee80211_beacon_update_cntdwn(beacon); > + __ieee80211_beacon_update_cntdwn(link, beacon); > > ieee80211_set_beacon_cntdwn(sdata, beacon, link); > } > -- > 2.49.0 >
> From: Johannes Berg <johannes.berg@intel.com> > > There's really no value in the WARN stack trace etc., the reason > for this happening isn't directly related to the calling function > anyway. Also, syzbot has been observing it constantly, and there's > no way we can resolve it there - those systems are just slow. > > Instead print an error message (once) and add a comment about what > really causes this message. > > Reported-by: syzbot+468656785707b0e995df@syzkaller.appspotmail.com > Reported-by: syzbot+18c783c5cf6a781e3e2c@syzkaller.appspotmail.com > Reported-by: syzbot+d5924d5cffddfccab68e@syzkaller.appspotmail.com > Reported-by: syzbot+7d73d99525d1ff7752ef@syzkaller.appspotmail.com > Reported-by: syzbot+8e6e002c74d1927edaf5@syzkaller.appspotmail.com > Reported-by: syzbot+97254a3b10c541879a65@syzkaller.appspotmail.com > Reported-by: syzbot+dfd1fd46a1960ad9c6ec@syzkaller.appspotmail.com > Reported-by: syzbot+85e0b8d12d9ca877d806@syzkaller.appspotmail.com > Signed-off-by: Johannes Berg <johannes.berg@intel.com> > --- > #syz test This crash does not have a reproducer. I cannot test it. > --- > net/mac80211/debug.h | 5 ++++- > net/mac80211/tx.c | 29 +++++++++++++++++++++-------- > 2 files changed, 25 insertions(+), 9 deletions(-) > > diff --git a/net/mac80211/debug.h b/net/mac80211/debug.h > index 5b81998cb0c9..ef7c1a68d88d 100644 > --- a/net/mac80211/debug.h > +++ b/net/mac80211/debug.h > @@ -1,10 +1,11 @@ > /* SPDX-License-Identifier: GPL-2.0 */ > /* > * Portions > - * Copyright (C) 2022 - 2024 Intel Corporation > + * Copyright (C) 2022 - 2025 Intel Corporation > */ > #ifndef __MAC80211_DEBUG_H > #define __MAC80211_DEBUG_H > +#include <linux/once_lite.h> > #include <net/cfg80211.h> > > #ifdef CONFIG_MAC80211_OCB_DEBUG > @@ -152,6 +153,8 @@ do { \ > else \ > _sdata_err((link)->sdata, fmt, ##__VA_ARGS__); \ > } while (0) > +#define link_err_once(link, fmt, ...) \ > + DO_ONCE_LITE(link_err, link, fmt, ##__VA_ARGS__) > #define link_id_info(sdata, link_id, fmt, ...) \ > do { \ > if (ieee80211_vif_is_mld(&sdata->vif)) \ > diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c > index d8d4f3d7d7f2..d58b80813bdd 100644 > --- a/net/mac80211/tx.c > +++ b/net/mac80211/tx.c > @@ -5,7 +5,7 @@ > * Copyright 2006-2007 Jiri Benc <jbenc@suse.cz> > * Copyright 2007 Johannes Berg <johannes@sipsolutions.net> > * Copyright 2013-2014 Intel Mobile Communications GmbH > - * Copyright (C) 2018-2024 Intel Corporation > + * Copyright (C) 2018-2025 Intel Corporation > * > * Transmit and frame generation functions. > */ > @@ -5016,12 +5016,25 @@ static void ieee80211_set_beacon_cntdwn(struct ieee80211_sub_if_data *sdata, > } > } > > -static u8 __ieee80211_beacon_update_cntdwn(struct beacon_data *beacon) > +static u8 __ieee80211_beacon_update_cntdwn(struct ieee80211_link_data *link, > + struct beacon_data *beacon) > { > - beacon->cntdwn_current_counter--; > + if (beacon->cntdwn_current_counter == 1) { > + /* > + * Channel switch handling is done by a worker thread while > + * beacons get pulled from hardware timers. It's therefore > + * possible that software threads are slow enough to not be > + * able to complete CSA handling in a single beacon interval, > + * in which case we get here. There isn't much to do about > + * it, other than letting the user know that the AP isn't > + * behaving correctly. > + */ > + link_err_once(link, > + "beacon TX faster than countdown (channel/color switch) completion\n"); > + return 0; > + } > > - /* the counter should never reach 0 */ > - WARN_ON_ONCE(!beacon->cntdwn_current_counter); > + beacon->cntdwn_current_counter--; > > return beacon->cntdwn_current_counter; > } > @@ -5052,7 +5065,7 @@ u8 ieee80211_beacon_update_cntdwn(struct ieee80211_vif *vif, unsigned int link_i > if (!beacon) > goto unlock; > > - count = __ieee80211_beacon_update_cntdwn(beacon); > + count = __ieee80211_beacon_update_cntdwn(link, beacon); > > unlock: > rcu_read_unlock(); > @@ -5450,7 +5463,7 @@ __ieee80211_beacon_get(struct ieee80211_hw *hw, > > if (beacon->cntdwn_counter_offsets[0]) { > if (!is_template) > - __ieee80211_beacon_update_cntdwn(beacon); > + __ieee80211_beacon_update_cntdwn(link, beacon); > > ieee80211_set_beacon_cntdwn(sdata, beacon, link); > } > @@ -5482,7 +5495,7 @@ __ieee80211_beacon_get(struct ieee80211_hw *hw, > * for now we leave it consistent with overall > * mac80211's behavior. > */ > - __ieee80211_beacon_update_cntdwn(beacon); > + __ieee80211_beacon_update_cntdwn(link, beacon); > > ieee80211_set_beacon_cntdwn(sdata, beacon, link); > } > -- > 2.49.0 >
> From: Johannes Berg <johannes.berg@intel.com> > > There's really no value in the WARN stack trace etc., the reason > for this happening isn't directly related to the calling function > anyway. Also, syzbot has been observing it constantly, and there's > no way we can resolve it there - those systems are just slow. > > Instead print an error message (once) and add a comment about what > really causes this message. > > Reported-by: syzbot+468656785707b0e995df@syzkaller.appspotmail.com > Reported-by: syzbot+18c783c5cf6a781e3e2c@syzkaller.appspotmail.com > Reported-by: syzbot+d5924d5cffddfccab68e@syzkaller.appspotmail.com > Reported-by: syzbot+7d73d99525d1ff7752ef@syzkaller.appspotmail.com > Reported-by: syzbot+8e6e002c74d1927edaf5@syzkaller.appspotmail.com > Reported-by: syzbot+97254a3b10c541879a65@syzkaller.appspotmail.com > Reported-by: syzbot+dfd1fd46a1960ad9c6ec@syzkaller.appspotmail.com > Reported-by: syzbot+85e0b8d12d9ca877d806@syzkaller.appspotmail.com > Signed-off-by: Johannes Berg <johannes.berg@intel.com> > --- > #syz test This crash does not have a reproducer. I cannot test it. > --- > net/mac80211/debug.h | 5 ++++- > net/mac80211/tx.c | 29 +++++++++++++++++++++-------- > 2 files changed, 25 insertions(+), 9 deletions(-) > > diff --git a/net/mac80211/debug.h b/net/mac80211/debug.h > index 5b81998cb0c9..ef7c1a68d88d 100644 > --- a/net/mac80211/debug.h > +++ b/net/mac80211/debug.h > @@ -1,10 +1,11 @@ > /* SPDX-License-Identifier: GPL-2.0 */ > /* > * Portions > - * Copyright (C) 2022 - 2024 Intel Corporation > + * Copyright (C) 2022 - 2025 Intel Corporation > */ > #ifndef __MAC80211_DEBUG_H > #define __MAC80211_DEBUG_H > +#include <linux/once_lite.h> > #include <net/cfg80211.h> > > #ifdef CONFIG_MAC80211_OCB_DEBUG > @@ -152,6 +153,8 @@ do { \ > else \ > _sdata_err((link)->sdata, fmt, ##__VA_ARGS__); \ > } while (0) > +#define link_err_once(link, fmt, ...) \ > + DO_ONCE_LITE(link_err, link, fmt, ##__VA_ARGS__) > #define link_id_info(sdata, link_id, fmt, ...) \ > do { \ > if (ieee80211_vif_is_mld(&sdata->vif)) \ > diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c > index d8d4f3d7d7f2..d58b80813bdd 100644 > --- a/net/mac80211/tx.c > +++ b/net/mac80211/tx.c > @@ -5,7 +5,7 @@ > * Copyright 2006-2007 Jiri Benc <jbenc@suse.cz> > * Copyright 2007 Johannes Berg <johannes@sipsolutions.net> > * Copyright 2013-2014 Intel Mobile Communications GmbH > - * Copyright (C) 2018-2024 Intel Corporation > + * Copyright (C) 2018-2025 Intel Corporation > * > * Transmit and frame generation functions. > */ > @@ -5016,12 +5016,25 @@ static void ieee80211_set_beacon_cntdwn(struct ieee80211_sub_if_data *sdata, > } > } > > -static u8 __ieee80211_beacon_update_cntdwn(struct beacon_data *beacon) > +static u8 __ieee80211_beacon_update_cntdwn(struct ieee80211_link_data *link, > + struct beacon_data *beacon) > { > - beacon->cntdwn_current_counter--; > + if (beacon->cntdwn_current_counter == 1) { > + /* > + * Channel switch handling is done by a worker thread while > + * beacons get pulled from hardware timers. It's therefore > + * possible that software threads are slow enough to not be > + * able to complete CSA handling in a single beacon interval, > + * in which case we get here. There isn't much to do about > + * it, other than letting the user know that the AP isn't > + * behaving correctly. > + */ > + link_err_once(link, > + "beacon TX faster than countdown (channel/color switch) completion\n"); > + return 0; > + } > > - /* the counter should never reach 0 */ > - WARN_ON_ONCE(!beacon->cntdwn_current_counter); > + beacon->cntdwn_current_counter--; > > return beacon->cntdwn_current_counter; > } > @@ -5052,7 +5065,7 @@ u8 ieee80211_beacon_update_cntdwn(struct ieee80211_vif *vif, unsigned int link_i > if (!beacon) > goto unlock; > > - count = __ieee80211_beacon_update_cntdwn(beacon); > + count = __ieee80211_beacon_update_cntdwn(link, beacon); > > unlock: > rcu_read_unlock(); > @@ -5450,7 +5463,7 @@ __ieee80211_beacon_get(struct ieee80211_hw *hw, > > if (beacon->cntdwn_counter_offsets[0]) { > if (!is_template) > - __ieee80211_beacon_update_cntdwn(beacon); > + __ieee80211_beacon_update_cntdwn(link, beacon); > > ieee80211_set_beacon_cntdwn(sdata, beacon, link); > } > @@ -5482,7 +5495,7 @@ __ieee80211_beacon_get(struct ieee80211_hw *hw, > * for now we leave it consistent with overall > * mac80211's behavior. > */ > - __ieee80211_beacon_update_cntdwn(beacon); > + __ieee80211_beacon_update_cntdwn(link, beacon); > > ieee80211_set_beacon_cntdwn(sdata, beacon, link); > } > -- > 2.49.0 >
> From: Johannes Berg <johannes.berg@intel.com> > > There's really no value in the WARN stack trace etc., the reason > for this happening isn't directly related to the calling function > anyway. Also, syzbot has been observing it constantly, and there's > no way we can resolve it there - those systems are just slow. > > Instead print an error message (once) and add a comment about what > really causes this message. > > Reported-by: syzbot+468656785707b0e995df@syzkaller.appspotmail.com > Reported-by: syzbot+18c783c5cf6a781e3e2c@syzkaller.appspotmail.com > Reported-by: syzbot+d5924d5cffddfccab68e@syzkaller.appspotmail.com > Reported-by: syzbot+7d73d99525d1ff7752ef@syzkaller.appspotmail.com > Reported-by: syzbot+8e6e002c74d1927edaf5@syzkaller.appspotmail.com > Reported-by: syzbot+97254a3b10c541879a65@syzkaller.appspotmail.com > Reported-by: syzbot+dfd1fd46a1960ad9c6ec@syzkaller.appspotmail.com > Reported-by: syzbot+85e0b8d12d9ca877d806@syzkaller.appspotmail.com > Signed-off-by: Johannes Berg <johannes.berg@intel.com> > --- > #syz test This crash does not have a reproducer. I cannot test it. > --- > net/mac80211/debug.h | 5 ++++- > net/mac80211/tx.c | 29 +++++++++++++++++++++-------- > 2 files changed, 25 insertions(+), 9 deletions(-) > > diff --git a/net/mac80211/debug.h b/net/mac80211/debug.h > index 5b81998cb0c9..ef7c1a68d88d 100644 > --- a/net/mac80211/debug.h > +++ b/net/mac80211/debug.h > @@ -1,10 +1,11 @@ > /* SPDX-License-Identifier: GPL-2.0 */ > /* > * Portions > - * Copyright (C) 2022 - 2024 Intel Corporation > + * Copyright (C) 2022 - 2025 Intel Corporation > */ > #ifndef __MAC80211_DEBUG_H > #define __MAC80211_DEBUG_H > +#include <linux/once_lite.h> > #include <net/cfg80211.h> > > #ifdef CONFIG_MAC80211_OCB_DEBUG > @@ -152,6 +153,8 @@ do { \ > else \ > _sdata_err((link)->sdata, fmt, ##__VA_ARGS__); \ > } while (0) > +#define link_err_once(link, fmt, ...) \ > + DO_ONCE_LITE(link_err, link, fmt, ##__VA_ARGS__) > #define link_id_info(sdata, link_id, fmt, ...) \ > do { \ > if (ieee80211_vif_is_mld(&sdata->vif)) \ > diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c > index d8d4f3d7d7f2..d58b80813bdd 100644 > --- a/net/mac80211/tx.c > +++ b/net/mac80211/tx.c > @@ -5,7 +5,7 @@ > * Copyright 2006-2007 Jiri Benc <jbenc@suse.cz> > * Copyright 2007 Johannes Berg <johannes@sipsolutions.net> > * Copyright 2013-2014 Intel Mobile Communications GmbH > - * Copyright (C) 2018-2024 Intel Corporation > + * Copyright (C) 2018-2025 Intel Corporation > * > * Transmit and frame generation functions. > */ > @@ -5016,12 +5016,25 @@ static void ieee80211_set_beacon_cntdwn(struct ieee80211_sub_if_data *sdata, > } > } > > -static u8 __ieee80211_beacon_update_cntdwn(struct beacon_data *beacon) > +static u8 __ieee80211_beacon_update_cntdwn(struct ieee80211_link_data *link, > + struct beacon_data *beacon) > { > - beacon->cntdwn_current_counter--; > + if (beacon->cntdwn_current_counter == 1) { > + /* > + * Channel switch handling is done by a worker thread while > + * beacons get pulled from hardware timers. It's therefore > + * possible that software threads are slow enough to not be > + * able to complete CSA handling in a single beacon interval, > + * in which case we get here. There isn't much to do about > + * it, other than letting the user know that the AP isn't > + * behaving correctly. > + */ > + link_err_once(link, > + "beacon TX faster than countdown (channel/color switch) completion\n"); > + return 0; > + } > > - /* the counter should never reach 0 */ > - WARN_ON_ONCE(!beacon->cntdwn_current_counter); > + beacon->cntdwn_current_counter--; > > return beacon->cntdwn_current_counter; > } > @@ -5052,7 +5065,7 @@ u8 ieee80211_beacon_update_cntdwn(struct ieee80211_vif *vif, unsigned int link_i > if (!beacon) > goto unlock; > > - count = __ieee80211_beacon_update_cntdwn(beacon); > + count = __ieee80211_beacon_update_cntdwn(link, beacon); > > unlock: > rcu_read_unlock(); > @@ -5450,7 +5463,7 @@ __ieee80211_beacon_get(struct ieee80211_hw *hw, > > if (beacon->cntdwn_counter_offsets[0]) { > if (!is_template) > - __ieee80211_beacon_update_cntdwn(beacon); > + __ieee80211_beacon_update_cntdwn(link, beacon); > > ieee80211_set_beacon_cntdwn(sdata, beacon, link); > } > @@ -5482,7 +5495,7 @@ __ieee80211_beacon_get(struct ieee80211_hw *hw, > * for now we leave it consistent with overall > * mac80211's behavior. > */ > - __ieee80211_beacon_update_cntdwn(beacon); > + __ieee80211_beacon_update_cntdwn(link, beacon); > > ieee80211_set_beacon_cntdwn(sdata, beacon, link); > } > -- > 2.49.0 >
diff --git a/net/mac80211/debug.h b/net/mac80211/debug.h index 5b81998cb0c9..ef7c1a68d88d 100644 --- a/net/mac80211/debug.h +++ b/net/mac80211/debug.h @@ -1,10 +1,11 @@ /* SPDX-License-Identifier: GPL-2.0 */ /* * Portions - * Copyright (C) 2022 - 2024 Intel Corporation + * Copyright (C) 2022 - 2025 Intel Corporation */ #ifndef __MAC80211_DEBUG_H #define __MAC80211_DEBUG_H +#include <linux/once_lite.h> #include <net/cfg80211.h> #ifdef CONFIG_MAC80211_OCB_DEBUG @@ -152,6 +153,8 @@ do { \ else \ _sdata_err((link)->sdata, fmt, ##__VA_ARGS__); \ } while (0) +#define link_err_once(link, fmt, ...) \ + DO_ONCE_LITE(link_err, link, fmt, ##__VA_ARGS__) #define link_id_info(sdata, link_id, fmt, ...) \ do { \ if (ieee80211_vif_is_mld(&sdata->vif)) \ diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c index d8d4f3d7d7f2..d58b80813bdd 100644 --- a/net/mac80211/tx.c +++ b/net/mac80211/tx.c @@ -5,7 +5,7 @@ * Copyright 2006-2007 Jiri Benc <jbenc@suse.cz> * Copyright 2007 Johannes Berg <johannes@sipsolutions.net> * Copyright 2013-2014 Intel Mobile Communications GmbH - * Copyright (C) 2018-2024 Intel Corporation + * Copyright (C) 2018-2025 Intel Corporation * * Transmit and frame generation functions. */ @@ -5016,12 +5016,25 @@ static void ieee80211_set_beacon_cntdwn(struct ieee80211_sub_if_data *sdata, } } -static u8 __ieee80211_beacon_update_cntdwn(struct beacon_data *beacon) +static u8 __ieee80211_beacon_update_cntdwn(struct ieee80211_link_data *link, + struct beacon_data *beacon) { - beacon->cntdwn_current_counter--; + if (beacon->cntdwn_current_counter == 1) { + /* + * Channel switch handling is done by a worker thread while + * beacons get pulled from hardware timers. It's therefore + * possible that software threads are slow enough to not be + * able to complete CSA handling in a single beacon interval, + * in which case we get here. There isn't much to do about + * it, other than letting the user know that the AP isn't + * behaving correctly. + */ + link_err_once(link, + "beacon TX faster than countdown (channel/color switch) completion\n"); + return 0; + } - /* the counter should never reach 0 */ - WARN_ON_ONCE(!beacon->cntdwn_current_counter); + beacon->cntdwn_current_counter--; return beacon->cntdwn_current_counter; } @@ -5052,7 +5065,7 @@ u8 ieee80211_beacon_update_cntdwn(struct ieee80211_vif *vif, unsigned int link_i if (!beacon) goto unlock; - count = __ieee80211_beacon_update_cntdwn(beacon); + count = __ieee80211_beacon_update_cntdwn(link, beacon); unlock: rcu_read_unlock(); @@ -5450,7 +5463,7 @@ __ieee80211_beacon_get(struct ieee80211_hw *hw, if (beacon->cntdwn_counter_offsets[0]) { if (!is_template) - __ieee80211_beacon_update_cntdwn(beacon); + __ieee80211_beacon_update_cntdwn(link, beacon); ieee80211_set_beacon_cntdwn(sdata, beacon, link); } @@ -5482,7 +5495,7 @@ __ieee80211_beacon_get(struct ieee80211_hw *hw, * for now we leave it consistent with overall * mac80211's behavior. */ - __ieee80211_beacon_update_cntdwn(beacon); + __ieee80211_beacon_update_cntdwn(link, beacon); ieee80211_set_beacon_cntdwn(sdata, beacon, link); }