NetBSD Problem Report #55655
From www@netbsd.org Sat Sep 12 03:40:26 2020
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 0FA3C1A9239
for <gnats-bugs@gnats.NetBSD.org>; Sat, 12 Sep 2020 03:40:26 +0000 (UTC)
Message-Id: <20200912034025.184EE1A923A@mollari.NetBSD.org>
Date: Sat, 12 Sep 2020 03:40:25 +0000 (UTC)
From: pr@xn--rvztrtkrfrgp-bbb7j2b8f0b9d7a21oft.com
Reply-To: pr@xn--rvztrtkrfrgp-bbb7j2b8f0b9d7a21oft.com
To: gnats-bugs@NetBSD.org
Subject: Specific AP deauth causes panic
X-Send-Pr-Version: www-1.0
>Number: 55655
>Category: port-amd64
>Synopsis: Specific AP deauth causes panic
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: port-amd64-maintainer
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Sep 12 03:45:00 +0000 2020
>Last-Modified: Sat Sep 12 07:50:01 +0000 2020
>Originator: Ben Gergely
>Release:
>Organization:
>Environment:
NetBSD 9.99.72 amd64
>Description:
When APs are rebooted they seem to send a special deauth that triggers a panic, only encountered this occasionally as it was scheduled for 4am and I'm not always around to see it.
But can trigger it by just telling the AP to reboot (it deauths all the clients before it does that).
Initially thought it was wpi specific but have the same behavior with ath.
Other types of de-authentications don't trigger a panic.
Could it be sending along an unexpected deauth code in the deauth packet when its rebooting?
bt from ath and wpi:
[ 2548.592760] panic: kernel diagnostic assertion "!cpu_softintr_p()" failed: file "/usr/src/sys/kern/subr_kmem.c", line 337
[ 2548.592760] cpu0: Begin traceback...
[ 2548.592760] vpanic() at netbsd:vpanic+0x152
[ 2548.592760] __x86_indirect_thunk_rax() at netbsd:__x86_indirect_thunk_rax
[ 2548.592760] kmem_free() at netbsd:kmem_free+0x82
[ 2548.592760] _ieee80211_crypto_delkey() at netbsd:_ieee80211_crypto_delkey+0x64
[ 2548.592760] ieee80211_crypto_delkey() at netbsd:ieee80211_crypto_delkey+0x24
[ 2548.592760] ieee80211_node_delucastkey() at netbsd:ieee80211_node_delucastkey+0xc3
[ 2548.592760] ieee80211_sta_leave() at netbsd:ieee80211_sta_leave+0x1c
[ 2548.592760] ieee80211_newstate() at netbsd:ieee80211_newstate+0x18d
[ 2548.592760] ath_newstate() at netbsd:ath_newstate+0x2ed
[ 2548.592760] ath_bmiss_proc_si() at netbsd:ath_bmiss_proc_si+0x13a
[ 2548.592760] softint_dispatch() at netbsd:softint_dispatch+0x2d1
[ 2548.592760] DDB lost frame for netbsd:Xsoftintr+0x4f, trying 0xffffa700ae4840f0
[ 2548.592760] Xsoftintr() at netbsd:Xsoftintr+0x4f
[ 2548.592760] --- interrupt ---
[ 2548.592760] cccc8ccc4dccddcc:
[ 2548.592760] cpu0: End traceback...
[ 1000.479797] panic: kernel diagnostic assertion "!cpu_softintr_p()" failed: file "/usr/src/sys/kern/subr_kmem.c", line 337
[ 1000.479797] cpu0: Begin traceback...
[ 1000.479797] vpanic() at netbsd:vpanic+0x152
[ 1000.479797] __x86_indirect_thunk_rax() at netbsd:__x86_indirect_thunk_rax
[ 1000.479797] kmem_free() at netbsd:kmem_free+0x82
[ 1000.479797] _ieee80211_crypto_delkey() at netbsd:_ieee80211_crypto_delkey+0x64
[ 1000.479797] ieee80211_crypto_delkey() at netbsd:ieee80211_crypto_delkey+0x24
[ 1000.479797] ieee80211_node_delucastkey() at netbsd:ieee80211_node_delucastkey+0xc3
[ 1000.479797] ieee80211_sta_leave() at netbsd:ieee80211_sta_leave+0x1c
[ 1000.479797] ieee80211_newstate() at netbsd:ieee80211_newstate+0x354
[ 1000.479797] iwn_newstate() at netbsd:iwn_newstate+0x346
[ 1000.479797] ieee80211_recv_mgmt() at netbsd:ieee80211_recv_mgmt+0xb4c
[ 1000.479797] ieee80211_input() at netbsd:ieee80211_input+0x408
[ 1000.479797] iwn_notif_intr() at netbsd:iwn_notif_intr+0x515
[ 1000.479797] iwn_softintr() at netbsd:iwn_softintr+0x311
[ 1000.479797] softint_dispatch() at netbsd:softint_dispatch+0x2d1
[ 1000.479797] DDB lost frame for netbsd:Xsoftintr+0x4f, trying 0xffffac00ae4840f0
[ 1000.479797] Xsoftintr() at netbsd:Xsoftintr+0x4f
[ 1000.479797] --- interrupt ---
[ 1000.479797] cccc8ccc4dccddcc:
[ 1000.479797] cpu0: End traceback...
>How-To-Repeat:
>Fix:
>Audit-Trail:
From: Lars Reichardt <lars@paradoxon.info>
To: gnats-bugs@netbsd.org, port-amd64-maintainer@netbsd.org,
gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Cc:
Subject: Re: port-amd64/55655: Specific AP deauth causes panic
Date: Sat, 12 Sep 2020 09:12:39 +0200
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--AvBCJCqg1N16yQuXPjELzZVvgsATZMtuZ
Content-Type: multipart/mixed; boundary="RYSd8fBJuXq5OeWFnqqgH8PgC0USmlLG7"
--RYSd8fBJuXq5OeWFnqqgH8PgC0USmlLG7
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Content-Language: en-US
On 9/12/20 5:45 AM, pr@xn--rvztrtkrfrgp-bbb7j2b8f0b9d7a21oft.com wrote:
>> Number: 55655
>> Category: port-amd64
>> Synopsis: Specific AP deauth causes panic
>> Confidential: no
>> Severity: serious
>> Priority: medium
>> Responsible: port-amd64-maintainer
>> State: open
>> Class: sw-bug
>> Submitter-Id: net
>> Arrival-Date: Sat Sep 12 03:45:00 +0000 2020
>> Originator: Ben Gergely
>> Release: =20
>> Organization:
>> Environment:
> NetBSD 9.99.72 amd64
>> Description:
> When APs are rebooted they seem to send a special deauth that triggers =
a panic, only encountered this occasionally as it was scheduled for 4am a=
nd I'm not always around to see it.=20
>
> But can trigger it by just telling the AP to reboot (it deauths all the=
clients before it does that).
>
> Initially thought it was wpi specific but have the same behavior with a=
th.
>
> Other types of de-authentications don't trigger a panic.
>
> Could it be sending along an unexpected deauth code in the deauth packe=
t when its rebooting?
>
>
> bt from ath and wpi:
>
> [ 2548.592760] panic: kernel diagnostic assertion "!cpu_softintr_p()" =
failed: file "/usr/src/sys/kern/subr_kmem.c", line 337
> [ 2548.592760] cpu0: Begin traceback...
> [ 2548.592760] vpanic() at netbsd:vpanic+0x152
> [ 2548.592760] __x86_indirect_thunk_rax() at netbsd:__x86_indirect_thu=
nk_rax
> [ 2548.592760] kmem_free() at netbsd:kmem_free+0x82
> [ 2548.592760] _ieee80211_crypto_delkey() at netbsd:_ieee80211_crypto_=
delkey+0x64
> [ 2548.592760] ieee80211_crypto_delkey() at netbsd:ieee80211_crypto_de=
lkey+0x24
> [ 2548.592760] ieee80211_node_delucastkey() at netbsd:ieee80211_node_d=
elucastkey+0xc3
> [ 2548.592760] ieee80211_sta_leave() at netbsd:ieee80211_sta_leave+0x1=
c
> [ 2548.592760] ieee80211_newstate() at netbsd:ieee80211_newstate+0x18d=
> [ 2548.592760] ath_newstate() at netbsd:ath_newstate+0x2ed
> [ 2548.592760] ath_bmiss_proc_si() at netbsd:ath_bmiss_proc_si+0x13a
> [ 2548.592760] softint_dispatch() at netbsd:softint_dispatch+0x2d1
> [ 2548.592760] DDB lost frame for netbsd:Xsoftintr+0x4f, trying 0xffff=
a700ae4840f0
> [ 2548.592760] Xsoftintr() at netbsd:Xsoftintr+0x4f
> [ 2548.592760] --- interrupt ---
> [ 2548.592760] cccc8ccc4dccddcc:
> [ 2548.592760] cpu0: End traceback...
>
> [ 1000.479797] panic: kernel diagnostic assertion "!cpu_softintr_p()" =
failed: file "/usr/src/sys/kern/subr_kmem.c", line 337
> [ 1000.479797] cpu0: Begin traceback...
> [ 1000.479797] vpanic() at netbsd:vpanic+0x152
> [ 1000.479797] __x86_indirect_thunk_rax() at netbsd:__x86_indirect_thu=
nk_rax
> [ 1000.479797] kmem_free() at netbsd:kmem_free+0x82
> [ 1000.479797] _ieee80211_crypto_delkey() at netbsd:_ieee80211_crypto_=
delkey+0x64
> [ 1000.479797] ieee80211_crypto_delkey() at netbsd:ieee80211_crypto_de=
lkey+0x24
> [ 1000.479797] ieee80211_node_delucastkey() at netbsd:ieee80211_node_d=
elucastkey+0xc3
> [ 1000.479797] ieee80211_sta_leave() at netbsd:ieee80211_sta_leave+0x1=
c
> [ 1000.479797] ieee80211_newstate() at netbsd:ieee80211_newstate+0x354=
> [ 1000.479797] iwn_newstate() at netbsd:iwn_newstate+0x346
> [ 1000.479797] ieee80211_recv_mgmt() at netbsd:ieee80211_recv_mgmt+0xb=
4c
> [ 1000.479797] ieee80211_input() at netbsd:ieee80211_input+0x408
> [ 1000.479797] iwn_notif_intr() at netbsd:iwn_notif_intr+0x515
> [ 1000.479797] iwn_softintr() at netbsd:iwn_softintr+0x311
> [ 1000.479797] softint_dispatch() at netbsd:softint_dispatch+0x2d1
> [ 1000.479797] DDB lost frame for netbsd:Xsoftintr+0x4f, trying 0xffff=
ac00ae4840f0
> [ 1000.479797] Xsoftintr() at netbsd:Xsoftintr+0x4f
> [ 1000.479797] --- interrupt ---
> [ 1000.479797] cccc8ccc4dccddcc:
> [ 1000.479797] cpu0: End traceback...
>
>> How-To-Repeat:
>> Fix:
The kmem_free is called from softint context wich isn't allowed. Those ke=
y allocation should be done via kmem_intr_alloc/kmem_intr_free.
I've seen that as well and forgot about it after patching is locally. I'l=
l commit that change.
--=20
-----
You will continue to suffer
if you have an emotional reaction to everything that is said to you.
True power is sitting back and observing everything with logic.
If words control you that means everyone else can control you.
Breathe and allow things to pass.
--- Bruce Lee
--RYSd8fBJuXq5OeWFnqqgH8PgC0USmlLG7--
--AvBCJCqg1N16yQuXPjELzZVvgsATZMtuZ
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEKr+CRUEAsbCC4oKDexg3nfOkUnAFAl9cdO8ACgkQexg3nfOk
UnCbpw//e+1GhLTwBZe49qVhZB+1bcTYYXsHkyuOZZzJ3RxyEfRnrcAf1EZ7ZidL
1xtW0NEQk6JRV/uWqOCQF67EsZ5sVvcrQbLc+p5qSxdvypjir6KA7ohS9v71NUjy
wOluM+R9aqu1oN3tjRAuQ5utrT/gdmiOmMhhSlOsXUdWTchX9/glEjWsivHUERf0
vHIMuivcZeJ+sqFLvnh0NNsmoGs7b60hyGBLKfTYeoH43TU1F3pTgTFQexF8p9fW
ZREfXoLHxxXoxeI7eiCcN/9wTp4tqcIvrjPH1wlN+QCZBbijRusbasJLT/UVFdA/
YYZ38RTM+c67h2fnzmP7qfTAEoDdDbIZAMOBW146h9vwSAzcdibHVwf0HKBSopZl
PB7lgsAhJTKB1137N0I7VFfeCgJ8YqHGqflzFMj8JTywKlfU1051TwOxxYhBBfHP
DTFKnXBMTLGQ405lqqXoEIOZAhBgwCrxsPQAWZ6FAYbbOLu18yYdJbNIZwFGv5ir
/3hCkXGtEmriJApv2Y9FZbP0gT1I4TzyQPsRFN6M3UVPfIkRtAyIu+AQVJ12ieGp
bdS0dY4vw4tCiKBCSF+wLlDU6qjWdaqGxdYy1RHg58BKPcZCrE99AAgvzPv7sJaB
em+9Q2VfiTh6YkQNE7eAE1BDm4KK05TTpvH37nPmE9mE52Wxk88=
=VvCC
-----END PGP SIGNATURE-----
--AvBCJCqg1N16yQuXPjELzZVvgsATZMtuZ--
From: mlelstv@serpens.de (Michael van Elst)
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: port-amd64/55655: Specific AP deauth causes panic
Date: Sat, 12 Sep 2020 07:47:11 -0000 (UTC)
pr@xn--rvztrtkrfrgp-bbb7j2b8f0b9d7a21oft.com writes:
>Initially thought it was wpi specific but have the same behavior with ath.
Also happens on iwn. That's a generic fault, the ieee80211 layer
frees memory in a softint routine, that code needs to be deferred
to a thread context.
--
--
Michael van Elst
Internet: mlelstv@serpens.de
"A potential Snark may lurk in every tree."
(Contact us)
$NetBSD: query-full-pr,v 1.46 2020/01/03 16:35:01 leot Exp $
$NetBSD: gnats_config.sh,v 1.9 2014/08/02 14:16:04 spz Exp $
Copyright © 1994-2020
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.