NetBSD Problem Report #56489
From john@frigg.zia.io Mon Nov 8 18:35:38 2021
Return-Path: <john@frigg.zia.io>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id C2A8A1A9239
for <gnats-bugs@gnats.NetBSD.org>; Mon, 8 Nov 2021 18:35:38 +0000 (UTC)
Message-Id: <20211108160814.AE6DE7E0A0@frigg.zia.io>
Date: Mon, 8 Nov 2021 16:08:14 +0000 (UTC)
From: john@ziaspace.com
Reply-To: john@ziaspace.com
To: gnats-bugs@NetBSD.org
Subject: NetBSD 9.99.92/amd64 panicked by aircrack-ng
X-Send-Pr-Version: 3.95
>Number: 56489
>Category: kern
>Synopsis: NetBSD 9.99.92/amd64 panicked by aircrack-ng
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Nov 08 18:40:00 +0000 2021
>Last-Modified: Tue Nov 09 02:10:01 +0000 2021
>Originator: john@ziaspace.com
>Release: NetBSD 9.99.92
>Organization:
>Environment:
System: NetBSD frigg.zia.io 9.99.92 NetBSD 9.99.92 (FRIGG) #0: Sun Oct 31 22:05:07 UTC 2021 john@frigg.zia.io:/usr/current/obj-amd64/sys/arch/amd64/compile/FRIGG amd64
Architecture: x86_64
Machine: amd64
>Description:
I have an amd64 system running 9.99.92 from Halloween (about a week ago)
with an urtwn0 USB wifi interface:
[ 2.301939] urtwn0 at uhub1 port 7
[ 2.301939] urtwn0: Realtek (0x7392) 802.11n WLAN Adapter (0x7811), rev 2.00/2.00, addr 1
[ 3.851931] urtwn0: MAC/BB RTL8188CUS, RF 6052 1T1R, address 80:1f:02:d3:ad:65
[ 3.851931] urtwn0: 1 rx pipe, 2 tx pipes
I've installed pkgsrc/wip/aircrack-ng. Running "airodump-ng urtwn0"
causes a panic:
nic: kernel diagnostic assertion "mutex_owned(&sc->sc_write_mtx)" failed: file "/usr/current/src/sys/dev/usb/if_urtwn.c", line 4423
[ 348710.188668] cpu1: Begin traceback...
[ 348710.188668] vpanic() at netbsd:vpanic+0x156
[ 348710.188668] __x86_indirect_thunk_rax() at netbsd:__x86_indirect_thunk_rax
[ 348710.198668] urtwn_set_chan.constprop.0() at netbsd:urtwn_set_chan.constprop.0+0x9a5
[ 348710.198668] urtwn_ioctl() at netbsd:urtwn_ioctl+0x135
[ 348710.198668] doifioctl() at netbsd:doifioctl+0x30e
[ 348710.198668] sys_ioctl() at netbsd:sys_ioctl+0x56d
[ 348710.198668] syscall() at netbsd:syscall+0x196
[ 348710.198668] --- syscall (number 54) ---
[ 348710.198668] netbsd:syscall+0x196:
[ 348710.198668] cpu1: End traceback...
[ 348710.198668] dumping to dev 19,1 (offset=8, size=16759586):
[ 348710.198668] dump
>How-To-Repeat:
>Fix:
>Audit-Trail:
From: matthew green <mrg@eterna.com.au>
To: gnats-bugs@netbsd.org, john@ziaspace.com
Cc: kern-bug-people@netbsd.org, gnats-admin@netbsd.org,
netbsd-bugs@netbsd.org
Subject: re: kern/56489: NetBSD 9.99.92/amd64 panicked by aircrack-ng
Date: Tue, 09 Nov 2021 06:41:32 +1100
> nic: kernel diagnostic assertion "mutex_owned(&sc->sc_write_mtx)" failed: file "/usr/current/src/sys/dev/usb/if_urtwn.c", line 4423
> [ 348710.188668] cpu1: Begin traceback...
> [ 348710.188668] vpanic() at netbsd:vpanic+0x156
> [ 348710.188668] __x86_indirect_thunk_rax() at netbsd:__x86_indirect_thunk_rax
> [ 348710.198668] urtwn_set_chan.constprop.0() at netbsd:urtwn_set_chan.constprop.0+0x9a5
> [ 348710.198668] urtwn_ioctl() at netbsd:urtwn_ioctl+0x135
> [ 348710.198668] doifioctl() at netbsd:doifioctl+0x30e
> [ 348710.198668] sys_ioctl() at netbsd:sys_ioctl+0x56d
can you try this? there are two cases i see this being
problematic, but this change handles both. the above
path, and, also another path thru urtwn_ioctl() via the
80211 ic_reset() callback.
Index: if_urtwn.c
===================================================================
RCS file: /cvsroot/src/sys/dev/usb/if_urtwn.c,v
retrieving revision 1.101
diff -p -u -r1.101 if_urtwn.c
--- if_urtwn.c 21 Oct 2021 20:18:16 -0000 1.101
+++ if_urtwn.c 8 Nov 2021 19:40:18 -0000
@@ -2998,6 +2998,7 @@ urtwn_ioctl(struct ifnet *ifp, u_long cm
0, 0);
=
s =3D splnet();
+ mutex_enter(&sc->sc_write_mtx);
=
switch (cmd) {
case SIOCSIFFLAGS:
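Review bot: The mutex_enter(&sc->sc_write_mtx) added right after s = splnet() sits ahead of switch (cmd), so every case runs with sc_write_mtx held, including the ones that call out of the driver. When one of those calls comes back into urtwn_ioctl(), the same LWP reaches this mutex_enter() a second time, which is the "locking against myself" panic reported later in this PR (urtwn_ioctl -> ifioctl_common -> ... -> urtwn_ioctl). Take the lock only around the urtwn_set_chan() call on the path that tripped the mutex_owned(&sc->sc_write_mtx) assertion, not around the whole switch.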
@@ -3053,6 +3054,7 @@ urtwn_ioctl(struct ifnet *ifp, u_long cm
error =3D 0;
}
=
+ mutex_exit(&sc->sc_write_mtx);
splx(s);
=
return error;
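Review bot: The mutex_exit(&sc->sc_write_mtx) placed before splx(s) is the only release this patch adds, so it depends on every case of the switch falling through to this common exit. The body between the two hunks is not shown here; check that no case returns early with the mutex held. A short comment at the mutex_enter() site naming the callee that needs sc_write_mtx would make the pairing easier to audit.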
From: John Klos <john@ziaspace.com>
To: matthew green <mrg@eterna.com.au>
Cc: gnats-bugs@netbsd.org, kern-bug-people@netbsd.org, netbsd-bugs@netbsd.org
Subject: re: kern/56489: NetBSD 9.99.92/amd64 panicked by aircrack-ng
Date: Mon, 8 Nov 2021 20:57:40 +0000 (UTC)
> can you try this? there are two cases i see this being
> problematic, but this change handles both. the above
> path, and, also another path thru urtwn_ioctl() via the
> 80211 ic_reset() callback.
>
>
> Index: if_urtwn.c
> ===================================================================
Tried, and got this:
[ 78.456879] Mutex error: mutex_vector_enter,549: locking against myself
[ 78.456879] lock address : 0xffffb10086d17210
[ 78.456879] current cpu : 0
[ 78.456879] current lwp : 0xfffffe4657111a00
[ 78.456879] owner field : 0xfffffe4657111a00 wait/spin: 0/0
[ 78.456879] panic: lock error: Mutex: mutex_vector_enter,549: locking against myself: lock 0xffffb10086d17210 cpu 0 lwp 0xfffffe4657111a00
[ 78.456879] cpu0: Begin traceback...
[ 78.456879] vpanic() at netbsd:vpanic+0x156
[ 78.456879] device_printf() at netbsd:device_printf
[ 78.456879] lockdebug_abort() at netbsd:lockdebug_abort+0xd3
[ 78.456879] mutex_vector_enter() at netbsd:mutex_vector_enter+0x40c
[ 78.456879] urtwn_ioctl() at netbsd:urtwn_ioctl+0x42
[ 78.456879] in6_update_ifa1() at netbsd:in6_update_ifa1+0x7d5
[ 78.456879] in6_update_ifa() at netbsd:in6_update_ifa+0x32
[ 78.456879] in6_ifattach() at netbsd:in6_ifattach+0x425
[ 78.456879] in6_if_up() at netbsd:in6_if_up+0x14
[ 78.456879] if_up_locked() at netbsd:if_up_locked+0x75
[ 78.456879] ifioctl_common() at netbsd:ifioctl_common+0x490
[ 78.456879] urtwn_ioctl() at netbsd:urtwn_ioctl+0x107
[ 78.466879] doifioctl() at netbsd:doifioctl+0x30e
[ 78.466879] sys_ioctl() at netbsd:sys_ioctl+0x56d
[ 78.466879] syscall() at netbsd:syscall+0x196
[ 78.466879] --- syscall (number 54) ---
[ 78.466879] netbsd:syscall+0x196:
[ 78.466879] cpu0: End traceback...
[ 78.466879] dumping to dev 19,1 (offset=8, size=16759586):
[ 78.466879] dump
From: matthew green <mrg@eterna.com.au>
To: John Klos <john@ziaspace.com>
Cc: gnats-bugs@netbsd.org, kern-bug-people@netbsd.org,
netbsd-bugs@netbsd.org
Subject: re: kern/56489: NetBSD 9.99.92/amd64 panicked by aircrack-ng
Date: Tue, 09 Nov 2021 10:21:42 +1100
> [ 78.456879] Mutex error: mutex_vector_enter,549: locking against myself
ah, yes. ok, can you try this more targeted change?
thanks. might be worth trying without the 2nd chunk if
you still see a problem.
Index: if_urtwn.c
===================================================================
RCS file: /cvsroot/src/sys/dev/usb/if_urtwn.c,v
retrieving revision 1.101
diff -p -u -r1.101 if_urtwn.c
--- if_urtwn.c 21 Oct 2021 20:18:16 -0000 1.101
+++ if_urtwn.c 8 Nov 2021 23:20:05 -0000
@@ -3034,9 +3034,11 @@ urtwn_ioctl(struct ifnet *ifp, u_long cm
error = ieee80211_ioctl(ic, cmd, data);
if (error == ENETRESET &&
ic->ic_opmode == IEEE80211_M_MONITOR) {
+ mutex_enter(&sc->sc_write_mtx);
urtwn_set_chan(sc, ic->ic_curchan,
IEEE80211_HTINFO_2NDCHAN_NONE);
error = 0;
+ mutex_exit(&sc->sc_write_mtx);
}
break;
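Review bot: In the ENETRESET branch the locked region also covers error = 0, which touches no driver state; mutex_exit() can follow urtwn_set_chan() directly so the critical section is exactly the call that needs it. The same enter / urtwn_set_chan() / exit sequence is repeated in urtwn_reset() in the next hunk, so a small wrapper that takes sc_write_mtx around the call would keep the two sites from drifting apart. A one-line comment should say the lock is taken because this path tripped the mutex_owned(&sc->sc_write_mtx) assertion in the original report.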
@@ -5061,7 +5063,9 @@ urtwn_reset(struct ifnet *ifp)
if (ic->ic_opmode != IEEE80211_M_MONITOR)
return ENETRESET;
+ mutex_enter(&sc->sc_write_mtx);
urtwn_set_chan(sc, ic->ic_curchan, IEEE80211_HTINFO_2NDCHAN_NONE);
+ mutex_exit(&sc->sc_write_mtx);
return 0;
}
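Review bot: urtwn_reset() now takes sc_write_mtx unconditionally before urtwn_set_chan(), which is only correct if no caller of this reset path already holds it; the mutex is not recursive, as the "locking against myself" panic in this PR shows. State the expected lock state in a comment above the function (called without sc_write_mtx held) and confirm it against each caller, since the message accompanying the patch already suggests testing without this chunk.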
From: John Klos <john@ziaspace.com>
To: gnats-bugs@netbsd.org
Cc: kern-bug-people@netbsd.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Subject: re: kern/56489: NetBSD 9.99.92/amd64 panicked by aircrack-ng
Date: Tue, 9 Nov 2021 02:08:33 +0000 (UTC)
> ah, yes. ok, can you try this more targeted change?
>
> thanks. might be worth trying without the 2nd chunk if
> you still see a problem.
Happens in both cases, unfortunately.
[ 143.544636] Mutex error: mutex_vector_enter,549: locking against myself
[ 143.544636] lock address : 0xffffbe0086d17210
[ 143.544636] current cpu : 1
[ 143.544636] current lwp : 0xfffff049d892a1c0
[ 143.544636] owner field : 0xfffff049d892a1c0 wait/spin: 0/0
[ 143.544636] panic: lock error: Mutex: mutex_vector_enter,549: locking against myself: lock 0xffffbe0086d17210 cpu 1 lwp 0xfffff049d892a1c0
[ 143.544636] cpu1: Begin traceback...
[ 143.544636] vpanic() at netbsd:vpanic+0x156
[ 143.544636] device_printf() at netbsd:device_printf
[ 143.544636] lockdebug_abort() at netbsd:lockdebug_abort+0xd3
[ 143.544636] mutex_vector_enter() at netbsd:mutex_vector_enter+0x40c
[ 143.544636] urtwn_ioctl() at netbsd:urtwn_ioctl+0x42
[ 143.544636] in6_update_ifa1() at netbsd:in6_update_ifa1+0x7d5
[ 143.544636] in6_update_ifa() at netbsd:in6_update_ifa+0x32
[ 143.544636] in6_ifattach() at netbsd:in6_ifattach+0x425
[ 143.544636] in6_if_up() at netbsd:in6_if_up+0x14
[ 143.554636] if_up_locked() at netbsd:if_up_locked+0x75
[ 143.554636] ifioctl_common() at netbsd:ifioctl_common+0x490
[ 143.554636] urtwn_ioctl() at netbsd:urtwn_ioctl+0x107
[ 143.554636] doifioctl() at netbsd:doifioctl+0x30e
[ 143.554636] sys_ioctl() at netbsd:sys_ioctl+0x56d
[ 143.554636] syscall() at netbsd:syscall+0x196
[ 143.554636] --- syscall (number 54) ---
[ 143.554636] netbsd:syscall+0x196:
[ 143.554636] cpu1: End traceback...
[ 143.554636] dumping to dev 19,1 (offset=8, size=16759586):
[ 143.554636] dump
[ 257.207773] Mutex error: mutex_vector_enter,549: locking against myself
[ 257.207773] lock address : 0xffff9d0086d17210
[ 257.207773] current cpu : 1
[ 257.207773] current lwp : 0xffff9a720b8c6600
[ 257.207773] owner field : 0xffff9a720b8c6600 wait/spin: 0/0
[ 257.207773] panic: lock error: Mutex: mutex_vector_enter,549: locking against myself: lock 0xffff9d0086d17210 cpu 1 lwp 0xffff9a720b8c6600
[ 257.207773] cpu1: Begin traceback...
[ 257.207773] vpanic() at netbsd:vpanic+0x156
[ 257.207773] device_printf() at netbsd:device_printf
[ 257.217774] lockdebug_abort() at netbsd:lockdebug_abort+0xd3
[ 257.217774] mutex_vector_enter() at netbsd:mutex_vector_enter+0x40c
[ 257.217774] urtwn_ioctl() at netbsd:urtwn_ioctl+0x42
[ 257.217774] in6_update_ifa1() at netbsd:in6_update_ifa1+0x7d5
[ 257.217774] in6_update_ifa() at netbsd:in6_update_ifa+0x32
[ 257.217774] in6_ifattach() at netbsd:in6_ifattach+0x425
[ 257.217774] in6_if_up() at netbsd:in6_if_up+0x14
[ 257.217774] if_up_locked() at netbsd:if_up_locked+0x75
[ 257.217774] ifioctl_common() at netbsd:ifioctl_common+0x490
[ 257.217774] urtwn_ioctl() at netbsd:urtwn_ioctl+0x107
[ 257.217774] doifioctl() at netbsd:doifioctl+0x30e
[ 257.217774] sys_ioctl() at netbsd:sys_ioctl+0x56d
[ 257.217774] syscall() at netbsd:syscall+0x196
[ 257.217774] --- syscall (number 54) ---
[ 257.217774] netbsd:syscall+0x196:
[ 257.217774] cpu1: End traceback...
[ 257.217774] dumping to dev 19,1 (offset=8, size=16759586):
[ 257.217774] dump
>Unformatted: