NetBSD Problem Report #56489

From john@frigg.zia.io  Mon Nov  8 18:35:38 2021
Return-Path: <john@frigg.zia.io>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id C2A8A1A9239
	for <gnats-bugs@gnats.NetBSD.org>; Mon,  8 Nov 2021 18:35:38 +0000 (UTC)
Message-Id: <20211108160814.AE6DE7E0A0@frigg.zia.io>
Date: Mon,  8 Nov 2021 16:08:14 +0000 (UTC)
From: john@ziaspace.com
Reply-To: john@ziaspace.com
To: gnats-bugs@NetBSD.org
Subject: NetBSD 9.99.92/amd64 panicked by aircrack-ng
X-Send-Pr-Version: 3.95

>Number:         56489
>Category:       kern
>Synopsis:       NetBSD 9.99.92/amd64 panicked by aircrack-ng
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Nov 08 18:40:00 +0000 2021
>Last-Modified:  Tue Nov 09 02:10:01 +0000 2021
>Originator:     john@ziaspace.com
>Release:        NetBSD 9.99.92
>Organization:

>Environment:


System: NetBSD frigg.zia.io 9.99.92 NetBSD 9.99.92 (FRIGG) #0: Sun Oct 31 22:05:07 UTC 2021 john@frigg.zia.io:/usr/current/obj-amd64/sys/arch/amd64/compile/FRIGG amd64
Architecture: x86_64
Machine: amd64
>Description:

I have an amd64 system running 9.99.92 from Halloween (about a week ago)
with an urtwn0 USB wifi interface:

[     2.301939] urtwn0 at uhub1 port 7
[     2.301939] urtwn0: Realtek (0x7392) 802.11n WLAN Adapter (0x7811), rev 2.00/2.00, addr 1
[     3.851931] urtwn0: MAC/BB RTL8188CUS, RF 6052 1T1R, address 80:1f:02:d3:ad:65
[     3.851931] urtwn0: 1 rx pipe, 2 tx pipes

I've installed pkgsrc/wip/aircrack-ng. Running "airodump-ng urtwn0"
causes a panic:

 nic: kernel diagnostic assertion "mutex_owned(&sc->sc_write_mtx)" failed: file "/usr/current/src/sys/dev/usb/if_urtwn.c", line 4423 
[ 348710.188668] cpu1: Begin traceback...
[ 348710.188668] vpanic() at netbsd:vpanic+0x156
[ 348710.188668] __x86_indirect_thunk_rax() at netbsd:__x86_indirect_thunk_rax
[ 348710.198668] urtwn_set_chan.constprop.0() at netbsd:urtwn_set_chan.constprop.0+0x9a5
[ 348710.198668] urtwn_ioctl() at netbsd:urtwn_ioctl+0x135
[ 348710.198668] doifioctl() at netbsd:doifioctl+0x30e
[ 348710.198668] sys_ioctl() at netbsd:sys_ioctl+0x56d
[ 348710.198668] syscall() at netbsd:syscall+0x196
[ 348710.198668] --- syscall (number 54) ---
[ 348710.198668] netbsd:syscall+0x196:
[ 348710.198668] cpu1: End traceback...

[ 348710.198668] dumping to dev 19,1 (offset=8, size=16759586):
[ 348710.198668] dump 


>How-To-Repeat:

>Fix:


>Audit-Trail:
From: matthew green <mrg@eterna.com.au>
To: gnats-bugs@netbsd.org, john@ziaspace.com
Cc: kern-bug-people@netbsd.org, gnats-admin@netbsd.org,
    netbsd-bugs@netbsd.org
Subject: re: kern/56489: NetBSD 9.99.92/amd64 panicked by aircrack-ng
Date: Tue, 09 Nov 2021 06:41:32 +1100

 >  nic: kernel diagnostic assertion "mutex_owned(&sc->sc_write_mtx)" failed: file "/usr/current/src/sys/dev/usb/if_urtwn.c", line 4423
 > [ 348710.188668] cpu1: Begin traceback...
 > [ 348710.188668] vpanic() at netbsd:vpanic+0x156
 > [ 348710.188668] __x86_indirect_thunk_rax() at netbsd:__x86_indirect_thunk_rax
 > [ 348710.198668] urtwn_set_chan.constprop.0() at netbsd:urtwn_set_chan.constprop.0+0x9a5
 > [ 348710.198668] urtwn_ioctl() at netbsd:urtwn_ioctl+0x135
 > [ 348710.198668] doifioctl() at netbsd:doifioctl+0x30e
 > [ 348710.198668] sys_ioctl() at netbsd:sys_ioctl+0x56d

 can you try this?  there are two cases i see this being
 problematic, but this change handles both.  the above
 path, and, also another path thru urtwn_ioctl() via the
 80211 ic_reset() callback.


 Index: if_urtwn.c
 ===================================================================
 RCS file: /cvsroot/src/sys/dev/usb/if_urtwn.c,v
 retrieving revision 1.101
 diff -p -u -r1.101 if_urtwn.c
 --- if_urtwn.c	21 Oct 2021 20:18:16 -0000	1.101
 +++ if_urtwn.c	8 Nov 2021 19:40:18 -0000
 @@ -2998,6 +2998,7 @@ urtwn_ioctl(struct ifnet *ifp, u_long cm
  	    0, 0);
  =

  	s =3D splnet();
 +	mutex_enter(&sc->sc_write_mtx);
  =

  	switch (cmd) {
  	case SIOCSIFFLAGS:
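Review bot: the mutex_enter() placed ahead of `switch (cmd)` holds sc_write_mtx across every command, not only the channel change that tripped the mutex_owned() assertion. Any case that calls out of the driver and comes back into urtwn_ioctl() takes the same mutex a second time; the follow-up trace in this PR shows that path (urtwn_ioctl -> ifioctl_common -> ... -> urtwn_ioctl -> mutex_vector_enter, "locking against myself"). Suggest taking the lock only around the urtwn_set_chan() call.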
 @@ -3053,6 +3054,7 @@ urtwn_ioctl(struct ifnet *ifp, u_long cm
  		error =3D 0;
  	}
  =

 +	mutex_exit(&sc->sc_write_mtx);
  	splx(s);
  =

  	return error;
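Review bot: the single mutex_exit() before splx(s) only releases the lock for cases that fall out of the bottom of the switch; the hunk does not show whether any case returns directly, and one that did would leave sc_write_mtx held. Check every exit from the switch, or keep the enter/exit pair inside the one case that needs it.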

From: John Klos <john@ziaspace.com>
To: matthew green <mrg@eterna.com.au>
Cc: gnats-bugs@netbsd.org, kern-bug-people@netbsd.org, netbsd-bugs@netbsd.org
Subject: re: kern/56489: NetBSD 9.99.92/amd64 panicked by aircrack-ng
Date: Mon, 8 Nov 2021 20:57:40 +0000 (UTC)

 > can you try this?  there are two cases i see this being
 > problematic, but this change handles both.  the above
 > path, and, also another path thru urtwn_ioctl() via the
 > 80211 ic_reset() callback.
 >
 >
 > Index: if_urtwn.c
 > ===================================================================

 Tried, and got this:

 [    78.456879] Mutex error: mutex_vector_enter,549: locking against myself

 [    78.456879] lock address : 0xffffb10086d17210
 [    78.456879] current cpu  :                  0
 [    78.456879] current lwp  : 0xfffffe4657111a00
 [    78.456879] owner field  : 0xfffffe4657111a00 wait/spin: 0/0

 [    78.456879] panic: lock error: Mutex: mutex_vector_enter,549: locking against myself: lock 0xffffb10086d17210 cpu 0 lwp 0xfffffe4657111a00
 [    78.456879] cpu0: Begin traceback...
 [    78.456879] vpanic() at netbsd:vpanic+0x156
 [    78.456879] device_printf() at netbsd:device_printf
 [    78.456879] lockdebug_abort() at netbsd:lockdebug_abort+0xd3
 [    78.456879] mutex_vector_enter() at netbsd:mutex_vector_enter+0x40c
 [    78.456879] urtwn_ioctl() at netbsd:urtwn_ioctl+0x42
 [    78.456879] in6_update_ifa1() at netbsd:in6_update_ifa1+0x7d5
 [    78.456879] in6_update_ifa() at netbsd:in6_update_ifa+0x32
 [    78.456879] in6_ifattach() at netbsd:in6_ifattach+0x425
 [    78.456879] in6_if_up() at netbsd:in6_if_up+0x14
 [    78.456879] if_up_locked() at netbsd:if_up_locked+0x75
 [    78.456879] ifioctl_common() at netbsd:ifioctl_common+0x490
 [    78.456879] urtwn_ioctl() at netbsd:urtwn_ioctl+0x107
 [    78.466879] doifioctl() at netbsd:doifioctl+0x30e
 [    78.466879] sys_ioctl() at netbsd:sys_ioctl+0x56d
 [    78.466879] syscall() at netbsd:syscall+0x196
 [    78.466879] --- syscall (number 54) ---
 [    78.466879] netbsd:syscall+0x196:
 [    78.466879] cpu0: End traceback...

 [    78.466879] dumping to dev 19,1 (offset=8, size=16759586):
 [    78.466879] dump

From: matthew green <mrg@eterna.com.au>
To: John Klos <john@ziaspace.com>
Cc: gnats-bugs@netbsd.org, kern-bug-people@netbsd.org,
    netbsd-bugs@netbsd.org
Subject: re: kern/56489: NetBSD 9.99.92/amd64 panicked by aircrack-ng
Date: Tue, 09 Nov 2021 10:21:42 +1100

 > [    78.456879] Mutex error: mutex_vector_enter,549: locking against myself

 ah, yes.  ok, can you try this more targeted change?

 thanks.  might be worth trying without the 2nd chunk if
 you still see a problem.



 Index: if_urtwn.c
 ===================================================================
 RCS file: /cvsroot/src/sys/dev/usb/if_urtwn.c,v
 retrieving revision 1.101
 diff -p -u -r1.101 if_urtwn.c
 --- if_urtwn.c	21 Oct 2021 20:18:16 -0000	1.101
 +++ if_urtwn.c	8 Nov 2021 23:20:05 -0000
 @@ -3034,9 +3034,11 @@ urtwn_ioctl(struct ifnet *ifp, u_long cm
  		error = ieee80211_ioctl(ic, cmd, data);
  		if (error == ENETRESET &&
  		    ic->ic_opmode == IEEE80211_M_MONITOR) {
 +			mutex_enter(&sc->sc_write_mtx);
  			urtwn_set_chan(sc, ic->ic_curchan,
  			    IEEE80211_HTINFO_2NDCHAN_NONE);
  			error = 0;
 +			mutex_exit(&sc->sc_write_mtx);
  		}
  		break;

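Review bot: in the ENETRESET branch, `error = 0;` sits inside the critical section although only urtwn_set_chan() needs sc_write_mtx; mutex_exit() can move up to directly after the call. Separately, the trace reported against this version still faults in mutex_enter at urtwn_ioctl+0x42, reached through ifioctl_common() from urtwn_ioctl+0x107, the same offsets as with the whole-switch lock, so it is worth confirming that the earlier change was backed out of the tested tree.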
 @@ -5061,7 +5063,9 @@ urtwn_reset(struct ifnet *ifp)
  	if (ic->ic_opmode != IEEE80211_M_MONITOR)
  		return ENETRESET;

 +	mutex_enter(&sc->sc_write_mtx);
  	urtwn_set_chan(sc, ic->ic_curchan, IEEE80211_HTINFO_2NDCHAN_NONE);
 +	mutex_exit(&sc->sc_write_mtx);

  	return 0;
  }
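Review bot: urtwn_reset() now repeats the same mutex_enter / urtwn_set_chan() / mutex_exit sequence as the monitor-mode branch in urtwn_ioctl(); a small locked wrapper would keep the two call sites from drifting apart. Because the mutex rejects re-entry by its owner, this is only safe if no caller of the reset callback already holds sc_write_mtx, which the hunk does not show and which the accompanying message hedges by suggesting a test without this chunk.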

From: John Klos <john@ziaspace.com>
To: gnats-bugs@netbsd.org
Cc: kern-bug-people@netbsd.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Subject: re: kern/56489: NetBSD 9.99.92/amd64 panicked by aircrack-ng
Date: Tue, 9 Nov 2021 02:08:33 +0000 (UTC)

 > ah, yes.  ok, can you try this more targeted change?
 >
 > thanks.  might be worth trying without the 2nd chunk if
 > you still see a problem.

 Happens in both cases, unfortunately.

 [   143.544636] Mutex error: mutex_vector_enter,549: locking against myself

 [   143.544636] lock address : 0xffffbe0086d17210
 [   143.544636] current cpu  :                  1
 [   143.544636] current lwp  : 0xfffff049d892a1c0
 [   143.544636] owner field  : 0xfffff049d892a1c0 wait/spin: 0/0

 [   143.544636] panic: lock error: Mutex: mutex_vector_enter,549: locking against myself: lock 0xffffbe0086d17210 cpu 1 lwp 0xfffff049d892a1c0
 [   143.544636] cpu1: Begin traceback...
 [   143.544636] vpanic() at netbsd:vpanic+0x156
 [   143.544636] device_printf() at netbsd:device_printf
 [   143.544636] lockdebug_abort() at netbsd:lockdebug_abort+0xd3
 [   143.544636] mutex_vector_enter() at netbsd:mutex_vector_enter+0x40c
 [   143.544636] urtwn_ioctl() at netbsd:urtwn_ioctl+0x42
 [   143.544636] in6_update_ifa1() at netbsd:in6_update_ifa1+0x7d5
 [   143.544636] in6_update_ifa() at netbsd:in6_update_ifa+0x32
 [   143.544636] in6_ifattach() at netbsd:in6_ifattach+0x425
 [   143.544636] in6_if_up() at netbsd:in6_if_up+0x14
 [   143.554636] if_up_locked() at netbsd:if_up_locked+0x75
 [   143.554636] ifioctl_common() at netbsd:ifioctl_common+0x490
 [   143.554636] urtwn_ioctl() at netbsd:urtwn_ioctl+0x107
 [   143.554636] doifioctl() at netbsd:doifioctl+0x30e
 [   143.554636] sys_ioctl() at netbsd:sys_ioctl+0x56d
 [   143.554636] syscall() at netbsd:syscall+0x196
 [   143.554636] --- syscall (number 54) ---
 [   143.554636] netbsd:syscall+0x196:
 [   143.554636] cpu1: End traceback...

 [   143.554636] dumping to dev 19,1 (offset=8, size=16759586):
 [   143.554636] dump










 [   257.207773] Mutex error: mutex_vector_enter,549: locking against myself

 [   257.207773] lock address : 0xffff9d0086d17210
 [   257.207773] current cpu  :                  1
 [   257.207773] current lwp  : 0xffff9a720b8c6600
 [   257.207773] owner field  : 0xffff9a720b8c6600 wait/spin: 0/0

 [   257.207773] panic: lock error: Mutex: mutex_vector_enter,549: locking against myself: lock 0xffff9d0086d17210 cpu 1 lwp 0xffff9a720b8c6600
 [   257.207773] cpu1: Begin traceback...
 [   257.207773] vpanic() at netbsd:vpanic+0x156
 [   257.207773] device_printf() at netbsd:device_printf
 [   257.217774] lockdebug_abort() at netbsd:lockdebug_abort+0xd3
 [   257.217774] mutex_vector_enter() at netbsd:mutex_vector_enter+0x40c
 [   257.217774] urtwn_ioctl() at netbsd:urtwn_ioctl+0x42
 [   257.217774] in6_update_ifa1() at netbsd:in6_update_ifa1+0x7d5
 [   257.217774] in6_update_ifa() at netbsd:in6_update_ifa+0x32
 [   257.217774] in6_ifattach() at netbsd:in6_ifattach+0x425
 [   257.217774] in6_if_up() at netbsd:in6_if_up+0x14
 [   257.217774] if_up_locked() at netbsd:if_up_locked+0x75
 [   257.217774] ifioctl_common() at netbsd:ifioctl_common+0x490
 [   257.217774] urtwn_ioctl() at netbsd:urtwn_ioctl+0x107
 [   257.217774] doifioctl() at netbsd:doifioctl+0x30e
 [   257.217774] sys_ioctl() at netbsd:sys_ioctl+0x56d
 [   257.217774] syscall() at netbsd:syscall+0x196
 [   257.217774] --- syscall (number 54) ---
 [   257.217774] netbsd:syscall+0x196:
 [   257.217774] cpu1: End traceback...

 [   257.217774] dumping to dev 19,1 (offset=8, size=16759586):
 [   257.217774] dump
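
Added example, not part of the PR and not NetBSD source: a user-space C model of the two panics in this thread, a channel change that reaches the asserted function without the write mutex, and a function-wide lock that is re-entered when the interface-up path calls back into the driver ioctl. The command names, the `scope` selector and the single-thread owner field are assumptions of the model; it says nothing about whether the targeted patch resolves the real driver.

```c
/* Added illustration: a user-space model, not NetBSD kernel code. */
#include <stdio.h>
enum outcome { OK, PANIC_NOT_OWNED, PANIC_SELF_LOCK };
enum scope { LOCK_NONE, LOCK_WHOLE_SWITCH, LOCK_SET_CHAN_ONLY };
enum cmd { CMD_SET_CHAN, CMD_IF_UP, CMD_ADDR_UPDATE };  /* hypothetical names */
struct softc { int owner; };    /* 0 = free, otherwise id of the holder */
static const int self = 1;      /* the one calling thread in this model */

/* Non-recursive mutex: a second enter by the owner is reported, not granted. */
static enum outcome m_enter(struct softc *sc) {
    if (sc->owner == self) return PANIC_SELF_LOCK;  /* "locking against myself" */
    sc->owner = self;
    return OK;
}
static void m_exit(struct softc *sc) { sc->owner = 0; }

/* Stands in for the asserted precondition: the caller holds the write mutex. */
static enum outcome set_chan(struct softc *sc) {
    return sc->owner == self ? OK : PANIC_NOT_OWNED;
}
static enum outcome drv_ioctl(struct softc *sc, enum cmd c, enum scope s) {
    enum outcome r = OK;
    if (s == LOCK_WHOLE_SWITCH && (r = m_enter(sc)) != OK) return r;
    switch (c) {
    case CMD_SET_CHAN:
        if (s == LOCK_SET_CHAN_ONLY && (r = m_enter(sc)) != OK) return r;
        r = set_chan(sc);
        if (s == LOCK_SET_CHAN_ONLY) m_exit(sc);
        break;
    case CMD_IF_UP:             /* generic code calls back into the driver */
        r = drv_ioctl(sc, CMD_ADDR_UPDATE, s);
        break;
    case CMD_ADDR_UPDATE: break;
    }
    if (s == LOCK_WHOLE_SWITCH) m_exit(sc);
    return r;
}
/* Run one command against a fresh softc so the cases do not interact. */
static enum outcome run(enum cmd c, enum scope s) {
    struct softc sc = { 0 };
    return drv_ioctl(&sc, c, s);
}
int main(void) {
    const char *n[] = { "ok", "mutex not owned", "locking against myself" };
    for (int s = LOCK_NONE; s <= LOCK_SET_CHAN_ONLY; s++)
        printf("scope %d: set_chan=%s if_up=%s\n", s,
            n[run(CMD_SET_CHAN, s)], n[run(CMD_IF_UP, s)]);
    return 0;
}
```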

>Unformatted:
