ath / ieee80211 kernel crash (bridging involved)

From: Andriy Gapon <avg_at_FreeBSD.org>
Date: Thu, 16 Oct 2025 14:22:37 UTC
Admittedly, this happened on a system running stable/14 between the 14.2 and 14.3 
point releases, so the problem could have been already fixed.

Here is the stack trace:
#8  <signal handler called>
#9  0xffffffff80a60753 in ieee80211_hdrspace (ic=0xdeadc0dedeadc0de, 
data=0xfffff8002817966e) at sys/net80211/ieee80211_var.h:893
#10 ccmp_encap (k=0xfffffe007ac38160, m=0xfffff80028179600) at 
sys/net80211/ieee80211_crypto_ccmp.c:172
#11 0xffffffff80a60164 in ieee80211_crypto_encap (ni=<optimized out>, 
m=m@entry=0xfffff80028179600) at sys/net80211/ieee80211_crypto.c:599
#12 0xffffffff8065d83c in ath_tx_tag_crypto (sc=0xfffffe00045fd000, 
ni=0xfffffe007ac38000, m0=0xfffff80028179600, iswep=64, isfrag=0, 
hdrlen=<optimized out>, pktlen=<optimized out>, keyix=<optimized out>)
     at sys/dev/ath/if_ath_tx.c:997
#13 ath_tx_normal_setup (sc=0xfffffe00045fd000, ni=0xfffffe007ac38000, 
bf=0xfffffe000478cd58, m0=0xfffff80028179600, txq=0xfffffe0004604860) at 
sys/dev/ath/if_ath_tx.c:1593
#14 ath_tx_start (sc=sc@entry=0xfffffe00045fd000, 
ni=ni@entry=0xfffffe007ac38000, bf=bf@entry=0xfffffe000478cd58, 
m0=m0@entry=0xfffff80028179600) at sys/dev/ath/if_ath_tx.c:2072
#15 0xffffffff80651ebd in ath_transmit (ic=<optimized out>, 
m=0xfffff80028179600) at sys/dev/ath/if_ath.c:3516
#16 0xffffffff80a68967 in ieee80211_parent_xmitpkt 
(ic=ic@entry=0xfffffe00045fd000, m=m@entry=0xfffff80028179600) at 
sys/net80211/ieee80211_freebsd.c:721
#17 0xffffffff80a89656 in ieee80211_vap_pkt_send_dest 
(vap=vap@entry=0xfffff8000e766000, m=0xfffff80028179600, 
m@entry=0xfffff8000ee7de00, ni=<optimized out>)
     at sys/net80211/ieee80211_output.c:322
#18 0xffffffff80a8a964 in ieee80211_start_pkt (vap=0xfffff8000e766000, 
m=0xfffff8000ee7de00) at sys/net80211/ieee80211_output.c:479
#19 ieee80211_vap_transmit (ifp=<optimized out>, m=<optimized out>) at 
sys/net80211/ieee80211_output.c:539
#20 0xffffffff80a210e4 in bridge_enqueue (sc=sc@entry=0xfffff8000778d400, 
dst_ifp=dst_ifp@entry=0xfffff80068819000, m=0xdeadc0dedeadc0de, 
m@entry=0xfffff8000ee7de00)
     at sys/net/if_bridge.c:2108
#21 0xffffffff80a21c6c in bridge_transmit (ifp=ifp@entry=0xfffff800692be000, 
m=0xfffff8000ee7de00) at sys/net/if_bridge.c:2298
#22 0xffffffff80a1e3ef in bridge_altq_transmit (ifp=0xfffff800692be000, 
m=0xdeadc0dedeadc0de) at sys/net/if_bridge.c:2331
#23 0xffffffff80a2629c in ether_output_frame (ifp=0xfffff800692be000, 
m=0xfffff8000ee7de00) at sys/net/if_ethersubr.c:515
#24 0xffffffff80a2614b in ether_output (ifp=<optimized out>, 
m=0xfffff8000ee7de00, dst=<optimized out>, ro=<optimized out>) at 
sys/net/if_ethersubr.c:441
#25 0xffffffff80ac6924 in ip_output_send (inp=0x0, ifp=0xfffff800692be000, 
m=0xdeadc0dedeadc0de, gw=0xfffffe0050fcdb20, ro=0xfffffe0050fcdb00, 
stamp_tag=true) at sys/netinet/ip_output.c:270
#26 ip_output (m=0xfffff8000ee7de00, opt=opt@entry=0x0, 
ro=ro@entry=0xfffffe0050fcdb00, flags=flags@entry=1, imo=imo@entry=0x0, 
inp=inp@entry=0x0) at sys/netinet/ip_output.c:798
#27 0xffffffff80abe905 in ip_forward (m=0xfffff8000ee7de00, srcrt=<optimized 
out>) at sys/netinet/ip_input.c:1038
#28 0xffffffff80abe39c in ip_input (m=0xfffff8000ee7de00) at 
sys/netinet/ip_input.c:643
#29 0xffffffff80a47680 in netisr_dispatch_src (proto=proto@entry=1, 
source=source@entry=0, m=0xfffff8000ee7de00) at sys/net/netisr.c:1152
#30 0xffffffff80a479ee in netisr_dispatch (proto=26, proto@entry=1, m=0x88) at 
sys/net/netisr.c:1243
#31 0xffffffff80a26459 in ether_demux (ifp=ifp@entry=0xfffff800025cc000, 
m=0xfffff8000ee7de00) at sys/net/if_ethersubr.c:954
#32 0xffffffff80a2776e in ether_input_internal (ifp=0xfffff800025cc000, 
m=0xfffff8000ee7de00) at sys/net/if_ethersubr.c:718
#33 ether_nh_input (m=<optimized out>) at sys/net/if_ethersubr.c:748
#34 0xffffffff80a47680 in netisr_dispatch_src (proto=proto@entry=5, 
source=source@entry=0, m=0xfffff8000ee7de00) at sys/net/netisr.c:1152
#35 0xffffffff80a479ee in netisr_dispatch (proto=26, proto@entry=5, m=0x88) at 
sys/net/netisr.c:1243
#36 0xffffffff80a268a5 in ether_input (ifp=0xfffff800025cc000, 
m=0xdeadc0dedeadc0de) at sys/net/if_ethersubr.c:859
#37 0xffffffff80a1be9a in if_input (ifp=0x1a, ifp@entry=0xfffff800025cc000, 
sendmp=0xdeadc0dedeadc0de) at sys/net/if.c:4841
#38 0xffffffff80a40377 in iflib_rxeof (rxq=0xfffff800025cdb40, budget=<optimized 
out>) at sys/net/iflib.c:3081
#39 _task_fn_rx (context=0xfffff800025cdb40) at sys/net/iflib.c:4155
#40 0xffffffff80936e3e in gtaskqueue_run_locked 
(queue=queue@entry=0xfffff8000241fb00) at sys/kern/subr_gtaskqueue.c:369
#41 0xffffffff80936b83 in gtaskqueue_thread_loop 
(arg=arg@entry=0xfffffe00035bd020) at sys/kern/subr_gtaskqueue.c:545

As you can see, the packet path involved bridging from a wired interface to an 
ath one.

The kernel is built with INVARIANTS, so the 0xdeadc0dedeadc0de values seen here are 
probably related to freed memory _somewhere_.

-- 
Andriy Gapon
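The triage step behind the last remark, as an added example that is not part of the original post and not FreeBSD code: scan a gdb backtrace for pointer arguments that carry the UMA trash pattern. Under INVARIANTS, UMA overwrites freed items with uma_junk (0xdeadc0de), so a 64-bit pointer reading 0xdeadc0dedeadc0de was loaded from freed memory. The sample frame lines are adapted from the trace above as constructed input; the parsing helper names are this example's own. The caveat the output makes visible: in outer frames gdb frequently prints a stale register value rather than the argument the frame actually used (the m@entry= form is the reliable one, and bridge_enqueue shows both), so only the innermost poisoned frame, here ic= in ieee80211_hdrspace, is direct evidence of a use-after-free; the others are leads, not proof.

```c
/*
 * Added example (not from the post or from FreeBSD): find gdb backtrace
 * arguments equal to the UMA trash pattern written over freed items when
 * the kernel is built with INVARIANTS (uma_junk == 0xdeadc0de).
 */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define UMA_JUNK64 0xdeadc0dedeadc0deULL   /* two copies of uma_junk */

struct hit { int frame; char name[32]; };

/* Constructed sample input: frame lines adapted from the post's trace. */
static const char *sample_bt[] = {
 "#9  0xffffffff80a60753 in ieee80211_hdrspace (ic=0xdeadc0dedeadc0de, "
 "data=0xfffff8002817966e) at sys/net80211/ieee80211_var.h:893",
 "#10 ccmp_encap (k=0xfffffe007ac38160, m=0xfffff80028179600) at "
 "sys/net80211/ieee80211_crypto_ccmp.c:172",
 "#20 0xffffffff80a210e4 in bridge_enqueue (sc=sc@entry=0xfffff8000778d400, "
 "dst_ifp=dst_ifp@entry=0xfffff80068819000, m=0xdeadc0dedeadc0de, "
 "m@entry=0xfffff8000ee7de00) at sys/net/if_bridge.c:2108",
 "#21 0xffffffff80a21c6c in bridge_transmit (ifp=ifp@entry=0xfffff800692be000, "
 "m=0xfffff8000ee7de00) at sys/net/if_bridge.c:2298",
 NULL
};

static int is_poison(uint64_t v) { return v == UMA_JUNK64; }

/*
 * Parse one "#N ... (arg=0x..., arg@entry=0x...) at file:line" frame and
 * record every argument whose value is the poison pattern.  Returns the
 * number of hits written into hits[].
 */
static int scan_frame(const char *line, struct hit *hits, int max)
{
    int frame, n = 0;
    const char *p;

    if (sscanf(line, "#%d", &frame) != 1)
        return 0;
    if ((p = strchr(line, '(')) == NULL)
        return 0;
    while ((p = strstr(p, "=0x")) != NULL) {
        /* walk back over the argument name (letters, digits, '_' and '@') */
        const char *s = p;
        while (s > line && (isalnum((unsigned char)s[-1]) ||
            s[-1] == '_' || s[-1] == '@'))
            s--;
        if (is_poison(strtoull(p + 1, NULL, 16)) && n < max) {
            size_t len = (size_t)(p - s);
            if (len > sizeof hits[n].name - 1)
                len = sizeof hits[n].name - 1;
            memcpy(hits[n].name, s, len);
            hits[n].name[len] = '\0';
            hits[n].frame = frame;
            n++;
        }
        p += 3;
    }
    return n;
}

/* Scan a whole trace; *innermost receives the first (deepest) poisoned frame. */
static int scan_backtrace(const char **bt, struct hit *hits, int max,
    int *innermost)
{
    int total = 0;

    *innermost = -1;
    for (int i = 0; bt[i] != NULL; i++) {
        int n = scan_frame(bt[i], hits + total, max - total);
        if (n > 0 && *innermost < 0)
            *innermost = hits[total].frame;
        total += n;
    }
    return total;
}

static struct hit sample_hits[16];
static int sample_inner;

static int scan_sample(void)
{
    return scan_backtrace(sample_bt, sample_hits, 16, &sample_inner);
}

int main(void)
{
    int n = scan_sample();

    for (int i = 0; i < n; i++)
        printf("frame #%d: %s = 0x%llx (UMA trash pattern)\n",
            sample_hits[i].frame, sample_hits[i].name,
            (unsigned long long)UMA_JUNK64);
    printf("%d poisoned argument(s); innermost poisoned frame #%d\n",
        n, sample_inner);
    return n > 0 ? 1 : 0;
}
```

Run against the full trace, the innermost hit is the one to chase: ic in frame #9 is what ccmp_encap dereferenced, so the question becomes which object (the ieee80211com reached through the key or node) was freed while a transmit from the bridge path was still in flight.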