[Bug 286063] net80211: ieee80211_sta_join() -> ieee80211_alloc_node() -> ieee80211_chan2mode() panic
Date: Wed, 16 Apr 2025 07:59:26 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=286063
--- Comment #1 from Bjoern A. Zeeb <bz@FreeBSD.org> ---
I have another possible hint: for me ieee80211_ies_expand had already failed (malformed IEs, see the message below); and
the 2nd STA node goes kaboom in ddb as soon as its channel is printed (see the very end)
iwlwifi0: linuxkpi_ieee80211_connection_loss: vif 0xfffffe009ecebec0 vap
0xfffffe009eceb010 state AUTH
ieee80211_ies_expand: malformed IEs! ies 0xfffffe009ed46068 { data
0xfffff800017f1e00 len 119 }: ie 222 len 2+192 > total len left 119
Fatal trap 9: general protection fault while in kernel mode
cpuid = 2; apic id = 02
instruction pointer = 0x20:0xffffffff80cc4b00
stack pointer = 0x28:0xfffffe007bf889a8
frame pointer = 0x28:0xfffffe007bf88a30
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 357 (wpa_supplicant)
rdi: c0dedeadc0dedead rsi: fffffe009ed462a5 rdx: 0000000000000001
rcx: 0000000000000011 r8: dedeadc0dedeadc0 r9: c0dedeadc0dedead
rax: fffffe009ed46384 rbx: fffffe009eceb010 rbp: fffffe007bf88a30
r10: c0dedeadc0dedead r11: 000000000000002f r12: fffffe009ed46068
r13: fffffe009ed462a5 r14: fffffe009e09f000 r15: 0000000000000001
trap number = 9
panic: general protection fault
cpuid = 2
time = 1744789360
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe007bf88720
vpanic() at vpanic+0x136/frame 0xfffffe007bf88850
panic() at panic+0x43/frame 0xfffffe007bf888b0
trap_fatal() at trap_fatal+0x68/frame 0xfffffe007bf888d0
calltrap() at calltrap+0x8/frame 0xfffffe007bf888d0
--- trap 0x9, rip = 0xffffffff80cc4b00, rsp = 0xfffffe007bf889a8, rbp =
0xfffffe007bf88a30 ---
ieee80211_chan2mode() at ieee80211_chan2mode/frame 0xfffffe007bf88a30
ieee80211_sta_join() at ieee80211_sta_join+0x256/frame 0xfffffe007bf88a80
ieee80211_ioctl_setmlme() at ieee80211_ioctl_setmlme+0xfc/frame
0xfffffe007bf88b10
ieee80211_ioctl_set80211() at ieee80211_ioctl_set80211+0x9ad/frame
0xfffffe007bf88b80
ieee80211_ioctl() at ieee80211_ioctl+0x2de/frame 0xfffffe007bf88be0
ifioctl() at ifioctl+0x973/frame 0xfffffe007bf88ce0
kern_ioctl() at kern_ioctl+0x286/frame 0xfffffe007bf88d40
sys_ioctl() at sys_ioctl+0x12f/frame 0xfffffe007bf88e00
amd64_syscall() at amd64_syscall+0x15a/frame 0xfffffe007bf88f30
fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe007bf88f30
--- syscall (54, FreeBSD ELF64, ioctl), rip = 0x2fa19ee23bfa, rsp =
0x2fa198cd2af8, rbp = 0x2fa198cd2b60 ---
KDB: enter: panic
[ thread pid 357 tid 100096 ]
Stopped at kdb_enter+0x33: movq $0,0x105c922(%rip)
db> show all vaps
iwlwifi0: com 0xfffffe009e09f000 vaps: wlan0(0xfffffe009eceb010)
db> show com /a 0xfffffe009e09f000
COM: 0xfffffe009e09f000: wlan0(0xfffffe009eceb010)
softc 0xfffffe009ebbe200 name iwlwifi0 comlock
0xfffffe009e09f010 txlock 0xfffffe009e09f040 fflock 0xfffffe009e09f070
headroom 0 phytype 2 opmode STA
inact 0xfffffe009e09f0d0
flags=42400<SHSLOT,WME,SHPREAMBLE>
flags_ext=2480002<INACT,SCAN_OFFLOAD,VHT,AMPDU_OFFLOAD>
flags_ht=1080000<HT,USEHT40>
flags_ven=0
caps=581c001<STA,SHSLOT,SHPREAMBLE,MONITOR,WPA1,WPA2,WME>
cryptocaps=1a<TKIP,AES_CCM,TKIPMIC>
htcaps=519ef<LDPC,CHWIDTH40,SHORTGI20,SHORTGI40,TXSTBC,AMSDU(7935),DSSSCCK40>
vhtcaps=39071f6<MPDU11454,CHAN160,RXLDPC,SHORTGI80,SHORTGI160,RXSTBC1,RXSTBC2,BFEECAP>
curmode 1 promisc 0 allmulti 0 nrunning 1
bintval 100 lintval 100 holdover 0 txpowlimit 100
nchans 207
curchan [5180 (36) flags=140<OFDM,5GHZ> maxreg 17 maxpow 34 minpow 0
state 0x0 extieee 0]
bsschan [5180 (36) flags=140<OFDM,5GHZ> maxreg 17 maxpow 34 minpow 0
state 0x0 extieee 0]
prevchan <NULL>
regdomain 0xfffffe009e0a4518
csa_newchan <NULL> csa_count 0dfs 0xfffffe009e0a4548
scan 0xfffffe009ece7000 lastdata 2147424719 lastscan 2147425169
max_keyix 0 hash_key 0x595bc728 wme 0xfffffe009e0a57c8
stageq@0xfffffe009e0a5780:
lock 0xfffffe009e0a5780 len 0 maxlen 0 drops 0 head 0 tail 0
station@0xfffffe009e0a5610:
nodelock 0xfffffe009e0a5618 inact_init 2 keyixmax 0 keyixmap 0
protmode 0 curhtprotmode 0x0 htprotmode 2
superg 0
montaps 0 th 0xfffffe009ebbe220 txchan 0xfffffe009ebbe22a rh
0xfffffe009ebbe230 rxchan 0xfffffe009ebbe242
ic_vap_create : lkpi_ic_vap_create
ic_vap_delete : lkpi_ic_vap_delete
ic_newassoc : 0
ic_getradiocaps : lkpi_ic_getradiocaps
ic_setregdomain : null_setregdomain
ic_send_mgmt : ieee80211_send_mgmt
ic_raw_xmit : lkpi_ic_raw_xmit
ic_updateslot : 0
ic_update_mcast : lkpi_ic_update_mcast
ic_update_promisc : lkpi_ic_update_promisc
ic_node_alloc : lkpi_ic_node_alloc
ic_node_free : lkpi_ic_node_free
ic_node_cleanup : lkpi_ic_node_cleanup
ic_node_getrssi : node_getrssi
ic_node_getsignal : node_getsignal
ic_node_getmimoinfo : node_getmimoinfo
ic_scan_start : lkpi_ic_scan_start
ic_scan_end : lkpi_ic_scan_end
ic_set_channel : lkpi_ic_set_channel
ic_scan_curchan : lkpi_ic_scan_curchan
ic_scan_mindwell : lkpi_ic_scan_mindwell
ic_recv_action : lkpi_ic_recv_action
ic_send_action : lkpi_ic_send_action
ic_addba_request : lkpi_ic_addba_request
ic_addba_response : lkpi_ic_addba_response
ic_addba_stop : lkpi_ic_addba_stop
SCAN 0xfffffe009ece7000: vap 0xfffffe009eceb010 ic 0xfffffe009e09f000
ss_ops 0xffffffff813730f0 (default) ss_priv 0xfffff80017356800
scan_attach : sta_attach
scan_detach : sta_detach
scan_start : sta_start
scan_restart : sta_restart
scan_cancel : sta_cancel
scan_end : sta_pick_bss
scan_flush : sta_flush
scan_pickchan : 0
scan_add : sta_add
scan_age : sta_age
scan_assoc_fail : sta_assoc_fail
scan_assoc_success : sta_assoc_success
scan_iterate : sta_iterate
scan_spare0 : 0
scan_spare1 : 0
scan_spare2 : 0
scan_spare3 : 0
ss_flags 42<ACTIVE,NOJOIN>
ss_nssid 1 ss_nssid[0]""
ss_chans:
ss_next 1 ss_last 0 ss_mindwell 2 ss_maxdwell 20
VAP 0xfffffe009eceb010: bss 0xfffffe009ecfa000 myaddr 74:13:ea:6e:de:c1
opmode STA state 0 INIT ifp 0xfffff80001956800(wlan0)
ic 0xfffffe009e09f000 media 0xfffffe009eceb010 bpf_if
0xfffff8000194d200 mgtsend 0xfffffe009eceb4a0
iv_nstate 0 INIT iv_nstate_b 5 iv_nstate_n 0
[0] iv_nstates 0x2 AUTH _task 0xfffffe009eceb380 _args 192
[1] iv_nstates 0x3 ASSOC _task 0xfffffe009eceb3a0 _args 0
[2] iv_nstates 0x5 RUN _task 0xfffffe009eceb3c0 _args 16
[3] iv_nstates 0x2 AUTH _task 0xfffffe009eceb3e0 _args 4288
[4] iv_nstates 0 INIT _task 0xfffffe009eceb400 _args 0
[5] iv_nstates 0x5 RUN _task 0xfffffe009eceb420 _args 16
[6] iv_nstates 0x2 AUTH _task 0xfffffe009eceb440 _args 4288
[7] iv_nstates 0 INIT _task 0xfffffe009eceb460 _args 0
debug=10000000<CRYPTO>
flags=42842410<PRIVACY,SHSLOT,WME,SHPREAMBLE,WPA1,DROPUNENC,DOTH>
flags_ext=2480002<INACT,SCAN_OFFLOAD,VHT,AMPDU_OFFLOAD>
flags_ht=ddba0000<LDPC_RX,HT,AMPDU_TX,AMPDU_RX,AMSDU_RX,USEHT40,SHORTGI20,SHORTGI40,HTCOMPAT,STBC_TX,STBC_RX>
flags_ven=0
caps=580c001<STA,SHSLOT,SHPREAMBLE,WPA1,WPA2,WME>
htcaps=519ef<LDPC,CHWIDTH40,SHORTGI20,SHORTGI40,TXSTBC,AMPDU,HT>
vhtcap=39071f6<MPDU11454,CHAN160,RXLDPC,SHORTGI80,SHORTGI160,RXSTBC1,RXSTBC2,BFEECAP>
inact_init 2 inact_auth 12 inact_run 20 inact_probe 2
des_nssid 0 des_bssid 00:00:00:00:00:00
des_mode 0 des_chan <ANY>
bgscanidle 2500 bgscanintvl 30000 scanvalid 6000
scanreq_duration 0 scanreq_mindwell 0 scanreq_maxdwell 0
scanreq_flags 0x0 scanreq_nssid 0 roaming 2
roamparms[11a] rssi 7 rate 12
roamparms[11b] rssi 7 rate 1
roamparms[11g] rssi 7 rate 5
roamparms[11na] rssi 7 rate MCS1
roamparms[11ng] rssi 7 rate MCS1
roamparms[11ac] rssi 7 rate MCS1
bmissthreshold 7 bmiss_max 0 bmiss_max 2
swbmiss_count 4 swbmiss_period 0 swbmiss 0xfffffe009eceb600
ampdu_rxmax 0 ampdu_density 0 ampdu_limit 0 amsdu_limit 2048
max_aid 128 aid_bitmap 0
sta_assoc 0 ps_sta 0 ps_pending 0 tim_len 0 tim_bitmap 0
dtim_period 192 dtim_count 0 set_tim 0 csa_count 0
rtsthreshold 2346 fragthreshold 2346 inact_timer 0
txparms[11a] ucastrate <none> mcastrate 6 mgmtrate 6 maxretry 6
txparms[11b] ucastrate <none> mcastrate 1 mgmtrate 1 maxretry 6
txparms[11g] ucastrate <none> mcastrate 1 mgmtrate 1 maxretry 6
txparms[11na] ucastrate <none> mcastrate 6 mgmtrate 6 maxretry 6
txparms[11ng] ucastrate <none> mcastrate 1 mgmtrate 1 maxretry 6
txparms[11ac] ucastrate <none> mcastrate 6 mgmtrate 6 maxretry 6
appie_wpa [XXX]
wpa_ie 0xfffffxxxx
max_keyix 4 def_txkey 65535
nw_keys[0] NULL 65535:0-bit
nw_keys[1] NULL 65535:0-bit
nw_keys[2] NULL 65535:0-bit
nw_keys[3] NULL 65535:0-bit
auth 0xffffffff81372800(wlan_internal) ec 0 acl 0 as 0
sta_assoc 0 ht_sta_assoc 0 ht40_sta_assoc 0
nonerpsta 0 longslotsta 0 lastnonerp 0 lastnonht 0
iv_rate 0xffffffff8136f9b0 iv_rs 0xfffff8001802b070
ir_name amrr
ir_attach : 0
ir_detach : 0
ir_init : amrr_init
ir_deinit : amrr_deinit
ir_node_init : amrr_node_init
ir_node_deinit : amrr_node_deinit
ir_rate : amrr_rate
ir_tx_complete : amrr_tx_complete
ir_tx_update : amrr_tx_update
ir_setinterval : amrr_setinterval
ir_node_stats : amrr_node_stats
iv_key_alloc : null_key_alloc
iv_key_delete : lkpi_iv_key_delete
iv_key_set : lkpi_iv_key_set
iv_key_update_begin : lkpi_iv_key_update_begin
iv_key_update_end : lkpi_iv_key_update_end
iv_opdetach : sta_vdetach
iv_input : sta_input
iv_recv_mgmt : sta_recv_mgmt
iv_deliver_data : ieee80211_deliver_data
iv_bmiss : sta_beacon_miss
iv_reset : default_reset
iv_update_beacon : null_update_beacon
iv_newstate : lkpi_iv_newstate
iv_output : ether_output
STA: 0xfffffe009ecfa000: mac 74:13:ea:6e:de:c1 refcnt 2
vap 0xfffffe009eceb010 wdsvap 0 ic 0xfffffe009e09f000 table
0xfffffe009e0a5610
flags=0
authmode 1 ath_flags 0x0 ath_defkeyix 32767
associd 0x0 txpower 100 vlan 0
jointime 0 (16 secs) challenge 0
ies: data 0 len 0
[wpa_ie 0 rsn_ie 0 wme_ie 0 ath_ie 0
htcap_ie 0 htinfo_ie 0]
vhtcap_ie 0 vhtopmode_ie 0 vhtpwrenv_ie 0]
txseq 0 rxseq 0 fragno 0 rxfragstamp 0
rxfrag[0] 0 rxfrag[1] 0 rxfrag[2] 0
ucastkey NULL 65535:0-bit
avgrssi 0x7f (rssi 1) noise 0
intval 100 capinfo 0
bssid 00:00:00:00:00:00 essid ""
channel <ANY>
erp 0 dtim_period 0 dtim_count 0
htcap 0 htparam 0x0 htctlchan 0 ht2ndchan 0
htopmode 0x0 htstbc 0x0 chw 0 (BW_20)
inact 2 inact_reload 2 txrate type 0 rate 0
meshid "" mlstate 0 mllid 0x0 mlpid 0x0 mlrcnt 0 mltval 0
vhtcap 0 vht_basicmcs 000000 vht_tx_map 000000
vht_mcsinfo: { rx_mcs_map 000000 rx_highest 000000 tx_mcs_map 000000
tx_highest 000000 }
vht_chan1/chan2 0/0 vht_chanwidth 0000
vht_pad1 0000 vht_spare { 0 0 0 0 0 0 0 0 }
ni_tx_superg[] = { 0 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, }
ni_rctls = 0 ni_drv_data = 0xfffff80001d78800
ni_spare[3] = { 0 0 0 }
STA: 0xfffffe009ed46000: mac 9e:9d:7e:76:6f:fa refcnt 1
vap 0xfffffe009eceb010 wdsvap 0 ic 0xfffffe009e09f000 table
0xfffffe009e0a5610
flags=20000<ASSOCID>
authmode 1 ath_flags 0x0 ath_defkeyix 32767
associd 0x0 txpower 100 vlan 0
jointime 0 (16 secs) challenge 0
ies: data 0xfffff800017f1e00 len 119
[wpa_ie 0 rsn_ie 0 wme_ie 0 ath_ie 0
htcap_ie 0 htinfo_ie 0]
vhtcap_ie 0 vhtopmode_ie 0 vhtpwrenv_ie 0]
txseq 0 rxseq 0 fragno 0 rxfragstamp 0
rxfrag[0] 0 rxfrag[1] 0 rxfrag[2] 0
ucastkey NULL 65535:0-bit
avgrssi 0x80 (rssi 1) noise -96
intval 100 capinfo 11<ESS,PRIVACY>
bssid 9e:9d:7e:76:6f:fa essid "SSID"
channelKDB: reentering
^^^^ STA kaputt