[Bug 294449] if_iwlwifi kernel panic: Page fault (0x10) in lkpi_iv_newstate during hardware error recovery on Intel 7260

From: <bugzilla-noreply_at_freebsd.org>
Date: Sun, 12 Apr 2026 18:31:31 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=294449

            Bug ID: 294449
           Summary: if_iwlwifi kernel panic: Page fault (0x10) in
                    lkpi_iv_newstate during hardware error recovery on
                    Intel 7260
           Product: Base System
           Version: 15.0-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: wireless
          Assignee: wireless@FreeBSD.org
          Reporter: ruanchunping@gmail.com

Summary:
On FreeBSD 15-RELEASE, using the if_iwlwifi driver with an Intel 7260 card, a
kernel panic occurs during cold boot (specifically after an abrupt power loss
recovery). The hardware triggers a microcode SW error, and during the
subsequent software reset/state transition, the system panics due to a null
pointer dereference in lkpi_iv_newstate.

Description:

1. Environment:

OS: FreeBSD vm 15.0-RELEASE FreeBSD 15.0-RELEASE
releng/15.0-n280995-7aedc8de6446 GENERIC amd64

Hardware: Intel Wireless 7260

Driver: if_iwlwifi (loaded via kld_list)

Network Config: WPA + DHCP

2. Trigger Scenario:
The panic is reliably triggered during a "cold boot" recovery after an abrupt
power disconnection.

First boot after power-on: Microcode error detected -> SW Reset -> Kernel
Panic.

Second boot (automatic reboot after panic): System boots normally and
associates with the AP without issue.

3. Panic Analysis:
The panic is a Fatal trap 12: page fault in kernel mode.

Fault Address: 0x10 (indicating a member access offset from a NULL pointer).

Instruction Pointer: lkpi_iv_newstate+0x43e.

Root Cause: In lkpi_iv_newstate, the code attempts to access lvif_bss which is
reported as 0 (NULL) in the dmesg log just before the crash.

Supporting Data (from kgdb):

Panic String:
$1 = 0xffffffff81bc4620 <vpanic[buf]> "page fault"

Backtrace:

#8  lkpi_sta_auth_to_scan (...) at
/usr/src/sys/compat/linuxkpi/common/src/linux_80211.c:2514
#9  0xffffffff80deb14e in lkpi_iv_newstate (vap=0xfffffe00aa600010,
nstate=IEEE80211_S_SCAN, arg=1) at
/usr/src/sys/compat/linuxkpi/common/src/linux_80211.c:3678
#10 0xffffffff80d12bb8 in ieee80211_newstate_cb (xvap=0xfffffe00aa600010,
npending=<optimized out>) at /usr/src/sys/net80211/ieee80211_proto.c:2609
#11 0xffffffff80bd4de2 in taskqueue_run_locked (queue=0xfffff8000383c500) at
/usr/src/sys/kern/subr_taskqueue.c:517

Relevant dmesg log at time of crash:

iwlwifi0: Microcode SW error detected. Restarting 0x2000000.
iwlwifi0: FW error in SYNC CMD ADD_STA
...
iwlwifi0: lkpi_iv_newstate: error -1 during state transition 3 (ASSOC) -> 2
(AUTH)
iwlwifi0: Device error - SW reset
iwlwifi0: lkpi_sta_auth_to_scan:2503: lvif 0xfffffe00aa600000 vap
0xfffffe00aa600010 iv_bss 0xfffffe00aaaa8000 lvif_bss 0 lvif_bss->ni 0 synched
0

Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x10
instruction pointer     = 0x20:0xffffffff80ddbd3d

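The fault pattern reported above (fault address 0x10 while lvif_bss is logged as 0) can be modelled in user space. This is an added example, not code from the bug report or from the FreeBSD source tree: the struct layouts, function names and the -ENXIO return value are hypothetical, chosen only so that the dereferenced member sits at offset 0x10 as in the report.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for illustration; NOT the real LinuxKPI layouts. */
struct node { int refcnt; };
struct sta {
    uint64_t link[2];        /* 16 bytes of list linkage ahead of the pointer */
    struct node *ni;         /* therefore at offset 0x10 */
};
struct vif {
    struct sta *lvif_bss;    /* logged as 0 just before the panic */
};

/* First-page fault address == NULL base + member offset; -1 if not that pattern. */
static long null_deref_offset(uint64_t fault_va)
{
    return fault_va < 4096 ? (long)fault_va : -1;
}

/* Address an unguarded lvif->lvif_bss->ni load would touch (computed, not read). */
static uint64_t unguarded_load_addr(const struct vif *lvif)
{
    return (uint64_t)(uintptr_t)lvif->lvif_bss + offsetof(struct sta, ni);
}

/* Guarded lookup: fail the transition instead of faulting (-ENXIO is arbitrary). */
static int bss_node_guarded(const struct vif *lvif, struct node **out)
{
    if (lvif == NULL || lvif->lvif_bss == NULL)
        return -ENXIO;
    *out = lvif->lvif_bss->ni;
    return 0;
}

/* Replays the logged condition (lvif_bss == 0) against the guarded lookup. */
static int replay_logged_state(void)
{
    struct vif lvif = { .lvif_bss = NULL };
    struct node *ni = NULL;
    return bss_node_guarded(&lvif, &ni);
}

int main(void)
{
    printf("guarded lookup on logged state returns %d\n", replay_logged_state());
    return 0;
}
```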