NetBSD-Bugs archive


port-amd64/55655: Specific AP deauth causes panic



>Number:         55655
>Category:       port-amd64
>Synopsis:       Specific AP deauth causes panic
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    port-amd64-maintainer
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Sep 12 03:45:00 +0000 2020
>Originator:     Ben Gergely
>Release:        
>Organization:
>Environment:
NetBSD 9.99.72 amd64
>Description:
When APs are rebooted they seem to send a special deauth that triggers a panic. I only encountered this occasionally, as it was scheduled for 4am and I'm not always around to see it.

But I can trigger it by just telling the AP to reboot (it deauths all the clients before it does that).

Initially I thought it was wpi specific, but I have the same behavior with ath.

Other types of de-authentications don't trigger a panic.

Could it be sending along an unexpected deauth code in the deauth packet when it's rebooting?


bt from ath and wpi:

[  2548.592760] panic: kernel diagnostic assertion "!cpu_softintr_p()" failed: file "/usr/src/sys/kern/subr_kmem.c", line 337
[  2548.592760] cpu0: Begin traceback...
[  2548.592760] vpanic() at netbsd:vpanic+0x152
[  2548.592760] __x86_indirect_thunk_rax() at netbsd:__x86_indirect_thunk_rax
[  2548.592760] kmem_free() at netbsd:kmem_free+0x82
[  2548.592760] _ieee80211_crypto_delkey() at netbsd:_ieee80211_crypto_delkey+0x64
[  2548.592760] ieee80211_crypto_delkey() at netbsd:ieee80211_crypto_delkey+0x24
[  2548.592760] ieee80211_node_delucastkey() at netbsd:ieee80211_node_delucastkey+0xc3
[  2548.592760] ieee80211_sta_leave() at netbsd:ieee80211_sta_leave+0x1c
[  2548.592760] ieee80211_newstate() at netbsd:ieee80211_newstate+0x18d
[  2548.592760] ath_newstate() at netbsd:ath_newstate+0x2ed
[  2548.592760] ath_bmiss_proc_si() at netbsd:ath_bmiss_proc_si+0x13a
[  2548.592760] softint_dispatch() at netbsd:softint_dispatch+0x2d1
[  2548.592760] DDB lost frame for netbsd:Xsoftintr+0x4f, trying 0xffffa700ae4840f0
[  2548.592760] Xsoftintr() at netbsd:Xsoftintr+0x4f
[  2548.592760] --- interrupt ---
[  2548.592760] cccc8ccc4dccddcc:
[  2548.592760] cpu0: End traceback...

[  1000.479797] panic: kernel diagnostic assertion "!cpu_softintr_p()" failed: file "/usr/src/sys/kern/subr_kmem.c", line 337
[  1000.479797] cpu0: Begin traceback...
[  1000.479797] vpanic() at netbsd:vpanic+0x152
[  1000.479797] __x86_indirect_thunk_rax() at netbsd:__x86_indirect_thunk_rax
[  1000.479797] kmem_free() at netbsd:kmem_free+0x82
[  1000.479797] _ieee80211_crypto_delkey() at netbsd:_ieee80211_crypto_delkey+0x64
[  1000.479797] ieee80211_crypto_delkey() at netbsd:ieee80211_crypto_delkey+0x24
[  1000.479797] ieee80211_node_delucastkey() at netbsd:ieee80211_node_delucastkey+0xc3
[  1000.479797] ieee80211_sta_leave() at netbsd:ieee80211_sta_leave+0x1c
[  1000.479797] ieee80211_newstate() at netbsd:ieee80211_newstate+0x354
[  1000.479797] iwn_newstate() at netbsd:iwn_newstate+0x346
[  1000.479797] ieee80211_recv_mgmt() at netbsd:ieee80211_recv_mgmt+0xb4c
[  1000.479797] ieee80211_input() at netbsd:ieee80211_input+0x408
[  1000.479797] iwn_notif_intr() at netbsd:iwn_notif_intr+0x515
[  1000.479797] iwn_softintr() at netbsd:iwn_softintr+0x311
[  1000.479797] softint_dispatch() at netbsd:softint_dispatch+0x2d1
[  1000.479797] DDB lost frame for netbsd:Xsoftintr+0x4f, trying 0xffffac00ae4840f0
[  1000.479797] Xsoftintr() at netbsd:Xsoftintr+0x4f
[  1000.479797] --- interrupt ---
[  1000.479797] cccc8ccc4dccddcc:
[  1000.479797] cpu0: End traceback...

>How-To-Repeat:

>Fix:



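A triage aid for the two tracebacks in this report, added here as an example and not part of the original PR: it parses the frames from kmem_free() down to softint_dispatch() in each panic, then reports which innermost frames the two traces share and whether kmem_free() was reached from soft interrupt context. The names `frames`, `shared_prefix`, `in_softint` and `summarize` are this example's own.

```python
import re
from itertools import takewhile

# One DDB frame line: "[ time] func() at netbsd:func+0xoff"
FRAME = re.compile(r"^\[\s*[\d.]+\]\s+(\w+)\(\) at netbsd:\w+(?:\+0x[0-9a-f]+)?$")

def frames(log):
    """Function names of a DDB traceback, innermost first."""
    return [m.group(1) for line in log.splitlines() if (m := FRAME.match(line.strip()))]

def shared_prefix(a, b):
    """Innermost frames that two tracebacks have in common."""
    return [x for x, _ in takewhile(lambda p: p[0] == p[1], zip(a, b))]

def in_softint(trace, callee="kmem_free"):
    """True if callee sits above softint_dispatch() on the stack."""
    return callee in trace and "softint_dispatch" in trace[trace.index(callee):]

# Frames copied from the two panics in the report (kmem_free to softint_dispatch).
ATH = """\
[  2548.592760] kmem_free() at netbsd:kmem_free+0x82
[  2548.592760] _ieee80211_crypto_delkey() at netbsd:_ieee80211_crypto_delkey+0x64
[  2548.592760] ieee80211_crypto_delkey() at netbsd:ieee80211_crypto_delkey+0x24
[  2548.592760] ieee80211_node_delucastkey() at netbsd:ieee80211_node_delucastkey+0xc3
[  2548.592760] ieee80211_sta_leave() at netbsd:ieee80211_sta_leave+0x1c
[  2548.592760] ieee80211_newstate() at netbsd:ieee80211_newstate+0x18d
[  2548.592760] ath_newstate() at netbsd:ath_newstate+0x2ed
[  2548.592760] ath_bmiss_proc_si() at netbsd:ath_bmiss_proc_si+0x13a
[  2548.592760] softint_dispatch() at netbsd:softint_dispatch+0x2d1
"""
IWN = """\
[  1000.479797] kmem_free() at netbsd:kmem_free+0x82
[  1000.479797] _ieee80211_crypto_delkey() at netbsd:_ieee80211_crypto_delkey+0x64
[  1000.479797] ieee80211_crypto_delkey() at netbsd:ieee80211_crypto_delkey+0x24
[  1000.479797] ieee80211_node_delucastkey() at netbsd:ieee80211_node_delucastkey+0xc3
[  1000.479797] ieee80211_sta_leave() at netbsd:ieee80211_sta_leave+0x1c
[  1000.479797] ieee80211_newstate() at netbsd:ieee80211_newstate+0x354
[  1000.479797] iwn_newstate() at netbsd:iwn_newstate+0x346
[  1000.479797] ieee80211_recv_mgmt() at netbsd:ieee80211_recv_mgmt+0xb4c
[  1000.479797] ieee80211_input() at netbsd:ieee80211_input+0x408
[  1000.479797] iwn_notif_intr() at netbsd:iwn_notif_intr+0x515
[  1000.479797] iwn_softintr() at netbsd:iwn_softintr+0x311
[  1000.479797] softint_dispatch() at netbsd:softint_dispatch+0x2d1
"""
def summarize():
    ath, iwn = frames(ATH), frames(IWN)
    return shared_prefix(ath, iwn), in_softint(ath), in_softint(iwn)

if __name__ == "__main__":
    print(summarize())
```

The shared frames stop at ieee80211_newstate(), the last caller common to both drivers before the traces diverge into ath_newstate() and iwn_newstate().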