NetBSD-Bugs archive
Re: port-amd64/55655: Specific AP deauth causes panic
The following reply was made to PR port-amd64/55655; it has been noted by GNATS.
From: Lars Reichardt <lars%paradoxon.info@localhost>
To: gnats-bugs%netbsd.org@localhost, port-amd64-maintainer%netbsd.org@localhost,
gnats-admin%netbsd.org@localhost, netbsd-bugs%netbsd.org@localhost
Cc:
Subject: Re: port-amd64/55655: Specific AP deauth causes panic
Date: Sat, 12 Sep 2020 09:12:39 +0200
On 9/12/20 5:45 AM, pr%xn--rvztrtkrfrgp-bbb7j2b8f0b9d7a21oft.com@localhost wrote:
>> Number: 55655
>> Category: port-amd64
>> Synopsis: Specific AP deauth causes panic
>> Confidential: no
>> Severity: serious
>> Priority: medium
>> Responsible: port-amd64-maintainer
>> State: open
>> Class: sw-bug
>> Submitter-Id: net
>> Arrival-Date: Sat Sep 12 03:45:00 +0000 2020
>> Originator: Ben Gergely
>> Release:
>> Organization:
>> Environment:
> NetBSD 9.99.72 amd64
>> Description:
> When APs are rebooted they seem to send a special deauth that triggers a panic, only encountered this occasionally as it was scheduled for 4am and I'm not always around to see it.
>
> But can trigger it by just telling the AP to reboot (it deauths all the clients before it does that).
>
> Initially thought it was wpi specific but have the same behavior with ath.
>
> Other types of de-authentications don't trigger a panic.
>
> Could it be sending along an unexpected deauth code in the deauth packet when it's rebooting?
>
>
> bt from ath and wpi:
>
> [ 2548.592760] panic: kernel diagnostic assertion "!cpu_softintr_p()" failed: file "/usr/src/sys/kern/subr_kmem.c", line 337
> [ 2548.592760] cpu0: Begin traceback...
> [ 2548.592760] vpanic() at netbsd:vpanic+0x152
> [ 2548.592760] __x86_indirect_thunk_rax() at netbsd:__x86_indirect_thunk_rax
> [ 2548.592760] kmem_free() at netbsd:kmem_free+0x82
> [ 2548.592760] _ieee80211_crypto_delkey() at netbsd:_ieee80211_crypto_delkey+0x64
> [ 2548.592760] ieee80211_crypto_delkey() at netbsd:ieee80211_crypto_delkey+0x24
> [ 2548.592760] ieee80211_node_delucastkey() at netbsd:ieee80211_node_delucastkey+0xc3
> [ 2548.592760] ieee80211_sta_leave() at netbsd:ieee80211_sta_leave+0x1c
> [ 2548.592760] ieee80211_newstate() at netbsd:ieee80211_newstate+0x18d
> [ 2548.592760] ath_newstate() at netbsd:ath_newstate+0x2ed
> [ 2548.592760] ath_bmiss_proc_si() at netbsd:ath_bmiss_proc_si+0x13a
> [ 2548.592760] softint_dispatch() at netbsd:softint_dispatch+0x2d1
> [ 2548.592760] DDB lost frame for netbsd:Xsoftintr+0x4f, trying 0xffffa700ae4840f0
> [ 2548.592760] Xsoftintr() at netbsd:Xsoftintr+0x4f
> [ 2548.592760] --- interrupt ---
> [ 2548.592760] cccc8ccc4dccddcc:
> [ 2548.592760] cpu0: End traceback...
>
> [ 1000.479797] panic: kernel diagnostic assertion "!cpu_softintr_p()" failed: file "/usr/src/sys/kern/subr_kmem.c", line 337
> [ 1000.479797] cpu0: Begin traceback...
> [ 1000.479797] vpanic() at netbsd:vpanic+0x152
> [ 1000.479797] __x86_indirect_thunk_rax() at netbsd:__x86_indirect_thunk_rax
> [ 1000.479797] kmem_free() at netbsd:kmem_free+0x82
> [ 1000.479797] _ieee80211_crypto_delkey() at netbsd:_ieee80211_crypto_delkey+0x64
> [ 1000.479797] ieee80211_crypto_delkey() at netbsd:ieee80211_crypto_delkey+0x24
> [ 1000.479797] ieee80211_node_delucastkey() at netbsd:ieee80211_node_delucastkey+0xc3
> [ 1000.479797] ieee80211_sta_leave() at netbsd:ieee80211_sta_leave+0x1c
> [ 1000.479797] ieee80211_newstate() at netbsd:ieee80211_newstate+0x354
> [ 1000.479797] iwn_newstate() at netbsd:iwn_newstate+0x346
> [ 1000.479797] ieee80211_recv_mgmt() at netbsd:ieee80211_recv_mgmt+0xb4c
> [ 1000.479797] ieee80211_input() at netbsd:ieee80211_input+0x408
> [ 1000.479797] iwn_notif_intr() at netbsd:iwn_notif_intr+0x515
> [ 1000.479797] iwn_softintr() at netbsd:iwn_softintr+0x311
> [ 1000.479797] softint_dispatch() at netbsd:softint_dispatch+0x2d1
> [ 1000.479797] DDB lost frame for netbsd:Xsoftintr+0x4f, trying 0xffffac00ae4840f0
> [ 1000.479797] Xsoftintr() at netbsd:Xsoftintr+0x4f
> [ 1000.479797] --- interrupt ---
> [ 1000.479797] cccc8ccc4dccddcc:
> [ 1000.479797] cpu0: End traceback...
>
>> How-To-Repeat:
>> Fix:
The kmem_free is called from softint context, which isn't allowed. Those key allocations should be done via kmem_intr_alloc/kmem_intr_free.
I've seen that as well and forgot about it after patching it locally. I'll commit that change.
-- 
-----
You will continue to suffer
if you have an emotional reaction to everything that is said to you.
True power is sitting back and observing everything with logic.
If words control you that means everyone else can control you.
Breathe and allow things to pass.
--- Bruce Lee
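
An added example, not part of the original message or of NetBSD's code: a small triage script for ddb tracebacks like the two quoted in the PR. It flags a thread-context-only kmem call reached beneath softint_dispatch and names the soft-interrupt handler the call chain started from. The THREAD_ONLY set and the function names split_traces and softint_violations are assumptions of this example; the sample input is abridged from the traces quoted above.

```python
import re

# kmem_free is the call the panic on this page names; kmem_alloc and kmem_zalloc
# are assumed here to carry the same !cpu_softintr_p() assertion.
THREAD_ONLY = {"kmem_free", "kmem_alloc", "kmem_zalloc"}
FRAME = re.compile(r"\]\s+(\w+)\(\) at netbsd:")

# Sample input: abridged from the two tracebacks quoted in the PR.
SAMPLE = """\
[ 2548.592760] cpu0: Begin traceback...
[ 2548.592760] kmem_free() at netbsd:kmem_free+0x82
[ 2548.592760] _ieee80211_crypto_delkey() at netbsd:_ieee80211_crypto_delkey+0x64
[ 2548.592760] ath_bmiss_proc_si() at netbsd:ath_bmiss_proc_si+0x13a
[ 2548.592760] softint_dispatch() at netbsd:softint_dispatch+0x2d1
[ 2548.592760] cpu0: End traceback...
[ 1000.479797] cpu0: Begin traceback...
[ 1000.479797] kmem_free() at netbsd:kmem_free+0x82
[ 1000.479797] _ieee80211_crypto_delkey() at netbsd:_ieee80211_crypto_delkey+0x64
[ 1000.479797] iwn_softintr() at netbsd:iwn_softintr+0x311
[ 1000.479797] softint_dispatch() at netbsd:softint_dispatch+0x2d1
[ 1000.479797] cpu0: End traceback...
"""

def split_traces(text):
    """Return one list of function names (innermost first) per traceback."""
    traces, cur = [], None
    for line in text.splitlines():
        if "Begin traceback" in line:
            cur = []
        elif "End traceback" in line and cur is not None:
            traces.append(cur)
            cur = None
        elif cur is not None:
            m = FRAME.search(line)
            if m:
                cur.append(m.group(1))
    return traces

def softint_violations(frames):
    """Find thread-only calls made beneath softint_dispatch in one trace."""
    if "softint_dispatch" not in frames:
        return []
    limit = frames.index("softint_dispatch")
    return [{"callee": fn, "caller": frames[i + 1], "handler": frames[limit - 1]}
            for i, fn in enumerate(frames[:limit]) if fn in THREAD_ONLY]

if __name__ == "__main__":
    for trace in split_traces(SAMPLE):
        print(softint_violations(trace))
```

Both sample traces report the same caller, `_ieee80211_crypto_delkey`, under different driver handlers, which matches the submitter's observation that the panic is not specific to one driver.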