Bug 272607 - iwlwifi: 'service netif stop' causes kernel panic when wrong setting in wpa_supplicant.conf (also node_free, fixed?)
Summary: iwlwifi: 'service netif stop' causes kernel panic when wrong setting in wpa_s...
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: wireless (show other bugs)
Version: 13.2-STABLE
Hardware: amd64 Any
: --- Affects Only Me
Assignee: Bjoern A. Zeeb
URL:
Keywords: crash
Depends on:
Blocks: iwlwifi
  Show dependency treegraph
 
Reported: 2023-07-19 22:11 UTC by dbdemon
Modified: 2024-02-29 18:48 UTC (History)
5 users (show)

See Also:
bz: mfc-stable14+
bz: mfc-stable13+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description dbdemon 2023-07-19 22:11:45 UTC
Overview: 

    I was attempting to connect my laptop to the eduroam wifi network. I discovered I could reliably cause a kernel panic every time I executed 'service netif stop' or '/etc/rc.d/netif stop'. At this point I had not yet been able to connect to the network. Later I found that one of my settings in /etc/wpa_supplicant.conf was wrong. I had "network {... eap=TTLS ...}" whereas the correct setting was apparently "network {... "eap=PEAP" ...}". Once this was corrected, I was able to connect to the network, and I could no longer trigger a kernel panic. 

Steps to Reproduce:

    1. Use an /etc/wpa_supplicant.conf file similar to below.
    2. Execute 'service netif stop'

/etc/wpa_supplicant.conf:

ctrl_interface=/var/run/wpa_supplicant
network={
        ssid="eduroam"
        scan_ssid=1
        key_mgmt=WPA-EAP
        eap=TTLS
        identity="your_id@yourdomain.tld"
        anonymous_identity="anonymous_id@yourdomain.tld"
        password="your_password"
        phase2="auth=MSCHAPV2"
        ca_cert="/usr/local/etc/ssl/certs/yourNetworkingRootCA.pem"
}

Actual Results:

    The system crashes with a kernel panic (page fault) with messages as shown below in excerpts from relevant log files.

/var/log/messages:

Jul 19 15:04:32 valhalla syslogd: last message repeated 2 times
Jul 19 15:04:50 valhalla syslogd: last message repeated 1 times
Jul 19 15:04:55 valhalla ntpd[1666]: error resolving pool 0.freebsd.pool.ntp.org: Name does not resolve (8)
Jul 19 15:05:00 valhalla ntpd[1666]: error resolving pool 2.freebsd.pool.ntp.org: Name does not resolve (8)
Jul 19 15:05:24 valhalla dhclient[1782]: Interface wlan1 is down, dhclient exiting
Jul 19 15:05:24 valhalla dhclient[1782]: connection closed
Jul 19 15:05:24 valhalla dhclient[1782]: exiting.
Jul 19 15:05:38 valhalla wpa_supplicant[289]: wlan1: CTRL-EVENT-SSID-REENABLED id=1 ssid="eduroam"
Jul 19 15:06:59 valhalla syslogd: kernel boot file is /boot/kernel/kernel
Jul 19 15:06:59 valhalla kernel: panic: page fault
Jul 19 15:06:59 valhalla kernel: cpuid = 10
Jul 19 15:06:59 valhalla kernel: time = 1689775572
Jul 19 15:06:59 valhalla kernel: KDB: stack backtrace:
Jul 19 15:06:59 valhalla kernel: #0 0xffffffff80c54185 at kdb_backtrace+0x65
Jul 19 15:06:59 valhalla kernel: #1 0xffffffff80c07ac2 at vpanic+0x152
Jul 19 15:06:59 valhalla kernel: #2 0xffffffff80c07963 at panic+0x43
Jul 19 15:06:59 valhalla kernel: #3 0xffffffff810bfde7 at trap_fatal+0x387
Jul 19 15:06:59 valhalla kernel: #4 0xffffffff810bfe3f at trap_pfault+0x4f
Jul 19 15:06:59 valhalla kernel: #5 0xffffffff81096ce8 at calltrap+0x8
Jul 19 15:06:59 valhalla kernel: #6 0xffffffff80d8f5a3 at ieee80211_node_psq_drain+0xf3
Jul 19 15:06:59 valhalla kernel: #7 0xffffffff80d836c6 at node_cleanup+0xa6
Jul 19 15:06:59 valhalla kernel: #8 0xffffffff80d835e5 at node_free+0x25
Jul 19 15:06:59 valhalla kernel: #9 0xffffffff80d84b72 at ieee80211_sta_join1+0xc2
Jul 19 15:06:59 valhalla kernel: #10 0xffffffff80d85aaa at ieee80211_sta_join+0x42a
Jul 19 15:06:59 valhalla kernel: #11 0xffffffff80d79e01 at ieee80211_ioctl_setmlme+0x111
Jul 19 15:06:59 valhalla kernel: #12 0xffffffff80d779ce at ieee80211_ioctl_set80211+0x5de
Jul 19 15:06:59 valhalla kernel: #13 0xffffffff80d76541 at ieee80211_ioctl+0x311
Jul 19 15:06:59 valhalla kernel: #14 0xffffffff80d1f63d at ifioctl+0x98d
Jul 19 15:06:59 valhalla kernel: #15 0xffffffff80c74cb7 at kern_ioctl+0x257
Jul 19 15:06:59 valhalla kernel: #16 0xffffffff80c749eb at sys_ioctl+0x12b
Jul 19 15:06:59 valhalla kernel: #17 0xffffffff810c06dc at amd64_syscall+0x10c
Jul 19 15:06:59 valhalla kernel: Uptime: 4m6s

---

/var/run/dmesg.boot:

wlan1: link state changed to UP
wlan1: link state changed to DOWN
wlan1: link state changed to UP
wlan1: link state changed to DOWN
wlan1: link state changed to UP
wlan1: link state changed to DOWN


Fatal trap 12: page fault while in kernel mode
cpuid = 10; apic id = 0a
fault virtual address = 0x440
fault code = supervisor read data, page not present
instruction pointer = 0x20:0xffffffff80be476d
stack pointer = 0x28:0xfffffe013ee29870
frame pointer = 0x28:0xfffffe013ee298f0
code segment = base rx0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 289 (wpa_supplicant)
trap number = 12
panic: page fault
cpuid = 10
time = 1689775572
KDB: stack backtrace:
#0 0xffffffff80c54185 at kdb_backtrace+0x65
#1 0xffffffff80c07ac2 at vpanic+0x152
#2 0xffffffff80c07963 at panic+0x43
#3 0xffffffff810bfde7 at trap_fatal+0x387
#4 0xffffffff810bfe3f at trap_pfault+0x4f
#5 0xffffffff81096ce8 at calltrap+0x8
#6 0xffffffff80d8f5a3 at ieee80211_node_psq_drain+0xf3
#7 0xffffffff80d836c6 at node_cleanup+0xa6
#8 0xffffffff80d835e5 at node_free+0x25
#9 0xffffffff80d84b72 at ieee80211_sta_join1+0xc2
#10 0xffffffff80d85aaa at ieee80211_sta_join+0x42a
#11 0xffffffff80d79e01 at ieee80211_ioctl_setmlme+0x111
#12 0xffffffff80d779ce at ieee80211_ioctl_set80211+0x5de
#13 0xffffffff80d76541 at ieee80211_ioctl+0x311
#14 0xffffffff80d1f63d at ifioctl+0x98d
#15 0xffffffff80c74cb7 at kern_ioctl+0x257
#16 0xffffffff80c749eb at sys_ioctl+0x12b
#17 0xffffffff810c06dc at amd64_syscall+0x10c
Uptime: 4m6s

---

Expected Results:

    The service should stop without causing a system crash.

Build Date & Hardware:

    * Kernel and world built on 7th July.
    * FreeBSD valhalla 13.2-STABLE FreeBSD 13.2-STABLE stable/13-n255791-a81d4240b346 VALHALLA amd64
Comment 1 dbdemon 2023-07-19 22:17:23 UTC
My laptop hwprobe: https://bsd-hardware.info/?probe=4c9dd227a7
Comment 2 Graham Perrin 2023-09-11 03:59:11 UTC
(In reply to dbdemon from comment #1)

<https://bsd-hardware.info/?probe=4c9dd227a7#pci:8086-06f0-8086-4070>

> … 8086:06f0:8086:4070 / 02-80-00 Intel Comet Lake PCH CNVi WiFi … iwlwifi
Comment 3 commit-hook freebsd_committer freebsd_triage 2024-02-14 19:50:34 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=0936c648ad0ee5152dc19f261e77fe9c1833fe05

commit 0936c648ad0ee5152dc19f261e77fe9c1833fe05
Author:     Bjoern A. Zeeb <bz@FreeBSD.org>
AuthorDate: 2024-02-05 14:51:08 +0000
Commit:     Bjoern A. Zeeb <bz@FreeBSD.org>
CommitDate: 2024-02-14 19:48:04 +0000

    LinuxKPI: 802.11: update the ni/lsta reference cycle

    Update the ni/lsta reference cycle, add extra checks and assertions.
    This is to accomodate problems we were seeing based on net80211
    behaviour (join1() and (*iv_update_bss)() as well as state changes for
    new iv_bss nodes during an active session).
    This should hopefully help to stabilise behaviour until the underlying
    problems gets properly addressed (for this and all other device drivers).

    PR:             272607, 273985, 274003
    MFC after:      3 days
    Reviewed by:    cc
    Differential Revision: https://reviews.freebsd.org/D43753

 sys/compat/linuxkpi/common/src/linux_80211.c | 209 +++++++++++++++++----------
 sys/compat/linuxkpi/common/src/linux_80211.h |   1 +
 2 files changed, 130 insertions(+), 80 deletions(-)
Comment 4 commit-hook freebsd_committer freebsd_triage 2024-02-18 21:12:31 UTC
A commit in branch stable/14 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=12887199b37469c98a47baf66cd3cc182c79fbd6

commit 12887199b37469c98a47baf66cd3cc182c79fbd6
Author:     Bjoern A. Zeeb <bz@FreeBSD.org>
AuthorDate: 2024-02-05 14:51:08 +0000
Commit:     Bjoern A. Zeeb <bz@FreeBSD.org>
CommitDate: 2024-02-18 18:31:17 +0000

    LinuxKPI: 802.11: update the ni/lsta reference cycle

    Update the ni/lsta reference cycle, add extra checks and assertions.
    This is to accomodate problems we were seeing based on net80211
    behaviour (join1() and (*iv_update_bss)() as well as state changes for
    new iv_bss nodes during an active session).
    This should hopefully help to stabilise behaviour until the underlying
    problems gets properly addressed (for this and all other device drivers).

    PR:             272607, 273985, 274003
    Reviewed by:    cc
    Differential Revision: https://reviews.freebsd.org/D43753

    (cherry picked from commit 0936c648ad0ee5152dc19f261e77fe9c1833fe05)

 sys/compat/linuxkpi/common/src/linux_80211.c | 209 +++++++++++++++++----------
 sys/compat/linuxkpi/common/src/linux_80211.h |   1 +
 2 files changed, 130 insertions(+), 80 deletions(-)
Comment 5 commit-hook freebsd_committer freebsd_triage 2024-02-19 08:09:03 UTC
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=223edc1a3c2fc86dbc7fa0ecd00f26a85d7c7b43

commit 223edc1a3c2fc86dbc7fa0ecd00f26a85d7c7b43
Author:     Bjoern A. Zeeb <bz@FreeBSD.org>
AuthorDate: 2024-02-05 14:51:08 +0000
Commit:     Bjoern A. Zeeb <bz@FreeBSD.org>
CommitDate: 2024-02-19 08:02:02 +0000

    LinuxKPI: 802.11: update the ni/lsta reference cycle

    Update the ni/lsta reference cycle, add extra checks and assertions.
    This is to accomodate problems we were seeing based on net80211
    behaviour (join1() and (*iv_update_bss)() as well as state changes for
    new iv_bss nodes during an active session).
    This should hopefully help to stabilise behaviour until the underlying
    problems gets properly addressed (for this and all other device drivers).

    PR:             272607, 273985, 274003
    Reviewed by:    cc
    Differential Revision: https://reviews.freebsd.org/D43753

    (cherry picked from commit 0936c648ad0ee5152dc19f261e77fe9c1833fe05)

 sys/compat/linuxkpi/common/src/linux_80211.c | 209 +++++++++++++++++----------
 sys/compat/linuxkpi/common/src/linux_80211.h |   1 +
 2 files changed, 130 insertions(+), 80 deletions(-)
Comment 6 commit-hook freebsd_committer freebsd_triage 2024-02-19 16:10:42 UTC
A commit in branch releng/13.3 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=9b2da4bc5a68294bc1dcfdd0d0ccadf747bafd67

commit 9b2da4bc5a68294bc1dcfdd0d0ccadf747bafd67
Author:     Bjoern A. Zeeb <bz@FreeBSD.org>
AuthorDate: 2024-02-05 14:51:08 +0000
Commit:     Bjoern A. Zeeb <bz@FreeBSD.org>
CommitDate: 2024-02-19 16:09:22 +0000

    LinuxKPI: 802.11: update the ni/lsta reference cycle

    Update the ni/lsta reference cycle, add extra checks and assertions.
    This is to accomodate problems we were seeing based on net80211
    behaviour (join1() and (*iv_update_bss)() as well as state changes for
    new iv_bss nodes during an active session).
    This should hopefully help to stabilise behaviour until the underlying
    problems gets properly addressed (for this and all other device drivers).

    Approved by:    re (cperciva)
    PR:             272607, 273985, 274003
    Reviewed by:    cc
    Differential Revision: https://reviews.freebsd.org/D43753

    (cherry picked from commit 0936c648ad0ee5152dc19f261e77fe9c1833fe05)
    (cherry picked from commit 223edc1a3c2fc86dbc7fa0ecd00f26a85d7c7b43)

 sys/compat/linuxkpi/common/src/linux_80211.c | 209 +++++++++++++++++----------
 sys/compat/linuxkpi/common/src/linux_80211.h |   1 +
 2 files changed, 130 insertions(+), 80 deletions(-)
Comment 7 Bjoern A. Zeeb freebsd_committer freebsd_triage 2024-02-19 17:06:07 UTC
Hi,

I believe the problem here (also seen in PR 273985) is fixed in 15/14/13/and 13.3 from RC1 on.

Could you try a more recent stable and let us know is you still see the issue?
Comment 8 dbdemon 2024-02-27 14:05:18 UTC
I have just tested this on 14.0-STABLE, and I can confirm that the issue seems to have been resolved. 

# uname -a
FreeBSD valhalla 14.0-STABLE FreeBSD 14.0-STABLE #0 stable/14-n266870-e705ac7788b2: Sat Feb 24 13:58:38 GMT 2024     root@valhalla:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64

Thank you very much.
Comment 9 Bjoern A. Zeeb freebsd_committer freebsd_triage 2024-02-27 20:29:46 UTC
(In reply to dbdemon from comment #8)

Thank you so much for the testing and feedback!
Much appreciated.