After booting kernel 680d34896c with the patch for the panic in PR 285729 applied from https://reviews.freebsd.org/D49791 I got this panic just once, at first boot with this patch. Then I wasn't able to get it.

As for getting the ieee80211_sta_join+0x256 value you requested - how can I do that? And can I somehow do that with what I have in /var/crash?:

-rw-r--r--  1 root  wheel      2 Apr 12 18:33 bounds
-rw-r--r--  1 root  wheel     30 Apr  1 01:20 core.txt.0
-rw-r--r--  1 root  wheel     30 Apr 12 18:33 core.txt.1
-rw-------  1 root  wheel    489 Apr  1 01:20 info.0
-rw-------  1 root  wheel    477 Apr 12 18:33 info.1
lrwxr-xr-x  1 root  wheel      6 Apr 12 18:33 info.last -> info.1
-rw-r--r--  1 root  wheel      5 Dec 23  2021 minfree
-rw-------  1 root  wheel  36864 Apr  1 01:20 textdump.tar.0
-rw-------  1 root  wheel  31744 Apr 12 18:33 textdump.tar.1
lrwxr-xr-x  1 root  wheel     14 Apr 12 18:33 textdump.tar.last -> textdump.tar.1

> <118>Created wlan(4) interfaces: wlan0.
> <6>lo0: link state changed to UP
> <118>Starting wpa_supplicant.
> <118>Starting dhclient.
> <118>wlan0: no link ......
> <6>wlan0: link state changed to UP
> <118> got link
> <118>DHCPREQUEST on wlan0 to 255.255.255.255 port 67
> <6>wlan0: link state changed to DOWN
> <118>DHCPREQUEST on wlan0 to 255.255.255.255 port 67
> <118>wlan0 link state up -> down
> iwlwifi0: Not associated and the session protection is over already...
> iwlwifi0: linuxkpi_ieee80211_connection_loss: vif 0xfffffe0115d5cec0 vap 0xfffffe0115d5c010 state AUTH
>
>
> Fatal trap 9: general protection fault while in kernel mode
> cpuid = 0; apic id = 00
> instruction pointer = 0x20:0xffffffff80cd64e0
> stack pointer = 0x28:0xfffffe01121409a8
> frame pointer = 0x28:0xfffffe0112140a30
> code segment = base rx0, limit 0xfffff, type 0x1b
>              = DPL 0, pres 1, long 1, def32 0, gran 1
> processor eflags = interrupt enabled, resume, IOPL = 0
> current process = 389 (wpa_supplicant)
> rdi: c0dedeadc0dedead rsi: fffffe011611e2a5 rdx: 0000000000000001
> rcx: 0000000000000011  r8: dedeadc0dedeadc0  r9: c0dedeadc0dedead
> rax: fffffe011611e384 rbx: fffffe0115d5c010 rbp: fffffe0112140a30
> r10: c0dedeadc0dedead r11: 0000000000000001 r12: fffffe011611e068
> r13: fffffe011611e2a5 r14: fffffe0112621000 r15: 0000000000000001
> trap number = 9
> panic: general protection fault
> cpuid = 0
> time = 1744471792
> KDB: stack backtrace:
> db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe0112140720
> vpanic() at vpanic+0x136/frame 0xfffffe0112140850
> panic() at panic+0x43/frame 0xfffffe01121408b0
> trap_fatal() at trap_fatal+0x68/frame 0xfffffe01121408d0
> calltrap() at calltrap+0x8/frame 0xfffffe01121408d0
> --- trap 0x9, rip = 0xffffffff80cd64e0, rsp = 0xfffffe01121409a8, rbp = 0xfffffe0112140a30 ---
> ieee80211_chan2mode() at ieee80211_chan2mode/frame 0xfffffe0112140a30
> ieee80211_sta_join() at ieee80211_sta_join+0x256/frame 0xfffffe0112140a80
> ieee80211_ioctl_setmlme() at ieee80211_ioctl_setmlme+0xfc/frame 0xfffffe0112140b10
> ieee80211_ioctl_set80211() at ieee80211_ioctl_set80211+0x9ad/frame 0xfffffe0112140b80
> ieee80211_ioctl() at ieee80211_ioctl+0x2de/frame 0xfffffe0112140be0
> ifioctl() at ifioctl+0x973/frame 0xfffffe0112140ce0
> kern_ioctl() at kern_ioctl+0x286/frame 0xfffffe0112140d40
> sys_ioctl() at sys_ioctl+0x12f/frame 0xfffffe0112140e00
> amd64_syscall() at amd64_syscall+0x15a/frame 0xfffffe0112140f30
> fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0112140f30
> --- syscall (54, FreeBSD ELF64, ioctl), rip = 0x60c96590b0a, rsp = 0x60c8f6dbfd8, rbp = 0x60c8f6dc040 ---
> KDB: enter: panic
>
I have another possible hint: for me ieee80211_ies_expand already failed; and the 2nd STA goes kaboom on the channel in ddb (see very end)

iwlwifi0: linuxkpi_ieee80211_connection_loss: vif 0xfffffe009ecebec0 vap 0xfffffe009eceb010 state AUTH
ieee80211_ies_expand: malformed IEs! ies 0xfffffe009ed46068 { data 0xfffff800017f1e00 len 119 }: ie 222 len 2+192 > total len left 119


Fatal trap 9: general protection fault while in kernel mode
cpuid = 2; apic id = 02
instruction pointer = 0x20:0xffffffff80cc4b00
stack pointer = 0x28:0xfffffe007bf889a8
frame pointer = 0x28:0xfffffe007bf88a30
code segment = base rx0, limit 0xfffff, type 0x1b
             = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 357 (wpa_supplicant)
rdi: c0dedeadc0dedead rsi: fffffe009ed462a5 rdx: 0000000000000001
rcx: 0000000000000011  r8: dedeadc0dedeadc0  r9: c0dedeadc0dedead
rax: fffffe009ed46384 rbx: fffffe009eceb010 rbp: fffffe007bf88a30
r10: c0dedeadc0dedead r11: 000000000000002f r12: fffffe009ed46068
r13: fffffe009ed462a5 r14: fffffe009e09f000 r15: 0000000000000001
trap number = 9
panic: general protection fault
cpuid = 2
time = 1744789360
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe007bf88720
vpanic() at vpanic+0x136/frame 0xfffffe007bf88850
panic() at panic+0x43/frame 0xfffffe007bf888b0
trap_fatal() at trap_fatal+0x68/frame 0xfffffe007bf888d0
calltrap() at calltrap+0x8/frame 0xfffffe007bf888d0
--- trap 0x9, rip = 0xffffffff80cc4b00, rsp = 0xfffffe007bf889a8, rbp = 0xfffffe007bf88a30 ---
ieee80211_chan2mode() at ieee80211_chan2mode/frame 0xfffffe007bf88a30
ieee80211_sta_join() at ieee80211_sta_join+0x256/frame 0xfffffe007bf88a80
ieee80211_ioctl_setmlme() at ieee80211_ioctl_setmlme+0xfc/frame 0xfffffe007bf88b10
ieee80211_ioctl_set80211() at ieee80211_ioctl_set80211+0x9ad/frame 0xfffffe007bf88b80
ieee80211_ioctl() at ieee80211_ioctl+0x2de/frame 0xfffffe007bf88be0
ifioctl() at ifioctl+0x973/frame 0xfffffe007bf88ce0
kern_ioctl() at kern_ioctl+0x286/frame 0xfffffe007bf88d40
sys_ioctl() at sys_ioctl+0x12f/frame 0xfffffe007bf88e00
amd64_syscall() at amd64_syscall+0x15a/frame 0xfffffe007bf88f30
fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe007bf88f30
--- syscall (54, FreeBSD ELF64, ioctl), rip = 0x2fa19ee23bfa, rsp = 0x2fa198cd2af8, rbp = 0x2fa198cd2b60 ---
KDB: enter: panic
[ thread pid 357 tid 100096 ]
Stopped at      kdb_enter+0x33: movq    $0,0x105c922(%rip)
db> show all vaps
iwlwifi0: com 0xfffffe009e09f000 vaps: wlan0(0xfffffe009eceb010)
db> show com /a 0xfffffe009e09f000
COM: 0xfffffe009e09f000: wlan0(0xfffffe009eceb010)
    softc 0xfffffe009ebbe200 name iwlwifi0 comlock 0xfffffe009e09f010 txlock 0xfffffe009e09f040 fflock 0xfffffe009e09f070
    headroom 0 phytype 2 opmode STA inact 0xfffffe009e09f0d0
    flags=42400<SHSLOT,WME,SHPREAMBLE>
    flags_ext=2480002<INACT,SCAN_OFFLOAD,VHT,AMPDU_OFFLOAD>
    flags_ht=1080000<HT,USEHT40>
    flags_ven=0
    caps=581c001<STA,SHSLOT,SHPREAMBLE,MONITOR,WPA1,WPA2,WME>
    cryptocaps=1a<TKIP,AES_CCM,TKIPMIC>
    htcaps=519ef<LDPC,CHWIDTH40,SHORTGI20,SHORTGI40,TXSTBC,AMSDU(7935),DSSSCCK40>
    vhtcaps=39071f6<MPDU11454,CHAN160,RXLDPC,SHORTGI80,SHORTGI160,RXSTBC1,RXSTBC2,BFEECAP>
    curmode 1 promisc 0 allmulti 0 nrunning 1
    bintval 100 lintval 100 holdover 0 txpowlimit 100
    nchans 207
    curchan [5180 (36) flags=140<OFDM,5GHZ> maxreg 17 maxpow 34 minpow 0 state 0x0 extieee 0]
    bsschan [5180 (36) flags=140<OFDM,5GHZ> maxreg 17 maxpow 34 minpow 0 state 0x0 extieee 0]
    prevchan <NULL>
    regdomain 0xfffffe009e0a4518
    csa_newchan <NULL> csa_count 0
    dfs 0xfffffe009e0a4548
    scan 0xfffffe009ece7000
    lastdata 2147424719 lastscan 2147425169
    max_keyix 0 hash_key 0x595bc728
    wme 0xfffffe009e0a57c8
    stageq@0xfffffe009e0a5780: lock 0xfffffe009e0a5780 len 0 maxlen 0 drops 0 head 0 tail 0
    station@0xfffffe009e0a5610: nodelock 0xfffffe009e0a5618 inact_init 2 keyixmax 0 keyixmap 0
    protmode 0 curhtprotmode 0x0 htprotmode 2 superg 0
    montaps 0 th 0xfffffe009ebbe220 txchan 0xfffffe009ebbe22a rh 0xfffffe009ebbe230 rxchan 0xfffffe009ebbe242
    ic_vap_create : lkpi_ic_vap_create
    ic_vap_delete : lkpi_ic_vap_delete
    ic_newassoc : 0
    ic_getradiocaps : lkpi_ic_getradiocaps
    ic_setregdomain : null_setregdomain
    ic_send_mgmt : ieee80211_send_mgmt
    ic_raw_xmit : lkpi_ic_raw_xmit
    ic_updateslot : 0
    ic_update_mcast : lkpi_ic_update_mcast
    ic_update_promisc : lkpi_ic_update_promisc
    ic_node_alloc : lkpi_ic_node_alloc
    ic_node_free : lkpi_ic_node_free
    ic_node_cleanup : lkpi_ic_node_cleanup
    ic_node_getrssi : node_getrssi
    ic_node_getsignal : node_getsignal
    ic_node_getmimoinfo : node_getmimoinfo
    ic_scan_start : lkpi_ic_scan_start
    ic_scan_end : lkpi_ic_scan_end
    ic_set_channel : lkpi_ic_set_channel
    ic_scan_curchan : lkpi_ic_scan_curchan
    ic_scan_mindwell : lkpi_ic_scan_mindwell
    ic_recv_action : lkpi_ic_recv_action
    ic_send_action : lkpi_ic_send_action
    ic_addba_request : lkpi_ic_addba_request
    ic_addba_response : lkpi_ic_addba_response
    ic_addba_stop : lkpi_ic_addba_stop
SCAN 0xfffffe009ece7000: vap 0xfffffe009eceb010 ic 0xfffffe009e09f000
    ss_ops 0xffffffff813730f0 (default) ss_priv 0xfffff80017356800
    scan_attach : sta_attach
    scan_detach : sta_detach
    scan_start : sta_start
    scan_restart : sta_restart
    scan_cancel : sta_cancel
    scan_end : sta_pick_bss
    scan_flush : sta_flush
    scan_pickchan : 0
    scan_add : sta_add
    scan_age : sta_age
    scan_assoc_fail : sta_assoc_fail
    scan_assoc_success : sta_assoc_success
    scan_iterate : sta_iterate
    scan_spare0 : 0
    scan_spare1 : 0
    scan_spare2 : 0
    scan_spare3 : 0
    ss_flags 42<ACTIVE,NOJOIN>
    ss_nssid 1
    ss_nssid[0]""
    ss_chans:
    ss_next 1 ss_last 0 ss_mindwell 2 ss_maxdwell 20
VAP 0xfffffe009eceb010: bss 0xfffffe009ecfa000 myaddr 74:13:ea:6e:de:c1
    opmode STA state 0 INIT ifp 0xfffff80001956800(wlan0)
    ic 0xfffffe009e09f000 media 0xfffffe009eceb010 bpf_if 0xfffff8000194d200 mgtsend 0xfffffe009eceb4a0
    iv_nstate 0 INIT iv_nstate_b 5 iv_nstate_n 0
    [0] iv_nstates 0x2 AUTH _task 0xfffffe009eceb380 _args 192
    [1] iv_nstates 0x3 ASSOC _task 0xfffffe009eceb3a0 _args 0
    [2] iv_nstates 0x5 RUN _task 0xfffffe009eceb3c0 _args 16
    [3] iv_nstates 0x2 AUTH _task 0xfffffe009eceb3e0 _args 4288
    [4] iv_nstates 0 INIT _task 0xfffffe009eceb400 _args 0
    [5] iv_nstates 0x5 RUN _task 0xfffffe009eceb420 _args 16
    [6] iv_nstates 0x2 AUTH _task 0xfffffe009eceb440 _args 4288
    [7] iv_nstates 0 INIT _task 0xfffffe009eceb460 _args 0
    debug=10000000<CRYPTO>
    flags=42842410<PRIVACY,SHSLOT,WME,SHPREAMBLE,WPA1,DROPUNENC,DOTH>
    flags_ext=2480002<INACT,SCAN_OFFLOAD,VHT,AMPDU_OFFLOAD>
    flags_ht=ddba0000<LDPC_RX,HT,AMPDU_TX,AMPDU_RX,AMSDU_RX,USEHT40,SHORTGI20,SHORTGI40,HTCOMPAT,STBC_TX,STBC_RX>
    flags_ven=0
    caps=580c001<STA,SHSLOT,SHPREAMBLE,WPA1,WPA2,WME>
    htcaps=519ef<LDPC,CHWIDTH40,SHORTGI20,SHORTGI40,TXSTBC,AMPDU,HT>
    vhtcap=39071f6<MPDU11454,CHAN160,RXLDPC,SHORTGI80,SHORTGI160,RXSTBC1,RXSTBC2,BFEECAP>
    inact_init 2 inact_auth 12 inact_run 20 inact_probe 2
    des_nssid 0 des_bssid 00:00:00:00:00:00 des_mode 0 des_chan <ANY>
    bgscanidle 2500 bgscanintvl 30000 scanvalid 6000
    scanreq_duration 0 scanreq_mindwell 0 scanreq_maxdwell 0 scanreq_flags 0x0 scanreq_nssid 0
    roaming 2
    roamparms[11a] rssi 7 rate 12
    roamparms[11b] rssi 7 rate 1
    roamparms[11g] rssi 7 rate 5
    roamparms[11na] rssi 7 rate MCS1
    roamparms[11ng] rssi 7 rate MCS1
    roamparms[11ac] rssi 7 rate MCS1
    bmissthreshold 7 bmiss_max 0 bmiss_max 2 swbmiss_count 4 swbmiss_period 0 swbmiss 0xfffffe009eceb600
    ampdu_rxmax 0 ampdu_density 0 ampdu_limit 0 amsdu_limit 2048
    max_aid 128 aid_bitmap 0 sta_assoc 0 ps_sta 0 ps_pending 0 tim_len 0 tim_bitmap 0 dtim_period 192 dtim_count 0 set_tim 0 csa_count 0
    rtsthreshold 2346 fragthreshold 2346 inact_timer 0
    txparms[11a] ucastrate <none> mcastrate 6 mgmtrate 6 maxretry 6
    txparms[11b] ucastrate <none> mcastrate 1 mgmtrate 1 maxretry 6
    txparms[11g] ucastrate <none> mcastrate 1 mgmtrate 1 maxretry 6
    txparms[11na] ucastrate <none> mcastrate 6 mgmtrate 6 maxretry 6
    txparms[11ng] ucastrate <none> mcastrate 1 mgmtrate 1 maxretry 6
    txparms[11ac] ucastrate <none> mcastrate 6 mgmtrate 6 maxretry 6
    appie_wpa [XXX] wpa_ie 0xfffffxxxx
    max_keyix 4 def_txkey 65535
    nw_keys[0] NULL 65535:0-bit
    nw_keys[1] NULL 65535:0-bit
    nw_keys[2] NULL 65535:0-bit
    nw_keys[3] NULL 65535:0-bit
    auth 0xffffffff81372800(wlan_internal) ec 0 acl 0 as 0
    sta_assoc 0 ht_sta_assoc 0 ht40_sta_assoc 0 nonerpsta 0 longslotsta 0 lastnonerp 0 lastnonht 0
    iv_rate 0xffffffff8136f9b0 iv_rs 0xfffff8001802b070
    ir_name amrr
    ir_attach : 0
    ir_detach : 0
    ir_init : amrr_init
    ir_deinit : amrr_deinit
    ir_node_init : amrr_node_init
    ir_node_deinit : amrr_node_deinit
    ir_rate : amrr_rate
    ir_tx_complete : amrr_tx_complete
    ir_tx_update : amrr_tx_update
    ir_setinterval : amrr_setinterval
    ir_node_stats : amrr_node_stats
    iv_key_alloc : null_key_alloc
    iv_key_delete : lkpi_iv_key_delete
    iv_key_set : lkpi_iv_key_set
    iv_key_update_begin : lkpi_iv_key_update_begin
    iv_key_update_end : lkpi_iv_key_update_end
    iv_opdetach : sta_vdetach
    iv_input : sta_input
    iv_recv_mgmt : sta_recv_mgmt
    iv_deliver_data : ieee80211_deliver_data
    iv_bmiss : sta_beacon_miss
    iv_reset : default_reset
    iv_update_beacon : null_update_beacon
    iv_newstate : lkpi_iv_newstate
    iv_output : ether_output
STA: 0xfffffe009ecfa000: mac 74:13:ea:6e:de:c1 refcnt 2
    vap 0xfffffe009eceb010 wdsvap 0 ic 0xfffffe009e09f000 table 0xfffffe009e0a5610
    flags=0
    authmode 1 ath_flags 0x0 ath_defkeyix 32767 associd 0x0 txpower 100 vlan 0
    jointime 0 (16 secs) challenge 0
    ies: data 0 len 0
    [wpa_ie 0 rsn_ie 0 wme_ie 0 ath_ie 0 htcap_ie 0 htinfo_ie 0]
    vhtcap_ie 0 vhtopmode_ie 0 vhtpwrenv_ie 0]
    txseq 0 rxseq 0 fragno 0 rxfragstamp 0
    rxfrag[0] 0 rxfrag[1] 0 rxfrag[2] 0
    ucastkey NULL 65535:0-bit
    avgrssi 0x7f (rssi 1) noise 0
    intval 100 capinfo 0
    bssid 00:00:00:00:00:00 essid "" channel <ANY>
    erp 0 dtim_period 0 dtim_count 0
    htcap 0 htparam 0x0 htctlchan 0 ht2ndchan 0
    htopmode 0x0 htstbc 0x0 chw 0 (BW_20)
    inact 2 inact_reload 2 txrate type 0 rate 0
    meshid "" mlstate 0 mllid 0x0 mlpid 0x0 mlrcnt 0 mltval 0
    vhtcap 0 vht_basicmcs 000000 vht_tx_map 000000
    vht_mcsinfo: { rx_mcs_map 000000 rx_highest 000000 tx_mcs_map 000000 tx_highest 000000 }
    vht_chan1/chan2 0/0 vht_chanwidth 0000 vht_pad1 0000
    vht_spare { 0 0 0 0 0 0 0 0 }
    ni_tx_superg[] = { 0 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, }
    ni_rctls = 0
    ni_drv_data = 0xfffff80001d78800
    ni_spare[3] = { 0 0 0 }
STA: 0xfffffe009ed46000: mac 9e:9d:7e:76:6f:fa refcnt 1
    vap 0xfffffe009eceb010 wdsvap 0 ic 0xfffffe009e09f000 table 0xfffffe009e0a5610
    flags=20000<ASSOCID>
    authmode 1 ath_flags 0x0 ath_defkeyix 32767 associd 0x0 txpower 100 vlan 0
    jointime 0 (16 secs) challenge 0
    ies: data 0xfffff800017f1e00 len 119
    [wpa_ie 0 rsn_ie 0 wme_ie 0 ath_ie 0 htcap_ie 0 htinfo_ie 0]
    vhtcap_ie 0 vhtopmode_ie 0 vhtpwrenv_ie 0]
    txseq 0 rxseq 0 fragno 0 rxfragstamp 0
    rxfrag[0] 0 rxfrag[1] 0 rxfrag[2] 0
    ucastkey NULL 65535:0-bit
    avgrssi 0x80 (rssi 1) noise -96
    intval 100 capinfo 11<ESS,PRIVACY>
    bssid 9e:9d:7e:76:6f:fa essid "SSID" channelKDB: reentering

^^^^ STA kaputt
ieee80211_sta_join() calls
    ieee80211_alloc_node() not passing the chan
        ni_chan gets initialized to IEEE80211_CHAN_ANYC
        the node gets inserted in the nt
    ni->ni_chan = chan which was passed into ieee80211_sta_join()
    ieee80211_ies_init
    ieee80211_ies_expand             << one possible problem seen here already -- ??? unrelated? NO!
    ieee80211_setup_rates calls      <<<< real problem for ni_chan happening here
        ieee80211_fix_rate
            ucastrate = vap->iv_txparms[ieee80211_chan2mode(ni->ni_chan)].ucastrate;   << kaboom with ni_chan being kaputt

The problem that is common to both is that the se became invalid.

Please try the patch from this review: https://reviews.freebsd.org/D49865
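The failure mode described in the analysis above (a scan entry pointer still used after the iteration that produced it has returned, so that ni_chan and the IE data are read from memory the cache has already reused) reduces to a small C model. This is an added example, not code from this bug, from net80211 or from D49865: every type and function in it (scan_entry, scan_cache, scan_iterate, scan_flush, fill_cache, join_chan_retained, join_chan_copied, demo) is a constructed stand-in, the 0xdead poison stands in for the freed-memory pattern visible in the rdi/r8/r9/r10 registers of both panics, and the copying path only models the direction of the fix (copy the entry while the callback still owns it, rather than keeping the cache's pointer).

```c
#include <stdio.h>
#include <string.h>

/* Constructed miniature of a scan cache and a join path (not net80211's own
 * types or functions). It models the bug: a pointer obtained inside an
 * iterate callback is kept after the iteration returns, then the cache
 * changes underneath it. */
#define SE_POOL 4
#define POISON  0xdeadU           /* stands in for the kernel's freed-memory poison */

struct scan_entry {               /* chan == 0 marks an unused slot */
	unsigned chan, ies_len;
	unsigned char bssid[6], ies[16];
};
struct scan_cache { struct scan_entry se[SE_POOL]; };
typedef void (*scan_cb)(void *arg, const struct scan_entry *se);

/* Constructed BSSIDs; the first is the AP seen in the ddb output above. */
const unsigned char AP_BSSID[6] = { 0x9e, 0x9d, 0x7e, 0x76, 0x6f, 0xfa };
const unsigned char NO_BSSID[6] = { 0, 0, 0, 0, 0, 0 };

/* Visit every live entry. The pointer handed to cb is valid only inside cb. */
void scan_iterate(struct scan_cache *sc, scan_cb cb, void *arg)
{
	for (int i = 0; i < SE_POOL; i++)
		if (sc->se[i].chan != 0)
			cb(arg, &sc->se[i]);
}

/* Models the cache being flushed and poisoned while the caller is blocked
 * elsewhere (the node allocation in the analysis above). */
void scan_flush(struct scan_cache *sc)
{
	for (int i = 0; i < SE_POOL; i++) {
		sc->se[i].chan = sc->se[i].ies_len = POISON;
		memset(sc->se[i].ies, 0xde, sizeof sc->se[i].ies);
	}
}

/* One constructed entry: the AP on channel 36 with a minimal SSID IE. */
void fill_cache(struct scan_cache *sc)
{
	static const unsigned char ssid_ie[6] = { 0x00, 0x04, 'S', 'S', 'I', 'D' };
	memset(sc, 0, sizeof *sc);
	sc->se[1].chan = 36;
	memcpy(sc->se[1].bssid, AP_BSSID, 6);
	memcpy(sc->se[1].ies, ssid_ie, sizeof ssid_ie);
	sc->se[1].ies_len = sizeof ssid_ie;
}

/* Buggy pattern: the callback stores the cache's own pointer. */
struct find_ptr { const unsigned char *bssid; const struct scan_entry *se; };
static void cb_keep_ptr(void *arg, const struct scan_entry *se)
{
	struct find_ptr *f = arg;
	if (memcmp(se->bssid, f->bssid, 6) == 0)
		f->se = se;                   /* pointer outlives the iteration */
}

/* Fixed pattern: the callback deep-copies into caller-owned storage. */
struct find_copy { const unsigned char *bssid; struct scan_entry copy; int found; };
static void cb_copy(void *arg, const struct scan_entry *se)
{
	struct find_copy *f = arg;
	if (memcmp(se->bssid, f->bssid, 6) == 0) {
		f->copy = *se;                /* arrays are embedded, so this copy is deep */
		f->found = 1;
	}
}

/* Both join paths: find the BSS, let the cache change, then read the channel.
 * Returns the channel read, or 0 when the BSS was not in the cache. */
unsigned join_chan_retained(struct scan_cache *sc, const unsigned char *bssid)
{
	struct find_ptr f = { bssid, NULL };
	scan_iterate(sc, cb_keep_ptr, &f);
	if (f.se == NULL)
		return 0;
	scan_flush(sc);                       /* the race window */
	return f.se->chan;                    /* reads the poisoned slot */
}

unsigned join_chan_copied(struct scan_cache *sc, const unsigned char *bssid)
{
	struct find_copy f = { bssid, { 0 }, 0 };
	scan_iterate(sc, cb_copy, &f);
	if (!f.found)
		return 0;
	scan_flush(sc);
	return f.copy.chan;                   /* the copy is unaffected */
}

/* One join against a freshly filled cache; fixed != 0 selects the copying path. */
unsigned demo(int fixed, const unsigned char *bssid)
{
	struct scan_cache sc;
	fill_cache(&sc);
	return fixed ? join_chan_copied(&sc, bssid) : join_chan_retained(&sc, bssid);
}

int main(void)
{
	printf("retained pointer: chan %#x\n", demo(0, AP_BSSID));
	printf("deep copy:        chan %u\n", demo(1, AP_BSSID));
	return 0;
}
```

The retained-pointer path hands back the poison value instead of channel 36, which is the same shape as the c0dedeadc0dedead registers feeding ieee80211_chan2mode() in the backtraces; the copied path is immune because nothing it reads after scan_flush() belongs to the cache. The same reasoning covers the IE bytes: ies_len and ies[] in the copy keep their values while the cache's slot is overwritten, which is why a copy taken inside the callback also avoids the "malformed IEs" path.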
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=aff56b4f0b25c44c9c2cae9a3f816c4277057a71

commit aff56b4f0b25c44c9c2cae9a3f816c4277057a71
Author:     Bjoern A. Zeeb <bz@FreeBSD.org>
AuthorDate: 2025-04-16 19:10:58 +0000
Commit:     Bjoern A. Zeeb <bz@FreeBSD.org>
CommitDate: 2025-05-05 14:58:59 +0000

    net80211: fix a race between ieee80211_sta_join and scan entries

    We were seeing panics during ieee80211_sta_join() which seemed that the
    ni->ni_chan was not valid anymore, which was true. We also saw errors
    indicating data put into ni_ies became invalid.

    The problem was that the ieee80211_scan_entry passed into
    ieee80211_sta_join() (in the observed case from setmlme_assoc_sta())
    became invalid during ieee80211_alloc_node(). As a result for the
    ni_chan case the rateset and len in rates[1] became invalid.
    Similarly for the IEs.

    Make a (deep)copy of the scan entry in setmlme_assoc_sta() and return
    the copy as once we leave ieee80211_scan_iterate() we can no longer
    rely on the scan entry to be valid.

    Sponsored by:   The FreeBSD Foundation
    MFC after:      3 days
    Reported by:    rm, ziaee, bz
    Tested by:      rm, ziaee, bz
    PR:             286063
    Reviewed by:    adrian (,emaste)
    Differential Revision: https://reviews.freebsd.org/D49865

 sys/net80211/ieee80211_ioctl.c | 26 +++++++++++++++++++++-----
 1 file changed, 21 insertions(+), 5 deletions(-)
A commit in branch stable/14 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=34cd36918652f07ea8a36a62115349781e457fc6

commit 34cd36918652f07ea8a36a62115349781e457fc6
Author:     Bjoern A. Zeeb <bz@FreeBSD.org>
AuthorDate: 2025-04-16 19:10:58 +0000
Commit:     Bjoern A. Zeeb <bz@FreeBSD.org>
CommitDate: 2025-05-07 08:52:29 +0000

    net80211: fix a race between ieee80211_sta_join and scan entries

    We were seeing panics during ieee80211_sta_join() which seemed that the
    ni->ni_chan was not valid anymore, which was true. We also saw errors
    indicating data put into ni_ies became invalid.

    The problem was that the ieee80211_scan_entry passed into
    ieee80211_sta_join() (in the observed case from setmlme_assoc_sta())
    became invalid during ieee80211_alloc_node(). As a result for the
    ni_chan case the rateset and len in rates[1] became invalid.
    Similarly for the IEs.

    Make a (deep)copy of the scan entry in setmlme_assoc_sta() and return
    the copy as once we leave ieee80211_scan_iterate() we can no longer
    rely on the scan entry to be valid.

    Sponsored by:   The FreeBSD Foundation
    Reported by:    rm, ziaee, bz
    Tested by:      rm, ziaee, bz
    PR:             286063
    Reviewed by:    adrian (,emaste)
    Differential Revision: https://reviews.freebsd.org/D49865

    (cherry picked from commit aff56b4f0b25c44c9c2cae9a3f816c4277057a71)

 sys/net80211/ieee80211_ioctl.c | 26 +++++++++++++++++++++-----
 1 file changed, 21 insertions(+), 5 deletions(-)
A commit in branch releng/14.3 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=8d6b75819946c5b01281dc93e3b0df049340f9b6

commit 8d6b75819946c5b01281dc93e3b0df049340f9b6
Author:     Bjoern A. Zeeb <bz@FreeBSD.org>
AuthorDate: 2025-04-16 19:10:58 +0000
Commit:     Bjoern A. Zeeb <bz@FreeBSD.org>
CommitDate: 2025-05-08 21:22:59 +0000

    net80211: fix a race between ieee80211_sta_join and scan entries

    We were seeing panics during ieee80211_sta_join() which seemed that the
    ni->ni_chan was not valid anymore, which was true. We also saw errors
    indicating data put into ni_ies became invalid.

    The problem was that the ieee80211_scan_entry passed into
    ieee80211_sta_join() (in the observed case from setmlme_assoc_sta())
    became invalid during ieee80211_alloc_node(). As a result for the
    ni_chan case the rateset and len in rates[1] became invalid.
    Similarly for the IEs.

    Make a (deep)copy of the scan entry in setmlme_assoc_sta() and return
    the copy as once we leave ieee80211_scan_iterate() we can no longer
    rely on the scan entry to be valid.

    Sponsored by:   The FreeBSD Foundation
    Reported by:    rm, ziaee, bz
    Tested by:      rm, ziaee, bz
    PR:             286063
    Approved by:    re (cperciva)
    Reviewed by:    adrian (,emaste)
    Differential Revision: https://reviews.freebsd.org/D49865

    (cherry picked from commit aff56b4f0b25c44c9c2cae9a3f816c4277057a71)
    (cherry picked from commit 34cd36918652f07ea8a36a62115349781e457fc6)

 sys/net80211/ieee80211_ioctl.c | 26 +++++++++++++++++++++-----
 1 file changed, 21 insertions(+), 5 deletions(-)
Thanks for reporting and testing.