Date: Sat, 8 Dec 2012 09:32:00 GMT From: Adrian Chadd <adrian@FreeBSD.org> To: freebsd-gnats-submit@FreeBSD.org Subject: kern/174273: [net80211] taking down a net80211 node with active fast frames traffic causes a panic Message-ID: <201212080932.qB89W0h5054087@red.freebsd.org> Resent-Message-ID: <201212080940.qB89e0Oc005428@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 174273
>Category: kern
>Synopsis: [net80211] taking down a net80211 node with active fast frames traffic causes a panic
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Dec 08 09:40:00 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator: Adrian Chadd
>Release: 10.0-CURRENT
>Organization:
>Environment:
>Description:
When doing active fast frames traffic, tearing down the session can cause a kernel panic.
The specifics:
Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 01
fault virtual address = 0xdeadc0de
fault code = supervisor read, page not present
instruction pointer = 0x20:0xc075e3a0
stack pointer = 0x28:0xf65acaac
frame pointer = 0x28:0xf65acabc
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 0 (ath0 net80211 taskq)
trap number = 12
panic: page fault
cpuid = 1
KDB: stack backtrace:
#0 0xc072db3f at kdb_backtrace+0x4f
#1 0xc06f5cbf at panic+0x16f
#2 0xc097d643 at trap_fatal+0x323
#3 0xc097d6dd at trap_pfault+0x8d
#4 0xc097e895 at trap+0x4a5
#5 0xc096755c at calltrap+0x6
#6 0xcf0ef437 at ieee80211_ff_node_cleanup+0x177
#7 0xcf0ba5c0 at node_cleanup+0xd0
#8 0xcf472d51 at ath_node_cleanup+0xe1
#9 0xcf0ba050 at ieee80211_sta_leave+0x20
#10 0xcf0e6051 at sta_newstate+0x171
#11 0xcf476d00 at ath_newstate+0x370
#12 0xcf0ca3b4 at ieee80211_newstate_cb+0x1a4
#13 0xc073c3db at taskqueue_run_locked+0xeb
#14 0xc073ce37 at taskqueue_thread_loop+0x67
#15 0xc06c47e2 at fork_exit+0x112
#16 0xc09675d4 at fork_trampoline+0x8
And:
(kgdb) list *(0xc075e3a0)
0xc075e3a0 is in m_freem (mbuf.h:604).
599 }
600
601 static __inline struct mbuf *
602 m_free(struct mbuf *m)
603 {
604 struct mbuf *n = m->m_next;
605
606 if (m->m_flags & M_EXT)
607 mb_free_ext(m);
608 else if ((m->m_flags & M_NOFREE) == 0)
>How-To-Repeat:
* create an AP and STA, with pre-11n NICs (AR5212, AR5413 in this instance)
* run iperf from STA -> AP
* in another window on the STA, bring the interface down (ifconfig wlan0 down)
The AP/STA have a good chance of panicing at this point.
>Fix:
This bit of code in sys/net80211/ieee80211_superg.c:ieee80211_ff_node_cleanup() is suspect:
for (m = head; m != NULL; m = m->m_nextpkt) {
m_freem(m);
ieee80211_free_node(ni);
}
once m_freem() is called, m->m_nextpkt is going to be overwritten. In debug builds, this means m_nextpkt may be 0xdeadc0de, leading to this crash.
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201212080932.qB89W0h5054087>