From owner-freebsd-bugs@FreeBSD.ORG  Sat Dec  8 09:40:00 2012
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@smarthost.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
 by hub.freebsd.org (Postfix) with ESMTP id C36FC522
 for <freebsd-bugs@smarthost.ysv.freebsd.org>;
 Sat,  8 Dec 2012 09:40:00 +0000 (UTC)
 (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
 [IPv6:2001:1900:2254:206c::16:87])
 by mx1.freebsd.org (Postfix) with ESMTP id 940738FC14
 for <freebsd-bugs@smarthost.ysv.freebsd.org>;
 Sat,  8 Dec 2012 09:40:00 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1])
 by freefall.freebsd.org (8.14.5/8.14.5) with ESMTP id qB89e0Ac005429
 for <freebsd-bugs@freefall.freebsd.org>; Sat, 8 Dec 2012 09:40:00 GMT
 (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
 by freefall.freebsd.org (8.14.5/8.14.5/Submit) id qB89e0Oc005428;
 Sat, 8 Dec 2012 09:40:00 GMT (envelope-from gnats)
Resent-Date: Sat, 8 Dec 2012 09:40:00 GMT
Resent-Message-Id: <201212080940.qB89e0Oc005428@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
 Adrian Chadd <adrian@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
 by hub.freebsd.org (Postfix) with ESMTP id 4241A390
 for <freebsd-gnats-submit@FreeBSD.org>; Sat,  8 Dec 2012 09:32:01 +0000 (UTC)
 (envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
 by mx1.freebsd.org (Postfix) with ESMTP id 0EEE28FC12
 for <freebsd-gnats-submit@FreeBSD.org>; Sat,  8 Dec 2012 09:32:01 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
 by red.freebsd.org (8.14.5/8.14.5) with ESMTP id qB89W0gn054088
 for <freebsd-gnats-submit@FreeBSD.org>; Sat, 8 Dec 2012 09:32:00 GMT
 (envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
 by red.freebsd.org (8.14.5/8.14.5/Submit) id qB89W0h5054087;
 Sat, 8 Dec 2012 09:32:00 GMT (envelope-from nobody)
Message-Id: <201212080932.qB89W0h5054087@red.freebsd.org>
Date: Sat, 8 Dec 2012 09:32:00 GMT
From: Adrian Chadd <adrian@FreeBSD.org>
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Subject: kern/174273: [net80211] taking down a net80211 node with active fast
 frames traffic causes a panic
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-bugs>,
 <mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
 <mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 08 Dec 2012 09:40:00 -0000


>Number:         174273
>Category:       kern
>Synopsis:       [net80211] taking down a net80211 node with active fast frames traffic causes a panic
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Dec 08 09:40:00 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Adrian Chadd
>Release:        10.0-CURRENT
>Organization:
>Environment:
>Description:
When doing active fast frames traffic, tearing down the session can cause a kernel panic.

The specifics:

Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 01
fault virtual address   = 0xdeadc0de
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc075e3a0
stack pointer           = 0x28:0xf65acaac
frame pointer           = 0x28:0xf65acabc
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 0 (ath0 net80211 taskq)
trap number             = 12
panic: page fault
cpuid = 1
KDB: stack backtrace:
#0 0xc072db3f at kdb_backtrace+0x4f
#1 0xc06f5cbf at panic+0x16f
#2 0xc097d643 at trap_fatal+0x323
#3 0xc097d6dd at trap_pfault+0x8d
#4 0xc097e895 at trap+0x4a5
#5 0xc096755c at calltrap+0x6
#6 0xcf0ef437 at ieee80211_ff_node_cleanup+0x177
#7 0xcf0ba5c0 at node_cleanup+0xd0
#8 0xcf472d51 at ath_node_cleanup+0xe1
#9 0xcf0ba050 at ieee80211_sta_leave+0x20
#10 0xcf0e6051 at sta_newstate+0x171
#11 0xcf476d00 at ath_newstate+0x370
#12 0xcf0ca3b4 at ieee80211_newstate_cb+0x1a4
#13 0xc073c3db at taskqueue_run_locked+0xeb
#14 0xc073ce37 at taskqueue_thread_loop+0x67
#15 0xc06c47e2 at fork_exit+0x112
#16 0xc09675d4 at fork_trampoline+0x8

And:

(kgdb) list *(0xc075e3a0)
0xc075e3a0 is in m_freem (mbuf.h:604).
599	}
600	
601	static __inline struct mbuf *
602	m_free(struct mbuf *m)
603	{
604		struct mbuf *n = m->m_next;
605	
606		if (m->m_flags & M_EXT)
607			mb_free_ext(m);
608		else if ((m->m_flags & M_NOFREE) == 0)

>How-To-Repeat:
* create an AP and STA, with pre-11n NICs (AR5212, AR5413 in this instance)
* run iperf from STA -> AP
* in another window on the STA, bring the interface down (ifconfig wlan0 down)

The AP/STA have a good chance of panicing at this point.
>Fix:
This bit of code in sys/net80211/ieee80211_superg.c:ieee80211_ff_node_cleanup() is suspect:

        for (m = head; m != NULL; m = m->m_nextpkt) {
                m_freem(m);
                ieee80211_free_node(ni);
        }

once m_freem() is called, m->m_nextpkt is going to be overwritten. In debug builds, this means m_nextpkt may be 0xdeadc0de, leading to this crash.


>Release-Note:
>Audit-Trail:
>Unformatted: