Date: Mon, 13 Apr 2026 18:20:09 +0000 From: bugzilla-noreply@freebsd.org To: wireless@FreeBSD.org Subject: [Bug 294449] if_iwlwifi kernel panic: Page fault (0x10) in lkpi_iv_newstate during hardware error recovery on Intel 7260 Message-ID: <bug-294449-21060-7cNjvddNN5@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-294449-21060@https.bugs.freebsd.org/bugzilla/>
index | next in thread | previous in thread | raw e-mail
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=294449 Bjoern A. Zeeb <bz@FreeBSD.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|New |Open Blocks| |273620 --- Comment #1 from Bjoern A. Zeeb <bz@FreeBSD.org> --- This is indeed a NULL pointer dereference as a secondary issue after the FW crash. lkpi_sta_auth_to_scan(): logged lvif_bss being NULL, which we assign to lsta and dereference that for the ni later. On a debug kernel the KASSERT would fire. 2499 #ifdef LINUXKPI_DEBUG_80211 2500 /* XXX-BZ KASSERT later; state going down so no action. */ 2501 if (lvif->lvif_bss == NULL) 2502 ic_printf(vap->iv_ic, "%s:%d: lvif %p vap %p iv_bss %p lvif_bss %p " 2503 "lvif_bss->ni %p synched %d\n", __func__, __LINE__, 2504 lvif, vap, vap->iv_bss, lvif->lvif_bss, 2505 (lvif->lvif_bss != NULL) ? lvif->lvif_bss->ni : NULL, 2506 lvif->lvif_bss_synched); 2507 #endif 2508 2509 lsta = lvif->lvif_bss; 2510 LKPI_80211_LVIF_UNLOCK(lvif); 2511 KASSERT(lsta != NULL && lsta->ni != NULL, ("%s: lsta %p ni %p " 2512 "lvif %p vap %p\n", __func__, 2513 lsta, (lsta != NULL) ? lsta->ni : NULL, lvif, vap)); 2514 ni = lsta->ni; /* Reference held for lvif_bss. */ The real problem is the Firmware crash followed by the SW Reset (of the driver). Unfortunately the FW crash log is omitted in your report. Could you please share it as only that may tell us why the ADD_STA failed? Given the other warning this likely sounds like another issue with net80211 tech debt around state machine handling and throwing away an old node and association attempt but this is harder to say from the abbreviated log. I am a bit puzzled but the fact that we error in assoc->auth already but then still make it to auth->scan and crash there. I'll have to go and read the old state machine (which was re-worked after 15.0 and has changed in stable/15). But I am sure on error we would normally not continue even if it was a "compound" function like lkpi_sta_assoc_to_auth(). Let's start with the firmware crash. Also if you could try stable/15 (or main) (given this may be a VM?) that would be helpful to know if the error persists there. Referenced Bugs: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273620 [Bug 273620] iwlwifi meta-bug -- You are receiving this mail because: You are the assignee for the bug.home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-294449-21060-7cNjvddNN5>