On Fri, Apr 17, 2020 at 12:08:39PM +0200, Jan Stary wrote:
> This is current/i386 on an ALIX (dmesg below) with
>
> athn0 at pci0 dev 12 function 0 "Atheros AR9280" rev 0x01: irq 9
> athn0: AR9280 rev 2 (2T2R), ROM rev 22, address 04:f0:21:01:d6:86
>
> # cat hostname.athn0
> inet 192.168.33.1 255.255.255.0 NONE
> media autoselect mode 11g mediaopt hostap chan 2
> nwid stare.cz wpakey hovnoPrdel123
>
> After changing the password, or the channel, or the mode, and doing
>
> # sh /etc/netstart athn0
>
> the machine reproducibly panics (cereal script below).
>
> I have no idea why it panics in ieee80211_encrypt().
> It happens both with clients associated and not.
>
> Is this known with athn(4)?
> How can I help debug this?
>
> Jan
>
>
> ddb> show panic
> ieee80211_encrypt: key unset for sw crypto: 0
>
> ddb> trace
> db_enter() at db_enter+0x4
> panic(d0b83788) at panic+0xcc
> ieee80211_encrypt(d194e030,d195bc00,d194eb00) at ieee80211_encrypt+0x70
> ar5008_tx(d194e000,d195bc00,d19a0000,2) at ar5008_tx+0x9a
> ar5008_swba_intr(d194e000) at ar5008_swba_intr+0x238
> ar5008_intr(d194e000) at ar5008_intr+0x12f
> intr_handler(f3b1d67c,d1945480) at intr_handler+0x18
> Xintr_legacy9_untramp() at Xintr_legacy9_untramp+0xf7
> end of kernel
Are you using clients which use powersave mode, such as phones?

This trace goes through ar5008_swba_intr(). The only way to get into
ar5008_tx() from there is when group-addressed frames are queued on the
powersave queue of the AP (ic_bss->ni_savedq).

I cannot see this queue being purged anywhere when the interface goes down.
So it seems what happened is that a stale frame was sitting on this queue
and a fatal transmit attempt occurred when the interface came back up after
being re-configured.

Can you please try this diff?

The same panic and trace have also been reported to me by Ted Patterson.

diff ffca677e9e7ca9efd316fa2f2b6572b193c50cf8 /usr/src
blob - f6349c70279687b18ce89f670b732a62f3696271
file + sys/net80211/ieee80211_node.c
--- sys/net80211/ieee80211_node.c
+++ sys/net80211/ieee80211_node.c
@@ -1595,6 +1595,10 @@ ieee80211_node_cleanup(struct ieee80211com *ic, struct
 		free(ni->ni_unref_arg, M_DEVBUF, ni->ni_unref_arg_size);
 	ni->ni_unref_arg = NULL;
 	ni->ni_unref_arg_size = 0;
+
+#ifndef IEEE80211_STA_ONLY
+	mq_purge(&ni->ni_savedq);
+#endif
 }
 
 void
@@ -2047,7 +2051,7 @@ ieee80211_free_allnodes(struct ieee80211com *ic, int c
 	splx(s);
 
 	if (clear_ic_bss && ic->ic_bss != NULL)
-		ieee80211_node_cleanup(ic, ic->ic_bss);	/* for station mode */
+		ieee80211_node_cleanup(ic, ic->ic_bss);
 }
 
 void
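Review bot: the new mq_purge(&ni->ni_savedq) in ieee80211_node_cleanup() should carry a one-line comment saying why it is needed, namely that frames left on the powersave queue (for ic_bss, the AP's group-addressed queue) must not survive a down/up cycle, since ar5008_swba_intr() would otherwise hand such a stale frame to ieee80211_encrypt() before a key is set, which is exactly the "key unset for sw crypto" panic in the report. Something like `/* drop frames still queued for powersave delivery */` above the #ifndef would do. mq_purge() frees the mbufs itself, so nothing leaks, but the dropped frames are not counted anywhere; worth deciding whether that drop should be reflected in an output-drop counter.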
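Review bot: dropping the `/* for station mode */` qualifier is consistent with the first hunk now mattering for hostap mode too, but the purge of ic_bss->ni_savedq only runs when clear_ic_bss is nonzero; please confirm that the INIT transition taken on `sh /etc/netstart athn0` reaches ieee80211_free_allnodes() with clear_ic_bss set, otherwise the stale frame on the AP's queue survives precisely the reconfiguration the report describes. A replacement comment such as `/* also purges queued powersave frames in hostap mode */` would keep a later reader from wondering why the old qualifier went away.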