Kernel crash (NULL pointer dereference) in brcmfmac driver when hostapd is running #7033

@HsienChou

Description

Describe the bug

The hostapd service running on a Raspberry Pi 4 segfaults as a consequence of a kernel panic (a NULL pointer dereference in the brcmfmac Wi-Fi driver).
The crash occurs shortly after a Wi-Fi client (in this case, an iPhone) sends a specific action frame to the AP.

This issue can be triggered by a simple, non-malicious user action, highlighting a potential stability vulnerability in the driver.

Steps to reproduce the behaviour

  1. Set up a Wi-Fi Access Point (AP) on a Raspberry Pi 4 Model B running Raspberry Pi OS Bookworm using the hostapd service.
  2. Use an iPhone with iOS 18.6.1 or later to search for the Wi-Fi AP.
  3. Navigate to Settings > Wi-Fi list on the iPhone and tap the (i) icon next to the SSID provided by the Raspberry Pi. This action frequently triggers a kernel panic on the Raspberry Pi.

(Note: This behavior occurs regardless of whether the iPhone has previously paired with or is currently connected to the AP. The crash is triggered by the action of tapping the (i) icon from the iPhone.)

Device(s)

Raspberry Pi 4 Mod. B

System

Raspberry Pi 2024-05-09
Generated using pi-gen, https://github.com/RPi-Distro/pi-gen, f1c166a2833950a7c44fe19b01780723635a7aa3, stage2
Apr 17 2024 17:27:09
Copyright (c) 2012 Broadcom
version 86ccc427f35fdc604edc511881cdf579df945fb4 (clean) (release) (start)

The kernel version shown below (6.6.28) is the original one on which this crash could already be triggered.
The logs attached are the latest crash logs, captured after apt full-upgrade, so they show a newer kernel version (6.12.34).

Linux raspi 6.6.28+rpt-rpi-v7l #1 SMP Raspbian 1:6.6.28-1+rpt1 (2024-04-22) armv7l GNU/Linux
No LSB modules are available.
Distributor ID: Raspbian
Description:    Raspbian GNU/Linux 12 (bookworm)
Release:        12
Codename:       bookworm

Logs

The output logs below were captured from /var/syslog while hostapd ran with the -dd argument from the systemd service.

Message from syslogd@raspi at Sep  2 17:05:29 ...
 kernel:[  495.011671] Internal error: Oops: 0000000096000007 [#1] PREEMPT SMP

Message from syslogd@raspi at Sep  2 17:05:29 ...
 kernel:[  495.013524] Code: f9401e80 aa1603e2 f9403be1 5280e483 (f9400000)
Sep 02 17:05:29 raspi hostapd[1071]: nl80211: Event message available
Sep 02 17:05:29 raspi hostapd[1071]: nl80211: BSS Event 59 (NL80211_CMD_FRAME) received for wlan0
Sep 02 17:05:29 raspi hostapd[1071]: nl80211: MLME event 59 (NL80211_CMD_FRAME) on wlan0(dc:a6:32:7b:12:1c) A1=dc:a6:32:7b:12:1c A2=a6:ff:9a:d9:db:69
Sep 02 17:05:29 raspi hostapd[1071]: nl80211: MLME event frame - hexdump(len=60): d0 00 00 00 dc a6 32 7b 12 1c a6 ff 9a d9 db 69 dc a6 32 7b 12 1c 00 00 04 0a 94 6c 02 00 00 1b 00 00 01 08 00 0c 01 05 01 08 01 07 01 dd dd 07 00 50 6f 9a 11 01 00 03 00 00 00 00
Sep 02 17:05:29 raspi hostapd[1071]: nl80211: Frame event
Sep 02 17:05:29 raspi hostapd[1071]: nl80211: RX frame da=dc:a6:32:7b:12:1c sa=a6:ff:9a:d9:db:69 bssid=dc:a6:32:7b:12:1c freq=2462 ssi_signal=0 fc=0xd0 seq_ctrl=0x0 stype=13 (WLAN_FC_STYPE_ACTION) len=60
Sep 02 17:05:29 raspi hostapd[1071]: wlan0: Event RX_MGMT (18) received
Sep 02 17:05:29 raspi hostapd[1071]: mgmt::action
Sep 02 17:05:29 raspi hostapd[1071]: RX_ACTION category 4 action 10 sa a6:ff:9a:d9:db:69 da dc:a6:32:7b:12:1c len 60 freq 2462
Sep 02 17:05:29 raspi hostapd[1071]: wlan0: GAS: GAS Initial Request from a6:ff:9a:d9:db:69 (dialog token 148)
Sep 02 17:05:29 raspi hostapd[1071]: ANQP: 4 Info IDs requested in Query list
Sep 02 17:05:29 raspi hostapd[1071]: ANQP: Domain Name not available
Sep 02 17:05:29 raspi hostapd[1071]: ANQP: Roaming Consortium not available
Sep 02 17:05:29 raspi hostapd[1071]: ANQP: 3GPP Cellular Network not available
Sep 02 17:05:29 raspi hostapd[1071]: ANQP: NAI Realm not available
Sep 02 17:05:29 raspi hostapd[1071]: ANQP: HS 2.0 Query List
Sep 02 17:05:29 raspi hostapd[1071]: ANQP: Operator Friendly Name not available
Sep 02 17:05:29 raspi hostapd[1071]: ANQP: Unsupported Query Request element 0
Sep 02 17:05:29 raspi hostapd[1071]: ANQP: Locally generated ANQP responses - hexdump(len=4): 05 01 00 00
Sep 02 17:05:29 raspi hostapd[1071]: ANQP: Initial response (no comeback)
Sep 02 17:05:29 raspi hostapd[1071]: nl80211: Send Action frame (ifindex=3, freq=2462 MHz wait=0 ms no_cck=0 offchanok=0)
Sep 02 17:05:29 raspi hostapd[1071]: nl80211: send_mlme - da=a6:ff:9a:d9:db:69 noack=0 freq=2462 no_cck=0 offchanok=0 wait_time=0 no_encrypt=0 fc=0xd0 (WLAN_FC_STYPE_ACTION) nlmode=3
Sep 02 17:05:29 raspi hostapd[1071]: nl80211: send_mlme -> send_frame_cmd
Sep 02 17:05:29 raspi hostapd[1071]: nl80211: CMD_FRAME freq=2462 wait=0 no_cck=0 no_ack=0 offchanok=0
Sep 02 17:05:29 raspi hostapd[1071]: CMD_FRAME - hexdump(len=41): d0 00 00 00 a6 ff 9a d9 db 69 dc a6 32 7b 12 1c dc a6 32 7b 12 1c 00 00 04 0b 94 00 00 00 00 6c 02 7f 00 04 00 05 01 00 00
Sep 02 17:05:29 raspi kernel: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
Sep 02 17:05:29 raspi kernel: Mem abort info:
Sep 02 17:05:29 raspi kernel:   ESR = 0x0000000096000007
Sep 02 17:05:29 raspi kernel:   EC = 0x25: DABT (current EL), IL = 32 bits
Sep 02 17:05:29 raspi kernel:   SET = 0, FnV = 0
Sep 02 17:05:29 raspi kernel:   EA = 0, S1PTW = 0
Sep 02 17:05:29 raspi kernel:   FSC = 0x07: level 3 translation fault
Sep 02 17:05:29 raspi kernel: Data abort info:
Sep 02 17:05:29 raspi kernel:   ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000
Sep 02 17:05:29 raspi kernel:   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
Sep 02 17:05:29 raspi kernel:   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
Sep 02 17:05:29 raspi kernel: user pgtable: 4k pages, 39-bit VAs, pgdp=00000000423fd000
Sep 02 17:05:29 raspi kernel: [0000000000000000] pgd=080000004262e003, p4d=080000004262e003, pud=080000004262e003, pmd=080000004173e003, pte=0000000000000000
Sep 02 17:05:29 raspi kernel: Internal error: Oops: 0000000096000007 [#1] PREEMPT SMP
Sep 02 17:05:29 raspi kernel: Modules linked in: nft_chain_nat xt_MASQUERADE nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nft_compat nf_tables nfnetlink cmac algif_hash aes_arm64 aes_generic algif_skcipher af_alg bnep brcmfmac_wcc hci_uart btbcm brcmfmac bluetooth vc4 brcmutil binfmt_misc cfg80211 v3d snd_soc_hdmi_codec gpu_sched drm_display_helper rpi_hevc_dec cec drm_shmem_helper bcm2835_codec(C) bcm2835_v4l2(C) bcm2835_isp(C) raspberrypi_hwmon drm_dma_helper ecdh_generic drm_kms_helper bcm2835_mmal_vchiq(C) ecc vc_sm_cma(C) rfkill v4l2_mem2mem snd_soc_core videobuf2_vmalloc videobuf2_dma_contig libaes videobuf2_memops videobuf2_v4l2 videodev snd_bcm2835(C) snd_compress snd_pcm_dmaengine snd_pcm videobuf2_common raspberrypi_gpiomem snd_timer mc snd nvmem_rmem uio_pdrv_genirq uio drm fuse dm_mod drm_panel_orientation_quirks backlight ip_tables x_tables ipv6 i2c_brcmstb
Sep 02 17:05:29 raspi kernel: CPU: 1 UID: 0 PID: 1071 Comm: hostapd Tainted: G         C         6.12.34+rpt-rpi-v8 #1  Debian 1:6.12.34-1+rpt1~bookworm
Sep 02 17:05:29 raspi kernel: Tainted: [C]=CRAP
Sep 02 17:05:29 raspi kernel: Hardware name: Raspberry Pi 4 Model B Rev 1.2 (DT)
Sep 02 17:05:29 raspi kernel: pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
Sep 02 17:05:29 raspi kernel: pc : brcmf_p2p_send_action_frame+0x23c/0xc58 [brcmfmac]
Sep 02 17:05:29 raspi kernel: lr : brcmf_p2p_send_action_frame+0x200/0xc58 [brcmfmac]
Sep 02 17:05:29 raspi kernel: sp : ffffffc0819db5e0
Sep 02 17:05:29 raspi kernel: x29: ffffffc0819db5e0 x28: 0000000000000000 x27: ffffff8042b9b0f0
Sep 02 17:05:29 raspi kernel: x26: ffffff8042bfc8c0 x25: ffffffd6d5423eb0 x24: ffffff8042b9b000
Sep 02 17:05:29 raspi kernel: x23: 0000000000000000 x22: ffffff8048aa4800 x21: ffffff8048aa4810
Sep 02 17:05:29 raspi kernel: x20: ffffff8042b9b010 x19: ffffff8042b9b018 x18: 0000000000000000
Sep 02 17:05:29 raspi kernel: x17: 0000000000000000 x16: 0000000000000000 x15: 00000000f555c380
Sep 02 17:05:29 raspi kernel: x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
Sep 02 17:05:29 raspi kernel: x11: 0000000000000000 x10: 0000000000001a40 x9 : ffffffd6d5412000
Sep 02 17:05:29 raspi kernel: x8 : ffffff8042fbc200 x7 : 0000000000000000 x6 : ffffffc0819db578
Sep 02 17:05:29 raspi kernel: x5 : ffffffc0819db5b0 x4 : 00000000ffffffd8 x3 : 0000000000000724
Sep 02 17:05:29 raspi kernel: x2 : ffffff8048aa4800 x1 : ffffffd6d542e820 x0 : 0000000000000000
Sep 02 17:05:29 raspi kernel: Call trace:
Sep 02 17:05:29 raspi kernel:  brcmf_p2p_send_action_frame+0x23c/0xc58 [brcmfmac]
Sep 02 17:05:29 raspi kernel:  brcmf_cfg80211_mgmt_tx+0x304/0x5c0 [brcmfmac]
Sep 02 17:05:29 raspi kernel:  cfg80211_mlme_mgmt_tx+0x1a8/0x418 [cfg80211]
Sep 02 17:05:29 raspi kernel:  nl80211_tx_mgmt+0x238/0x388 [cfg80211]
Sep 02 17:05:29 raspi kernel:  genl_family_rcv_msg_doit+0xe0/0x158
Sep 02 17:05:29 raspi kernel:  genl_rcv_msg+0x220/0x2a0
Sep 02 17:05:29 raspi kernel:  netlink_rcv_skb+0x68/0x140
Sep 02 17:05:29 raspi kernel:  genl_rcv+0x40/0x60
Sep 02 17:05:29 raspi kernel:  netlink_unicast+0x320/0x388
Sep 02 17:05:29 raspi kernel:  netlink_sendmsg+0x19c/0x3f8
Sep 02 17:05:29 raspi kernel:  __sock_sendmsg+0x64/0xc0
Sep 02 17:05:29 raspi kernel:  ____sys_sendmsg+0x268/0x2a0
Sep 02 17:05:29 raspi kernel:  ___sys_sendmsg+0xb8/0x118
Sep 02 17:05:29 raspi kernel:  __sys_sendmsg+0x90/0xf8
Sep 02 17:05:29 raspi kernel:  __arm64_compat_sys_sendmsg+0x2c/0x40
Sep 02 17:05:29 raspi kernel:  invoke_syscall+0x50/0x120
Sep 02 17:05:29 raspi kernel:  el0_svc_common.constprop.0+0x48/0xf0
Sep 02 17:05:29 raspi kernel:  do_el0_svc_compat+0x24/0x48
Sep 02 17:05:29 raspi kernel:  el0_svc_compat+0x2c/0x80
Sep 02 17:05:29 raspi kernel:  el0t_32_sync_handler+0x98/0x140
Sep 02 17:05:29 raspi kernel:  el0t_32_sync+0x194/0x198
Sep 02 17:05:29 raspi kernel: Code: f9401e80 aa1603e2 f9403be1 5280e483 (f9400000)
Sep 02 17:05:29 raspi kernel: ---[ end trace 0000000000000000 ]---
Sep 02 17:05:29 raspi systemd[1]: hostapd.service: Main process exited, code=killed, status=11/SEGV
Sep 02 17:05:29 raspi systemd[1]: hostapd.service: Failed with result 'signal'.

Additional context

This behavior occurs regardless of whether the iPhone has previously paired with or is currently connected to the AP. I have observed the following:

  • The crash has been reproducible since early August, coinciding with the release of iOS 18.6.
  • iPhones running iOS 18.6.2 and iOS 18.6.1 consistently cause the crash.
  • iPhones running iOS 18.2.1 and iOS 17.6.1, and a Google Pixel 7 with Android 16, do not cause the crash.

The specific action frame is delivered to hostapd as nl80211 BSS Event 59 (NL80211_CMD_FRAME), received from the iPhone; per the log it is a GAS Initial Request (public action category 4, action 10) carrying an ANQP query list. The crash occurs when hostapd sends its GAS Initial Response and the brcmfmac driver attempts to transmit it via brcmf_p2p_send_action_frame.
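To make the log excerpt above easier to triage, here is a small decoder for the GAS/ANQP public action frames that hostapd -dd prints as hexdumps, plus a scan that pairs the last RX/TX frame with the kernel oops that follows it. This is an added example, not code from the issue, from hostapd or from the Raspberry Pi kernel tree; the sample log lines are copied from the syslog excerpt in this issue, and all function names (parse_gas_frame, parse_anqp_elements, find_frame_before_oops) are this example's own.

```python
# Added example: decode GAS Initial Request/Response frames from hostapd -dd
# hexdump lines and find the frame that preceded a kernel oops.
import re
from typing import Dict, List, Optional

HEXDUMP_RE = re.compile(r"hexdump\(len=(\d+)\): ([0-9a-f ]+)$")
PC_RE = re.compile(r"pc : (\S+)")

# ANQP Info IDs seen in the issue's log (IEEE 802.11 ANQP element table).
ANQP_INFO_ID_NAMES = {
    256: "Query List", 261: "Roaming Consortium", 263: "NAI Realm",
    264: "3GPP Cellular Network", 268: "Domain Name", 56797: "Vendor Specific",
}
GAS_ACTIONS = {10: "GAS Initial Request", 11: "GAS Initial Response"}
WFA_OUI = b"\x50\x6f\x9a"


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_anqp_elements(payload: bytes) -> List[Dict]:
    """Split an ANQP query/response list into (info_id, length, body) elements."""
    elems, pos = [], 0
    while pos + 4 <= len(payload):
        info_id = int.from_bytes(payload[pos:pos + 2], "little")
        length = int.from_bytes(payload[pos + 2:pos + 4], "little")
        body = payload[pos + 4:pos + 4 + length]
        if len(body) != length:      # truncated element: stop, never over-read
            break
        elem = {"info_id": info_id, "name": ANQP_INFO_ID_NAMES.get(info_id, "unknown"), "body": body}
        if info_id == 256:           # Query List: sequence of 16-bit Info IDs
            elem["requested_ids"] = [int.from_bytes(body[i:i + 2], "little") for i in range(0, len(body) - 1, 2)]
        elif info_id == 56797 and body[:3] == WFA_OUI and len(body) >= 6:
            # Hotspot 2.0 ANQP element: OUI, type 0x11, subtype, reserved, payload
            elem["hs20_subtype"] = body[4]
            elem["hs20_payload"] = list(body[6:])
        elems.append(elem)
        pos += 4 + length
    return elems


def parse_gas_frame(hexstr: str) -> Optional[Dict]:
    """Return the decoded GAS frame, or None if the bytes are not a GAS action frame."""
    frame = bytes.fromhex(hexstr)
    if len(frame) < 27:
        return None
    fc = frame[0]
    if (fc & 0x0C) != 0 or (fc >> 4) != 0x0D:      # management type, Action subtype
        return None
    body = frame[24:]
    category, action, token = body[0], body[1], body[2]
    if category != 4 or action not in GAS_ACTIONS:  # public action, GAS only
        return None
    info = {"da": mac(frame[4:10]), "sa": mac(frame[10:16]),
            "action": GAS_ACTIONS[action], "dialog_token": token}
    pos = 3
    if action == 11:                                # response carries status + comeback delay
        info["status"] = int.from_bytes(body[3:5], "little")
        info["comeback_delay"] = int.from_bytes(body[5:7], "little")
        pos = 7
    if pos + 2 > len(body) or body[pos] != 108:     # Advertisement Protocol element (ID 108)
        return None
    adv_len = body[pos + 1]
    info["adv_proto_id"] = body[pos + 1 + adv_len]  # last byte of the tuple: 0 = ANQP
    pos += 2 + adv_len
    qlen = int.from_bytes(body[pos:pos + 2], "little")
    info["elements"] = parse_anqp_elements(body[pos + 2:pos + 2 + qlen])
    return info


def find_frame_before_oops(lines: List[str]) -> Optional[Dict]:
    """Track the last RX and TX GAS frames; report them with the faulting pc once an oops appears."""
    last_rx = last_tx = None
    oops_seen = False
    for line in lines:
        m = HEXDUMP_RE.search(line.strip())
        if m and "MLME event frame" in line:
            last_rx = parse_gas_frame(m.group(2)) or last_rx
        elif m and "CMD_FRAME -" in line:
            last_tx = parse_gas_frame(m.group(2)) or last_tx
        elif "Unable to handle kernel NULL pointer dereference" in line:
            oops_seen = True
        elif oops_seen and (pc := PC_RE.search(line)):
            return {"rx": last_rx, "tx": last_tx, "pc": pc.group(1)}
    return None


# Sample lines copied from the issue's syslog excerpt (constructed subset).
SAMPLE_LOG = [
    "Sep 02 17:05:29 raspi hostapd[1071]: nl80211: MLME event frame - hexdump(len=60): d0 00 00 00 dc a6 32 7b 12 1c a6 ff 9a d9 db 69 dc a6 32 7b 12 1c 00 00 04 0a 94 6c 02 00 00 1b 00 00 01 08 00 0c 01 05 01 08 01 07 01 dd dd 07 00 50 6f 9a 11 01 00 03 00 00 00 00",
    "Sep 02 17:05:29 raspi hostapd[1071]: ANQP: Locally generated ANQP responses - hexdump(len=4): 05 01 00 00",
    "Sep 02 17:05:29 raspi hostapd[1071]: CMD_FRAME - hexdump(len=41): d0 00 00 00 a6 ff 9a d9 db 69 dc a6 32 7b 12 1c dc a6 32 7b 12 1c 00 00 04 0b 94 00 00 00 00 6c 02 7f 00 04 00 05 01 00 00",
    "Sep 02 17:05:29 raspi kernel: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000",
    "Sep 02 17:05:29 raspi kernel: pc : brcmf_p2p_send_action_frame+0x23c/0xc58 [brcmfmac]",
]

if __name__ == "__main__":
    print(find_frame_before_oops(SAMPLE_LOG))
```

Run against a full syslog, the scan reports the client MAC and dialog token of the GAS exchange that immediately preceded the oops, which is the evidence needed to confirm that a crash matches this report rather than some other brcmfmac fault.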

Network-related settings I used

  1. hostapd.conf
$ cat /usr/raspi/configs/hostapd/hostapd.conf
interface=wlan0
driver=nl80211

# Radio
ssid=NU-XXXXXX
hw_mode=g
wmm_enabled=1
channel=11

# Country
country_code=TW

# N
ieee80211n=1
ht_capab=[SHORT-GI-20][DSSS_CCK-40]

# WPA
auth_algs=1
wpa=2
wpa_passphrase=12345678
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
rsn_pairwise=CCMP

# Ctrl
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
  2. network interface
$ cat /etc/network/interfaces.d/wlan0
auto wlan0
iface wlan0 inet static
address 192.168.237.253
netmask 255.255.255.0
  3. dnsmasq
$ cat /etc/dnsmasq.d/raspi_dnsmasq.conf
interface=wlan0
dhcp-range=192.168.237.193,192.168.237.250,255.255.255.192,12h
no-hosts
address=/raspi/192.168.237.253
  4. iptables.rules
$ cat /usr/raspi/configs/iptables/iptables.rules
# Generated by iptables-save v1.4.21 on Wed Apr 13 10:28:51 2016
*nat
:PREROUTING ACCEPT [1:72]
:INPUT ACCEPT [1:72]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
[0:0] -A POSTROUTING -s 192.168.237.192/26 -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Apr 13 10:28:51 2016
  5. customized hostapd systemd service (to show more detailed logs from hostapd in syslog)
$ cat /etc/systemd/system/raspi_hostapd.service
[Unit]
Description=Enable Access Point
After=network.target dnsmasq.service

[Service]
Type=exec
WorkingDirectory=/usr/raspi/configs/
ExecStartPre=-/usr/bin/killall hostapd
ExecStartPre=/usr/sbin/sysctl -w net.ipv4.ip_forward=1
ExecStartPre=/bin/bash -c '/usr/sbin/iptables-restore < iptables/iptables.rules'
ExecStartPre=/usr/sbin/service dnsmasq restart
ExecStart=/usr/sbin/hostapd -dd hostapd/hostapd.conf
ExecReload=/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target
