`hostapd` segfault
Describe the bug
I'm trying to host an AP using the built-in WiFi chip (Broadcom BCM2712 if I'm not mistaken), however, hostapd segfaults from time to time.
I've built the latest hostapd version (2.11 at the time of filing this issue) from source, but that didn't resolve the issue.
Steps to reproduce the behaviour
- Install hostapd or build it from source
- Set it up in AP mode (sample config here)
- Connect to the AP using your phone or any other device.
- Wait or connect/disconnect a few times.
hostapd.service: Main process exited, code=killed, status=11/SEGV
Device(s)
Raspberry Pi 5
System
Raspberry Pi reference 2024-03-15
Generated using pi-gen, https://github.com/RPi-Distro/pi-gen, f19ee211ddafcae300827f953d143de92a5c6624, stage2
2025/05/08 15:13:17
Copyright (c) 2012 Broadcom
version 69471177 (release) (embedded)
Linux 2f6621fd717d65e9 6.12.25+rpt-rpi-2712 #1 SMP PREEMPT Debian 1:6.12.25-1+rpt1 (2025-04-30) aarch64 GNU/Linux
Logs
Jun 06 13:29:59 2f6621fd717d65e9 kernel: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
Jun 06 13:29:59 2f6621fd717d65e9 kernel: Mem abort info:
Jun 06 13:30:00 2f6621fd717d65e9 kernel: ESR = 0x0000000096000005
Jun 06 13:30:00 2f6621fd717d65e9 kernel: EC = 0x25: DABT (current EL), IL = 32 bits
Jun 06 13:30:00 2f6621fd717d65e9 kernel: SET = 0, FnV = 0
Jun 06 13:30:00 2f6621fd717d65e9 kernel: EA = 0, S1PTW = 0
Jun 06 13:30:00 2f6621fd717d65e9 kernel: FSC = 0x05: level 1 translation fault
Jun 06 13:30:00 2f6621fd717d65e9 kernel: Data abort info:
Jun 06 13:30:00 2f6621fd717d65e9 kernel: ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
Jun 06 13:30:00 2f6621fd717d65e9 kernel: CM = 0, WnR = 0, TnD = 0, TagAccess = 0
Jun 06 13:30:00 2f6621fd717d65e9 kernel: GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
Jun 06 13:30:00 2f6621fd717d65e9 kernel: user pgtable: 16k pages, 47-bit VAs, pgdp=00000001c0780000
Jun 06 13:30:00 2f6621fd717d65e9 kernel: [0000000000000000] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000
Jun 06 13:30:00 2f6621fd717d65e9 kernel: Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
Jun 06 13:30:00 2f6621fd717d65e9 kernel: Modules linked in: aes_ce_ccm mt76x2u mt76x2_common mt76x02_usb mt76_usb mt76x02_lib mt76 mac80211 libarc4 algif_hash algif_skcipher af_alg bnep binfmt_misc vc4 sr_mod cdrom brcmfmac_wcc sg snd_soc_hdmi_codec drm_display_helper hci_uart cec aes_ce_blk joydev aes_ce_cipher btbcm drm_dma_helper ghash_ce gf128mul bluetooth brcmfmac snd_soc_core cdc_acm rpi_hevc_dec sha2_ce pisp_be brcmutil sha256_arm64 snd_compress sha1_ce snd_pcm_dmaengine v4l2_mem2mem cfg80211 snd_pcm videobuf2_dma_contig ecdh_generic videobuf2_memops ecc snd_timer videobuf2_v4l2 sha1_generic rfkill videodev libaes snd raspberrypi_hwmon v3d videobuf2_common mc gpu_sched drm_shmem_helper rp1_pio drm_kms_helper pwm_fan rp1 raspberrypi_gpiomem rp1_mailbox rp1_adc nvmem_rmem uio_pdrv_genirq uio fuse drm drm_panel_orientation_quirks backlight dm_mod ip_tables x_tables ipv6 hid_logitech_hidpp hid_logitech_dj spidev i2c_brcmstb spi_bcm2835 gpio_keys
Jun 06 13:30:00 2f6621fd717d65e9 kernel: CPU: 0 UID: 0 PID: 2979 Comm: hostapd Not tainted 6.12.25+rpt-rpi-2712 #1 Debian 1:6.12.25-1+rpt1
Jun 06 13:30:00 2f6621fd717d65e9 kernel: Hardware name: Raspberry Pi 5 Model B Rev 1.0 (DT)
Jun 06 13:30:00 2f6621fd717d65e9 kernel: pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
Jun 06 13:30:00 2f6621fd717d65e9 kernel: pc : brcmf_p2p_send_action_frame+0x23c/0xc58 [brcmfmac]
Jun 06 13:30:00 2f6621fd717d65e9 kernel: lr : brcmf_p2p_send_action_frame+0x200/0xc58 [brcmfmac]
Jun 06 13:30:00 2f6621fd717d65e9 kernel: sp : ffffc000871a35e0
Jun 06 13:30:00 2f6621fd717d65e9 kernel: x29: ffffc000871a35e0 x28: 0000000000000000 x27: ffff8001006b68f0
Jun 06 13:30:00 2f6621fd717d65e9 kernel: x26: ffff800140ec08c0 x25: ffffd06fbdcd5eb0 x24: ffff8001006b6800
Jun 06 13:30:00 2f6621fd717d65e9 kernel: x23: 0000000000000000 x22: ffff8001c087f800 x21: ffff8001c087f810
Jun 06 13:30:00 2f6621fd717d65e9 kernel: x20: ffff8001006b6810 x19: ffff8001006b6818 x18: 0000000000000000
Jun 06 13:30:00 2f6621fd717d65e9 kernel: x17: 0000000000000000 x16: ffffd06fce566d38 x15: 000055566c6899d0
Jun 06 13:30:00 2f6621fd717d65e9 kernel: x14: 0000a5c53067cf2c x13: 000001050004007f x12: 026c00000000ab0b
Jun 06 13:30:00 2f6621fd717d65e9 kernel: x11: 00000000000000d0 x10: 0000000000001a40 x9 : ffffd06fbdc5e000
Jun 06 13:30:00 2f6621fd717d65e9 kernel: x8 : ffff8000036b8c00 x7 : 0000000000000000 x6 : ffffc000871a3588
Jun 06 13:30:00 2f6621fd717d65e9 kernel: x5 : ffffc000871a35b0 x4 : 00000000ffffffd8 x3 : 0000000000000724
Jun 06 13:30:00 2f6621fd717d65e9 kernel: x2 : ffff8001c087f800 x1 : ffffd06fbdce0820 x0 : 0000000000000000
Jun 06 13:30:00 2f6621fd717d65e9 kernel: Call trace:
Jun 06 13:30:00 2f6621fd717d65e9 kernel: brcmf_p2p_send_action_frame+0x23c/0xc58 [brcmfmac]
Jun 06 13:30:00 2f6621fd717d65e9 kernel: brcmf_cfg80211_mgmt_tx+0x300/0x5b8 [brcmfmac]
Jun 06 13:30:00 2f6621fd717d65e9 kernel: cfg80211_mlme_mgmt_tx+0x1a8/0x418 [cfg80211]
Jun 06 13:30:00 2f6621fd717d65e9 kernel: nl80211_tx_mgmt+0x234/0x388 [cfg80211]
Jun 06 13:30:00 2f6621fd717d65e9 kernel: genl_family_rcv_msg_doit+0xdc/0x150
Jun 06 13:30:00 2f6621fd717d65e9 kernel: genl_rcv_msg+0x218/0x298
Jun 06 13:30:00 2f6621fd717d65e9 kernel: netlink_rcv_skb+0x64/0x138
Jun 06 13:30:00 2f6621fd717d65e9 kernel: genl_rcv+0x40/0x60
Jun 06 13:30:00 2f6621fd717d65e9 kernel: netlink_unicast+0x314/0x380
Jun 06 13:30:00 2f6621fd717d65e9 kernel: netlink_sendmsg+0x198/0x3f0
Jun 06 13:30:00 2f6621fd717d65e9 kernel: __sock_sendmsg+0x64/0xc0
Jun 06 13:30:00 2f6621fd717d65e9 kernel: ____sys_sendmsg+0x25c/0x298
Jun 06 13:30:00 2f6621fd717d65e9 kernel: ___sys_sendmsg+0xb4/0x110
Jun 06 13:30:00 2f6621fd717d65e9 kernel: __sys_sendmsg+0x8c/0xf0
Jun 06 13:30:00 2f6621fd717d65e9 kernel: __arm64_sys_sendmsg+0x2c/0x40
Jun 06 13:30:00 2f6621fd717d65e9 kernel: invoke_syscall+0x50/0x120
Jun 06 13:30:00 2f6621fd717d65e9 kernel: el0_svc_common.constprop.0+0x48/0xf0
Jun 06 13:30:00 2f6621fd717d65e9 kernel: do_el0_svc+0x24/0x38
Jun 06 13:30:00 2f6621fd717d65e9 kernel: el0_svc+0x30/0xd0
Jun 06 13:30:00 2f6621fd717d65e9 kernel: el0t_64_sync_handler+0x100/0x130
Jun 06 13:30:00 2f6621fd717d65e9 kernel: el0t_64_sync+0x190/0x198
Jun 06 13:30:00 2f6621fd717d65e9 kernel: Code: f9401e80 aa1603e2 f9403be1 5280e483 (f9400000)
Jun 06 13:30:00 2f6621fd717d65e9 kernel: ---[ end trace 0000000000000000 ]---
Jun 06 13:30:00 2f6621fd717d65e9 systemd[1]: hostapd.service: Main process exited, code=killed, status=11/SEGV
Jun 06 13:30:00 2f6621fd717d65e9 systemd[1]: hostapd.service: Failed with result 'signal'.
Additional context
The log above is showing the trace w/ driver=nl80211 defined in hostapd.conf.
Without it the logs are less verbose, see below:
Jun 06 13:45:09 2f6621fd717d65e9 systemd[1]: hostapd.service: Main process exited, code=killed, status=11/SEGV
Jun 06 13:45:09 2f6621fd717d65e9 systemd[1]: hostapd.service: Failed with result 'signal'.
Jun 06 13:45:11 2f6621fd717d65e9 systemd[1]: hostapd.service: Scheduled restart job, restart counter is at 1.
Jun 06 13:45:11 2f6621fd717d65e9 systemd[1]: Stopped hostapd.service - Access point and authentication server for Wi-Fi and Ethernet.
Jun 06 13:45:12 2f6621fd717d65e9 systemd[1]: Starting hostapd.service - Access point and authentication server for Wi-Fi and Ethernet...
Jun 06 13:46:42 2f6621fd717d65e9 systemd[1]: hostapd.service: start operation timed out. Terminating.
One workaround is to replace Raspberry Pi OS (formerly Raspbian) w/ the latest Arch Linux ARM.
I am also experiencing this.
Kernel
I believe it's the broadcom driver at fault, possibly introduced in 1131db71ef9af6d551f60c219b2516b576e851cd.
I ran a trace on the kernel and found the null pointer dereference occurs here (vif->ifp)
https://github.com/raspberrypi/linux/blob/317477113b20b2aebbe39f0132a431dc5e38c2f1/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c#L1566
Adding a check for the null pointer prevents the crash, and allows debugging / finding a workaround in user space.
hostapd
The crash occurs when hostapd attempts to send certain management frames. By running hostapd -dd /etc/hostapd/hostapd.conf, these seem to be in response to hotspot2.0 related frames.
I don't know enough about the relevant protocols, but perhaps it's expected that p2p frames are used in this context. Unfortunately, the broadcom driver expects certain structs to be available when using p2p, and this is not the case when it attempts sending.
Workaround
I used the source for hostapd 2.11 available from https://w1.fi/hostapd/. I compiled it without support for hotspot20, and without support for interworking - enabling either of these features results in the same set of calls and error. This may also be a bug in hostapd, but their bug tracker isn't somewhere I can find it.
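To check a journal export for the crash signature discussed in this thread, the following added example (not code from hostapd, the kernel, or any poster) parses both the arm64 and the 32-bit ARM oops layouts and reports whether the NULL dereference was reached from user space through `nl80211_tx_mgmt`. The sample lines are abbreviated from the logs quoted on this page with shortened hostnames; the `Oops` class and `parse_oopses` function are names made up for this illustration.

```python
import re
from dataclasses import dataclass, field

# Sample input: lines abbreviated from the two oopses quoted in this thread
# (arm64 first, then 32-bit ARM); hostnames shortened for readability.
SAMPLE_LOG = """\
Jun 06 13:29:59 pi5 kernel: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
Jun 06 13:30:00 pi5 kernel: CPU: 0 UID: 0 PID: 2979 Comm: hostapd Not tainted 6.12.25+rpt-rpi-2712 #1 Debian 1:6.12.25-1+rpt1
Jun 06 13:30:00 pi5 kernel: pc : brcmf_p2p_send_action_frame+0x23c/0xc58 [brcmfmac]
Jun 06 13:30:00 pi5 kernel: Call trace:
Jun 06 13:30:00 pi5 kernel:  brcmf_p2p_send_action_frame+0x23c/0xc58 [brcmfmac]
Jun 06 13:30:00 pi5 kernel:  brcmf_cfg80211_mgmt_tx+0x300/0x5b8 [brcmfmac]
Jun 06 13:30:00 pi5 kernel:  nl80211_tx_mgmt+0x234/0x388 [cfg80211]
Jun 06 13:30:00 pi5 kernel:  __arm64_sys_sendmsg+0x2c/0x40
Jun 06 13:30:00 pi5 kernel: ---[ end trace 0000000000000000 ]---
Jun 06 13:30:00 pi5 systemd[1]: hostapd.service: Main process exited, code=killed, status=11/SEGV
Aug 19 17:50:54 rpi4 kernel: [10236.727526] Unable to handle kernel NULL pointer dereference at virtual address 00000000
Aug 19 17:50:54 rpi4 kernel: [10236.728317] CPU: 2 PID: 561 Comm: hostapd Tainted: G C 5.10.92-v7l+ #1514
Aug 19 17:50:54 rpi4 kernel: [10236.728467] PC is at brcmf_p2p_send_action_frame+0x288/0xa60 [brcmfmac]
Aug 19 17:50:54 rpi4 kernel: [10236.729717] [<bf50ed0c>] (brcmf_p2p_send_action_frame [brcmfmac]) from [<bf5049d8>] (brcmf_cfg80211_mgmt_tx+0x184/0x2e4 [brcmfmac])
Aug 19 17:50:54 rpi4 kernel: [10236.730348] [<bf47a5f0>] (cfg80211_mlme_mgmt_tx [cfg80211]) from [<bf470d84>] (nl80211_tx_mgmt+0x23c/0x36c [cfg80211])
Aug 19 17:50:54 rpi4 kernel: [10236.730969] [<c09faf90>] (sys_sendmsg) from [<c0200040>] (ret_fast_syscall+0x0/0x28)
Aug 19 17:50:54 rpi4 kernel: [10236.731072] ---[ end trace 1a814376399b2adf ]---
"""

PREFIX = re.compile(r"^\w{3} +\d+ [\d:]+ (\S+) ([^\s:\[]+)(?:\[\d+\])?: (.*)$")
KTIME = re.compile(r"^\[\s*\d+\.\d+\]\s*")  # optional "[10236.727526]" stamp
START = re.compile(r"kernel NULL pointer dereference at virtual address ([0-9a-f]+)")
TASK = re.compile(r"\bPID: (\d+) Comm: (\S+)")
PC = re.compile(r"^(?:pc\s*:\s*|PC is at )([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\w+)\])?")
F64 = re.compile(r"^([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[\w+\])?$")
F32 = re.compile(r"^\[<[0-9a-f]+>\] \(([\w.]+)[^)]*\) from \[<[0-9a-f]+>\] \(([\w.]+)")
SEGV = re.compile(r"^(\S+\.service): Main process exited, code=killed, status=11/SEGV")


@dataclass
class Oops:
    host: str
    fault_addr: int
    pid: int = -1
    comm: str = ""
    fault_func: str = ""
    module: str = ""
    frames: list = field(default_factory=list)
    killed_unit: str = ""  # systemd unit on the same host killed with SIGSEGV

    @property
    def via_nl80211(self):
        # True when a user-space netlink request led into the faulting driver code.
        return "nl80211_tx_mgmt" in self.frames


def parse_oopses(text):
    done, cur, killed = [], None, set()
    for line in text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue
        host, tag, msg = m.groups()
        if tag == "systemd":
            if (s := SEGV.match(msg)):
                killed.add((host, s[1]))
            continue
        if tag != "kernel":
            continue
        msg = KTIME.sub("", msg).strip()
        if (s := START.search(msg)):
            if cur:  # previous record had no end marker (truncated log)
                done.append(cur)
            cur = Oops(host=host, fault_addr=int(s[1], 16))
        elif cur is None:
            continue
        elif (t := TASK.search(msg)):
            cur.pid, cur.comm = int(t[1]), t[2]
        elif (p := PC.match(msg)):
            cur.fault_func, cur.module = p[1], p[2] or ""
        elif (f := F64.match(msg) or F32.match(msg)):
            # The 32-bit layout names callee and caller on one line; keep both, deduplicated.
            cur.frames += [fn for fn in f.groups() if fn and fn not in cur.frames]
        elif msg.startswith("---[ end trace"):
            done.append(cur)
            cur = None
    if cur:
        done.append(cur)
    for o in done:
        if (o.host, o.comm + ".service") in killed:
            o.killed_unit = o.comm + ".service"
    return done


if __name__ == "__main__":
    for o in parse_oopses(SAMPLE_LOG):
        print(f"{o.host}: {o.comm}[{o.pid}] NULL deref at {o.fault_addr:#x} in "
              f"{o.fault_func} [{o.module}] via_nl80211={o.via_nl80211} "
              f"killed_unit={o.killed_unit or '-'}")
```

On a live system the same function can be fed the text of `journalctl -k -o short` plus the `hostapd.service` unit log.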
This workaround is not working on Raspberry Pi 3B+. Is there anything planned so far to solve this issue?
I faced the same issue with the same status=11/SEGV error, and in my case, it turned out to be caused by a misconfiguration in the hostapd config file (/etc/hostapd/hostapd.conf).
It’s worth double-checking the configuration and trying to run hostapd with a minimal setup (e.g., just interface, ssid, channel, driver, and hw_mode) with the correct values to see if the error still occurs. Simplifying the config helped me identify the problematic directive.
@rgf2004 So what was this problematic directive in your case?
"Same" problem with same use case: start AP > connect with device > disconnect > segfault.
I am running a PI4 bullseye and hostapd v2.9.
After the error occurred, the system keeps looping and trying to restart hostapd, stacking hostapd instance PIDs but unable to kill them at each restart attempt.
uname -a
Linux 5.10.92-v7l+ #1514 SMP Mon Jan 17 17:38:03 GMT 2022 armv7l GNU/Linux
hostapd -ddd /etc/hostapd/hostapd.conf
hostapd -ddd /etc/hostapd/hostapd.conf
random: getrandom() support available
Configuration file: /etc/hostapd/hostapd.conf
nl80211: Using driver-based roaming
nl80211: TDLS supported
nl80211: Supported cipher 00-0f-ac:1
nl80211: Supported cipher 00-0f-ac:5
nl80211: Supported cipher 00-0f-ac:2
nl80211: Supported cipher 00-0f-ac:4
nl80211: Supported cipher 00-0f-ac:6
nl80211: Using driver-based off-channel TX
nl80211: Supported vendor command: vendor_id=0x1018 subcmd=1
nl80211: Use separate P2P group interface (driver advertised support)
nl80211: Enable multi-channel concurrent (driver advertised support)
nl80211: use P2P_DEVICE support
nl80211: interface wlan0 in phy phy0
nl80211: Set mode ifindex 3 iftype 3 (AP)
nl80211: Failed to set interface 3 to mode 3: -1 (Operation not permitted)
nl80211: Setup AP(wlan0) - device_ap_sme=1 use_monitor=0
nl80211: Subscribe to mgmt frames with AP handle 0x16c0010 (device SME)
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x16c0010 match=04
nl80211: Register frame command failed (type=208): ret=-1 (Operation not permitted)
nl80211: Register frame match - hexdump(len=1): 04
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x16c0010 match=0501
nl80211: Register frame command failed (type=208): ret=-1 (Operation not permitted)
nl80211: Register frame match - hexdump(len=2): 05 01
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x16c0010 match=0503
nl80211: Register frame command failed (type=208): ret=-1 (Operation not permitted)
nl80211: Register frame match - hexdump(len=2): 05 03
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x16c0010 match=0504
nl80211: Register frame command failed (type=208): ret=-1 (Operation not permitted)
nl80211: Register frame match - hexdump(len=2): 05 04
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x16c0010 match=06
nl80211: Register frame command failed (type=208): ret=-1 (Operation not permitted)
nl80211: Register frame match - hexdump(len=1): 06
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x16c0010 match=08
nl80211: Register frame command failed (type=208): ret=-1 (Operation not permitted)
nl80211: Register frame match - hexdump(len=1): 08
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x16c0010 match=09
nl80211: Register frame command failed (type=208): ret=-1 (Operation not permitted)
nl80211: Register frame match - hexdump(len=1): 09
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x16c0010 match=0a
nl80211: Register frame command failed (type=208): ret=-1 (Operation not permitted)
nl80211: Register frame match - hexdump(len=1): 0a
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x16c0010 match=11
nl80211: Register frame command failed (type=208): ret=-1 (Operation not permitted)
nl80211: Register frame match - hexdump(len=1): 11
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x16c0010 match=12
nl80211: Register frame command failed (type=208): ret=-1 (Operation not permitted)
nl80211: Register frame match - hexdump(len=1): 12
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x16c0010 match=7f
nl80211: Register frame command failed (type=208): ret=-1 (Operation not permitted)
nl80211: Register frame match - hexdump(len=1): 7f
nl80211: Failed to subscribe for mgmt frames from SME driver - trying to run without it
nl80211: Enable Probe Request reporting nl_preq=0x16bb688
nl80211: Register frame type=0x40 (WLAN_FC_STYPE_PROBE_REQ) nl_handle=0x16bb688 match=
nl80211: Register frame command failed (type=64): ret=-1 (Operation not permitted)
nl80211: Register frame match - hexdump(len=0): [NULL]
nl80211: Failed to enable Probe Request frame reporting in AP mode
rfkill: initial event: idx=0 type=1 op=0 soft=0 hard=0
nl80211: deinit ifname=wlan0 disabled_11b_rates=0
nl80211: Remove monitor interface: refcount=0
nl80211: Remove beacon (ifindex=3)
netlink: Operstate: ifindex=3 linkmode=0 (kernel-control), operstate=6 (IF_OPER_UP)
nl80211 driver initialization failed.
hostapd_interface_deinit_free(0x16b9050)
hostapd_interface_deinit_free: num_bss=1 conf->num_bss=1
hostapd_interface_deinit(0x16b9050)
wlan0: interface state UNINITIALIZED->DISABLED
hostapd_bss_deinit: deinit bss wlan0
wlan0: AP-DISABLED
hostapd_cleanup(hapd=0x16b9ec8 (wlan0))
wlan0: CTRL-EVENT-TERMINATING
hostapd_free_hapd_data: Interface wlan0 wasn't started
hostapd_interface_deinit_free: driver=(nil) drv_priv=(nil) -> hapd_deinit
hostapd_interface_free(0x16b9050)
hostapd_interface_free: free hapd 0x16b9ec8
hostapd_cleanup_iface(0x16b9050)
hostapd_cleanup_iface_partial(0x16b9050)
hostapd_cleanup_iface: free iface=0x16b9050
LOGS
Aug 19 17:50:54 rpi4 systemd[1]: hostapd.service: Main process exited, code=killed, status=11/SEGV
Aug 19 17:50:54 rpi4 systemd[1]: hostapd.service: Failed with result 'signal'.
Aug 19 17:50:54 rpi4 kernel: [10236.727494] 8<--- cut here ---
Aug 19 17:50:54 rpi4 kernel: [10236.727526] Unable to handle kernel NULL pointer dereference at virtual address 00000000
Aug 19 17:50:54 rpi4 kernel: [10236.727551] pgd = 824d1b13
Aug 19 17:50:54 rpi4 kernel: [10236.727574] [00000000] *pgd=03dd4003, *pmd=7fc82003
Aug 19 17:50:54 rpi4 kernel: [10236.727627] Internal error: Oops: 207 [#1] SMP ARM
Aug 19 17:50:54 rpi4 kernel: [10236.727642] Modules linked in: tun rfcomm cmac algif_hash aes_arm_bs crypto_simd cryptd algif_skcipher af_alg bnep hci_uart btbcm bluetooth ecdh_generic ecc rtc_ds1307 regmap_i2c 8021q garp stp llc snd_soc_hdmi_codec brcmfmac brcmutil cfg80211 v3d gpu_sched rfkill raspberrypi_hwmon i2c_brcmstb i2c_bcm2835 snd_bcm2835(C) bcm2835_codec(C) v4l2_mem2mem bcm2835_isp(C) bcm2835_v4l2(C) videobuf2_dma_contig bcm2835_mmal_vchiq(C) videobuf2_vmalloc videobuf2_memops vc_sm_cma(C) videobuf2_v4l2 videobuf2_common videodev vc4 mc cec drm_kms_helper snd_soc_core snd_compress snd_pcm_dmaengine snd_pcm snd_timer snd rpivid_mem syscopyarea sysfillrect sysimgblt fb_sys_fops nvmem_rmem uio_pdrv_genirq uio nft_ct nft_masq nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink i2c_dev drm fuse drm_panel_orientation_quirks backlight ip_tables x_tables ipv6
Aug 19 17:50:54 rpi4 kernel: [10236.728317] CPU: 2 PID: 561 Comm: hostapd Tainted: G C 5.10.92-v7l+ #1514
Aug 19 17:50:54 rpi4 kernel: [10236.728331] Hardware name: BCM2711
Aug 19 17:50:54 rpi4 kernel: [10236.728467] PC is at brcmf_p2p_send_action_frame+0x288/0xa60 [brcmfmac]
Aug 19 17:50:54 rpi4 kernel: [10236.728585] LR is at brcmf_p2p_send_action_frame+0x270/0xa60 [brcmfmac]
Aug 19 17:50:54 rpi4 kernel: [10236.728600] pc : [<bf50ef94>] lr : [<bf50ef7c>] psr: 80000013
Aug 19 17:50:54 rpi4 kernel: [10236.728614] sp : c442fa88 ip : 00000000 fp : c442faec
Aug 19 17:50:54 rpi4 kernel: [10236.728628] r10: c3fa0500 r9 : 00000004 r8 : bf5296a8
Aug 19 17:50:54 rpi4 kernel: [10236.728642] r7 : 00000000 r6 : c36d800c r5 : c533a000 r4 : c36d8000
Aug 19 17:50:54 rpi4 kernel: [10236.728655] r3 : 00000000 r2 : c533a000 r1 : bf5304dc r0 : 00000000
Aug 19 17:50:54 rpi4 kernel: [10236.728672] Flags: Nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
Aug 19 17:50:54 rpi4 kernel: [10236.728687] Control: 30c5383d Table: 036b9340 DAC: 55555555
Aug 19 17:50:54 rpi4 kernel: [10236.728703] Process hostapd (pid: 561, stack limit = 0x4e95631f)
Aug 19 17:50:54 rpi4 kernel: [10236.728718] Stack: (0xc442fa88 to 0xc4430000)
Aug 19 17:50:54 rpi4 kernel: [10236.729489] Backtrace:
Aug 19 17:50:54 rpi4 kernel: [10236.729717] [<bf50ed0c>] (brcmf_p2p_send_action_frame [brcmfmac]) from [<bf5049d8>] (brcmf_cfg80211_mgmt_tx+0x184/0x2e4 [brcmfmac])
Aug 19 17:50:54 rpi4 kernel: [10236.729738] r10:00000000 r9:c36d8000 r8:c442fb80 r7:c5fa882c r6:c533a000 r5:00000011
Aug 19 17:50:54 rpi4 kernel: [10236.729752] r4:c1205048
Aug 19 17:50:54 rpi4 kernel: [10236.730021] [<bf504854>] (brcmf_cfg80211_mgmt_tx [brcmfmac]) from [<bf47a704>] (cfg80211_mlme_mgmt_tx+0x114/0x330 [cfg80211])
Aug 19 17:50:54 rpi4 kernel: [10236.730041] r10:c8214014 r9:c68fe300 r8:c442fb80 r7:c442fbac r6:c3fa0000 r5:c3fa01c0
Aug 19 17:50:54 rpi4 kernel: [10236.730055] r4:bf504854
Aug 19 17:50:54 rpi4 kernel: [10236.730348] [<bf47a5f0>] (cfg80211_mlme_mgmt_tx [cfg80211]) from [<bf470d84>] (nl80211_tx_mgmt+0x23c/0x36c [cfg80211])
Aug 19 17:50:54 rpi4 kernel: [10236.730366] r9:c68fe300 r8:00000000 r7:c30d4004 r6:c3fa0000 r5:c1205048 r4:c442fc54
Aug 19 17:50:54 rpi4 kernel: [10236.730523] [<bf470b48>] (nl80211_tx_mgmt [cfg80211]) from [<c0a834c0>] (genl_rcv_msg+0x1c0/0x370)
Aug 19 17:50:54 rpi4 kernel: [10236.730541] r10:c442fcb0 r9:c1321480 r8:c68fe0c0 r7:c533a800 r6:c1205048 r5:bf4b3110
Aug 19 17:50:54 rpi4 kernel: [10236.730554] r4:00000000
Aug 19 17:50:54 rpi4 kernel: [10236.730577] [<c0a83300>] (genl_rcv_msg) from [<c0a80d68>] (netlink_rcv_skb+0xc8/0x120)
Aug 19 17:50:54 rpi4 kernel: [10236.730595] r10:c1205048 r9:00000000 r8:00000058 r7:c5fa8800 r6:c0a83300 r5:c1205048
Aug 19 17:50:54 rpi4 kernel: [10236.730608] r4:c68fe0c0
Aug 19 17:50:54 rpi4 kernel: [10236.730628] [<c0a80ca0>] (netlink_rcv_skb) from [<c0a81630>] (genl_rcv+0x34/0x44)
Aug 19 17:50:54 rpi4 kernel: [10236.730645] r8:c419c584 r7:c68fe0c0 r6:00000058 r5:c68fe0c0 r4:c13280d4
Aug 19 17:50:54 rpi4 kernel: [10236.730665] [<c0a815fc>] (genl_rcv) from [<c0a803c4>] (netlink_unicast+0x1a8/0x258)
Aug 19 17:50:54 rpi4 kernel: [10236.730679] r5:c419c400 r4:c1a6c000
Aug 19 17:50:54 rpi4 kernel: [10236.730701] [<c0a8021c>] (netlink_unicast) from [<c0a80690>] (netlink_sendmsg+0x21c/0x4a4)
Aug 19 17:50:54 rpi4 kernel: [10236.730719] r10:00000000 r9:c419c400 r8:00000058 r7:c68fe0c0 r6:c1205048 r5:c442ff40
Aug 19 17:50:54 rpi4 kernel: [10236.730732] r4:00000008
Aug 19 17:50:54 rpi4 kernel: [10236.730755] [<c0a80474>] (netlink_sendmsg) from [<c09f897c>] (sock_sendmsg+0x44/0x54)
Aug 19 17:50:54 rpi4 kernel: [10236.730772] r10:c442fde4 r9:00000000 r8:c397ad00 r7:c1205048 r6:00000000 r5:c397ad00
Aug 19 17:50:54 rpi4 kernel: [10236.730785] r4:c442ff40
Aug 19 17:50:54 rpi4 kernel: [10236.730805] [<c09f8938>] (sock_sendmsg) from [<c09f8fc4>] (____sys_sendmsg+0x200/0x22c)
Aug 19 17:50:54 rpi4 kernel: [10236.730819] r5:00000000 r4:c442ff40
Aug 19 17:50:54 rpi4 kernel: [10236.730840] [<c09f8dc4>] (____sys_sendmsg) from [<c09fab14>] (___sys_sendmsg+0x7c/0xa8)
Aug 19 17:50:54 rpi4 kernel: [10236.730857] r10:00000128 r9:00000000 r8:00000000 r7:c397ad00 r6:00000000 r5:c442ff40
Aug 19 17:50:54 rpi4 kernel: [10236.730870] r4:c1205048
Aug 19 17:50:54 rpi4 kernel: [10236.730891] [<c09faa98>] (___sys_sendmsg) from [<c09faf54>] (__sys_sendmsg+0x60/0x9c)
Aug 19 17:50:54 rpi4 kernel: [10236.730908] r9:c442e000 r8:c0200204 r7:c397ad00 r6:00000000 r5:bef7bf30 r4:c1205048
Aug 19 17:50:54 rpi4 kernel: [10236.730930] [<c09faef4>] (__sys_sendmsg) from [<c09fafac>] (sys_sendmsg+0x1c/0x20)
Aug 19 17:50:54 rpi4 kernel: [10236.730946] r7:00000128 r6:014af4d8 r5:b6fee200 r4:00000004
Aug 19 17:50:54 rpi4 kernel: [10236.730969] [<c09faf90>] (sys_sendmsg) from [<c0200040>] (ret_fast_syscall+0x0/0x28)
Aug 19 17:50:54 rpi4 kernel: [10236.730983] Exception stack(0xc442ffa8 to 0xc442fff0)
Aug 19 17:50:54 rpi4 kernel: [10236.730999] ffa0: 00000004 b6fee200 00000004 bef7bf30 00000000 00000000
Aug 19 17:50:54 rpi4 kernel: [10236.731016] ffc0: 00000004 b6fee200 014af4d8 00000128 b6f96000 00000001 00000004 00000000
Aug 19 17:50:54 rpi4 kernel: [10236.731031] ffe0: b6f960d0 bef7bee8 b6b56594 b6b565b0
Aug 19 17:50:54 rpi4 kernel: [10236.731050] Code: e51b1040 e3530002 05943034 1594302c (e5930000)
Aug 19 17:50:54 rpi4 kernel: [10236.731072] ---[ end trace 1a814376399b2adf ]---
Same on raspberry pi 4. Adding these to hostapd.conf did the trick indeed:
interworking=0
hs20=0
@mathieuchateau which version of hostapd are you running on PI4 ? 2.9 or 2.11 ?
@wiill 2.10
Updating to the latest available brcm firmware solved the issue for me:
apt update
apt install firmware-brcm80211
Version that worked:
ii firmware-brcm80211 1:20240709-2~bpo12+1+rpt3 all Binary firmware for Broadcom/Cypress 802.11 wireless cards
thanks @earthquake, you almost made my day... ; )
which OS version ?
RPI 4 or 5 ?
On my side, after some apt update > upgrade > full-upgrade > install firmware-brcm80211, still in
1:20230210-5~bpo11+1+rpt2
uname -a
Linux 6.12.42-v8+ #1899 SMP PREEMPT Tue Aug 19 15:10:07 BST 2025 aarch64 GNU/Linux
cat /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 11 (bullseye)"
NAME="Raspbian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"
I'm still encountering the error, running on a RPI4
Message from syslogd@at Aug 25 09:45:59 ...
kernel:[ 212.137669] Internal error: Oops: 0000000096000007 [#1] PREEMPT SMP
Message from syslogd@at Aug 25 09:45:59 ...
kernel:[ 212.138941] Code: 7100081f 540018a0 f9401e80 aa1603e2 (f9400000)
To be fair, I've gone through multiple iterations based on this thread and potentially others. So a few parameters were added to the hostapd.conf. Furthermore I had a null pointer dereference in the kernel module, not the same issue as you have.
RPI5
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
$ uname -a
Linux xxx 6.6.74+rpt-rpi-2712 #1 SMP PREEMPT Debian 1:6.6.74-1+rpt1 (2025-01-27) aarch64 GNU/Linux
$ cat /etc/hostapd/hostapd.conf
interface=wlan0
driver=nl80211
ssid=XXXXX
hw_mode=g
channel=1
wmm_enabled=0
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=XXXX
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
rsn_pairwise=CCMP
interworking=0
hs20=0