Describe the bug
The `hostapd` service running on a Raspberry Pi 4 segfaults due to a kernel panic (a NULL pointer dereference in the `brcmfmac` Wi-Fi driver). The crash occurs shortly after a Wi-Fi client (in this case, an iPhone) sends a specific action frame including an ANQP query to the AP. This issue can be triggered by a simple, non-malicious user action, highlighting a potential stability vulnerability in the driver.
The logs below show:
- When my Pixel 7 actually types in the password and taps JOIN, the `NL80211_CMD_NEW_STATION` event starts and the AP handles the mobile device.
- When an iPhone with iOS 18.6.2 taps the (i) button of the SSID from the Pi AP, an `NL80211_CMD_FRAME` including ANQP is sent from the mobile device, and then the driver crashes.

That means you don't even need to know the password of the Wi-Fi from the Raspberry Pi hostapd; you just want to check the properties of this SSID and you crash the driver of that Raspberry Pi.
After the driver crash, I could not get the Raspberry Pi to reboot with a command.
The only thing I could do to make the system work again was to give it a power cycle.
Steps to reproduce the behaviour
- Set up a Wi-Fi Access Point (AP) on a Raspberry Pi 4 Model B running Raspberry Pi OS Bookworm using the `hostapd` service.
- Use an iPhone with iOS 18.6.1 or later to search for the Wi-Fi AP.
- Navigate to Settings > Wi-Fi list on the iPhone and tap the (i) icon next to the SSID provided by the Raspberry Pi. This action frequently triggers a kernel panic on the Raspberry Pi.

(Note: This behaviour occurs regardless of whether the iPhone has previously paired with or is currently connected to the AP. The crash is triggered by the action of tapping the (i) icon on the iPhone.)

Device(s)
Raspberry Pi 4 Mod. B
System
Raspberry Pi 2024-05-09
Generated using pi-gen, https://github.com/RPi-Distro/pi-gen, f1c166a2833950a7c44fe19b01780723635a7aa3, stage2
Apr 17 2024 17:27:09
Copyright (c) 2012 Broadcom
version 86ccc427f35fdc604edc511881cdf579df945fb4 (clean) (release) (start)
This is the original kernel version (6.6.28) that could already trigger this crash. The logs attached are the latest crash logs after `apt full-upgrade`, so the logs show a newer kernel version (6.12.34).
Linux raspi 6.6.28+rpt-rpi-v7l #1 SMP Raspbian 1:6.6.28-1+rpt1 (2024-04-22) armv7l GNU/Linux
No LSB modules are available.
Distributor ID: Raspbian
Description: Raspbian GNU/Linux 12 (bookworm)
Release: 12
Codename: bookworm
Logs
The output logs were taken from /var/syslog while `hostapd` ran with the `-dd` argument in the systemd service.
Sep 02 17:23:08 raspi hostapd[1149]: nl80211: Event message available
Sep 02 17:23:08 raspi hostapd[1149]: nl80211: Drv Event 19 (NL80211_CMD_NEW_STATION) received for wlan0
Sep 02 17:23:08 raspi hostapd[1149]: nl80211: New station 62:a7:67:fb:82:3e
Sep 02 17:23:08 raspi hostapd[1149]: nl80211: Assoc Req IEs - hexdump(len=143): 00 0b 4e 55 33 30 2d 58 58 58 58 58 58 01 08 82 84 8b 96 24 30 48 6c 32 04 0c 12 18 60 21 02 05 16 24 02 01 0d 30 14 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 02 0c 00 3b 15 51 86 85 84 83 81 80 7f 7e 7d 7c 7b 7a 79 78 77 76 75 74 73 51 2d 1a 2d 00 1b ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7f 0a 04 00 08 00 00 00 00 40 00 21 dd 0a 00 10 18 02 00 00 10 00 00 00 dd 07 00 50 f2 02 00 01 00
Sep 02 17:23:08 raspi hostapd[1149]: wlan0: Event ASSOC (0) received
Sep 02 17:23:08 raspi hostapd[1149]: wlan0: STA 62:a7:67:fb:82:3e IEEE 802.11: associated
Sep 02 17:23:08 raspi hostapd[1149]: STA included RSN IE in (Re)AssocReq
Sep 02 17:23:08 raspi hostapd[1149]: New STA
Sep 02 17:23:08 raspi hostapd[1149]: ap_sta_add: register ap_handle_timer timeout for 62:a7:67:fb:82:3e (300 seconds - ap_max_inactivity)
Sep 02 17:23:08 raspi hostapd[1149]: nl80211: Set STA flags - ifname=wlan0 addr=62:a7:67:fb:82:3e total_flags=0x60 flags_or=0x0 flags_and=0xfffffff1 authorized=0
Sep 02 17:23:08 raspi hostapd[1149]: wlan0: STA 62:a7:67:fb:82:3e WPA: event 1 notification
Sep 02 17:23:08 raspi hostapd[1149]: wpa_driver_nl80211_set_key: ifindex=3 (wlan0) alg=0 addr=0x4cede8 key_idx=0 set_tx=1 seq_len=0 key_len=0 key_flag=0x20
Sep 02 17:23:08 raspi hostapd[1149]: nl80211: DEL_KEY
Sep 02 17:23:08 raspi hostapd[1149]: addr=62:a7:67:fb:82:3e
Sep 02 17:23:08 raspi hostapd[1149]: pairwise key
Sep 02 17:23:08 raspi hostapd[1149]: nl80211: set_key failed; err=-22 Invalid argument
Sep 02 17:23:08 raspi hostapd[1149]: RSN: PTK removal from the driver failed
Sep 02 17:23:08 raspi hostapd[1149]: IEEE 802.1X: Ignore STA - 802.1X not enabled or forced for WPS
Sep 02 17:23:08 raspi hostapd[1149]: wlan0: STA 62:a7:67:fb:82:3e WPA: start authentication
Sep 02 17:23:08 raspi hostapd[1149]: WPA: 62:a7:67:fb:82:3e WPA_PTK entering state INITIALIZE
Sep 02 17:23:08 raspi hostapd[1149]: wpa_driver_nl80211_set_key: ifindex=3 (wlan0) alg=0 addr=0x4cede8 key_idx=0 set_tx=1 seq_len=0 key_len=0 key_flag=0x20
Sep 02 17:23:08 raspi hostapd[1149]: nl80211: DEL_KEY
Sep 02 17:23:08 raspi hostapd[1149]: addr=62:a7:67:fb:82:3e
Sep 02 17:23:08 raspi hostapd[1149]: pairwise key
Sep 02 17:23:08 raspi hostapd[1149]: nl80211: set_key failed; err=-22 Invalid argument
Sep 02 17:23:08 raspi hostapd[1149]: RSN: PTK removal from the driver failed
Sep 02 17:23:08 raspi hostapd[1149]: nl80211: Set STA flags - ifname=wlan0 addr=62:a7:67:fb:82:3e total_flags=0x60 flags_or=0x0 flags_and=0xfffffffe authorized=0
Sep 02 17:23:08 raspi hostapd[1149]: wlan0: STA 62:a7:67:fb:82:3e IEEE 802.11: associated
Sep 02 17:23:08 raspi hostapd[1149]: wlan0: STA 62:a7:67:fb:82:3e IEEE 802.1X: unauthorizing port
Sep 02 17:23:08 raspi hostapd[1149]: WPA: 62:a7:67:fb:82:3e WPA_PTK_GROUP entering state IDLE
Sep 02 17:23:08 raspi hostapd[1149]: WPA: 62:a7:67:fb:82:3e WPA_PTK entering state AUTHENTICATION
Sep 02 17:23:08 raspi hostapd[1149]: WPA: 62:a7:67:fb:82:3e WPA_PTK entering state AUTHENTICATION2
Sep 02 17:23:08 raspi hostapd[1149]: WPA: Re-initialize GMK/Counter on first station
Sep 02 17:23:08 raspi hostapd[1149]: Get randomness: len=32 entropy=1
Sep 02 17:23:08 raspi hostapd[1149]: GMK - hexdump(len=32): [REMOVED]
Sep 02 17:23:08 raspi hostapd[1149]: Get randomness: len=32 entropy=0
Sep 02 17:23:08 raspi hostapd[1149]: Key Counter - hexdump(len=32): [REMOVED]
Sep 02 17:23:08 raspi hostapd[1149]: Get randomness: len=16 entropy=0
Sep 02 17:23:08 raspi hostapd[1149]: GTK - hexdump(len=16): [REMOVED]
Sep 02 17:23:08 raspi hostapd[1149]: wpa_driver_nl80211_set_key: ifindex=3 (wlan0) alg=3 addr=0x144658 key_idx=1 set_tx=1 seq_len=0 key_len=16 key_flag=0x1a
Sep 02 17:23:08 raspi hostapd[1149]: nl80211: NEW_KEY
Sep 02 17:23:08 raspi hostapd[1149]: nl80211: KEY_DATA - hexdump(len=16): [REMOVED]
Sep 02 17:23:08 raspi hostapd[1149]: broadcast key
Sep 02 17:23:08 raspi hostapd[1149]: nl80211: NL80211_CMD_SET_KEY - default key
Sep 02 17:23:08 raspi hostapd[1149]: Get randomness: len=32 entropy=0
Sep 02 17:23:08 raspi hostapd[1149]: WPA: Assign ANonce - hexdump(len=32): e8 48 2e f7 2a 93 18 7e 90 c6 07 4c e1 1a c1 4c 4f 0a d9 c7 31 0d e9 04 37 56 96 2f f8 19 e3 52
Sep 02 17:23:08 raspi hostapd[1149]: WPA: 62:a7:67:fb:82:3e WPA_PTK entering state INITPSK
Sep 02 17:23:08 raspi hostapd[1149]: Searching a PSK for 62:a7:67:fb:82:3e prev_psk=(nil)
Sep 02 17:23:08 raspi hostapd[1149]: Searching a PSK for 62:a7:67:fb:82:3e prev_psk=(nil)
Sep 02 17:23:08 raspi hostapd[1149]: WPA: 62:a7:67:fb:82:3e WPA_PTK entering state PTKSTART
Sep 02 17:23:08 raspi hostapd[1149]: wlan0: STA 62:a7:67:fb:82:3e WPA: sending 1/4 msg of 4-Way Handshake
Sep 02 17:23:08 raspi hostapd[1149]: WPA: Send EAPOL(version=2 secure=0 mic=0 ack=1 install=0 pairwise=1 kde_len=0 keyidx=0 encr=0)
Sep 02 17:23:08 raspi hostapd[1149]: WPA: Replay Counter - hexdump(len=8): 00 00 00 00 00 00 00 01
Sep 02 17:23:08 raspi hostapd[1149]: WPA: Use EAPOL-Key timeout of 1000 ms (retry counter 1)
Sep 02 17:23:08 raspi hostapd[1149]: wlan0: hostapd_new_assoc_sta: reschedule ap_handle_timer timeout for 62:a7:67:fb:82:3e (300 seconds - ap_max_inactivity)
Sep 02 17:23:08 raspi hostapd[1149]: wlan0: Event EAPOL_RX (23) received
Sep 02 17:23:08 raspi hostapd[1149]: IEEE 802.1X: 121 bytes from 62:a7:67:fb:82:3e
Sep 02 17:23:08 raspi hostapd[1149]: IEEE 802.1X: version=1 type=3 length=117
Sep 02 17:23:08 raspi hostapd[1149]: WPA: RX EAPOL data - hexdump(len=121): 01 03 00 75 02 01 0a 00 00 00 00 00 00 00 00 00 01 29 46 d6 34 be 07 41 b8 e6 78 23 8c e3 78 9b 64 ed ea 2f c2 a5 ec 4a f0 73 d7 37 53 15 9a 6c 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ec 3d 45 86 04 6d 77 3f 86 67 c5 f9 4f 6b 14 36 00 16 30 14 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 02 0c 00
Sep 02 17:23:08 raspi hostapd[1149]: WPA: Received EAPOL-Key from 62:a7:67:fb:82:3e key_info=0x10a type=2 mic_len=16 key_data_length=22
Sep 02 17:23:08 raspi hostapd[1149]: WPA: EAPOL-Key header (ending before Key MIC) - hexdump(len=77): 02 01 0a 00 00 00 00 00 00 00 00 00 01 29 46 d6 34 be 07 41 b8 e6 78 23 8c e3 78 9b 64 ed ea 2f c2 a5 ec 4a f0 73 d7 37 53 15 9a 6c 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Sep 02 17:23:08 raspi hostapd[1149]: WPA: EAPOL-Key Key MIC - hexdump(len=16): ec 3d 45 86 04 6d 77 3f 86 67 c5 f9 4f 6b 14 36
Sep 02 17:23:08 raspi hostapd[1149]: WPA: Received Key Nonce - hexdump(len=32): 29 46 d6 34 be 07 41 b8 e6 78 23 8c e3 78 9b 64 ed ea 2f c2 a5 ec 4a f0 73 d7 37 53 15 9a 6c 14
Sep 02 17:23:08 raspi hostapd[1149]: WPA: Received Replay Counter - hexdump(len=8): 00 00 00 00 00 00 00 01
Sep 02 17:23:08 raspi hostapd[1149]: wlan0: STA 62:a7:67:fb:82:3e WPA: received EAPOL-Key frame (2/4 Pairwise)
Sep 02 17:23:08 raspi hostapd[1149]: WPA: 62:a7:67:fb:82:3e WPA_PTK entering state PTKCALCNEGOTIATING
Sep 02 17:23:08 raspi hostapd[1149]: Searching a PSK for 62:a7:67:fb:82:3e prev_psk=(nil)
Sep 02 17:23:08 raspi hostapd[1149]: WPA: PTK derivation using PRF(SHA1)
Sep 02 17:23:08 raspi hostapd[1149]: WPA: PTK derivation - A1=dc:a6:32:7b:12:1c A2=62:a7:67:fb:82:3e
Sep 02 17:23:08 raspi hostapd[1149]: WPA: Nonce1 - hexdump(len=32): e8 48 2e f7 2a 93 18 7e 90 c6 07 4c e1 1a c1 4c 4f 0a d9 c7 31 0d e9 04 37 56 96 2f f8 19 e3 52
Sep 02 17:23:08 raspi hostapd[1149]: WPA: Nonce2 - hexdump(len=32): 29 46 d6 34 be 07 41 b8 e6 78 23 8c e3 78 9b 64 ed ea 2f c2 a5 ec 4a f0 73 d7 37 53 15 9a 6c 14
Sep 02 17:23:08 raspi hostapd[1149]: WPA: PMK - hexdump(len=32): [REMOVED]
Sep 02 17:23:08 raspi hostapd[1149]: WPA: PTK - hexdump(len=48): [REMOVED]
Sep 02 17:23:08 raspi hostapd[1149]: WPA: KCK - hexdump(len=16): [REMOVED]
Sep 02 17:23:08 raspi hostapd[1149]: WPA: KEK - hexdump(len=16): [REMOVED]
Sep 02 17:23:08 raspi hostapd[1149]: WPA: TK - hexdump(len=16): [REMOVED]
Sep 02 17:23:08 raspi hostapd[1149]: WPA: EAPOL-Key MIC using HMAC-SHA1
Sep 02 17:23:08 raspi hostapd[1149]: WPA: RSN IE in EAPOL-Key - hexdump(len=22): 30 14 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 02 0c 00
Sep 02 17:23:08 raspi hostapd[1149]: WPA: 62:a7:67:fb:82:3e WPA_PTK entering state PTKCALCNEGOTIATING2
Sep 02 17:23:08 raspi hostapd[1149]: WPA: 62:a7:67:fb:82:3e WPA_PTK entering state PTKINITNEGOTIATING
Sep 02 17:23:08 raspi hostapd[1149]: wlan0: STA 62:a7:67:fb:82:3e WPA: sending 3/4 msg of 4-Way Handshake
Sep 02 17:23:08 raspi hostapd[1149]: WPA: Send EAPOL(version=2 secure=1 mic=1 ack=1 install=1 pairwise=1 kde_len=46 keyidx=0 encr=1)
Sep 02 17:23:08 raspi hostapd[1149]: WPA: Replay Counter - hexdump(len=8): 00 00 00 00 00 00 00 02
Sep 02 17:23:08 raspi hostapd[1149]: Plaintext EAPOL-Key Key Data - hexdump(len=56): [REMOVED]
Sep 02 17:23:08 raspi hostapd[1149]: WPA: Encrypt Key Data using AES-WRAP (KEK length 16)
Sep 02 17:23:08 raspi hostapd[1149]: WPA: EAPOL-Key MIC using HMAC-SHA1
Sep 02 17:23:08 raspi hostapd[1149]: WPA: Use EAPOL-Key timeout of 1000 ms (retry counter 1)
Sep 02 17:23:08 raspi hostapd[1149]: wlan0: Event EAPOL_RX (23) received
Sep 02 17:23:08 raspi hostapd[1149]: IEEE 802.1X: 99 bytes from 62:a7:67:fb:82:3e
Sep 02 17:23:08 raspi hostapd[1149]: IEEE 802.1X: version=1 type=3 length=95
Sep 02 17:23:08 raspi hostapd[1149]: WPA: RX EAPOL data - hexdump(len=99): 01 03 00 5f 02 03 0a 00 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ba bf 05 fb 80 3f 89 e9 c8 b9 2a a0 2e 09 88 4b 00 00
Sep 02 17:23:08 raspi hostapd[1149]: WPA: Received EAPOL-Key from 62:a7:67:fb:82:3e key_info=0x30a type=2 mic_len=16 key_data_length=0
Sep 02 17:23:08 raspi hostapd[1149]: WPA: EAPOL-Key header (ending before Key MIC) - hexdump(len=77): 02 03 0a 00 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Sep 02 17:23:08 raspi hostapd[1149]: WPA: EAPOL-Key Key MIC - hexdump(len=16): ba bf 05 fb 80 3f 89 e9 c8 b9 2a a0 2e 09 88 4b
Sep 02 17:23:08 raspi hostapd[1149]: WPA: Received Key Nonce - hexdump(len=32): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Sep 02 17:23:08 raspi hostapd[1149]: WPA: Received Replay Counter - hexdump(len=8): 00 00 00 00 00 00 00 02
Sep 02 17:23:08 raspi hostapd[1149]: wlan0: STA 62:a7:67:fb:82:3e WPA: received EAPOL-Key frame (4/4 Pairwise)
Sep 02 17:23:08 raspi hostapd[1149]: WPA: EAPOL-Key MIC using HMAC-SHA1
Sep 02 17:23:08 raspi hostapd[1149]: WPA: 62:a7:67:fb:82:3e WPA_PTK entering state PTKINITDONE
Sep 02 17:23:08 raspi hostapd[1149]: wpa_driver_nl80211_set_key: ifindex=3 (wlan0) alg=3 addr=0x4cede8 key_idx=0 set_tx=1 seq_len=0 key_len=16 key_flag=0x2c
Sep 02 17:23:08 raspi hostapd[1149]: nl80211: NEW_KEY
Sep 02 17:23:08 raspi hostapd[1149]: nl80211: KEY_DATA - hexdump(len=16): [REMOVED]
Sep 02 17:23:08 raspi hostapd[1149]: addr=62:a7:67:fb:82:3e
Sep 02 17:23:08 raspi hostapd[1149]: pairwise key
Sep 02 17:23:08 raspi hostapd[1149]: wlan0: AP-STA-CONNECTED 62:a7:67:fb:82:3e
Sep 02 17:23:08 raspi hostapd[1149]: nl80211: Set STA flags - ifname=wlan0 addr=62:a7:67:fb:82:3e total_flags=0x61 flags_or=0x1 flags_and=0xffffffff authorized=1
Sep 02 17:23:08 raspi hostapd[1149]: wlan0: STA 62:a7:67:fb:82:3e IEEE 802.1X: authorizing port
Sep 02 17:23:08 raspi hostapd[1149]: wlan0: STA 62:a7:67:fb:82:3e RADIUS: starting accounting session E206E6FDB622D1FA
Sep 02 17:23:08 raspi hostapd[1149]: wlan0: STA 62:a7:67:fb:82:3e WPA: pairwise key handshake completed (RSN)
Sep 02 17:23:08 raspi hostapd[1149]: wlan0: EAPOL-4WAY-HS-COMPLETED 62:a7:67:fb:82:3e
Sep 02 17:23:08 raspi hostapd[1149]: wlan0: STA 62:a7:67:fb:82:3e RADIUS: starting accounting session E206E6FDB622D1FA
Sep 02 17:23:08 raspi hostapd[1149]: wlan0: STA 62:a7:67:fb:82:3e WPA: pairwise key handshake completed (RSN)
Sep 02 17:23:08 raspi hostapd[1149]: nl80211: Event message available
Sep 02 17:23:08 raspi hostapd[1149]: nl80211: BSS Event 59 (NL80211_CMD_FRAME) received for wlan0
Sep 02 17:23:08 raspi hostapd[1149]: nl80211: MLME event 59 (NL80211_CMD_FRAME) on wlan0(dc:a6:32:7b:12:1c) A1=dc:a6:32:7b:12:1c A2=62:a7:67:fb:82:3e
Sep 02 17:23:08 raspi hostapd[1149]: nl80211: MLME event frame - hexdump(len=28): d0 00 00 00 dc a6 32 7b 12 1c 62 a7 67 fb 82 3e dc a6 32 7b 12 1c 00 00 0a 06 68 06
Sep 02 17:23:08 raspi hostapd[1149]: nl80211: Frame event
Sep 02 17:23:08 raspi hostapd[1149]: nl80211: RX frame da=dc:a6:32:7b:12:1c sa=62:a7:67:fb:82:3e bssid=dc:a6:32:7b:12:1c freq=2462 ssi_signal=0 fc=0xd0 seq_ctrl=0x0 stype=13 (WLAN_FC_STYPE_ACTION) len=28
Sep 02 17:23:08 raspi hostapd[1149]: wlan0: Event RX_MGMT (18) received
Sep 02 17:23:08 raspi hostapd[1149]: mgmt::action
Sep 02 17:23:08 raspi hostapd[1149]: RX_ACTION category 10 action 6 sa 62:a7:67:fb:82:3e da dc:a6:32:7b:12:1c len 28 freq 2462
Sep 02 17:23:08 raspi hostapd[1149]: Ignore BSS Transition Management Query from 62:a7:67:fb:82:3e since BSS Transition Management is disabled
Sep 02 17:23:09 raspi dnsmasq-dhcp[1143]: DHCPREQUEST(wlan0) 192.168.237.234 62:a7:67:fb:82:3e
Sep 02 17:23:09 raspi dnsmasq-dhcp[1143]: DHCPACK(wlan0) 192.168.237.234 62:a7:67:fb:82:3e Pixel-7
Sep 02 17:23:18 raspi hostapd[1149]: nl80211: Event message available
Sep 02 17:23:18 raspi hostapd[1149]: nl80211: Drv Event 20 (NL80211_CMD_DEL_STATION) received for wlan0
Sep 02 17:23:18 raspi hostapd[1149]: nl80211: Delete station 62:a7:67:fb:82:3e
Sep 02 17:23:18 raspi hostapd[1149]: wlan0: Event DISASSOC (1) received
Sep 02 17:23:18 raspi hostapd[1149]: wlan0: STA 62:a7:67:fb:82:3e IEEE 802.11: disassociated
Sep 02 17:23:18 raspi hostapd[1149]: wlan0: AP-STA-DISCONNECTED 62:a7:67:fb:82:3e
Sep 02 17:23:18 raspi hostapd[1149]: nl80211: Set STA flags - ifname=wlan0 addr=62:a7:67:fb:82:3e total_flags=0x0 flags_or=0x0 flags_and=0xfffffff1 authorized=0
Sep 02 17:23:18 raspi hostapd[1149]: wlan0: STA 62:a7:67:fb:82:3e WPA: event 2 notification
Sep 02 17:23:18 raspi hostapd[1149]: wpa_driver_nl80211_set_key: ifindex=3 (wlan0) alg=0 addr=0x4cede8 key_idx=0 set_tx=1 seq_len=0 key_len=0 key_flag=0x20
Sep 02 17:23:18 raspi hostapd[1149]: nl80211: DEL_KEY
Sep 02 17:23:18 raspi hostapd[1149]: addr=62:a7:67:fb:82:3e
Sep 02 17:23:18 raspi hostapd[1149]: pairwise key
Sep 02 17:23:18 raspi hostapd[1149]: WPA: 62:a7:67:fb:82:3e WPA_PTK entering state DISCONNECTED
Sep 02 17:23:18 raspi hostapd[1149]: WPA: 62:a7:67:fb:82:3e WPA_PTK entering state INITIALIZE
Sep 02 17:23:18 raspi hostapd[1149]: wpa_driver_nl80211_set_key: ifindex=3 (wlan0) alg=0 addr=0x4cede8 key_idx=0 set_tx=1 seq_len=0 key_len=0 key_flag=0x20
Sep 02 17:23:18 raspi hostapd[1149]: nl80211: DEL_KEY
Sep 02 17:23:18 raspi hostapd[1149]: addr=62:a7:67:fb:82:3e
Sep 02 17:23:18 raspi hostapd[1149]: pairwise key
Sep 02 17:23:18 raspi hostapd[1149]: nl80211: set_key failed; err=-22 Invalid argument
Sep 02 17:23:18 raspi hostapd[1149]: RSN: PTK removal from the driver failed
Sep 02 17:23:18 raspi hostapd[1149]: nl80211: Set STA flags - ifname=wlan0 addr=62:a7:67:fb:82:3e total_flags=0x0 flags_or=0x0 flags_and=0xfffffffe authorized=0
Sep 02 17:23:18 raspi hostapd[1149]: wlan0: STA 62:a7:67:fb:82:3e IEEE 802.1X: unauthorizing port
Sep 02 17:23:18 raspi hostapd[1149]: wlan0: STA 62:a7:67:fb:82:3e IEEE 802.11: disassociated
Sep 02 17:23:18 raspi hostapd[1149]: nl80211: Set STA flags - ifname=wlan0 addr=62:a7:67:fb:82:3e total_flags=0x0 flags_or=0x0 flags_and=0xfffffff1 authorized=0
Sep 02 17:23:18 raspi hostapd[1149]: nl80211: sta_remove -> DEL_STATION wlan0 62:a7:67:fb:82:3e --> 0 (Success)
Sep 02 17:23:18 raspi hostapd[1149]: hostapd_ht_operation_update current operation mode=0x0
Sep 02 17:23:18 raspi hostapd[1149]: hostapd_ht_operation_update new operation mode=0x0 changes=0
Sep 02 17:23:18 raspi hostapd[1149]: ap_free_sta: cancel ap_handle_timer for 62:a7:67:fb:82:3e
Message from syslogd@raspi at Sep 2 17:24:32 ...
kernel:[ 873.853473] Internal error: Oops: 0000000096000007 [#1] PREEMPT SMP
Message from syslogd@raspi at Sep 2 17:24:32 ...
kernel:[ 873.855318] Code: f9401e80 aa1603e2 f9403be1 5280e483 (f9400000)
Sep 02 17:24:32 raspi hostapd[1149]: nl80211: Event message available
Sep 02 17:24:32 raspi hostapd[1149]: nl80211: BSS Event 59 (NL80211_CMD_FRAME) received for wlan0
Sep 02 17:24:32 raspi hostapd[1149]: nl80211: MLME event 59 (NL80211_CMD_FRAME) on wlan0(dc:a6:32:7b:12:1c) A1=dc:a6:32:7b:12:1c A2=42:6c:00:9b:53:1b
Sep 02 17:24:32 raspi hostapd[1149]: nl80211: MLME event frame - hexdump(len=60): d0 00 00 00 dc a6 32 7b 12 1c 42 6c 00 9b 53 1b dc a6 32 7b 12 1c 00 00 04 0a c8 6c 02 00 00 1b 00 00 01 08 00 0c 01 05 01 08 01 07 01 dd dd 07 00 50 6f 9a 11 01 00 03 00 00 00 00
Sep 02 17:24:32 raspi hostapd[1149]: nl80211: Frame event
Sep 02 17:24:32 raspi hostapd[1149]: nl80211: RX frame da=dc:a6:32:7b:12:1c sa=42:6c:00:9b:53:1b bssid=dc:a6:32:7b:12:1c freq=2462 ssi_signal=0 fc=0xd0 seq_ctrl=0x0 stype=13 (WLAN_FC_STYPE_ACTION) len=60
Sep 02 17:24:32 raspi hostapd[1149]: wlan0: Event RX_MGMT (18) received
Sep 02 17:24:32 raspi hostapd[1149]: mgmt::action
Sep 02 17:24:32 raspi hostapd[1149]: RX_ACTION category 4 action 10 sa 42:6c:00:9b:53:1b da dc:a6:32:7b:12:1c len 60 freq 2462
Sep 02 17:24:32 raspi hostapd[1149]: wlan0: GAS: GAS Initial Request from 42:6c:00:9b:53:1b (dialog token 200)
Sep 02 17:24:32 raspi hostapd[1149]: ANQP: 4 Info IDs requested in Query list
Sep 02 17:24:32 raspi hostapd[1149]: ANQP: Domain Name not available
Sep 02 17:24:32 raspi hostapd[1149]: ANQP: Roaming Consortium not available
Sep 02 17:24:32 raspi hostapd[1149]: ANQP: 3GPP Cellular Network not available
Sep 02 17:24:32 raspi hostapd[1149]: ANQP: NAI Realm not available
Sep 02 17:24:32 raspi hostapd[1149]: ANQP: HS 2.0 Query List
Sep 02 17:24:32 raspi hostapd[1149]: ANQP: Operator Friendly Name not available
Sep 02 17:24:32 raspi hostapd[1149]: ANQP: Unsupported Query Request element 0
Sep 02 17:24:32 raspi hostapd[1149]: ANQP: Locally generated ANQP responses - hexdump(len=4): 05 01 00 00
Sep 02 17:24:32 raspi hostapd[1149]: ANQP: Initial response (no comeback)
Sep 02 17:24:32 raspi hostapd[1149]: nl80211: Send Action frame (ifindex=3, freq=2462 MHz wait=0 ms no_cck=0 offchanok=0)
Sep 02 17:24:32 raspi hostapd[1149]: nl80211: send_mlme - da=42:6c:00:9b:53:1b noack=0 freq=2462 no_cck=0 offchanok=0 wait_time=0 no_encrypt=0 fc=0xd0 (WLAN_FC_STYPE_ACTION) nlmode=3
Sep 02 17:24:32 raspi hostapd[1149]: nl80211: send_mlme -> send_frame_cmd
Sep 02 17:24:32 raspi hostapd[1149]: nl80211: CMD_FRAME freq=2462 wait=0 no_cck=0 no_ack=0 offchanok=0
Sep 02 17:24:32 raspi hostapd[1149]: CMD_FRAME - hexdump(len=41): d0 00 00 00 42 6c 00 9b 53 1b dc a6 32 7b 12 1c dc a6 32 7b 12 1c 00 00 04 0b c8 00 00 00 00 6c 02 7f 00 04 00 05 01 00 00
Sep 02 17:24:32 raspi kernel: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
Sep 02 17:24:32 raspi kernel: Mem abort info:
Sep 02 17:24:32 raspi kernel: ESR = 0x0000000096000007
Sep 02 17:24:32 raspi kernel: EC = 0x25: DABT (current EL), IL = 32 bits
Sep 02 17:24:32 raspi kernel: SET = 0, FnV = 0
Sep 02 17:24:32 raspi kernel: EA = 0, S1PTW = 0
Sep 02 17:24:32 raspi kernel: FSC = 0x07: level 3 translation fault
Sep 02 17:24:32 raspi kernel: Data abort info:
Sep 02 17:24:32 raspi kernel: ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000
Sep 02 17:24:32 raspi kernel: CM = 0, WnR = 0, TnD = 0, TagAccess = 0
Sep 02 17:24:32 raspi kernel: GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
Sep 02 17:24:32 raspi kernel: user pgtable: 4k pages, 39-bit VAs, pgdp=0000000044ee7000
Sep 02 17:24:32 raspi kernel: [0000000000000000] pgd=0800000041d6c003, p4d=0800000041d6c003, pud=0800000041d6c003, pmd=0800000041e58003, pte=0000000000000000
Sep 02 17:24:32 raspi kernel: Internal error: Oops: 0000000096000007 [#1] PREEMPT SMP
Sep 02 17:24:32 raspi kernel: Modules linked in: nft_chain_nat xt_MASQUERADE nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nft_compat nf_tables nfnetlink cmac algif_hash aes_arm64 aes_generic algif_skcipher af_alg bnep brcmfmac_wcc vc4 brcmfmac v3d brcmutil cfg80211 binfmt_misc gpu_sched hci_uart drm_shmem_helper snd_soc_hdmi_codec btbcm bluetooth drm_display_helper bcm2835_codec(C) cec rpi_hevc_dec raspberrypi_hwmon bcm2835_isp(C) drm_dma_helper bcm2835_v4l2(C) drm_kms_helper bcm2835_mmal_vchiq(C) v4l2_mem2mem ecdh_generic vc_sm_cma(C) ecc snd_soc_core videobuf2_dma_contig rfkill videobuf2_vmalloc videobuf2_memops libaes videobuf2_v4l2 videodev snd_bcm2835(C) snd_compress snd_pcm_dmaengine raspberrypi_gpiomem snd_pcm videobuf2_common mc snd_timer snd nvmem_rmem uio_pdrv_genirq uio drm fuse dm_mod drm_panel_orientation_quirks backlight ip_tables x_tables ipv6 i2c_brcmstb
Sep 02 17:24:32 raspi kernel: CPU: 0 UID: 0 PID: 1149 Comm: hostapd Tainted: G C 6.12.34+rpt-rpi-v8 #1 Debian 1:6.12.34-1+rpt1~bookworm
Sep 02 17:24:32 raspi kernel: Tainted: [C]=CRAP
Sep 02 17:24:32 raspi kernel: Hardware name: Raspberry Pi 4 Model B Rev 1.2 (DT)
Sep 02 17:24:32 raspi kernel: pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
Sep 02 17:24:32 raspi kernel: pc : brcmf_p2p_send_action_frame+0x23c/0xc58 [brcmfmac]
Sep 02 17:24:32 raspi kernel: lr : brcmf_p2p_send_action_frame+0x200/0xc58 [brcmfmac]
Sep 02 17:24:32 raspi kernel: sp : ffffffc081c1b5e0
Sep 02 17:24:32 raspi kernel: x29: ffffffc081c1b5e0 x28: 0000000000000000 x27: ffffff80457ea8f0
Sep 02 17:24:32 raspi kernel: x26: ffffff80429248c0 x25: ffffffd55ca55eb0 x24: ffffff80457ea800
Sep 02 17:24:32 raspi kernel: x23: 0000000000000000 x22: ffffff8048a5c000 x21: ffffff8048a5c010
Sep 02 17:24:32 raspi kernel: x20: ffffff80457ea810 x19: ffffff80457ea818 x18: 0000000000000000
Sep 02 17:24:32 raspi kernel: x17: 0000000000000000 x16: ffffffd5ab368ce0 x15: 00000000004d3740
Sep 02 17:24:32 raspi kernel: x14: 00001c127b32a6dc x13: 000001050004007f x12: 026c00000000c80b
Sep 02 17:24:32 raspi kernel: x11: 00000000000000d0 x10: 0000000000001a40 x9 : ffffffd55ca44000
Sep 02 17:24:32 raspi kernel: x8 : ffffff8043bb0000 x7 : 0000000000000000 x6 : ffffffc081c1b578
Sep 02 17:24:32 raspi kernel: x5 : ffffffc081c1b5b0 x4 : 00000000ffffffd8 x3 : 0000000000000724
Sep 02 17:24:32 raspi kernel: x2 : ffffff8048a5c000 x1 : ffffffd55ca60820 x0 : 0000000000000000
Sep 02 17:24:32 raspi kernel: Call trace:
Sep 02 17:24:32 raspi kernel: brcmf_p2p_send_action_frame+0x23c/0xc58 [brcmfmac]
Sep 02 17:24:32 raspi kernel: brcmf_cfg80211_mgmt_tx+0x304/0x5c0 [brcmfmac]
Sep 02 17:24:32 raspi kernel: cfg80211_mlme_mgmt_tx+0x1a8/0x418 [cfg80211]
Sep 02 17:24:32 raspi kernel: nl80211_tx_mgmt+0x238/0x388 [cfg80211]
Sep 02 17:24:32 raspi kernel: genl_family_rcv_msg_doit+0xe0/0x158
Sep 02 17:24:32 raspi kernel: genl_rcv_msg+0x220/0x2a0
Sep 02 17:24:32 raspi kernel: netlink_rcv_skb+0x68/0x140
Sep 02 17:24:32 raspi kernel: genl_rcv+0x40/0x60
Sep 02 17:24:32 raspi kernel: netlink_unicast+0x320/0x388
Sep 02 17:24:32 raspi kernel: netlink_sendmsg+0x19c/0x3f8
Sep 02 17:24:32 raspi kernel: __sock_sendmsg+0x64/0xc0
Sep 02 17:24:32 raspi kernel: ____sys_sendmsg+0x268/0x2a0
Sep 02 17:24:32 raspi kernel: ___sys_sendmsg+0xb8/0x118
Sep 02 17:24:32 raspi kernel: __sys_sendmsg+0x90/0xf8
Sep 02 17:24:32 raspi kernel: __arm64_compat_sys_sendmsg+0x2c/0x40
Sep 02 17:24:32 raspi kernel: invoke_syscall+0x50/0x120
Sep 02 17:24:32 raspi kernel: el0_svc_common.constprop.0+0x48/0xf0
Sep 02 17:24:32 raspi kernel: do_el0_svc_compat+0x24/0x48
Sep 02 17:24:32 raspi kernel: el0_svc_compat+0x2c/0x80
Sep 02 17:24:32 raspi kernel: el0t_32_sync_handler+0x98/0x140
Sep 02 17:24:32 raspi kernel: el0t_32_sync+0x194/0x198
Sep 02 17:24:32 raspi kernel: Code: f9401e80 aa1603e2 f9403be1 5280e483 (f9400000)
Sep 02 17:24:32 raspi kernel: ---[ end trace 0000000000000000 ]---
Sep 02 17:24:32 raspi systemd[1]: hostapd.service: Main process exited, code=killed, status=11/SEGV
Sep 02 17:24:32 raspi systemd[1]: hostapd.service: Failed with result 'signal'.
Additional context
This behavior occurs regardless of whether the iPhone has previously paired with or is currently connected to the AP. I have observed the following:
- The crash has been reproducible since early August, coinciding with the release of iOS 18.6.
- iPhones running iOS 18.6.2 and iOS 18.6.1 consistently cause the crash.
- iPhones running iOS 18.2.1 and iOS 17.6.1, and a Google Pixel 7 with Android 16, do not cause the crash.
The specific action frame appears to be related to `nl80211: BSS Event 59 (NL80211_CMD_FRAME)`, which is received from the iPhone. The crash occurs when the `brcmfmac` driver attempts to respond via `brcmf_p2p_send_action_frame`.
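As an added example (not code from this issue, hostapd or brcmfmac), the following Python decoder parses the two Public Action frames quoted in the log above, the iPhone's GAS Initial Request (`MLME event frame`, category 4 action 10) and the GAS Initial Response hostapd built (`CMD_FRAME`) just before the oops, and recovers the same fields hostapd reports: dialog token 200, the four requested ANQP Info IDs, the HS 2.0 query list, and the trailing "Unsupported Query Request element 0". The frame bytes are copied verbatim from the log; everything else is the example's own code.

```python
"""Decode the 802.11 Public Action (GAS/ANQP) frames from the hostapd -dd hexdumps (added example)."""
from __future__ import annotations
import struct
from dataclasses import dataclass, field

# Frame bytes copied from the log above: the iPhone's GAS Initial Request and hostapd's GAS Initial Response.
GAS_REQUEST_HEX = (
    "d0 00 00 00 dc a6 32 7b 12 1c 42 6c 00 9b 53 1b dc a6 32 7b 12 1c 00 00 04 0a c8 6c 02 00 00"
    " 1b 00 00 01 08 00 0c 01 05 01 08 01 07 01 dd dd 07 00 50 6f 9a 11 01 00 03 00 00 00 00"
)
GAS_RESPONSE_HEX = (
    "d0 00 00 00 42 6c 00 9b 53 1b dc a6 32 7b 12 1c dc a6 32 7b 12 1c 00 00 04 0b c8 00 00 00 00"
    " 6c 02 7f 00 04 00 05 01 00 00"
)

CATEGORY_PUBLIC, GAS_INITIAL_REQ, GAS_INITIAL_RESP = 4, 10, 11
EID_ADV_PROTO, ADV_PROTO_ANQP = 0x6C, 0
ANQP_QUERY_LIST, ANQP_VENDOR = 256, 0xDDDD
WFA_OUI_HS20, HS20_QUERY_LIST = b"\x50\x6f\x9a\x11", 1   # OUI 50-6f-9a, type 0x11 = HS 2.0 ANQP element

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

@dataclass
class ActionFrame:
    sa: str
    da: str
    category: int
    action: int
    dialog_token: int | None = None
    status: int | None = None                                    # GAS Initial Response only
    anqp_elements: list[tuple[int, bytes]] = field(default_factory=list)
    requested_info_ids: list[int] = field(default_factory=list)  # ANQP Query List contents
    hs20_subtypes: list[int] = field(default_factory=list)       # HS 2.0 Query List contents
    unsupported: list[int] = field(default_factory=list)         # request elements hostapd rejects

def _walk_anqp(af: ActionFrame, data: bytes, is_request: bool) -> None:
    """Split an ANQP payload into (Info ID, payload) elements; all fields are little-endian u16."""
    pos = 0
    while pos + 4 <= len(data):
        info_id, length = struct.unpack_from("<HH", data, pos)
        payload = data[pos + 4:pos + 4 + length]
        if len(payload) != length:
            raise ValueError("ANQP element length exceeds payload")
        af.anqp_elements.append((info_id, payload))
        if info_id == ANQP_QUERY_LIST:
            af.requested_info_ids += [v for (v,) in struct.iter_unpack("<H", payload)]
        elif info_id == ANQP_VENDOR and payload[:4] == WFA_OUI_HS20:
            if payload[4] == HS20_QUERY_LIST:                    # payload[5] is reserved
                af.hs20_subtypes += list(payload[6:])
        elif is_request:
            af.unsupported.append(info_id)   # hostapd logs these as "Unsupported Query Request element N"
        pos += 4 + length
    if pos != len(data):
        raise ValueError("trailing bytes after last ANQP element")

def _parse_gas(af: ActionFrame, body: bytes) -> None:
    """GAS Initial body: token, [status, comeback delay], Advertisement Protocol IE, length, data."""
    af.dialog_token = body[0]
    pos = 1
    if af.action == GAS_INITIAL_RESP:
        af.status, _comeback_delay = struct.unpack_from("<HH", body, pos)
        pos += 4
    if body[pos] != EID_ADV_PROTO:
        raise ValueError("expected Advertisement Protocol element")
    adv_len = body[pos + 1]
    adv_proto_id = body[pos + 1 + adv_len]                       # last byte of the single tuple
    pos += 2 + adv_len
    (qlen,) = struct.unpack_from("<H", body, pos)
    data = body[pos + 2:pos + 2 + qlen]
    if len(data) != qlen:
        raise ValueError("GAS query length exceeds frame")
    if adv_proto_id == ADV_PROTO_ANQP:
        _walk_anqp(af, data, is_request=(af.action == GAS_INITIAL_REQ))

def parse_action_frame(frame: bytes) -> ActionFrame:
    """Parse a raw 802.11 management Action frame exactly as hostapd dumps it (header + body)."""
    if len(frame) < 26:
        raise ValueError("frame shorter than MAC header plus category/action")
    (fc,) = struct.unpack_from("<H", frame, 0)
    if (fc & 0x0C) != 0 or ((fc >> 4) & 0x0F) != 13:           # type 0 (mgmt), subtype 13 (Action)
        raise ValueError(f"not an Action frame (fc=0x{fc:04x})")
    af = ActionFrame(sa=mac(frame[10:16]), da=mac(frame[4:10]), category=frame[24], action=frame[25])
    if af.category == CATEGORY_PUBLIC and af.action in (GAS_INITIAL_REQ, GAS_INITIAL_RESP):
        _parse_gas(af, frame[26:])
    return af
```

Running `parse_action_frame(bytes.fromhex(GAS_REQUEST_HEX))` yields Info IDs 268, 261, 264 and 263 (Domain Name, Roaming Consortium, 3GPP Cellular Network, NAI Realm), HS 2.0 subtype 3 (Operator Friendly Name) and an unsupported element 0, matching the ANQP lines hostapd logged; the response carries only an empty Roaming Consortium element (261), the `05 01 00 00` hostapd logged as its locally generated response.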
Internet-related settings I used
- hostapd.conf
$ cat /usr/raspi/configs/hostapd/hostapd.conf
interface=wlan0
driver=nl80211
# Radio
ssid=NU-XXXXXX
hw_mode=g
wmm_enabled=1
channel=11
# Country
country_code=TW
# N
ieee80211n=1
ht_capab=[SHORT-GI-20][DSSS_CCK-40]
# WPA
auth_algs=1
wpa=2
wpa_passphrase=12345678
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
rsn_pairwise=CCMP
# Ctrl
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
- network interface
$ cat /etc/network/interfaces.d/wlan0
auto wlan0
iface wlan0 inet static
address 192.168.237.253
netmask 255.255.255.0
- dnsmasq
$ cat /etc/dnsmasq.d/raspi_dnsmasq.conf
interface=wlan0
dhcp-range=192.168.237.193,192.168.237.250,255.255.255.192,12h
no-hosts
address=/raspi/192.168.237.253
- iptables.rules
$ cat /usr/raspi/configs/iptables/iptables.rules
# Generated by iptables-save v1.4.21 on Wed Apr 13 10:28:51 2016
*nat
:PREROUTING ACCEPT [1:72]
:INPUT ACCEPT [1:72]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
[0:0] -A POSTROUTING -s 192.168.237.192/26 -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Apr 13 10:28:51 2016
- customized hostapd systemd service (to show more detailed logs from hostapd in syslog)
$ cat /etc/systemd/system/raspi_hostapd.service
[Unit]
Description=Enable Access Point
After=network.target dnsmasq.service
[Service]
Type=exec
WorkingDirectory=/usr/raspi/configs/
ExecStartPre=-/usr/bin/killall hostapd
ExecStartPre=/usr/sbin/sysctl -w net.ipv4.ip_forward=1
ExecStartPre=/bin/bash -c '/usr/sbin/iptables-restore < iptables/iptables.rules'
ExecStartPre=/usr/sbin/service dnsmasq restart
ExecStart=/usr/sbin/hostapd -dd hostapd/hostapd.conf
ExecReload=/bin/kill -HUP $MAINPID
[Install]
WantedBy=multi-user.target