Why does hostapd with channel=0 (ACS) fail

I try to setup a WiFi AP with hostapd on Debian (Bullseye and Bookworm) with Automatic Channel Selection (ACS), by setting channel=0 in /etc/hostapd/hostapd.conf. On multiple system with different hardware this does not work, i.e. we did not find any system where it works.

There are two cases:

1. The hostapd.service starts, but after a few seconds silently stops “successfully” without an error message:

   Aug 17 22:54:23 NanoPiR6C systemd[1]: hostapd.service - Access point and authentication server for Wi-Fi and Ethernet was skipped because of an unmet condition check (ConditionFileNotEmpty=/etc/hostapd/hostapd.conf).
   Aug 17 22:54:36 NanoPiR6C systemd[1]: Starting hostapd.service - Access point and authentication server for Wi-Fi and Ethernet...
   Aug 17 22:54:36 NanoPiR6C hostapd[2230]: wlan0: interface state UNINITIALIZED->COUNTRY_UPDATE
   Aug 17 22:54:36 NanoPiR6C hostapd[2230]: ACS: Automatic channel selection started, this may take a bit
   Aug 17 22:54:36 NanoPiR6C hostapd[2230]: wlan0: interface state COUNTRY_UPDATE->ACS
   Aug 17 22:54:36 NanoPiR6C hostapd[2230]: wlan0: ACS-STARTED
   Aug 17 22:54:36 NanoPiR6C systemd[1]: Started hostapd.service - Access point and authentication server for Wi-Fi and Ethernet.
   Aug 17 22:54:42 NanoPiR6C systemd[1]: hostapd.service: Deactivated successfully.
   

2. The hostapd.service and process crashes, causing as well a kernel error:

   Aug 17 23:12:32 ROCKPiS systemd[1]: Starting Access point and authentication server for Wi-Fi and Ethernet...
   Aug 17 23:12:32 ROCKPiS hostapd[586]: Configuration file: /etc/hostapd/hostapd.conf
   Aug 17 23:12:32 ROCKPiS hostapd[586]: wlan0: interface state UNINITIALIZED->COUNTRY_UPDATE
   Aug 17 23:12:32 ROCKPiS hostapd[586]: ACS: Automatic channel selection started, this may take a bit
   Aug 17 23:12:32 ROCKPiS kernel: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
   Aug 17 23:12:32 ROCKPiS kernel: Mem abort info:
   Aug 17 23:12:32 ROCKPiS kernel:   ESR = 0x0000000096000004
   Aug 17 23:12:32 ROCKPiS kernel:   EC = 0x25: DABT (current EL), IL = 32 bits
   Aug 17 23:12:32 ROCKPiS kernel:   SET = 0, FnV = 0
   Aug 17 23:12:32 ROCKPiS kernel:   EA = 0, S1PTW = 0
   Aug 17 23:12:32 ROCKPiS kernel:   FSC = 0x04: level 0 translation fault
   Aug 17 23:12:32 ROCKPiS kernel: Data abort info:
   Aug 17 23:12:32 ROCKPiS kernel:   ISV = 0, ISS = 0x00000004
   Aug 17 23:12:32 ROCKPiS kernel:   CM = 0, WnR = 0
   Aug 17 23:12:32 ROCKPiS kernel: user pgtable: 4k pages, 48-bit VAs, pgdp=0000000004be1000
   Aug 17 23:12:32 ROCKPiS kernel: [0000000000000000] pgd=0000000000000000, p4d=0000000000000000
   Aug 17 23:12:32 ROCKPiS kernel: Internal error: Oops: 96000004 [#1] PREEMPT SMP
   Aug 17 23:12:32 ROCKPiS kernel: Modules linked in: nft_chain_nat xt_MASQUERADE nf_nat nft_counter xt_state xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nft_compat nf_tables nfnetlink 8723ds cfg80211 snd_soc_pcm5102a rfkill snd_soc_rk3308 snd_soc_simple_card snd_soc_simple_card_utils snd_soc_core snd_pcm_dmaengine snd_pcm nvmem_rockchip_otp snd_timer snd soundcore cpufreq_dt ip_tables x_tables autofs4 realtek dwmac_rk stmmac_platform stmmac pcs_xpcs
   Aug 17 23:12:33 ROCKPiS kernel: CPU: 0 PID: 586 Comm: hostapd Not tainted 5.15.93-rockchip64 #23.02.2
   Aug 17 23:12:33 ROCKPiS kernel: Hardware name: Radxa ROCK Pi S (DT)
   Aug 17 23:12:33 ROCKPiS kernel: pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
   Aug 17 23:12:33 ROCKPiS kernel: pc : __pi_memcmp+0xd8/0x110
   Aug 17 23:12:33 ROCKPiS kernel: lr : _rtw_memcmp+0x14/0x28 [8723ds]
   Aug 17 23:12:33 ROCKPiS kernel: sp : ffff80000a88b480
   Aug 17 23:12:33 ROCKPiS kernel: x29: ffff80000a88b480 x28: 0000000000000000 x27: 00000000000003e8
   Aug 17 23:12:33 ROCKPiS kernel: x26: 0000000000000000 x25: ffff000005146448 x24: 0000000000000000
   Aug 17 23:12:33 ROCKPiS kernel: x23: ffff000005394100 x22: 0000000000000000 x21: 0000000000000000
   Aug 17 23:12:33 ROCKPiS kernel: x20: ffff80000a747000 x19: ffff000005394100 x18: 0000000000000000
   Aug 17 23:12:33 ROCKPiS kernel: x17: 0000000000000000 x16: 0000000000000000 x15: 0000aaaac19a9640
   Aug 17 23:12:33 ROCKPiS kernel: x14: 0000097b00040008 x13: ffff800001178178 x12: ffff000008471000
   Aug 17 23:12:33 ROCKPiS kernel: x11: 0000000000000999 x10: 0000000000000008 x9 : 0000000000000040
   Aug 17 23:12:33 ROCKPiS kernel: x8 : ffff00000545a460 x7 : ffff80000a88b3c0 x6 : 0000000000000001
   Aug 17 23:12:33 ROCKPiS kernel: x5 : 0000000000000001 x4 : 0000000000000030 x3 : 0000000000000001
   Aug 17 23:12:33 ROCKPiS kernel: x2 : 0000000000000003 x1 : ffff8000012c7400 x0 : 0000000000000000
   Aug 17 23:12:33 ROCKPiS kernel: Call trace:
   Aug 17 23:12:33 ROCKPiS kernel:  __pi_memcmp+0xd8/0x110
   Aug 17 23:12:33 ROCKPiS kernel:  cfg80211_rtw_scan+0x234/0x5e0 [8723ds]
   Aug 17 23:12:33 ROCKPiS kernel:  cfg80211_scan+0x1d0/0x360 [cfg80211]
   Aug 17 23:12:33 ROCKPiS kernel:  nl80211_trigger_scan+0x598/0x690 [cfg80211]
   Aug 17 23:12:33 ROCKPiS kernel:  genl_family_rcv_msg_doit.isra.15+0x10c/0x150
   Aug 17 23:12:33 ROCKPiS kernel:  genl_rcv_msg+0xf0/0x1d8
   Aug 17 23:12:33 ROCKPiS kernel:  netlink_rcv_skb+0x5c/0x120
   Aug 17 23:12:33 ROCKPiS kernel:  genl_rcv+0x38/0x50
   Aug 17 23:12:33 ROCKPiS kernel:  netlink_unicast+0x1cc/0x2a0
   Aug 17 23:12:33 ROCKPiS kernel:  netlink_sendmsg+0x1dc/0x448
   Aug 17 23:12:33 ROCKPiS kernel:  sock_sendmsg+0x4c/0x58
   Aug 17 23:12:33 ROCKPiS kernel:  ____sys_sendmsg+0x274/0x2b8
   Aug 17 23:12:33 ROCKPiS kernel:  ___sys_sendmsg+0x84/0xc8
   Aug 17 23:12:33 ROCKPiS kernel:  __sys_sendmsg+0x6c/0xc0
   Aug 17 23:12:33 ROCKPiS kernel:  __arm64_sys_sendmsg+0x24/0x30
   Aug 17 23:12:33 ROCKPiS kernel:  invoke_syscall+0x44/0x108
   Aug 17 23:12:33 ROCKPiS kernel:  el0_svc_common.constprop.3+0x94/0xf8
   Aug 17 23:12:33 ROCKPiS kernel:  do_el0_svc+0x24/0x98
   Aug 17 23:12:33 ROCKPiS kernel:  el0_svc+0x20/0x50
   Aug 17 23:12:33 ROCKPiS kernel:  el0t_64_sync_handler+0x90/0xb8
   Aug 17 23:12:33 ROCKPiS kernel:  el0t_64_sync+0x180/0x184
   Aug 17 23:12:33 ROCKPiS kernel: Code: d65f03c0 d503201f b1001042 540000c3 (b8404403)
   Aug 17 23:12:33 ROCKPiS kernel: ---[ end trace 98281908e07a73eb ]---
   Aug 17 23:12:33 ROCKPiS systemd[1]: hostapd.service: Control process exited, code=killed, status=11/SEGV
   Aug 17 23:12:33 ROCKPiS systemd[1]: hostapd.service: Failed with result 'signal'.
   Aug 17 23:12:33 ROCKPiS systemd[1]: Failed to start Access point and authentication server for Wi-Fi and Ethernet.
   

   Problematic is that the process in this case becomes an unkillable zombie: SIGTERM and SIGKILL do not work, systemctl hangs until timeout, also reboot hangs until systemd times out attempting to kill the hostapd process. Also the service has an automatic restart schedule, so hostapd processes stack up after a while.

Here an example for a tested hostapd.conf:

interface=wlan0
driver=nl80211
ssid=myssid
country_code=DE
hw_mode=g
channel=0
ieee80211n=1
wmm_enabled=1
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=mypassword
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
ctrl_interface=/run/hostapd

Enabling/disabling WiFi 4 (ieee80211n=1) and 5 (ieee80211ac=1) as well as switching between 2.4 GHz (hw_mode=g) and 5 GHz mode (hw_mode=a) does not make a difference. I also tried to remove some settings and add everything that comes with the example /usr/share/doc/hostapd/examples/hostapd.conf. As fast as I switch to channel=0 or channel=acs_survey, on all tested systems, hostapd does not work.

Am I missing something, is there another setting explicitly needed for ACS to work? Otherwise why is this the default (generally reasonably) if it does not work on most (all of our) systems?