From nobody Sun Apr 24 14:30:34 2022 X-Original-To: freebsd-hackers@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 206A21A9537E for ; Sun, 24 Apr 2022 14:30:54 +0000 (UTC) (envelope-from rob.fx907@gmail.com) Received: from mail-ed1-x52d.google.com (mail-ed1-x52d.google.com [IPv6:2a00:1450:4864:20::52d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4KmVth6rBdz3L34 for ; Sun, 24 Apr 2022 14:30:52 +0000 (UTC) (envelope-from rob.fx907@gmail.com) Received: by mail-ed1-x52d.google.com with SMTP id g23so8656812edy.13 for ; Sun, 24 Apr 2022 07:30:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=x0AA+3pEV2qNDk4F3HiPNuGOaMKKImvePhRf0zCQL1s=; b=MOPEXqIQTrLaekym93D7leivz254BD3lZF25AtjYzfeRnosFvPGKQxukIzG/vdax4n n/mPVw63aA/f7YELdpsTVbQUXNncu7XoWkRfmZE10lnAdgOstPYQ7lRCsrxo4iOM4zpU TI+DeSOCkafA3Eh/iHNHtJ9DWnTvd34Je9A8hubXWi4ZT1OdOnXpLlVJ5k/LCly0mT5f a6hF8v8FVHhrWyoRc89VcH9vP+GFY+EEINBittLQLzYdMgfiKEEASrLiSpCNL9dBHIZa hL2Si5fyhoYN5Z+zPXlTx4/64MdV2KDyr/8HZky4D/mNQyh+iS/8DsQp5uK0TjdVIE2g IqPQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=x0AA+3pEV2qNDk4F3HiPNuGOaMKKImvePhRf0zCQL1s=; b=Mj4/xwYM6NbfpkYZ0N+JS+L1S6X3uyGjncIGjuRW16zWWuY5HYNWIfYfagwwVEg8IP 163zmJUhFoDAOZRbZB97aYb/bQY7lNwQWiYahGgJT7byiRpaYOfxOxj0RzBFQsSlGEm3 YSzOT46blLzRidUFqnFqYsJzK58lVowBpD9Pc9fqOmx5tG92yj9z3VDe3ujIch+dMrHP wQlKCc9M/P6CW1Sj1QITVrhcBJRycZ79XDcisEqZgFLB+YRENcDHL0sp8lP5bfq30Nnq 1hrVVUuzdsXPcXuLlML896Pcy6hWIqBkz0mozcZJ88ObRzGGXdH90ZTDD6wMus2+p95R HHnQ== X-Gm-Message-State: AOAM531cdUGc50AvtqxRs5Uz4ghaoaL9XPVbBllJtbJpDZCCNS4z2AO/ k1Beb5GKHb+6Wqbs/DMrOs68jYObr8ikGpykVC8ViOqo X-Google-Smtp-Source: ABdhPJwru7IkfWsB1+swslDSKFFqd5OT0sobjE81QuC09XyFU/2j76gCflLRaVN7wEugsbasPAbTIQspTM+XVciI9sQ= X-Received: by 2002:aa7:cd0a:0:b0:425:bc13:4ccb with SMTP id b10-20020aa7cd0a000000b00425bc134ccbmr12911824edw.229.1650810645680; Sun, 24 Apr 2022 07:30:45 -0700 (PDT) List-Id: Technical discussions relating to FreeBSD List-Archive: https://lists.freebsd.org/archives/freebsd-hackers List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-hackers@freebsd.org MIME-Version: 1.0 References: <421d0c0d-4109-3370-9147-85168051deed@freebsd.org> <9ea3536e-b501-3684-850e-65f95fddf2e7@freebsd.org> <28c9ea32-b913-c153-005b-a62d6a7a6f4e@plan-b.pwste.edu.pl> <113d6d4d-eb23-30b1-a9e7-5a82a46604f8@grosbein.net> In-Reply-To: From: Rob Wing Date: Sun, 24 Apr 2022 06:30:34 -0800 Message-ID: Subject: Re: kernel crash making a vlan on a wlan To: Warner Losh Cc: Eugene Grosbein , Marek Zarychta , FreeBSD Hackers Content-Type: multipart/alternative; boundary="0000000000002094fe05dd674e87" X-Rspamd-Queue-Id: 4KmVth6rBdz3L34 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20210112 header.b=MOPEXqIQ; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (mx1.freebsd.org: domain of robfx907@gmail.com designates 2a00:1450:4864:20::52d as permitted sender) smtp.mailfrom=robfx907@gmail.com X-Spamd-Result: default: False [-2.11 / 15.00]; FREEMAIL_FROM(0.00)[gmail.com]; R_SPF_ALLOW(-0.20)[+ip6:2a00:1450:4000::/36]; MID_RHS_MATCH_FROMTLD(0.00)[]; TO_DN_ALL(0.00)[]; DKIM_TRACE(0.00)[gmail.com:+]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+,1:+,2:~]; FREEMAIL_ENVFROM(0.00)[gmail.com]; ASN(0.00)[asn:15169, ipnet:2a00:1450::/32, country:US]; TAGGED_FROM(0.00)[]; DWL_DNSWL_NONE(0.00)[gmail.com:dkim]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-0.99)[-0.986]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20210112]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[4]; NEURAL_SPAM_SHORT(0.87)[0.873]; NEURAL_HAM_LONG(-1.00)[-0.997]; MIME_GOOD(-0.10)[multipart/alternative,text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-hackers@freebsd.org]; TO_MATCH_ENVRCPT_SOME(0.00)[]; RCVD_IN_DNSWL_NONE(0.00)[2a00:1450:4864:20::52d:from]; MLMMJ_DEST(0.00)[freebsd-hackers]; RCVD_COUNT_TWO(0.00)[2]; RCVD_TLS_ALL(0.00)[] X-ThisMailContainsUnwantedMimeParts: N --0000000000002094fe05dd674e87 Content-Type: text/plain; charset="UTF-8" What do you mean when you say they are the same thing? On Sun, Apr 24, 2022 at 5:35 AM Warner Losh wrote: > > > On Sun, Apr 24, 2022, 1:03 AM Rob Wing wrote: > >> From what I can tell, the vlan driver is calling ieee80211_output() with >> the wrong ifnet context and dereferencing a bad pointer. >> >> It looks like the passed in if_softc is pointing to a struct ifvlan >> instead of the expected struct ieee80211_vap >> >> Looking at vlan_output(), I wonder if the parents ifnet context should be >> used when calling if_output()? something like: >> >> diff --git a/sys/net/if_vlan.c b/sys/net/if_vlan.c >> index 2bb5284c2129..5fbd7a79dccc 100644 >> --- a/sys/net/if_vlan.c >> +++ b/sys/net/if_vlan.c >> @@ -1318,7 +1318,7 @@ vlan_output(struct ifnet *ifp, struct mbuf *m, >> const struct sockaddr *dst, >> ifv = p->if_softc; >> } while (p->if_type == IFT_L2VLAN); >> >> - return p->if_output(ifp, m, dst, ro); >> + return ((*p->if_output)(p, m, dst, ro)); >> > > No. Those two are the same thing. > > Warner > > } >> >> #ifdef ALTQ >> >> >> On Sat, Apr 23, 2022 at 1:12 PM Eugene Grosbein >> wrote: >> >>> 24.04.2022 3:28, Marek Zarychta wrote: >>> >>> > W dniu 23.04.2022 o 22:11, Craig Leres pisze: >>> >> >>> >> On 4/23/22 11:12, Craig Leres wrote: >>> >>> I am able to reproduce the crash with 13.1-RC4. >>> >> >>> >> I'm also able to reproduce the crash on 12.3-RELEASE-p5. It seems >>> wlan0 is part of the recipe, I tried vlans_em0="vlan0" first but was not >>> able to induce a crash. >>> >> >>> >> Craig >>> >> >>> > >>> > I am curious what is this WiFi hardware that supports 802.1q tagging >>> over the air? Could you please reveal this? >>> > >>> > That's rather not a bug when you are shooting yourself in the foot. >>> >>> Kernel panic due to ifconfig command is always a bug. >>> >>> >>> >>> --0000000000002094fe05dd674e87 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
What do you mean when you say they are the same thing= ?

On Sun, Apr 24, 2022 at 5:35 AM Warner Losh <imp@bsdimp.com> wrote:

On Sun, = Apr 24, 2022, 1:03 AM Rob Wing <rob.fx907@gmail.com> wrote:
From what I can t= ell, the vlan driver is calling ieee80211_output() with the wrong ifnet con= text and dereferencing a bad pointer.

It look= s like the passed in if_softc is pointing to a struct ifvlan instead of the= expected struct ieee80211_vap

Looking at vlan_out= put(), I wonder if the parents ifnet context should be used when calling if= _output()? something like:

diff --git a/sys/net/if= _vlan.c b/sys/net/if_vlan.c
index 2bb5284c2129..5fbd7a79dccc 100644
-= -- a/sys/net/if_vlan.c
+++ b/sys/net/if_vlan.c
@@ -1318,7 +1318,7 @@ = vlan_output(struct ifnet *ifp, struct mbuf *m, const struct sockaddr *dst,<= br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 ifv =3D p->if= _softc;
=C2=A0 =C2=A0 =C2=A0 =C2=A0 } while (p->if_type =3D=3D IFT_L2= VLAN);

- =C2=A0 =C2=A0 =C2=A0 return p->if_output(ifp, m, dst, ro= );
+ =C2=A0 =C2=A0 =C2=A0 return ((*p->if_output)(p, m, dst, ro));

No. Those two are the same thing.

Warner=C2=A0

=C2=A0}

=C2=A0#ifdef ALTQ


On Sat, Apr 23, 2022 at 1:12 PM Eugene Grosbein <eugen@grosb= ein.net> wrote:
24.04.2022 3:28, Marek Zarychta wrote:

> W dniu 23.04.2022 o 22:11, Craig Leres pisze:
>>
>> On 4/23/22 11:12, Craig Leres wrote:
>>> I am able to reproduce the crash with 13.1-RC4.
>>
>> I'm also able to reproduce the crash on 12.3-RELEASE-p5. It se= ems wlan0 is part of the recipe, I tried vlans_em0=3D"vlan0" firs= t but was not able to induce a crash.
>>
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 Craig
>>
>
> I am curious what is this WiFi hardware that supports 802.1q tagging o= ver the air? Could you please reveal this?
>
> That's rather not a bug when you are shooting yourself in the foot= .

Kernel panic due to ifconfig command is always a bug.



--0000000000002094fe05dd674e87--