From: Robert Watson
To: current@FreeBSD.org
Date: Sat, 25 Dec 2004 20:29:58 +0000 (GMT)
Subject: Problem with 802.11 ad hoc with WEP: NULL pointer dereference

I recently upgraded a kernel on my notebook to Dec 23. I don't have the date of the previous kernel on-hand, but I suspect it was late November from before I was on travel. I have a local configuration I sometimes use with ad hoc 802.11 on a prism card using WEP, using a FreeBSD notebook as a proxy to reach a wired network. The other system is a Mac OS X notebook. As of the upgrade, I get a kernel page fault on the FreeBSD system whenever I attempt to use the Mac OS X box with wireless.
In fact, booting the Mac OS X box causes the FreeBSD box to panic, presumably as the Mac OS X box says "Hi, I'm here!". The panic is a NULL pointer dereference in ieee80211_find_rxnode(). I don't have the complete trap message due to not having a serial console for the box, but below is some core information. This is highly reproducible; please let me know if more information is needed.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Principal Research Scientist, McAfee Research

#21 0x00000002 in ?? ()
#22 0xc05a6b2b in ieee80211_find_rxnode (ic=0xc1bcf25c, wh=0xc1bb8730) at atomic.h:365
#23 0xc04ca7c7 in wi_intr (arg=0xc1bcf000) at /usr/src/sys/dev/wi/if_wi.c:1533
#24 0xc0506d8d in ithread_loop (arg=0xc197b780) at /usr/src/sys/kern/kern_intr.c:547
#25 0xc0505e8c in fork_exit (callout=0xc0506ce0 , arg=0xc197b780, frame=0xd418fd48) at /usr/src/sys/kern/kern_fork.c:790
#26 0xc069619c in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:209
(kgdb) frame 22
#22 0xc05a6b2b in ieee80211_find_rxnode (ic=0xc1bcf25c, wh=0xc1bb8730) at atomic.h:365
365     {
(kgdb) list
360     #define atomic_readandclear_32 atomic_readandclear_int
361
362     #if !defined(WANT_FUNCTIONS)
363     static __inline int
364     atomic_cmpset_ptr(volatile void *dst, void *exp, void *src)
365     {
366
367             return (atomic_cmpset_int((volatile u_int *)dst, (u_int)exp,
368                 (u_int)src));
369     }
(kgdb) inspect nt
$1 = (struct ieee80211_node_table *) 0x0
#
# I'm not sure how to get gdb to tell me what line in the 802.11 code this
# is, but I'm assuming it's the call to IEEE80211_NODE_LOCK() that's
# failing due to a NULL nt.
#
(kgdb) inspect ic
$2 = (struct ieee80211com *) 0xc1bcf25c
(kgdb) inspect *ic
$3 = {ic_next = {sle_next = 0x0}, ic_ifp = 0xc1bcf000, ic_stats = {
    is_rx_badversion = 0, is_rx_tooshort = 0, is_rx_wrongbss = 0,
    is_rx_dup = 0, is_rx_wrongdir = 0, is_rx_mcastecho = 0,
    is_rx_notassoc = 0, is_rx_noprivacy = 0, is_rx_unencrypted = 0,
    is_rx_wepfail = 0, is_rx_decap = 0, is_rx_mgtdiscard = 0, is_rx_ctl = 0,
    is_rx_beacon = 0, is_rx_rstoobig = 0, is_rx_elem_missing = 0,
    is_rx_elem_toobig = 0, is_rx_elem_toosmall = 0, is_rx_elem_unknown = 0,
    is_rx_badchan = 0, is_rx_chanmismatch = 0, is_rx_nodealloc = 0,
    is_rx_ssidmismatch = 0, is_rx_auth_unsupported = 0, is_rx_auth_fail = 0,
    is_rx_auth_countermeasures = 0, is_rx_assoc_bss = 0,
    is_rx_assoc_notauth = 0, is_rx_assoc_capmismatch = 0,
    is_rx_assoc_norate = 0, is_rx_assoc_badwpaie = 0, is_rx_deauth = 0,
    is_rx_disassoc = 0, is_rx_badsubtype = 0, is_rx_nobuf = 0,
    is_rx_decryptcrc = 0, is_rx_ahdemo_mgt = 0, is_rx_bad_auth = 0,
    is_rx_unauth = 0, is_rx_badkeyid = 0, is_rx_ccmpreplay = 0,
    is_rx_ccmpformat = 0, is_rx_ccmpmic = 0, is_rx_tkipreplay = 0,
    is_rx_tkipformat = 0, is_rx_tkipmic = 0, is_rx_tkipicv = 0,
    is_rx_badcipher = 0, is_rx_nocipherctx = 0, is_rx_acl = 0,
    is_tx_nobuf = 0, is_tx_nonode = 0, is_tx_unknownmgt = 0,
    is_tx_badcipher = 0, is_tx_nodefkey = 0, is_tx_noheadroom = 0,
    is_scan_active = 0, is_scan_passive = 0, is_node_timeout = 0,
    is_crypto_nomem = 0, is_crypto_tkip = 0, is_crypto_tkipenmic = 0,
    is_crypto_tkipdemic = 0, is_crypto_tkipcm = 0, is_crypto_ccmp = 0,
    is_crypto_wep = 0, is_crypto_setkey_cipher = 0,
    is_crypto_setkey_nokey = 0, is_crypto_delkey = 0, is_crypto_badcipher = 0,
    is_crypto_nocipher = 1, is_crypto_attachfail = 0,
    is_crypto_swfallback = 0, is_crypto_keyfail = 0, is_ibss_capmismatch = 0,
    is_ibss_norate = 0, is_ps_unassoc = 0, is_ps_badaid = 0,
    is_ps_qempty = 0}, ic_sysctl = 0xc1bd2050, ic_debug = 0, ic_vap = 0,
  ic_beaconlock = {mtx_object = {lo_class = 0xc0719364,
      lo_name = 0xc06eaf51 "beacon",
      lo_type = 0xc06eaf3e "802.11 beacon lock", lo_flags = 196608, lo_list = {
        tqe_next = 0x0, tqe_prev = 0x0}, lo_witness = 0x0}, mtx_lock = 4,
    mtx_recurse = 0}, ic_reset = 0,
  ic_recv_mgmt = 0xc059e63c ,
  ic_send_mgmt = 0xc05a9948 ,
  ic_newstate = 0xc04c8e2c , ic_newassoc = 0, ic_updateslot = 0,
  ic_set_tim = 0xc05a8b8c , ic_myaddr = "\000\t[1'¤",
  ic_sup_rates = {{rs_nrates = 0 '\0', rs_rates = '\0' }, {
      rs_nrates = 0 '\0', rs_rates = '\0' }, {rs_nrates = 4 '\004',
      rs_rates = "\002\004\v\026\000\000\000\000\000\000\000\000\000\000"}, {
      rs_nrates = 0 '\0', rs_rates = '\0' }, {
      rs_nrates = 0 '\0', rs_rates = '\0' }, {
      rs_nrates = 0 '\0', rs_rates = '\0' }, {
      rs_nrates = 0 '\0', rs_rates = '\0' }}, ic_channels = {
    {ic_freq = 0, ic_flags = 0}, {ic_freq = 2412, ic_flags = 160}, {
      ic_freq = 2417, ic_flags = 160}, {ic_freq = 2422, ic_flags = 160}, {
      ic_freq = 2427, ic_flags = 160}, {ic_freq = 2432, ic_flags = 160}, {
      ic_freq = 2437, ic_flags = 160}, {ic_freq = 2442, ic_flags = 160}, {
      ic_freq = 2447, ic_flags = 160}, {ic_freq = 2452, ic_flags = 160}, {
      ic_freq = 2457, ic_flags = 160}, {ic_freq = 2462, ic_flags = 160}, {
      ic_freq = 0, ic_flags = 0} },
  ic_chan_avail = "þ\017", '\0' ,
  ic_chan_active = "þ\017", '\0' ,
  ic_chan_scan = '\0' , ic_scan = {nt_ic = 0xc1bcf25c,
    nt_nodelock = {mtx_object = {lo_class = 0xc0719364,
        lo_name = 0xc1bcf00c "wi0", lo_type = 0xc06ebe51 "802.11 node table",
        lo_flags = 196608, lo_list = {tqe_next = 0x0, tqe_prev = 0x0},
        lo_witness = 0x0}, mtx_lock = 4,
      mtx_recurse = 0}, nt_node = {
      tqh_first = 0xc1a6d800, tqh_last = 0xc1a6d808}, nt_hash = {{
        lh_first = 0x0}, {lh_first = 0x0}, {lh_first = 0x0}, {lh_first = 0x0},
      {lh_first = 0xc1a6d800}, {lh_first = 0x0} },
    nt_name = 0xc06f7e21 "scan", nt_scanlock = {mtx_object = {
        lo_class = 0xc0719364, lo_name = 0xc1bcf00c "wi0",
        lo_type = 0xc06ebe63 "802.11 scangen", lo_flags = 196608, lo_list = {
          tqe_next = 0x0, tqe_prev = 0x0}, lo_witness = 0x0}, mtx_lock = 4,
      mtx_recurse = 0}, nt_scangen = 1, nt_inact_timer = 13,
    nt_inact_init = 20,
    nt_timeout = 0xc05a7c0c }, ic_mgtq = {
    ifq_head = 0x0, ifq_tail = 0x0, ifq_len = 0, ifq_maxlen = 0,
    ifq_drops = 0, ifq_mtx = {mtx_object = {lo_class = 0xc0719364,
        lo_name = 0xc1bcf00c "wi0", lo_type = 0xc06ec7bb "mgmt send q",
        lo_flags = 196608, lo_list = {tqe_next = 0x0, tqe_prev = 0x0},
        lo_witness = 0x0}, mtx_lock = 4, mtx_recurse = 0}},
  ic_flags = 2228240, ic_caps = 67329, ic_modecaps = 5, ic_curmode = 0,
  ic_phytype = IEEE80211_T_DS, ic_opmode = IEEE80211_M_IBSS,
  ic_state = IEEE80211_S_RUN, ic_protmode = IEEE80211_PROT_CTSONLY,
  ic_roaming = IEEE80211_ROAMING_AUTO, ic_sta = 0x0,
  ic_aid_bitmap = 0xc1bd37e0, ic_max_aid = 256, ic_sta_assoc = 0,
  ic_ps_sta = 0, ic_ps_pending = 0, ic_tim_bitmap = 0xc1bd3780 "",
  ic_tim_len = 32, ic_dtim_period = 1, ic_media = {ifm_mask = 0,
    ifm_media = 384, ifm_cur = 0xc1bd3760, ifm_list = {lh_first = 0xc1a6fc20},
    ifm_change = 0xc04c7130 ,
    ifm_status = 0xc04c7490 }, ic_rawbpf = 0x0,
  ic_bss = 0xc1a6d800, ic_ibss_chan = 0xc1bcf46e, ic_fixed_rate = -1,
  ic_rtsthreshold = 2312, ic_fragthreshold = 2346,
  ic_node_alloc = 0xc05a5f9c ,
  ic_node_free = 0xc05a6140 ,
  ic_node_cleanup = 0xc05a5fb8 ,
  ic_node_getrssi = 0xc05a61bc , ic_lintval = 100,
  ic_holdover = 0, ic_txmin = 0, ic_txmax = 0, ic_txlifetime = 0,
  ic_txpowlimit = 100, ic_bmisstimeout = 700, ic_nonerpsta = 0,
  ic_longslotsta = 0, ic_mgt_timer = 0, ic_inact_timer = 0, ic_des_esslen = 5,
  ic_des_essid = "XXXXX", '\0' , ic_des_chan = 0xffff,
  ic_des_bssid = "\000\000\000\000\000", ic_opt_ie = 0x0, ic_opt_ie_len = 0,
  ic_inact_init = 2, ic_inact_auth = 12, ic_inact_run = 20,
  ic_inact_probe = 2, ic_wme = {wme_flags = 0, wme_hipri_traffic = 0,
    wme_hipri_switch_thresh = 0, wme_hipri_switch_hysteresis = 3,
    wme_params = {{wmep_acm = 0 '\0', wmep_aifsn = 0 '\0', wmep_logcwmin = 0 '\0',
        wmep_logcwmax = 0 '\0', wmep_txopLimit = 0 '\0', wmep_noackPolicy = 0 '\0'}, {
        wmep_acm = 0 '\0', wmep_aifsn = 0 '\0', wmep_logcwmin = 0 '\0',
        wmep_logcwmax = 0 '\0', wmep_txopLimit = 0 '\0', wmep_noackPolicy = 0 '\0'}, {
        wmep_acm = 0 '\0', wmep_aifsn = 0 '\0', wmep_logcwmin = 0 '\0',
        wmep_logcwmax = 0 '\0', wmep_txopLimit = 0 '\0', wmep_noackPolicy = 0 '\0'}, {
        wmep_acm = 0 '\0', wmep_aifsn = 0 '\0', wmep_logcwmin = 0 '\0',
        wmep_logcwmax = 0 '\0', wmep_txopLimit = 0 '\0', wmep_noackPolicy = 0 '\0'}},
    wme_wmeChanParams = {cap_info = 0 '\0',
      cap_wmeParams = {{wmep_acm = 0 '\0', wmep_aifsn = 0 '\0', wmep_logcwmin = 0 '\0',
          wmep_logcwmax = 0 '\0', wmep_txopLimit = 0 '\0', wmep_noackPolicy = 0 '\0'}, {
          wmep_acm = 0 '\0', wmep_aifsn = 0 '\0', wmep_logcwmin = 0 '\0',
          wmep_logcwmax = 0 '\0', wmep_txopLimit = 0 '\0', wmep_noackPolicy = 0 '\0'}, {
          wmep_acm = 0 '\0', wmep_aifsn = 0 '\0', wmep_logcwmin = 0 '\0',
          wmep_logcwmax = 0 '\0', wmep_txopLimit = 0 '\0', wmep_noackPolicy = 0 '\0'}, {
          wmep_acm = 0 '\0', wmep_aifsn = 0 '\0', wmep_logcwmin = 0 '\0',
          wmep_logcwmax = 0 '\0', wmep_txopLimit = 0 '\0', wmep_noackPolicy = 0 '\0'}}},
    wme_wmeBssChanParams = {cap_info = 0 '\0',
      cap_wmeParams = {{wmep_acm = 0 '\0', wmep_aifsn = 0 '\0', wmep_logcwmin = 0 '\0',
          wmep_logcwmax = 0 '\0', wmep_txopLimit = 0 '\0', wmep_noackPolicy = 0 '\0'}, {
          wmep_acm = 0 '\0', wmep_aifsn = 0 '\0', wmep_logcwmin = 0 '\0',
          wmep_logcwmax = 0 '\0', wmep_txopLimit = 0 '\0', wmep_noackPolicy = 0 '\0'}, {
          wmep_acm = 0 '\0', wmep_aifsn = 0 '\0', wmep_logcwmin = 0 '\0',
          wmep_logcwmax = 0 '\0', wmep_txopLimit = 0 '\0', wmep_noackPolicy = 0 '\0'}, {
          wmep_acm = 0 '\0', wmep_aifsn = 0 '\0', wmep_logcwmin = 0 '\0',
          wmep_logcwmax = 0 '\0', wmep_txopLimit = 0 '\0', wmep_noackPolicy = 0 '\0'}}},
    wme_chanParams = {cap_info = 0 '\0',
      cap_wmeParams = {{wmep_acm = 0 '\0', wmep_aifsn = 0 '\0', wmep_logcwmin = 0 '\0',
          wmep_logcwmax = 0 '\0', wmep_txopLimit = 0 '\0', wmep_noackPolicy = 0 '\0'}, {
          wmep_acm = 0 '\0', wmep_aifsn = 0 '\0', wmep_logcwmin = 0 '\0',
          wmep_logcwmax = 0 '\0', wmep_txopLimit = 0 '\0', wmep_noackPolicy = 0 '\0'}, {
          wmep_acm = 0 '\0', wmep_aifsn = 0 '\0', wmep_logcwmin = 0 '\0',
          wmep_logcwmax = 0 '\0', wmep_txopLimit = 0 '\0', wmep_noackPolicy = 0 '\0'}, {
          wmep_acm = 0 '\0', wmep_aifsn = 0 '\0', wmep_logcwmin = 0 '\0',
          wmep_logcwmax = 0 '\0', wmep_txopLimit = 0 '\0', wmep_noackPolicy = 0 '\0'}}},
    wme_bssChanParams = {cap_info = 0 '\0',
      cap_wmeParams = {{wmep_acm = 0 '\0', wmep_aifsn = 0 '\0', wmep_logcwmin = 0 '\0',
          wmep_logcwmax = 0 '\0', wmep_txopLimit = 0 '\0', wmep_noackPolicy = 0 '\0'}, {
          wmep_acm = 0 '\0', wmep_aifsn = 0 '\0', wmep_logcwmin = 0 '\0',
          wmep_logcwmax = 0 '\0', wmep_txopLimit = 0 '\0', wmep_noackPolicy = 0 '\0'}, {
          wmep_acm = 0 '\0', wmep_aifsn = 0 '\0', wmep_logcwmin = 0 '\0',
          wmep_logcwmax = 0 '\0', wmep_txopLimit = 0 '\0', wmep_noackPolicy = 0 '\0'}, {
          wmep_acm = 0 '\0', wmep_aifsn = 0 '\0', wmep_logcwmin = 0 '\0',
          wmep_logcwmax = 0 '\0', wmep_txopLimit = 0 '\0', wmep_noackPolicy = 0 '\0'}}},
    wme_update = 0}, ic_crypto = {
    cs_nw_keys = {{wk_keylen = 13 '\r', wk_flags = 3 '\003', wk_keyix = 0,
        wk_key = "XXXXXXXXXXXX\021", '\0' , wk_keyrsc = 0,
        wk_keytsc = 0, wk_cipher = 0xc1f7b080, wk_private = 0xc1a8f010}, {
        wk_keylen = 0 '\0', wk_flags = 3 '\003', wk_keyix = 1,
        wk_key = '\0' , wk_keyrsc = 0, wk_keytsc = 0,
        wk_cipher = 0xc06c2ac0, wk_private = 0xc1bcf25c}, {wk_keylen = 0 '\0',
        wk_flags = 3 '\003', wk_keyix = 2, wk_key = '\0' ,
        wk_keyrsc = 0, wk_keytsc = 0, wk_cipher = 0xc06c2ac0,
        wk_private = 0xc1bcf25c}, {wk_keylen = 0 '\0', wk_flags = 3 '\003',
        wk_keyix = 3, wk_key = '\0' , wk_keyrsc = 0,
        wk_keytsc = 0, wk_cipher = 0xc06c2ac0, wk_private = 0xc1bcf25c}},
    cs_def_txkey = 0, cs_key_alloc = 0xc059d048 ,
    cs_key_delete = 0xc059d054 ,
    cs_key_set = 0xc059d060 ,
    cs_key_update_begin = 0xc059d06c ,
    cs_key_update_end = 0xc059d06c }, ic_auth = 0xc06c3160,
  ic_ec = 0x0, ic_acl = 0x0, ic_as = 0x0}
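An added model (not FreeBSD's net80211 code, and not the fix the project later committed) of the state the dump shows: ic_opmode is IEEE80211_M_IBSS, ic_sta is 0x0, the embedded ic_scan table is valid, and a lookup that locks whichever table it selects faults the moment it selects ic_sta, exactly the NULL nt seen at IEEE80211_NODE_LOCK() from the wi_intr interrupt thread. The table-selection rule, the struct names and the is_rx_nonode counter are assumptions made for the illustration.

```c
#include <stddef.h>

/* Model of the state in the dump (hypothetical names, not net80211's):
 * IBSS mode, per-station table pointer NULL, scan table embedded and
 * valid, ic_bss pointing at the single IBSS node. */
struct node { int id; };
struct node_table { struct node *first; int lock_held; };
struct ieee80211com_model {
    int is_ibss;                 /* ic_opmode == IEEE80211_M_IBSS */
    struct node_table *ic_sta;   /* 0x0 in the dump */
    struct node_table ic_scan;   /* embedded, always present */
    struct node *ic_bss;         /* 0xc1a6d800 in the dump */
    unsigned is_rx_nonode;       /* hypothetical drop counter */
};

/* Which table the lookup consults. Sending unicast data frames to the
 * station table is a modelling assumption, not net80211's real rule.
 * A NULL result here is the state in which IEEE80211_NODE_LOCK(nt)
 * dereferences NULL and the kernel page-faults. */
static struct node_table *
select_rxtable(struct ieee80211com_model *ic, int unicast_data)
{
    return unicast_data ? ic->ic_sta : &ic->ic_scan;
}

/* Hardened lookup: never take a lock on a table that does not exist.
 * In IBSS mode fall back to the shared bss node; otherwise count the
 * frame as "no node" and drop it, so frames from a peer handled in an
 * interrupt thread (wi_intr in the trace) cannot crash the kernel. */
static struct node *
find_rxnode_checked(struct ieee80211com_model *ic, int unicast_data)
{
    struct node_table *nt = select_rxtable(ic, unicast_data);
    struct node *ni;

    if (nt == NULL) {
        if (ic->is_ibss)
            return ic->ic_bss;
        ic->is_rx_nonode++;
        return NULL;
    }
    nt->lock_held = 1;           /* stands in for IEEE80211_NODE_LOCK(nt) */
    ni = (nt->first != NULL) ? nt->first : ic->ic_bss;
    nt->lock_held = 0;           /* IEEE80211_NODE_UNLOCK(nt) */
    return ni;
}
```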