NetBSD Problem Report #32344
From www@netbsd.org Tue Dec 20 13:12:55 2005
Return-Path: <www@netbsd.org>
Received: by narn.netbsd.org (Postfix, from userid 31301)
id 4C86563B912; Tue, 20 Dec 2005 13:12:55 +0000 (UTC)
Message-Id: <20051220131255.4C86563B912@narn.netbsd.org>
Date: Tue, 20 Dec 2005 13:12:55 +0000 (UTC)
From: stephane.witzmann@gmail.com
Reply-To: stephane.witzmann@gmail.com
To: gnats-bugs@netbsd.org
Subject: atu(4) makes kernel crash
X-Send-Pr-Version: www-1.0
>Number: 32344
>Category: kern
>Synopsis: atu(4) makes kernel crash
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Dec 20 13:15:00 +0000 2005
>Last-Modified: Thu Jul 20 14:06:01 +0000 2006
>Originator: Stéphane Witzmann
>Release: 3.99.13
>Organization:
>Environment:
NetBSD keen 3.99.13 NetBSD 3.99.13 (GENERIC) #4: Tue Dec 20 04:00:32 CET 2005 durandil@wolfenstein:/home/durandil/NetBSD/head/cross/obj/sys/arch/i386/compile/GENERIC i386
>Description:
The atu driver crashes on current (kernel + userland snapshot from a few days ago). I also tried on a 2.1 userland with a current kernel and had the same results.
atu0 at uhub1 port 1 configuration 1 interface 0
atu0: Atmel BW002 Wireless adapter, rev 1.10/1.00, addr 2
atu0: reattaching after firmware upload
atu0: at uhub1 port 1 (addr 2) disconnected
atu0 detached
atu0 at uhub1 port 1 configuration 1 interface 0
atu0: Atmel BW002 Wireless adapter, rev 1.10/1.00, addr 2
atu0: MAC address 00:00:1c:0b:d8:b5
# ifconfig atu0 inet 10.0.0.1
uvm_fault(0xc0862900, 0xc13cb000, 0, 1) -> 0xe
kernel: supervisor trap page fault, code = 0
Stopped in pid 527.1 (ifconfig) at netbsd:atu_initial_config+0xc0: movzbl 0x990(%ebx,%eax,1),%eax
db> bt
atu_initial_config
atu_init
ether_ioctl
iee80211_ioctl
atu_ioctl
in_infinit
in_control
compat_ifioctl
ifioctl
sys_ioctl
syscall_plain
--- syscall (number 54) ---
The fault occurs in atu_initial_config(), at:
switch (ic->ic_nw_keys[ic->ic_def_txkey].wk_keylen)
At this time, ic->ic_def_txkey = 65535 (= IEEE80211_KEYIX_NONE, most probably initialized by ieee80211_crypto_attach()), which is far beyond the end of the array (size: IEEE80211_WEP_NKID = 4).
>How-To-Repeat:
Plug the device and use ifconfig or dhclient on it. By the way, it doesn't crash with 3.0RC5, only current.
>Fix:
>Release-Note:
>Audit-Trail:
From: "Stéphane Witzmann" <stephane.witzmann@gmail.com>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/32344: atu(4) makes kernel crash
Date: Sat, 15 Apr 2006 02:03:10 +0200
Checked if bug still present: yes it is.
NetBSD wolfenstein 3.99.17 NetBSD 3.99.17 (TEST) #7: Tue Apr 11 21:26:06 CEST 2006 durandil@wolfenstein:/home/durandil/NetBSD/head/cross/obj/sys/arch/i386/compile/TEST i386
From: Rui Paulo <rpaulo@fnop.net>
To: stephane.witzmann@gmail.com
Cc: gnats-bugs@NetBSD.org
Subject: Re: kern/32344
Date: Fri, 28 Apr 2006 12:48:58 +0100
Does it also happen when a WEP key is set?
Can you try checking for ic->ic_def_txkey == IEEE80211_KEYIX_NONE
before executing the switch statement and the for?
I.e.:
if (ic->ic_def_txkey != IEEE80211_KEYIX_NONE) {
	switch (ic->ic_nw_keys[ic->ic_def_txkey].wk_keylen) {
	case 5:
		cmd.EncryptionType = ATU_WEP_40BITS;
		break;
	case 13:
		cmd.EncryptionType = ATU_WEP_104BITS;
		break;
	default:
		cmd.EncryptionType = ATU_WEP_OFF;
		break;
	}
	cmd.WEP_DefaultKeyID = ic->ic_def_txkey;
	for (i = 0; i < IEEE80211_WEP_NKID; i++) {
		memcpy(cmd.WEP_DefaultKey[i], ic->ic_nw_keys[i].wk_key,
		    ic->ic_nw_keys[i].wk_keylen);
	}
}
--
Rui Paulo <rpaulo@{NetBSD{,-PT}.org,fnop.net}>
Responsible-Changed-From-To: kern-bug-people->rpaulo
Responsible-Changed-By: rpaulo@netbsd.org
Responsible-Changed-When: Mon, 08 May 2006 13:48:37 +0000
Responsible-Changed-Why:
mine
From: Rui Paulo <rpaulo@fnop.net>
To: gnats-bugs@NetBSD.org,
Stéphane Witzmann <stephane.witzmann@gmail.com>
Cc:
Subject: Re: kern/32344
Date: Mon, 08 May 2006 20:35:12 +0100
Please try this patch (I think the card you sent me doesn't work in my
country or something else is wrong with my AP):
Index: if_atu.c
===================================================================
RCS file: /cvsroot/src/sys/dev/usb/if_atu.c,v
retrieving revision 1.15
diff -u -p -r1.15 if_atu.c
--- if_atu.c 8 May 2006 17:12:42 -0000 1.15
+++ if_atu.c 8 May 2006 19:34:09 -0000
@@ -479,6 +479,8 @@ atu_start_scan(struct atu_softc *sc)
else
Scan.Channel = sc->atu_channel;
+ ic->ic_curchan = &ic->ic_channels[Scan.Channel];
+
/* we like scans to be quick :) */
/* the time we wait before sending probe's */
USETW(Scan.ProbeDelay, 0);
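Review bot: The added ic->ic_curchan = &ic->ic_channels[Scan.Channel]; in atu_start_scan() indexes ic_channels with a value that the visible context never range-checks (in the else branch it is simply sc->atu_channel), which is the same kind of unchecked array index this PR is about. Validate Scan.Channel against the size of ic_channels before taking the address. The assignment is also unrelated to the atu_initial_config() fault and the message does not explain it, so a short comment or a separate patch would help.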
@@ -606,23 +608,25 @@ atu_initial_config(struct atu_softc *sc)
cmd.ExcludeUnencrypted = 0;
- switch (ic->ic_nw_keys[ic->ic_def_txkey].wk_keylen) {
- case 5:
- cmd.EncryptionType = ATU_WEP_40BITS;
- break;
- case 13:
- cmd.EncryptionType = ATU_WEP_104BITS;
- break;
- default:
- cmd.EncryptionType = ATU_WEP_OFF;
- break;
- }
+ if (ic->ic_flags & IEEE80211_F_PRIVACY) {
+ switch (ic->ic_nw_keys[ic->ic_def_txkey].wk_keylen) {
+ case 5:
+ cmd.EncryptionType = ATU_WEP_40BITS;
+ break;
+ case 13:
+ cmd.EncryptionType = ATU_WEP_104BITS;
+ break;
+ default:
+ cmd.EncryptionType = ATU_WEP_OFF;
+ break;
+ }
- cmd.WEP_DefaultKeyID = ic->ic_def_txkey;
- for (i = 0; i < IEEE80211_WEP_NKID; i++) {
- memcpy(cmd.WEP_DefaultKey[i], ic->ic_nw_keys[i].wk_key,
- ic->ic_nw_keys[i].wk_keylen);
+ cmd.WEP_DefaultKeyID = ic->ic_def_txkey;
+ for (i = 0; i < IEEE80211_WEP_NKID; i++) {
+ memcpy(cmd.WEP_DefaultKey[i], ic->ic_nw_keys[i].wk_key,
+ ic->ic_nw_keys[i].wk_keylen);
+ }
}
/* Setting the SSID here doesn't seem to do anything */
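Review bot: In atu_initial_config() the new IEEE80211_F_PRIVACY test does not constrain ic->ic_def_txkey, so ic->ic_nw_keys[ic->ic_def_txkey] is still read with whatever index is stored there; if the privacy flag can be set while ic_def_txkey is IEEE80211_KEYIX_NONE, the fault from the report recurs. Add ic->ic_def_txkey < IEEE80211_WEP_NKID to the condition. With the block now conditional, cmd.EncryptionType and cmd.WEP_DefaultKeyID are no longer assigned in this hunk when the flag is clear, so an explicit else that sets ATU_WEP_OFF would make that case obvious. The memcpy length wk_keylen is also still not bounded by the size of cmd.WEP_DefaultKey[i].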
@@ -1100,8 +1104,7 @@ atu_task(void *arg)
USBDEVNAME(sc->atu_dev)));
s = splnet();
- /* ieee80211_next_scan(ifp); */
- ieee80211_end_scan(ic);
+ ieee80211_next_scan(ic);
splx(s);
DPRINTF(("%s: ----------------------======> END OF SCAN2!\n",
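Review bot: In atu_task() replacing ieee80211_end_scan(ic) with ieee80211_next_scan(ic) changes scan behaviour rather than anything on the crash path, and the DPRINTF that follows still announces END OF SCAN2, which no longer matches the call. Either explain in the message why the scan should continue here and update the debug text, or send this as a separate change. Note also that the removed comment passed ifp while the new call passes ic.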
--
Rui Paulo <rpaulo@{NetBSD{,-PT}.org,fnop.net}>
Responsible-Changed-From-To: rpaulo->kern-bug-people
Responsible-Changed-By: rpaulo@netbsd.org
Responsible-Changed-When: Thu, 20 Jul 2006 14:06:01 +0000
Responsible-Changed-Why:
can't work on this any longer
>Unformatted:
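The out-of-range index from the description (ic_def_txkey = 65535 against the four-entry ic_nw_keys array) can be modelled in user space. This is an added example, not NetBSD source and not part of the report or its replies; the model_* names, the struct layouts and MODEL_KEYBUF are assumptions. It goes slightly beyond the thread by range-checking the index instead of comparing with IEEE80211_KEYIX_NONE and by clamping the copy length.

```c
/* Added example: user-space model, not NetBSD source. Struct layouts are
 * simplified assumptions; only the two IEEE80211_* values come from the report. */
#include <stdint.h>
#include <string.h>

#define IEEE80211_WEP_NKID   4        /* array size given in the report */
#define IEEE80211_KEYIX_NONE 0xffff   /* 65535, as observed in the report */
#define MODEL_KEYBUF         13       /* assumed: room for a 104-bit WEP key */

enum model_enc { MODEL_WEP_OFF, MODEL_WEP_40BITS, MODEL_WEP_104BITS };

struct model_key { uint8_t wk_keylen; uint8_t wk_key[16]; };
struct model_ic {
    uint16_t ic_def_txkey;
    struct model_key ic_nw_keys[IEEE80211_WEP_NKID];
};
struct model_cmd {
    enum model_enc EncryptionType;
    uint8_t WEP_DefaultKeyID;
    uint8_t WEP_DefaultKey[IEEE80211_WEP_NKID][MODEL_KEYBUF];
};

/* Fill cmd from ic; returns 0 if WEP was configured, -1 if it was left off. */
int model_config_wep(const struct model_ic *ic, struct model_cmd *cmd)
{
    memset(cmd, 0, sizeof(*cmd));
    cmd->EncryptionType = MODEL_WEP_OFF;

    /* Range check rejects IEEE80211_KEYIX_NONE and any other bad index. */
    if (ic->ic_def_txkey >= IEEE80211_WEP_NKID)
        return -1;

    switch (ic->ic_nw_keys[ic->ic_def_txkey].wk_keylen) {
    case 5:  cmd->EncryptionType = MODEL_WEP_40BITS;  break;
    case 13: cmd->EncryptionType = MODEL_WEP_104BITS; break;
    default: return -1;             /* unsupported length: stay off */
    }
    cmd->WEP_DefaultKeyID = (uint8_t)ic->ic_def_txkey;

    for (int i = 0; i < IEEE80211_WEP_NKID; i++) {
        size_t n = ic->ic_nw_keys[i].wk_keylen;
        if (n > MODEL_KEYBUF)       /* never copy past the command buffer */
            n = MODEL_KEYBUF;
        memcpy(cmd->WEP_DefaultKey[i], ic->ic_nw_keys[i].wk_key, n);
    }
    return 0;
}
```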