NetBSD Problem Report #32344

From www@netbsd.org  Tue Dec 20 13:12:55 2005
Return-Path: <www@netbsd.org>
Received: by narn.netbsd.org (Postfix, from userid 31301)
	id 4C86563B912; Tue, 20 Dec 2005 13:12:55 +0000 (UTC)
Message-Id: <20051220131255.4C86563B912@narn.netbsd.org>
Date: Tue, 20 Dec 2005 13:12:55 +0000 (UTC)
From: stephane.witzmann@gmail.com
Reply-To: stephane.witzmann@gmail.com
To: gnats-bugs@netbsd.org
Subject: atu(4) makes kernel crash
X-Send-Pr-Version: www-1.0

>Number:         32344
>Category:       kern
>Synopsis:       atu(4) makes kernel crash
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Dec 20 13:15:00 +0000 2005
>Last-Modified:  Thu Jul 20 14:06:01 +0000 2006
>Originator:     Stéphane Witzmann
>Release:        3.99.13
>Organization:
>Environment:
NetBSD keen 3.99.13 NetBSD 3.99.13 (GENERIC) #4: Tue Dec 20 04:00:32 CET 2005  durandil@wolfenstein:/home/durandil/NetBSD/head/cross/obj/sys/arch/i386/compile/GENERIC i386

>Description:
The atu driver crashes on current (kernel + userland snapshot from a few days ago). I also tried on a 2.1 userland with a current kernel and had the same results.

atu0 at uhub1 port 1 configuration 1 interface 0
atu0: Atmel BW002 Wireless adapter, rev 1.10/1.00, addr 2
atu0: reattaching after firmware upload
atu0: at uhub1 port 1 (addr 2) disconnected
atu0 detached
atu0 at uhub1 port 1 configuration 1 interface 0
atu0: Atmel BW002 Wireless adapter, rev 1.10/1.00, addr 2
atu0: MAC address 00:00:1c:0b:d8:b5

# ifconfig atu0 inet 10.0.0.1
uvm_fault(0xc0862900, 0xc13cb000, 0, 1) -> 0xe
kernel: supervisor trap page fault, code = 0
Stopped in pid 527.1 (ifconfig) at netbsd:atu_initial_config+0xc0: movzbl 0x990(%ebx,%eax,1),%eax

db> bt
atu_initial_config
atu_init
ether_ioctl
iee80211_ioctl
atu_ioctl
in_infinit
in_control
compat_ifioctl
ifioctl
sys_ioctl
syscall_plain
--- syscall (number 54) ---



The fault occurs in atu_initial_config(), at:
switch (ic->ic_nw_keys[ic->ic_def_txkey].wk_keylen)

At this time, ic->ic_def_txkey = 65535 (= IEEE80211_KEYIX_NONE, most
probably initialized by ieee80211_crypto_attach()), which is far beyond the end of the array (size: IEEE80211_WEP_NKID = 4).

>How-To-Repeat:
Plug the device and use ifconfig or dhclient on it. By the way, it doesn't crash with 3.0RC5, only current.

>Fix:

>Release-Note:

>Audit-Trail:
From: "Stéphane Witzmann" <stephane.witzmann@gmail.com>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: kern/32344: atu(4) makes kernel crash
Date: Sat, 15 Apr 2006 02:03:10 +0200

 Checked if bug still present: yes it is.

 NetBSD wolfenstein 3.99.17 NetBSD 3.99.17 (TEST) #7: Tue Apr 11 21:26:06 CEST 2006 durandil@wolfenstein:/home/durandil/NetBSD/head/cross/obj/sys/arch/i386/compile/TEST i386

From: Rui Paulo <rpaulo@fnop.net>
To: stephane.witzmann@gmail.com
Cc: gnats-bugs@NetBSD.org
Subject: Re: kern/32344
Date: Fri, 28 Apr 2006 12:48:58 +0100

 Does it also happen when a WEP key is set?
 Can you try checking for ic->ic_def_txkey == IEEE80211_KEYIX_NONE
 before executing the switch statement and the for loop?
 I.e.:
         if (ic->ic_def_txkey != IEEE80211_KEYIX_NONE) {
                 switch (ic->ic_nw_keys[ic->ic_def_txkey].wk_keylen) {
                 case 5:
                         cmd.EncryptionType = ATU_WEP_40BITS;
                         break;
                 case 13:
                         cmd.EncryptionType = ATU_WEP_104BITS;
                         break;
                 default:
                         cmd.EncryptionType = ATU_WEP_OFF;
                         break;
                 }

                 cmd.WEP_DefaultKeyID = ic->ic_def_txkey;
                 for (i = 0; i < IEEE80211_WEP_NKID; i++) {
                         memcpy(cmd.WEP_DefaultKey[i], ic->ic_nw_keys[i].wk_key,
                             ic->ic_nw_keys[i].wk_keylen);
                 }
         }
 -- 
   Rui Paulo			<rpaulo@{NetBSD{,-PT}.org,fnop.net}>
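An added example, not code from this PR or from the atu(4) driver, modelling the fault the report describes (ic_def_txkey = 65535 = IEEE80211_KEYIX_NONE used as an index into a 4-entry array) and the key-index check proposed in the reply above. The struct layouts, the ATU_WEP_* values and WEP_KEYBUF are simplified stand-ins; only the names and the 65535 / 4 values come from the PR.

```c
#include <stdint.h>
#include <string.h>
/* Constants named as in the PR; KEYIX_NONE = 65535 as the report states,
 * the rest are stand-in values, not copied from the NetBSD headers. */
#define IEEE80211_WEP_NKID   4
#define IEEE80211_KEYIX_NONE 0xffffU
#define ATU_WEP_OFF          0
#define ATU_WEP_40BITS       1
#define ATU_WEP_104BITS      2
#define WEP_KEYBUF           13   /* constructed: longest WEP key copied */

struct wep_key { uint8_t wk_keylen; uint8_t wk_key[WEP_KEYBUF]; };

/* Simplified stand-ins for the ic and cmd structures the driver uses. */
struct ic_model {
    uint16_t       ic_def_txkey;
    struct wep_key ic_nw_keys[IEEE80211_WEP_NKID];
};

struct atu_cmd_model {
    int     EncryptionType;
    uint8_t WEP_DefaultKeyID;
    uint8_t WEP_DefaultKey[IEEE80211_WEP_NKID][WEP_KEYBUF];
};

/* Hardened form of the switch: validate ic_def_txkey before it is used as
 * an index. Returns 0 on success, -1 when no usable default key exists
 * (the command is then left with encryption off). */
int atu_fill_wep(const struct ic_model *ic, struct atu_cmd_model *cmd)
{
    uint16_t kix = ic->ic_def_txkey;
    memset(cmd, 0, sizeof(*cmd));
    cmd->EncryptionType = ATU_WEP_OFF;
    /* 65535 (IEEE80211_KEYIX_NONE) is far past a 4-entry array. */
    if (kix == IEEE80211_KEYIX_NONE || kix >= IEEE80211_WEP_NKID)
        return -1;
    switch (ic->ic_nw_keys[kix].wk_keylen) {
    case 5:  cmd->EncryptionType = ATU_WEP_40BITS;  break;
    case 13: cmd->EncryptionType = ATU_WEP_104BITS; break;
    default: cmd->EncryptionType = ATU_WEP_OFF;     break;
    }
    cmd->WEP_DefaultKeyID = (uint8_t)kix;
    for (int i = 0; i < IEEE80211_WEP_NKID; i++) {
        size_t n = ic->ic_nw_keys[i].wk_keylen;
        if (n > WEP_KEYBUF) n = WEP_KEYBUF;   /* bound the copy length too */
        memcpy(cmd->WEP_DefaultKey[i], ic->ic_nw_keys[i].wk_key, n);
    }
    return 0;
}
```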

Responsible-Changed-From-To: kern-bug-people->rpaulo
Responsible-Changed-By: rpaulo@netbsd.org
Responsible-Changed-When: Mon, 08 May 2006 13:48:37 +0000
Responsible-Changed-Why:
mine


From: Rui Paulo <rpaulo@fnop.net>
To: gnats-bugs@NetBSD.org,
	Stéphane Witzmann <stephane.witzmann@gmail.com>
Cc: 
Subject: Re: kern/32344
Date: Mon, 08 May 2006 20:35:12 +0100

 Please try this patch (I think the card you sent me doesn't work on my
 country or something else is wrong with my AP):

 Index: if_atu.c
 ===================================================================
 RCS file: /cvsroot/src/sys/dev/usb/if_atu.c,v
 retrieving revision 1.15
 diff -u -p -r1.15 if_atu.c
 --- if_atu.c	8 May 2006 17:12:42 -0000	1.15
 +++ if_atu.c	8 May 2006 19:34:09 -0000
 @@ -479,6 +479,8 @@ atu_start_scan(struct atu_softc *sc)
  	else
  		Scan.Channel = sc->atu_channel;

 +	ic->ic_curchan = &ic->ic_channels[Scan.Channel];
 +
  	/* we like scans to be quick :) */
  	/* the time we wait before sending probe's */
  	USETW(Scan.ProbeDelay, 0);
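Review bot: the new line `ic->ic_curchan = &ic->ic_channels[Scan.Channel];` indexes ic_channels with Scan.Channel, which the context just above takes from sc->atu_channel, and nothing in the hunk checks that value against the size of the channel table; an out-of-range channel number would yield a pointer past the array. Suggest validating Scan.Channel (or at least a KASSERT on it) before taking the address.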
 @@ -606,23 +608,25 @@ atu_initial_config(struct atu_softc *sc)

  	cmd.ExcludeUnencrypted = 0;

 -	switch (ic->ic_nw_keys[ic->ic_def_txkey].wk_keylen) {
 -	case 5:
 -		cmd.EncryptionType = ATU_WEP_40BITS;
 -		break;
 -	case 13:
 -		cmd.EncryptionType = ATU_WEP_104BITS;
 -		break;
 -	default:
 -		cmd.EncryptionType = ATU_WEP_OFF;
 -		break;
 -	}
 +	if (ic->ic_flags & IEEE80211_F_PRIVACY) {
 +		switch (ic->ic_nw_keys[ic->ic_def_txkey].wk_keylen) {
 +		case 5:
 +			cmd.EncryptionType = ATU_WEP_40BITS;
 +			break;
 +		case 13:
 +			cmd.EncryptionType = ATU_WEP_104BITS;
 +			break;
 +		default:
 +			cmd.EncryptionType = ATU_WEP_OFF;
 +			break;
 +		}


 -	cmd.WEP_DefaultKeyID = ic->ic_def_txkey;
 -	for (i = 0; i < IEEE80211_WEP_NKID; i++) {
 -		memcpy(cmd.WEP_DefaultKey[i], ic->ic_nw_keys[i].wk_key, 
 -		    ic->ic_nw_keys[i].wk_keylen); 
 +		cmd.WEP_DefaultKeyID = ic->ic_def_txkey;
 +		for (i = 0; i < IEEE80211_WEP_NKID; i++) {
 +			memcpy(cmd.WEP_DefaultKey[i], ic->ic_nw_keys[i].wk_key, 
 +			    ic->ic_nw_keys[i].wk_keylen); 
 +		}
  	}

  	/* Setting the SSID here doesn't seem to do anything */
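Review bot: the guard `if (ic->ic_flags & IEEE80211_F_PRIVACY)` is not the condition this PR identifies as the crash; the fault is ic_def_txkey == IEEE80211_KEYIX_NONE (65535) being used to index a 4-entry array, and the hunk never tests that value, so a privacy-enabled state with no default key selected would still index out of range. Suggest adding `ic->ic_def_txkey != IEEE80211_KEYIX_NONE` (the check proposed earlier in this PR) to the condition, and an `else cmd.EncryptionType = ATU_WEP_OFF;` so the field is set explicitly when the block is skipped, since the removed code always assigned it and the hunk does not show cmd being zeroed.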
 @@ -1100,8 +1104,7 @@ atu_task(void *arg)
  		    USBDEVNAME(sc->atu_dev)));

  		s = splnet();
 -		/* ieee80211_next_scan(ifp); */
 -		ieee80211_end_scan(ic);
 +		ieee80211_next_scan(ic);
  		splx(s);

  		DPRINTF(("%s: ----------------------======> END OF SCAN2!\n",
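Review bot: replacing ieee80211_end_scan(ic) with ieee80211_next_scan(ic) changes scan behaviour and is unrelated to the ic_def_txkey crash this PR tracks; it deserves its own commit message explaining why, or a separate change. Dropping the stale `/* ieee80211_next_scan(ifp); */` comment is fine, since the call now takes ic rather than ifp.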

 -- 
   Rui Paulo			<rpaulo@{NetBSD{,-PT}.org,fnop.net}>

Responsible-Changed-From-To: rpaulo->kern-bug-people
Responsible-Changed-By: rpaulo@netbsd.org
Responsible-Changed-When: Thu, 20 Jul 2006 14:06:01 +0000
Responsible-Changed-Why:
can't work on this any longer


>Unformatted:
