Problem with 802.11 ad hoc with WEP: NULL pointer dereference
Robert Watson
rwatson at FreeBSD.org
Sat Dec 25 12:33:12 PST 2004
I recently upgraded a kernel on my notebook to Dec 23. I don't have the
date of the previous kernel on-hand, but I suspect it was late November
from before I was on travel. I have a local configuration I sometimes use
with adhoc 802.11 on a prism card using WEP, using a FreeBSD notebook as a
proxy to reach a wired network. The other system is a Mac OS X notebook.
As of the upgrade, I get a kernel page fault on the FreeBSD system
whenever I attempt to use the Mac OS X box with wireless. In fact,
booting the Mac OS X box causes the FreeBSD box to panic, presumably as
the Mac OS X box says "Hi, I'm here!". The panic is a NULL pointer
dereference in ieee80211_find_rxnode(). I don't have the complete trap
message due to not having a serial console for the box, but below is some
core information. This is highly reproducible; please let me know if
more information is needed.
Robert N M Watson FreeBSD Core Team, TrustedBSD Projects
robert at fledge.watson.org Principal Research Scientist, McAfee Research
#21 0x00000002 in ?? ()
#22 0xc05a6b2b in ieee80211_find_rxnode (ic=0xc1bcf25c, wh=0xc1bb8730)
at atomic.h:365
#23 0xc04ca7c7 in wi_intr (arg=0xc1bcf000) at
/usr/src/sys/dev/wi/if_wi.c:1533
#24 0xc0506d8d in ithread_loop (arg=0xc197b780)
at /usr/src/sys/kern/kern_intr.c:547
#25 0xc0505e8c in fork_exit (callout=0xc0506ce0 <ithread_loop>,
arg=0xc197b780, frame=0xd418fd48) at /usr/src/sys/kern/kern_fork.c:790
#26 0xc069619c in fork_trampoline () at
/usr/src/sys/i386/i386/exception.s:209
(kgdb) frame 22
#22 0xc05a6b2b in ieee80211_find_rxnode (ic=0xc1bcf25c, wh=0xc1bb8730)
at atomic.h:365
365 {
(kgdb) list
360 #define atomic_readandclear_32 atomic_readandclear_int
361
362 #if !defined(WANT_FUNCTIONS)
363 static __inline int
364 atomic_cmpset_ptr(volatile void *dst, void *exp, void *src)
365 {
366
367 return (atomic_cmpset_int((volatile u_int *)dst, (u_int)exp,
368 (u_int)src));
369 }
(kgdb) inspect nt
$1 = (struct ieee80211_node_table *) 0x0
#
# I'm not sure how to get gdb to tell me which line of the 802.11 code this
# corresponds to, but I'm assuming it's the call to IEEE80211_NODE_LOCK() that
# faults because nt is NULL (see $1 above).
#
(kgdb) inspect ic
$2 = (struct ieee80211com *) 0xc1bcf25c
(kgdb) inspect *ic
$3 = {ic_next = {sle_next = 0x0}, ic_ifp = 0xc1bcf000, ic_stats = {
is_rx_badversion = 0, is_rx_tooshort = 0, is_rx_wrongbss = 0,
is_rx_dup = 0, is_rx_wrongdir = 0, is_rx_mcastecho = 0,
is_rx_notassoc = 0, is_rx_noprivacy = 0, is_rx_unencrypted = 0,
is_rx_wepfail = 0, is_rx_decap = 0, is_rx_mgtdiscard = 0, is_rx_ctl =
0,
is_rx_beacon = 0, is_rx_rstoobig = 0, is_rx_elem_missing = 0,
is_rx_elem_toobig = 0, is_rx_elem_toosmall = 0, is_rx_elem_unknown =
0,
is_rx_badchan = 0, is_rx_chanmismatch = 0, is_rx_nodealloc = 0,
is_rx_ssidmismatch = 0, is_rx_auth_unsupported = 0, is_rx_auth_fail =
0,
is_rx_auth_countermeasures = 0, is_rx_assoc_bss = 0,
is_rx_assoc_notauth = 0, is_rx_assoc_capmismatch = 0,
is_rx_assoc_norate = 0, is_rx_assoc_badwpaie = 0, is_rx_deauth = 0,
is_rx_disassoc = 0, is_rx_badsubtype = 0, is_rx_nobuf = 0,
is_rx_decryptcrc = 0, is_rx_ahdemo_mgt = 0, is_rx_bad_auth = 0,
is_rx_unauth = 0, is_rx_badkeyid = 0, is_rx_ccmpreplay = 0,
is_rx_ccmpformat = 0, is_rx_ccmpmic = 0, is_rx_tkipreplay = 0,
is_rx_tkipformat = 0, is_rx_tkipmic = 0, is_rx_tkipicv = 0,
is_rx_badcipher = 0, is_rx_nocipherctx = 0, is_rx_acl = 0,
is_tx_nobuf = 0, is_tx_nonode = 0, is_tx_unknownmgt = 0,
is_tx_badcipher = 0, is_tx_nodefkey = 0, is_tx_noheadroom = 0,
is_scan_active = 0, is_scan_passive = 0, is_node_timeout = 0,
is_crypto_nomem = 0, is_crypto_tkip = 0, is_crypto_tkipenmic = 0,
is_crypto_tkipdemic = 0, is_crypto_tkipcm = 0, is_crypto_ccmp = 0,
is_crypto_wep = 0, is_crypto_setkey_cipher = 0,
is_crypto_setkey_nokey = 0, is_crypto_delkey = 0, is_crypto_badcipher
= 0,
is_crypto_nocipher = 1, is_crypto_attachfail = 0,
is_crypto_swfallback = 0, is_crypto_keyfail = 0, is_ibss_capmismatch =
0,
is_ibss_norate = 0, is_ps_unassoc = 0, is_ps_badaid = 0,
is_ps_qempty = 0}, ic_sysctl = 0xc1bd2050, ic_debug = 0, ic_vap = 0,
ic_beaconlock = {mtx_object = {lo_class = 0xc0719364,
lo_name = 0xc06eaf51 "beacon",
lo_type = 0xc06eaf3e "802.11 beacon lock", lo_flags = 196608,
lo_list = {
tqe_next = 0x0, tqe_prev = 0x0}, lo_witness = 0x0}, mtx_lock = 4,
mtx_recurse = 0}, ic_reset = 0,
ic_recv_mgmt = 0xc059e63c <ieee80211_recv_mgmt>,
ic_send_mgmt = 0xc05a9948 <ieee80211_send_mgmt>,
ic_newstate = 0xc04c8e2c <wi_newstate>, ic_newassoc = 0, ic_updateslot =
0,
ic_set_tim = 0xc05a8b8c <ieee80211_set_tim>, ic_myaddr = "\000\t[1'¤",
ic_sup_rates = {{rs_nrates = 0 '\0', rs_rates = '\0' <repeats 14
times>}, {
rs_nrates = 0 '\0', rs_rates = '\0' <repeats 14 times>}, {
rs_nrates = 4 '\004',
rs_rates =
"\002\004\v\026\000\000\000\000\000\000\000\000\000\000"}, {
rs_nrates = 0 '\0', rs_rates = '\0' <repeats 14 times>}, {
rs_nrates = 0 '\0', rs_rates = '\0' <repeats 14 times>}, {
rs_nrates = 0 '\0', rs_rates = '\0' <repeats 14 times>}, {
rs_nrates = 0 '\0', rs_rates = '\0' <repeats 14 times>}},
ic_channels = {
{ic_freq = 0, ic_flags = 0}, {ic_freq = 2412, ic_flags = 160}, {
ic_freq = 2417, ic_flags = 160}, {ic_freq = 2422, ic_flags = 160}, {
ic_freq = 2427, ic_flags = 160}, {ic_freq = 2432, ic_flags = 160}, {
ic_freq = 2437, ic_flags = 160}, {ic_freq = 2442, ic_flags = 160}, {
ic_freq = 2447, ic_flags = 160}, {ic_freq = 2452, ic_flags = 160}, {
ic_freq = 2457, ic_flags = 160}, {ic_freq = 2462, ic_flags = 160}, {
ic_freq = 0, ic_flags = 0} <repeats 244 times>},
ic_chan_avail = "þ\017", '\0' <repeats 29 times>,
ic_chan_active = "þ\017", '\0' <repeats 29 times>,
ic_chan_scan = '\0' <repeats 31 times>, ic_scan = {nt_ic = 0xc1bcf25c,
nt_nodelock = {mtx_object = {lo_class = 0xc0719364,
lo_name = 0xc1bcf00c "wi0", lo_type = 0xc06ebe51 "802.11 node
table",
lo_flags = 196608, lo_list = {tqe_next = 0x0, tqe_prev = 0x0},
lo_witness = 0x0}, mtx_lock = 4, mtx_recurse = 0}, nt_node = {
tqh_first = 0xc1a6d800, tqh_last = 0xc1a6d808}, nt_hash = {{
lh_first = 0x0}, {lh_first = 0x0}, {lh_first = 0x0}, {lh_first =
0x0},
{lh_first = 0xc1a6d800}, {lh_first = 0x0} <repeats 27 times>},
nt_name = 0xc06f7e21 "scan", nt_scanlock = {mtx_object = {
lo_class = 0xc0719364, lo_name = 0xc1bcf00c "wi0",
lo_type = 0xc06ebe63 "802.11 scangen", lo_flags = 196608, lo_list
= {
tqe_next = 0x0, tqe_prev = 0x0}, lo_witness = 0x0}, mtx_lock =
4,
mtx_recurse = 0}, nt_scangen = 1, nt_inact_timer = 13,
nt_inact_init = 20,
nt_timeout = 0xc05a7c0c <ieee80211_timeout_scan_candidates>}, ic_mgtq
= {
ifq_head = 0x0, ifq_tail = 0x0, ifq_len = 0, ifq_maxlen = 0,
ifq_drops = 0, ifq_mtx = {mtx_object = {lo_class = 0xc0719364,
lo_name = 0xc1bcf00c "wi0", lo_type = 0xc06ec7bb "mgmt send q",
lo_flags = 196608, lo_list = {tqe_next = 0x0, tqe_prev = 0x0},
lo_witness = 0x0}, mtx_lock = 4, mtx_recurse = 0}},
ic_flags = 2228240, ic_caps = 67329, ic_modecaps = 5, ic_curmode = 0,
ic_phytype = IEEE80211_T_DS, ic_opmode = IEEE80211_M_IBSS,
ic_state = IEEE80211_S_RUN, ic_protmode = IEEE80211_PROT_CTSONLY,
ic_roaming = IEEE80211_ROAMING_AUTO, ic_sta = 0x0,
ic_aid_bitmap = 0xc1bd37e0, ic_max_aid = 256, ic_sta_assoc = 0,
ic_ps_sta = 0, ic_ps_pending = 0, ic_tim_bitmap = 0xc1bd3780 "",
ic_tim_len = 32, ic_dtim_period = 1, ic_media = {ifm_mask = 0,
ifm_media = 384, ifm_cur = 0xc1bd3760, ifm_list = {lh_first =
0xc1a6fc20},
ifm_change = 0xc04c7130 <wi_media_change>,
ifm_status = 0xc04c7490 <wi_media_status>}, ic_rawbpf = 0x0,
ic_bss = 0xc1a6d800, ic_ibss_chan = 0xc1bcf46e, ic_fixed_rate = -1,
ic_rtsthreshold = 2312, ic_fragthreshold = 2346,
ic_node_alloc = 0xc05a5f9c <node_alloc>,
ic_node_free = 0xc05a6140 <node_free>,
ic_node_cleanup = 0xc05a5fb8 <node_cleanup>,
ic_node_getrssi = 0xc05a61bc <node_getrssi>, ic_lintval = 100,
ic_holdover = 0, ic_txmin = 0, ic_txmax = 0, ic_txlifetime = 0,
ic_txpowlimit = 100, ic_bmisstimeout = 700, ic_nonerpsta = 0,
ic_longslotsta = 0, ic_mgt_timer = 0, ic_inact_timer = 0, ic_des_esslen
= 5,
ic_des_essid = "XXXXX", '\0' <repeats 26 times>, ic_des_chan = 0xffff,
ic_des_bssid = "\000\000\000\000\000", ic_opt_ie = 0x0, ic_opt_ie_len =
0,
ic_inact_init = 2, ic_inact_auth = 12, ic_inact_run = 20,
ic_inact_probe = 2, ic_wme = {wme_flags = 0, wme_hipri_traffic = 0,
wme_hipri_switch_thresh = 0, wme_hipri_switch_hysteresis = 3,
wme_params = {{wmep_acm = 0 '\0', wmep_aifsn = 0 '\0',
wmep_logcwmin = 0 '\0', wmep_logcwmax = 0 '\0',
wmep_txopLimit = 0 '\0', wmep_noackPolicy = 0 '\0'}, {
wmep_acm = 0 '\0', wmep_aifsn = 0 '\0', wmep_logcwmin = 0 '\0',
wmep_logcwmax = 0 '\0', wmep_txopLimit = 0 '\0',
wmep_noackPolicy = 0 '\0'}, {wmep_acm = 0 '\0', wmep_aifsn = 0
'\0',
wmep_logcwmin = 0 '\0', wmep_logcwmax = 0 '\0',
wmep_txopLimit = 0 '\0', wmep_noackPolicy = 0 '\0'}, {
wmep_acm = 0 '\0', wmep_aifsn = 0 '\0', wmep_logcwmin = 0 '\0',
wmep_logcwmax = 0 '\0', wmep_txopLimit = 0 '\0',
wmep_noackPolicy = 0 '\0'}}, wme_wmeChanParams = {cap_info = 0
'\0',
cap_wmeParams = {{wmep_acm = 0 '\0', wmep_aifsn = 0 '\0',
wmep_logcwmin = 0 '\0', wmep_logcwmax = 0 '\0',
wmep_txopLimit = 0 '\0', wmep_noackPolicy = 0 '\0'}, {
wmep_acm = 0 '\0', wmep_aifsn = 0 '\0', wmep_logcwmin = 0 '\0',
wmep_logcwmax = 0 '\0', wmep_txopLimit = 0 '\0',
wmep_noackPolicy = 0 '\0'}, {wmep_acm = 0 '\0', wmep_aifsn = 0
'\0',
wmep_logcwmin = 0 '\0', wmep_logcwmax = 0 '\0',
wmep_txopLimit = 0 '\0', wmep_noackPolicy = 0 '\0'}, {
wmep_acm = 0 '\0', wmep_aifsn = 0 '\0', wmep_logcwmin = 0 '\0',
wmep_logcwmax = 0 '\0', wmep_txopLimit = 0 '\0',
wmep_noackPolicy = 0 '\0'}}}, wme_wmeBssChanParams = {
cap_info = 0 '\0', cap_wmeParams = {{wmep_acm = 0 '\0',
wmep_aifsn = 0 '\0', wmep_logcwmin = 0 '\0', wmep_logcwmax = 0
'\0',
wmep_txopLimit = 0 '\0', wmep_noackPolicy = 0 '\0'}, {
wmep_acm = 0 '\0', wmep_aifsn = 0 '\0', wmep_logcwmin = 0 '\0',
wmep_logcwmax = 0 '\0', wmep_txopLimit = 0 '\0',
wmep_noackPolicy = 0 '\0'}, {wmep_acm = 0 '\0', wmep_aifsn = 0
'\0',
wmep_logcwmin = 0 '\0', wmep_logcwmax = 0 '\0',
wmep_txopLimit = 0 '\0', wmep_noackPolicy = 0 '\0'}, {
wmep_acm = 0 '\0', wmep_aifsn = 0 '\0', wmep_logcwmin = 0 '\0',
wmep_logcwmax = 0 '\0', wmep_txopLimit = 0 '\0',
wmep_noackPolicy = 0 '\0'}}}, wme_chanParams = {cap_info = 0
'\0',
cap_wmeParams = {{wmep_acm = 0 '\0', wmep_aifsn = 0 '\0',
wmep_logcwmin = 0 '\0', wmep_logcwmax = 0 '\0',
wmep_txopLimit = 0 '\0', wmep_noackPolicy = 0 '\0'}, {
wmep_acm = 0 '\0', wmep_aifsn = 0 '\0', wmep_logcwmin = 0 '\0',
wmep_logcwmax = 0 '\0', wmep_txopLimit = 0 '\0',
wmep_noackPolicy = 0 '\0'}, {wmep_acm = 0 '\0', wmep_aifsn = 0
'\0', wmep_logcwmin = 0 '\0', wmep_logcwmax = 0 '\0',
wmep_txopLimit = 0 '\0', wmep_noackPolicy = 0 '\0'}, {
wmep_acm = 0 '\0', wmep_aifsn = 0 '\0', wmep_logcwmin = 0 '\0',
wmep_logcwmax = 0 '\0', wmep_txopLimit = 0 '\0',
wmep_noackPolicy = 0 '\0'}}}, wme_bssChanParams = {
cap_info = 0 '\0', cap_wmeParams = {{wmep_acm = 0 '\0',
wmep_aifsn = 0 '\0', wmep_logcwmin = 0 '\0', wmep_logcwmax = 0
'\0',
wmep_txopLimit = 0 '\0', wmep_noackPolicy = 0 '\0'}, {
wmep_acm = 0 '\0', wmep_aifsn = 0 '\0', wmep_logcwmin = 0 '\0',
wmep_logcwmax = 0 '\0', wmep_txopLimit = 0 '\0',
wmep_noackPolicy = 0 '\0'}, {wmep_acm = 0 '\0', wmep_aifsn = 0
'\0',
wmep_logcwmin = 0 '\0', wmep_logcwmax = 0 '\0',
wmep_txopLimit = 0 '\0', wmep_noackPolicy = 0 '\0'}, {
wmep_acm = 0 '\0', wmep_aifsn = 0 '\0', wmep_logcwmin = 0 '\0',
wmep_logcwmax = 0 '\0', wmep_txopLimit = 0 '\0',
wmep_noackPolicy = 0 '\0'}}}, wme_update = 0}, ic_crypto = {
cs_nw_keys = {{wk_keylen = 13 '\r', wk_flags = 3 '\003', wk_keyix = 0,
wk_key = "XXXXXXXXXXXX\021", '\0' <repeats 18 times>, wk_keyrsc =
0,
wk_keytsc = 0, wk_cipher = 0xc1f7b080, wk_private = 0xc1a8f010}, {
wk_keylen = 0 '\0', wk_flags = 3 '\003', wk_keyix = 1,
wk_key = '\0' <repeats 31 times>, wk_keyrsc = 0, wk_keytsc = 0,
wk_cipher = 0xc06c2ac0, wk_private = 0xc1bcf25c}, {wk_keylen = 0
'\0',
wk_flags = 3 '\003', wk_keyix = 2, wk_key = '\0' <repeats 31
times>,
wk_keyrsc = 0, wk_keytsc = 0, wk_cipher = 0xc06c2ac0,
wk_private = 0xc1bcf25c}, {wk_keylen = 0 '\0', wk_flags = 3
'\003',
wk_keyix = 3, wk_key = '\0' <repeats 31 times>, wk_keyrsc = 0,
wk_keytsc = 0, wk_cipher = 0xc06c2ac0, wk_private = 0xc1bcf25c}},
cs_def_txkey = 0, cs_key_alloc = 0xc059d048 <null_key_alloc>,
cs_key_delete = 0xc059d054 <null_key_delete>,
cs_key_set = 0xc059d060 <null_key_set>,
cs_key_update_begin = 0xc059d06c <null_key_update>,
cs_key_update_end = 0xc059d06c <null_key_update>}, ic_auth =
0xc06c3160,
ic_ec = 0x0, ic_acl = 0x0, ic_as = 0x0}
Robert N M Watson FreeBSD Core Team, TrustedBSD Projects
robert at fledge.watson.org Principal Research Scientist, McAfee Research