
Opened 11 years ago

Closed 11 years ago

Last modified 11 years ago

#1973 closed defect (fixed)

madwifi 100% reproducible kernel panic associating a VAP with a wrong wep key

Reported by: d.guerri@… Owned by: nbd
Priority: high Milestone: Kamikaze 7.07
Component: kernel Version:
Keywords: Cc:

Description

My setup:

  • Latest openWRT from svn (2523), standard configuration (non-preemptible kernel)
  • miniPCI Atheros AR5213A-00 and Atheros AR5213A-001
  • on PC Engines WRAP.1E v1.11

On the WRAP I execute the following commands:

wlanconfig ath create wlandev wifi0 wlanmode ap
iwconfig ath0 essid testSSID enc aabbccddeeffaabbccddeeff00 channel 4 mode master
ifconfig ath0 up

On the client (MacOsX, Linux, Windows, ...) I try to associate with a wrong wep key. For instance on my osx command line I do the following:

<threepwood:davide>[0]{~/bin (.004 Mb)} # /System/Library/PrivateFrameworks/Apple80211.framework/Resources/airport -s
28 Infrastructure networks found:
                            SSID Security     Ch Sig Vr  ID IE BSSID             WPA (Auth[]), (Cipher[])                
                  Alice-08953902 WPA PSK      11 -66 -1   0  0 00:03:6f:90:b9:ed   1 (2,0,0,0), ( 2(TKIP),0,0,0)
                  Alice-87115966 WPA PSK      11 -62 -1   0  0 00:03:6f:92:04:85   1 (2,0,0,0), ( 2(TKIP),0,0,0)
                        testSSID WEP           4 -11 -1   0  0 06:0b:6b:4c:ee:9f   0 (0,0,0,0), (0,0,0,0)
                         USR5463               6 -63 -1   0  0 00:14:c1:2b:f9:58   0 (0,0,0,0), (0,0,0,0)
[...]

<threepwood:davide># /System/Library/PrivateFrameworks/Apple80211.framework/Resources/airport -AtestSSID
password: <something like "blablabla">
<threepwood:davide>[0]{~/bin (.004 Mb)} # /System/Library/PrivateFrameworks/Apple80211.framework/Resources/airport -AtestSSID
password: <again, something like "blablabla">

After this on the WRAP i get:

root@OpenWrt:/# BUG: unable to handle kernel NULL pointer dereference at virtual address 0000010c
 printing eip:
c88f03d4
*pde = 00000000
Oops: 0000 [#1]
Modules linked in: ne2k_pci 8390 ath_pci wlan_xauth wlan_wep wlan_tkip wlan_ccmp wlan_acl ath_rate_minstrel ath_hal(P) wlan_scan_sta wlan_scan_ap wlan ipt_TTL ipt_ttl ipt_TOS ipt_time ipt_tos xt_MARK xt_mark xt_mac xt_length ipt_ECN ipt_ecn xt_DSCP xt_dscp xt_CLASSIFY imq ipt_IMQ ipt_ipp2p xt_NOTRACK iptable_raw xt_portscan xt_DELUDE xt_CHAOS xt_string ipt_recent xt_pkttype ipt_owner ipt_LOG xt_connbytes xt_helper xt_CONNMARK xt_connmark arptable_filter arpt_mangle arp_tables tun ppp_async ppp_generic slhc crc_ccitt natsemi
CPU:    0
EIP:    0060:[<c88f03d4>]    Tainted: P       VLI
EFLAGS: 00010002   (2.6.22-rc5 #2)
eax: 00000000   ebx: c74d0000   ecx: 00000001   edx: 0000001f
esi: c74d016d   edi: 00000000   ebp: 00000202   esp: c02b5c30
ds: 007b   es: 007b   fs: 0000  gs: 0000  ss: 0068
Process swapper (pid: 0, ti=c02b4000 task=c0296280 task.ti=c02b4000)
Stack: c88f003c c0122f04 c029de70 0000000c 000000b0 c7587000 c0123f25 c754a380
       c74d0000 c74d0000 00000000 c7b58380 c88f0613 c12686e8 c754a380 c7587000
       000d0002 000000b0 c88e984e 00000001 c7587800 c7b58380 00000001 c74d016d
Call Trace:
 [<c88f003c>] <0> [<c0122f04>] <0> [<c0123f25>] <0> [<c88f0613>] <0> [<c88e984e>] <0> [<c88ed7ce>] <0> [<c88ddbd7>] <0> [<c0122f04>] <0> [<c0123f25>] <0> [<c88d6a1d>] <0> [<c88eb4ac>] <0> [<c88d5310>] <0> [<c88ef91d>] <0> [<c88dd029>] <0> [<c011d53a>] <0> [<c010f10c>] <0> [<c010f074>] <0> [<c010f0d6>] <0> [<c0103b8f>] <0> [<c0250a25>] <0> [<c0102513>] <0> [<c01012eb>] <0> [<c02c0000>] <0> [<c0101312>] <0> [<c0100b55>] <0> [<c02b6a03>] <0> [<c02b63e0>] <0> =======================
Code: 44 24 28 83 7c 24 28 20 0f 85 37 ff ff ff 55 9d 83 c4 30 5b 5e 5f 5d c3 55 57 56 53 83 ec 20 89 d6 0f b6 52 05 83 e2 1f 9c 5d fa <8b> bc 90 90 00 00 00 e9 87 00 00 00 85 db 74 06 8b 47 04 89 43
EIP: [<c88f03d4>]  SS:ESP 0068:c02b5c30
Kernel panic - not syncing: Fatal exception in interrupt
Rebooting in 3 seconds..PC Engines WRAP.1C/1D/1E v1.11
640 KB Base Memory
130048 KB Extended Memory
[...]

openWRT kamikaze comes with madwifi r2420-20070602, but I've tried r2518-20070626 with the same results.

Attachments (1)

OSXvsMadWiFi-20070629.pcap (17.2 KB) - added by Cdtdaddy <d.guerri@…> 11 years ago.
pcap dump of 802.11 frames that produce the kernel panic


Change History (9)

comment:1 Changed 11 years ago by Cdtdaddy <d.guerri@…>

I've compiled a clean openWRT kamikaze r7765 kernel with CONFIG_KALLSYMS.
Here is the kernel panic for madwifi r2420-20070602

BUG: unable to handle kernel NULL pointer dereference at virtual address 0000010c
 printing eip:
c88a0450
*pde = 00000000
Oops: 0000 [#1]
Modules linked in: ne2k_pci 8390 ath_pci wlan_xauth wlan_wep wlan_tkip wlan_ccmp wlan_acl ath_rate_minstrel ath_hal(P) wlan_scan_sta wlan_scan_ap wlan ppp_async ppp_generic slhc crc_ccitt natsemi
CPU:    0
EIP:    0060:[<c88a0450>]    Tainted: P       VLI
EFLAGS: 00010002   (2.6.22-rc6 #3)

EIP is at ieee80211_remove_wds_addr+0x10/0xd3 [wlan]
eax: 00000000   ebx: c7970800   ecx: 00000001   edx: 0000001f
esi: 00000000   edi: 00000202   ebp: c7970969   esp: c7b07d08
ds: 007b   es: 007b   fs: 0000  gs: 0000  ss: 0068

Process dropbearkey (pid: 1575, ti=c7b06000 task=c1286a90 task.ti=c7b06000)
Stack: c7970800 00000000 c7fe0001 c7fea380 c88a05fa 00000000 00000000 c114c01c 
       c7fea380 c12683e8 c7fea380 c114c000 c799d380 000000b0 c889bf8e c799d380 
       c799d380 c7fe0001 c7970800 c889e7ca 000d0002 c797f380 c797f000 c797f380 
Call Trace:
 [<c88a05fa>] ieee80211_node_leave+0x22/0x2d3 [wlan]
 [<c889bf8e>] ieee80211_check_mic+0x157/0x17e [wlan]
 [<c889e7ca>] ieee80211_recv_mgmt+0x125e/0x2626 [wlan]
 [<c011b784>] update_wall_time+0x4f4/0x64d
 [<c01f37d2>] dev_hard_start_xmit+0x18e/0x1ed
 [<c0108bba>] __activate_task+0x1c/0x28
 [<c0118966>] autoremove_wake_function+0x15/0x35
 [<c0108a8f>] __wake_up_common+0x31/0x4f
 [<c88d0012>] ath_detach+0xc1b/0x1d2c [ath_pci]
 [<c889d387>] ieee80211_input+0xd65/0xf4a [wlan]
 [<c01ef6a6>] __alloc_skb+0x51/0xfd
 [<c01efa4e>] skb_copy+0xb9/0xc1
 [<c889fbe3>] ieee80211_input_all+0x51/0x82 [wlan]
 [<c88d3e3e>] ath_attach+0x2d1b/0x31a7 [ath_pci]
 [<c01f4daf>] net_rx_action+0x52/0xd0

 [<c010f0cc>] __do_softirq+0x35/0x75
 [<c010f12e>] do_softirq+0x22/0x26
 [<c0103bdf>] do_IRQ+0x55/0x6a
 [<c0102523>] common_interrupt+0x23/0x30
 =======================
Code: 8b 33 8b 04 24 39 43 10 75 f0 eb bb 45 83 fd 20 75 a8 57 9d 5e 5f 5b 5e 5f 5d c3 55 57 56 53 89 d5 0f b6 52 05 83 e2 1f 9c 5f fa <8b> 9c 90 90 00 00 00 eb 37 85 f6 74 06 8b 43 04 89 46 04 8b 43 
EIP: [<c88a0450>] ieee80211_remove_wds_addr+0x10/0xd3 [wlan] SS:ESP 0068:c7b07d08
Kernel panic - not syncing: Fatal exception in interrupt
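
An added helper for reading an oops like the one above (my own code, not from the ticket, madwifi or OpenWrt). It extracts the fault address, the faulting symbol, the dumped registers and the call trace, filters the trace down to one module (useful because the i386 trace also prints stale stack words such as update_wall_time), and checks the fault address against the registers: by my hand decoding, the bytes after <8b> in the Code: line (8b 9c 90 90 00 00 00) are mov 0x90(%eax,%edx,4),%ebx, so with eax=0 and edx=0x1f the access lands at 0x90 + 0x1f*4 = 0x10c, a NULL table pointer plus a field offset, which matches the finding in comment:2; the sample text is a trimmed copy of this comment's oops.

```python
import re

# Constructed sample: a trimmed copy of the oops posted in comment:1 of this ticket.
OOPS = """\
BUG: unable to handle kernel NULL pointer dereference at virtual address 0000010c
Oops: 0000 [#1]
EIP is at ieee80211_remove_wds_addr+0x10/0xd3 [wlan]
eax: 00000000   ebx: c7970800   ecx: 00000001   edx: 0000001f
esi: 00000000   edi: 00000202   ebp: c7970969   esp: c7b07d08
Call Trace:
 [<c88a05fa>] ieee80211_node_leave+0x22/0x2d3 [wlan]
 [<c889bf8e>] ieee80211_check_mic+0x157/0x17e [wlan]
 [<c889e7ca>] ieee80211_recv_mgmt+0x125e/0x2626 [wlan]
 [<c011b784>] update_wall_time+0x4f4/0x64d
 [<c88d0012>] ath_detach+0xc1b/0x1d2c [ath_pci]
"""

FAULT_RE = re.compile(r"virtual address ([0-9a-f]{8})")
EIP_RE = re.compile(r"EIP is at (\w+)\+0x([0-9a-f]+)/0x([0-9a-f]+)(?: \[(\w+)\])?")
FRAME_RE = re.compile(r"\[<([0-9a-f]{8})>\] (\w+)\+0x([0-9a-f]+)/0x([0-9a-f]+)(?: \[(\w+)\])?")
REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|ebp|esp): ([0-9a-f]{8})")

def parse_oops(text):
    """Pull fault address, faulting symbol, registers and call trace out of an i386 oops."""
    fault = int(FAULT_RE.search(text).group(1), 16)
    m = EIP_RE.search(text)
    eip = {"func": m.group(1), "off": int(m.group(2), 16), "mod": m.group(4)}
    regs = {name: int(val, 16) for name, val in REG_RE.findall(text)}
    frames = [{"func": f.group(2), "off": int(f.group(3), 16), "mod": f.group(5)}
              for f in FRAME_RE.finditer(text)]
    return {"fault": fault, "eip": eip, "regs": regs, "frames": frames}

def classify_fault(addr, page=4096):
    """A fault address below one page is a NULL base plus a field offset, not a wild pointer."""
    return ("null+offset", addr) if addr < page else ("other", addr)

def module_frames(report, mod):
    """Keep only frames from one module: i386 traces without frame pointers also print
    stale return addresses found on the stack (update_wall_time here), which mislead."""
    return [f["func"] for f in report["frames"] if f["mod"] == mod]

def indexed_load_addr(regs, base="eax", index="edx", scale=4, disp=0x90):
    """Address touched by 'mov disp(base,index,scale)' given the dumped registers.
    Defaults are my hand decoding of the bytes after <8b> in this oops' Code: line
    (8b 9c 90 90 00 00 00 -> mov 0x90(%eax,%edx,4),%ebx); an assumption, not from the page."""
    return regs[base] + regs[index] * scale + disp
```

With the registers from comment:6 (eax=0, edx=0xe) the same formula gives 0xc8, which is exactly the fault address reported there.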


comment:2 Changed 11 years ago by Cdtdaddy <d.guerri@…>

I've found the problem:

ieee80211_remove_wds_addr is called by ieee80211_node_leave with nt = NULL.

Skipping the call for null values of ni->ni_table avoids the kernel panic.
Although madwifi seems to be stable I fear it's only a hack ...

However, diff follows

diff -p madwifi-ng-r2420-20070602/net80211/ieee80211_node.c ieee80211_node.c 
*** madwifi-ng-r2420-20070602/net80211/ieee80211_node.c 2007-05-30 03:41:18.000000000 +0200
--- ieee80211_node.c    2007-06-29 00:38:30.000000000 +0200
*************** ieee80211_node_leave(struct ieee80211_no
*** 1850,1861 ****
        /* From this point onwards we can no longer find the node,
         * so no more references are generated
         */
!       ieee80211_remove_wds_addr(nt, ni->ni_macaddr);
!       ieee80211_del_wds_node(nt, ni);
!       IEEE80211_NODE_TABLE_LOCK_IRQ(nt);
!       _node_table_leave(nt, ni);
!       IEEE80211_NODE_TABLE_UNLOCK_IRQ(nt);
! 
        /*
         * If node wasn't previously associated all
         * we need to do is reclaim the reference.
--- 1850,1862 ----
        /* From this point onwards we can no longer find the node,
         * so no more references are generated
         */
!         if (nt) {
!               ieee80211_remove_wds_addr(nt, ni->ni_macaddr);
!               ieee80211_del_wds_node(nt, ni);
!               IEEE80211_NODE_TABLE_LOCK_IRQ(nt);
!               _node_table_leave(nt, ni);
!               IEEE80211_NODE_TABLE_UNLOCK_IRQ(nt);
!       }
        /*
         * If node wasn't previously associated all
         * we need to do is reclaim the reference.
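
Review bot: the `if (nt)` guard in the new hunk stops the NULL dereference inside ieee80211_remove_wds_addr but does not explain why ni->ni_table is NULL for a node that ieee80211_check_mic hands to ieee80211_node_leave (the trace in comment:1); a node with no table has already left or was never inserted, so the MIC-failure caller should not be tearing it down a second time, and that is where a fix belongs rather than in ieee80211_node_leave. Two smaller points in the same hunk: `if (nt) {` is indented with extra spaces and does not line up with its closing `}` or the surrounding code, and the blank line after IEEE80211_NODE_TABLE_UNLOCK_IRQ(nt) was dropped.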

comment:3 Changed 11 years ago by Cdtdaddy <d.guerri@…>

Sorry for my previous statement about reproducibility of the bug with any OS as a client.
I'm only able to reproduce the kernel panic with an *osx* sta.
I don't know why the wds code is called, but I'm still able to reproduce this bug with my osx.
Other atheros cards and a DWL-G122 802.11g rev. B1 (ralink) on linux work as expected.

I'm going to attach a pcap dump of 802.11 frames that produce the kernel panic.

Changed 11 years ago by Cdtdaddy <d.guerri@…>

pcap dump of 802.11 frames that produce the kernel panic

comment:4 Changed 11 years ago by nbd

  • Owner changed from developers to nbd
  • Status changed from new to assigned

comment:5 follow-up: Changed 11 years ago by nbd

try copying http://nbd.name/309-micfail_detect.patch in your madwifi patch directory and let me know if it fixes this bug

comment:6 in reply to: ↑ 5 Changed 11 years ago by Cdtdaddy <d.guerri@…>

Replying to nbd:

try copying http://nbd.name/309-micfail_detect.patch in your madwifi patch directory and let me know if it fixes this bug

No, sorry. The kernel panic is still reproducible

BUG: unable to handle kernel NULL pointer dereference at virtual address 000000c8
 printing eip:
c88a0450
*pde = 00000000
Oops: 0000 [#1]
Modules linked in: ne2k_pci 8390 ath_pci wlan_xauth wlan_wep wlan_tkip wlan_ccmp wlan_acl ath_rate_minstrel ath_hal(P) wlan_scan_sta wlan_sci
CPU:    0
EIP:    0060:[<c88a0450>]    Tainted: P       VLI
EFLAGS: 00010002   (2.6.22-rc6 #8)
EIP is at ieee80211_remove_wds_addr+0x10/0xd3 [wlan]
eax: 00000000   ebx: c78bb800   ecx: 00000001   edx: 0000000e
esi: 00000000   edi: 00000202   ebp: c78bb969   esp: c02fdcec
ds: 007b   es: 007b   fs: 0000  gs: 0000  ss: 0068
Process swapper (pid: 0, ti=c02fc000 task=c02dd280 task.ti=c02fc000)
Stack: c78bb800 00000000 c7860001 c7862380 c88a05fa 00000000 00000000 c7f4381c 
       c7862380 c12280e8 c7862380 c7f43800 c297f380 000000b0 c889bf8e c297f380 
       c297f380 c7860001 c78bb800 c889e7ca 000d0002 d9facdc1 00000000 00000000 
Call Trace:
 [<c88a05fa>] ieee80211_node_leave+0x22/0x2d3 [wlan]
 [<c889bf8e>] ieee80211_check_mic+0x157/0x17e [wlan]
 [<c889e7ca>] ieee80211_recv_mgmt+0x125e/0x2626 [wlan]
 [<c023de5b>] nf_nat_fn+0x14f/0x15e
 [<c023dec7>] nf_nat_in+0x29/0x92
 [<c0205790>] nf_iterate+0x38/0x6a
 [<c02107f0>] ip_rcv_finish+0x0/0x23c
 [<c0207052>] nf_conntrack_free+0x18/0x1f
 [<c02057e5>] nf_conntrack_destroy+0x10/0x11
 [<c01ef05f>] __kfree_skb+0xb8/0xe2
 [<c0211059>] ip_rcv+0x41c/0x429
 [<c88d0012>] ath_detach+0xc1b/0x1d2c [ath_pci]
 [<c889d387>] ieee80211_input+0xd65/0xf4a [wlan]
 [<c011b784>] update_wall_time+0x4f4/0x64d
 [<c889fbe3>] ieee80211_input_all+0x51/0x82 [wlan]
 [<c88d3e3b>] ath_attach+0x2d18/0x31a4 [ath_pci]
 [<c0111864>] run_timer_softirq+0xe0/0x12f
 [<c011d5c2>] tick_handle_periodic+0xf/0x5d
 [<c01f4daf>] net_rx_action+0x52/0xd0
 [<c010f0cc>] __do_softirq+0x35/0x75
 [<c010f12e>] do_softirq+0x22/0x26
 [<c0103bdf>] do_IRQ+0x55/0x6a
 [<c0251545>] __sched_text_start+0x45d/0x4bc
 [<c0102523>] common_interrupt+0x23/0x30
 [<c01012f8>] default_idle+0x0/0x39
 [<c0310000>] fib_rules_init+0x26/0x53
 [<c010131f>] default_idle+0x27/0x39
 [<c0100b55>] cpu_idle+0x3c/0x51
 [<c02fea3c>] start_kernel+0x245/0x24d
 [<c02fe3e0>] unknown_bootoption+0x0/0x205
 =======================
Code: 8b 33 8b 04 24 39 43 10 75 f0 eb bb 45 83 fd 20 75 a8 57 9d 5e 5f 5b 5e 5f 5d c3 55 57 56 53 89 d5 0f b6 52 05 83 e2 1f 9c 5f fa <8b>  
EIP: [<c88a0450>] ieee80211_remove_wds_addr+0x10/0xd3 [wlan] SS:ESP 0068:c02fdcec
Kernel panic - not syncing: Fatal exception in interrupt

comment:7 Changed 11 years ago by nbd

  • Resolution set to fixed
  • Status changed from assigned to closed

fix committed in [7813]

comment:8 Changed 11 years ago by Cdtdaddy <d.guerri@…>

No more panics here :)

Thank you.
