On Mon, Jul 06, 2015 at 09:15:42AM +0200, Stefan Sperling wrote:
> On Sun, Jul 05, 2015 at 08:21:15PM -0500, Walter Daugherity wrote:
> > >Synopsis: NMI crash in ieee80211_recv_auth called from malo driver
> > >Category: kernel
> > >Environment:
> >         System      : OpenBSD CVS + debug flags
> >         Details     : OpenBSD 5.8-beta (GENERIC.DEBUG) #1: Fri Jul  3
> > 17:24:02 CDT 2015 r...@strait.middle-earth.lan
> > :/usr/src/sys/arch/i386/compile/GENERIC.DEBUG
> >         Architecture: OpenBSD.i386
> >         Machine     : i386
> > >Description: This is a long-standing problem which I have now narrowed
> > down to a 100% reproducible NMI crash in function ieee80211_recv_auth in
> > source file ieee80211_input.c, called from malo.c.
> 
> Did you see my reply back in April?
> http://marc.info/?l=openbsd-bugs&m=142849629211619&w=2
>  
> As stated there, I very much doubt this problem is rooted anywhere near the
> malo driver and net80211. I've tested malo on both amd64 and i386 machines
> based on your prior and I could not reproduce the issue.

I've verified again that malo(4) works as expected on my i386 test machine.

There's funky code to snip off parts of the frame received from the hardware
which got me curious. But it seems to work as intended. The output below shows
the frame as received from hardware (with some extra data) and then again as
processed by the driver (with extra data stripped, producing a valid auth
frame 30 bytes in length) before it is passed on to ieee80211_input:

malo0: newstate AUTH
malo0: cmd answer for SetPostscan=OK
malo0: cmd answer for SetChannel=OK
malo0: got cmd done interrupt
NODS 50:50:00:18:84:16->da:00:00:40:f4:da(8c:ed:00:18:84:16) reassoc_resp 0M +0
 3200 b000 da00 0040 f4da 5050 0018 8416 8ced 0018 8416 8ced b0d2 5b74 1197 0021
 0000 0200 0000
NODS 00:18:84:16:8c:ed->00:40:f4:da:50:50(00:18:84:16:8c:ed) auth 0M +0
 b000 da00 0040 f4da 5050 0018 8416 8ced 0018 8416 8ced b0d2 0000 0200 0000
malo0: newstate ASSOC

What output does this diff show on your hardware?

Index: dev/ic/malo.c
===================================================================
RCS file: /cvs/src/sys/dev/ic/malo.c,v
retrieving revision 1.105
diff -u -p -r1.105 malo.c
--- dev/ic/malo.c       10 Feb 2015 23:25:46 -0000      1.105
+++ dev/ic/malo.c       6 Jul 2015 09:57:15 -0000
@@ -49,6 +49,8 @@
 
 #include <dev/ic/malo.h>
 
+#define MALO_DEBUG
+
 #ifdef MALO_DEBUG
 int malo_d = 1;
 #define DPRINTF(l, x...)       do { if ((l) <= malo_d) printf(x); } while (0)
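Review bot: `#define MALO_DEBUG` is added unconditionally right after the includes, so every kernel built from this tree compiles the DPRINTF paths and prints at level `malo_d = 1`, not only the reporter's GENERIC.DEBUG build. That is fine for a diagnostic diff sent to a reporter, but it must not survive into a commit; drop the define once the dump output has been collected.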
@@ -1700,8 +1702,12 @@ malo_rx_intr(struct malo_softc *sc)
                 *  6 bytes addr4 (cut out)
                 *  n bytes 802.11 frame data
                 */
+               if (m->m_len == 38)
+                       ieee80211_dump_pkt(mtod(m, const u_int8_t *), m->m_len, 
0, 0);
                bcopy(m->m_data, m->m_data + 6, 26);
                m_adj(m, 8);
+               if (m->m_len == 30)
+                       ieee80211_dump_pkt(mtod(m, const u_int8_t *), m->m_len, 
0, 0);
 
 #if NBPFILTER > 0
                if (sc->sc_drvbpf != NULL) {
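Review bot: the two `ieee80211_dump_pkt(...)` calls were line-wrapped in transit (`0, 0);` sits on its own line), so the diff as mailed will not apply with patch(1); each call should be a single line, e.g. `ieee80211_dump_pkt(mtod(m, const u_int8_t *), m->m_len, 0, 0);`, and both added lines also carry trailing whitespace. The `m->m_len == 38` and `== 30` conditions dump exactly the one frame shape under investigation (38-byte hardware frame, 30-byte auth frame after the `bcopy`/`m_adj` pair), which keeps the output small but hides any frame of a different length that reaches the same path; if the reporter's dump stays empty, dropping the length test or at least printing `m->m_len` for every frame would show what the hardware actually delivers. Note also that `m->m_len` is the length of the first mbuf only; if the receive mbuf is ever a chain the dump covers only that first part.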
Index: net80211/ieee80211_proto.c
===================================================================
RCS file: /cvs/src/sys/net80211/ieee80211_proto.c,v
retrieving revision 1.51
diff -u -p -r1.51 ieee80211_proto.c
--- net80211/ieee80211_proto.c  14 Mar 2015 03:38:51 -0000      1.51
+++ net80211/ieee80211_proto.c  6 Jul 2015 09:33:11 -0000
@@ -137,7 +137,6 @@ ieee80211_print_essid(const u_int8_t *es
        }
 }
 
-#ifdef IEEE80211_DEBUG
 void
 ieee80211_dump_pkt(const u_int8_t *buf, int len, int rate, int rssi)
 {
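Review bot: removing `#ifdef IEEE80211_DEBUG` makes ieee80211_dump_pkt() part of every kernel, which is needed here because malo.c now calls it without that option defined; the matching `#endif` is removed in the next hunk, so the two hunks must be applied together or the file will not preprocess. Before any commit the guard should be restored (or the malo.c call wrapped in its own `#ifdef`), since this function only exists for debugging output.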
@@ -197,7 +196,6 @@ ieee80211_dump_pkt(const u_int8_t *buf, 
                printf("\n");
        }
 }
-#endif
 
 int
 ieee80211_fix_rate(struct ieee80211com *ic, struct ieee80211_node *ni,
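Review bot: this `#endif` removal belongs with the `#ifdef IEEE80211_DEBUG` removal in the previous hunk; applied on its own either hunk leaves an unbalanced preprocessor conditional, so keep them together.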
Index: net80211/ieee80211_proto.h
===================================================================
RCS file: /cvs/src/sys/net80211/ieee80211_proto.h,v
retrieving revision 1.39
diff -u -p -r1.39 ieee80211_proto.h
--- net80211/ieee80211_proto.h  21 Nov 2009 18:09:31 -0000      1.39
+++ net80211/ieee80211_proto.h  6 Jul 2015 09:33:01 -0000
@@ -136,9 +136,7 @@ extern      int ieee80211_parse_rsn(struct ie
 extern int ieee80211_parse_wpa(struct ieee80211com *, const u_int8_t *,
                struct ieee80211_rsnparams *);
 extern void ieee80211_print_essid(const u_int8_t *, int);
-#ifdef IEEE80211_DEBUG
 extern void ieee80211_dump_pkt(const u_int8_t *, int, int, int);
-#endif
 extern int ieee80211_ibss_merge(struct ieee80211com *,
                struct ieee80211_node *, u_int64_t);
 extern void ieee80211_reset_erp(struct ieee80211com *);
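Review bot: the prototype guard is removed consistently with ieee80211_proto.c, which is what lets malo.c compile against it. When the `#ifdef` is restored in the .c file this header must be reverted in the same commit, otherwise non-debug kernels would still see the declaration and a caller would fail at link time rather than at compile time.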

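To make the trimming described in the message concrete, here is an added example (not the malo driver's code and not part of the thread) that applies the same data movement to the 38-byte hardware frame shown in the first dump and checks that the result is the 30-byte auth frame shown in the second. It assumes the layout given in the malo.c comment (2-byte firmware length, 24-byte 802.11 header, 6-byte addr4, then the body), uses memmove() in place of bcopy()/m_adj(), and adds a minimum-length guard of its own, which the driver does not have; the names `malo_trim_frame`, `mgmt_subtype_name` and `parse_auth` are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FW_LEN_SIZE 2   /* firmware length prefix in front of the frame */
#define HDR_SIZE    24  /* fc, duration, addr1..addr3, sequence control */
#define ADDR4_SIZE  6   /* addr4 slot the firmware always fills in */
#define AUTH_BODY   6   /* algorithm, transaction sequence, status */

/* The 38-byte hardware frame, transcribed from the first dump in the mail. */
static const uint8_t hw_auth_frame[38] = {
	0x32, 0x00,                          /* FW length field (cut out) */
	0xb0, 0x00,                          /* frame control: mgmt, auth */
	0xda, 0x00,                          /* duration */
	0x00, 0x40, 0xf4, 0xda, 0x50, 0x50,  /* addr1 */
	0x00, 0x18, 0x84, 0x16, 0x8c, 0xed,  /* addr2 */
	0x00, 0x18, 0x84, 0x16, 0x8c, 0xed,  /* addr3 */
	0xb0, 0xd2,                          /* sequence control */
	0x5b, 0x74, 0x11, 0x97, 0x00, 0x21,  /* addr4 (cut out) */
	0x00, 0x00, 0x02, 0x00, 0x00, 0x00   /* auth body */
};

/* The 30-byte result shown in the second dump, for comparison. */
static const uint8_t expected_auth_frame[30] = {
	0xb0, 0x00, 0xda, 0x00,
	0x00, 0x40, 0xf4, 0xda, 0x50, 0x50,
	0x00, 0x18, 0x84, 0x16, 0x8c, 0xed,
	0x00, 0x18, 0x84, 0x16, 0x8c, 0xed,
	0xb0, 0xd2,
	0x00, 0x00, 0x02, 0x00, 0x00, 0x00
};

/*
 * Same data movement as malo_rx_intr(): copy the 26 bytes in front of addr4
 * six bytes to the right (over addr4), then drop the first 8 bytes.  What is
 * left is fc..seq followed directly by the frame body.  The length guard is
 * an addition of this example; the driver trusts the length it is handed.
 * Returns the new length, or -1 if the frame is too short to trim safely.
 */
static int
malo_trim_frame(uint8_t *buf, size_t len)
{
	if (len < FW_LEN_SIZE + HDR_SIZE + ADDR4_SIZE)
		return -1;
	memmove(buf + 6, buf, 26);          /* bcopy(m_data, m_data + 6, 26) */
	memmove(buf, buf + 8, len - 8);     /* m_adj(m, 8) */
	return (int)(len - 8);
}

/* Name the first frame control byte the way the two dump lines do. */
static const char *
mgmt_subtype_name(uint8_t fc0)
{
	if ((fc0 & 0x0c) != 0x00)           /* bits 2-3: frame type, 0 = mgmt */
		return "non-mgmt";
	switch (fc0 & 0xf0) {               /* bits 4-7: management subtype */
	case 0x30: return "reassoc_resp";   /* what the untrimmed 0x32 decodes to */
	case 0xb0: return "auth";
	default:   return "other-mgmt";
	}
}

struct auth_body {
	uint16_t algo, seq, status;         /* little-endian on the wire */
};

/* Parse the auth body; -1 if this is not an auth frame or it is truncated. */
static int
parse_auth(const uint8_t *buf, size_t len, struct auth_body *ab)
{
	const uint8_t *p;

	if (len < HDR_SIZE + AUTH_BODY || (buf[0] & 0xfc) != 0xb0)
		return -1;
	p = buf + HDR_SIZE;
	ab->algo   = (uint16_t)(p[0] | (p[1] << 8));
	ab->seq    = (uint16_t)(p[2] | (p[3] << 8));
	ab->status = (uint16_t)(p[4] | (p[5] << 8));
	return 0;
}

int
main(void)
{
	uint8_t buf[sizeof hw_auth_frame];
	struct auth_body ab;
	int n;

	memcpy(buf, hw_auth_frame, sizeof buf);
	printf("raw: first fc byte reads as %s\n", mgmt_subtype_name(buf[0]));
	n = malo_trim_frame(buf, sizeof buf);
	printf("trimmed to %d bytes, %s, matches dump: %s\n", n,
	    mgmt_subtype_name(buf[0]),
	    memcmp(buf, expected_auth_frame, sizeof expected_auth_frame) == 0 ?
	    "yes" : "no");
	if (parse_auth(buf, (size_t)n, &ab) == 0)
		printf("auth: algo %u seq %u status %u\n",
		    ab.algo, ab.seq, ab.status);
	return 0;
}
```

Running it shows why the first dump line is labelled reassoc_resp: the untrimmed buffer starts with the firmware length field, so its first byte (0x32) is decoded as a frame control byte. After the shift the frame starts at the real frame control (0xb0), parses as an open-system authentication with transaction sequence 2 and status 0, and is byte-for-byte the 30-byte frame in the second dump. The extra length check is the kind of guard a reviewer would want around a fixed-offset copy, since a hardware frame shorter than 32 bytes would otherwise be shifted and trimmed into something ieee80211_input() cannot sensibly interpret.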