On Tue, Sep 14, 2021 at 05:52:08PM -0400, James Hastings wrote:
> >Synopsis:    run(4): connecting to WEP network. panic: null node
> >Category:    kernel
> >Environment:
>       System      : OpenBSD 7.0
>       Details     : OpenBSD 7.0-beta (GENERIC.MP) #206: Thu Sep  9 09:24:02 MDT 2021
>                        dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> 
>       Architecture: OpenBSD.amd64
>       Machine     : amd64
> >Description:
>       I was testing various networks with a Ralink RT5370 USB run(4) device.
>       Connecting to a WEP-enabled SSID reliably produces the following kernel panic:

I looked at this out of curiosity and the code seems obviously wrong.

> panic: null node
> Stopped at     db_enter+0x10:  popq    %rbp
>     TID   PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
> *515938  8927      0     0x14000      0x200    3K usbtask
> db_enter() at db_enter+0x10
> panic(ffffffff81e29b27) at panic+0xbf
> ieee80211_send_mgmt(ffff800000e7d048,0,c0,3,0) at ieee80211_send_mgmt+0x3aa
> run_set_key_cb(ffff800000e7d000,ffff800000e7fe00) at run_set_key_cb+0x76
> run_task(ffff800000e7d000) at run_task+0xa9
> usb_task_thread(ffff800022d72550) at usb_task_thread+0x135
> end trace frame: 0x0, count: 9

run_init() does this

        if (ic->ic_flags & IEEE80211_F_WEPON) {
                /* install WEP keys */
                for (i = 0; i < IEEE80211_WEP_NKID; i++)
                        (void)run_set_key(ic, NULL, &ic->ic_nw_keys[i]);
        }

run_set_key() passes that NULL argument unaltered to run_set_key_cb()
which eventually calls ieee80211_send_mgmt() with a NULL `ni' argument
which hits the panic.

I don't see how this can work; maybe an oversight whenever run(4) or
802.11 was touched last?

> >How-To-Repeat:
>       $ doas ifconfig run0 nwid MYWEPSSID nwkey 0xXXXXXXXXXX
>       $ doas ifconfig run0 up
>       <panic>
> >Fix:
>       Unknown at this time.
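
As an added illustration of the call chain discussed above (this is not OpenBSD's run(4) code): a cut-down C model of the run_init() loop handing a NULL node to the key-install callback, with an unchecked callback beside a checked one. The struct layouts, the KEY_GROUP flag and the fall-back-to-BSS policy are assumptions for the model, not the project's actual fix.

```c
#include <stddef.h>

#define WEP_NKID  4
#define KEY_GROUP 0x01   /* assumed flag: key is a group (shared) key, as WEP keys are */

struct node { int aid; };            /* stand-in for struct ieee80211_node */
struct key  { int id; int flags; };  /* stand-in for struct ieee80211_key */
struct ic {
    struct node *bss;                /* stand-in for ic->ic_bss */
    struct key   nw_keys[WEP_NKID];  /* stand-in for ic->ic_nw_keys[] */
};

/* Callback shaped like the one the report describes: it uses ni
 * unconditionally, so reaching it with ni == NULL is the "null node"
 * panic. Returns a token standing in for "key k programmed for node ni". */
int set_key_cb_unchecked(struct ic *ic, struct node *ni, struct key *k)
{
    (void)ic;
    return ni->aid * 100 + k->id;
}

/* Checked callback (assumed policy, not the project's fix): a group key
 * has no per-station node, so it is installed against the BSS node; a
 * pairwise key with no node is refused (-1) instead of dereferencing NULL. */
int set_key_cb_checked(struct ic *ic, struct node *ni, struct key *k)
{
    if (ni == NULL) {
        if (!(k->flags & KEY_GROUP) || ic->bss == NULL)
            return -1;
        ni = ic->bss;
    }
    return ni->aid * 100 + k->id;
}

/* Model of the run_init() loop: every WEP key is installed with ni == NULL,
 * exactly as the quoted snippet does. Returns how many keys were accepted. */
int install_wep_keys(struct ic *ic)
{
    int i, ok = 0;
    for (i = 0; i < WEP_NKID; i++)
        if (set_key_cb_checked(ic, NULL, &ic->nw_keys[i]) >= 0)
            ok++;
    return ok;
}
```

With the unchecked callback in place of the checked one, install_wep_keys() would dereference NULL on the first key; the checked variant installs all four against the BSS node and refuses only a pairwise key that arrives without a node.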
