(Forgot to attach some more debugging details.)

From submitter
Dec 12 09:40:11 lambda kernel: [55486.381334] iwd[202645]: segfault at 38 ip 
000055b1995e2056 sp 00007ffc966c5360 error 6 in iwd[55b1995c4000+84000]
Dec 12 09:40:11 lambda kernel: [55486.381374] Code: 48 83 c4 20 e9 58 fe ff ff 
0f 1f 00 3c 21 0f 85 70 ff ff ff 31 c0 80 7c 24 10 00 0f 95 c0 83 c0 01 41 89 
47 08 48 8b 44 24 18 <49> 89 46 38 e9 51 ff ff ff 90 41 8b 77 08 85 f6 0f 84 44 
ff ff ff





/*
 * Page fault error code bits:
 *
 *   bit 0 ==    0: no page found       1: protection fault
 *   bit 1 ==    0: read access         1: write access
 *   bit 2 ==    0: kernel-mode access  1: user-mode access
 *   bit 3 ==                           1: use of reserved bit detected
 *   bit 4 ==                           1: fault was an instruction fetch
 *   bit 5 ==                           1: protection keys block access
 */
enum x86_pf_error_code {
        /* Each enumerator is one bit of the hardware page-fault error code
         * (the "error" value printed in the kernel's segfault message). */
        PF_PROT         = 0x01,         /* bit 0: 1 = protection fault, 0 = no page found      */
        PF_WRITE        = 0x02,         /* bit 1: 1 = write access,     0 = read access        */
        PF_USER         = 0x04,         /* bit 2: 1 = user-mode access, 0 = kernel-mode access */
        PF_RSVD         = 0x08,         /* bit 3: 1 = use of reserved bit detected             */
        PF_INSTR        = 0x10,         /* bit 4: 1 = fault was an instruction fetch           */
        PF_PK           = 0x20,         /* bit 5: 1 = protection keys block access             */
};

arch/x86/mm/fault.c:
    printk("%s%s[%d]: segfault at %lx ip %px sp %px error %lx",


"error 6" == 0x6 == 0b110

bit 0 ==         0: no page found
bit 1 ==         1: write access
bit 2 ==         1: user-mode access
bit 3 ==         0: 
bit 4 ==         0: 
bit 5 ==         0: 



#############



# Bullseye/testing amd64 qemu VM 2019-12-12


apt update
apt dist-upgrade


apt install systemd-coredump mc gdb iwd iwd-dbgsym

apt build-dep iwd




mkdir /home/benutzer/source/iwd/orig -p
cd    /home/benutzer/source/iwd/orig
apt source iwd
cd




gdb -q --args /usr/libexec/iwd


set width 0
set pagination off
directory /home/benutzer/source/iwd/orig/iwd-1.2
b main
run
dele 1


(gdb) info target
...
        0x000055555555e830 - 0x00005555555e1001 is .text
...


(gdb) find /b 0x000055555555e830, 0x00005555555e1001, 0x48, 0x83, 0xc4, 0x20, 
0xe9, 0x58, 0xfe, 0xff, 0xff, 0x0f, 0x1f, 0x00, 0x3c, 0x21, 0x0f, 0x85, 0x70, 
0xff, 0xff, 0xff, 0x31, 0xc0, 0x80, 0x7c, 0x24, 0x10, 0x00, 0x0f, 0x95, 0xc0, 
0x83, 0xc0, 0x01, 0x41, 0x89, 0x47, 0x08, 0x48, 0x8b, 0x44, 0x24, 0x18, 0x49, 
0x89, 0x46, 0x38, 0xe9, 0x51, 0xff, 0xff, 0xff, 0x90, 0x41, 0x8b, 0x77, 0x08, 
0x85, 0xf6, 0x0f, 0x84, 0x44, 0xff, 0xff, 0xff
0x55555557c02c <scan_notify+476>
1 pattern found.


(gdb) b *0x55555557c02c+42
Breakpoint 2 at 0x55555557c056: file src/scan.c, line 1706.
(gdb) info b
Num     Type           Disp Enb Address            What
2       breakpoint     keep y   0x000055555557c056 in scan_notify at 
src/scan.c:1706


(gdb) disassemble /r scan_notify
Dump of assembler code for function scan_notify:
   0x000055555557be50 <+0>:     41 57                   push   %r15
...
   0x000055555557c027 <+471>:   e8 d4 ae 03 00          callq  0x5555555b6f00 
<l_log_with_location>
   0x000055555557c02c <+476>:   48 83 c4 20             add    $0x20,%rsp
   0x000055555557c030 <+480>:   e9 58 fe ff ff          jmpq   0x55555557be8d 
<scan_notify+61>
   0x000055555557c035 <+485>:   0f 1f 00                nopl   (%rax)
   0x000055555557c038 <+488>:   3c 21                   cmp    $0x21,%al
   0x000055555557c03a <+490>:   0f 85 70 ff ff ff       jne    0x55555557bfb0 
<scan_notify+352>
   0x000055555557c040 <+496>:   31 c0                   xor    %eax,%eax
   0x000055555557c042 <+498>:   80 7c 24 10 00          cmpb   $0x0,0x10(%rsp)
   0x000055555557c047 <+503>:   0f 95 c0                setne  %al
   0x000055555557c04a <+506>:   83 c0 01                add    $0x1,%eax
   0x000055555557c04d <+509>:   41 89 47 08             mov    %eax,0x8(%r15)
   0x000055555557c051 <+513>:   48 8b 44 24 18          mov    0x18(%rsp),%rax
   0x000055555557c056 <+518>:   49 89 46 38             mov    %rax,0x38(%r14)  
                        <<<<<<<<<<<<<
   0x000055555557c05a <+522>:   e9 51 ff ff ff          jmpq   0x55555557bfb0 
<scan_notify+352>
   0x000055555557c05f <+527>:   90                      nop
   0x000055555557c060 <+528>:   41 8b 77 08             mov    0x8(%r15),%esi
   0x000055555557c064 <+532>:   85 f6                   test   %esi,%esi
   0x000055555557c066 <+534>:   0f 84 44 ff ff ff       je     0x55555557bfb0 
<scan_notify+352>
   0x000055555557c06c <+540>:   41 0f b6 47 58          movzbl 0x58(%r15),%eax
...
   0x000055555557c2ff <+1199>:  e8 4c 1f fe ff          callq  0x55555555e250 
<__stack_chk_fail@plt>
End of assembler dump.


(gdb) list src/scan.c:1700,src/scan.c:1710
1700            case NL80211_CMD_TRIGGER_SCAN:
1701                    if (active_scan)
1702                            sc->state = SCAN_STATE_ACTIVE;
1703                    else
1704                            sc->state = SCAN_STATE_PASSIVE;
1705
1706                    sr->start_time_tsf = start_time_tsf;           
<<<<<<<<<<<<
1707
1708                    break;
1709
1710            case NL80211_CMD_SCAN_ABORTED:


(gdb) ptype struct scan_request
type = struct scan_request {
    uint32_t id;
    scan_trigger_func_t trigger;
    scan_notify_func_t callback;
    void *userdata;
    scan_destroy_func_t destroy;
    _Bool passive : 1;
    struct l_queue *cmds;
    uint64_t start_time_tsf;
}


(gdb) print/x (int)&((struct scan_request*)0)->id
$3 = 0x0
(gdb) print/x (int)&((struct scan_request*)0)->start_time_tsf
$4 = 0x38

So the faulting instruction `mov %rax,0x38(%r14)` is the store to sr->start_time_tsf, and the reported fault address 0x38 is exactly that field's offset: %r14 (sr) was NULL when the NL80211_CMD_TRIGGER_SCAN case at src/scan.c:1706 was reached, which matches the decoded error code (user-mode write to an unmapped page).




https://git.kernel.org/pub/scm/network/wireless/iwd.git/

https://git.kernel.org/pub/scm/network/wireless/iwd.git/commit/src/scan.c?id=d2556a48b7d65eb670fb0ce20e3f929bf9839a20
