Message-ID: <69e28c910805310934w7d2bc2ddkec27926a8c8033c4@mail.gmail.com>
Date:	Sat, 31 May 2008 18:34:29 +0200
From:	"Stefanik Gábor" <netrolller.3d@...il.com>
To:	"Michael Buesch" <mb@...sch.de>
Cc:	"bcm43xx-dev@...ts.berlios.de" <bcm43xx-dev@...ts.berlios.de>,
	linux-wireless <linux-wireless@...r.kernel.org>,
	linux-kernel@...r.kernel.org
Subject: Re: Wireless-testing's b43 panics in b43_generate_txhdr on packet transmit

On Sat, May 31, 2008 at 5:11 PM, Michael Buesch <mb@...sch.de> wrote:
> On Saturday 31 May 2008 16:23:58 Stefanik Gábor wrote:
>> In the latest wireless-testing kernel, I get a panic when I try to
>> connect to a network or inject a packet in monitor mode using b43
>> (stack obtained using kdump and crash):
>>
>> crash> bt -l
>> PID: 0      TASK: c0431340  CPU: 0   COMMAND: "swapper"
>>  #0 [c04617bc] crash_kexec at c015ce2a
>>     /usr/src/wl-hack/wireless-testing/kernel/kexec.c: 1077
>>  #1 [c046180c] die at c01054ba
>>     /usr/src/wl-hack/wireless-testing/arch/x86/kernel/traps_32.c: 476
>>  #2 [c0461828] do_page_fault at c034ef1f
>>     /usr/src/wl-hack/wireless-testing/arch/x86/mm/fault.c: 858
>>  #3 [c0461994] error_code (via page_fault) at c034d2e8
>>     /usr/src/wl-hack/wireless-testing/arch/i386/kernel/entry.S
>>     EAX: 00000000  EBX: 00000000  ECX: f6103000  EDX: f75ed4a0  EBP: c0461a58
>>     DS:  007b      ESI: 00000002  ES:  007b      EDI: 00000074
>>     CS:  0060      EIP: f8dd3a99  ERR: ffffffff  EFLAGS: 00010046
>>  #4 [c04619c8] b43_generate_txhdr at f8dd3a99
>>  #5 [c0461a5c] b43_dma_tx at f8dd83d7
>>  #6 [c0461ae4] b43_op_tx at f8dc4d32
>>  #7 [c0461afc] __ieee80211_tx at f89c3ed4
>>  #8 [c0461b14] ieee80211_master_start_xmit at f89c4b6d
>>  #9 [c0461b74] dev_hard_start_xmit at c02d4cb5
>>     /usr/src/wl-hack/wireless-testing/net/core/dev.c: 1558
>> #10 [c0461ba0] __qdisc_run at c02e678d
>>     /usr/src/wl-hack/wireless-testing/net/sched/sch_generic.c: 155
>> #11 [c0461bd8] dev_queue_xmit at c02d5172
>>     include/net/pkt_sched.h: 89
>> #12 [c0461c04] ieee80211_subif_start_xmit at f89c45db
>> #13 [c0461cc0] dev_hard_start_xmit at c02d4cb5
>>     /usr/src/wl-hack/wireless-testing/net/core/dev.c: 1558
>> #14 [c0461cec] __qdisc_run at c02e678d
>>     /usr/src/wl-hack/wireless-testing/net/sched/sch_generic.c: 155
>> #15 [c0461d24] dev_queue_xmit at c02d5172
>>     include/net/pkt_sched.h: 89
>> #16 [c0461d50] neigh_resolve_output at c02dac3e
>>     /usr/src/wl-hack/wireless-testing/net/core/neighbour.c: 1215
>> #17 [c0461d90] ip6_output_finish at f8d55c9e
>> #18 [c0461db0] ip6_output2 at f8d57e63
>> #19 [c0461dd4] ip6_output at f8d58418
>> #20 [c0461e50] mld_sendpack at f8d70d8d
>> #21 [c0461ebc] mld_ifc_timer_expire at f8d71a94
>> #22 [c0461ef0] run_timer_softirq at c0138547
>>     /usr/src/wl-hack/wireless-testing/kernel/timer.c: 798
>> #23 [c0461f34] __do_softirq at c0134230
>>     /usr/src/wl-hack/wireless-testing/kernel/softirq.c: 234
>> #24 [c0461f50] do_softirq at c0134318
>>     /usr/src/wl-hack/wireless-testing/kernel/softirq.c: 271
>> #25 [c0461f5c] irq_exit at c01344b0
>>     /usr/src/wl-hack/wireless-testing/kernel/softirq.c: 310
>> #26 [c0461f64] smp_apic_timer_interrupt at c0113583
>>     /usr/src/wl-hack/wireless-testing/arch/x86/kernel/apic_32.c: 619
>> #27 [c0461f7c] apic_timer_interrupt at c0104963
>>     include/linux/kdev_t.h: 52
>> #28 [c0461fbc] cpu_idle at c0102d69
>>     /usr/src/wl-hack/wireless-testing/arch/x86/kernel/process_32.c: 188
>>
>> No out-of-tree patches applied on b43. (I used to have a patch
>> applied, but I removed it to test reproducibility of this crash.)
>>
>> Any ideas why this happens?
>
> Please provide more information. For example, as to what "crash" means.
> Is this a NULL pointer dereference or whatever?
> Please put a few printks into b43_generate_txhdr()
>
>
> --
> Greetings Michael.
>

"Crash" = /usr/bin/crash, the GDB-based crashdump debugger.
It's a NULL pointer dereference. I didn't know that when I sent my
previous message, because the kernel doesn't boot in anything but
80x25 mode (vesafb modes result in a blank screen, other VGA modes
like 80x50 either show a jumbled mess of fonts or are ignored in favor
of 80x25, likely a vesafb bug - BTW nvidia video card), so I only see
the bottom of the panic message. (That's why I had to use Crash to
retrieve the stack.) I used the command "bt -l" to get the stack
originally. Since then I discovered the "log" command, which allowed
me to retrieve the full message. (It's the first time I've ever debugged a
kdump, sorry.)
So, anyway, here is the full panic message, as it was printed out on the screen:

"BUG: unable to handle kernel NULL pointer dereference at 00000004
IP: [<f8dd3a99>] :b43:b43_generate_txhdr+0x6a9/0x790
*pdpt = 00000000360f0001 *pde = 0000000000000000
Oops: 0000 [#1] SMP
Modules linked in: rfkill_input b43 ocfs2_dlmfs ocfs2_dlm
ocfs2_nodemanager configfs ipv6 microcode af_packet snd_pcm_oss
binfmt_misc snd_mixer_oss snd_seq snd_seq_device fuse ext3 jbd mbcache
loop dm_mod joydev rt73usb crc_itu_t arc4 rt2x00usb snd_hda_intel
rt2x00lib ecb crypto_blkcipher ssb rfkill snd_aw2 pcmcia usbhid
forcedeth snd_pcm ohci1394 pcmcia_core zd1211rw sr_mod led_class hid
sata_nv ieee1394 snd_hwdep snd_timer firmware_class i2c_nforce2 cdrom
isp1760 button input_polldev snd ff_memless i2c_core snd_page_alloc
mac80211 soundcore sg cfg80211 ehci_hcd ohci_hcd sd_mod usbcore edd
reiserfs fan pata_amd libata scsi_mod dock thermal processor [last
unloaded: speedstep_lib]

Pid: 0, comm: swapper Not tainted (2.6.26-rc4-wl-wireless6 #8)
EIP: 0060:[<f8dd3a99>] EFLAGS: 00010046 CPU: 0
EIP is at b43_generate_txhdr+0x6a9/0x790 [b43]
EAX: 00000000 EBX: 00000000 ECX: f6103000 EDX: f75ed4a0
ESI: 00000002 EDI: 00000074 EBP: c0461a58 ESP: c04619d0
 DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
Process swapper (pid: 0, ti=c0460000 task=c0431340 task.ti=c0460000)
Stack: 00000000 00000000 00000000 f78aee00 00000040 00004108 40201a0c f61c302c
       f6880dc0 f6103000 00000101 00000002 00000002 00000d80 02984108 00000074
       f88a2bc7 3798e6c0 00000000 f798e6c0 f798e060 f798e6c0 00000200 00000000
Call Trace:
 [<f88a2bc7>] ? qh_urb_transaction+0xe7/0x3e0 [ehci_hcd]
 [<f8dd83dc>] ? b43_dma_tx+0x19c/0x800 [b43]
 [<f8dc4d37>] ? b43_op_tx+0x57/0xc0 [b43]
 [<f89c3ed6>] ? __ieee80211_tx+0x16/0x120 [mac80211]
 [<f89c4b72>] ? ieee80211_master_start_xmit+0x262/0x310 [mac80211]
 [<c02d4cbb>] ? dev_hard_start_xmit+0x24b/0x2e0
 [<c02e6792>] ? __qdisc_run+0x62/0x1e0
 [<c02d5177>] ? dev_queue_xmit+0x307/0x380
 [<f89c45e0>] ? ieee80211_subif_start_xmit+0x3e0/0x710 [mac80211]
 [<c0123da4>] ? __enqueue_entity+0xd4/0x100
 [<c011f3c7>] ? enqueue_task+0x57/0x70
 [<c01251b4>] ? try_to_wake_up+0x74/0x1f0
 [<c02d4cbb>] ? dev_hard_start_xmit+0x24b/0x2e0
 [<c012533b>] ? default_wake_function+0xb/0x10
 [<c014366b>] ? autoremove_wake_function+0x1b/0x50
 [<c02e6792>] ? __qdisc_run+0x62/0x1e0
 [<c02d5177>] ? dev_queue_xmit+0x307/0x380
 [<c02dac41>] ? neigh_resolve_output+0xf1/0x2a0
 [<f8d6fdcc>] ? ipv6_chk_mcast_addr+0xbc/0x180 [ipv6]
 [<f8d55ca1>] ? ip6_output_finish+0x91/0xe0 [ipv6]
 [<f8d57e68>] ? ip6_output2+0x138/0x220 [ipv6]
 [<f8d5841d>] ? ip6_output+0x4cd/0xb30 [ipv6]
 [<c0138be5>] ? lock_timer_base+0x25/0x50
 [<c0138d91>] ? __mod_timer+0xa1/0xe0
 [<c0138e87>] ? mod_timer+0x37/0x80
 [<f8d641db>] ? fib6_force_start_gc+0x2b/0x30 [ipv6]
 [<f8d70d90>] ? mld_sendpack+0x2d0/0x330 [ipv6]
 [<f8d71a99>] ? mld_ifc_timer_expire+0x259/0x2f0 [ipv6]
 [<c014cf7b>] ? clockevents_program_event+0x9b/0x150
 [<c013854a>] ? run_timer_softirq+0x12a/0x1f0
 [<f8d71840>] ? mld_ifc_timer_expire+0x0/0x2f0 [ipv6]
 [<f8d71840>] ? mld_ifc_timer_expire+0x0/0x2f0 [ipv6]
 [<c0134232>] ? __do_softirq+0x92/0x120
 [<c013431d>] ? do_softirq+0x5d/0x60
 [<c01344b5>] ? irq_exit+0x75/0xa0
 [<c0113588>] ? smp_apic_timer_interrupt+0x58/0x90
 [<c0109ca0>] ? mwait_idle+0x0/0x50
 [<c0104968>] ? apic_timer_interrupt+0x28/0x30
 [<c0109ca0>] ? mwait_idle+0x0/0x50
 [<c0109cd2>] ? mwait_idle+0x32/0x50
 [<c0102d6b>] ? cpu_idle+0x6b/0xf0
 [<c033e09e>] ? rest_init+0x4e/0x60
 =======================
Code: 26 00 c7 45 d8 0c 00 00 00 90 e9 7b fc ff ff 8d 76 00 0f b6 4d
af c7 45 d8 02 00 00 00 89 4d f0 eb ae 8b 55 0c 8b 4d 9c 8b 42 0c <0f>
b6 58 04 3a 99 c2 03 00 00 0f 83 b9 00 00 00 8b 7d 9c 0f b6
EIP: [<f8dd3a99>] b43_generate_txhdr+0x6a9/0x790 [b43] SS:ESP 0068:c04619d0"

Full output of crash>log (essentially "dmesg" on a kdump) is attached as a file.

View attachment "b43_generate_txhdr_panic.log" of type "text/x-log" (43920 bytes)
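The oops quoted above carries everything needed for a first triage (fault address, page-fault error code, faulting symbol and module, call trace, and the bytes at EIP), and pulling those fields out by hand is error-prone. The following parser is an added example written for this page, not code from the thread or from the b43 project; it assumes the x86-32 oops layout of the 2.6.26-era kernel shown here and runs on a trimmed copy of the quoted oops.

```python
import re

# Constructed sample: a trimmed copy of the x86-32 oops quoted in the message above.
# Addresses, symbols and bytes are the page's own; most lines were dropped for brevity.
SAMPLE_OOPS = """\
BUG: unable to handle kernel NULL pointer dereference at 00000004
IP: [<f8dd3a99>] :b43:b43_generate_txhdr+0x6a9/0x790
Oops: 0000 [#1] SMP
EIP is at b43_generate_txhdr+0x6a9/0x790 [b43]
EAX: 00000000 EBX: 00000000 ECX: f6103000 EDX: f75ed4a0
Call Trace:
 [<f8dd83dc>] ? b43_dma_tx+0x19c/0x800 [b43]
 [<f8dc4d37>] ? b43_op_tx+0x57/0xc0 [b43]
 [<f89c3ed6>] ? __ieee80211_tx+0x16/0x120 [mac80211]
Code: 8b 42 0c <0f> b6 58 04 3a 99 c2 03 00 00
"""

# symbol+0xoffset/0xsize, optionally followed by the [module] tag
SYM_RE = re.compile(r"(\S+?)\+0x([0-9a-f]+)/0x([0-9a-f]+)(?:\s+\[(\w+)\])?")

def parse_oops(text):
    """Return the facts a triager wants from an x86-32 oops of this vintage."""
    info = {"trace": [], "regs": {}}
    for line in text.splitlines():
        m = re.match(r"BUG: unable to handle kernel (.+) at ([0-9a-f]+)$", line)
        if m:
            info["kind"], info["fault_addr"] = m.group(1), int(m.group(2), 16)
        elif line.startswith("Oops:"):
            # x86 page-fault error code: bit0 = page present, bit1 = write, bit2 = user mode
            err = int(line.split()[1], 16)
            info["access"] = ("write" if err & 2 else "read") + (" from user" if err & 4 else " from kernel")
        elif line.startswith("EIP is at "):
            sym, off, size, mod = SYM_RE.search(line).groups()
            info.update(symbol=sym, offset=int(off, 16), size=int(size, 16), module=mod)
        elif re.match(r"\s*\[<[0-9a-f]+>\]", line):   # a Call Trace frame
            m = SYM_RE.search(line)
            if m:
                info["trace"].append((m.group(1), m.group(4)))
        elif line.startswith("Code:"):
            toks = line.split()[1:]
            at = next(i for i, t in enumerate(toks) if t.startswith("<"))  # <..> marks EIP
            info["faulting_bytes"] = [t.strip("<>") for t in toks[at:]]
        else:
            for reg, val in re.findall(r"\b(E[A-D]X|E[SD]I|E[BS]P): ([0-9a-f]{8})", line):
                info["regs"][reg] = int(val, 16)
    # A fault address inside the first page is a field access through a NULL struct pointer.
    if info.get("fault_addr", 4096) < 4096:
        info["null_field_offset"] = info["fault_addr"]
    return info
```

For this sample the parser reports a kernel-mode read at offset 4 through a NULL pointer, with EAX = 0 and the marked bytes `0f b6 58 04` at EIP, which decode to `movzx ebx, byte ptr [eax+4]` and account for the fault address 00000004.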
