Bug #1784

wlan_crypt_tkip panic

Added by josepht almost 4 years ago. Updated almost 4 years ago.

Status: New
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: -
Target version: -

Description

Hey guys,

It seems I've either munged the iwn driver I'm working on or I'm
genuinely hitting an edge case in the TKIP code. I got the following
panic. I'm attaching a tarball of the source directory and can
include patches from the unaltered FreeBSD source if needed.

My main concern regarding the wifi driver porting in general is my
weak understanding of the mbuf handling code and the bus_dma* code.

Any ideas are appreciated.

Unread portion of the kernel message buffer:
panic: not enough data, data_len 3 space 2

Trace beginning at frame 0xd801c9b4
panic(ffffffff) at panic+0x8e
panic(c0609324,3,2,db20f500,5f0873f1) at panic+0x8e
michael_mic(1a,3,d801ca2c,c465dff8,d7d682b8) at michael_mic+0x455
tkip_enmic(d7d6b784,db210000,0) at tkip_enmic+0xb5
ieee80211_encap(d7dbb9c0,d7d6b6b8,db20bd00,d7dbb9c0,d7d682b8) at
ieee80211_encap+0x863
ieee80211_start(c48d8198,1,0,1,0) at ieee80211_start+0x657
ifq_dispatch(c48d8198,db20bd00,d801cb38) at ifq_dispatch+0x13a
ether_output_frame(c48d8198,db20bd00,db20bd9a,db20bd9a,0) at
ether_output_frame+0x1be
ether_output(c48d8198,db20bd00,c4549570,c46ef940,14) at
ether_output+0x29b
ieee80211_output(c48d8198,db20bd00,c4549570,c46ef940,0) at
ieee80211_output+0x2f
ip_output(db20bd00,0,d7c20104,10000,0) at ip_output+0xbc1
tcp_output(d7c20188,41eb68,0,db41eb68,1) at tcp_output+0x1449
tcp_usr_send(d7b616e0,0,c47b8700,0,0) at tcp_usr_send+0x1d3
netmsg_pru_send(db41eb68,c0714958,c0714958,d801cd84,c03def13) at
netmsg_pru_send+0x1c
netmsg_service(db41eb68,1,0,c0714440,ff800000) at netmsg_service+0x58
tcpmsg_service_loop(0,0,0,0,0) at tcpmsg_service_loop+0x1d
lwkt_exit() at lwkt_exit

iwn.tgz (55.4 KB) josepht, 06/20/2010 04:30 PM

History

#1 Updated by josepht almost 4 years ago

On Sun, Jun 20, 2010 at 12:20:41PM -0400, Joe Talbott wrote:
> Hey guys,
>
> It seems I've either munged the iwn driver I'm working on or I'm
> genuinely hitting an edge case in the TKIP code. I got the following
> panic. I'm attaching a tarball of the source directory and can
> include patches from the unaltered FreeBSD source if needed.
>
> My main concern regarding the wifi driver porting in general is my
> weak understanding of the mbuf handling code and the bus_dma* code.
>
> Any ideas are appreciated.
>
> Unread portion of the kernel message buffer:
> panic: not enough data, data_len 3 space 2
>

Here's the kgdb backtrace:

(kgdb) bt
#0 _get_mycpu (di=0xc06d6a00) at ./machine/thread.h:83
#1 md_dumpsys (di=0xc06d6a00) at
/home/josepht/src/dragonfly/sys/platform/pc32/i386/dump_machdep.c:263
#2 0xc0319e29 in dumpsys () at
/home/josepht/src/dragonfly/sys/kern/kern_shutdown.c:838
#3 0xc031a3a4 in boot (howto=260) at
/home/josepht/src/dragonfly/sys/kern/kern_shutdown.c:387
#4 0xc031a4ca in panic (fmt=0xc0609324 "not enough data, data_len %zu
space %u\n") at
/home/josepht/src/dragonfly/sys/kern/kern_shutdown.c:744
#5 0xc03a0369 in michael_mic (ctx=<value optimized out>, key=<value
optimized out>, m=0xdb20f500, off=26, data_len=3, mic=0xd801ca2c
"\324\264;\300\236")
at
/home/josepht/src/dragonfly/sys/netproto/802_11/wlan_tkip/ieee80211_crypto_tkip.c:900
#6 0xc03a12ba in tkip_enmic (k=0xd7d6b784, m=0xdb210000, force=0) at
/home/josepht/src/dragonfly/sys/netproto/802_11/wlan_tkip/ieee80211_crypto_tkip.c:232
#7 0xc03bb921 in ieee80211_crypto_enmic (vap=0xd7dbb9c0,
ni=0xd7d6b6b8, m=0xdb20bd00) at
/home/josepht/src/dragonfly/sys/netproto/802_11/ieee80211_crypto.h:219
#8 ieee80211_encap (vap=0xd7dbb9c0, ni=0xd7d6b6b8, m=0xdb20bd00) at
/home/josepht/src/dragonfly/sys/netproto/802_11/wlan/ieee80211_output.c:1320
#9 0xc03be63d in ieee80211_start (ifp=0xc48d8198) at
/home/josepht/src/dragonfly/sys/netproto/802_11/wlan/ieee80211_output.c:355
#10 0xc038b149 in ifq_dispatch (ifp=0xc48d8198, m=0xdb20bd00,
pa=0xd801cb38) at /home/josepht/src/dragonfly/sys/net/if.c:2273
#11 0xc038c4ba in ether_output_frame (ifp=0xc48d8198, m=0xdb20bd00) at
/home/josepht/src/dragonfly/sys/net/if_ethersubr.c:534
#12 0xc038c767 in ether_output (ifp=0xc48d8198, m=0xdb20bd00,
dst=0xc4549570, rt=0xc46ef940) at
/home/josepht/src/dragonfly/sys/net/if_ethersubr.c:468
#13 0xc03bbf2a in ieee80211_output (ifp=0xc48d8198, m=0xdb20bd00,
dst=0xc4549570, rt=0xc46ef940) at
/home/josepht/src/dragonfly/sys/netproto/802_11/wlan/ieee80211_output.c:408
#14 0xc03d5e4f in ip_output (m0=0xdb20bd00, opt=0x0, ro=0xd7c20104,
flags=<value optimized out>, imo=0x0, inp=0xd7c200c8) at
/home/josepht/src/dragonfly/sys/netinet/ip_output.c:981
#15 0xc03dd53f in tcp_output (tp=0xd7c20188) at
/home/josepht/src/dragonfly/sys/netinet/tcp_output.c:969
#16 0xc03e45c1 in tcp_usr_send (so=0xd7b616e0, flags=<value optimized
out>, m=0xc47b8700, nam=0x0, control=0x0, td=0xdb3f2c90) at
/home/josepht/src/dragonfly/sys/netinet/tcp_usrreq.c:761
#17 0xc034fa19 in netmsg_pru_send (msg=0xdb41eb68) at
/home/josepht/src/dragonfly/sys/kern/uipc_msg.c:564
#18 0xc039598d in netmsg_service (msg=0x0, mpsafe_mode=1, mplocked=0)
at /home/josepht/src/dragonfly/sys/net/netisr.c:310
#19 0xc03def13 in tcpmsg_service_loop (dummy=0x0) at
/home/josepht/src/dragonfly/sys/netinet/tcp_subr.c:410
#20 0xc0322537 in lwkt_deschedule_self (td=Cannot access memory at
address 0x8
) at /home/josepht/src/dragonfly/sys/kern/lwkt_thread.c:250
Backtrace stopped: previous frame inner to this frame (corrupt stack?)

#2 Updated by josepht almost 4 years ago

On Sun, Jun 20, 2010 at 12:20:41PM -0400, Joe Talbott wrote:

As always I forgot the attachment. Here it is. If for some reason
the tarball gets stripped you can find it here:

http://leaf.dragonflybsd.org/~josepht/iwn.tgz

Joe
