Re: run(4) panic: null node

Thu, 28 Oct 2021 03:28:02 -0700 

On Thu, 28 Oct 2021 10:10:23 +0000 Klemens Nanni <k...@openbsd.org> wrote:
> On Tue, Sep 14, 2021 at 05:52:08PM -0400, James Hastings wrote:
> > >Synopsis:  run(4): connecting to WEP network. panic: null node
> > >Category:  kernel
> > >Environment:  
> >     System      : OpenBSD 7.0
> >     Details     : OpenBSD 7.0-beta (GENERIC.MP) #206: Thu Sep  9 09:24:02 
> > MDT 2021
> >                      
> > dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> > 
> >     Architecture: OpenBSD.amd64
> >     Machine     : amd64  
> > >Description:  
> >     I was testing various networks with a Ralink RT5370 USB run(4) device.
> >     Connecting to a WEP-enabled SSID reliably produces the following kernel 
> > panic:  
> 
> I looked at this out of curiosity and the code seems obviously wrong.
> 
> > panic: null node
> > Stopped at     db_enter+0x10:  popq    %rbp
> >     TID   PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
> > *515938  8927      0     0x14000      0x200    3K usbtask
> > db_enter() at db_enter+0x10
> > panic(ffffffff81e29b27) at panic+0xbf
> > ieee80211_send_mgmt(ffff800000e7d048,0,c0,3,0) at ieee80211_send_mgmt+0x3aa
> > run_set_key_cb(ffff800000e7d000,ffff800000e7fe00) at run_set_key_cb+0x76
> > run_task(ffff800000e7d000) at run_task+0xa9
> > usb_task_thread(ffff800022d72550) at usb_task_thread+0x135
> > end trace frame: 0x0, count: 9  
> 
> run_init() does this
> 
>       if (ic->ic_flags & IEEE80211_F_WEPON) {
>               /* install WEP keys */
>               for (i = 0; i < IEEE80211_WEP_NKID; i++)
>                       (void)run_set_key(ic, NULL, &ic->ic_nw_keys[i]);
>       }   
> 
> run_set_key() passes that NULL argument unaltered to run_set_key_cb()
> which eventually calls ieee80211_send_mgmt() with a NULL `ni' argument
> which hits the panic.
> 
> I don't see how this can work;  maybe an oversight whenever run(4) or
> 802.11 was touched last?

Yes, apparently before
https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/dev/usb/if_run.c.diff?r1=1.131&r2=1.132&f=h
run_set_key_cb() wouldn't even look at 'cmd->ni'.


> 
> > >How-To-Repeat:  
> >     $ doas ifconfig run0 nwid MYWEPSSID nwkey 0xXXXXXXXXXX
> >     $ doas ifconfig run0 up
> >     <panic>  
> > >Fix:  
> >     Unknown at this time.  
>

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Reply via email to