

kern/55968: urtwn_tx null dereference



>Number:         55968
>Category:       kern
>Synopsis:       urtwn_tx null dereference
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Feb 01 06:30:00 +0000 2021
>Originator:     YAMAMOTO Takashi
>Release:        current
>Organization:
>Environment:
kingcrab# uname -a
NetBSD kingcrab 9.99.79 NetBSD 9.99.79 (b) #0: Mon Feb  1 14:44:07 JST 2021  yamamoto%spacetanuki.lan@localhost:/Users/yamamoto/work/kernel/b evbarm
kingcrab# 


It's a Raspberry Pi 3 Model A+.

kernel config:

  include arch/evbarm/conf/GENERIC
  makeoptions DEBUG="-g"
  no options INET6

("no options INET6" was only added to simplify the packet dump;
I can reproduce the issue with the stock GENERIC binary from
https://nycdn.netbsd.org/pub/NetBSD-daily/HEAD/202101271240Z/evbarm-earmv7hf/binary/gzimg/armv7.img.gz)

>Description:
[   158.180480] uvm_fault(0x80b498e8, 0, 1) -> e
[   158.180480] Fatal kernel mode data abort: 'Translation Fault (S)'
[   158.190479] trapframe: 0xa5afee98
[   158.190479] FSR=00000005, FAR=0000000c, spsr=00090013
[   158.200476] r0 =00000000, r1 =00000000, r2 =00000010, r3 =00000075
[   158.200476] r4 =90c54000, r5 =00000020, r6 =914ceb98, r7 =00000000
[   158.210474] r8 =91dac100, r9 =00000000, r10=00000001, r11=a5afef34
[   158.210474] r12=a5afef38, ssp=a5afeee8, slr=80147de8, pc =80146b10


(gdb) disas 0x80146b10
Dump of assembler code for function urtwn_tx:
   0x80146a84 <+0>:     mov     r12, sp
   0x80146a88 <+4>:     push    {r4, r5, r6, r7, r8, r9, r10, r11, r12, lr, pc}
   0x80146a8c <+8>:     sub     r11, r12, #4
   0x80146a90 <+12>:    sub     sp, sp, #36     ; 0x24
   0x80146a94 <+16>:    ldr     r8, [r1, #8]
   0x80146a98 <+20>:    mov     r6, r1
   0x80146a9c <+24>:    ldr     r1, [r0, #3548] ; 0xddc
   0x80146aa0 <+28>:    mov     r7, r3
   0x80146aa4 <+32>:    mov     r4, r0
   0x80146aa8 <+36>:    tst     r1, #32
   0x80146aac <+40>:    ldrb    r3, [r8, #1]
   0x80146ab0 <+44>:    ldrb    r9, [r8]
   0x80146ab4 <+48>:    movne   r5, #40 ; 0x28
   0x80146ab8 <+52>:    moveq   r5, #32
   0x80146abc <+56>:    tst     r3, #64 ; 0x40
   0x80146ac0 <+60>:    and     r9, r9, #12
   0x80146ac4 <+64>:    bne     0x80146ce4 <urtwn_tx+608>
   0x80146ac8 <+68>:    add     r3, r4, #16384  ; 0x4000
   0x80146acc <+72>:    ldr     r0, [r3, #496]  ; 0x1f0
   0x80146ad0 <+76>:    cmp     r0, #0
   0x80146ad4 <+80>:    bne     0x80146dd0 <urtwn_tx+844>
   0x80146ad8 <+84>:    ldrb    r3, [r8]
   0x80146adc <+88>:    and     r3, r3, #140    ; 0x8c
   0x80146ae0 <+92>:    str     r3, [r11, #-48] ; 0xffffffd0
   0x80146ae4 <+96>:    cmp     r3, #136        ; 0x88
   0x80146ae8 <+100>:   beq     0x80146d04 <urtwn_tx+640>
   0x80146aec <+104>:   cmp     r9, #8
   0x80146af0 <+108>:   moveq   r3, #0
   0x80146af4 <+112>:   movne   r3, #18
   0x80146af8 <+116>:   str     r3, [r11, #-56] ; 0xffffffc8
   0x80146afc <+120>:   ldr     r3, [r6, #40]   ; 0x28
   0x80146b00 <+124>:   mov     r1, #0
   0x80146b04 <+128>:   ldr     r2, [r4, #3548] ; 0xddc
   0x80146b08 <+132>:   add     r3, r5, r3
   0x80146b0c <+136>:   tst     r3, #63 ; 0x3f
   0x80146b10 <+140>:   ldr     r3, [r7, #12]
   0x80146b14 <+144>:   moveq   r10, #8
   0x80146b18 <+148>:   movne   r10, #0
   0x80146b1c <+152>:   tst     r2, #32
   0x80146b20 <+156>:   mov     r0, r3
--Type <RET> for more, q to quit, c to continue without paging--
   0x80146b24 <+160>:   addeq   r2, r10, r5
   0x80146b28 <+164>:   movne   r2, r5
   0x80146b2c <+168>:   movne   r10, #0
   0x80146b30 <+172>:   str     r2, [r11, #-52] ; 0xffffffcc
   0x80146b34 <+176>:   bl      0x805df2e0 <memset>
   0x80146b38 <+180>:   ldrh    r1, [r6, #40]   ; 0x28
   0x80146b3c <+184>:   sub     r12, r9, #8
   0x80146b40 <+188>:   clz     r12, r12
   0x80146b44 <+192>:   ldr     r2, [r11, #-52] ; 0xffffffcc
   0x80146b48 <+196>:   lsr     r12, r12, #5
   0x80146b4c <+200>:   mov     r3, r0
   0x80146b50 <+204>:   ldr     r0, [r0]
   0x80146b54 <+208>:   orr     r1, r1, r0
   0x80146b58 <+212>:   orr     r1, r1, r5, lsl #16
   0x80146b5c <+216>:   str     r1, [r3]
   0x80146b60 <+220>:   ldr     r0, [r4, #3548] ; 0xddc
   0x80146b64 <+224>:   tst     r0, #32
   0x80146b68 <+228>:   orreq   r1, r1, #-1946157056    ; 0x8c000000
   0x80146b6c <+232>:   streq   r1, [r3]
   0x80146b70 <+236>:   ldrb    r1, [r8, #4]
   0x80146b74 <+240>:   tst     r1, #1
   0x80146b78 <+244>:   ldrne   r1, [r3]
   0x80146b7c <+248>:   orrne   r1, r1, #16777216       ; 0x1000000
   0x80146b80 <+252>:   strne   r1, [r3]
   0x80146b84 <+256>:   cmp     r10, #0
   0x80146b88 <+260>:   ldr     r1, [r3, #4]
   0x80146b8c <+264>:   lsrne   r0, r10, #3
   0x80146b90 <+268>:   orrne   r1, r1, r0, lsl #26
   0x80146b94 <+272>:   ldr     r0, [r3, #16]
   0x80146b98 <+276>:   strne   r1, [r3, #4]
   0x80146b9c <+280>:   ldrb    lr, [r8, #4]
   0x80146ba0 <+284>:   bics    r12, r12, lr
   0x80146ba4 <+288>:   bne     0x80146d14 <urtwn_tx+656>
   0x80146ba8 <+292>:   cmp     r9, #0
   0x80146bac <+296>:   orr     r0, r0, #256    ; 0x100
   0x80146bb0 <+300>:   orreq   r1, r1, #397312 ; 0x61000
   0x80146bb4 <+304>:   orrne   r1, r1, #393216 ; 0x60000
   0x80146bb8 <+308>:   orreq   r1, r1, #512    ; 0x200
   0x80146bbc <+312>:   orrne   r1, r1, #4
   0x80146bc0 <+316>:   streq   r0, [r3, #16]
   0x80146bc4 <+320>:   strne   r0, [r3, #16]
--Type <RET> for more, q to quit, c to continue without paging--
   0x80146bc8 <+324>:   str     r1, [r3, #4]
   0x80146bcc <+328>:   ldr     r0, [r4, #3548] ; 0xddc
   0x80146bd0 <+332>:   ldrh    r1, [r8, #22]
   0x80146bd4 <+336>:   tst     r0, #32
   0x80146bd8 <+340>:   ldr     r0, [r11, #-48] ; 0xffffffd0
   0x80146bdc <+344>:   asr     r1, r1, #4
   0x80146be0 <+348>:   beq     0x80146cb4 <urtwn_tx+560>
   0x80146be4 <+352>:   cmp     r0, #136        ; 0x88
   0x80146be8 <+356>:   ldrh    r0, [r3, #36]   ; 0x24
   0x80146bec <+360>:   orr     r1, r0, r1, lsl #11
   0x80146bf0 <+364>:   strh    r1, [r3, #36]   ; 0x24
   0x80146bf4 <+368>:   beq     0x80146c10 <urtwn_tx+396>
   0x80146bf8 <+372>:   ldr     r0, [r3, #16]
   0x80146bfc <+376>:   ldr     r1, [r3, #32]
   0x80146c00 <+380>:   orr     r0, r0, #128    ; 0x80
   0x80146c04 <+384>:   str     r0, [r3, #16]
   0x80146c08 <+388>:   orr     r1, r1, #32768  ; 0x8000
   0x80146c0c <+392>:   str     r1, [r3, #32]
   0x80146c10 <+396>:   sub     r1, r3, #2
   0x80146c14 <+400>:   add     lr, r3, #30
   0x80146c18 <+404>:   mov     r0, #0
   0x80146c1c <+408>:   ldrh    r12, [r1, #2]!
   0x80146c20 <+412>:   cmp     r1, lr
   0x80146c24 <+416>:   eor     r0, r0, r12
   0x80146c28 <+420>:   bne     0x80146c1c <urtwn_tx+408>
   0x80146c2c <+424>:   strh    r0, [r3, #28]
   0x80146c30 <+428>:   add     r3, r3, r2
   0x80146c34 <+432>:   ldr     r2, [r6, #40]   ; 0x28
   0x80146c38 <+436>:   mov     r1, #0
   0x80146c3c <+440>:   mov     r0, r6
   0x80146c40 <+444>:   add     r5, r2, r5
   0x80146c44 <+448>:   bl      0x804bd958 <m_copydata>
   0x80146c48 <+452>:   mov     r0, #5
   0x80146c4c <+456>:   add     r10, r5, r10
   0x80146c50 <+460>:   bl      0x800041cc <_splraise>
   0x80146c54 <+464>:   mov     r12, #8
   0x80146c58 <+468>:   mov     r3, r10
   0x80146c5c <+472>:   str     r12, [sp]
   0x80146c60 <+476>:   movw    r1, #5000       ; 0x1388
   0x80146c64 <+480>:   movw    r2, #51704      ; 0xc9f8
   0x80146c68 <+484>:   str     r1, [sp, #4]
--Type <RET> for more, q to quit, c to continue without paging--
   0x80146c6c <+488>:   movt    r2, #32788      ; 0x8014
   0x80146c70 <+492>:   mov     r1, r7
   0x80146c74 <+496>:   str     r2, [sp, #8]
   0x80146c78 <+500>:   ldr     r2, [r7, #12]
   0x80146c7c <+504>:   mov     r4, r0
   0x80146c80 <+508>:   ldr     r0, [r7, #8]
   0x80146c84 <+512>:   bl      0x800e78a0 <usbd_setup_xfer>
   0x80146c88 <+516>:   ldr     r0, [r7, #8]
   0x80146c8c <+520>:   bl      0x800e6d68 <usbd_transfer>
   0x80146c90 <+524>:   mov     r3, r0
   0x80146c94 <+528>:   cmp     r3, #1
   0x80146c98 <+532>:   mov     r0, r4
   0x80146c9c <+536>:   movhi   r4, r3
   0x80146ca0 <+540>:   movls   r4, #0
   0x80146ca4 <+544>:   bl      0x80004368 <splx>
   0x80146ca8 <+548>:   mov     r0, r4
   0x80146cac <+552>:   sub     sp, r11, #40    ; 0x28
   0x80146cb0 <+556>:   ldm     sp, {r4, r5, r6, r7, r8, r9, r10, r11, sp, pc}
   0x80146cb4 <+560>:   cmp     r0, #136        ; 0x88
   0x80146cb8 <+564>:   ldrh    r0, [r3, #14]
   0x80146cbc <+568>:   orr     r1, r0, r1
   0x80146cc0 <+572>:   strh    r1, [r3, #14]
   0x80146cc4 <+576>:   beq     0x80146c10 <urtwn_tx+396>
   0x80146cc8 <+580>:   ldr     r0, [r3, #16]
   0x80146ccc <+584>:   mvn     r1, r1, lsl #17
   0x80146cd0 <+588>:   mvn     r1, r1, lsr #17
   0x80146cd4 <+592>:   strh    r1, [r3, #14]
   0x80146cd8 <+596>:   orr     r1, r0, #128    ; 0x80
   0x80146cdc <+600>:   str     r1, [r3, #16]
   0x80146ce0 <+604>:   b       0x80146c10 <urtwn_tx+396>
   0x80146ce4 <+608>:   mov     r1, r2
   0x80146ce8 <+612>:   add     r0, r0, #8
   0x80146cec <+616>:   mov     r2, r6
   0x80146cf0 <+620>:   bl      0x801e8388 <ieee80211_crypto_encap>
   0x80146cf4 <+624>:   cmp     r0, #0
   0x80146cf8 <+628>:   beq     0x80146e30 <urtwn_tx+940>
   0x80146cfc <+632>:   ldr     r8, [r6, #8]
   0x80146d00 <+636>:   b       0x80146ac8 <urtwn_tx+68>
   0x80146d04 <+640>:   ldrb    r3, [r8, #24]
   0x80146d08 <+644>:   and     r3, r3, #15
   0x80146d0c <+648>:   str     r3, [r11, #-56] ; 0xffffffc8
--Type <RET> for more, q to quit, c to continue without paging--
   0x80146d10 <+652>:   b       0x80146afc <urtwn_tx+120>
   0x80146d14 <+656>:   movw    r12, #1910      ; 0x776
   0x80146d18 <+660>:   ldr     lr, [r11, #-56] ; 0xffffffc8
   0x80146d1c <+664>:   ldrh    r12, [r4, r12]
   0x80146d20 <+668>:   cmp     r12, #2
   0x80146d24 <+672>:   moveq   r12, #393216    ; 0x60000
   0x80146d28 <+676>:   movne   r12, #262144    ; 0x40000
   0x80146d2c <+680>:   orr     r12, r12, lr, lsl #8
   0x80146d30 <+684>:   orr     r1, r12, r1
   0x80146d34 <+688>:   orr     r1, r1, #64     ; 0x40
   0x80146d38 <+692>:   str     r1, [r3, #4]
   0x80146d3c <+696>:   ldr     r1, [r4, #3548] ; 0xddc
   0x80146d40 <+700>:   tst     r1, #16
   0x80146d44 <+704>:   ldrne   r1, [r3, #8]
   0x80146d48 <+708>:   orrne   r1, r1, #65536  ; 0x10000
   0x80146d4c <+712>:   strne   r1, [r3, #8]
   0x80146d50 <+716>:   ldrne   r1, [r4, #3548] ; 0xddc
   0x80146d54 <+720>:   tst     r1, #32
   0x80146d58 <+724>:   ldrhne  r1, [r3, #12]
   0x80146d5c <+728>:   orrne   r1, r1, #256    ; 0x100
   0x80146d60 <+732>:   strhne  r1, [r3, #12]
   0x80146d64 <+736>:   ldr     r1, [r11, #-48] ; 0xffffffd0
   0x80146d68 <+740>:   cmp     r1, #136        ; 0x88
   0x80146d6c <+744>:   orreq   r0, r0, #64     ; 0x40
   0x80146d70 <+748>:   streq   r0, [r3, #16]
   0x80146d74 <+752>:   ldr     r1, [r4, #1896] ; 0x768
   0x80146d78 <+756>:   tst     r1, #1048576    ; 0x100000
   0x80146d7c <+760>:   beq     0x80146d98 <urtwn_tx+788>
   0x80146d80 <+764>:   ldr     r1, [r4, #1924] ; 0x784
   0x80146d84 <+768>:   cmp     r1, #1
   0x80146d88 <+772>:   orreq   r0, r0, #10240  ; 0x2800
   0x80146d8c <+776>:   beq     0x80146d98 <urtwn_tx+788>
   0x80146d90 <+780>:   cmp     r1, #2
   0x80146d94 <+784>:   orreq   r0, r0, #12288  ; 0x3000
   0x80146d98 <+788>:   ldr     r12, [r3, #20]
   0x80146d9c <+792>:   orr     r0, r0, #8
   0x80146da0 <+796>:   str     r0, [r3, #16]
   0x80146da4 <+800>:   orr     r1, r12, #130048        ; 0x1fc00
   0x80146da8 <+804>:   orr     r1, r1, #768    ; 0x300
   0x80146dac <+808>:   str     r1, [r3, #20]
   0x80146db0 <+812>:   ldr     r1, [r4, #3548] ; 0xddc
--Type <RET> for more, q to quit, c to continue without paging--
   0x80146db4 <+816>:   tst     r1, #16
   0x80146db8 <+820>:   movwne  r1, #65299      ; 0xff13
   0x80146dbc <+824>:   movweq  r1, #65291      ; 0xff0b
   0x80146dc0 <+828>:   movt    r1, #1
   0x80146dc4 <+832>:   orr     r1, r12, r1
   0x80146dc8 <+836>:   str     r1, [r3, #20]
   0x80146dcc <+840>:   b       0x80146bcc <urtwn_tx+328>
   0x80146dd0 <+844>:   mov     r2, #0
   0x80146dd4 <+848>:   strb    r2, [r3, #584]  ; 0x248
   0x80146dd8 <+852>:   ldr     r12, [r4, #2176]        ; 0x880
   0x80146ddc <+856>:   add     r2, r3, #576    ; 0x240
   0x80146de0 <+860>:   add     r1, r4, #16896  ; 0x4200
   0x80146de4 <+864>:   add     r1, r1, #64     ; 0x40
   0x80146de8 <+868>:   ldrh    lr, [r12]
   0x80146dec <+872>:   strh    lr, [r2, #10]
   0x80146df0 <+876>:   ldrh    r12, [r12, #2]
   0x80146df4 <+880>:   strh    r12, [r2, #12]
   0x80146df8 <+884>:   movw    r12, #4056      ; 0xfd8
   0x80146dfc <+888>:   movt    r12, #32949     ; 0x80b5
   0x80146e00 <+892>:   ldrb    r2, [r8, #1]
   0x80146e04 <+896>:   ldr     r12, [r12]
   0x80146e08 <+900>:   tst     r2, #64 ; 0x40
   0x80146e0c <+904>:   movne   r2, #4
   0x80146e10 <+908>:   strbne  r2, [r3, #584]  ; 0x248
   0x80146e14 <+912>:   ldr     r2, [r3, #640]  ; 0x280
   0x80146e18 <+916>:   mov     r3, #2
   0x80146e1c <+920>:   str     r3, [sp]
   0x80146e20 <+924>:   mov     r3, r6
   0x80146e24 <+928>:   ldr     r10, [r12, #16]
   0x80146e28 <+932>:   blx     r10
   0x80146e2c <+936>:   b       0x80146ad8 <urtwn_tx+84>
   0x80146e30 <+940>:   mov     r4, #55 ; 0x37
   0x80146e34 <+944>:   b       0x80146ca8 <urtwn_tx+548>
End of assembler dump.
(gdb)
(gdb) l *0x80146b10
0x80146b10 is in urtwn_tx (/Users/yamamoto/git/nbsd/src/sys/dev/usb/if_urtwn.c:2688).
2683
2684            if (ISSET(sc->chip, URTWN_CHIP_92EU))
2685                    padsize = 0;
2686
2687            /* Fill Tx descriptor. */
2688            txd = (struct r92c_tx_desc_usb *)data->buf;
2689            memset(txd, 0, txd_len + padsize);
2690
2691            txd->txdw0 |= htole32(
2692                SM(R92C_TXDW0_PKTLEN, m->m_pkthdr.len) |
(gdb)
(gdb) l *0x80147de8
0x80147de8 is in urtwn_task (/Users/yamamoto/git/nbsd/src/sys/dev/usb/if_urtwn.c:880).
875                     if (m == NULL) {
876                             aprint_error_dev(sc->sc_dev,
877                                 "could not allocate beacon");
878                     }
879
880                     if (urtwn_tx_beacon(sc, m, ic->ic_bss) != 0) {
881                             aprint_error_dev(sc->sc_dev, "could not send beacon");
882                     }
883
884                     /* beacon is no longer needed */
(gdb) 

From the dump above: FAR=0xc with r7=0 at the faulting instruction
`ldr r3, [r7, #12]` (<+140>), which is line 2688
`txd = (struct r92c_tx_desc_usb *)data->buf`; r7 is a copy of r3 made at
<+28>, i.e. the fourth argument `data` is NULL. The saved lr (0x80147de8)
is line 880 of urtwn_task, the urtwn_tx_beacon() call, so the NULL `data`
presumably comes from the beacon path (note that the m == NULL case at
line 875 only logs and falls through to that call).

>How-To-Repeat:
use urtwn in hostap mode?
>Fix:


