* wpa2 hangs v2.6.32-rc5-402-gb6727b1. Revert 7d930bc33653d5592dc386a76a38f39c2e962344 fixed it.
From: Jeff Chua @ 2009-11-01 15:18 UTC (permalink / raw)
To: Johannes Berg, John W. Linville; +Cc: Linux Kernel, Linus Torvalds
wpa2 (wpa_supplicant) hangs v2.6.32-rc5-402-gb6727b1.
Reverting 7d930bc33653d5592dc386a76a38f39c2e962344 fixes it.

Here's the bad commit.

Thanks,
Jeff.

7d930bc33653d5592dc386a76a38f39c2e962344 is the first bad commit
commit 7d930bc33653d5592dc386a76a38f39c2e962344
Author: Johannes Berg <johannes@sipsolutions.net>
Date:   Tue Oct 20 15:08:53 2009 +0900

    cfg80211: sme: deauthenticate on assoc failure

    When the in-kernel SME gets an association failure from
    the AP we don't deauthenticate, and thus get into a very
    confused state which will lead to warnings later on. Fix
    this by actually deauthenticating when the AP indicates
    an association failure.

    (Brought to you by the hacking session at Kernel Summit 2009 in Tokyo,
    Japan. -- JWL)

    Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
* Re: wpa2 hangs v2.6.32-rc5-402-gb6727b1. Revert 7d930bc33653d5592dc386a76a38f39c2e962344 fixed it.
From: Johannes Berg @ 2009-11-01 15:29 UTC (permalink / raw)
To: Jeff Chua; +Cc: John W. Linville, Linux Kernel, Linus Torvalds
On Sun, 2009-11-01 at 23:18 +0800, Jeff Chua wrote:
> wpa2 (wpa_supplicant) hangs v2.6.32-rc5-402-gb6727b1.

Explain?

> Reverting 7d930bc33653d5592dc386a76a38f39c2e962344 fixes it.

Certainly not a good idea, will break when your AP denies association.

johannes
* Re: wpa2 hangs v2.6.32-rc5-402-gb6727b1. Revert 7d930bc33653d5592dc386a76a38f39c2e962344 fixed it.
From: Linus Torvalds @ 2009-11-02 0:53 UTC (permalink / raw)
To: Jeff Chua; +Cc: Johannes Berg, John W. Linville, Linux Kernel
On Mon, 2 Nov 2009, Jeff Chua wrote:
>
> I don't know how to redirect the console dump to a file. So, attached is
> what it displayed taken from a camera.

That decodes to

  cfg80211_conn_work+89:

     3:   89 ef                   mov    %ebp,%edi
     5:   e8 6f be 41 e1          callq  0xffffffffe141be79
     a:   48 8b 43 20             mov    0x20(%rbx),%rax
     e:   f6 40 48 01             testb  $0x1,0x48(%rax)
    12:   74 5d                   je     0x71
    14:   83 bb 8c 00 00 00 01    cmpl   $0x1,0x8c(%rbx)
    1b:   75 54                   jne    0x71
    1d:   48 ?? 50 08             ???    0x8(%rax)   ???? uncertain instruction ????
    21:*  8b 02                   mov    (%rdx),%eax     <-- trapping instruction
    23:   41 89 45 00             mov    %eax,0x0(%r13)
    27:   66 8b 42 04             mov    0x4(%rdx),%ax
    2b:   66 41 89 45 04          mov    %ax,0x4(%r13)
    30:   e8 f5 ea ff ff          callq  0xffffffffffffeb2a

  trace:
    __cfg80111_scan_done
    worker_thread

which looks like it matches this code:

        movq    %r14, %rdi      # D.43604,
        call    mutex_lock      #
        movq    32(%rbx), %rax  # <variable>.netdev, <variable>.netdev
        testb   $1, 72(%rax)    #, <variable>.state
        je      .L215           #,
        cmpl    $1, 140(%rbx)   #, <variable>.sme_state
        jne     .L215           #,
        movq    144(%rbx), %rax # <variable>.conn, <variable>.conn
        movq    %rbx, %rdi      # wdev,
        movq    8(%rax), %rax   # <variable>.params.bssid, <variable>.params.bssid
        movl    (%rax), %edx    #* <variable>.params.bssid, tmp74
        movl    %edx, 0(%r13)   # tmp74, bssid
        movw    4(%rax), %ax    #, tmp75
        movw    %ax, 4(%r13)    # tmp75, bssid
        call    cfg80211_conn_do_work   #

ie it looks like 'conn->params.bssid' is NULL and we oops when we try to
load bssid from there. The code is:

        memcpy(bssid, wdev->conn->params.bssid, ETH_ALEN);

where ETH_ALEN is 6 bytes, so the memcpy is inlined..

And yes, that "memcpy()" was added in that buggy commit.

So reverting 7d930bc33653d5592dc386a76a38f39c2e962344 is the correct thing
to do. Or somebody needs to fix that piece-of-shit code.

		Linus
* Re: wpa2 hangs v2.6.32-rc5-402-gb6727b1. Revert 7d930bc33653d5592dc386a76a38f39c2e962344 fixed it.
From: Johannes Berg @ 2009-11-02 8:49 UTC (permalink / raw)
To: Linus Torvalds; +Cc: Jeff Chua, John W. Linville, Linux Kernel
On Sun, 2009-11-01 at 16:53 -0800, Linus Torvalds wrote:
> That decodes to
>
> cfg80211_conn_work+89:
>
> 3: 89 ef mov %ebp,%edi
> 5: e8 6f be 41 e1 callq 0xffffffffe141be79
> a: 48 8b 43 20 mov 0x20(%rbx),%rax
> e: f6 40 48 01 testb $0x1,0x48(%rax)
> 12: 74 5d je 0x71
> 14: 83 bb 8c 00 00 00 01 cmpl $0x1,0x8c(%rbx)
> 1b: 75 54 jne 0x71
> 1d: 48 ?? 50 08 ??? 0x8(%rax) ???? uncertain instruction ????
> 21:* 8b 02 mov (%rdx),%eax <-- trapping instruction
> 23: 41 89 45 00 mov %eax,0x0(%r13)
> 27: 66 8b 42 04 mov 0x4(%rdx),%ax
> 2b: 66 41 89 45 04 mov %ax,0x4(%r13)
> 30: e8 f5 ea ff ff callq 0xffffffffffffeb2a
>
> trace:
> __cfg80111_scan_done
> worker_thread
>
> which looks like it matches this code:
>
> movq %r14, %rdi # D.43604,
> call mutex_lock #
> movq 32(%rbx), %rax # <variable>.netdev, <variable>.netdev
> testb $1, 72(%rax) #, <variable>.state
> je .L215 #,
> cmpl $1, 140(%rbx) #, <variable>.sme_state
> jne .L215 #,
> movq 144(%rbx), %rax # <variable>.conn, <variable>.conn
> movq %rbx, %rdi # wdev,
> movq 8(%rax), %rax # <variable>.params.bssid, <variable>.params.bssid
> movl (%rax), %edx #* <variable>.params.bssid, tmp74
> movl %edx, 0(%r13) # tmp74, bssid
> movw 4(%rax), %ax #, tmp75
> movw %ax, 4(%r13) # tmp75, bssid
> call cfg80211_conn_do_work #
>
> ie it looks like 'conn->params.bssid' is NULL and we oops when we try to
> load bssid from there. The code is:
>
> memcpy(bssid, wdev->conn->params.bssid, ETH_ALEN);
>
> where ETH_ALEN is 6 bytes, so the memcpy is inlined..
>
> And yes, that "memcpy()" was added in that buggy commit.

Indeed, thank you. I'd analysed this before but not made the connection
with Jeff's report.

> So reverting 7d930bc33653d5592dc386a76a38f39c2e962344 is the correct thing
> to do. Or somebody needs to fix that piece-of-shit code.

Yes ... that params.bssid was != NULL was a bad assumption in that
commit. The right thing to do is to add a check and pass NULL through,
like I did here:

http://thread.gmane.org/gmane.linux.kernel.wireless.general/41695

johannes
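
The unconditional copy Linus decoded and the "add a check and pass NULL through" shape Johannes describes, side by side, as an added example that is not part of the thread and is neither the cfg80211 source nor the linked patch. The struct and function names are hypothetical stand-ins and the BSSID value is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ETH_ALEN 6

/* Hypothetical stand-ins for the structures named in the thread. */
struct conn_params { const uint8_t *bssid; };  /* NULL: no BSSID requested */
struct conn { struct conn_params params; };
struct result { int has_bssid; uint8_t bssid[ETH_ALEN]; };

/* Hypothetical consumer: records what the caller handed over. */
static void report_result(struct result *r, const uint8_t *bssid)
{
    memset(r, 0, sizeof(*r));
    if (bssid) {
        r->has_bssid = 1;
        memcpy(r->bssid, bssid, ETH_ALEN);
    }
}

/* Unconditional 6-byte copy: with params.bssid == NULL the inlined load
 * faults at address 0. Kept for comparison only; never called here. */
void conn_work_unchecked(const struct conn *c, struct result *r)
{
    uint8_t bssid[ETH_ALEN];
    memcpy(bssid, c->params.bssid, ETH_ALEN);
    report_result(r, bssid);
}

/* Check first, copy only when a BSSID exists, otherwise pass NULL through. */
int conn_work_checked(const struct conn *c, struct result *r)
{
    uint8_t bssid_buf[ETH_ALEN];
    const uint8_t *bssid = NULL;
    if (c->params.bssid) {
        memcpy(bssid_buf, c->params.bssid, ETH_ALEN);
        bssid = bssid_buf;
    }
    report_result(r, bssid);
    return r->has_bssid;
}

int main(void)
{
    static const uint8_t ap[ETH_ALEN] = { 0x02, 0, 0, 0, 0, 0x01 }; /* constructed */
    struct conn with = { { ap } }, without = { { NULL } };
    struct result r;
    int a = conn_work_checked(&with, &r), b = conn_work_checked(&without, &r);
    printf("with BSSID: %d, without BSSID: %d\n", a, b);
    return 0;
}
```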
* Re: wpa2 hangs v2.6.32-rc5-402-gb6727b1. Revert 7d930bc33653d5592dc386a76a38f39c2e962344 fixed it.
From: John W. Linville @ 2009-11-02 17:10 UTC (permalink / raw)
To: Jeff Chua; +Cc: Johannes Berg, Linus Torvalds, Linux Kernel
On Mon, Nov 02, 2009 at 11:05:07PM +0800, Jeff Chua wrote:
> On Mon, Nov 2, 2009 at 4:49 PM, Johannes Berg <johannes@sipsolutions.net> wrote:
>
> > On Sun, 2009-11-01 at 16:53 -0800, Linus Torvalds wrote:
> > > That decodes to
> > > cfg80211_conn_work+89:
> > > ie it looks like 'conn->params.bssid' is NULL and we oops when we try to
> > > load bssid from there. The code is:
> > > memcpy(bssid, wdev->conn->params.bssid, ETH_ALEN);
> > > And yes, that "memcpy()" was added in that buggy commit.
> >
> > Indeed, thank you. I'd analysed this before but not made the connection
> > with Jeff's report.
> >
> > > So reverting 7d930bc33653d5592dc386a76a38f39c2e962344 is the correct thing
> > > to do. Or somebody needs to fix that piece-of-shit code.
> >
> > Yes ... that params.bssid was != NULL was a bad assumption in that
> > commit. The right thing to do is to add a check and pass NULL through,
> > like I did here:
> > http://thread.gmane.org/gmane.linux.kernel.wireless.general/41695
> >
>
> That patch fixes the WPA2 hanging the system problem for me.
>
> Thanks for the quick responses!

I'll roll that up with a few other fixes and send it to Dave M. today.

John
--
John W. Linville                Someday the world will need a hero, and you
linville@tuxdriver.com          might be all we have.  Be ready.