Wcn36xx driver crashes on some networks

Hello,

I am using the latest Debian image: https://builds.96boards.org/releases/dragonboard410c/linaro/debian/latest/

The Wi-Fi client works well with the majority of networks, but when I try to connect to the router I have in my office, it looks like the driver crashes. The network that causes the failure uses WPA2 authentication with a key that is 27 characters long. Here’s the dmesg trace dump:

[   18.690808] wcn36xx: firmware WLAN version 'WCN v2.0 RadioPhy vRhea_GF_1.12 with 19.2MHz XO' and CRM version 'CNSS-PR-2-0-1-2-c1-00021'
[   18.690844] wcn36xx: firmware API 1.5.1.2, 41 stations, 2 bssids
[   18.705258] wcn36xx: FW Cap MCC
[   18.708079] wcn36xx: FW Cap P2P
[   18.710926] wcn36xx: FW Cap SLM_SESSIONIZATION
[   18.714011] wcn36xx: FW Cap DOT11AC_OPMODE
[   18.718570] wcn36xx: FW Cap SAP32STA
[   18.722646] wcn36xx: FW Cap TDLS
[   18.726356] wcn36xx: FW Cap P2P_GO_NOA_DECOUPLE_INIT_SCAN
[   18.729624] wcn36xx: FW Cap WLANACTIVE_OFFLOAD
[   18.734888] wcn36xx: FW Cap BEACON_OFFLOAD
[   18.739209] wcn36xx: FW Cap SCAN_OFFLOAD
[   18.743302] wcn36xx: FW Cap BCN_MISS_OFFLOAD
[   18.747385] wcn36xx: FW Cap STA_POWERSAVE
[   18.751643] wcn36xx: FW Cap STA_ADVANCED_PWRSAVE
[   18.755548] wcn36xx: FW Cap BCN_FILTER
[   18.760230] wcn36xx: FW Cap RTT
[   18.763791] wcn36xx: FW Cap RATECTRL
[   18.766828] wcn36xx: FW Cap WOW
[   18.770646] wcn36xx: FW Cap WLAN_ROAM_SCAN_OFFLOAD
[   18.773490] wcn36xx: FW Cap SPECULATIVE_PS_POLL
[   18.778384] wcn36xx: FW Cap IBSS_HEARTBEAT_OFFLOAD
[   18.782803] wcn36xx: FW Cap WLAN_SCAN_OFFLOAD
[   18.787658] wcn36xx: FW Cap WLAN_PERIODIC_TX_PTRN
[   18.792088] wcn36xx: FW Cap ADVANCE_TDLS
[   18.796792] wcn36xx: FW Cap BATCH_SCAN
[   18.800767] wcn36xx: FW Cap FW_IN_TX_PATH
[   18.804331] wcn36xx: FW Cap EXTENDED_NSOFFLOAD_SLOT
[   18.808415] wcn36xx: FW Cap CH_SWITCH_V1
[   18.813102] wcn36xx: FW Cap HT40_OBSS_SCAN
[   18.817266] wcn36xx: FW Cap UPDATE_CHANNEL_LIST
[   18.821165] wcn36xx: FW Cap WLAN_MCADDR_FLT
[   18.825593] wcn36xx: FW Cap WLAN_CH144
[   18.829760] wcn36xx: FW Cap TDLS_SCAN_COEXISTENCE
[   18.833573] wcn36xx: FW Cap LINK_LAYER_STATS_MEAS
[   18.838353] wcn36xx: FW Cap EXTENDED_SCAN
[   18.843032] wcn36xx: FW Cap DYNAMIC_WMM_PS
[   18.847115] wcn36xx: FW Cap MAC_SPOOFED_SCAN
[   18.851033] wcn36xx: FW Cap FW_STATS
[   18.855456] wcn36xx: FW Cap WPS_PRBRSP_TMPL
[   18.859008] wcn36xx: FW Cap BCN_IE_FLT_DELTA
[   18.872528] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[   19.090943] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[   19.913790] systemd-journald[1519]: Successfully sent stream file descriptor to service manager.
[   22.470896] wlan0: authenticate with f8:63:94:e3:9b:7e
[   22.510236] wlan0: send auth to f8:63:94:e3:9b:7e (try 1/3)
[   22.513273] wlan0: authenticated
[   22.515125] wcn36xx a204000.wcnss:smd-edge:wcnss:wifi wlan0: disabling HT/VHT due to WEP/TKIP use
[   22.518955] wlan0: associate with f8:63:94:e3:9b:7e (try 1/3)
[   22.538100] wlan0: RX AssocResp from f8:63:94:e3:9b:7e (capab=0x411 status=0 aid=20)
[   22.568284] wlan0: associated
[   22.568437] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[   22.583403] Unable to handle kernel NULL pointer dereference at virtual address 000000f9
[   22.583433] pgd = ffff8000358b7000
[   22.590607] [000000f9] *pgd=00000000b5a2a003
[   22.593760] , *pud=0000000000000000

[   22.604848] Internal error: Oops: 96000045 [#1] PREEMPT SMP
[   22.606579] Modules linked in: cmac bnep arc4 btqcomsmd btqca wcn36xx bluetooth mac80211 cfg80211 venus_enc venus_dec qcom_wcnss_pil msm_rng rng_core qcom_camss videobuf2_dma_sg qcom_cci venus_core mdt_loader videobuf2_memops v4l2_mem2mem videobuf2_v4l2 videobuf2_core ip_tables x_tables
[   22.637309] CPU: 3 PID: 1694 Comm: wpa_supplicant Tainted: G        W       4.9.39-linaro-lt-qcom #1
[   22.637399] Hardware name: Qualcomm Technologies, Inc. APQ 8016 SBC (DT)
[   22.646606] task: ffff800036305b00 task.stack: ffff800036174000
[   22.653331] PC is at wcn36xx_set_key+0x220/0x348 [wcn36xx]
[   22.658971] LR is at wcn36xx_set_key+0x200/0x348 [wcn36xx]
[   22.664488] pc : [<ffff000000cc8860>] lr : [<ffff000000cc8840>] pstate: 60000145
[   22.669950] sp : ffff800036177930
[   22.677505] x29: ffff800036177930 x28: ffff800036174000 
[   22.685833] x27: ffff000008a32000 x26: 0000000000000000 
[   22.691129] x25: 0000000000000000 x24: ffff800029899520 
[   22.696421] x23: ffff80002989b370 x22: ffff80002989b4a8 
[   22.701718] x21: 00000000000000e8 x20: ffff800036177980 
[   22.707014] x19: ffff80003526ce10 x18: 0000000000040927 
[   22.712308] x17: 0000ffffb5ac8f28 x16: ffff0000081e1428 
[   22.717599] x15: 7fffffffffffffff x14: 0000000000000000 
[   22.722900] x13: 0000000000000001 x12: 0000000000f985d5 
[   22.728190] x11: 0000000000e15a1f x10: 0000000000000900 
[   22.733489] x9 : ffff800036174000 x8 : ffff800036306460 
[   22.738780] x7 : ffff800037f67c00 x6 : 0000000000000560 
[   22.744072] x5 : 0000000000000002 x4 : 0000000000000000 
[   22.749375] x3 : 0000000000000000 x2 : 0000000000000001 
[   22.754662] x1 : 00000000000fac01 x0 : 0000000000000001 

[   22.760135] Process wpa_supplicant (pid: 1694, stack limit = 0xffff800036174020)
[   22.761712] Stack: (0xffff800036177930 to 0xffff800036178000)
[   23.196603] Call trace:
[   23.204414] Exception stack(0xffff800036177760 to 0xffff800036177890)
[   23.283608] [<ffff000000cc8860>] wcn36xx_set_key+0x220/0x348 [wcn36xx]
[   23.288382] [<ffff000000ba9b08>] ieee80211_key_enable_hw_accel+0xd8/0x2b8 [mac80211]
[   23.294973] [<ffff000000baa610>] ieee80211_key_link+0xe0/0x108 [mac80211]
[   23.302876] [<ffff000000b9a984>] ieee80211_add_key+0x114/0x290 [mac80211]
[   23.309533] [<ffff000000b314c0>] nl80211_new_key+0xe8/0x180 [cfg80211]
[   23.316234] [<ffff0000089316a8>] genl_family_rcv_msg+0x208/0x368
[   23.322640] [<ffff0000089318b0>] genl_rcv_msg+0xa8/0xe8
[   23.328801] [<ffff0000089307dc>] netlink_rcv_skb+0xc4/0xf8
[   23.333769] [<ffff00000893148c>] genl_rcv+0x34/0x48
[   23.339319] [<ffff000008930070>] netlink_unicast+0x168/0x240
[   23.344079] [<ffff000008930548>] netlink_sendmsg+0x2f0/0x358
[   23.349984] [<ffff0000088e3ac8>] sock_sendmsg+0x18/0x30
[   23.355626] [<ffff0000088e429c>] ___sys_sendmsg+0x26c/0x280
[   23.360573] [<ffff0000088e5164>] __sys_sendmsg+0x44/0x88
[   23.366129] [<ffff0000088e51b8>] SyS_sendmsg+0x10/0x20
[   23.371685] [<ffff000008082ef0>] el0_svc_naked+0x24/0x28
[   23.376633] Code: 6b01001f 54fff541 9103a2b5 52800020 (390046a0) 
[   23.382438] ---[ end trace d7535a0ca5460922 ]---

Thanks for reporting. I’ve just tried with a 27-character-long WPA2 key on my side but don’t reproduce the issue.

I would like to have more info:

  • Is it 100% reproducible with this AP?
  • Is it a hidden AP (not broadcasting SSID)?
  • Do you think there is any specific character in the key compared to other APs which do not trigger the issue?
  • How do you configure the access point: wpa conf file, nmcli?
  • Is authentication WPA2 Enterprise (with RADIUS server) or WPA2 Personal?
  • Would you be able to change the key to test another one (simpler/basic)?
  • What kind/model of AP causes this crash?

Hi, got the same crash.

  • AP not hidden, 128-bit key.
  • No special chars in password.
  • I used nmcli.
  • It is WEP.

The device info:

Board ID: 96358VW2
Software Version: BZ_1.16
Bootloader (CFE) Version: 1.0.37-10.1
Release Date: Aug. 06, 2010
Wireless Driver Version: 4.150.10.26.cpe1.2

Thanks @kfana, I indeed reproduce the issue with your configuration (wep), so we should be able to fix it.

For the details:
[ 109.235634] Unable to handle kernel NULL pointer dereference at virtual address 000000f9

[ 109.303174] PC is at wcn36xx_set_key+0x220/0x328 [wcn36xx]

wcn36xx_set_key unconditionally dereferences the sta parameter; however, this parameter can be NULL as described in mac80211.h.
Bug opened: https://bugs.96boards.org/show_bug.cgi?id=649
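
The diagnosis in the last post can be cross-checked against the oops from the first post. The following is an added example, not part of any post in this thread and not wcn36xx code: it decodes the faulting instruction from the `Code:` line and combines it with the register dump. It handles only the two A64 encodings this trace needs, and the function names are hypothetical.

```python
import re

# Lines copied from the oops posted earlier in this thread.
OOPS = """\
[   22.583403] Unable to handle kernel NULL pointer dereference at virtual address 000000f9
[   22.701718] x21: 00000000000000e8 x20: ffff800036177980
[   22.754662] x1 : 00000000000fac01 x0 : 0000000000000001
[   23.376633] Code: 6b01001f 54fff541 9103a2b5 52800020 (390046a0)
"""

def parse_oops(text):
    """Return (fault address, {reg: value}, instruction words, index of PC word)."""
    fault = int(re.search(r"at virtual address ([0-9a-f]+)", text).group(1), 16)
    regs = {int(n): int(v, 16)
            for n, v in re.findall(r"\bx(\d+)\s*: ([0-9a-f]{16})", text)}
    words = re.search(r"Code: (.*)", text).group(1).split()
    pc_idx = next(i for i, w in enumerate(words) if w.startswith("("))
    return fault, regs, [int(w.strip("()"), 16) for w in words], pc_idx

def decode(insn):
    """Decode the two A64 encodings needed here; None for anything else."""
    rd, rn, imm12 = insn & 0x1F, (insn >> 5) & 0x1F, (insn >> 10) & 0xFFF
    if (insn & 0xFFC00000) == 0x39000000:   # STRB Wt, [Xn, #imm12]
        return ("strb", rd, rn, imm12)
    if (insn & 0xFFC00000) == 0x91000000:   # ADD Xd, Xn, #imm12 (64-bit, no shift)
        return ("add", rd, rn, imm12)
    return None

def explain_fault(text):
    """Tie the faulting store to the fault address and recover its base pointer."""
    fault, regs, code, pc_idx = parse_oops(text)
    d = decode(code[pc_idx])
    if d is None or d[0] != "strb":
        return None
    _, rt, rn, imm = d
    out = {"store": f"strb w{rt}, [x{rn}, #{imm}]",
           "target": regs[rn] + imm,
           "matches_fault": regs[rn] + imm == fault}
    # Heuristic: the nearest earlier "add xN, xN, #off" produced the base from
    # a struct pointer; undo it (assumes nothing else wrote xN in between).
    for insn in reversed(code[:pc_idx]):
        prev = decode(insn)
        if prev and prev[0] == "add" and prev[1] == rn and prev[2] == rn:
            out["pointer_before_add"] = regs[rn] - prev[3]
            break
    return out

if __name__ == "__main__":
    print(explain_fault(OOPS))
```

For this trace the store is `strb w0, [x21, #17]`, its target equals the fault address 0xf9, and the pointer before the preceding `add x21, x21, #0xe8` was 0, which is consistent with a NULL `sta` being offset and then written through.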