NetBSD Problem Report #25128
Received: (qmail 4012 invoked by uid 605); 10 Apr 2004 16:45:55 -0000
Message-Id: <20040410174601.714D39236@panser>
Date: Sat, 10 Apr 2004 17:46:01 +0000 (UTC)
From: pancake@phreaker.net
Sender: gnats-bugs-owner@NetBSD.org
Reply-To: pancake@phreaker.net
To: gnats-bugs@gnats.NetBSD.org
Subject: NetBSD-2.0 (also 1.6 and current) segfaults using wi driver
X-Send-Pr-Version: 3.95
>Number: 25128
>Category: kern
>Synopsis: NetBSD-2.0 (also 1.6 and current) segfaults using wi driver
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: dyoung
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Apr 10 16:46:00 +0000 2004
>Closed-Date:
>Last-Modified: Sun Feb 26 16:27:12 +0000 2012
>Originator:
>Release: NetBSD 2.0B
>Organization:
>Environment:
System: NetBSD pl2 2.0B NetBSD 2.0B (pancake-laptop) #12: Sat Apr 10 17:12:00 CEST 2004 root@panser:/usr/src/sys/arch/i386/compile/PANCAKE_LAPTOP i386
Architecture: i386
Machine: i386
>Description:
NetBSD implementation of wi driver is buggy.
>How-To-Repeat:
I receive this error trying to sniff using wistumbler2 under the
Gtk2 GUI. It seems that it calls the initialization of the wifi
interface two times fast enough, and the kernel doesn't handle
that. I was debugging the kernel, patching and rebuilding.
I will keep looking at that, but it would be nice if more people
looked at this bug.
The final idea that I took from this bug was that the vulnerable
code is in dev/pcmcia/if_wi_pcmcia.c, in the 'wi_pcmcia_enable'
function. This bug comes from older versions of NetBSD. I just
wrote some printfs in this function and it looks like this:
----8<---------[cut here]----
static int
wi_pcmcia_enable(sc)
	struct wi_softc *sc;
{
	struct wi_pcmcia_softc *psc = (struct wi_pcmcia_softc *)sc;
	struct pcmcia_function *pf; //= psc->sc_pf;

	printf("WI_PCMCIA_ENABLE: 1\n");
	pf=psc->sc_pf;
	printf("WI_PCMCIA_ENABLE: 2\n");
	/* establish the interrupt. */
	sc->sc_ih = pcmcia_intr_establish(pf, IPL_NET, wi_intr, sc);
	printf("WI_PCMCIA_ENABLE: 3\n");
	if (sc->sc_ih == NULL) {
		printf("%s: couldn't establish interrupt\n",
		    sc->sc_dev.dv_xname);
		return (EIO);
	}
	printf("WI_PCMCIA_ENABLE: 4\n");
	if (pcmcia_function_enable(pf) != 0) {
		printf("%s: couldn't enable card\n", sc->sc_dev.dv_xname);
		pcmcia_intr_disestablish(pf, sc->sc_ih);
		return (EIO);
	}
	DELAY(1000);
	printf("WI_PCMCIA_ENABLE: 5\n");
	if (psc->sc_symbol_cf) {
		if (wi_pcmcia_load_firm(sc,
		    spectrum24t_primsym, sizeof(spectrum24t_primsym),
		    spectrum24t_secsym, sizeof(spectrum24t_secsym))) {
			printf("%s: couldn't load firmware\n",
			    sc->sc_dev.dv_xname);
			wi_pcmcia_disable(sc);
			return (EIO);
		}
	}
	printf("WI_PCMCIA_ENABLE: ALL DONE\n");
	return (0);
}
----8<---------[cut here]----
Ok, then I run the wistumbler2 under Xwindows, and Crash! everything
is halted. Then I jump to the debugger, sync discs and reboot my box.
Back to netbsd, and reading on /var/log/messages I can read these
messages:
# grep -e WI_PCMCIA_ENABLE /var/log/messages
Apr 10 17:24:33 pl2 /netbsd: WI_PCMCIA_ENABLE: 1
Apr 10 17:24:33 pl2 /netbsd: WI_PCMCIA_ENABLE: 2
Apr 10 17:24:33 pl2 /netbsd: WI_PCMCIA_ENABLE: 3
Apr 10 17:24:33 pl2 /netbsd: WI_PCMCIA_ENABLE: 4
Apr 10 17:24:34 pl2 /netbsd: WI_PCMCIA_ENABLE: 5
Apr 10 17:24:34 pl2 /netbsd: WI_PCMCIA_ENABLE: ALL DONE
Apr 10 17:25:25 pl2 /netbsd: WI_PCMCIA_ENABLE: 1
Apr 10 17:25:25 pl2 /netbsd: WI_PCMCIA_ENABLE: 2
Apr 10 17:25:25 pl2 /netbsd: WI_PCMCIA_ENABLE: 3
Apr 10 17:25:25 pl2 /netbsd: WI_PCMCIA_ENABLE: 4
Apr 10 17:25:26 pl2 /netbsd: WI_PCMCIA_ENABLE: 5
Apr 10 17:25:26 pl2 /netbsd: WI_PCMCIA_ENABLE: ALL DONE
Apr 10 17:25:32 pl2 /netbsd: WI_PCMCIA_ENABLE: 1
Apr 10 17:25:32 pl2 /netbsd: WI_PCMCIA_ENABLE: 2
Apr 10 17:25:32 pl2 /netbsd: WI_PCMCIA_ENABLE: 3
Apr 10 17:25:32 pl2 /netbsd: WI_PCMCIA_ENABLE: 4
Apr 10 17:26:02 pl2 /netbsd: WI_PCMCIA_ENABLE: 1
As we can see, the kernel jumps after 4, skipping the 5 and ALL DONE steps.
When this code runs the first step again, it breaks.
The bt of ddb reports that it crashes here:
Stopped in pid 489.2 (wistumbler2) at netbsd:wi_pcmcia_enable+0x92:cmpl $0,0x219c(%ebx)
Yeah, ugly memory pointer I suppose.
>Fix:
Patch patch patch :) This file I suppose.
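
The marker sequence that the report reads by eye can be checked mechanically. The script below is an added example, not part of the original report or of NetBSD: it scans syslog or dmesg text for WI_PCMCIA_ENABLE passes that never reached ALL DONE. The function and field names are hypothetical, and the year is an assumed parameter because syslog lines omit it.

```python
import re
from collections import namedtuple
from datetime import datetime

# The syslog lines quoted in the report above, copied unchanged.
REPORT_LOG = """\
Apr 10 17:24:33 pl2 /netbsd: WI_PCMCIA_ENABLE: 1
Apr 10 17:24:33 pl2 /netbsd: WI_PCMCIA_ENABLE: 2
Apr 10 17:24:33 pl2 /netbsd: WI_PCMCIA_ENABLE: 3
Apr 10 17:24:33 pl2 /netbsd: WI_PCMCIA_ENABLE: 4
Apr 10 17:24:34 pl2 /netbsd: WI_PCMCIA_ENABLE: 5
Apr 10 17:24:34 pl2 /netbsd: WI_PCMCIA_ENABLE: ALL DONE
Apr 10 17:25:25 pl2 /netbsd: WI_PCMCIA_ENABLE: 1
Apr 10 17:25:25 pl2 /netbsd: WI_PCMCIA_ENABLE: 2
Apr 10 17:25:25 pl2 /netbsd: WI_PCMCIA_ENABLE: 3
Apr 10 17:25:25 pl2 /netbsd: WI_PCMCIA_ENABLE: 4
Apr 10 17:25:26 pl2 /netbsd: WI_PCMCIA_ENABLE: 5
Apr 10 17:25:26 pl2 /netbsd: WI_PCMCIA_ENABLE: ALL DONE
Apr 10 17:25:32 pl2 /netbsd: WI_PCMCIA_ENABLE: 1
Apr 10 17:25:32 pl2 /netbsd: WI_PCMCIA_ENABLE: 2
Apr 10 17:25:32 pl2 /netbsd: WI_PCMCIA_ENABLE: 3
Apr 10 17:25:32 pl2 /netbsd: WI_PCMCIA_ENABLE: 4
Apr 10 17:26:02 pl2 /netbsd: WI_PCMCIA_ENABLE: 1
"""

# Markers printed by the instrumented wi_pcmcia_enable(), in order.
STEPS = ["1", "2", "3", "4", "5", "ALL DONE"]

# Optional syslog prefix ("Apr 10 17:24:33 host tag: "), then the marker.
# dmesg lines carry the bare marker, so the prefix group may be absent.
LINE = re.compile(
    r"^(?:(\w{3} [ \d]\d \d\d:\d\d:\d\d) .*?)?"
    r"WI_PCMCIA_ENABLE: (" + "|".join(map(re.escape, STEPS)) + r")\s*$"
)

# start_line: line number of the pass's "1" marker
# last_step: last marker seen before the pass stopped
# stalled_secs: time from last marker to the next "1" (None if unknown)
# reentered: True if a new pass began, False if the log simply ended
Incomplete = namedtuple("Incomplete", "start_line last_step stalled_secs reentered")


def _stamp(text, year):
    # syslog omits the year, so the caller supplies it (assumption).
    if not text:
        return None
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def incomplete_enables(lines, year=2004):
    """Return every enable pass that never printed ALL DONE."""
    found = []
    cur = None  # [start_line, last_step, last_timestamp] of the open pass
    for n, line in enumerate(lines, 1):
        m = LINE.match(line.strip())
        if not m:
            continue  # unrelated kernel message
        ts, step = _stamp(m.group(1), year), m.group(2)
        if step == "1":
            if cur:  # previous pass was still open: enable was re-entered
                gap = (ts - cur[2]).total_seconds() if ts and cur[2] else None
                found.append(Incomplete(cur[0], cur[1], gap, True))
            cur = [n, step, ts]
        elif cur:
            cur[1], cur[2] = step, ts
            if step == "ALL DONE":
                cur = None
    if cur:  # log ends inside a pass, e.g. the machine stopped there
        found.append(Incomplete(cur[0], cur[1], None, False))
    return found


if __name__ == "__main__":
    for item in incomplete_enables(REPORT_LOG.splitlines()):
        print(item)
```

On the report's log this flags the pass that stops after marker 4 and is re-entered 30 seconds later, followed by the final pass that stops at marker 1 where the log ends.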
>Release-Note:
>Audit-Trail:
From: pancake <pancake@phreaker.net>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: Re: kern/25128
Date: Sat, 10 Apr 2004 18:01:49 +0000
I test this on my laptop:
p4m-1.7 using a Lucent card:
wi0 at pcmcia0 function 0: Cabletron, RoamAbout 802.11 DS, Version 01.01
wi0: 802.11 address 00:01:f4:ec:eb:37
wi0: using Lucent Technologies, WaveLAN/IEEE
wi0: Lucent Firmware: Station (6.4.1)
wi0: 11b rates: 1Mbps 2Mbps 5.5Mbps 11Mbps
dmesg output:
re: Station (6.4.1)
wi0: 11b rates: 1Mbps 2Mbps 5.5Mbps 11Mbps
WI_PCMCIA_ENABLE: 1
WI_PCMCIA_ENABLE: 2
pcmcia0: card irq 4
WI_PCMCIA_ENABLE: 3
WI_PCMCIA_ENABLE: 4
WI_PCMCIA_ENABLE: 5
WI_PCMCIA_ENABLE: ALL DONE
WI_PCMCIA_ENABLE: 1
WI_PCMCIA_ENABLE: 2
pcmcia0: card irq 4
WI_PCMCIA_ENABLE: 3
WI_PCMCIA_ENABLE: 4
WI_PCMCIA_ENABLE: 5
WI_PCMCIA_ENABLE: ALL DONE
WI_PCMCIA_ENABLE: 1
WI_PCMCIA_ENABLE: 2
pcmcia0: card irq 4
WI_PCMCIA_ENABLE: 3
WI_PCMCIA_ENABLE: 4
WI_PCMCIA_ENABLE: 1
WI_PCMCIA_ENABLE: 2
pcmcia0: card irq 5
WI_PCMCIA_ENABLE: 3
WI_PCMCIA_ENABLE: 4
WI_PCMCIA_ENABLE: 5
WI_PCMCIA_ENABLE: ALL DONE
wi0: wi_cmd: busy bit won't clear.
wi0: wi_cmd: busy bit won't clear.
wi0: wi_cmd: busy bit won't clear.
wi0: wi_cmd: busy bit won't clear.
wi0: wi_cmd: busy bit won't clear.
wi0: init failed
wi0: interface not running
wi0: wi_cmd: busy bit won't clear.
NetBSD 2.0B (pancake-laptop) #12: Sat Apr 10 17:12:00 CEST 2004
root@panser:/usr/src/sys/arch/i386/compile/PANCAKE_LAPTOP
total memory = 255 MB
avail memory = 245 MB
BIOS32 rev. 0 found at 0xfd770
PCI BIOS rev. 2.1 found at 0xfd984
pcibios: config mechanism [1][x], special cycles [x][x], last bus 2
PCI IRQ Routing Table rev. 1.0 found at 0xfdf10, size 208 bytes (11 entries)
PCI Interrupt Router at 000:31:0 (Intel 82371FB PCI-to-ISA Bridge (PIIX))
PIR Entry 0:
Bus: 0 Device: 30
INTA: link 0x60 bitmap 0xdef8
INTB: link 0x61 bitmap 0xdef8
INTC: link 0x62 bitmap 0xdef8
INTD: link 0x63 bitmap 0xdef8
PIR Entry 1:
Bus: 255 Device: 1
INTA: link 0x61 bitmap 0x0400
INTB: link 0x00 bitmap 0xdef8
INTC: link 0x00 bitmap 0xdef8
INTD: link 0x00 bitmap 0xdef8
PIR Entry 2:
Bus: 255 Device: 4
INTA: link 0x60 bitmap 0x0400
INTB: link 0x61 bitmap 0x0400
INTC: link 0x00 bitmap 0xdef8
INTD: link 0x00 bitmap 0xdef8
PIR Entry 3:
Bus: 255 Device: 0
INTA: link 0x60 bitmap 0x0400
INTB: link 0x00 bitmap 0xdef8
INTC: link 0x00 bitmap 0xdef8
INTD: link 0x00 bitmap 0xdef8
PIR Entry 4:
Bus: 255 Device: 2
INTA: link 0x62 bitmap 0x0800
INTB: link 0x63 bitmap 0x0800
INTC: link 0x00 bitmap 0xdef8
INTD: link 0x00 bitmap 0xdef8
PIR Entry 5:
Bus: 255 Device: 6
INTA: link 0x62 bitmap 0x0800
INTB: link 0x63 bitmap 0x0800
INTC: link 0x00 bitmap 0xdef8
INTD: link 0x00 bitmap 0xdef8
PIR Entry 6:
Bus: 0 Device: 0
INTA: link 0x60 bitmap 0xdef8
INTB: link 0x61 bitmap 0xdef8
INTC: link 0x62 bitmap 0xdef8
INTD: link 0x63 bitmap 0xdef8
PIR Entry 7:
Bus: 0 Device: 31
INTA: link 0x62 bitmap 0x0800
INTB: link 0x61 bitmap 0x0400
INTC: link 0x00 bitmap 0xdef8
INTD: link 0x00 bitmap 0xdef8
PIR Entry 8:
Bus: 0 Device: 29
INTA: link 0x60 bitmap 0x0400
INTB: link 0x63 bitmap 0x0800
INTC: link 0x62 bitmap 0x0800
INTD: link 0x00 bitmap 0xdef8
PIR Entry 9:
Bus: 0 Device: 1
INTA: link 0x60 bitmap 0xdef8
INTB: link 0x61 bitmap 0xdef8
INTC: link 0x00 bitmap 0xdef8
INTD: link 0x00 bitmap 0xdef8
PIR Entry 10:
Bus: 255 Device: 0
INTA: link 0x60 bitmap 0x0400
INTB: link 0x00 bitmap 0xdef8
INTC: link 0x00 bitmap 0xdef8
INTD: link 0x00 bitmap 0xdef8
pciintr_link_fixup: PIRQ 0x00 already connected to IRQ 10
pciintr_link_fixup: PIRQ 0x01 already connected to IRQ 10
pciintr_link_fixup: PIRQ 0x02 not connected, assigning IRQ 11
pciintr_link_fixup: PIRQ 0x03 already connected to IRQ 11
pciintr_link_route: route of PIRQ 0x00 -> IRQ 10 preserved BIOS setting
pciintr_link_route: route of PIRQ 0x01 -> IRQ 10 preserved BIOS setting
pciintr_link_route: route of PIRQ 0x03 -> IRQ 11 preserved BIOS setting
------------------------------------------
device vendor product pin PIRQ IRQ stage
------------------------------------------
000:29:0 0x8086 0x2482 A 0x00 10 0 already assigned
000:29:1 0x8086 0x2484 B 0x03 11 0 already assigned
pciintr_header_fixup: no entry for link 0xfe (0:30:0:@)
000:31:1 0x8086 0x248a A 0x02 11 1 fixed up
000:31:3 0x8086 0x2483 B 0x01 10 0 already assigned
000:31:5 0x8086 0x2485 B 0x01 10 0 already assigned
000:31:6 0x8086 0x2486 B 0x01 10 0 already assigned
------------------------------------------
PCI fixup examining 8086:1a30
PCI fixup examining 8086:1a31
PCI fixup examining 10de:175
PCI bridge 0: primary 0, secondary 1, subordinate 1
PCI fixup examining 8086:2482
PCI fixup examining 8086:2484
PCI fixup examining 8086:2448
PCI fixup examining 1106:3044
PCI fixup examining 10ec:8139
PCI fixup examining 1217:6933
PCI bridge 2: primary 2, secondary 3, subordinate 3
PCI fixup examining 1217:6933
PCI bridge 3: primary 2, secondary 4, subordinate 4
PCI fixup examining 1179:804
PCI bridge 1: primary 0, secondary 2, subordinate 4
PCI fixup examining 8086:248c
PCI fixup examining 8086:248a
PCI fixup examining 8086:2483
PCI fixup examining 8086:2485
PCI fixup examining 8086:2486
PCI bus #4 is the last bus
[System BIOS Setting]-----------------------
device vendor product
register space address size
--------------------------------------------
000:00:0 0x8086 0x1a30
10h mem 0xd4000000 0x04000000
[OK]
000:01:0 0x8086 0x1a31
[OK]
000:29:0 0x8086 0x2482
20h port 0x00002400 0x00000020
[OK]
000:29:1 0x8086 0x2484
20h port 0x00002420 0x00000020
[OK]
000:30:0 0x8086 0x2448
[OK]
000:31:0 0x8086 0x248c
[OK]
000:31:1 0x8086 0x248a
10h port 0x00000000 0x00000008
14h port 0x00000000 0x00000004
18h port 0x00000000 0x00000008
1ch port 0x00000000 0x00000004
20h port 0x00001800 0x00000010
24h mem 0x00000000 0x00000400
[NG]
000:31:3 0x8086 0x2483
20h port 0x00001820 0x00000020
[OK]
000:31:5 0x8086 0x2485
10h port 0x00001c00 0x00000100
14h port 0x00001840 0x00000040
[OK]
000:31:6 0x8086 0x2486
10h port 0x00002000 0x00000100
14h port 0x00001880 0x00000080
[OK]
001:00:0 0x10de 0x0175
10h mem 0xd8000000 0x01000000
14h mem 0xf0000000 0x04000000
18h mem 0xe8000000 0x00080000
[OK]
002:00:0 0x1106 0x3044
10h mem 0xe0000000 0x00000800
14h port 0x00003000 0x00000080
[OK]
002:01:0 0x10ec 0x8139
10h port 0x00003400 0x00000100
14h mem 0xe0000800 0x00000100
[OK]
002:04:0 0x1217 0x6933
10h mem 0x00000000 0x00001000
[NG]
002:04:1 0x1217 0x6933
10h mem 0x00000000 0x00001000
[NG]
002:06:0 0x1179 0x0804
10h mem 0xe0000c00 0x00000020
[OK]
--------------------------[ 3 devices bogus]
Physical memory end: 0x0ff7c000
PCI memory mapped I/O space start: 0x10000000
[PCIBIOS fixup stage]-----------------------
device vendor product
register space address size
--------------------------------------------
000:00:0 0x8086 0x1a30
10h mem 0xd4000000 0x04000000
[OK]
000:01:0 0x8086 0x1a31
[OK]
000:29:0 0x8086 0x2482
20h port 0x00002400 0x00000020
[OK]
000:29:1 0x8086 0x2484
20h port 0x00002420 0x00000020
[OK]
000:30:0 0x8086 0x2448
[OK]
000:31:0 0x8086 0x248c
[OK]
000:31:1 0x8086 0x248a
10h port 0x00005800 0x00000008
14h port 0x00005808 0x00000004
18h port 0x00005810 0x00000008
1ch port 0x0000580c 0x00000004
20h port 0x00001800 0x00000010
24h mem 0x10000000 0x00000400
[OK]
000:31:3 0x8086 0x2483
20h port 0x00001820 0x00000020
[OK]
000:31:5 0x8086 0x2485
10h port 0x00001c00 0x00000100
14h port 0x00001840 0x00000040
[OK]
000:31:6 0x8086 0x2486
10h port 0x00002000 0x00000100
14h port 0x00001880 0x00000080
[OK]
001:00:0 0x10de 0x0175
10h mem 0xd8000000 0x01000000
14h mem 0xf0000000 0x04000000
18h mem 0xe8000000 0x00080000
[OK]
002:00:0 0x1106 0x3044
10h mem 0xe0000000 0x00000800
14h port 0x00003000 0x00000080
[OK]
002:01:0 0x10ec 0x8139
10h port 0x00003400 0x00000100
14h mem 0xe0000800 0x00000100
[OK]
002:04:0 0x1217 0x6933
10h mem 0x10001000 0x00001000
[OK]
002:04:1 0x1217 0x6933
10h mem 0x10002000 0x00001000
[OK]
002:06:0 0x1179 0x0804
10h mem 0xe0000c00 0x00000020
[OK]
--------------------------[ 0 devices bogus]
mainbus0 (root)
cpu0 at mainbus0: (uniprocessor)
cpu0: Intel Mobile Celeron (686-class), 1695.06 MHz, id 0xf27
cpu0: features bfebf9ff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR>
cpu0: features bfebf9ff<PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX>
cpu0: features bfebf9ff<FXSR,SSE,SSE2,SS,HTT,TM,SBF>
cpu0: I-cache 12K uOp cache 8-way, D-cache 8 KB 64b/line 4-way
cpu0: L2 cache 512 KB 64b/line 8-way
cpu0: ITLB 4K/4M: 128 entries
cpu0: DTLB 4K/4M: 64 entries
cpu0: 16 page colors
acpi0 at mainbus0
acpi0: using Intel ACPI CA subsystem version 20040211
acpi0: X/RSDT: OemId <PTLTD , RSDT ,06040000>, AslId < LTP,00000000>
acpi0: SCI interrupting at int 9
acpi0: fixed-feature power button present
ACPI Object Type 'Processor' (0x0c) at acpi0 not configured
PNP0C0D at acpi0 not configured
acpibut0 at acpi0 (PNP0C0C): ACPI Power Button
acpibut1 at acpi0 (PNP0C0E): ACPI Sleep Button
PNP0A03 at acpi0 not configured
PNP0C0F at acpi0 not configured
PNP0C0F at acpi0 not configured
PNP0C0F at acpi0 not configured
PNP0C0F at acpi0 not configured
PNP0100 at acpi0 not configured
PNP0000 at acpi0 not configured
PNP0B00 at acpi0 not configured
PNP0C04 at acpi0 not configured
PNP0200 at acpi0 not configured
PNP0C02 at acpi0 not configured
pckbc0 at acpi0 (PNP0303): kbd port
pckbc0: io 0x60,0x64 irq 1
pckbc1 at acpi0 (PNP0F13): aux port
pckbc1: irq 12
PNP0A05 at acpi0 not configured
SMCF010 at acpi0 not configured
PNP0700 at acpi0 not configured
lpt1 at acpi0 (PNP0401)
lpt1: io 0x378-0x37b,0x778-0x77b irq 7 drq 3
acpiacad0 at acpi0 (ACPI0003): ACPI AC Adapter
acpiec0 at acpi0 (PNP0C09): ACPI Embedded Controller
acpiec0: io 0x62,0x66
acpibat0 at acpi0 (PNP0C0A-1): ACPI Battery (Control Method)
acpitz0 at acpi0: ACPI Thermal Zone
acpitz0: unable to get polling interval; using default of 30.0s
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pci0 at mainbus0 bus 0: configuration mode 1
pci0: i/o space, memory space enabled, rd/line, rd/mult, wr/inv ok
pchb0 at pci0 dev 0 function 0
pchb0: Intel 82845 Host (rev. 0x04)
agp0 at pchb0: aperture at 0xd4000000, size 0x4000000
ppb0 at pci0 dev 1 function 0: Intel 82845 AGP (rev. 0x04)
pci1 at ppb0 bus 1
pci1: i/o space, memory space enabled
vga0 at pci1 dev 0 function 0: Nvidia Corporation product 0x0175 (rev. 0xa3)
wsdisplay0 at vga0 kbdmux 1: console (80x25, vt100 emulation), using wskbd0
wsmux1: connecting to wsdisplay0
uhci0 at pci0 dev 29 function 0: Intel 82801CA/CAM USB Controller (rev. 0x02)
uhci0: interrupting at irq 10
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 29 function 1: Intel 82801CA/CAM USB Controller (rev. 0x02)
uhci1: interrupting at irq 11
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
ppb1 at pci0 dev 30 function 0: Intel 82801BAM Hub-to-PCI Bridge (rev. 0x42)
pci2 at ppb1 bus 2
pci2: i/o space, memory space enabled
VIA Technologies VT3606 OHCI IEEE 1394 Controller (Firewire serial bus, interface 0x10, revision 0x46) at pci2 dev 0 function 0 not configured
rtk0 at pci2 dev 1 function 0: Realtek 8139 10/100BaseTX
rtk0: interrupting at irq 10
rtk0: Ethernet address 00:02:3f:b1:e3:23
OUI 0x000000 model 0x0000 rev 0 at rtk0 phy 7 not configured
cbb0 at pci2 dev 4 function 0: O2 Micro, Inc. OZ6933 PCI-Cardbus Bridge (rev. 0x01)
cbb0: NOT USED because of unconfigured interrupt
cbb1 at pci2 dev 4 function 1: O2 Micro, Inc. OZ6933 PCI-Cardbus Bridge (rev. 0x01)
cbb1: NOT USED because of unconfigured interrupt
Toshiba Smart Media Controller (miscellaneous system, revision 0x02) at pci2 dev 6 function 0 not configured
pcib0 at pci0 dev 31 function 0
pcib0: Intel 82801CAM LPC Interface (rev. 0x02)
piixide0 at pci0 dev 31 function 1
piixide0: Intel 82801CA IDE Controller (ICH3) (rev. 0x02)
piixide0: bus-master DMA support present
piixide0: primary channel wired to compatibility mode
piixide0: primary channel interrupting at irq 14
atabus0 at piixide0 channel 0
piixide0: secondary channel wired to compatibility mode
piixide0: secondary channel interrupting at irq 15
atabus1 at piixide0 channel 1
Intel 82801CA/CAM SMBus Controller (SMBus serial bus, revision 0x02) at pci0 dev 31 function 3 not configured
auich0 at pci0 dev 31 function 5: i82801CA (ICH3) AC-97 Audio
auich0: interrupting at irq 10
auich0: ac97: Avance Logic ALC101 codec; Realtek 3D
auich0: ac97: ext id 600<AC97_22,AMAP>
Intel 82801CA/CAM Modem (modem communications, revision 0x02) at pci0 dev 31 function 6 not configured
isa0 at pcib0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
sysbeep0 at pcppi0
npx0 at isa0 port 0xf0-0xff: using exception 16
pcic0 at isa0 port 0x3e0-0x3e1 iomem 0xd0000-0xdffff irq
pcic0: controller 0 (Intel 82365SL-DF) has sockets A and B
pcmcia0 at pcic0 controller 0 socket 0
pcmcia1 at pcic0 controller 0 socket 1
audio0 at auich0: full duplex, independent
pcic0: controller 0 detecting irqs with mask 0xdeb8:..3..4..5
pcic0: using irq 3 for socket events
Kernelized RAIDframe activated
wi0 at pcmcia0 function 0: Cabletron, RoamAbout 802.11 DS, Version 01.01
pcic0: port 0x400-0x43f
uhidev0 at uhub0 port 1 configuration 1 interface 0
uhidev0: Logitech USB Mouse, rev 1.10/4.00, addr 2, iclass 3/1
ums0 at uhidev0: 3 buttons and Z dir.
wsmouse1 at ums0 mux 0
pcmcia0: card irq 4
wi0: 802.11 address 00:01:f4:ec:eb:37
wi0: using Lucent Technologies, WaveLAN/IEEE
wi0: Lucent Firmware: Station (6.4.1)
wi0: 11b rates: 1Mbps 2Mbps 5.5Mbps 11Mbps
wd0 at atabus0 drive 0: <FUJITSU MHS2030AT>
wd0: drive supports 16-sector PIO transfers, LBA addressing
wd0: 28615 MB, 58140 cyl, 16 head, 63 sec, 512 bytes/sect x 58605120 sectors
wd0: 32-bit data port
wd0: drive supports PIO mode 4, DMA mode 2, Ultra-DMA mode 5 (Ultra/100)
wd0(piixide0:0:0): using PIO mode 4, Ultra-DMA mode 5 (Ultra/100) (using DMA data transfers)
atapibus0 at atabus1: 2 targets
cd0 at atapibus0 drive 0: <TOSHIBA DVD-ROM SD-R2212, X248526170, 1013> cdrom removable
cd0: 32-bit data port
cd0: drive supports PIO mode 4, DMA mode 2, Ultra-DMA mode 2 (Ultra/33)
cd0(piixide0:1:0): using PIO mode 4, Ultra-DMA mode 2 (Ultra/33) (using DMA data transfers)
boot device: wd0
root on wd0a dumps on wd0b
WARNING: possible botched superblock upgrade detected
on filesystem previously mounted on /
fs_bsize == fs_maxbsize (0x00002000) but FS_FLAGS_UPDATED is not set
Test your filesystem by running fsck_ffs -n -f on it.
If it reports:
``VALUES IN SUPER BLOCK DISAGREE WITH THOSE IN FIRST ALTERNATE''
you should be able to recover with fsck_ffs -b 16 -c 4
See the file src/UPDATING or
http://mail-index.NetBSD.org/current-users/2004/01/11/0022.html
for more details
root file system type: ffs
WARNING: possible botched superblock upgrade detected
on filesystem previously mounted on /
fs_bsize == fs_maxbsize (0x00002000) but FS_FLAGS_UPDATED is not set
Test your filesystem by running fsck_ffs -n -f on it.
If it reports:
``VALUES IN SUPER BLOCK DISAGREE WITH THOSE IN FIRST ALTERNATE''
you should be able to recover with fsck_ffs -b 16 -c 4
See the file src/UPDATING or
http://mail-index.NetBSD.org/current-users/2004/01/11/0022.html
for more details
/: correcting fs_sblockloc from 0 to 8192
WARNING: possible botched superblock upgrade detected
on filesystem previously mounted on /var
fs_bsize == fs_maxbsize (0x00002000) but FS_FLAGS_UPDATED is not set
Test your filesystem by running fsck_ffs -n -f on it.
If it reports:
``VALUES IN SUPER BLOCK DISAGREE WITH THOSE IN FIRST ALTERNATE''
you should be able to recover with fsck_ffs -b 16 -c 4
See the file src/UPDATING or
http://mail-index.NetBSD.org/current-users/2004/01/11/0022.html
for more details
WARNING: possible botched superblock upgrade detected
on filesystem previously mounted on /usr
fs_bsize == fs_maxbsize (0x00002000) but FS_FLAGS_UPDATED is not set
Test your filesystem by running fsck_ffs -n -f on it.
If it reports:
``VALUES IN SUPER BLOCK DISAGREE WITH THOSE IN FIRST ALTERNATE''
you should be able to recover with fsck_ffs -b 16 -c 4
See the file src/UPDATING or
http://mail-index.NetBSD.org/current-users/2004/01/11/0022.html
for more details
wsdisplay0: screen 1 added (80x25, vt100 emulation)
wsdisplay0: screen 2 added (80x25, vt100 emulation)
wsdisplay0: screen 3 added (80x25, vt100 emulation)
wsdisplay0: screen 4 added (80x25, vt100 emulation)
From: Martin Husemann <martin@duskware.de>
To: pancake@phreaker.net
Cc: gnats-bugs@gnats.NetBSD.org
Subject: Re: kern/25128: NetBSD-2.0 (also 1.6 and current) segfaults using wi driver
Date: Sat, 10 Apr 2004 19:03:46 +0200
On Sat, Apr 10, 2004 at 05:46:01PM +0000, pancake@phreaker.net wrote:
> Ok, then I run the wistumbler2 under Xwindows, and Crash! everything
> is halted. Then I jump to the debugger, sync discs and reboot my box.
It would be more helpful if you could give the output of "tr" at this
point, as well as "ps /a" and "ps /w" maybe.
> Back to netbsd, and reading on /var/log/messages I can read these
> messages:
> Apr 10 17:25:25 pl2 /netbsd: WI_PCMCIA_ENABLE: 4
> Apr 10 17:25:26 pl2 /netbsd: WI_PCMCIA_ENABLE: 5
> Apr 10 17:25:26 pl2 /netbsd: WI_PCMCIA_ENABLE: ALL DONE
> Apr 10 17:25:32 pl2 /netbsd: WI_PCMCIA_ENABLE: 1
> Apr 10 17:25:32 pl2 /netbsd: WI_PCMCIA_ENABLE: 2
Why is it enabling the interface multiple times? Does your sniffer do a
constant flood of ifconfig down/up? If so, why?
Martin
Responsible-Changed-From-To: kern-bug-people->dyoung
Responsible-Changed-By: dyoung
Responsible-Changed-When: Sat Apr 10 19:30:12 UTC 2004
Responsible-Changed-Why:
I will take a look at it.
From: David Young <dyoung@pobox.com>
To: gnats-bugs@gnats.netbsd.org
Cc:
Subject: Re: kern/25128
Date: Sat, 10 Apr 2004 14:41:09 -0500
Thank you for the PR. The splnet()/splx() in wi_ioctl should synchronize
calls to wi_pcmcia_enable, so it is strange to me that your log indicates
that wi_pcmcia_enable is called on top of itself. I think a traceback
(trace/u) will help me figure out what's going on. Type trace/u into
ddb to get a traceback.
Dave
--
David Young OJC Technologies
dyoung@ojctech.com Urbana, IL * (217) 278-3933
From: pancake <pancake@phreaker.net>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: Re: kern/25128
Date: Tue, 13 Apr 2004 15:40:30 +0000
This is the patch that I made. I'm using netbsd-current on x86. It works perfectly.
Please test it and tell me something before applying it to the official source tree. It's a simple patch, but it's effective enough.
--- src/sys/dev/pcmcia/if_wi_pcmcia.c.orig 2004-04-13 15:47:24.000000000 +0200
+++ src/sys/dev/pcmcia/if_wi_pcmcia.c 2004-04-13 15:56:00.000000000 +0200
@@ -352,6 +352,8 @@
return (0);
}
+int wi_pcmcia_enable_lock=0;
+
static int
wi_pcmcia_enable(sc)
struct wi_softc *sc;
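Review bot: wi_pcmcia_enable_lock is declared at file scope as a plain int without static, so one flag is shared by every wi PCMCIA instance and the symbol is visible outside this file. With two cards attached, an enable in progress on one makes the other return EBUSY. Consider a per-device field in struct wi_pcmcia_softc, reached through the psc pointer the function already has, or at minimum mark the variable static.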
@@ -359,16 +361,23 @@
struct wi_pcmcia_softc *psc = (struct wi_pcmcia_softc *)sc;
struct pcmcia_function *pf = psc->sc_pf;
+ /* Verify if the interface is setting up */
+ if (wi_pcmcia_enable_lock)
+ return (EBUSY);
+ wi_pcmcia_enable_lock=1;
+
/* establish the interrupt. */
sc->sc_ih = pcmcia_intr_establish(pf, IPL_NET, wi_intr, sc);
if (sc->sc_ih == NULL) {
printf("%s: couldn't establish interrupt\n",
sc->sc_dev.dv_xname);
+ wi_pcmcia_enable_lock=0;
return (EIO);
}
if (pcmcia_function_enable(pf) != 0) {
printf("%s: couldn't enable card\n", sc->sc_dev.dv_xname);
pcmcia_intr_disestablish(pf, sc->sc_ih);
+ wi_pcmcia_enable_lock=0;
return (EIO);
}
DELAY(1000);
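Review bot: the test 'if (wi_pcmcia_enable_lock)' and the store 'wi_pcmcia_enable_lock=1;' at the top of wi_pcmcia_enable are two separate steps, and nothing in this hunk raises the interrupt priority or takes a lock around them, so a second entry arriving between the two can still pass the check. The flag also turns the second call into an EBUSY return without showing why the function is entered twice. Suggest doing the test and set inside an splnet()/splx() section or with a kernel lock primitive, and adding a comment that says which caller the guard is meant to stop and how callers should treat EBUSY.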
@@ -379,9 +388,11 @@
printf("%s: couldn't load firmware\n",
sc->sc_dev.dv_xname);
wi_pcmcia_disable(sc);
+ wi_pcmcia_enable_lock=0;
return (EIO);
}
}
+ wi_pcmcia_enable_lock=0;
return (0);
}
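Review bot: with this hunk the flag is cleared by hand at four separate returns of wi_pcmcia_enable (three EIO paths and the final 'return (0);'), so any return added later without 'wi_pcmcia_enable_lock=0;' leaves the flag set and every following enable fails with EBUSY. Suggest a single exit: store the error in a local variable, jump to one label that clears the flag, and return from there. In the firmware-failure path, wi_pcmcia_disable(sc) runs while the flag is still 1; a comment should state whether that is intended.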
From: David Young <dyoung@pobox.com>
To: pancake@phreaker.net, gnats-bugs@netbsd.org
Cc:
Subject: kern/25128: NetBSD-2.0 (also 1.6 and current) segfaults using wi driver
Date: Sun, 6 Jun 2004 00:58:36 -0500
Pancake,
I need for you to send me a stack trace.
Dave
--
David Young OJC Technologies
dyoung@ojctech.com Urbana, IL * (217) 278-3933
>Unformatted: