NetBSD Problem Report #34118

From www@NetBSD.org  Mon Jul 31 17:20:54 2006
Return-Path: <www@NetBSD.org>
Received: by narn.NetBSD.org (Postfix, from userid 31301)
	id 2271663B8C1; Mon, 31 Jul 2006 17:20:54 +0000 (UTC)
Message-Id: <20060731172054.2271663B8C1@narn.NetBSD.org>
Date: Mon, 31 Jul 2006 17:20:54 +0000 (UTC)
From: groy@qnx.com
Reply-To: groy@qnx.com
To: gnats-bugs@NetBSD.org
Subject: Atheros driver in AP mode causes kernel panic when client moves in/out of range
X-Send-Pr-Version: www-1.0

>Number:         34118
>Category:       kern
>Synopsis:       Atheros driver in AP mode causes kernel panic when client moves in/out of range
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Jul 31 17:25:00 +0000 2006
>Last-Modified:  Tue Jun 08 10:15:02 +0000 2010
>Originator:     Gilles Roy
>Release:        current
>Organization:
>Environment:
NetBSD 3.99.23
>Description:
I am running an Atheros card in access point mode, bridging traffic to Ethernet. When a client who is currently connected moves out of range, then back in range, if there is traffic on the link the driver will hit a KASSERT statement and cause a kernel panic.

The appears to be a problem several other OS's (they all use the same code base)

FreeBSD:
http://tog.net/crashdumps/crashdump3

Linux MadWifi:
http://madwifi.org/ticket/162

>How-To-Repeat:

1) Set the atheros card in AP mode
2) Create a bridge interface
3) Add the ath0 and a wired Ethernet to the bridge
4) Bring up the ath0, the bridge and the wired Ethernet interface
5) Have a client (laptop) connect to the AP
6) Pingflood the client from a host on the LAN
7) Walk out of range with the client/laptop and then come back in range


>Fix:

>Audit-Trail:
From: Gilles Roy <groy@qnx.com>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: kern/34118: Atheros driver in AP mode causes kernel panic when client moves in/out of range
Date: Mon, 31 Jul 2006 13:35:34 -0400

 Forgot to mention the KASSERT statement is at line 353 of
 athrate-sample.c. Before the panic it prints out "ndx is 0". 

From: Roy Marples <roy@NetBSD.org>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: kern/34118
Date: Tue, 08 Jun 2010 11:12:15 +0100

 This is a multi-part message in MIME format.
 --------------020907020506010203040809
 Content-Type: text/plain; charset=ISO-8859-1; format=flowed
 Content-Transfer-Encoding: 7bit

 According to comment #17 on http://madwifi-project.org/ticket/162
 the attached patch should resolve this issue.

 I'm testing it on my NetBSD-5 wireless router now as I've been bitten
 by this a few times.

 Thanks

 Roy

 --------------020907020506010203040809
 Content-Type: text/plain;
  name="ath-prevrix.diff"
 Content-Transfer-Encoding: 7bit
 Content-Disposition: attachment;
  filename="ath-prevrix.diff"

 Index: sys/dev/ic/ath.c
 ===================================================================
 RCS file: /cvsroot/src/sys/dev/ic/ath.c,v
 retrieving revision 1.102.4.2
 diff -u -p -r1.102.4.2 ath.c
 --- sys/dev/ic/ath.c	7 Aug 2009 06:48:09 -0000	1.102.4.2
 +++ sys/dev/ic/ath.c	8 Jun 2010 10:07:36 -0000
 @@ -3789,6 +3789,13 @@ ath_tx_start(struct ath_softc *sc, struc
  		} else {
  			ath_rate_findrate(sc, an, shortPreamble, pktlen,
  				&rix, &try0, &txrate);
 +			/* Ratecontrol sometimes returns invalid rate index */
 +			if (rix != 0xff)
 +				an->an_prevdatarix = rix;
 +			else {
 +				if_printf(ifp, "invalid rix 0xff\n");
 +				rix = an->an_prevdatarix;
 +			}
  			sc->sc_txrate = txrate;		/* for LED blinking */
  			if (try0 != ATH_TXMAXTRY)
  				ismrr = 1;
 Index: sys/dev/ic/athvar.h
 ===================================================================
 RCS file: /cvsroot/src/sys/dev/ic/athvar.h,v
 retrieving revision 1.25.4.2
 diff -u -p -r1.25.4.2 athvar.h
 --- sys/dev/ic/athvar.h	7 Aug 2009 06:48:09 -0000	1.25.4.2
 +++ sys/dev/ic/athvar.h	8 Jun 2010 10:07:36 -0000
 @@ -90,6 +90,7 @@ typedef unsigned int ath_keyix_t;
  struct ath_node {
  	struct ieee80211_node an_node;	/* base class */
  	u_int32_t	an_avgrssi;	/* average rssi over all rx frames */
 +	u_int8_t	an_prevdatarix; /* rate ix of laste data frame */
  	/* variable-length rate control state follows */
  };
  #define	ATH_NODE(ni)	((struct ath_node *)(ni))

 --------------020907020506010203040809--

NetBSD Home
NetBSD PR Database Search

(Contact us) $NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2007 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.