NetBSD Problem Report #45745

From prlw1@inf.phy.cam.ac.uk  Mon Dec 26 22:19:56 2011
Return-Path: <prlw1@inf.phy.cam.ac.uk>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by www.NetBSD.org (Postfix) with ESMTP id 34E7463BB83
	for <gnats-bugs@gnats.netbsd.org>; Mon, 26 Dec 2011 22:19:56 +0000 (UTC)
Message-Id: <E1RfItg-0001HA-0t@quartz.inf.phy.cam.ac.uk>
Date: Mon, 26 Dec 2011 22:19:56 +0000
From: prlw1@cam.ac.uk
Sender: Patrick Welche <prlw1@inf.phy.cam.ac.uk>
Reply-To: prlw1@cam.ac.uk
To: gnats-bugs@gnats.NetBSD.org
Subject: ath0 hostap change mode panic
X-Send-Pr-Version: 3.95

>Number:         45745
>Category:       kern
>Synopsis:       ath0 hostap panics with ifconfig ath0 mode 11g
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Dec 26 22:20:00 +0000 2011
>Last-Modified:  Sat Jun 27 05:10:02 +0000 2020
>Originator:     Patrick Welche
>Release:        NetBSD 5.99.59
>Organization:
>Environment:
Architecture: i386
Machine: i386
>Description:
On NetBSD/i386-current from 24 Dec, I tried setting up a hostap based on ath0:
    Vendor Name: Atheros Communications (0x168c)
    Device Name: AR5212 Wireless LAN (0x0013)

The iwn0 client and the ath0 had an "active" network, but according
to tcpdump, neither could see any packets. I then tried

    ifconfig ath0 mode 11g

as ifconfig -m ath0 lists

     media autoselect mode 11g mediaopt hostap

as the iwn0 selected 11g, but as the ath0 was in hostap mode,
it picked the first available mode, i.e., 11b (ieee80211.c::642).
However, this caused a (repeatable) panic:

#0  0xc031c7a8 in maybe_dump (howto=260)
    at ../../../../arch/i386/i386/machdep.c:861
#1  cpu_reboot (howto=260, bootstr=0x0)
    at ../../../../arch/i386/i386/machdep.c:886
#2  0xc0481676 in vpanic (fmt=0xc065e78c "bogus long slot station count %d", 
    ap=0xce45a648 "") at ../../../../kern/subr_prf.c:308
#3  0xc0481738 in panic (fmt=0xc065e78c "bogus long slot station count %d")
    at ../../../../kern/subr_prf.c:205
#4  0xc025cb08 in ieee80211_node_leave_11g (ni=0xc3497000, ic=0xcbdae4ac)
    at ../../../../net80211/ieee80211_node.c:2228
#5  ieee80211_node_leave (ic=0xcbdae4ac, ni=0xc3497000)
    at ../../../../net80211/ieee80211_node.c:2311
#6  0xc025c7c5 in ieee80211_iterate_nodes (nt=0xcbdaec2c, 
    f=0xc02607a0 <sta_disassoc>, arg=0xcbdae4ac)
    at ../../../../net80211/ieee80211_node.c:2062
#7  0xc0260d34 in ieee80211_newstate (ic=0xcbdae4ac, nstate=IEEE80211_S_INIT, 
    arg=-1) at ../../../../net80211/ieee80211_proto.c:939
#8  0xc017ec35 in ath_newstate (ic=0xcbdae4ac, nstate=IEEE80211_S_INIT, arg=-1)
    at ../../../../dev/ic/ath.c:4805
#9  0xc017a4df in ath_stop_locked (ifp=0xcbdae030, disable=0)
    at ../../../../dev/ic/ath.c:1112
#10 0xc017f818 in ath_init (sc=0xcbdae000) at ../../../../dev/ic/ath.c:999
#11 0xc017fa1d in ath_media_change (ifp=0xcbdae030)
    at ../../../../dev/ic/ath.c:1454
#12 0xc027a217 in ifmedia_change (ifp=0xcbdae030, ifm=0xcbdaecf0)
    at ../../../../net/if_media.c:125
#13 ifmedia_ioctl (ifp=0xcbdae030, ifr=0xcc8faf00, ifm=0xcbdaecf0, 
    cmd=3230689589) at ../../../../net/if_media.c:298
#14 0xc02559bb in ieee80211_ioctl (ic=0xcbdae4ac, cmd=3230689589, 
    data=0xcc8faf00) at ../../../../net80211/ieee80211_ioctl.c:2609
#15 0xc017faee in ath_ioctl (ifp=0xcbdae030, cmd=3230689589, data=0xcc8faf00)
    at ../../../../dev/ic/ath.c:5365
#16 0xc0265706 in ifioctl (so=0xc2ece928, cmd=3230689589, data=0xcc8faf00, 
    l=0xcdc8fd40) at ../../../../net/if.c:1839
#17 0xc04959da in soo_ioctl (fp=0xd3af8c40, cmd=3230689589, data=0xcc8faf00)
    at ../../../../kern/sys_socket.c:200
#18 0xc048a921 in sys_ioctl (l=0xcdc8fd40, uap=0xce45acf4, retval=0xce45ad1c)
    at ../../../../kern/sys_generic.c:645
#19 0xc0495ac7 in sy_call (rval=0xce45ad1c, uap=0xce45acf4, l=0xcdc8fd40, 
    sy=0xc06d6e08) at ../../../../sys/syscallvar.h:61
#20 syscall (frame=0xce45ad48) at ../../../../arch/x86/x86/syscall.c:196
#21 0xc010058d in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)

ieee80211_node
  ni->nicapinfo = 49 = 0x31 = ESS, PRIVACY, SHORT_PREAMBLE
ieee80211com
  ic->ic_longslotsta = 0
  ic->ic_modecaps = 13 = 1+4+8 = IEEE80211_MODE_AUTO, 11B, 11G.
  ic->ic_curmode = 3 = IEEE80211_MODE_11G

I think that the problem is that we ask for 11G, so ic_curmode is changed
to 11G, then we need to reset for the change to take effect => ath_init, but
then we must leave our current network: 11G as that is what curmode now says.
oops.
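The accounting mismatch described above, as an added C model that is not NetBSD's net80211 code: the mode and capinfo constants are the net80211 values quoted in the PR, while the per-node 'counted' flag and the function bodies are assumptions approximating the join/leave 11g bookkeeping. The buggy leave decides by ic_curmode alone, so a node that joined under 11b is decremented although it was never counted; the hardened variant undoes only what the node contributed.

```c
/* Constructed model of net80211's long-slot bookkeeping; constants match the PR. */
enum { MODE_11B = 2, MODE_11G = 3 };        /* IEEE80211_MODE_11B, IEEE80211_MODE_11G */
#define CAPINFO_SHORT_SLOTTIME 0x0400       /* IEEE80211_CAPINFO_SHORT_SLOTTIME */
struct ic   { int curmode; int longslotsta; };
struct node { unsigned capinfo; int counted; };   /* 'counted' is a hypothetical flag */

/* Join: the 11g accounting only runs when the AP is currently in 11g mode. */
static void node_join(struct ic *ic, struct node *ni)
{
    if (ic->curmode == MODE_11G && !(ni->capinfo & CAPINFO_SHORT_SLOTTIME)) {
        ic->longslotsta++;
        ni->counted = 1;
    }
}

/* Leave as in the PR's backtrace: decides by the *current* mode, so a node that
 * joined under 11b is decremented although it was never counted. -1 = panic. */
static int node_leave_buggy(struct ic *ic, struct node *ni)
{
    if (ic->curmode == MODE_11G && !(ni->capinfo & CAPINFO_SHORT_SLOTTIME)) {
        if (ic->longslotsta <= 0)
            return -1;              /* panic("bogus long slot station count") */
        ic->longslotsta--;
    }
    return 0;
}

/* Hardened variant: undo only what this node actually contributed. */
static int node_leave_fixed(struct ic *ic, struct node *ni)
{
    if (ni->counted) {
        if (ic->longslotsta <= 0)
            return -1;
        ic->longslotsta--;
        ni->counted = 0;
    }
    return 0;
}

/* Replay: the client joins while ath0 is in join_mode, "ifconfig ath0 mode 11g"
 * flips ic_curmode, and the reset makes the node leave under 11g.
 * Returns -1 for the bogus-count panic, else the remaining long-slot count. */
static int replay(int join_mode, int (*leave)(struct ic *, struct node *))
{
    struct ic ic = { join_mode, 0 };
    struct node ni = { 0x31, 0 };   /* ni_capinfo = ESS|PRIVACY|SHORT_PREAMBLE */
    node_join(&ic, &ni);
    ic.curmode = MODE_11G;          /* ic_curmode = 3 in the PR's dump */
    return leave(&ic, &ni) < 0 ? -1 : ic.longslotsta;
}
```

replay(MODE_11B, node_leave_buggy) reproduces the PR's path to the panic, while replay(MODE_11G, ...) shows both variants agree when the node really was counted.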
>How-To-Repeat:

>Fix:


>Audit-Trail:
From: "Jukka Ruohonen" <jruoho@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/45745 CVS commit: src
Date: Sat, 27 Jun 2020 05:07:08 +0000

 Module Name:	src
 Committed By:	jruoho
 Date:		Sat Jun 27 05:07:08 UTC 2020

 Modified Files:
 	src/distrib/sets/lists/tests: mi
 	src/tests/sbin/ifconfig: Makefile
 Added Files:
 	src/tests/sbin/ifconfig: t_woptions.sh

 Log Message:
 Add test cases for different 802.11 options. These include cases for
 PR kern/35045, PR kern/45745, and PR kern/55424.


 To generate a diff of this commit:
 cvs rdiff -u -r1.854 -r1.855 src/distrib/sets/lists/tests/mi
 cvs rdiff -u -r1.5 -r1.6 src/tests/sbin/ifconfig/Makefile
 cvs rdiff -u -r0 -r1.1 src/tests/sbin/ifconfig/t_woptions.sh

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

>Unformatted:
 24 Dec 2011
