From owner-freebsd-bugs@FreeBSD.ORG Thu Mar 11 05:40:02 2010
Return-Path:
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0FBE71065670 for ; Thu, 11 Mar 2010 05:40:02 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id E16CD8FC25 for ; Thu, 11 Mar 2010 05:40:01 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id o2B5e1aw088950 for ; Thu, 11 Mar 2010 05:40:01 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.14.4/8.14.4/Submit) id o2B5e1Qx088949; Thu, 11 Mar 2010 05:40:01 GMT (envelope-from gnats)
Resent-Date: Thu, 11 Mar 2010 05:40:01 GMT
Resent-Message-Id: <201003110540.o2B5e1Qx088949@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Arthur Hartwig
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id EA4CF106564A for ; Thu, 11 Mar 2010 05:32:24 +0000 (UTC) (envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21]) by mx1.freebsd.org (Postfix) with ESMTP id D9E468FC1B for ; Thu, 11 Mar 2010 05:32:24 +0000 (UTC)
Received: from www.freebsd.org (localhost [127.0.0.1]) by www.freebsd.org (8.14.3/8.14.3) with ESMTP id o2B5WOak081880 for ; Thu, 11 Mar 2010 05:32:24 GMT (envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost) by www.freebsd.org (8.14.3/8.14.3/Submit) id o2B5WOH5081878; Thu, 11 Mar 2010 05:32:24 GMT (envelope-from nobody)
Message-Id: <201003110532.o2B5WOH5081878@www.freebsd.org>
Date: Thu, 11 Mar 2010 05:32:24 GMT
From: Arthur Hartwig
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Cc:
Subject: kern/144642: Enabling rum interface causes panic
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 11 Mar 2010 05:40:02 -0000

>Number:         144642
>Category:       kern
>Synopsis:       Enabling rum interface causes panic
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Mar 11 05:40:01 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Arthur Hartwig
>Release:        8.0
>Organization:
self
>Environment:
FreeBSD tux.example.org 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:48:17 UTC 2009     root@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
I first came across this on pfSense 2.0 BETA (based on FreeBSD 8.0) where I wanted to configure the rum device as a wireless access point. The system panic'd very soon after clicking on the pfSense "Apply changes" button. Analysis showed this click resulted in at least four ifconfig commands relating to the interface, but a similar panic could be produced on FreeBSD 8.0 by two simplified commands.

The following back trace was taken from a panic of the pfSense debug kernel:

    Fatal trap 12: page fault while in kernel mode
    cpuid = 0; apic id = 00
    fault virtual address   = 0xffff
    fault code              = supervisor read, page not present
    instruction pointer     = 0x20:0xc0a777ab
    stack pointer           = 0x28:0xd50ddba4
    frame pointer           = 0x28:0xd50ddbb0
    code segment            = base 0x0, limit 0xfffff, type 16
                            = DPL 0, pres 1, def32 1, gram 1
    processor eflags        = interrupt enabled, resume, IOPL=0
    current process         = 0 (rum0 taskq)
    [thread pid 0 tid 64096]
    db> bt
    Tracing pid 0 tid 64096 0xc3673d80
    ieee80211_getcapinfo(c36f9000, ffff, c0a5c629, c36f987c, ...) at ieee80211_getcapinfo+0x56
    ieee80211_beacon_construct(c3762000, 18, 691, d50ddc04, 5c9, ...) at ieee80211_beacon_construct+0x67
    ieee80211_beacon_alloc(c3762000, c36f987c, 6, 2cb, c0e1940e, ...) at ieee80211_beacon_alloc+0xdb
    rum_new_state(c36f9000, 5, ffffffff, 654, d50ddca8, ...) at rum_newstate+0x2b3

The back trace for the panic in adhoc mode is a bit different to the backtrace in hostap mode, but both cases panic attempting to access 0xffff at ieee80211_getcapinfo+0x56. The problem appears to be that ieee80211_getcapinfo() is called with the second parameter 0xffff (IEEE80211_CHAN_ANYC) rather than a valid pointer to a struct ieee80211_channel.
>How-To-Repeat:
FreeBSD 8.0, rum USB wireless NIC plugged in. The following two commands cause a system panic within a couple of seconds:

    # ifconfig wlan create wlandev rum0 wlanmode adhoc bssid
    # ifconfig wlan0 up ssid Bree

The following two commands cause a similar panic:

    # ifconfig wlan create wlandev rum0 wlanmode hostap bssid
    # ifconfig wlan0 up ssid Bree

The following two commands don't cause a panic within a couple of seconds:

    # ifconfig wlan create wlandev rum0 bssid
    # ifconfig wlan0 up ssid Bree
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
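The defect class the report points at is a sentinel value (IEEE80211_CHAN_ANYC, which shows up as the 0xffff fault address) that is type-punned to a channel pointer and then dereferenced as if it were a real channel record. The C program below is an added illustration of that class and of the guard a consumer of such a pointer needs; it is not net80211 code, not the rum driver, and not the fix for this PR. The struct names, field names, CAP_ bits and the CHAN_ANYC definition are simplified assumptions modelled on the trace, and the channel frequency used is constructed sample input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed, simplified model of the net80211 objects in the PR's
 * back trace; none of these are the kernel's real definitions. The
 * sentinel mirrors the 0xffff fault address in the trace: a token that
 * has the type of a channel pointer but must never be dereferenced. */
#define CHAN_ANY   0xffff
#define CHAN_ANYC  ((struct channel *)(uintptr_t)CHAN_ANY)

enum opmode { OPMODE_STA = 0, OPMODE_IBSS = 1, OPMODE_HOSTAP = 2 };

/* Assumed capability bits for the beacon capability word. */
#define CAP_ESS            0x0001
#define CAP_IBSS           0x0002
#define CAP_PRIVACY        0x0010
#define CAP_SHORT_PREAMBLE 0x0020

struct channel {
    uint16_t freq;            /* MHz */
};

struct node {
    struct channel *chan;     /* may still hold CHAN_ANYC early in setup */
};

struct vap {
    enum opmode opmode;
    int privacy;
    struct node *bss;
    struct channel *curchan;  /* the interface's current channel */
};

/* A channel pointer is usable only if it is neither NULL nor the
 * "any channel" sentinel. A plain NULL check would pass the sentinel;
 * this is the guard the trace shows missing before the capability
 * lookup touched the channel. */
int channel_is_valid(const struct channel *chan)
{
    return chan != NULL && chan != CHAN_ANYC;
}

/* Guarded getcapinfo-style helper: returns 0 and fills *cap, or -1
 * without touching *chan when the channel is invalid. */
int getcapinfo_checked(const struct vap *vap, const struct channel *chan,
                       uint16_t *cap)
{
    uint16_t c = 0;

    if (!channel_is_valid(chan))
        return -1;
    if (vap->opmode == OPMODE_IBSS)
        c |= CAP_IBSS;
    else if (vap->opmode == OPMODE_HOSTAP)
        c |= CAP_ESS;
    if (vap->privacy)
        c |= CAP_PRIVACY;
    /* The channel is dereferenced only after the guard above. */
    if (chan->freq < 3000)    /* 2.4 GHz band, simplified */
        c |= CAP_SHORT_PREAMBLE;
    *cap = c;
    return 0;
}

/* Caller-side resolution: prefer the bss node's channel, fall back to
 * the interface's current channel while the node still carries the
 * sentinel, and return NULL when neither is usable. */
const struct channel *resolve_beacon_channel(const struct vap *vap)
{
    if (vap->bss != NULL && channel_is_valid(vap->bss->chan))
        return vap->bss->chan;
    if (channel_is_valid(vap->curchan))
        return vap->curchan;
    return NULL;
}

/* Rebuilds the PR's situation: a freshly created adhoc or hostap vap
 * whose bss node still holds CHAN_ANYC. With pass_sentinel set, the
 * node's channel goes straight to the helper (the crash path in the
 * trace); otherwise the caller resolves a real channel first. Returns
 * the capability word, or CHAN_ANY when the helper refused. */
uint16_t run_scenario(enum opmode mode, int pass_sentinel)
{
    struct channel cur = { 2412 };           /* constructed: channel 1 */
    struct node bss = { CHAN_ANYC };
    struct vap vap = { mode, 0, &bss, &cur };
    const struct channel *chan = pass_sentinel ? bss.chan
                                               : resolve_beacon_channel(&vap);
    uint16_t cap = 0;

    if (getcapinfo_checked(&vap, chan, &cap) != 0)
        return CHAN_ANY;
    return cap;
}

int main(void)
{
    printf("adhoc, sentinel passed through: 0x%04x\n", run_scenario(OPMODE_IBSS, 1));
    printf("adhoc, channel resolved:        0x%04x\n", run_scenario(OPMODE_IBSS, 0));
    printf("hostap, channel resolved:       0x%04x\n", run_scenario(OPMODE_HOSTAP, 0));
    return 0;
}
```

In a kernel the guarded helper would assert or log rather than return an error code, but the shape is the same: every consumer of a pointer that can legitimately hold a non-NULL sentinel has to compare against that sentinel, because the usual NULL check lets it through and the first field access becomes the page fault seen in the trace.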