Date: Sun, 16 Nov 2008 17:12:40 GMT
From: Jason Brand <kitambi@epicsol.org>
To: freebsd-gnats-submit@FreeBSD.org
Subject: if_wpi and wpa+tkip causing kernel panic 
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         128917
>Category:       kern
>Synopsis:       [wpi] [panic] if_wpi and wpa+tkip causing kernel panic
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bschmidt
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Nov 16 17:20:00 UTC 2008
>Closed-Date:    Tue Jun 19 07:18:20 UTC 2012
>Last-Modified:  Tue Jun 19 07:18:20 UTC 2012
>Originator:     Jason Brand
>Release:        FreeBSD 7.1-PRERELEASE i386
>Organization:
>Environment:
System: FreeBSD paladin 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #1: Fri Nov 14 10:10:16 EST 2008 root@paladin:/usr/obj/usr/src/sys/PALADIN i386

>Description:
When using WPA+TKIP with if_wpi, the card will become dissociated from the AP.  The LED on the laptop will not be turned off, as it usually will when the link is terminated, and wpa_supplicant does not seem to realize that the link was dropped.  The wpa_supplicant "reassociate" command causes the following:

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0xffff
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc0a12dfc
stack pointer           = 0x28:0xe6db9be0
frame pointer           = 0x28:0xe6db9c9c
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 35 (wpi0 taskq)
trap number             = 12
panic: page fault
cpuid = 0
Uptime: 13m38s
Physical memory: 3054 MB
Dumping 170 MB: 155 139 123 107 91 75 59 43 27 11

(kgdb) bt
#0  doadump () at pcpu.h:196
#1  0xc058b157 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:418
#2  0xc058b462 in panic (fmt=Variable "fmt" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:574
#3  0xc07e1fe3 in trap_fatal (frame=0xe6db9ba0, eva=65535)
    at /usr/src/sys/i386/i386/trap.c:939
#4  0xc07e2240 in trap_pfault (frame=0xe6db9ba0, usermode=0, eva=65535)
    at /usr/src/sys/i386/i386/trap.c:852
#5  0xc07e2c12 in trap (frame=0xe6db9ba0) at /usr/src/sys/i386/i386/trap.c:530
#6  0xc07c93fb in calltrap () at /usr/src/sys/i386/i386/exception.s:159
#7  0xc0a12dfc in wpi_ops (arg0=0xc68fd000, pending=1)
    at /usr/src/sys/modules/wpi/../../dev/wpi/if_wpi.c:2411
#8  0xc05be5a5 in taskqueue_run (queue=0xc68f5a00)
    at /usr/src/sys/kern/subr_taskqueue.c:282
#9  0xc05be7ab in taskqueue_thread_loop (arg=0xc68fe9b4)
    at /usr/src/sys/kern/subr_taskqueue.c:401
#10 0xc05677a9 in fork_exit (callout=0xc05be6f0 <taskqueue_thread_loop>,
    arg=0xc68fe9b4, frame=0xe6db9d38) at /usr/src/sys/kern/kern_fork.c:804
#11 0xc07c9470 in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:264


>How-To-Repeat:
Connect to a WPA+TKIP network.  The PR originator only has access to one network using this, therefore is unable to verify the reproducibility on other networks.
>Fix:
Workaround:
Do not use wpa_supplicant's "reassociate" command to re-establish the link.  Instead, run /etc/rc.d/netif restart.

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-i386->freebsd-net 
Responsible-Changed-By: remko 
Responsible-Changed-When: Sat Nov 22 13:31:30 UTC 2008 
Responsible-Changed-Why:  
This is a networking item 

http://www.freebsd.org/cgi/query-pr.cgi?pr=128917 

From: Jason Brand <kitambi@epicsol.org>
To: bug-followup@FreeBSD.org, kitambi@epicsol.org
Cc:  
Subject: Re: kern/128917: [wpi] [panic] if_wpi and wpa+tkip causing kernel
	panic
Date: Tue, 13 Jan 2009 15:01:05 -0500

 Additional information: 
 
 I have managed to reproduce this issue on a different network that uses WPA+TKIP,
 with PAP as the phase2 method.
 
 Backtrace:
 Breakpoint 1 at 0xc058bc5c: file pcpu.h, line 196.
 (kgdb) bt
 #0  doadump () at pcpu.h:196
 #1  0xc058c347 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:418
 #2  0xc058c652 in panic (fmt=Variable "fmt" is not available.
 ) at /usr/src/sys/kern/kern_shutdown.c:574
 #3  0xc07e34f3 in trap_fatal (frame=0xe6db9ba0, eva=65535)
     at /usr/src/sys/i386/i386/trap.c:939
 #4  0xc07e3750 in trap_pfault (frame=0xe6db9ba0, usermode=0, eva=65535)
     at /usr/src/sys/i386/i386/trap.c:852
 #5  0xc07e4122 in trap (frame=0xe6db9ba0) at /usr/src/sys/i386/i386/trap.c:530
 #6  0xc07ca90b in calltrap () at /usr/src/sys/i386/i386/exception.s:159
 #7  0xc0a17dfc in wpi_ops (arg0=0xc68fe000, pending=1)
     at /usr/src/sys/modules/wpi/../../dev/wpi/if_wpi.c:2411
 #8  0xc05bf795 in taskqueue_run (queue=0xc68f7a00)
     at /usr/src/sys/kern/subr_taskqueue.c:282
 #9  0xc05bf99b in taskqueue_thread_loop (arg=0xc68ff9b4)
     at /usr/src/sys/kern/subr_taskqueue.c:401
 #10 0xc0567eb9 in fork_exit (callout=0xc05bf8e0 <taskqueue_thread_loop>,
     arg=0xc68ff9b4, frame=0xe6db9d38) at /usr/src/sys/kern/kern_fork.c:804
 #11 0xc07ca980 in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:264
 
 WPA information:
 Selected interface 'wpi0'
 bssid=00:0c:e6:xx:xx:xx
 ssid=<hidden>
 id=2
 pairwise_cipher=TKIP
 group_cipher=TKIP
 key_mgmt=WPA/IEEE 802.1X/EAP
 wpa_state=ASSOCIATED
 ip_address=0.0.0.0
 Supplicant PAE state=HELD
 suppPortStatus=Unauthorized
 EAP state=FAILURE
 selectedMethod=21 (EAP-TTLS)
 EAP TLS cipher=(NONE)
 EAP-TTLSv0 Phase2 method=PAP
 
 

From: Marc Peters <marc@sanity.de>
To: bug-followup@FreeBSD.org, kitambi@epicsol.org
Cc:  
Subject: Re: kern/128917: [wpi] [panic] if_wpi and wpa+tkip causing kernel
 panic
Date: Fri, 16 Jan 2009 13:34:29 +0100

 I am hitting this too on a network with an AirPort Extreme access point
 when it uses "WPA/WPA2". With this security setting Apple just uses
 TKIP, and trying to force FreeBSD to use AES-CCMP in
 /etc/wpa_supplicant.conf doesn't work, i.e. wpi cannot connect to the
 network. Using only WPA2 on this access point will provide AES and no
 more panics.
 
 Here is some additional information as suggested on the STABLE-ML:
 
 from a textdump:
 
 msgbuf.txt:
 [snipping dmesg and startup-messages]
 Fatal trap 12: page fault while in kernel mode
 cpuid = 1; apic id = 01
 fault virtual address	= 0xffff
 fault code		= supervisor read, page not present
 instruction pointer	= 0x20:0xc0e70dfc
 stack pointer	        = 0x28:0xe58bbbe0
 frame pointer	        = 0x28:0xe58bbc9c
 code segment		= base 0x0, limit 0xfffff, type 0x1b
 			= DPL 0, pres 1, def32 1, gran 1
 processor eflags	= interrupt enabled, resume, IOPL = 0
 current process		= 25 (wpi0 taskq)
 
 
 ddb.txt (just bt output here):
 
 db> bt
 
 Tracing pid 25 tid 100024 td 0xc5189af0
 wpi_ops(c52c5000,1,c0b7cf36,0,0,...) at wpi_ops+0x89c
 taskqueue_run(c52ab200,c52ab21c,0,c0b7cf36,0,...) at taskqueue_run+0x175
 taskqueue_thread_loop(c52c69b4,e58bbd38,0,0,0,...) at taskqueue_thread_loop+0xbb
 fork_exit(c07fb2b0,c52c69b4,e58bbd38) at fork_exit+0x99
 fork_trampoline() at fork_trampoline+0x8
 --- trap 0, eip = 0, esp = 0xe58bbd70, ebp = 0 ---
 
 
 version.txt:
 FreeBSD 7.1-STABLE #0: Thu Jan 15 13:51:12 CET 2009
     root@lappi.agentur.local:/usr/obj/usr/src/sys/DEBUG_DRM
 
 gdb
 gdb> file /boot/YOUR_KERNEL/if_wpi.ko
 
 Reading symbols from /boot/kernel/if_wpi.ko...Reading symbols from /boot/kernel/if_wpi.ko.symbols...done.
 
 gdb> l *wpi_ops+0x89c
 
 0x9dfc is in wpi_ops (/usr/src/sys/modules/wpi/../../dev/wpi/if_wpi.c:2411).
 2406		/* update adapter's configuration */
 2407		sc->config.associd = 0;
 2408		sc->config.filter &= ~htole32(WPI_FILTER_BSS);
 2409		IEEE80211_ADDR_COPY(sc->config.bssid, ni->ni_bssid);
 2410		sc->config.chan = ieee80211_chan2ieee(ic, ni->ni_chan);
 2411		if (IEEE80211_IS_CHAN_2GHZ(ni->ni_chan)) {
 2412			sc->config.flags |= htole32(WPI_CONFIG_AUTO |
 2413			    WPI_CONFIG_24GHZ);
 2414		}
 2415		switch (ic->ic_curmode) {

From: Perrin Alexandre <alexandre.perrin@epfl.ch>
To: bug-followup@FreeBSD.org, kitambi@epicsol.org
Cc:  
Subject: Re: kern/128917: [wpi] [panic] if_wpi and wpa+tkip causing kernel
	panic
Date: Wed, 28 Jan 2009 21:41:41 +0100

 Hi,
 I also got a panic from wpi(4) with a WPA/TKIP network at home.
 I'm using 7.1-RELEASE on amd64:
 
 % uname -a
 FreeBSD FriBSD630 7.1-RELEASE-p2 FreeBSD 7.1-RELEASE-p2 #0: Mon Jan 26 01:29:32 CET 2009     toor@FriBSD630:/usr/obj/usr/src/sys/KAWAROU  amd64
 
 Regards,
 Perrin Alexandre
 
 Attachment: kgdb.txt
 
 Fatal trap 12: page fault while in kernel mode
 cpuid = 0; apic id = 00
 fault virtual address   = 0xffff
 fault code              = supervisor read data, page not present
 instruction pointer     = 0x8:0xffffffff8066353c
 stack pointer           = 0x10:0xffffffffb0004a90
 frame pointer           = 0x10:0xffffffffb0004bb0
 code segment            = base 0x0, limit 0xfffff, type 0x1b
                         = DPL 0, pres 1, long 1, def32 0, gran 1
 processor eflags        = interrupt enabled, resume, IOPL = 0
 current process         = 33 (wpi0 taskq)
 trap number             = 12
 panic: page fault
 cpuid = 0
 Uptime: 7h42m19s
 Physical memory: 1514 MB
 Dumping 578 MB: 563 547 531 515 499 483 467 451 435 419 403 387 371 355 339 323 307 291 275 259 243 227 211 195 179 163 147 131 115 (CTRL-C to abort)  99 83 67 (CTRL-C to abort)  51 35 19 3
 
 Reading symbols from /boot/kernel/zfs.ko...Reading symbols from /bootdir/boot/kernel/zfs.ko.symbols...done.
 done.
 Loaded symbols for /boot/kernel/zfs.ko
 Reading symbols from /boot/kernel/opensolaris.ko...Reading symbols from /bootdir/boot/kernel/opensolaris.ko.symbols...done.
 done.
 Loaded symbols for /boot/kernel/opensolaris.ko
 Reading symbols from /boot/kernel/wpifw.ko...Reading symbols from /bootdir/boot/kernel/wpifw.ko.symbols...done.
 done.
 Loaded symbols for /boot/kernel/wpifw.ko
 Reading symbols from /boot/kernel/i915.ko...Reading symbols from /bootdir/boot/kernel/i915.ko.symbols...done.
 done.
 Loaded symbols for /boot/kernel/i915.ko
 Reading symbols from /boot/kernel/drm.ko...Reading symbols from /bootdir/boot/kernel/drm.ko.symbols...done.
 done.
 Loaded symbols for /boot/kernel/drm.ko
 #0  doadump () at pcpu.h:195
 195 pcpu.h: No such file or directory.
     in pcpu.h
 (kgdb) bt
 #0  doadump () at pcpu.h:195
 #1  0xffffffff803fecc8 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:418
 #2  0xffffffff803ff10c in panic (fmt=0xffffffff806b748f "%s") at /usr/src/sys/kern/kern_shutdown.c:574
 #3  0xffffffff8063f51c in trap_fatal (frame=0xffffff00012af000, eva=Variable "eva" is not available.
 ) at /usr/src/sys/amd64/amd64/trap.c:764
 #4  0xffffffff8063f8e4 in trap_pfault (frame=0xffffffffb00049e0, usermode=0) at /usr/src/sys/amd64/amd64/trap.c:680
 #5  0xffffffff806402c2 in trap (frame=0xffffffffb00049e0) at /usr/src/sys/amd64/amd64/trap.c:449
 #6  0xffffffff806257b3 in calltrap () at /usr/src/sys/amd64/amd64/exception.S:209
 #7  0xffffffff8066353c in wpi_ops (arg0=Variable "arg0" is not available.
 ) at /usr/src/sys/dev/wpi/if_wpi.c:2411
 #8  0xffffffff80434cbd in taskqueue_run (queue=0xffffff00012d8180) at /usr/src/sys/kern/subr_taskqueue.c:282
 #9  0xffffffff80434f82 in taskqueue_thread_loop (arg=Variable "arg" is not available.
 ) at /usr/src/sys/kern/subr_taskqueue.c:401
 #10 0xffffffff803dc0df in fork_exit (callout=0xffffffff80434f10 <taskqueue_thread_loop>, arg=0xffffffff80e4a0c0, frame=0xffffffffb0004c80) at /usr/src/sys/kern/kern_fork.c:804
 #11 0xffffffff80625b8e in fork_trampoline () at /usr/src/sys/amd64/amd64/exception.S:455
 
 Attachment: network-infos.txt
 
 bssid=00:02:cf:xx:xx:xx
 ssid=Nope
 id=1
 pairwise_cipher=TKIP
 group_cipher=TKIP
 key_mgmt=WPA-PSK
 wpa_state=COMPLETED
 ip_address=192.168.1.X
 
State-Changed-From-To: open->feedback 
State-Changed-By: bschmidt 
State-Changed-When: Wed Dec 22 08:42:16 UTC 2010 
State-Changed-Why:  
Is that still an issue on a recent release? 


Responsible-Changed-From-To: freebsd-net->bschmidt 
Responsible-Changed-By: bschmidt 
Responsible-Changed-When: Wed Dec 22 08:42:16 UTC 2010 
Responsible-Changed-Why:  
over to me 

State-Changed-From-To: feedback->closed 
State-Changed-By: bschmidt 
State-Changed-When: Tue Jun 19 07:18:04 UTC 2012 
State-Changed-Why:  
feedback timeout 

>Unformatted:
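
Added example (not part of the original PR and not FreeBSD tooling): the reports in this PR come from different kernel builds and architectures, so raw addresses and pids differ between them. The Python below reduces a panic message plus kgdb backtrace to a build-independent signature (fault address, process name, first frame below the trap handlers) so that such reports can be matched as one bug. The function names are this example's own, and the two inputs are abridged from the i386 and amd64 reports above.

```python
import posixpath
import re

# Frames of the panic/trap path itself; the faulting code is the first frame below.
TRAP_PATH = {"doadump", "boot", "panic", "trap_fatal", "trap_pfault", "trap", "calltrap"}
FIELD_RE = re.compile(r"^\s*(fault virtual address|current process)\s*=\s*(.+?)\s*$", re.M)
FRAME_RE = re.compile(r"#\d+ (?:0x[0-9a-f]+ in )?(\w+) \(.*?\) at (\S+):(\d+)")

def frames(report):
    """Return (function, source path, line) per kgdb frame, re-joining wrapped lines."""
    out = []
    for chunk in re.split(r"^\s*(?=#\d+\s)", report, flags=re.M):
        m = FRAME_RE.match(" ".join(chunk.split()))
        if m:  # normpath folds modules/wpi/../../dev/wpi into dev/wpi
            out.append((m.group(1), posixpath.normpath(m.group(2)), int(m.group(3))))
    return out

def crash_signature(report):
    """Reduce a panic report to values that do not change between kernel builds."""
    fields = dict(FIELD_RE.findall(report))
    if "fault virtual address" not in fields:
        return None  # no page-fault header found
    proc = re.search(r"\((.*)\)", fields.get("current process", "()")).group(1)
    culprit = next((f for f in frames(report) if f[0] not in TRAP_PATH), None)
    return (int(fields["fault virtual address"], 16), proc, culprit)

# Abridged from the i386 and amd64 reports in this PR.
I386 = """\
fault virtual address   = 0xffff
current process         = 35 (wpi0 taskq)
#2  0xc058b462 in panic (fmt=Variable "fmt" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:574
#6  0xc07c93fb in calltrap () at /usr/src/sys/i386/i386/exception.s:159
#7  0xc0a12dfc in wpi_ops (arg0=0xc68fd000, pending=1)
    at /usr/src/sys/modules/wpi/../../dev/wpi/if_wpi.c:2411
#8  0xc05be5a5 in taskqueue_run (queue=0xc68f5a00)
    at /usr/src/sys/kern/subr_taskqueue.c:282
"""
AMD64 = """\
fault virtual address   = 0xffff
             current process     = 33 (wpi0 taskq)
#0  doadump () at pcpu.h:195
#4  0xffffffff8063f8e4 in trap_pfault (frame=0xffffffffb00049e0, usermode=0) at /usr/src/sys/amd64/amd64/trap.c:680
#7  0xffffffff8066353c in wpi_ops (arg0=Variable "arg0" is not available.
                ) at /usr/src/sys/dev/wpi/if_wpi.c:2411
"""

if __name__ == "__main__":
    for name, report in (("i386", I386), ("amd64", AMD64)):
        print(name, crash_signature(report))
```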
