Message-Id: <201003110532.o2B5WOH5081878@www.freebsd.org>
Date: Thu, 11 Mar 2010 05:32:24 GMT
From: Arthur Hartwig <a_hartwig@fastmail.fm>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Enabling rum interface causes panic
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         144642
>Category:       kern
>Synopsis:       [rum] [panic] Enabling rum interface causes panic
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-net
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Mar 11 05:40:01 UTC 2010
>Closed-Date:    Fri Apr 29 06:28:51 UTC 2011
>Last-Modified:  Wed Jun 22 09:20:13 UTC 2011
>Originator:     Arthur Hartwig
>Release:        8.0
>Organization:
self
>Environment:
FreeBSD tux.example.org 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:48:17 UTC 2009     root@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386

>Description:
I first came across this on pfSense 2.0 BETA (based on FreeBSD 8.0) where I wanted to configure the rum device as a wireless access point. The system panicked very soon after clicking on the pfSense "Apply changes" button. Analysis showed this click resulted in at least four ifconfig commands relating to the interface, but a similar panic could be produced on FreeBSD 8.0 by two simplified commands.

The following back trace was taken from a panic of the pfSense debug kernel:
Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address  = 0xffff
fault code             = supervisor read, page not present
instruction pointer    = 0x20:0xc0a777ab
stack pointer          = 0x28:0xd50ddba4
frame pointer          = 0x28:0xd50ddbb0
code segment           = base 0x0, limit 0xfffff type 16
                         DPL 0, pres 1, def32 1, gram 1
processor eflags       = interrupt enabled, resume, IOPL=0
current process        = 0 (rum0 taskq)
[thread pid 0 tid 64096]
db> bt
Tracing pid 0 tid 64096 0xc3673d80
ieee80211_getcapinfo(c36f9000, ffff, c0a5c629, c36f987c, ...) at ieee80211_getcapinfo+0x56
ieee80211_beacon_construct(c3762000, 18, 691, d50ddc04, 5c9, ...) at ieee80211_beacon_construct+0x67
ieee80211_beacon_alloc(c3762000, c36f987c, 6, 2cb, c0e1940e, ...) at ieee80211_beacon_alloc+0xdb
rum_new_state(c36f9000, 5, ffffffff, 654, d50ddca8, ...) at rum_newstate+0x2b3

The backtrace for the panic in adhoc mode is a bit different from the backtrace in hostap mode, but both cases panic attempting to access 0xffff at ieee80211_getcapinfo+0x56.

The problem appears to be that ieee80211_getcapinfo() is called with the second parameter 0xffff (IEEE80211_CHAN_ANYC) rather than a valid pointer to a struct ieee80211_channel. 
>How-To-Repeat:
On FreeBSD 8.0 with a rum USB wireless NIC plugged in, the following two commands cause a system panic within a couple of seconds:

# ifconfig wlan create wlandev rum0 wlanmode adhoc bssid
# ifconfig wlan0 up ssid Bree

The following two commands cause a similar panic:

# ifconfig wlan create wlandev rum0 wlanmode hostap bssid
# ifconfig wlan0 up ssid Bree

The following two commands don't cause a panic within a couple of seconds:

# ifconfig wlan create wlandev rum0 bssid
# ifconfig wlan0 up ssid Bree


>Fix:


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-net 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Thu Mar 11 16:00:34 UTC 2010 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=144642 

From: Arthur Hartwig <a_hartwig@fastmail.fm>
To: bug-followup@FreeBSD.org, a_hartwig@fastmail.fm
Cc:  
Subject: Re: kern/144642: [rum] [panic] Enabling rum interface causes panic
Date: Mon, 23 Aug 2010 22:16:37 +1000

 The problem still exists in FreeBSD 8.1 Release.
 
 This patch stops my panic soon after setting the interface up:
 
 # diff -b -C 7 if_rum.c.orig if_rum.c
 *** if_rum.c.orig    Tue Aug 10 15:05:51 2010
 --- if_rum.c    Tue Aug 10 20:34:20 2010
 ***************
 *** 2109,2122 ****
 --- 2109,2127 ----
     rum_prepare_beacon(struct rum_softc *sc, struct ieee80211vap *vap)
     {
         struct ieee80211com *ic = vap->iv_ic;
         const struct ieee80211_txparam *tp;
         struct rum_tx_desc desc;
         struct mbuf *m0;
 
 +      /* Guard against default ni_chan */
 +      if (vap->iv_bss->ni_chan == IEEE80211_CHAN_ANYC) {
 +          return 0;
 +      }
 +
         m0 = ieee80211_beacon_alloc(vap->iv_bss,&RUM_VAP(vap)->bo);
         if (m0 == NULL) {
             return ENOBUFS;
         }
 
         tp =&vap->iv_txparms[ieee80211_chan2mode(ic->ic_bsschan)];
         rum_setup_tx_desc(sc,&desc, RT2573_TX_TIMESTAMP, RT2573_TX_HWSEQ,
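 Review bot: the new guard returns 0, which callers of rum_prepare_beacon() will read as success although the ieee80211_beacon_alloc() call on RUM_VAP(vap)->bo was skipped and no beacon exists; either return a distinct error, as the ENOBUFS path just below does, or document that 0 here means "nothing to do yet" so the caller can retry once the stack assigns a real channel. The comment "Guard against default ni_chan" would also be more useful if it said why ni_chan can still be IEEE80211_CHAN_ANYC when this function runs (the report shows it happening right after ifconfig up in adhoc and hostap modes).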
 #
 
 At the suggestion of Alex Kozlov I ran the shell script:
 for i in `jot - 1 200`; do sudo /etc/rc.d/netif start; done
 on my 2x800MHz PIII system and it did not panic. Alex ran it on some more recent systems and still saw panics. While I think FreeBSD should be "bullet proof" I believe this patch should still be accepted since it makes the system at least somewhat more robust.
 
 The code for the newer run driver makes the same kind of test as suggested by this patch before calling ieee80211_beacon_alloc().
 
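The description and the patch above turn on the same hazard: `ni_chan` can hold IEEE80211_CHAN_ANYC, a non-NULL sentinel (0xffff on the reporter's i386 box) that a plain NULL check lets straight through to ieee80211_getcapinfo(), which then dereferences it. The following C program is an added illustration of that pattern and is not FreeBSD or net80211 code; `struct chan`, `struct node`, `CHAN_ANYC`, `prepare_beacon()` and the `beacon_rc` return codes are hypothetical stand-ins for the driver's own types and functions, and the sample channel values are constructed.

```c
/*
 * Added example, not FreeBSD/net80211 code: a small model of the hazard in
 * kern/144642, where a node's channel pointer may hold a non-NULL sentinel
 * instead of the address of a real channel structure. All names below are
 * hypothetical stand-ins for the driver's own types and functions.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct chan {
    uint16_t freq;   /* MHz */
    uint16_t flags;  /* capability bits a beacon would advertise */
};

/* "No channel selected yet": a non-NULL pointer that must never be
 * dereferenced, in the spirit of IEEE80211_CHAN_ANYC. */
#define CHAN_ANYC ((struct chan *)(uintptr_t)0xffff)

struct node {
    struct chan *ni_chan;
};

enum beacon_rc {
    BEACON_OK = 0,        /* beacon prepared */
    BEACON_SKIPPED = 1    /* no usable channel yet; caller may retry later */
};

/* A NULL test alone lets the sentinel through; compare against it explicitly. */
static int chan_is_usable(const struct chan *c)
{
    return c != NULL && c != CHAN_ANYC;
}

/* Stand-in for ieee80211_getcapinfo(): reads from the channel structure.
 * Calling it with CHAN_ANYC is exactly the page fault in the report. */
static uint16_t getcapinfo(const struct chan *c)
{
    return c->flags;
}

/* Guarded beacon preparation. The enum result lets the caller tell
 * "skipped because unconfigured" from "done". */
static enum beacon_rc prepare_beacon(const struct node *ni, uint16_t *capinfo)
{
    if (!chan_is_usable(ni->ni_chan))
        return BEACON_SKIPPED;
    *capinfo = getcapinfo(ni->ni_chan);
    return BEACON_OK;
}

/* Constructed sample channel: 2412 MHz with some capability bits set. */
static struct chan sample_chan = { 2412, 0x0021 };

/* Node brought up before the stack assigned a channel, as in the report. */
enum beacon_rc demo_unconfigured(void)
{
    struct node ni = { CHAN_ANYC };
    uint16_t cap = 0;
    return prepare_beacon(&ni, &cap);
}

/* Same node after a real channel was assigned: result code only. */
enum beacon_rc demo_configured(void)
{
    struct node ni = { &sample_chan };
    uint16_t cap = 0;
    return prepare_beacon(&ni, &cap);
}

/* Same scenario, returning the capability info the beacon would carry. */
uint16_t demo_configured_capinfo(void)
{
    struct node ni = { &sample_chan };
    uint16_t cap = 0;
    (void)prepare_beacon(&ni, &cap);
    return cap;
}

/* Shows why a NULL check is not enough: the sentinel passes it. */
int null_check_accepts_sentinel(void)
{
    return CHAN_ANYC != NULL;
}

int main(void)
{
    printf("unconfigured node: rc=%d\n", demo_unconfigured());
    printf("configured node:   rc=%d capinfo=0x%04x\n",
        demo_configured(), demo_configured_capinfo());
    printf("NULL check alone accepts sentinel: %d\n",
        null_check_accepts_sentinel());
    return 0;
}
```

The enum return is a design choice for the model rather than something the page prescribes: it lets a caller distinguish a deliberately skipped beacon from a built one, which neither a bare `return 0` nor a `void` return can convey.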
State-Changed-From-To: open->closed 
State-Changed-By: kevlo 
State-Changed-When: Fri Apr 29 06:28:36 UTC 2011 
State-Changed-Why:  
Committed, thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=144642 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/144642: commit references a PR
Date: Fri, 29 Apr 2011 06:28:45 +0000 (UTC)

 Author: kevlo
 Date: Fri Apr 29 06:28:29 2011
 New Revision: 221199
 URL: http://svn.freebsd.org/changeset/base/221199
 
 Log:
   Guard against default ni_chan
   
   PR: kern/144642
   Submitted by: Arthur Hartwig <a_hartwig at fastmaildot fm>
 
 Modified:
   head/sys/dev/usb/wlan/if_rum.c
 
 Modified: head/sys/dev/usb/wlan/if_rum.c
 ==============================================================================
 --- head/sys/dev/usb/wlan/if_rum.c	Fri Apr 29 06:25:11 2011	(r221198)
 +++ head/sys/dev/usb/wlan/if_rum.c	Fri Apr 29 06:28:29 2011	(r221199)
 @@ -208,7 +208,7 @@ static void		rum_init(void *);
  static void		rum_stop(struct rum_softc *);
  static void		rum_load_microcode(struct rum_softc *, const uint8_t *,
  			    size_t);
 -static int		rum_prepare_beacon(struct rum_softc *,
 +static void		rum_prepare_beacon(struct rum_softc *,
  			    struct ieee80211vap *);
  static int		rum_raw_xmit(struct ieee80211_node *, struct mbuf *,
  			    const struct ieee80211_bpf_params *);
 @@ -2119,7 +2119,7 @@ rum_load_microcode(struct rum_softc *sc,
  	rum_pause(sc, hz / 8);
  }
  
 -static int
 +static void
  rum_prepare_beacon(struct rum_softc *sc, struct ieee80211vap *vap)
  {
  	struct ieee80211com *ic = vap->iv_ic;
 @@ -2127,9 +2127,12 @@ rum_prepare_beacon(struct rum_softc *sc,
  	struct rum_tx_desc desc;
  	struct mbuf *m0;
  
 +	if (vap->iv_bss->ni_chan == IEEE80211_CHAN_ANYC)
 +		return;
 +
  	m0 = ieee80211_beacon_alloc(vap->iv_bss, &RUM_VAP(vap)->bo);
  	if (m0 == NULL) {
 -		return ENOBUFS;
 +		return;
  	}
  
  	tp = &vap->iv_txparms[ieee80211_chan2mode(ic->ic_bsschan)];
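 Review bot: with the return type now void, the new IEEE80211_CHAN_ANYC guard and the existing ENOBUFS path both return silently, so a caller can no longer tell that no beacon was prepared; if any caller still inspects the old int result that check should go in the same change, and a one-line comment saying why ni_chan is legitimately still ANYC at this point would help the next reader. The guard also tests vap->iv_bss->ni_chan while the txparms lookup a few lines down uses ic->ic_bsschan; it is worth confirming that ic_bsschan cannot itself be IEEE80211_CHAN_ANYC whenever ni_chan is valid, since the guard does not cover that field.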
 @@ -2144,8 +2147,6 @@ rum_prepare_beacon(struct rum_softc *sc,
  	    m0->m_pkthdr.len);
  
  	m_freem(m0);
 -
 -	return 0;
  }
  
  static int
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/144642: commit references a PR
Date: Wed, 22 Jun 2011 09:16:42 +0000 (UTC)

 Author: kevlo
 Date: Wed Jun 22 09:16:32 2011
 New Revision: 223420
 URL: http://svn.freebsd.org/changeset/base/223420
 
 Log:
   MFC r221199:
   Guard against default ni_chan
   
   PR:	kern/144642
   Submitted by:	Arthur Hartwig <a_hartwig at fastmaildot fm>
 
 Modified:
   stable/8/sys/dev/usb/wlan/if_rum.c
 
 Modified: stable/8/sys/dev/usb/wlan/if_rum.c
 ==============================================================================
 --- stable/8/sys/dev/usb/wlan/if_rum.c	Wed Jun 22 08:55:00 2011	(r223419)
 +++ stable/8/sys/dev/usb/wlan/if_rum.c	Wed Jun 22 09:16:32 2011	(r223420)
 @@ -207,7 +207,7 @@ static void		rum_init(void *);
  static void		rum_stop(struct rum_softc *);
  static void		rum_load_microcode(struct rum_softc *, const uint8_t *,
  			    size_t);
 -static int		rum_prepare_beacon(struct rum_softc *,
 +static void		rum_prepare_beacon(struct rum_softc *,
  			    struct ieee80211vap *);
  static int		rum_raw_xmit(struct ieee80211_node *, struct mbuf *,
  			    const struct ieee80211_bpf_params *);
 @@ -2118,7 +2118,7 @@ rum_load_microcode(struct rum_softc *sc,
  	rum_pause(sc, hz / 8);
  }
  
 -static int
 +static void
  rum_prepare_beacon(struct rum_softc *sc, struct ieee80211vap *vap)
  {
  	struct ieee80211com *ic = vap->iv_ic;
 @@ -2126,9 +2126,12 @@ rum_prepare_beacon(struct rum_softc *sc,
  	struct rum_tx_desc desc;
  	struct mbuf *m0;
  
 +	if (vap->iv_bss->ni_chan == IEEE80211_CHAN_ANYC)
 +		return;
 +
  	m0 = ieee80211_beacon_alloc(vap->iv_bss, &RUM_VAP(vap)->bo);
  	if (m0 == NULL) {
 -		return ENOBUFS;
 +		return;
  	}
  
  	tp = &vap->iv_txparms[ieee80211_chan2mode(ic->ic_bsschan)];
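 Review bot: the same silent-return caveat as in r221199 applies here unchanged, since this hunk is a line-for-line merge (only the hunk offsets differ): both the ANYC skip and the ENOBUFS failure are now invisible to callers of rum_prepare_beacon(), and the ic->ic_bsschan lookup below remains outside the guard.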
 @@ -2143,8 +2146,6 @@ rum_prepare_beacon(struct rum_softc *sc,
  	    m0->m_pkthdr.len);
  
  	m_freem(m0);
 -
 -	return 0;
  }
  
  static int
 
>Unformatted:
