From nobody@FreeBSD.org  Fri Nov 25 15:35:35 2005
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 1839A16A41F
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 25 Nov 2005 15:35:35 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 9922B43D72
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 25 Nov 2005 15:35:26 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id jAPFZLv4037437
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 25 Nov 2005 15:35:21 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id jAPFZLPv037436;
	Fri, 25 Nov 2005 15:35:21 GMT
	(envelope-from nobody)
Message-Id: <200511251535.jAPFZLPv037436@www.freebsd.org>
Date: Fri, 25 Nov 2005 15:35:21 GMT
From: Stuart Weaver <sweaver@sweaver.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ifconfig causes page fault
X-Send-Pr-Version: www-2.3

>Number:         89534
>Category:       kern
>Synopsis:       ifconfig after module unload causes page fault
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    sam
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Nov 25 15:40:08 GMT 2005
>Closed-Date:    Sun Mar 19 04:03:12 GMT 2006
>Last-Modified:  Sun Mar 19 04:03:12 GMT 2006
>Originator:     Stuart Weaver
>Release:        FreeBSD 6.0-RELEASE i386
>Organization:
N/A
>Environment:
FreeBSD zyon.sweaver.net 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Thu Nov 3 09:36:13 UTC 2005 root@x64.samsco.home:/usr/obj/usr/src/sys/GENERIC i386
>Description:
The machine the problem occurs on is running a wireless access point
with a bridge between the wi0 and vr0 devices.  When I disable the AP and
then run ifconfig immediately afterwards the machine crashes.

I manually copied the following from the console; there may be errors:

Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0xc1d6e024
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc06bc581
stack pointer           = 0x28:0xdd6cd6d4
frame pointer           = 0x28:0xdd6cd724
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 857 (ifconfig)
trap number             = 12
panic: page fault
Uptime: 13m8s
Dumping 459 MB (2 chunks)
  chunk 0: 1MB (159 pages) ... ok
  chunk 1: 479MB (122608 pages) 463 447 431 415 399 383 367 335 319 303 287 271
255 239 207 191 175 159 143 127 111 95 79 63 47 31 15 ... ok
 
Dump complete

>How-To-Repeat:
I use the following steps to repeat the problem.
Bring up wi0 in hostAP mode:

kldload bridge
kldload wlan_wep
sysctl net.link.ether.bridge.enable=1
sysctl net.link.ether.bridge_cfg="wi0 vr0"
sysctl net.inet.ip.forwarding=1
ifconfig wi0 inet SOMEIPADDR netmask 255.255.255.255 ssid SOMESID \
   media DS/11Mbps mode 11b mediaopt hostap stationname SOMENAME \
   channel 11 wepmode on wepkey 1:0xSOMEKEY \
   wepkey 2:0xANOTHERKEY wepkey 3:0xANDANOTHER \
   wepkey 4:0xANDONEMORE weptxkey 1 up


Now bring wi0 down, unload modules and disable forwarding:
  ifconfig wi0 down
  kldunload bridge
  kldunload wlan_wep
  sysctl net.inet.ip.forwarding=0

Running ifconfig immediately afterwards seems to cause the problem:
  ifconfig
>Fix:
              
>Release-Note:
>Audit-Trail:

From: Kris Kennaway <kris@obsecurity.org>
To: Stuart Weaver <sweaver@sweaver.net>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: misc/89534: ifconfig causes page fault
Date: Sun, 27 Nov 2005 01:51:36 -0500

 Please obtain a debugging backtrace as described in the developers
 handbook chapter on kernel debugging.
 
 Kris
 

From: Stuart Weaver <sweaver@sweaver.net>
To: Kris Kennaway <kris@obsecurity.org>
Cc: freebsd-gnats-submit@FreeBSD.org,  bug-followup@FreeBSD.org
Subject: Re: misc/89534: ifconfig causes page fault
Date: Mon, 28 Nov 2005 13:38:49 -0500

 Here you go.
 
 [sweaver@zyon GENERIC]$ sudo kgdb kernel.debug /var/crash/vmcore.3
 [GDB will not be able to debug user-mode threads: 
 /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
 GNU gdb 6.1.1 [FreeBSD]
 Copyright 2004 Free Software Foundation, Inc.
 GDB is free software, covered by the GNU General Public License, and you are
 welcome to change it and/or distribute copies of it under certain 
 conditions.
 Type "show copying" to see the conditions.
 There is absolutely no warranty for GDB.  Type "show warranty" for details.
 This GDB was configured as "i386-marcel-freebsd".
 
 Unread portion of the kernel message buffer:
 
 
 Fatal trap 12: page fault while in kernel mode
 fault virtual address   = 0xc1d6e024
 fault code              = supervisor read, page not present
 instruction pointer     = 0x20:0xc06bc581
 stack pointer           = 0x28:0xdd6cd6d4
 frame pointer           = 0x28:0xdd6cd724
 code segment            = base 0x0, limit 0xfffff, type 0x1b
                          = DPL 0, pres 1, def32 1, gran 1
 processor eflags        = interrupt enabled, resume, IOPL = 0
 current process         = 857 (ifconfig)
 trap number             = 12
 panic: page fault
 Uptime: 13m8s
 Dumping 479 MB (2 chunks)
    chunk 0: 1MB (159 pages) ... ok
    chunk 1: 479MB (122608 pages) 463 447 431 415 399 383 367 351 335 319 
 303 287 271 255 239 223 207 191 175 159 143 127 111 95 79 63 47 31 15
 
 #0  doadump () at pcpu.h:165
 165             __asm __volatile("movl %%fs:0,%0" : "=r" (td));
 (kgdb) list *0xc06bc581
 0xc06bc581 is in ieee80211_ioctl_getkey 
 (/usr/src/sys/net80211/ieee80211_ioctl.c:857).
 852                     wk = &ic->ic_nw_keys[kid];
 853                     IEEE80211_ADDR_COPY(&ik.ik_macaddr, 
 ic->ic_bss->ni_macaddr);
 854                     ni = NULL;
 855             }
 856             cip = wk->wk_cipher;
 857             ik.ik_type = cip->ic_cipher;
 858             ik.ik_keylen = wk->wk_keylen;
 859             ik.ik_flags = wk->wk_flags & (IEEE80211_KEY_XMIT | 
 IEEE80211_KEY_RECV);
 860             if (wk->wk_keyix == ic->ic_def_txkey)
 861                     ik.ik_flags |= IEEE80211_KEY_DEFAULT;
 (kgdb) backtrace
 #0  doadump () at pcpu.h:165
 #1  0xc0638202 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:399
 #2  0xc0638498 in panic (fmt=0xc084e5a2 "%s")
      at /usr/src/sys/kern/kern_shutdown.c:555
 #3  0xc0807c30 in trap_fatal (frame=0xdd6cd694, eva=3252084772)
      at /usr/src/sys/i386/i386/trap.c:831
 #4  0xc080799b in trap_pfault (frame=0xdd6cd694, usermode=0, eva=3252084772)
      at /usr/src/sys/i386/i386/trap.c:742
 #5  0xc08075d9 in trap (frame=
        {tf_fs = 8, tf_es = 40, tf_ds = 40, tf_edi = 0, tf_esi = 
 -1046446076, tf_ebp = -580069596, tf_isp = -580069696, tf_ebx = 
 -1046443464, tf_edx = 22, tf_ecx = 0, tf_eax = -1042882528, tf_trapno = 
 12, tf_err = 0, tf_eip = -1066678911, tf_cs = 32, tf_eflags = 66198, 
 tf_esp = -1042882528, tf_ss = 0})
      at /usr/src/sys/i386/i386/trap.c:432
 #6  0xc07f6dca in calltrap () at /usr/src/sys/i386/i386/exception.s:139
 #7  0xc06bc581 in ieee80211_ioctl_getkey (ic=0xc1a08004, ireq=0xc1be5740)
      at /usr/src/sys/net80211/ieee80211_ioctl.c:856
 #8  0xc06bd37e in ieee80211_ioctl_get80211 (ic=0x0, cmd=3223087595,
      ireq=0xc1be5740) at /usr/src/sys/net80211/ieee80211_ioctl.c:1434
 #9  0xc06bed2e in ieee80211_ioctl (ic=0xc1a08004, cmd=3223087595,
      data=0xc1be5740 "wi0") at /usr/src/sys/net80211/ieee80211_ioctl.c:2407
 #10 0xc05e2999 in wi_ioctl (ifp=0xc1a04000, cmd=3223087595,
      data=0xc1be5740 "wi0") at /usr/src/sys/dev/wi/if_wi.c:1233
 #11 0xc06c912e in in_control (so=0xc1e39858, cmd=3223087595,
      data=0xc1be5740 "wi0", ifp=0xc1a04000, td=0xc1cd5000)
      at /usr/src/sys/netinet/in.c:470
 #12 0xc06a23bc in ifioctl (so=0xc1e39858, cmd=3223087595,
      data=0xc1be5740 "wi0", td=0xc1cd5000) at /usr/src/sys/net/if.c:1561
 #13 0xc065fb73 in soo_ioctl (fp=0xc1d6e020, cmd=3223087595, 
 data=0xc1be5740,
      active_cred=0xc1f97180, td=0xc1cd5000)
      at /usr/src/sys/kern/sys_socket.c:214
 #14 0xc0659d11 in ioctl (td=0xc1cd5000, uap=0xdd6cdd04) at file.h:258
 #15 0xc0807f47 in syscall (frame=
        {tf_fs = 59, tf_es = 59, tf_ds = 59, tf_edi = -1077943988, tf_esi 
 = 2, tf_ebp = -1077943816, tf_isp = -580067996, tf_ebx = -1077944032, 
 tf_edx = -1077944048, tf_ecx = -1077943920, tf_eax = 54, tf_trapno = 12, 
 tf_err = 2, tf_eip = 671900563, tf_cs = 51, tf_eflags = 582, tf_esp = 
 -1077944100, tf_ss = 59})
      at /usr/src/sys/i386/i386/trap.c:976
 #16 0xc07f6e1f in Xint0x80_syscall () at 
 /usr/src/sys/i386/i386/exception.s:200
 #17 0x00000033 in ?? ()
 Previous frame inner to this frame (corrupt stack?)
 (kgdb) q
 
 
Responsible-Changed-From-To: freebsd-bugs->sam 
Responsible-Changed-By: glebius 
Responsible-Changed-When: Mon Dec 12 10:07:05 UTC 2005 
Responsible-Changed-Why:  
To maintainer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=89534 
State-Changed-From-To: open->feedback 
State-Changed-By: sam 
State-Changed-When: Thu Dec 22 19:52:10 UTC 2005 
State-Changed-Why:  
fix committed to RELENG_6 

http://www.freebsd.org/cgi/query-pr.cgi?pr=89534 
State-Changed-From-To: feedback->closed 
State-Changed-By: sam 
State-Changed-When: Sun Mar 19 04:02:12 UTC 2006 
State-Changed-Why:  
no response from submitter 

http://www.freebsd.org/cgi/query-pr.cgi?pr=89534 
>Unformatted:

rev 1.7.2.1 of net80211/ieee80211_crypto_wep.c should fix this problem;
will close once I receive confirmation
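The backtrace above faults at `cip = wk->wk_cipher; ik.ik_type = cip->ic_cipher;` right after `kldunload wlan_wep`, and the maintainer's note points at a fix in net80211/ieee80211_crypto_wep.c. A plausible reading, assumed here rather than stated on the page, is that a key in the interface's key table still cached a pointer to the WEP cipher's ops table after the module that owned that memory was unloaded, so the next getkey ioctl dereferenced unmapped memory. The following is an added C model of that pattern and of one way to close it; it is not FreeBSD code, and the committed fix (rev 1.7.2.1) is not on this page, so the hardening shown (detaching every key from a cipher before its module's memory goes away) illustrates the defensive pattern, not the actual commit. All structure and function names are hypothetical and only echo the identifiers in the trace. Module memory is poisoned rather than unmapped so the stale read returns garbage here instead of panicking.

```c
/* Added example, not FreeBSD code: a toy model of the stale wk_cipher pointer
 * the backtrace points at.  Names echo the net80211 identifiers in the trace
 * (wk_cipher, ic_cipher) but every structure and function here is hypothetical. */
#include <stdio.h>
#include <string.h>

#define MAX_KEYS 4
#define POISON   0xFF      /* stand-in for the module's pages being unmapped */

struct cipher_ops { int ic_cipher; };          /* cipher id reported to userland */

struct key {
    const struct cipher_ops *wk_cipher;        /* cached pointer into a module */
    int wk_keylen;
};

/* Built into the core and never unloaded: the safe fallback for any key. */
static const struct cipher_ops cipher_none = { 0 };

struct registry { struct key keys[MAX_KEYS]; };

/* Memory a loadable module owns; poisoned here on unload, unmapped in a kernel. */
struct module { struct cipher_ops text; };

static void registry_init(struct registry *r)
{
    for (int i = 0; i < MAX_KEYS; i++) {
        r->keys[i].wk_cipher = &cipher_none;
        r->keys[i].wk_keylen = 0;
    }
}

/* "kldload wlan_wep": the cipher ops come to life inside module memory. */
static const struct cipher_ops *module_load(struct module *m, int id)
{
    m->text.ic_cipher = id;
    return &m->text;
}

/* "ifconfig ... wepkey": bind a key slot to the cipher that protects it. */
static void key_set(struct registry *r, int kid, const struct cipher_ops *cip, int len)
{
    r->keys[kid].wk_cipher = cip;
    r->keys[kid].wk_keylen = len;
}

/* Buggy "kldunload": free the module while keys still point into it. */
static void module_unload_unsafe(struct module *m)
{
    memset(&m->text, POISON, sizeof m->text);
}

/* Hardened "kldunload": first detach every key that references this module's
 * cipher, pointing it at the built-in NONE cipher, then free the memory. */
static void module_unload_safe(struct module *m, struct registry *r)
{
    for (int i = 0; i < MAX_KEYS; i++)
        if (r->keys[i].wk_cipher == &m->text)
            key_set(r, i, &cipher_none, 0);
    memset(&m->text, POISON, sizeof m->text);
}

/* Mirrors the crash site (ieee80211_ioctl.c:856-857 in the trace):
 *     cip = wk->wk_cipher;  ik.ik_type = cip->ic_cipher; */
static int getkey_type(const struct registry *r, int kid)
{
    const struct cipher_ops *cip = r->keys[kid].wk_cipher;
    return cip->ic_cipher;
}

/* Load WEP (constructed id 1), install key 1, unload, then run getkey on key 1.
 * Returns -1 (poison) after an unsafe unload and 0 (NONE) after a safe one. */
static int run_scenario(int hardened)
{
    struct registry r;
    struct module wep;
    registry_init(&r);
    key_set(&r, 1, module_load(&wep, 1), 5);
    if (hardened)
        module_unload_safe(&wep, &r);
    else
        module_unload_unsafe(&wep);
    return getkey_type(&r, 1);
}

int main(void)
{
    printf("unsafe unload: getkey type = %d (stale read of freed module memory)\n",
           run_scenario(0));
    printf("safe unload:   getkey type = %d (key reset to NONE)\n", run_scenario(1));
    return 0;
}
```

The point of the model is the ownership inversion: the key table outlives the module whose ops it references, so whoever tears the module down must walk every holder of that pointer first. Refusing to unload while any key still references the cipher (a reference count) is the other common remedy; either way, the invariant to check on unload is "no live object points into memory about to disappear".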
