From: VANHULLEBUS Yvan <vanhu@easyconnect.fr>
To: freebsd-net@freebsd.org
Date: Mon, 25 Jul 2005 14:16:07 +0200
Message-ID: <20050725121607.GA24309@zen.inc>
Subject: [FreeBSD 6.0] kernel crash with 802.11g
List-Id: Networking and TCP/IP with FreeBSD

Hi.

I just set up an AP under FreeBSD 6 (sources updated yesterday from cvsup), using a PCI wireless card with a RALink chip. When I start it, the WIFI mode is set to 802.11b, and everything works... but in 802.11b. As soon as I do an "ifconfig ral0 mode 11g", I have a kernel crash.
Here is the backtrace of the vmcore:

#0  doadump () at pcpu.h:165
#1  0xc056a988 in boot (howto=260) at ../../../kern/kern_shutdown.c:397
#2  0xc056ac33 in panic (fmt=0xc0748e8b "bogus long slot station count %d") at ../../../kern/kern_shutdown.c:553
#3  0xc05f11b7 in ieee80211_node_leave_11g (ic=0xc1367004, ni=0xc1382c00) at ../../../net80211/ieee80211_node.c:1705
#4  0xc05f13fb in ieee80211_node_leave (ic=0xc1367004, ni=0xc1382c00) at ../../../net80211/ieee80211_node.c:1789
#5  0xc05f46d0 in sta_disassoc (arg=0xc1367004, ni=0xc1382c00) at ../../../net80211/ieee80211_proto.c:829
#6  0xc05f0cd4 in ieee80211_iterate_nodes (nt=0xc13677b0, f=0xc05f46a8, arg=0xc1367004) at ../../../net80211/ieee80211_node.c:1539
#7  0xc05f47c8 in ieee80211_newstate (ic=0xc1367004, nstate=IEEE80211_S_INIT, arg=-1) at ../../../net80211/ieee80211_proto.c:868
#8  0xc04f0c83 in ral_newstate (ic=0xc1367004, nstate=IEEE80211_S_INIT, arg=-1) at ../../../dev/ral/if_ral.c:1039
#9  0xc04f3c21 in ral_stop (priv=0xc1367000) at ../../../dev/ral/if_ral.c:2781
#10 0xc04f38ce in ral_init (priv=0xc1367000) at ../../../dev/ral/if_ral.c:2694
#11 0xc04f09af in ral_media_change (ifp=0xc1310800) at ../../../dev/ral/if_ral.c:919
#12 0xc05d1733 in ifmedia_ioctl (ifp=0xc1310800, ifr=0x0, ifm=0xc13678ac, cmd=0) at ../../../net/if_media.c:258
#13 0xc05ee8d9 in ieee80211_ioctl (ic=0xc1367004, cmd=3223349559, data=0xc19c04a0 "ral0") at ../../../net80211/ieee80211_ioctl.c:2351
#14 0xc04f2b40 in ral_ioctl (ifp=0xc1310800, cmd=3223349559, data=0xc19c04a0 "ral0") at ../../../dev/ral/if_ral.c:2190
#15 0xc05ccf6c in ifhwioctl (cmd=3223349559, ifp=0xc1310800, data=0xc19c04a0 "ral0", td=0x0) at ../../../net/if.c:1458
#16 0xc05cd127 in ifioctl (so=0xc148a858, cmd=3223349559, data=0xc19c04a0 "ral0", td=0xc1524a80) at ../../../net/if.c:1530
#17 0xc0591007 in soo_ioctl (fp=0x0, cmd=3223349559, data=0xc19c04a0, active_cred=0xc173e300, td=0xc1524a80) at ../../../kern/sys_socket.c:214
#18 0xc058b8bc in ioctl (td=0xc1524a80, uap=0xca529d04) at file.h:258
#19 0xc06f2e8f in syscall (frame= {tf_fs = 59, tf_es = 59, tf_ds = 59, tf_edi = 134572160, tf_esi = 134581088, tf_ebp = -1077943064, tf_isp = -900555420, tf_ebx = 134594560, tf_edx = 0, tf_ecx = 134572160, tf_eax = 54, tf_trapno = 12, tf_err = 2, tf_eip = 671900295, tf_cs = 51, tf_eflags = 582, tf_esp = -1077943092, tf_ss = 59}) at ../../../i386/i386/trap.c:985
#20 0xc06e234f in Xint0x80_syscall () at ../../../i386/i386/exception.s:198
#21 0x0000003b in ?? ()
[Lots of other]
#49 0xc057ad4b in sched_switch (td=0x8058b60, newtd=0x805c000, flags=Cannot access memory at address 0xbfbfe4f8 ) at ../../../kern/sched_4bsd.c:973
Previous frame inner to this frame (corrupt stack?)

Looking at the sources, I can see that it reaches a KASSERT after checking (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME) == 0 (and according to kgdb, this flag is not set).

Is this a known bug? I don't know the 802.11 framework, so I don't know what IEEE80211_CAPINFO_SHORT_SLOTTIME is. I'll try to have a deeper look at this part of the kernel, and I can also make some tests if some people need information to fix the problem.

Yvan.
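As an added illustration of the invariant behind the "bogus long slot station count" assertion in the backtrace (this is a constructed model, not FreeBSD's net80211 code, and the join-in-11b / leave-in-11g sequence it replays is a hypothesis about the report, not something the post establishes): the AP keeps a count of associated stations that lack the short-slot capability, the count is only maintained while the AP is in 11g mode, and leaving decrements it, so a station that joined under 11b and is disassociated after the mode change underflows the count. The struct names, the capability bit value and the function names are assumptions of this model.

```c
#include <stdint.h>

/* Constructed model of the long-slot station accounting; values and
 * names are assumptions, not taken from the kernel sources. */
#define CAPINFO_SHORT_SLOTTIME 0x0400   /* assumed bit position for the model */
enum mode { MODE_11B, MODE_11G };

struct ic   { enum mode curmode; int longslotsta; };
struct node { uint16_t capinfo; };

/* Station joins: only in 11g mode are stations without short-slot
 * capability counted (the AP needs the count to pick the slot time). */
static void node_join(struct ic *ic, const struct node *ni) {
    if (ic->curmode == MODE_11G && !(ni->capinfo & CAPINFO_SHORT_SLOTTIME))
        ic->longslotsta++;
}

/* Station leaves: returns 0 on success, -1 when the decrement would
 * underflow, which is the condition the kernel KASSERT turns into a panic. */
static int node_leave(struct ic *ic, const struct node *ni) {
    if (ic->curmode == MODE_11G && !(ni->capinfo & CAPINFO_SHORT_SLOTTIME)) {
        if (ic->longslotsta <= 0)
            return -1;          /* "bogus long slot station count" */
        ic->longslotsta--;
    }
    return 0;
}

/* Hypothesised sequence from the report: a long-slot station associates
 * while the AP runs 11b, the operator switches to 11g, and the mode change
 * disassociates every node through node_leave under the new mode.
 * Returns -1 when the invariant breaks. */
int replay_mode_change(void) {
    struct ic ic = { MODE_11B, 0 };
    struct node sta = { 0 };           /* SHORT_SLOTTIME bit not set */
    node_join(&ic, &sta);              /* not counted: mode is still 11b */
    ic.curmode = MODE_11G;             /* "ifconfig ral0 mode 11g" */
    return node_leave(&ic, &sta);      /* count is 0, so this reports -1 */
}

/* Control case: the same station joining and leaving while the AP is
 * already in 11g keeps the count balanced at zero. */
int replay_steady_11g(void) {
    struct ic ic = { MODE_11G, 0 };
    struct node sta = { 0 };
    node_join(&ic, &sta);
    return (node_leave(&ic, &sta) == 0 && ic.longslotsta == 0) ? 0 : -1;
}
```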