Subject: kern/29326: atu(4) panics on repeated ifconfig up / down
To: kern-bug-people@netbsd.org, gnats-admin@netbsd.org
From: Andreas Gustafsson <gson@gson.org>
List: netbsd-bugs
Date: 02/10/2005 13:32:00
>Number:         29326
>Category:       kern
>Synopsis:       atu(4) panics on repeated ifconfig up/down
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Feb 10 13:32:00 +0000 2005
>Originator:     Andreas Gustafsson
>Release:        NetBSD-current as of Feb 7, 2005
>Organization:
>Environment:
System: NetBSD guitar.araneus.fi 2.99.15 NetBSD 2.99.15 (GUITAR_KGDB_NOOPT) #0: Thu Feb 10 13:31:47 EET 2005 gson@guava.araneus.fi:/usr/src/sys/arch/i386/compile/GUITAR_KGDB_NOOPT i386
Architecture: i386
Machine: i386
>Description:

Repeatedly configuring an atu(4) device up and down crashes NetBSD.

>How-To-Repeat:

Connect a USB 802.11b adapter supported by the atu(4) driver.
I used a TRENDnet TEW-229UB.  Place it in the proximity of an
802.11b access point with no encryption configured.

Enter the commands

  ifconfig atu0 up
  ifconfig atu0 down
  ifconfig atu0 up
  ifconfig atu0 down

If necessary, repeat a few times.  See the kernel panic.

Here's a backtrace:

  Program received signal SIGSEGV, Segmentation fault.
  0xc043d86d in m_copydata (m=0xc12ad600, off=0, len=30, vp=0x8) at ../../../../kern/uipc_mbuf.c:690
  690                     memcpy(cp, mtod(m, caddr_t) + off, count);
  (gdb) t
  [Current thread is 0 (Thread 42000)]
  (gdb) where
  #0  0xc043d86d in m_copydata (m=0xc12ad600, off=0, len=30, vp=0x8) at ../../../../kern/uipc_mbuf.c:690
  #1  0xc06de11b in atu_tx_start (sc=0xc128f000, ni=0xc146f800, c=0xc128ff4c, m=0xc12ad600) at ../../../../dev/usb/if_atu.c:1727
  #2  0xc06de572 in atu_start (ifp=0xc128f038) at ../../../../dev/usb/if_atu.c:1855
  #3  0xc04b7391 in ieee80211_mgmt_output (ifp=0xc128f038, ni=0xc146f800, m=0xc12ad600, type=176) at ../../../../net80211/ieee80211_output.c:180
  #4  0xc04b8a0c in ieee80211_send_mgmt (ic=0xc128f038, ni=0xc146f800, type=176, arg=1) at ../../../../net80211/ieee80211_output.c:807
  #5  0xc04b9946 in ieee80211_newstate (ic=0xc128f038, nstate=IEEE80211_S_AUTH, mgt=-1) at ../../../../net80211/ieee80211_proto.c:471
  #6  0xc06dcd04 in atu_newstate (ic=0xc128f038, nstate=IEEE80211_S_AUTH, arg=-1) at ../../../../dev/usb/if_atu.c:1131
  #7  0xc04b5b6c in ieee80211_end_scan (ic=0xc128f038) at ../../../../net80211/ieee80211_node.c:444
  #8  0xc06dcb87 in atu_task (arg=0xc128f000) at ../../../../dev/usb/if_atu.c:1083
  #9  0xc069d8ee in usb_task_thread (arg=0xcad2b108) at ../../../../dev/usb/usb.c:366
  #10 0xc0100331 in proc_trampoline ()

  (gdb) print cp
  $1 = 0x8 <Address 0x8 out of bounds>
  (gdb) up
  #1  0xc06de11b in atu_tx_start (sc=0xc128f000, ni=0xc146f800, c=0xc128ff4c, m=0xc14a7f00) at ../../../../dev/usb/if_atu.c:1727
  1727            m_copydata(m, 0, m->m_pkthdr.len, c->atu_buf + ATU_TX_HDRLEN);
  (gdb) print c->atu_buf
  $2 = 0x0
  (gdb) print *c
  $3 = {atu_sc = 0xc128f000, atu_xfer = 0x0, atu_buf = 0x0, atu_mbuf = 0x0, atu_idx = 7 '\a', atu_length = 114, atu_in_xfer = 1, atu_list = { sle_next = 0xc128ff30}}

>Fix:

Unknown.
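The gdb session above shows the faulting address: atu_buf is 0x0 and the copy targets atu_buf + ATU_TX_HDRLEN, which is the vp=0x8 in frame #0. The following C program is an added, constructed model of that failure mode, not code from this PR or from if_atu.c. Names such as struct chain, dev_up, dev_down, tx_start and deferred_task, and the sizes TX_HDRLEN and TX_BUFLEN, are assumptions made for the example. It shows a transmit slot whose buffer is freed on "down" while a deferred task can still be dispatched, computes the same offset-from-NULL address as an integer, and contrasts it with a transmit path that checks the running state and the buffer before copying.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the failure mode in the report, not code from
 * if_atu.c. All names and sizes here are assumptions for the example. */
#define TX_HDRLEN 8      /* header reserved in front of the frame, like ATU_TX_HDRLEN */
#define TX_BUFLEN 256

struct chain {
    unsigned char *buf;  /* allocated on up, freed and set to NULL on down */
    size_t length;       /* bytes queued in buf */
};

struct softc {
    struct chain tx;
    int running;         /* 1 between up and down */
};

/* ifconfig up: allocate the transmit buffer and mark the device running. */
int dev_up(struct softc *sc)
{
    sc->tx.buf = calloc(1, TX_BUFLEN);
    if (sc->tx.buf == NULL)
        return -1;
    sc->tx.length = 0;
    sc->running = 1;
    return 0;
}

/* ifconfig down: free the buffer. The chain slot itself survives, so a
 * later caller sees buf == NULL, as "print c->atu_buf" showed. */
void dev_down(struct softc *sc)
{
    sc->running = 0;
    free(sc->tx.buf);
    sc->tx.buf = NULL;
    sc->tx.length = 0;
}

/* The unguarded destination: buf + TX_HDRLEN. With buf == NULL this is the
 * 0x8 seen as vp in the backtrace. Computed as an integer so the example
 * itself never forms or dereferences an invalid pointer. */
uintptr_t tx_dest_unguarded(const struct chain *c)
{
    return (uintptr_t)c->buf + TX_HDRLEN;
}

/* Guarded transmit: refuse to touch the chain unless the interface is
 * running and the buffer is present. Returns bytes copied, or -1 (dropped). */
int tx_start(struct softc *sc, const unsigned char *pkt, size_t len)
{
    struct chain *c = &sc->tx;

    if (!sc->running || c->buf == NULL)
        return -1;                          /* interface went down: drop, do not fault */
    if (len > TX_BUFLEN - TX_HDRLEN)
        return -1;                          /* frame does not fit behind the header */
    memcpy(c->buf + TX_HDRLEN, pkt, len);   /* same shape as the m_copydata() call */
    c->length = TX_HDRLEN + len;
    return (int)len;
}

/* Work handed to a task thread (the usb_task_thread frame): it may run
 * only after dev_down() has already freed the buffer. */
int deferred_task(struct softc *sc, const unsigned char *pkt, size_t len)
{
    return tx_start(sc, pkt, len);
}

/* Runs the up / transmit / down / late-task sequence from the report.
 * Returns 0 when the late task is dropped cleanly, nonzero otherwise. */
int run_sequence(void)
{
    struct softc sc;
    unsigned char frame[30];                /* constructed 30-byte frame, like len=30 */
    memset(&sc, 0, sizeof(sc));
    memset(frame, 0xAB, sizeof(frame));

    if (dev_up(&sc) != 0)
        return 1;
    if (tx_start(&sc, frame, sizeof(frame)) != (int)sizeof(frame))
        return 2;
    dev_down(&sc);
    if (tx_dest_unguarded(&sc.tx) != TX_HDRLEN)    /* would have been address 0x8 */
        return 3;
    if (deferred_task(&sc, frame, sizeof(frame)) != -1)
        return 4;
    return 0;
}
```

The check in tx_start is the minimal guard; in a real driver the down path must also cancel or drain the deferred task before freeing the chain buffers, otherwise the guard only narrows the window rather than closing it.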