Subject: kern/32344: atu(4) makes kernel crash
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: None <stephane.witzmann@gmail.com>
List: netbsd-bugs
Date: 12/20/2005 13:15:00
>Number: 32344
>Category: kern
>Synopsis: atu(4) makes kernel crash
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Dec 20 13:15:00 +0000 2005
>Originator: Stéphane Witzmann
>Release: 3.99.13
>Organization:
>Environment:
NetBSD keen 3.99.13 NetBSD 3.99.13 (GENERIC) #4: Tue Dec 20 04:00:32 CET 2005 durandil@wolfenstein:/home/durandil/NetBSD/head/cross/obj/sys/arch/i386/compile/GENERIC i386
>Description:
The atu driver crashes on current (kernel + userland snapshot from a few days ago). I also tried on a 2.1 userland with a current kernel and had the same results.
atu0 at uhub1 port 1 configuration 1 interface 0
atu0: Atmel BW002 Wireless adapter, rev 1.10/1.00, addr 2
atu0: reattaching after firmware upload
atu0: at uhub1 port 1 (addr 2) disconnected
atu0 detached
atu0 at uhub1 port 1 configuration 1 interface 0
atu0: Atmel BW002 Wireless adapter, rev 1.10/1.00, addr 2
atu0: MAC address 00:00:1c:0b:d8:b5
# ifconfig atu0 inet 10.0.0.1
uvm_fault(0xc0862900, 0xc13cb000, 0, 1) -> 0xe
kernel: supervisor trap page fault, code = 0
Stopped in pid 527.1 (ifconfig) at netbsd:atu_initial_config+0xc0: movzbl
0x990(%ebx,%eax,1),%eax
db> bt
atu_initial_config
atu_init
ether_ioctl
ieee80211_ioctl
atu_ioctl
in_ifinit
in_control
compat_ifioctl
ifioctl
sys_ioctl
syscall_plain
--- syscall (number 54) ---
The fault occurs in atu_initial_config(), at:
switch (ic->ic_nw_keys[ic->ic_def_txkey].wk_keylen)
At this time, ic->ic_def_txkey = 65535 (= IEEE80211_KEYIX_NONE, most probably initialized by ieee80211_crypto_attach()), which is far beyond the end of the array (size: IEEE80211_WEP_NKID = 4).
>How-To-Repeat:
Plug the device and use ifconfig or dhclient on it. By the way, it doesn't crash with 3.0RC5, only current.
>Fix:
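The fault described in the report is an unchecked array subscript: a driver takes ic->ic_def_txkey, which net80211 sets to IEEE80211_KEYIX_NONE (0xffff) when no default transmit key has been configured, and uses it directly as an index into the four-entry ic_nw_keys[] array. The following is an added example written for this page; it is not the atu(4) source, not the PR submitter's code and not the fix that was eventually committed. The struct ieee80211com, the key struct and the ATU_WEP_* mode values are simplified stand-ins (assumptions) that keep only the fields the crash involves, so the example builds and runs in userland; the unchecked function reproduces the pattern from the backtrace and the checked one shows the bounds test a driver needs before touching the array.

```c
/*
 * Added example modelling the atu_initial_config() fault: indexing
 * ic_nw_keys[] with an unvalidated ic_def_txkey. Everything below is
 * a constructed stand-in for net80211 types, not NetBSD source.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IEEE80211_WEP_NKID    4        /* number of WEP key slots */
#define IEEE80211_KEYIX_NONE  0xffff   /* "no default tx key" marker */
#define IEEE80211_KEYBUF_SIZE 16

/* Assumed minimal key record: only the length field matters here. */
struct ieee80211_key {
    uint8_t wk_keylen;
    uint8_t wk_key[IEEE80211_KEYBUF_SIZE];
};

/* Assumed minimal ieee80211com: the two fields the crash touches. */
struct ieee80211com {
    uint16_t             ic_def_txkey;   /* ieee80211_keyix is 16 bits */
    struct ieee80211_key ic_nw_keys[IEEE80211_WEP_NKID];
};

/* Hypothetical encryption modes a driver would program into firmware. */
enum atu_wep_mode {
    ATU_WEP_BAD     = -1,   /* unsupported key length */
    ATU_WEP_OFF     = 0,
    ATU_WEP_40BITS  = 1,    /* 5-byte key  */
    ATU_WEP_104BITS = 2     /* 13-byte key */
};

static int
keylen_to_mode(uint8_t keylen)
{
    switch (keylen) {
    case 0:  return ATU_WEP_OFF;
    case 5:  return ATU_WEP_40BITS;
    case 13: return ATU_WEP_104BITS;
    default: return ATU_WEP_BAD;
    }
}

/*
 * The pattern from the PR: ic_def_txkey is used as a subscript with no
 * range check. With ic_def_txkey == IEEE80211_KEYIX_NONE this reads
 * about 65535 * sizeof(struct ieee80211_key) bytes past the array,
 * which in the kernel is the uvm_fault shown in the report. Only call
 * this with an in-range index.
 */
static int
select_wep_mode_unchecked(const struct ieee80211com *ic)
{
    return keylen_to_mode(ic->ic_nw_keys[ic->ic_def_txkey].wk_keylen);
}

/*
 * Hardened form: IEEE80211_KEYIX_NONE, or any index at or beyond
 * IEEE80211_WEP_NKID, means "no usable default key", so report WEP off
 * instead of dereferencing past the array.
 */
static int
select_wep_mode_checked(const struct ieee80211com *ic)
{
    uint16_t kix = ic->ic_def_txkey;

    if (kix == IEEE80211_KEYIX_NONE || kix >= IEEE80211_WEP_NKID)
        return ATU_WEP_OFF;
    return keylen_to_mode(ic->ic_nw_keys[kix].wk_keylen);
}

/*
 * Helper for the demo: build an ieee80211com with ic_def_txkey = kix,
 * store keylen in that slot when the slot exists, and return the
 * checked driver's decision.
 */
static int
mode_for(uint16_t kix, uint8_t keylen)
{
    struct ieee80211com ic;

    memset(&ic, 0, sizeof(ic));
    ic.ic_def_txkey = kix;
    if (kix < IEEE80211_WEP_NKID)
        ic.ic_nw_keys[kix].wk_keylen = keylen;
    return select_wep_mode_checked(&ic);
}

int
main(void)
{
    struct ieee80211com ic;

    /* State right after ieee80211_crypto_attach(): no default key. */
    printf("keyix NONE      -> checked mode %d\n",
        mode_for(IEEE80211_KEYIX_NONE, 0));
    /* Configured 104-bit key in slot 1: both paths agree. */
    memset(&ic, 0, sizeof(ic));
    ic.ic_def_txkey = 1;
    ic.ic_nw_keys[1].wk_keylen = 13;
    printf("keyix 1, len 13 -> unchecked %d, checked %d\n",
        select_wep_mode_unchecked(&ic), select_wep_mode_checked(&ic));
    return 0;
}
```

The check belongs in the driver because net80211 legitimately hands out IEEE80211_KEYIX_NONE whenever no transmit key is set; the report notes 3.0RC5 did not crash, which is consistent with the marker value (rather than the driver) having changed underneath it.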