Subject: kern/37350: reproducible panic with ath(4) on operating mode change
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: None <j+nbsd@2007.salmi.ch>
List: netbsd-bugs
Date: 11/09/2007 18:10:01
>Number:         37350
>Category:       kern
>Synopsis:       reproducible panic with ath(4) on operating mode change
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Nov 09 18:10:00 +0000 2007
>Originator:     Jukka Salmi
>Release:        NetBSD 4.0_RC1
>Environment:
System: NetBSD clam.salmi.ch 4.0_RC1 NetBSD 4.0_RC1 (CLAM) #0: Wed Sep 19 16:18:25 UTC 2007  root@moray.salmi.ch:/b/build/nbsd/4/i386/sys/arch/i386/compile/CLAM i386
Architecture: i386
Machine: i386

Partial dmesg output:
[..]
cpu0 at mainbus0: (uniprocessor)
cpu0: AMD Am486DX4 W/B or Am5x86 W/B 150 (486-class), id 0x494
cpu0: features 1<FPU>
pci0 at mainbus0 bus 0: configuration mode 1
pci0: i/o space, memory space enabled, rd/line, rd/mult, wr/inv ok
elansc0 at pci0 dev 0 function 0: AMD Elan SC520 System Controller
elansc0: product 0 stepping 1.1, CPU clock 100MHz
gpio0 at elansc0: 32 pins
cbb0 at pci0 dev 9 function 0: vendor 0x104c product 0xac50 (rev. 0x02)
[..]
cbb0: interrupting at irq 10
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 1
pcmcia0 at cardslot0
[...]
ath0 at cardbus0 function 0
ath0: 11a rates: 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
ath0: 11b rates: 1Mbps 2Mbps 5.5Mbps 11Mbps
ath0: 11g rates: 1Mbps 2Mbps 5.5Mbps 11Mbps 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
ath0: turboA rates: 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
ath0: mac 5.9 phy 4.3 radio 3.6
[...]

The ath(4) adapter is based on the AR5213 chip.

>Description:
This WLAN access point reproducibly panics when the operating mode of
its ath(4) interface is changed from 11g to 11b and then back to 11g.

>How-To-Repeat:
$ ifconfig ath0
ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2290
        ssid BS110 apbridge nwkey *****
        powersave off
        bssid 00:0b:6b:20:38:50 chan 2
        address: 00:0b:6b:20:38:50
        media: IEEE802.11 autoselect mode 11g hostap
        status: active
        inet 172.31.205.1 netmask 0xffffff00 broadcast 172.31.205.255
$ sudo ifconfig ath0 mode 11b
$ ifconfig ath0
ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2290
        ssid BS110 apbridge nwkey *****
        powersave off
        bssid 00:0b:6b:20:38:50 chan 2
        address: 00:0b:6b:20:38:50
        media: IEEE802.11 autoselect mode 11b hostap
        status: active
        inet 172.31.205.1 netmask 0xffffff00 broadcast 172.31.205.255
$ sudo ifconfig ath0 mode 11g
panic: bogus long slot station count 0
Stopped in pid 265.1 (ifconfig) at      netbsd:cpu_Debugger+0x4:        popl    %ebp
db> bt
cpu_Debugger(292,0,c10e503c,c78597d8,1) at netbsd:cpu_Debugger+0x4
panic(c0266166,0,c1035c40,c1035c40,1) at netbsd:panic+0x12b
ieee80211_node_leave(c10e5474,c115e000,282,282,6) at netbsd:ieee80211_node_leave+0xfe
ieee80211_iterate_nodes(c10e5c00,c011adec,c10e5474,4,c10e5474) at netbsd:ieee80211_iterate_nodes+0x9e
ieee80211_newstate(c10e5474,0,ffffffff,c10e5000,18) at netbsd:ieee80211_newstate+0xf4
ath_newstate(c10e5474,0,ffffffff,0,c10e5474) at netbsd:ath_newstate+0x6a7
ath_stop_locked(ffffffff,c10e503c,c10e7000,c10e503c,c10e503c) at netbsd:ath_stop_locked+0x5f
ath_init(30280,30280,c785997c,c01f3d0a,c10e503c) at netbsd:ath_init+0x8c
ath_media_change(c10e503c,c10e5ccc,30280,0,c018cbad) at netbsd:ath_media_change+0x2b
ifmedia_ioctl(c10e503c,c7859b88,c10e5ccc,c0206935,c0e86f20) at netbsd:ifmedia_ioctl+0x89
ieee80211_ioctl(c10e5474,c0206935,c7859b88,0,c10e5474) at netbsd:ieee80211_ioctl+0x13d
ath_ioctl(c10e503c,c0206935,c7859b88,0,0) at netbsd:ath_ioctl+0x2a3
ifioctl(c1046288,c0206935,c7859b88,c6f6b5c8,c1046288) at netbsd:ifioctl+0x645
sys_ioctl(c6f6b5c8,c7859c48,c7859c68,bfbfed60,bbbc1000) at netbsd:sys_ioctl+0x21d
syscall_plain() at netbsd:syscall_plain+0xb9
--- syscall (number 54) ---
0xbbbb7a2b:
db> show registers
ds          0x10
es          0x10
fs          0x30
gs          0x10
edi         0xc115e000
esi         0xc0266166  copyright+0x1fe6
ebp         0xc78597ac
ebx         0
edx         0x7
ecx         0x286
eax         0x1
eip         0xc0205411  cpu_Debugger+0x4
cs          0x8
eflags      0x246
esp         0xc78597ac
ss          0x10
netbsd:cpu_Debugger+0x4:        popl    %ebp

>Fix:
unknown
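Added illustration, not code from this PR or from net80211: a constructed C model of the bookkeeping that the assertion in ieee80211_node_leave guards, a cached count of long-slot stations decremented on leave, plus a recount from the node table that reports drift between cache and table instead of panicking. All names, the capability bit value and the forced desync are hypothetical; the PR itself does not identify why the count reached zero.

```c
#include <stdbool.h>
#include <stddef.h>

#define MAX_STA 8
#define CAP_SHORT_SLOTTIME 0x0400   /* constructed capability bit */

struct node { bool present; unsigned capinfo; };

struct ic {
    struct node sta[MAX_STA];
    int longslotsta;                /* cached count of long-slot stations */
};

/* Authoritative value: count long-slot stations directly from the table. */
int recount_longslot(const struct ic *ic)
{
    int n = 0;
    for (size_t i = 0; i < MAX_STA; i++)
        if (ic->sta[i].present && !(ic->sta[i].capinfo & CAP_SHORT_SLOTTIME))
            n++;
    return n;
}

void node_join(struct ic *ic, size_t i, unsigned capinfo)
{
    ic->sta[i].present = true;
    ic->sta[i].capinfo = capinfo;
    if (!(capinfo & CAP_SHORT_SLOTTIME))
        ic->longslotsta++;
}

/* Returns 0 on success, -1 where the kernel assertion would have fired
 * ("bogus long slot station count 0"): the cache must not go below zero. */
int node_leave(struct ic *ic, size_t i)
{
    if (!ic->sta[i].present)
        return 0;
    if (!(ic->sta[i].capinfo & CAP_SHORT_SLOTTIME)) {
        if (ic->longslotsta <= 0)
            return -1;
        ic->longslotsta--;
    }
    ic->sta[i].present = false;
    return 0;
}

/* Drift between cache and table; zero means the two agree. */
int longslot_drift(const struct ic *ic)
{
    return ic->longslotsta - recount_longslot(ic);
}
```

Running longslot_drift() before a bulk teardown such as the newstate iteration in the trace turns a panic into a loggable inconsistency.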