[FreeBSD 6.0] kernel crash with 802.11g

VANHULLEBUS Yvan vanhu_bsd at zeninc.net
Mon Jul 25 12:16:13 GMT 2005


Hi.

I just set up an AP under FreeBSD 6 (sources updated yesterday from
cvsup), using a PCI wireless card with a RALink chip.

When I start it, the WIFI mode is set to 802.11b, and everything
works... but in 802.11b.

As soon as I do an "ifconfig ral0 mode 11g", I have a kernel crash.

Here is the backtrace of the vmcore:

#0  doadump () at pcpu.h:165
#1  0xc056a988 in boot (howto=260) at ../../../kern/kern_shutdown.c:397
#2  0xc056ac33 in panic (fmt=0xc0748e8b "bogus long slot station count %d") at ../../../kern/kern_shutdown.c:553
#3  0xc05f11b7 in ieee80211_node_leave_11g (ic=0xc1367004, ni=0xc1382c00) at ../../../net80211/ieee80211_node.c:1705
#4  0xc05f13fb in ieee80211_node_leave (ic=0xc1367004, ni=0xc1382c00) at ../../../net80211/ieee80211_node.c:1789
#5  0xc05f46d0 in sta_disassoc (arg=0xc1367004, ni=0xc1382c00) at ../../../net80211/ieee80211_proto.c:829
#6  0xc05f0cd4 in ieee80211_iterate_nodes (nt=0xc13677b0, f=0xc05f46a8 <sta_disassoc>, arg=0xc1367004) at ../../../net80211/ieee80211_node.c:1539
#7  0xc05f47c8 in ieee80211_newstate (ic=0xc1367004, nstate=IEEE80211_S_INIT, arg=-1) at ../../../net80211/ieee80211_proto.c:868
#8  0xc04f0c83 in ral_newstate (ic=0xc1367004, nstate=IEEE80211_S_INIT, arg=-1) at ../../../dev/ral/if_ral.c:1039
#9  0xc04f3c21 in ral_stop (priv=0xc1367000) at ../../../dev/ral/if_ral.c:2781
#10 0xc04f38ce in ral_init (priv=0xc1367000) at ../../../dev/ral/if_ral.c:2694
#11 0xc04f09af in ral_media_change (ifp=0xc1310800) at ../../../dev/ral/if_ral.c:919
#12 0xc05d1733 in ifmedia_ioctl (ifp=0xc1310800, ifr=0x0, ifm=0xc13678ac, cmd=0) at ../../../net/if_media.c:258
#13 0xc05ee8d9 in ieee80211_ioctl (ic=0xc1367004, cmd=3223349559, data=0xc19c04a0 "ral0") at ../../../net80211/ieee80211_ioctl.c:2351
#14 0xc04f2b40 in ral_ioctl (ifp=0xc1310800, cmd=3223349559, data=0xc19c04a0 "ral0") at ../../../dev/ral/if_ral.c:2190
#15 0xc05ccf6c in ifhwioctl (cmd=3223349559, ifp=0xc1310800, data=0xc19c04a0 "ral0", td=0x0) at ../../../net/if.c:1458
#16 0xc05cd127 in ifioctl (so=0xc148a858, cmd=3223349559, data=0xc19c04a0 "ral0", td=0xc1524a80) at ../../../net/if.c:1530
#17 0xc0591007 in soo_ioctl (fp=0x0, cmd=3223349559, data=0xc19c04a0, active_cred=0xc173e300, td=0xc1524a80) at ../../../kern/sys_socket.c:214
#18 0xc058b8bc in ioctl (td=0xc1524a80, uap=0xca529d04) at file.h:258
#19 0xc06f2e8f in syscall (frame= {tf_fs = 59, tf_es = 59, tf_ds = 59, tf_edi = 134572160, tf_esi = 134581088, tf_ebp = -1077943064, tf_isp = -900555420, tf_ebx = 134594560, tf_edx = 0, tf_ecx = 134572160, tf_eax = 54, tf_trapno = 12, tf_err = 2, tf_eip = 671900295, tf_cs = 51, tf_eflags = 582, tf_esp = -1077943092, tf_ss = 59}) at ../../../i386/i386/trap.c:985
#20 0xc06e234f in Xint0x80_syscall () at ../../../i386/i386/exception.s:198
#21 0x0000003b in ?? ()
[Lots of other]
#49 0xc057ad4b in sched_switch (td=0x8058b60, newtd=0x805c000, flags=Cannot access memory at address 0xbfbfe4f8
) at ../../../kern/sched_4bsd.c:973
Previous frame inner to this frame (corrupt stack?)


Looking at the sources, I can see that it reaches a KASSERT after
checking (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME) == 0 (and
according to kgdb, this flag is not set).
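Added illustration, not part of the original message and not net80211 code: a small user-space model in C of the per-BSS long-slot station counter that a KASSERT of this kind protects. Only the IEEE80211_CAPINFO_SHORT_SLOTTIME name and its 802.11 bit value are real; the structs, the function names and the join/leave bookkeeping are assumptions made for the model. It shows how a station without the short-slot bit is counted on join and uncounted on leave, and how a leave that finds the count already at zero reaches the assertion condition.

```c
/*
 * Simplified model of long-slot station bookkeeping in an 11g BSS.
 * Added illustration, not net80211 code: the structs, function names and
 * join/leave logic below are assumptions; only the flag name and its
 * 802.11 capability-info bit value are real.
 */
#include <stdbool.h>
#include <stdio.h>

/* Capability-info bit for short slot time (bit 10 of the 802.11 capinfo field). */
#define IEEE80211_CAPINFO_SHORT_SLOTTIME 0x0400

struct model_node {
    unsigned capinfo;      /* capability info the station advertised */
    bool     associated;
};

struct model_ic {
    int longslotsta;       /* associated stations lacking short-slot support */
};

/* Station joins the BSS: count it as long-slot if it lacks the bit. */
static void
model_node_join_11g(struct model_ic *ic, struct model_node *ni)
{
    if ((ni->capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME) == 0)
        ic->longslotsta++;
    ni->associated = true;
}

/*
 * Station leaves the BSS.  The kernel expresses the invariant as a KASSERT
 * (a panic); the model returns -1 instead so it can run in user space.
 * Returns 0 when the bookkeeping is consistent.
 */
static int
model_node_leave_11g(struct model_ic *ic, struct model_node *ni)
{
    if ((ni->capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME) == 0) {
        if (ic->longslotsta <= 0)
            return -1;      /* the kernel's "bogus long slot station count" case */
        ic->longslotsta--;
    }
    ni->associated = false;
    return 0;
}

/* Consistent scenario: each station leaves with the capinfo it joined with. */
int
model_scenario_consistent(void)
{
    struct model_ic ic = { 0 };
    struct model_node a = { 0, false };                                 /* long-slot */
    struct model_node b = { IEEE80211_CAPINFO_SHORT_SLOTTIME, false };  /* short-slot */
    int rc;

    model_node_join_11g(&ic, &a);
    model_node_join_11g(&ic, &b);
    rc = model_node_leave_11g(&ic, &a);
    if (rc != 0)
        return rc;
    rc = model_node_leave_11g(&ic, &b);
    return (rc == 0 && ic.longslotsta == 0) ? 0 : -1;
}

/*
 * Constructed inconsistent scenario: the station's capinfo loses the
 * short-slot bit between join and leave, so leave decrements a count that
 * was never incremented.  Returns -1, the assertion condition.
 */
int
model_scenario_capinfo_changed(void)
{
    struct model_ic ic = { 0 };
    struct model_node a = { IEEE80211_CAPINFO_SHORT_SLOTTIME, false };

    model_node_join_11g(&ic, &a);           /* not counted: short-slot */
    a.capinfo &= ~IEEE80211_CAPINFO_SHORT_SLOTTIME;
    return model_node_leave_11g(&ic, &a);
}

int
main(void)
{
    printf("consistent scenario: %d\n", model_scenario_consistent());
    printf("capinfo changed scenario: %d\n", model_scenario_capinfo_changed());
    return 0;
}
```

The second scenario is one constructed way to violate the invariant in the model; it is not a claim about the cause of the crash reported above, only a way to see what the assertion's "count already zero" condition means when reading ieee80211_node_leave_11g.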


Is this a known bug?

I don't know the 802.11 framework, so I don't know what
IEEE80211_CAPINFO_SHORT_SLOTTIME is. I'll try to have a deeper look at
this part of the kernel, and I can also run some tests if people
need information to fix the problem.


Yvan.
