Subject: bin/14978: another bug in if_tl.c
To: None <gnats-bugs@gnats.netbsd.org>
From: None <dive@endersgame.net>
List: netbsd-bugs
Date: 12/17/2001 15:38:34
>Number: 14978
>Category: bin
>Synopsis: trying to enable full-duplex mode when not hooked to a full-duplex port causes a panic
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Dec 17 07:44:00 PST 2001
>Closed-Date:
>Last-Modified:
>Originator: dive-o
>Release: NetBSD 1.5Z
>Organization:
/~\ The ASCII Sean Davis
\ / Ribbon Campaign aka dive-o
X Against HTML
/ \ Email! dive@endersgame.net
>Environment:
Compaq Netelligent dual port 10/100 NIC
System: NetBSD eros.endersgame.net 1.5Z NetBSD 1.5Z (EROS) #206: Mon Dec 17 07:39:02 EST 2001 dive@eros.endersgame.net:/cvs/nbcurrent/syssrc/sys/arch/i386/compile/EROS i386
Architecture: i386
Machine: i386
>Description:
I discovered this by accident, but if I have a port on a tl
interface connected to something that only supports 10baseT HDX, and try
`ifconfig tl<x> media 10baseT mediaopt full-duplex`, I get a kernel panic.
If I try it on tl0 it just drops the port speed on my switch, but tl1 is
connected to a cable modem which only works at 10baseT half duplex, and the
machine panics then. After reading through the tl driver source, I notice
that the hardware *does* have a phy for 10baseT, but we ignore it, for
convenience reasons in the ifconfig program, it would seem. Isn't there a
better way that'd allow it to be used? I'll work on it, if it's wanted.
Anyway, here's the trace from the crash:
#8 0xc0100baf in calltrap ()
#9 0xc020c2b9 in tl_init (ifp=0xc097d400)
at sys/dev/pci/if_tl.c:587
#10 0xc020da8e in tl_mediachange (ifp=0xc097d440)
at sys/dev/pci/if_tl.c:1411
#11 0xc01667ca in ifmedia_ioctl (ifp=0xc097d440, ifr=0xdc81cec0, ifm=0xc097d604, cmd=3223349557)
at sys/net/if_media.c:283
#12 0xc020d4fe in tl_ifioctl (ifp=0xc097d440, cmd=3223349557, data=0xdc81cec0 "tl1")
at sys/dev/pci/if_tl.c:1204
#13 0xc0165085 in ifioctl (so=0xc0a3cec0, cmd=3223349557, data=0xdc81cec0 "tl1", p=0xdc205910)
at sys/net/if.c:1401
#14 0xc013f1c4 in soo_ioctl (fp=0xdc7b57b4, cmd=3223349557, data=0xdc81cec0 "tl1", p=0xdc205910)
at sys/kern/sys_socket.c:139
#15 0xc013cd7d in sys_ioctl (p=0xdc205910, v=0xdc81cf80, retval=0xdc81cf78)
at sys/kern/sys_generic.c:614
#16 0xc01f57bb in syscall_plain (
frame={tf_gs = 31, tf_fs = 31, tf_es = 31, tf_ds = 31, tf_edi = 134709739, tf_esi = -1077945400,
tf_ebp = -1077945644, tf_ebx = 2, tf_edx = 0, tf_ecx = 134777200, tf_eax = 54, tf_trapno = 3,
tf_err = 2, tf_eip = 134687083, tf_cs = 23, tf_eflags = 663, tf_esp = -1077945688, tf_ss = 31,
tf_vm86_es = 0, tf_vm86_ds = 0, tf_vm86_fs = 0, tf_vm86_gs = 0})
at sys/arch/i386/i386/syscall.c:140
#17 0xc0100c24 in syscall1 ()
can not access 0xbfbfdad4, invalid translation (invalid PDE)
can not access 0xbfbfdad4, invalid translation (invalid PDE)
Cannot access memory at address 0xbfbfdad4
>How-To-Repeat:
connect a port on a tl card to a hub or something else that can't do
more than half duplex 10baseT
ifconfig tl<x> <ip> <netmask> media 10baseT
ifconfig tl<x> media 10baseT mediaopt full-duplex
>Fix:
I'm almost positive that adding a simple check to tl_mediachange
would fix this, but I'm still working on it.
>Release-Note:
>Audit-Trail:
>Unformatted:
everything as of today (2001/12/17)