kern/92083: panic using WPA on ural NIC in 6.0-RELEASE

Anders Nordby anders at FreeBSD.org
Fri Jan 20 16:10:05 PST 2006


>Number:         92083
>Category:       kern
>Synopsis:       panic using WPA on ural NIC in 6.0-RELEASE
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jan 21 00:10:03 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Anders Nordby
>Release:        FreeBSD 6.0-RELEASE i386
>Organization:
-
>Environment:
System: FreeBSD stream.localnet 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Fri Jan 20 20:48:44 CET 2006     root at stream.localnet:/usr/obj/usr/src/sys/STREAM  i386

Using D-Link DWL-G122 USB Wireless NIC. Running GENERIC kernel with IPv6
stripped and the following added to kernel config:

device          sound
device          "snd_via8233"

device          wlan                    #802.11 support
device          wlan_wep                #802.11 WEP support
device          wlan_ccmp               #802.11 CCMP support
device          wlan_tkip               #802.11 TKIP support
device          wlan_xauth              #802.11 external authenticator support
device          wlan_acl                #802.11 MAC ACL support
device          acpi
   
options         KDB
options         DDB 

Using /etc/wpa_supplicant.conf like this:

ctrl_interface_group=0
eapol_version=1
ap_scan=1
fast_reauth=1

network={
	ssid="SOMENETWORK"
        scan_ssid=1
        key_mgmt=WPA-PSK
	psk="SOMEPASSWORD"
}

NIC is configured through rc.conf:

ifconfig_ural0="inet X.X.X.X netmask 0xYYYYYYYY WPA mode 11g"

>Description:

System panics:

fault virtual address   = 0x4
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc0705b21
stack pointer           = 0x28:0xcab36c00
frame pointer           = 0x28:0xcab36c0c
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 23 (irq12: vr0 ehci0)
[thread pid 23 tid 100010 ]
Stopped at      ieee80211_free_node+0x9:        movl    0x4(%esi),%ebx
db> panic
panic: from debugger
Uptime: 14m56s
Dumping 223 MB (2 chunks)
  chunk 0: 1MB (160 pages) ... ok
  chunk 1: 223MB (57072 pages) 207 191 175 159 143 127 111 95 79 63 47 31 15 ... ok

Dump complete
Automatic reboot in 15 seconds - press a key on the console to abort
Rebooting...

Checking where this is with gdb, I get:

stream# gdb /usr/obj/usr/src/sys/STREAM/kernel.debug 
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...
(gdb) l *0xc0705b21
0xc0705b21 is in ieee80211_free_node (/usr/src/sys/net80211/ieee80211_node.c:1542).
1537    ieee80211_free_node_debug(struct ieee80211_node *ni, const char *func, int line)
1538    #else
1539    ieee80211_free_node(struct ieee80211_node *ni)
1540    #endif
1541    {
1542            struct ieee80211_node_table *nt = ni->ni_table;
1543    
1544    #ifdef IEEE80211_DEBUG_REFCNT
1545            IEEE80211_DPRINTF(ni->ni_ic, IEEE80211_MSG_NODE,
1546                    "%s (%s:%u) %p<%s> refcnt %d\n", __func__, func, line, ni,
(gdb) 

Analyzing the crash dump, I get:

stream# kgdb /usr/obj/usr/src/sys/STREAM/kernel.debug /var/crash/vmcore.0
[GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd".

Unread portion of the kernel message buffer:


Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x4
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc0705b21
stack pointer           = 0x28:0xcab36c00
frame pointer           = 0x28:0xcab36c0c
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 23 (irq12: vr0 ehci0)
panic: from debugger
Uptime: 14m56s
Dumping 223 MB (2 chunks)
  chunk 0: 1MB (160 pages) ... ok
  chunk 1: 223MB (57072 pages) 207 191 175 159 143 127 111 95 79 63 47 31 15

#0  doadump () at pcpu.h:165
165     pcpu.h: No such file or directory.
        in pcpu.h
(kgdb) where
#0  doadump () at pcpu.h:165
#1  0xc067a7aa in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:399
#2  0xc067aa70 in panic (fmt=0xc08648d1 "from debugger")
    at /usr/src/sys/kern/kern_shutdown.c:555
#3  0xc0487d71 in db_panic (addr=-1066378463, have_addr=0, count=-1, 
    modif=0xcab36a2c "") at /usr/src/sys/ddb/db_command.c:438
#4  0xc0487d08 in db_command (last_cmdp=0xc0940684, cmd_table=0x0, 
    aux_cmd_tablep=0xc08ba69c, aux_cmd_tablep_end=0xc08ba6b8)
    at /usr/src/sys/ddb/db_command.c:350
#5  0xc0487dd0 in db_command_loop () at /usr/src/sys/ddb/db_command.c:458
#6  0xc04899dd in db_trap (type=12, code=0) at /usr/src/sys/ddb/db_main.c:221
#7  0xc0692fa3 in kdb_trap (type=12, code=0, tf=0xcab36bc0)
    at /usr/src/sys/kern/subr_kdb.c:473
#8  0xc082d600 in trap_fatal (frame=0xcab36bc0, eva=4)
    at /usr/src/sys/i386/i386/trap.c:822
#9  0xc082d36f in trap_pfault (frame=0xcab36bc0, usermode=0, eva=4)
    at /usr/src/sys/i386/i386/trap.c:742
#10 0xc082cf69 in trap (frame=
      {tf_fs = 8, tf_es = 40, tf_ds = 40, tf_edi = -1055113216, tf_esi = 0, tf_ebp = -894211060, tf_isp = -894211092, tf_ebx = -1055110224, tf_edx = -1055541248, tf_ecx = 0, tf_eax = 0, tf_trapno = 12, tf_err = 0, tf_eip = -1066378463, tf_cs = 32, tf_eflags = 66118, tf_esp = -1055110224, tf_ss = -1055079424})
    at /usr/src/sys/i386/i386/trap.c:432
#11 0xc081c46a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
#12 0xc0705b21 in ieee80211_free_node (ni=0x0)
    at /usr/src/sys/net80211/ieee80211_node.c:1541
#13 0xc060453f in ural_txeof (xfer=0xc11afa00, priv=0xc11c4bb0, 
    status=USBD_NORMAL_COMPLETION) at /usr/src/sys/dev/usb/if_ural.c:826
#14 0xc061bd80 in usb_transfer_complete (xfer=0xc11afa00)
    at /usr/src/sys/dev/usb/usbdi.c:851
#15 0xc05fa5c4 in ehci_idone (ex=0xc11afa00) at /usr/src/sys/dev/usb/ehci.c:867
#16 0xc05fa49f in ehci_check_intr (sc=0xc115b800, ex=0xc11afa00)
    at /usr/src/sys/dev/usb/ehci.c:752
#17 0xc05fa419 in ehci_softintr (v=0xc115b800)
    at /usr/src/sys/dev/usb/ehci.c:692
#18 0xc06190d1 in usb_schedsoftintr (bus=0x0) at /usr/src/sys/dev/usb/usb.c:871
#19 0xc05fa1fa in ehci_intr1 (sc=0xc115b800) at /usr/src/sys/dev/usb/ehci.c:592
#20 0xc05fa13a in ehci_intr (v=0xc115b800) at /usr/src/sys/dev/usb/ehci.c:551
#21 0xc0665da9 in ithread_loop (arg=0xc1082700)
    at /usr/src/sys/kern/kern_intr.c:547
#22 0xc0665030 in fork_exit (callout=0xc0665c50 <ithread_loop>, 
    arg=0xc1082700, frame=0xcab36d38) at /usr/src/sys/kern/kern_fork.c:789
#23 0xc081c4cc in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:208
(kgdb) quit

>How-To-Repeat:

Run any kind of real network load (like trying to cvsup ports), and the system
will panic.

>Fix:

N/A
>Release-Note:
>Audit-Trail:
>Unformatted:
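Editor's note, not part of the report above: the trace shows ieee80211_free_node() entered with ni=0x0 from ural_txeof(), and the faulting instruction movl 0x4(%esi),%ebx with %esi=0 is the load of ni->ni_table, the second pointer-sized field of struct ieee80211_node, which lands at offset 4 on i386 and explains "fault virtual address = 0x4". The report does not say why the node pointer was NULL, so the C model below does not claim to reproduce the cause. It is an added example, not FreeBSD's net80211 or if_ural.c code: a toy node with the same leading field order, a guarded free that reports a NULL node instead of faulting, and a TX-completion routine that detaches the node reference from the per-transfer descriptor before releasing it, so that a descriptor completed twice (an assumed scenario) yields a clean "nothing to release" instead of a second free. The struct names, the double-completion scenario and the return codes are all assumptions for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy stand-ins for ieee80211_node_table / ieee80211_node (assumed layout,
 * not the real structs): ni_ic first, ni_table second, as in the trap. */
struct node_table {
    unsigned nfree;                 /* nodes handed back to the table */
};

struct node {
    void              *ni_ic;       /* offset 0 */
    struct node_table *ni_table;    /* offset 4 on i386, 8 on 64-bit */
    unsigned           ni_refcnt;
};

/* Per-transfer descriptor (stand-in for ural_tx_data): owns one node
 * reference from submission until completion. */
struct tx_data {
    struct node *ni;
};

/* Offset of ni_table: one pointer into the struct. With ni == NULL the
 * load of ni->ni_table is a read from this address, i.e. 0x4 on i386. */
size_t node_table_offset(void)
{
    return offsetof(struct node, ni_table);
}

/* Guarded release. Returns the remaining refcount, or -1 for a NULL node
 * instead of faulting on ni->ni_table as the unguarded path does. */
int free_node(struct node *ni)
{
    if (ni == NULL) {
        fprintf(stderr, "free_node: NULL node, refusing to dereference\n");
        return -1;
    }
    struct node_table *nt = ni->ni_table;
    if (--ni->ni_refcnt == 0)
        nt->nfree++;                /* last reference: back to the table */
    return (int)ni->ni_refcnt;
}

/* TX completion: take the reference out of the descriptor first, then
 * release it. A second completion of the same descriptor sees NULL and
 * returns 0 ("nothing to release") rather than freeing the node again.
 * Returns 1 when a reference was released. */
int tx_complete(struct tx_data *d)
{
    struct node *ni = d->ni;
    d->ni = NULL;
    if (ni == NULL)
        return 0;
    free_node(ni);
    return 1;
}

/* Assumed scenario: one descriptor holding one reference, completed
 * twice. Returns 1 if the node was released exactly once. */
int scenario_double_completion(void)
{
    struct node_table nt = { 0 };
    struct node n = { NULL, &nt, 1 };
    struct tx_data d = { &n };

    int first  = tx_complete(&d);   /* releases the reference */
    int second = tx_complete(&d);   /* finds nothing, no second free */

    return first == 1 && second == 0 && nt.nfree == 1 && n.ni_refcnt == 0;
}

int main(void)
{
    printf("ni_table offset: %zu\n", node_table_offset());
    printf("free_node(NULL) -> %d\n", free_node(NULL));
    printf("double completion handled: %d\n", scenario_double_completion());
    return 0;
}
```

On a 32-bit build node_table_offset() is 4, matching the fault address in the report; on a 64-bit build it is 8. The point of the detach-then-free ordering in tx_complete() is that the descriptor never holds a pointer to a node it has already released, so whatever path hands a stale descriptor back to the completion routine hits the NULL check rather than a dangling or NULL dereference inside the free routine.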
