kern/123968: Rum driver causes kernel panic with WPA.

Jonny Crook je.suis.bon at googlemail.com
Sun May 25 00:00:06 UTC 2008


>Number:         123968
>Category:       kern
>Synopsis:       Rum driver causes kernel panic with WPA.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun May 25 00:00:06 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Jonny Crook
>Release:        FreeBSD 7.0-RELEASE #0
>Organization:
>Environment:
>Description:
Using a Ralink rt73 chipset USB wireless dongle with WPA causes a kernel panic after a few minutes of network activity, e.g. downloading a file.

/var/crash/info.2 :
Dump header from device /dev/ad4s2b
  Architecture: i386
  Architecture Version: 2
  Dump Length: 113614848B (108 MB)
  Blocksize: 512
  Dumptime: Sat May 24 23:33:45 2008
  Hostname: 
  Magic: FreeBSD Kernel Dump
  Version String: FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 UTC 2008
    root at logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC
  Panic String: page fault
  Dump Parity: 3141769591
  Bounds: 2
  Dump Status: good


kgdb on the dumped image:

GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd".

Unread portion of the kernel message buffer:


Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address	= 0x12
fault code		= supervisor read, page not present
instruction pointer	= 0x20:0xc06b9e7a
stack pointer	        = 0x28:0xe45cebe4
frame pointer	        = 0x28:0xe45cebfc
code segment		= base 0x0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, def32 1, gran 1
processor eflags	= interrupt enabled, resume, IOPL = 0
current process		= 23 (irq23: uhci0 ehci0)
trap number		= 12
panic: page fault
cpuid = 0
Uptime: 3m47s
Physical memory: 1011 MB
Dumping 108 MB: 93 77 61 45 29 13

#0  doadump () at pcpu.h:195
	in pcpu.h
(kgdb) list *0xc06b9e7a
0xc06b9e7a is in rum_txeof (/usr/src/sys/dev/usb/if_rum.c:842).
837     {
838             struct rum_tx_data *data = priv;
839             struct rum_softc *sc = data->sc;
840             struct ifnet *ifp = sc->sc_ic.ic_ifp;
841
842             if (data->m->m_flags & M_TXCB)
843                     ieee80211_process_callback(data->ni, data->m,
844                             status == USBD_NORMAL_COMPLETION ? 0 : ETIMEDOUT);
845
846             if (status != USBD_NORMAL_COMPLETION) {
(kgdb)


I'm very new to FreeBSD, and I do not have the knowledge to create a patch. I hope the aforementioned information helps, however!

If any more information is needed, do ask. I can even upload the vmcore file, although it may contain sensitive information.

Many thanks,
Jonny. 


>How-To-Repeat:
Use WPA supplicant, with WPA TKIP, authenticate with an AP, download a file over the wireless (or other network activity) and within minutes a kernel panic will occur.
>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:

