kern/92083: [ural] [panic] panic using WPA on ural NIC in 6.2-RELEASE

Jonathan Fosburgh jonathan at fosburgh.org
Tue Mar 6 20:50:10 UTC 2007


The following reply was made to PR kern/92083; it has been noted by GNATS.

From: Jonathan Fosburgh <jonathan at fosburgh.org>
To: Sam Leffler <sam at errno.com>
Cc: Anders Nordby <anders at freebsd.org>,
 bug-followup at freebsd.org
Subject: Re: kern/92083: [ural] [panic] panic using WPA on ural NIC in 6.2-RELEASE
Date: Tue, 6 Mar 2007 14:47:15 -0600

 On Monday 12 February 2007 11:27, Sam Leffler wrote:
 
 >
 > The last I heard about any of this stuff your problems were related to
 > usb xfer stalls.  If this is no longer true then please provide me with a
 > recipe for recreating the issue.  If it's a driver/net80211 issue I will
 > try to fix it.  If it's in the usb subsystem it's unlikely I'm going to
 > pursue it.
 >
 
 I finally obtained what may be a useful kernel panic.  I recompiled with the 
 wlan/ural stuff in-kernel versus as modules (can someone put together, in one 
 place, how to debug a kernel with modules? There is documentation in a few 
 places, but it is geared to developers, and not end-users.  That is fine 
 for -CURRENT, but the issue is the same on -STABLE and the mainline 
 releases.)  So far I have captured one dump with this configuration.  I will 
 see if it crashes anymore throughout the day before I switch over to a 
 working configuration.  To reiterate:
 
 ural0: <Ralink 802.11g WLAN + Pen Drive, class 0/0, rev 2.00/0.01, addr 2> on uhub7
 ural0: MAC/BBP RT2570 (rev 0x05), RF RT2526
 ural0: using obsoleted if_watchdog interface
 ural0: Ethernet address: 00:d0:41:a1:09:78
 ural0: if_start running deferred for Giant
 
 
 and 
 
 FreeBSD asgard.fosburgh.org 7.0-CURRENT FreeBSD 7.0-CURRENT #34: Tue Mar  6 08:07:37 CST 2007     toor at asgard.fosburgh.org:/usr/obj/usr/src/sys/vmbsd  amd64
 
 
 When configuring the NIC using wep in ifconfig, it is stable.  When using 
 wpa_supplicant (even in WEP-mode) the driver is unstable and panics the 
 system.  It does not appear to be under any particular load condition.  I 
 often find the system has rebooted while I have been away and there is no 
 particular network load above background that I am aware of (emails being 
 received, etc).  Here is the panic:
 
 --# kgdb kernel.debug /usr/crash/vmcore.9
 kgdb: kvm_nlist(_stopped_cpus):
 kgdb: kvm_nlist(_stoppcbs):
 [GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
 GNU gdb 6.1.1 [FreeBSD]
 Copyright 2004 Free Software Foundation, Inc.
 GDB is free software, covered by the GNU General Public License, and you are
 welcome to change it and/or distribute copies of it under certain conditions.
 Type "show copying" to see the conditions.
 There is absolutely no warranty for GDB.  Type "show warranty" for details.
 This GDB was configured as "amd64-marcel-freebsd".
 
 Unread portion of the kernel message buffer:
 
 
 Fatal trap 12: page fault while in kernel mode
 fault virtual address   = 0x8
 fault code              = supervisor read data, page not present
 instruction pointer     = 0x8:0xffffffff802ee415
 stack pointer           = 0x10:0xffffffff9212ba70
 frame pointer           = 0x10:0x0
 code segment            = base 0x0, limit 0xfffff, type 0x1b
                         = DPL 0, pres 1, long 1, def32 0, gran 1
 processor eflags        = interrupt enabled, resume, IOPL = 0
 current process         = 33 (irq21: uhci0 uhci*)
 trap number             = 12
 panic: page fault
 Uptime: 5h13m37s
 Physical memory: 504 MB
 Dumping 78 MB: 63 47 31 15
 
 #0  doadump () at pcpu.h:141
 141             __asm __volatile("movq %%gs:0,%0" : "=r" (td));
 
 
 where:
 
 #0  doadump () at pcpu.h:141
 #1  0x0000000000000004 in ?? ()
 #2  0xffffffff80243519 in boot (howto=260)
     at /usr/src/sys/kern/kern_shutdown.c:409
 #3  0xffffffff80243afe in panic (fmt=0xffffff001ebf1560 "")
     at /usr/src/sys/kern/kern_shutdown.c:563
 #4  0xffffffff8037e022 in trap_fatal (frame=0xffffffff9212b9c0, eva=8)
     at /usr/src/sys/amd64/amd64/trap.c:696
 #5  0xffffffff8037e392 in trap_pfault (frame=0xffffffff9212b9c0, usermode=0)
     at /usr/src/sys/amd64/amd64/trap.c:614
 #6  0xffffffff8037e625 in trap (frame=0xffffffff9212b9c0)
     at /usr/src/sys/amd64/amd64/trap.c:382
 #7  0xffffffff80368fae in calltrap ()
     at /usr/src/sys/amd64/amd64/exception.S:169
 #8  0xffffffff802ee415 in ieee80211_free_node (ni=0x0)
     at /usr/src/sys/net80211/ieee80211_node.c:1602
 #9  0xffffffff801cb131 in ural_txeof (xfer=0x0, priv=0xffffffff80a40ec0,
     status=USBD_NORMAL_COMPLETION) at /usr/src/sys/dev/usb/if_ural.c:890
 #10 0xffffffff801e1ca3 in usb_transfer_complete (xfer=0xffffff000099d000)
     at /usr/src/sys/dev/usb/usbdi.c:983
 #11 0xffffffff801c46db in ehci_softintr (v=0x0)
     at /usr/src/sys/dev/usb/ehci.c:872
 #12 0xffffffff801c30d9 in ehci_intr1 (sc=0xffffff000094c000)
     at /usr/src/sys/dev/usb/ehci.c:591
 #13 0xffffffff8022e28d in ithread_loop (arg=0xffffff0000945780)
     at /usr/src/sys/kern/kern_intr.c:682
 #14 0xffffffff8022cd79 in fork_exit (
     callout=0xffffffff8022e150 <ithread_loop>, arg=0xffffff0000945780,
     frame=0xffffffff9212bc90) at /usr/src/sys/kern/kern_fork.c:814
 #15 0xffffffff8036931e in fork_trampoline ()
     at /usr/src/sys/amd64/amd64/exception.S:397
 #40 0x0000000000800000 in ?? ()
 #41 0xffffff001ebf1560 in ?? ()
 #42 0x0000000000000000 in ?? ()
 #43 0x0000000000000001 in ?? ()
 #44 0x0000000000000000 in ?? ()
 #45 0xffffff0016929810 in ?? ()
 #46 0xffffffff9212bbc8 in ?? ()
 #47 0xffffff001ebf1560 in ?? ()
 #48 0xffffffff8025faf0 in sched_switch (td=0xffffff0000945780, newtd=0x0,
     flags=0) at /usr/src/sys/kern/sched_ule.c:1472
 Cannot access memory at address 0xffffffff9212c000
 
 The instruction pointer matches to:
 
 #8  0xffffffff802ee415 in ieee80211_free_node (ni=0x0)
     at /usr/src/sys/net80211/ieee80211_node.c:1602
 
 
 Line 1602 is an open brace.  Here is the section of the file, starting at line 
 1597:
 
    1597 #ifdef IEEE80211_DEBUG_REFCNT
    1598 ieee80211_free_node_debug(struct ieee80211_node *ni, const char *func, int line)
    1599 #else
    1600 ieee80211_free_node(struct ieee80211_node *ni)
    1601 #endif
    1602 {
    1603         struct ieee80211_node_table *nt = ni->ni_table;
    1604
    1605 #ifdef IEEE80211_DEBUG_REFCNT
    1606         IEEE80211_DPRINTF(ni->ni_ic, IEEE80211_MSG_NODE,
    1607                 "%s (%s:%u) %p<%s> refcnt %d\n", __func__, func, line, ni,
    1608                  ether_sprintf(ni->ni_macaddr), ieee80211_node_refcnt(ni)-1);
    1609 #endif
    1610         if (nt != NULL) {
    1611                 IEEE80211_NODE_LOCK(nt);
    1612                 if (ieee80211_node_dectestref(ni)) {
    1613                         /*
    1614                          * Last reference, reclaim state.
    1615                          */
    1616                         _ieee80211_free_node(ni);
    1617                 } else if (ieee80211_node_refcnt(ni) == 1 &&
    1618                     nt->nt_keyixmap != NULL) {
    1619                         ieee80211_keyix keyix;
    1620                         /*
    1621                          * Check for a last reference in the key mapping table.
    1622                          */
    1623                         keyix = ni->ni_ucastkey.wk_rxkeyix;
    1624                         if (keyix < nt->nt_keyixmax &&
    1625                             nt->nt_keyixmap[keyix] == ni) {
    1626                                 IEEE80211_DPRINTF(ni->ni_ic, IEEE80211_MSG_NODE,
    1627                                     "%s: %p<%s> clear key map entry", __func__,
    1628                                     ni, ether_sprintf(ni->ni_macaddr));
    1629                                 nt->nt_keyixmap[keyix] = NULL;
    1630                                 ieee80211_node_decref(ni); /* XXX needed? */
    1631                                 _ieee80211_free_node(ni);
    1632                         }
    1633                 }
    1634                 IEEE80211_NODE_UNLOCK(nt);
    1635         } else {
    1636                 if (ieee80211_node_dectestref(ni))
    1637                         _ieee80211_free_node(ni);
    1638         }
    1639 }
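
Added example, not part of the original message and not FreeBSD source: a user-space C model of the panic reported above, showing why ni=0x0 faults at virtual address 0x8 (the read of ni->ni_table at line 1603) and how a TX completion handler can refuse a slot that has no node attached. The names model_node, model_tx_slot, model_txeof and fault_address are hypothetical, and the struct layout is a simplified assumption that keeps only the leading members.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model (assumption): only the leading members of the node
 * matter for the fault address; all other fields are omitted. */
struct model_node {
	void *ni_ic;     /* offset 0 */
	void *ni_table;  /* offset 8 on amd64: first field read at line 1603 */
	int   ni_refcnt;
};

/* Hypothetical per-transfer TX slot that remembers which node to release. */
struct model_tx_slot {
	struct model_node *ni;
	unsigned spurious;  /* completions that arrived with no node attached */
};

/* Address the CPU reads for "ni->ni_table" given the value of ni. */
static uintptr_t fault_address(uintptr_t ni)
{
	return ni + offsetof(struct model_node, ni_table);
}

/* Completion handler with a NULL guard: release the node once, clear the
 * slot, and count a repeat completion instead of dereferencing NULL.
 * Returns 0 when a reference was dropped, -1 when the slot held NULL. */
static int model_txeof(struct model_tx_slot *slot)
{
	struct model_node *ni = slot->ni;
	if (ni == NULL) {
		slot->spurious++;
		return -1;
	}
	slot->ni = NULL;
	ni->ni_refcnt--;
	return 0;
}

int main(void)
{
	struct model_node node = { NULL, NULL, 2 };  /* constructed sample */
	struct model_tx_slot slot = { &node, 0 };
	int first = model_txeof(&slot), second = model_txeof(&slot);
	printf("ni=NULL faults at 0x%lx; first=%d second=%d refcnt=%d spurious=%u\n",
	    (unsigned long)fault_address(0), first, second, node.ni_refcnt, slot.spurious);
	return 0;
}
```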

