usb/156000: rum(4) Fatal trap 18: integer divide fault while in kernel mode

Chunping Ruan rcp at mipang.com
Mon Mar 28 16:00:51 UTC 2011


>Number:         156000
>Category:       usb
>Synopsis:       rum(4) Fatal trap 18: integer divide fault while in kernel mode
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-usb
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Mar 28 16:00:19 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Chunping Ruan
>Release:        8.2-RELEASE i386/amd64
>Organization:
>Environment:
FreeBSD test.home.com 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Fri Feb 18 02:24:46 UTC 2011     root at almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
I have a USB wireless NIC (TP-LINK TL-WN321G+), and set it up as my hostap.

dmesg|grep rum
rum0: <Ralink 54M.USB......., class 0/0, rev 1.10/0.01, addr 2> on usbus0
rum0: MAC/BBP RT2573 (rev 0x2573a), RF RT2528

ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 08:00:27:d7:1e:31
        inet 192.168.1.220 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
rum0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 2290
        ether 00:1d:0f:07:9b:28
        media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>
        status: running
wlan0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:1d:0f:07:9b:28
        media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>
        status: running
        ssid mptest channel 6 (2437 MHz 11g) bssid 00:1d:0f:07:9b:28
        regdomain ROW country CN authmode WPA2/802.11i privacy MIXED
        deftxkey 2 AES-CCM 2:128-bit txpower 30 scanvalid 60 protmode CTS
        dtimperiod 1 -dfs
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 3e:cc:4a:2e:67:65
        inet 192.168.77.1 netmask 0xffffff00 broadcast 192.168.77.255
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: wlan0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 4 priority 128 path cost 370370

arp -an

? (192.168.77.100) at 00:21:fe:3e:0a:6b on bridge0 expires in 1199 seconds [bridge]
? (192.168.77.1) at 3e:cc:4a:2e:67:65 on bridge0 permanent [bridge]
? (192.168.1.77) at e0:05:c5:22:61:fc on em0 expires in 1199 seconds [ethernet]
? (192.168.1.100) at 00:07:e9:a8:1e:f4 on em0 expires in 1153 seconds [ethernet]
? (192.168.1.220) at 08:00:27:d7:1e:31 on em0 permanent [ethernet]


sudo arping -i wlan0 -b -S 192.168.77.100 -s 00:21:fe:3e:0a:6b -t 00:1d:0f:07:9b:28  192.168.77.1

* 00:1d:0f:07:9b:28 is rum0/wlan0's MAC

then the system panics and reboots



* Why do I do such an arping?

It seems that the bridged wlan0 can't send ARP reply packets.

tcpdump -i wlan0
18:02:08.877494 a4:ed:4e:74:e4:30 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.77.1 tell 192.168.77.100, length 28
18:02:15.260227 a4:ed:4e:74:e4:30 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.77.1 tell 192.168.77.100, length 28
18:02:15.260245 a4:ed:4e:74:e4:30 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.77.1 tell 192.168.77.100, length 28
18:02:16.261477 a4:ed:4e:74:e4:30 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.77.1 tell 192.168.77.100, length 28
18:02:16.261495 a4:ed:4e:74:e4:30 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.77.1 tell 192.168.77.100, length 28


and, 
tcpdump -i bridge0
18:02:15.260258 a4:ed:4e:74:e4:30 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.77.1 tell 192.168.77.100, length 28
18:02:15.260281 72:5f:7d:8a:55:34 > a4:ed:4e:74:e4:30, ethertype ARP (0x0806), length 42: Reply 192.168.77.1 is-at 72:5f:7d:8a:55:34, length 28
18:02:16.261508 a4:ed:4e:74:e4:30 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.77.1 tell 192.168.77.100, length 28
18:02:16.261521 72:5f:7d:8a:55:34 > a4:ed:4e:74:e4:30, ethertype ARP (0x0806), length 42: Reply 192.168.77.1 is-at 72:5f:7d:8a:55:34, length 28

You see, bridge0 sends the ARP reply, but wlan0 does not.

The ARP request packets are sent by my Android mobile phone; it can't access any web site, because it doesn't know who has 192.168.77.1.

So I use arping to test.


////////////////////////


Fatal trap 18: integer divide fault while in kernel mode
cpuid = 0; apic id = 00
instruction pointer     = 0x20:0xc07f0b2e
stack pointer           = 0x28:0xc2fd5940
frame pointer           = 0x28:0xc2fd5950
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 1360 (arping)
trap number             = 18
panic: integer divide fault
cpuid = 0
KDB: stack backtrace:
#0 0xc08e0d07 at kdb_backtrace+0x47
#1 0xc08b1dc7 at panic+0x117
#2 0xc0be4b43 at trap_fatal+0x323
#3 0xc0be54f2 at trap+0x652
#4 0xc0bcbebc at calltrap+0x6
#5 0xc07f21f9 at rum_start+0x519
#6 0xc09581c2 at if_start+0x12
#7 0xc095c1cb at if_transmit+0x15b
#8 0xc099af82 at ieee80211_start+0x742
#9 0xc09581c2 at if_start+0x12
#10 0xc095c1cb at if_transmit+0x15b
#11 0xc3c4438e at bridge_enqueue+0x2e
#12 0xc3c4468e at bridge_output+0x18e
#13 0xc0961911 at ether_output+0x581
#14 0xc099a5fd at ieee80211_output+0x4d
#15 0xc0953ceb at bpfwrite+0x5cb
#16 0xc083345f at devfs_write_f+0x7f
#17 0xc08f0197 at dofilewrite+0x97
Uptime: 4m23s
Physical memory: 499 MB
Dumping 48 MB: 33 17 1

Reading symbols from /boot/kernel/pf.ko...Reading symbols from /boot/kernel/pf.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/pf.ko
Reading symbols from /boot/kernel/wlan_xauth.ko...Reading symbols from /boot/kernel/wlan_xauth.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/wlan_xauth.ko
Reading symbols from /boot/kernel/if_bridge.ko...Reading symbols from /boot/kernel/if_bridge.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/if_bridge.ko
Reading symbols from /boot/kernel/bridgestp.ko...Reading symbols from /boot/kernel/bridgestp.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/bridgestp.ko
#0  doadump () at pcpu.h:231
231     pcpu.h: No such file or directory.
        in pcpu.h
(kgdb) #0  doadump () at pcpu.h:231
#1  0xc08b1b63 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:419
#2  0xc08b1e00 in panic (fmt=Variable "fmt" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:592
#3  0xc0be4b43 in trap_fatal (frame=0xc2fd5900, eva=0)
    at /usr/src/sys/i386/i386/trap.c:946
#4  0xc0be54f2 in trap (frame=0xc2fd5900) at /usr/src/sys/i386/i386/trap.c:731
#5  0xc0bcbebc in calltrap () at /usr/src/sys/i386/i386/exception.s:166
#6  0xc07f0b2e in rum_setup_tx_desc (sc=Variable "sc" is not available.
)
    at /usr/src/sys/dev/usb/wlan/if_rum.c:1018
#7  0xc07f21f9 in rum_start (ifp=0xc37f0c00)
    at /usr/src/sys/dev/usb/wlan/if_rum.c:1267
#8  0xc09581c2 in if_start (ifp=0xc37f0c00) at /usr/src/sys/net/if.c:3364
#9  0xc095c1cb in if_transmit (ifp=0xc37f0c00, m=0xc335d800)
    at /usr/src/sys/net/if.c:3376
#10 0xc099af82 in ieee80211_start (ifp=0xc3296000)
    at /usr/src/sys/net80211/ieee80211_output.c:362
#11 0xc09581c2 in if_start (ifp=0xc3296000) at /usr/src/sys/net/if.c:3364
#12 0xc095c1cb in if_transmit (ifp=0xc3296000, m=0xc335d300)
    at /usr/src/sys/net/if.c:3376
#13 0xc3c4438e in bridge_enqueue (sc=0xc3adfe00, dst_ifp=0xc3296000, m=Variable "m" is not available.
)
    at /usr/src/sys/modules/if_bridge/../../net/if_bridge.c:1787
#14 0xc3c4468e in bridge_output (ifp=0xc3296000, m=0xc335d300, sa=0x0, rt=0x0)
    at /usr/src/sys/modules/if_bridge/../../net/if_bridge.c:1928
#15 0xc0961911 in ether_output (ifp=0xc3296000, m=0xc335d300, dst=0xc2fd5b64,
    ro=0x0) at /usr/src/sys/net/if_ethersubr.c:394
#16 0xc099a5fd in ieee80211_output (ifp=0xc3296000, m=0xc335d300,
    dst=0xc2fd5b64, ro=0x0) at /usr/src/sys/net80211/ieee80211_output.c:406
#17 0xc0953ceb in bpfwrite (dev=0xc31b8400, uio=0xc2fd5c28, ioflag=0)
    at /usr/src/sys/net/bpf.c:939
#18 0xc083345f in devfs_write_f (fp=0xc380d380, uio=0xc2fd5c28,
    cred=0xc317e700, flags=0, td=0xc3c252d0)
    at /usr/src/sys/fs/devfs/devfs_vnops.c:1528
#19 0xc08f0197 in dofilewrite (td=0xc3c252d0, fd=3, fp=0xc380d380,
    auio=0xc2fd5c28, offset=-1, flags=0) at file.h:239
#20 0xc08f0488 in kern_writev (td=0xc3c252d0, fd=3, auio=0xc2fd5c28)
    at /usr/src/sys/kern/sys_generic.c:447
#21 0xc08f050f in write (td=0xc3c252d0, uap=0xc2fd5cec)
    at /usr/src/sys/kern/sys_generic.c:363
#22 0xc08eca39 in syscallenter (td=0xc3c252d0, sa=0xc2fd5ce4)
    at /usr/src/sys/kern/subr_trap.c:315
#23 0xc0be4e14 in syscall (frame=0xc2fd5d28)
    at /usr/src/sys/i386/i386/trap.c:1061
#24 0xc0bcbf21 in Xint0x80_syscall ()
    at /usr/src/sys/i386/i386/exception.s:264
#25 0x00000033 in ?? ()
Previous frame inner to this frame (corrupt stack?)
(kgdb)
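The kgdb frame #6 above places the fault in rum_setup_tx_desc. What follows is an added illustration written for this page, not the driver's source: a model of the 802.11b PLCP LENGTH computation that a Tx-descriptor setup performs, which divides the frame's bit length by the transmit rate (in 500 kbit/s units, so 2 is 1 Mbit/s and 22 is 11 Mbit/s). A rate of 0 reaching that division raises exactly an integer divide fault, so the model rejects it before dividing. The frame-length helper assumes an 802.11 data frame with an LLC/SNAP header and FCS, optionally CCMP-encapsulated, carrying the 28-byte ARP payload of the 42-byte Ethernet frames in the tcpdump above; that mapping, the OFDM rate test and the function names are this example's assumptions.

```c
#include <stdio.h>

/* Rates are in 500 kbit/s units.  In this model, everything at or above
 * 6 Mbit/s (12) except 11 Mbit/s (22) is treated as an OFDM rate. */
#define RATE_IS_OFDM(r) ((r) >= 12 && (r) != 22)

/* Length on the air of an 802.11 data frame built from an Ethernet frame:
 * 24-byte 802.11 header + 8-byte LLC/SNAP + payload (Ethernet frame minus
 * its 14-byte header) + 4-byte FCS, plus 8-byte CCMP header and 8-byte MIC
 * when the link is CCMP-protected.  (Assumed framing for this example.) */
unsigned arp_80211_len(unsigned eth_len, int ccmp)
{
    unsigned payload = eth_len > 14 ? eth_len - 14 : 0;
    return 24 + 8 + payload + (ccmp ? 16 : 0) + 4;
}

/* PLCP LENGTH field for a frame of `len` bytes at `rate`.
 * Returns -1 for an invalid (zero) rate instead of dividing by it. */
int plcp_length(unsigned len, unsigned rate)
{
    if (rate == 0) {
        /* A zero transmit rate is the operand that would produce an
         * "integer divide fault while in kernel mode" in the division
         * below; refuse the frame instead. */
        return -1;
    }
    if (RATE_IS_OFDM(rate)) {
        /* OFDM PLCP carries the byte count in a 12-bit field. */
        return (int)(len & 0xfff);
    }
    /* CCK/DSSS PLCP carries the airtime in microseconds, rounded up:
     * (len * 8 bits) / (rate * 0.5 Mbit/s) == 16 * len / rate. */
    return (int)((16 * len + rate - 1) / rate);
}

/* 802.11b length-extension bit, only meaningful at 11 Mbit/s: set when the
 * rounded-up airtime would otherwise imply one byte too many.
 * Returns 1/0, or -1 for an invalid rate. */
int plcp_length_ext(unsigned len, unsigned rate)
{
    if (rate == 0)
        return -1;
    if (rate != 22)
        return 0;
    unsigned remainder = (16 * len) % 22;
    return (remainder != 0 && remainder < 7) ? 1 : 0;
}

int main(void)
{
    /* The arping-generated ARP frame: 42 bytes on Ethernet (constructed). */
    unsigned frame = arp_80211_len(42, 1);
    unsigned rates[] = { 0, 2, 4, 22, 108 };
    for (unsigned i = 0; i < sizeof rates / sizeof rates[0]; i++) {
        int l = plcp_length(frame, rates[i]);
        if (l < 0)
            printf("rate %u: rejected (would divide by zero)\n", rates[i]);
        else
            printf("rate %u: %u-byte frame -> PLCP LENGTH %d, ext %d\n",
                   rates[i], frame, l, plcp_length_ext(frame, rates[i]));
    }
    return 0;
}
```

The guard is the check a practitioner would want at the driver boundary: the rate is a per-node value that may legitimately be unset for a destination the 802.11 layer has never negotiated with, so the descriptor setup, not its callers, is the last place to reject it.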

>How-To-Repeat:
ifconfig wlan0 create wlandev rum0 wlanmode hostap
ifconfig wlan0 ssid mptest mode 11g channel 6 country CN
ifconfig bridge0 create addm wlan0
ifconfig bridge0 inet 192.168.77.1 netmask 255.255.255.0 up

# cat /etc/hostapd.conf
interface=wlan0
debug=1
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel
ssid=mptest
country_code=CN
#### WPA2-PSK/AES
wpa=2
wpa_passphrase=mypass
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP

/etc/rc.d/hostapd forcestart

# cat /usr/local/etc/dhcpd.conf
option domain-name "home.com";
option domain-name-servers 1.2.3.4, 1.2.3.5;
default-lease-time 172800;
max-lease-time 172800;
ddns-update-style none;
authoritative;
log-facility local7;
subnet 192.168.77.0 netmask 255.255.255.0 {
  range 192.168.77.100 192.168.77.200;
  option domain-name-servers 1.2.3.4, 1.2.3.5;
  option domain-name "";
  option routers 192.168.77.1;
  option broadcast-address 192.168.77.255;
  default-lease-time 172800;
  max-lease-time 172800;
}

# /usr/local/etc/rc.d/isc-dhcpd forcerestart

ifconfig bridge0 up


Use my Nokia E71 to access the AP. Everything OK!

arp -an
? (192.168.77.100) at 00:21:fe:3e:0a:6b on bridge0 expires in 271 seconds [bridge]
? (192.168.77.1) at 3e:cc:4a:2e:67:65 on bridge0 permanent [bridge]
? (192.168.1.77) at e0:05:c5:22:61:fc on em0 expires in 271 seconds [ethernet]
? (192.168.1.100) at 00:07:e9:a8:1e:f4 on em0 expires in 1199 seconds [ethernet]
? (192.168.1.220) at 08:00:27:d7:1e:31 on em0 permanent [ethernet]


then

# arping -i wlan0 -b -S 192.168.77.100 -s 00:21:fe:3e:0a:6b -t 00:1d:0f:07:9b:28  192.168.77.1

-_- system panics and auto-reboots


>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:

