From: Anders Nordby
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: sam@FreeBSD.org, damien@FreeBSD.org
Date: Sat, 21 Jan 2006 01:00:54 +0100 (CET)
Message-Id: <20060121000054.1BA9A8DB147@totem.fix.no>
Subject: kern/92083: panic using WPA on ural NIC in 6.0-RELEASE

>Number:         92083
>Category:       kern
>Synopsis:       panic using WPA on ural NIC in 6.0-RELEASE
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jan 21 00:10:03 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Anders Nordby
>Release:        FreeBSD 6.0-RELEASE i386
>Organization:
-
>Environment:
System: FreeBSD stream.localnet 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Fri Jan 20 20:48:44 CET 2006 root@stream.localnet:/usr/obj/usr/src/sys/STREAM i386

Using D-Link DWL-G122 USB Wireless NIC. Running GENERIC kernel with IPv6
stripped and the following added to kernel config:

device sound
device "snd_via8233"
device wlan #802.11 support
device wlan_wep #802.11 WEP support
device wlan_ccmp #802.11 CCMP support
device wlan_tkip #802.11 TKIP support
device wlan_xauth #802.11 external authenticator support
device wlan_acl #802.11 MAC ACL support
device acpi
options KDB
options DDB

Using /etc/wpa_supplicant.conf like this:

ctrl_interface_group=0
eapol_version=1
ap_scan=1
fast_reauth=1
network={
        ssid="SOMENETWORK"
        scan_ssid=1
        key_mgmt=WPA-PSK
        psk="SOMEPASSWORD"
}

NIC is configured through rc.conf:

ifconfig_ural0="inet X.X.X.X netmask 0xYYYYYYYY WPA mode 11g"
>Description:
System panics:

fault virtual address   = 0x4
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc0705b21
stack pointer           = 0x28:0xcab36c00
frame pointer           = 0x28:0xcab36c0c
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 23 (irq12: vr0 ehci0)
[thread pid 23 tid 100010 ]
Stopped at      ieee80211_free_node+0x9:        movl    0x4(%esi),%ebx
db> 1^H ^Hpanic
panic: from debugger
Uptime: 14m56s
Dumping 223 MB (2 chunks)
  chunk 0: 1MB (160 pages) ... ok
  chunk 1: 223MB (57072 pages) 207 191 175 159 143 127 111 95 79 63 47 31 15 ... ok

Dump complete
Automatic reboot in 15 seconds - press a key on the console to abort
Rebooting...

Checking where this is with gdb, I get:

stream# gdb /usr/obj/usr/src/sys/STREAM/kernel.debug
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...
(gdb) l *0xc0705b21
0xc0705b21 is in ieee80211_free_node (/usr/src/sys/net80211/ieee80211_node.c:1542).
1537    ieee80211_free_node_debug(struct ieee80211_node *ni, const char *func, int line)
1538    #else
1539    ieee80211_free_node(struct ieee80211_node *ni)
1540    #endif
1541    {
1542            struct ieee80211_node_table *nt = ni->ni_table;
1543
1544    #ifdef IEEE80211_DEBUG_REFCNT
1545            IEEE80211_DPRINTF(ni->ni_ic, IEEE80211_MSG_NODE,
1546                    "%s (%s:%u) %p<%s> refcnt %d\n", __func__, func, line, ni,
(gdb)

Analyzing the crashdump I get:

stream# kgdb /usr/obj/usr/src/sys/STREAM/kernel.debug /var/crash/vmcore.0
[GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd".

Unread portion of the kernel message buffer:

Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x4
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc0705b21
stack pointer           = 0x28:0xcab36c00
frame pointer           = 0x28:0xcab36c0c
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 23 (irq12: vr0 ehci0)
panic: from debugger
Uptime: 14m56s
Dumping 223 MB (2 chunks)
  chunk 0: 1MB (160 pages) ... ok
  chunk 1: 223MB (57072 pages) 207 191 175 159 143 127 111 95 79 63 47 31 15

#0  doadump () at pcpu.h:165
165     pcpu.h: No such file or directory.
        in pcpu.h
(kgdb) where
#0  doadump () at pcpu.h:165
#1  0xc067a7aa in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:399
#2  0xc067aa70 in panic (fmt=0xc08648d1 "from debugger")
    at /usr/src/sys/kern/kern_shutdown.c:555
#3  0xc0487d71 in db_panic (addr=-1066378463, have_addr=0, count=-1,
    modif=0xcab36a2c "") at /usr/src/sys/ddb/db_command.c:438
#4  0xc0487d08 in db_command (last_cmdp=0xc0940684, cmd_table=0x0,
    aux_cmd_tablep=0xc08ba69c, aux_cmd_tablep_end=0xc08ba6b8)
    at /usr/src/sys/ddb/db_command.c:350
#5  0xc0487dd0 in db_command_loop () at /usr/src/sys/ddb/db_command.c:458
#6  0xc04899dd in db_trap (type=12, code=0) at /usr/src/sys/ddb/db_main.c:221
#7  0xc0692fa3 in kdb_trap (type=12, code=0, tf=0xcab36bc0)
    at /usr/src/sys/kern/subr_kdb.c:473
#8  0xc082d600 in trap_fatal (frame=0xcab36bc0, eva=4)
    at /usr/src/sys/i386/i386/trap.c:822
#9  0xc082d36f in trap_pfault (frame=0xcab36bc0, usermode=0, eva=4)
    at /usr/src/sys/i386/i386/trap.c:742
#10 0xc082cf69 in trap (frame=
      {tf_fs = 8, tf_es = 40, tf_ds = 40, tf_edi = -1055113216, tf_esi = 0,
       tf_ebp = -894211060, tf_isp = -894211092, tf_ebx = -1055110224,
       tf_edx = -1055541248, tf_ecx = 0, tf_eax = 0, tf_trapno = 12,
       tf_err = 0, tf_eip = -1066378463, tf_cs = 32, tf_eflags = 66118,
       tf_esp = -1055110224, tf_ss = -1055079424})
    at /usr/src/sys/i386/i386/trap.c:432
#11 0xc081c46a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
#12 0xc0705b21 in ieee80211_free_node (ni=0x0)
    at /usr/src/sys/net80211/ieee80211_node.c:1541
#13 0xc060453f in ural_txeof (xfer=0xc11afa00, priv=0xc11c4bb0,
    status=USBD_NORMAL_COMPLETION) at /usr/src/sys/dev/usb/if_ural.c:826
#14 0xc061bd80 in usb_transfer_complete (xfer=0xc11afa00)
    at /usr/src/sys/dev/usb/usbdi.c:851
#15 0xc05fa5c4 in ehci_idone (ex=0xc11afa00) at /usr/src/sys/dev/usb/ehci.c:867
#16 0xc05fa49f in ehci_check_intr (sc=0xc115b800, ex=0xc11afa00)
    at /usr/src/sys/dev/usb/ehci.c:752
#17 0xc05fa419 in ehci_softintr (v=0xc115b800)
    at /usr/src/sys/dev/usb/ehci.c:692
#18 0xc06190d1 in usb_schedsoftintr (bus=0x0) at /usr/src/sys/dev/usb/usb.c:871
#19 0xc05fa1fa in ehci_intr1 (sc=0xc115b800) at /usr/src/sys/dev/usb/ehci.c:592
#20 0xc05fa13a in ehci_intr (v=0xc115b800) at /usr/src/sys/dev/usb/ehci.c:551
#21 0xc0665da9 in ithread_loop (arg=0xc1082700)
    at /usr/src/sys/kern/kern_intr.c:547
#22 0xc0665030 in fork_exit (callout=0xc0665c50 , arg=0xc1082700,
    frame=0xcab36d38) at /usr/src/sys/kern/kern_fork.c:789
#23 0xc081c4cc in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:208
(kgdb) quit
>How-To-Repeat:
Run any kind of real network load (like trying to cvsup ports), and the system
will panic.
>Fix:
N/A
>Release-Note:
>Audit-Trail:
>Unformatted:
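
Added triage example, not part of the original report and not FreeBSD code: it cross-checks the panic text against the kgdb trap frame to show that the fault address 0x4 is the faulting instruction's displacement applied to a zero base register, i.e. a member read through a NULL `ni`. The input strings are excerpts of the output above; the function names (`u32`, `parse_frame`, `triage`) are made up for this sketch, and only `disp(%base)` source operands are handled.

```python
import re

# Excerpts copied from the report above (ddb panic text and kgdb frame #10).
PANIC = """fault virtual address = 0x4
fault code = supervisor read, page not present
instruction pointer = 0x20:0xc0705b21
frame pointer = 0x28:0xcab36c0c
Stopped at ieee80211_free_node+0x9: movl 0x4(%esi),%ebx"""
FRAME = ("tf_edi = -1055113216, tf_esi = 0, tf_ebp = -894211060, "
         "tf_ebx = -1055110224, tf_edx = -1055541248, tf_ecx = 0, "
         "tf_eax = 0, tf_trapno = 12, tf_eip = -1066378463")


def u32(n):
    """kgdb prints i386 trap-frame registers as signed ints; fold to unsigned."""
    return n & 0xFFFFFFFF


def parse_frame(text):
    """Turn a 'tf_reg = value' list into {'esi': 0, 'eip': 0xc0705b21, ...}."""
    return {r: u32(int(v)) for r, v in re.findall(r"tf_(\w+) = (-?\d+)", text)}


def triage(panic, frame):
    regs = parse_frame(frame)
    fault = int(re.search(r"fault virtual address\s*=\s*(0x[0-9a-f]+)",
                          panic).group(1), 16)
    eip = int(re.search(r"instruction pointer\s*=\s*0x[0-9a-f]+:(0x[0-9a-f]+)",
                        panic).group(1), 16)
    # AT&T syntax memory source operand: optional displacement, then (%base).
    m = re.search(r"Stopped at\s+(\S+):\s+\w+\s+(0x[0-9a-f]+)?\(%(\w+)\)", panic)
    symbol, disp, base = m.group(1), int(m.group(2) or "0", 16), m.group(3)
    effective = u32(regs[base] + disp)
    return {
        "symbol": symbol,
        "eip_matches_frame": regs["eip"] == eip,   # same trap in both outputs
        "base_reg": base,
        "member_offset": disp,                     # offset of the field read
        "operand_explains_fault": effective == fault,
        "null_deref": regs[base] == 0 and effective == fault,
    }


if __name__ == "__main__":
    for key, value in triage(PANIC, FRAME).items():
        print(f"{key}: {value}")
```
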