Date:      Wed, 29 Jan 2014 19:29:41 -0200
From:      Pedro Flynn <pedro.flynn@gmail.com>
To:        Adrian Chadd <adrian@freebsd.org>
Cc:        "freebsd-wireless@freebsd.org" <freebsd-wireless@freebsd.org>
Subject:   Re: FreeBSD 10.0: hostapd crash with Ralink 3070
Message-ID:  <CAN48zx=_keGrTbrwO59CDXFtmBqwnwDm2yDSyjoaQvksjkPZFg@mail.gmail.com>
In-Reply-To: <CAN48zx=FG1D=JuNcu1nR_k1QPfBcejvd-ER%2BJRLHRRNn6DpBzA@mail.gmail.com>
References:  <CAN48zxmMZHsjr55AAbFaeB591Ahd9S1-AkGksRiRtgNOJv6DYQ@mail.gmail.com> <CALCpEUHRsquBrE4o6WxfcLgi-O2BN1FtPa%2BrS2Cdk==0dUdPaA@mail.gmail.com> <CAN48zxkXiUFyGuysTSkEPiwdS9VvEZgeyvo1eTr_seFQ2yM-6A@mail.gmail.com> <CAN48zxn%2BeKDFCbFDHwBJOUfyqvjH3whttTH0whtTfgBQxFRrGA@mail.gmail.com> <CAJ-VmonPDSHOzuD8bqpjLC1FjYQqHrwz2-w8u5wCqUw-hspVfQ@mail.gmail.com> <CAN48zx=zhBYSnkm4Kszs4oe1MdGPrP01B_0eysyso7T5a_WWMA@mail.gmail.com> <CAN48zxmxL_h=9B32C1dC5uGAbV_ExEXQoumPS1Zwvwt2RAbPUQ@mail.gmail.com> <CAN48zx=QgdLpTUm3OK2V-TVUxxBpiGF4A1WzZbSL6thqB_C%2B%2Bg@mail.gmail.com> <CAJ-VmokDb3mUj7Xw6hQKvX5beCv_hXLmMm-nAfz_ZZ-EYq1gyQ@mail.gmail.com> <CAN48zxkcJu-nYWrqJmrpC2VQ_LO2RwV6c9r3sUdKA6uXpfjcVQ@mail.gmail.com> <CAJ-VmokH0O6RMRYyvSDcz%2BCNRha9auujxAnKWRxorG=UrG8J8w@mail.gmail.com> <CAN48zx=RwTJL=M=xLi30CDxVVFUAmOgo%2Bd9ONNxyeRwP=i2=aw@mail.gmail.com> <CAJ-Vmo=kFcEjvmUQX87Q_RX4=aVKNyYDHqf-kZ%2Bp0OcgKdZQGA@mail.gmail.com> <CAN48zx=oG0=eTZLqA4QzhEEcriY8Z3BF7PLDX4Qy=GEX%2B3sDmA@mail.gmail.com> <CAJ-VmokZ5sfiLZc9fSgOwgoSa-5VCvwy1rGAjXQ16GHC3keyhQ@mail.gmail.com> <CAN48zxn8oU8Dzz4oecJaXTNvP6OpTahm50-zCUs-L_m=WK3WYQ@mail.gmail.com> <CAN48zxmDEgBUKAN70-mbB6YAub-M6e2wyvDF0Aun3FdBJJF%2B_A@mail.gmail.com> <CAJ-VmomvFetR8R5W4pRJ2V7Wj_eEk8O3eYPFdg2_VbZfeyqzhg@mail.gmail.com> <CAN48zx=FG1D=JuNcu1nR_k1QPfBcejvd-ER%2BJRLHRRNn6DpBzA@mail.gmail.com>

Hi!

As stated yesterday, I built a kernel with debug symbols and generated a
second crash dump based on this kernel. Files are vmcore.1.xz and
core.txt.1:

https://drive.google.com/folderview?id=0B0sVwxI7RI7oc3R2bjVQR0pXWG8&usp=sharing

Thanks for any suggestion,

pflynn


On Wed, Jan 29, 2014 at 8:35 AM, Pedro Flynn <pedro.flynn@gmail.com> wrote:

> Hmmm...
> Where did you see the NULL value? I could not figure it out.
>
> (Yesterday I built a kernel with debugging symbols enabled and I will
> generate a new crash dump tonight. I hope this one will have much more
> information).
>
> Thanks,
>
> pflynn
>
>
> On Tue, Jan 28, 2014 at 9:54 PM, Adrian Chadd <adrian@freebsd.org> wrote:
>
>> Yup. Is it?
>>
>> Adrian
>> On Jan 28, 2014 6:10 PM, "Pedro Flynn" <pedro.flynn@gmail.com> wrote:
>>
>>> You mean rvp->beacon_mbuf is null?
>>>
>>> Thanks,
>>>
>>> pflynn
>>>
>>>
>>> On Tue, Jan 28, 2014 at 9:06 PM, Pedro Flynn <pedro.flynn@gmail.com> wrote:
>>>
>>>> Just to bring to our attention frame 8:
>>>>
>>>> (kgdb) frame 8
>>>> #8  0xffffffff81a198bc in run_update_beacon (vap=0xfffff8000e8dd000, item=2)
>>>>     at /usr/src/sys/modules/usb/run/../../../dev/usb/wlan/if_run.c:3974
>>>> 3974 ieee80211_beacon_update(vap->iv_bss, &rvp->bo, rvp->beacon_mbuf, mcast);
>>>> Current language:  auto; currently minimal
>>>> (kgdb) print run_update_beacon
>>>> $23 = {void (struct ieee80211vap *, int)} 0xffffffff81a19750 <run_update_beacon>
>>>> (kgdb)
>>>>
>>>> thanks,
>>>>
>>>> pflynn
>>>>
>>>>
>>>> On Tue, Jan 28, 2014 at 9:04 PM, Adrian Chadd <adrian@freebsd.org> wrote:
>>>>
>>>>> Right, frame 8 (the run beacon update) is passing a NULL mbuf into
>>>>> net80211. Why's it doing that.
>>>>>
>>>>>
>>>>>
>>>>> -a
>>>>>
>>>>>
>>>>> On 28 January 2014 15:02, Pedro Flynn <pedro.flynn@gmail.com> wrote:
>>>>> > Here we go (this output is not beautiful...). Please, let me know if I
>>>>> > missed something or if I did something wrong:
>>>>> >
>>>>> > bt output:
>>>>> >
>>>>> > #0  doadump (textdump=<value optimized out>) at pcpu.h:219
>>>>> > #1  0xffffffff808af530 in kern_reboot (howto=260)
>>>>> >     at /usr/src/sys/kern/kern_shutdown.c:447
>>>>> > #2  0xffffffff808af8f4 in panic (fmt=<value optimized out>)
>>>>> >     at /usr/src/sys/kern/kern_shutdown.c:754
>>>>> > #3  0xffffffff80c8e692 in trap_fatal (frame=<value optimized out>,
>>>>> >     eva=<value optimized out>) at /usr/src/sys/amd64/amd64/trap.c:882
>>>>> > #4  0xffffffff80c8e969 in trap_pfault (frame=0xfffffe009695f720, usermode=0)
>>>>> >     at /usr/src/sys/amd64/amd64/trap.c:699
>>>>> > #5  0xffffffff80c8e0f6 in trap (frame=0xfffffe009695f720)
>>>>> >     at /usr/src/sys/amd64/amd64/trap.c:463
>>>>> > #6  0xffffffff80c75392 in calltrap ()
>>>>> >     at /usr/src/sys/amd64/amd64/exception.S:232
>>>>> > #7  0xffffffff809b1163 in ieee80211_beacon_update (ni=0xfffffe0000ffc000,
>>>>> >     bo=0xfffff8000e8dd9e8, m=0x0, mcast=0) at atomic.h:161
>>>>> > #8  0xffffffff81a198bc in run_update_beacon (vap=0xfffff8000e8dd000, item=2)
>>>>> >     at /usr/src/sys/modules/usb/run/../../../dev/usb/wlan/if_run.c:3974
>>>>> > #9  0xffffffff809b42bd in ieee80211_wme_updateparams_locked (
>>>>> >     vap=0xfffff8000e8dd000) at ieee80211_var.h:814
>>>>> > #10 0xffffffff809b437a in ieee80211_wme_updateparams (vap=0xfffff8000e8dd000)
>>>>> >     at /usr/src/sys/net80211/ieee80211_proto.c:1150
>>>>> > #11 0xffffffff809b3f43 in ieee80211_wme_initparams (vap=<value optimized out>)
>>>>> >     at /usr/src/sys/net80211/ieee80211_proto.c:955
>>>>> > #12 0xffffffff809a9aec in ieee80211_sta_join1 ()
>>>>> >     at /usr/src/sys/net80211/ieee80211_node.c:741
>>>>> > #13 0xffffffff8099047b in hostap_newstate (vap=0xfffff8000e8dd000,
>>>>> >     nstate=<value optimized out>, arg=<value optimized out>)
>>>>> >     at /usr/src/sys/net80211/ieee80211_hostap.c:274
>>>>> > #14 0xffffffff81a1a36a in run_newstate (vap=<value optimized out>,
>>>>> >     nstate=IEEE80211_S_RUN, arg=-1)
>>>>> >     at /usr/src/sys/modules/usb/run/../../../dev/usb/wlan/if_run.c:1881
>>>>> > #15 0xffffffff809b2edf in ieee80211_newstate_cb (xvap=0xfffff8000e8dd000,
>>>>> >     npending=<value optimized out>)
>>>>> >     at /usr/src/sys/net80211/ieee80211_proto.c:1756
>>>>> > #16 0xffffffff808f5b66 in taskqueue_run_locked (queue=0xfffff8000e8e4600)
>>>>> >     at /usr/src/sys/kern/subr_taskqueue.c:333
>>>>> > #17 0xffffffff808f63e8 in taskqueue_thread_loop (arg=<value optimized out>)
>>>>> >     at /usr/src/sys/kern/subr_taskqueue.c:535
>>>>> > #18 0xffffffff8088198a in fork_exit (
>>>>> >     callout=0xffffffff808f6340 <taskqueue_thread_loop>,
>>>>> >     arg=0xfffffe0000ff60f0, frame=0xfffffe009695fc00)
>>>>> >     at /usr/src/sys/kern/kern_fork.c:995
>>>>> > #19 0xffffffff80c758ce in fork_trampoline ()
>>>>> >     at /usr/src/sys/amd64/amd64/exception.S:606
>>>>> > #20 0x0000000000000000 in ?? ()
>>>>> >
>>>>> > frame 0
>>>>> > #0  doadump (textdump=<value optimized out>) at pcpu.h:219
>>>>> > 219 pcpu.h: No such file or directory.
>>>>> > in pcpu.h
>>>>> > print doadump
>>>>> > $1 = {int (boolean_t)} 0xffffffff808af6f0 <doadump>
>>>>> >
>>>>> > frame 1:
>>>>> > #1  0xffffffff808af530 in kern_reboot (howto=260)
>>>>> >     at /usr/src/sys/kern/kern_shutdown.c:447
>>>>> > 447 doadump(TRUE);
>>>>> > print kern_reboot
>>>>> > $3 = {void (int)} 0xffffffff808aedf0 <kern_reboot>
>>>>> >
>>>>> > frame 2
>>>>> > #2  0xffffffff808af8f4 in panic (fmt=<value optimized out>)
>>>>> >     at /usr/src/sys/kern/kern_shutdown.c:754
>>>>> > 754 kern_reboot(bootopt);
>>>>> > (kgdb) print panic
>>>>> > $4 = {void (const char *)} 0xffffffff808af760 <panic>
>>>>> >
>>>>> > frame 3
>>>>> > #3  0xffffffff80c8e692 in trap_fatal (frame=<value optimized out>,
>>>>> >     eva=<value optimized out>) at /usr/src/sys/amd64/amd64/trap.c:882
>>>>> > 882 panic("%s", trap_msg[type]);
>>>>> > (kgdb) print trap_fatal
>>>>> > $5 = {void (struct trapframe *, vm_offset_t)} 0xffffffff80c8e2f0 <trap_fatal>
>>>>> > (kgdb) frame 4
>>>>> > #4  0xffffffff80c8e969 in trap_pfault (frame=0xfffffe009695f720, usermode=0)
>>>>> >     at /usr/src/sys/amd64/amd64/trap.c:699
>>>>> > 699 trap_fatal(frame, eva);
>>>>> > (kgdb) print trap_pfault
>>>>> > $6 = {int (struct trapframe *, int)} 0xffffffff80c8e6a0 <trap_pfault>
>>>>> > (kgdb) frame 5
>>>>> > #5  0xffffffff80c8e0f6 in trap (frame=0xfffffe009695f720)
>>>>> >     at /usr/src/sys/amd64/amd64/trap.c:463
>>>>> > 463 (void) trap_pfault(frame, FALSE);
>>>>> > (kgdb) print trap
>>>>> > $7 = {void (struct trapframe *)} 0xffffffff80c8db10 <trap>
>>>>> >
>>>>> > frame 6
>>>>> > #6  0xffffffff80c75392 in calltrap ()
>>>>> >     at /usr/src/sys/amd64/amd64/exception.S:232
>>>>> > 232 call trap
>>>>> > Current language:  auto; currently asm
>>>>> > (kgdb) print calltrap
>>>>> > $8 = {<text variable, no debug info>} 0xffffffff80c7538a <calltrap>
>>>>> > (kgdb) frame 7
>>>>> > #7  0xffffffff809b1163 in ieee80211_beacon_update (ni=0xfffffe0000ffc000,
>>>>> >     bo=0xfffff8000e8dd9e8, m=0x0, mcast=0) at atomic.h:161
>>>>> > 161 atomic.h: No such file or directory.
>>>>> > in atomic.h
>>>>> > Current language:  auto; currently minimal
>>>>> > (kgdb) print ieee80211_beacon_update
>>>>> > $9 = {int (struct ieee80211_node *, struct ieee80211_beacon_offsets *,
>>>>> >     struct mbuf *, int)} 0xffffffff809b1090 <ieee80211_beacon_update>
>>>>> >
>>>>> > frame 8
>>>>> > #8  0xffffffff81a198bc in run_update_beacon (vap=0xfffff8000e8dd000, item=2)
>>>>> >     at /usr/src/sys/modules/usb/run/../../../dev/usb/wlan/if_run.c:3974
>>>>> > 3974 ieee80211_beacon_update(vap->iv_bss, &rvp->bo, rvp->beacon_mbuf, mcast);
>>>>> > (kgdb) print run_update_beacon
>>>>> > $10 = {void (struct ieee80211vap *, int)} 0xffffffff81a19750 <run_update_beacon>
>>>>> > (kgdb) frame 9
>>>>> > #9  0xffffffff809b42bd in ieee80211_wme_updateparams_locked (
>>>>> >     vap=0xfffff8000e8dd000) at ieee80211_var.h:814
>>>>> > 814 vap->iv_update_beacon(vap, what);
>>>>> > (kgdb) print ieee80211_wme_updateparams_locked
>>>>> > $11 = {void (struct ieee80211vap *)} 0xffffffff809b3f90 <ieee80211_wme_updateparams_locked>
>>>>> > (kgdb) frame 10
>>>>> > #10 0xffffffff809b437a in ieee80211_wme_updateparams (vap=0xfffff8000e8dd000)
>>>>> >     at /usr/src/sys/net80211/ieee80211_proto.c:1150
>>>>> > 1150 ieee80211_wme_updateparams_locked(vap);
>>>>> > (kgdb) print ieee80211_wme_updateparams
>>>>> > $12 = {void (struct ieee80211vap *)} 0xffffffff809b4320 <ieee80211_wme_updateparams>
>>>>> >
>>>>> > frame 11
>>>>> > #11 0xffffffff809b3f43 in ieee80211_wme_initparams (vap=<value optimized out>)
>>>>> >     at /usr/src/sys/net80211/ieee80211_proto.c:955
>>>>> > 955 ieee80211_wme_updateparams(vap);
>>>>> > (kgdb) print ieee80211_wme_initparams
>>>>> > $13 = {void (struct ieee80211vap *)} 0xffffffff809b3ca0 <ieee80211_wme_initparams>
>>>>> > (kgdb) frame 12
>>>>> > #12 0xffffffff809a9aec in ieee80211_sta_join1 ()
>>>>> >     at /usr/src/sys/net80211/ieee80211_node.c:741
>>>>> > 741 ieee80211_wme_initparams(vap);
>>>>> > (kgdb) print ieee80211_sta_join1
>>>>> > $14 = {int (struct ieee80211_node *)} 0xffffffff809a9a10 <ieee80211_sta_join1>
>>>>> > (kgdb) frame 13
>>>>> > #13 0xffffffff8099047b in hostap_newstate (vap=0xfffff8000e8dd000,
>>>>> >     nstate=<value optimized out>, arg=<value optimized out>)
>>>>> >     at /usr/src/sys/net80211/ieee80211_hostap.c:274
>>>>> > 274    ieee80211_ht_adjust_channel(ic,
>>>>> > (kgdb) print hostap_newstate
>>>>> > $15 = {int (struct ieee80211vap *, enum ieee80211_state, int)} 0xffffffff80990190 <hostap_newstate>
>>>>> > frame 14
>>>>> > #14 0xffffffff81a1a36a in run_newstate (vap=<value optimized out>,
>>>>> >     nstate=IEEE80211_S_RUN, arg=-1)
>>>>> >     at /usr/src/sys/modules/usb/run/../../../dev/usb/wlan/if_run.c:1881
>>>>> > 1881 return(rvp->newstate(vap, nstate, arg));
>>>>> > (kgdb) print run_newstate
>>>>> > $16 = {int (struct ieee80211vap *, enum ieee80211_state, int)} 0xffffffff81a19b30 <run_newstate>
>>>>> > (kgdb) frame 15
>>>>> > #15 0xffffffff809b2edf in ieee80211_newstate_cb (xvap=0xfffff8000e8dd000,
>>>>> >     npending=<value optimized out>)
>>>>> >     at /usr/src/sys/net80211/ieee80211_proto.c:1756
>>>>> > 1756 rc = vap->iv_newstate(vap, nstate, arg);
>>>>> > (kgdb) print ieee80211_newstate_cb
>>>>> > $17 = {void (void *, int)} 0xffffffff809b2d90 <ieee80211_newstate_cb>
>>>>> > (kgdb) frame 16
>>>>> > #16 0xffffffff808f5b66 in taskqueue_run_locked (queue=0xfffff8000e8e4600)
>>>>> >     at /usr/src/sys/kern/subr_taskqueue.c:333
>>>>> > 333 task->ta_func(task->ta_context, pending);
>>>>> > (kgdb) print taskqueue_run_locked
>>>>> > $18 = {void (struct taskqueue *)} 0xffffffff808f5a80 <taskqueue_run_locked>
>>>>> > frame 17
>>>>> > #17 0xffffffff808f63e8 in taskqueue_thread_loop (arg=<value optimized out>)
>>>>> >     at /usr/src/sys/kern/subr_taskqueue.c:535
>>>>> > 535 taskqueue_run_locked(tq);
>>>>> > (kgdb) print taskqueue_thread_loop
>>>>> > $19 = {void (void *)} 0xffffffff808f6340 <taskqueue_thread_loop>
>>>>> > (kgdb) frame 18
>>>>> > #18 0xffffffff8088198a in fork_exit (
>>>>> >     callout=0xffffffff808f6340 <taskqueue_thread_loop>,
>>>>> >     arg=0xfffffe0000ff60f0, frame=0xfffffe009695fc00)
>>>>> >     at /usr/src/sys/kern/kern_fork.c:995
>>>>> > 995 callout(arg, frame);
>>>>> > (kgdb) print fork_exit
>>>>> > $20 = {void (void (*)(void *, struct trapframe *), void *, struct trapframe *)} 0xffffffff808818f0 <fork_exit>
>>>>> > (kgdb) frame 19
>>>>> > #19 0xffffffff80c758ce in fork_trampoline ()
>>>>> >     at /usr/src/sys/amd64/amd64/exception.S:606
>>>>> > 606 call fork_exit
>>>>> > Current language:  auto; currently asm
>>>>> > (kgdb) print fork_trampoline
>>>>> > $21 = {<text variable, no debug info>} 0xffffffff80c758c0 <fork_trampoline>
>>>>> > frame 20
>>>>> > #20 0x0000000000000000 in ?? ()
>>>>> >
>>>>> > Thanks,
>>>>> >
>>>>> > pflynn
>>>>> >
>>>>> >
>>>>> > On Tue, Jan 28, 2014 at 8:47 PM, Adrian Chadd <adrian@freebsd.org> wrote:
>>>>> >>
>>>>> >> ok, do 'bt', and see what's being passed into ieee80211_beacon_update.
>>>>> >> Use 'frame X' to switch to frame X, and 'print VARIABLE_NAME' to print
>>>>> >> out the contents of the given variable name.
>>>>> >>
>>>>> >> That mbuf looks like it's NULL, which is odd.
>>>>> >>
>>>>> >> Thanks!
>>>>> >>
>>>>> >>
>>>>> >> -a
>>>>> >>
>>>>> >>
>>>>> >> On 28 January 2014 14:45, Pedro Flynn <pedro.flynn@gmail.com> wrote:
>>>>> >> > OK! This is what I have:
>>>>> >> >
>>>>> >> > list * (0xffffffff809b1163)
>>>>> >> > Undefined command: "".  Try "help".
>>>>> >> > (kgdb) list * (0xffffffff809b1163)
>>>>> >> > 0xffffffff809b1163 is in ieee80211_beacon_update
>>>>> >> > (/usr/src/sys/net80211/ieee80211_output.c:3099).
>>>>> >> > 3094 /* XXX do WME aggressive mode processing? */
>>>>> >> > 3095 IEEE80211_UNLOCK(ic);
>>>>> >> > 3096 return 1; /* just assume length changed */
>>>>> >> > 3097 }
>>>>> >> > 3098
>>>>> >> > 3099 wh = mtod(m, struct ieee80211_frame *);
>>>>> >> > 3100 seqno = ni->ni_txseqs[IEEE80211_NONQOS_TID]++;
>>>>> >> > 3101 *(uint16_t *)&wh->i_seq[0] =
>>>>> >> > 3102 htole16(seqno << IEEE80211_SEQ_SEQ_SHIFT);
>>>>> >> > 3103 M_SEQNO_SET(m, seqno);
>>>>> >> > Current language:  auto; currently minimal
>>>>> >> > (kgdb)
>>>>> >> >
>>>>> >> >
>>>>> >> > (by the way, I'm building a kernel with debug symbols)
>>>>> >> >
>>>>> >> > Thanks,
>>>>> >> >
>>>>> >> > pflynn
>>>>> >> >
>>>>> >> >
>>>>> >> >
>>>>> >> > On Tue, Jan 28, 2014 at 8:34 PM, Adrian Chadd <adrian@freebsd.org> wrote:
>>>>> >> >>
>>>>> >> >> Ok, fire up kgdb
>>>>> >> >>
>>>>> >> >> # kgdb /boot/kernel/kernel /var/crash/vmcore.0
>>>>> >> >>
>>>>> >> >> then
>>>>> >> >>
>>>>> >> >> (gdb) list * (0xffffffff809b1163)
>>>>> >> >>
>>>>> >> >> (.. that's the "instruction pointer" at the time of the panic.)
>>>>> >> >>
>>>>> >> >> I bet it's iv_bss.
>>>>> >> >>
>>>>> >> >>
>>>>> >> >>
>>>>> >> >> -a
>>>>> >> >
>>>>> >> >
>>>>> >
>>>>> >
>>>>>
>>>>
>>>>
>>>
>
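The backtrace in this thread shows net80211's beacon-update path calling into the run(4) driver's iv_update_beacon callback, which passes rvp->beacon_mbuf straight through to ieee80211_beacon_update(); with that mbuf still NULL, mtod() at ieee80211_output.c:3099 dereferences address zero and the kernel panics. The following is an added example and is not code from this thread, from if_run.c or from net80211: a self-contained userland C model of that call chain, with the unchecked callback beside a guarded one. The struct layouts and the names beacon_update, vap_update_beacon_unsafe, vap_update_beacon_safe, wme_updateparams, update_rc and stamped_seq are assumptions for illustration only; the guard returns an error here, whereas a real driver would allocate the beacon before calling back into net80211.

```c
/*
 * Added example (not FreeBSD code): a toy model of the path
 * taskqueue -> newstate -> wme_updateparams -> iv_update_beacon
 * -> ieee80211_beacon_update, showing why a NULL beacon mbuf panics
 * and what the driver-side guard looks like. All types are stand-ins.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for struct ieee80211_frame: only the sequence field matters here. */
struct frame {
    uint8_t fc[2], dur[2], addr[18], seq[2];
};

/* Stand-in for an mbuf holding a pre-built beacon frame. */
struct mbuf {
    struct frame *data;
    size_t len;
};

/* Stand-in for the bss node: carries the non-QoS TX sequence counter. */
struct node {
    uint16_t txseq_nonqos;
};

/* Stand-in for the vap; beacon_mbuf plays the role of rvp->beacon_mbuf. */
struct vap {
    struct node *bss;
    struct mbuf *beacon_mbuf;
    int (*update_beacon)(struct vap *);
};

#define SEQ_SHIFT 4

/*
 * Model of ieee80211_beacon_update(): like the real function it trusts m
 * and dereferences it (mtod) to stamp the sequence number. With m == NULL
 * this is the kernel page fault from the thread; in userland it segfaults.
 */
static int
beacon_update(struct node *ni, struct mbuf *m)
{
    struct frame *wh = m->data;                 /* mtod(m, struct ieee80211_frame *) */
    uint16_t seqno = ni->txseq_nonqos++;
    wh->seq[0] = (uint8_t)((seqno << SEQ_SHIFT) & 0xff);
    wh->seq[1] = (uint8_t)((seqno << SEQ_SHIFT) >> 8);
    return 1;                                   /* "just assume length changed" */
}

/* Driver callback as the backtrace shows it: cached mbuf passed through unchecked. */
static int
vap_update_beacon_unsafe(struct vap *vap)
{
    return beacon_update(vap->bss, vap->beacon_mbuf);
}

/* Guarded callback: never hand net80211 a beacon that was not allocated yet. */
static int
vap_update_beacon_safe(struct vap *vap)
{
    if (vap->beacon_mbuf == NULL || vap->beacon_mbuf->data == NULL)
        return -1;                              /* a real driver would allocate here */
    return beacon_update(vap->bss, vap->beacon_mbuf);
}

/* Model of ieee80211_wme_updateparams_locked(): calls whatever the driver installed. */
static int
wme_updateparams(struct vap *vap)
{
    return vap->update_beacon(vap);
}

/* Constructed scenario: one node, one frame buffer, a vap with or without a beacon. */
struct scenario {
    struct node ni;
    struct frame fr;
    struct mbuf m;
    struct vap vap;
};

static void
scenario_init(struct scenario *s, int have_beacon, int hardened)
{
    memset(s, 0, sizeof *s);
    s->ni.txseq_nonqos = 7;                     /* constructed starting sequence number */
    s->m.data = &s->fr;
    s->m.len = sizeof s->fr;
    s->vap.bss = &s->ni;
    s->vap.beacon_mbuf = have_beacon ? &s->m : NULL;
    s->vap.update_beacon = hardened ? vap_update_beacon_safe : vap_update_beacon_unsafe;
}

/* Return code of the update path. (have_beacon=0, hardened=0) reproduces the crash. */
static int
update_rc(int have_beacon, int hardened)
{
    struct scenario s;
    scenario_init(&s, have_beacon, hardened);
    return wme_updateparams(&s.vap);
}

/* Sequence field stamped into the beacon after one update with a valid mbuf. */
static unsigned
stamped_seq(int hardened)
{
    struct scenario s;
    scenario_init(&s, 1, hardened);
    (void)wme_updateparams(&s.vap);
    return (unsigned)s.fr.seq[0] | ((unsigned)s.fr.seq[1] << 8);
}

int
main(void)
{
    printf("hardened, no beacon yet : rc=%d\n", update_rc(0, 1));
    printf("hardened, beacon present: rc=%d seq=0x%x\n", update_rc(1, 1), stamped_seq(1));
    printf("unchecked, beacon present: rc=%d seq=0x%x\n", update_rc(1, 0), stamped_seq(0));
    /* update_rc(0, 0) is the thread's panic: NULL mbuf into beacon_update(). */
    return 0;
}
```

The point of the two callbacks is where the check belongs: ieee80211_beacon_update() is written on the assumption that the driver only calls it once a beacon exists, so the driver's iv_update_beacon implementation is the place to refuse (or allocate) when its cached mbuf is still NULL.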



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAN48zx=_keGrTbrwO59CDXFtmBqwnwDm2yDSyjoaQvksjkPZFg>