Date: Tue, 28 Jan 2014 21:10:41 -0200
From: Pedro Flynn <pedro.flynn@gmail.com>
To: Adrian Chadd <adrian@freebsd.org>
Cc: "freebsd-wireless@freebsd.org" <freebsd-wireless@freebsd.org>
Subject: Re: FreeBSD 10.0: hostapd crash with Ralink 3070
Message-ID: <CAN48zxmDEgBUKAN70-mbB6YAub-M6e2wyvDF0Aun3FdBJJF+_A@mail.gmail.com>
In-Reply-To: <CAN48zxn8oU8Dzz4oecJaXTNvP6OpTahm50-zCUs-L_m=WK3WYQ@mail.gmail.com>
References: <CAN48zxmMZHsjr55AAbFaeB591Ahd9S1-AkGksRiRtgNOJv6DYQ@mail.gmail.com>
 <CALCpEUHRsquBrE4o6WxfcLgi-O2BN1FtPa+rS2Cdk==0dUdPaA@mail.gmail.com>
 <CAN48zxkXiUFyGuysTSkEPiwdS9VvEZgeyvo1eTr_seFQ2yM-6A@mail.gmail.com>
 <CAN48zxn+eKDFCbFDHwBJOUfyqvjH3whttTH0whtTfgBQxFRrGA@mail.gmail.com>
 <CAJ-VmonPDSHOzuD8bqpjLC1FjYQqHrwz2-w8u5wCqUw-hspVfQ@mail.gmail.com>
 <CAN48zx=zhBYSnkm4Kszs4oe1MdGPrP01B_0eysyso7T5a_WWMA@mail.gmail.com>
 <CAN48zxmxL_h=9B32C1dC5uGAbV_ExEXQoumPS1Zwvwt2RAbPUQ@mail.gmail.com>
 <CAN48zx=QgdLpTUm3OK2V-TVUxxBpiGF4A1WzZbSL6thqB_C++g@mail.gmail.com>
 <CAJ-VmokDb3mUj7Xw6hQKvX5beCv_hXLmMm-nAfz_ZZ-EYq1gyQ@mail.gmail.com>
 <CAN48zxkcJu-nYWrqJmrpC2VQ_LO2RwV6c9r3sUdKA6uXpfjcVQ@mail.gmail.com>
 <CAJ-VmokH0O6RMRYyvSDcz+CNRha9auujxAnKWRxorG=UrG8J8w@mail.gmail.com>
 <CAN48zx=RwTJL=M=xLi30CDxVVFUAmOgo+d9ONNxyeRwP=i2=aw@mail.gmail.com>
 <CAJ-Vmo=kFcEjvmUQX87Q_RX4=aVKNyYDHqf-kZ+p0OcgKdZQGA@mail.gmail.com>
 <CAN48zx=oG0=eTZLqA4QzhEEcriY8Z3BF7PLDX4Qy=GEX+3sDmA@mail.gmail.com>
 <CAJ-VmokZ5sfiLZc9fSgOwgoSa-5VCvwy1rGAjXQ16GHC3keyhQ@mail.gmail.com>
 <CAN48zxn8oU8Dzz4oecJaXTNvP6OpTahm50-zCUs-L_m=WK3WYQ@mail.gmail.com>
You mean rvp->beacon_mbuf is null?

Thanks,

pflynn

On Tue, Jan 28, 2014 at 9:06 PM, Pedro Flynn <pedro.flynn@gmail.com> wrote:
> Just to bring to our attention frame 8:
>
> (kgdb) frame 8
> #8  0xffffffff81a198bc in run_update_beacon (vap=0xfffff8000e8dd000, item=2)
>     at /usr/src/sys/modules/usb/run/../../../dev/usb/wlan/if_run.c:3974
> 3974        ieee80211_beacon_update(vap->iv_bss, &rvp->bo, rvp->beacon_mbuf, mcast);
> Current language:  auto; currently minimal
> (kgdb) print run_update_beacon
> $23 = {void (struct ieee80211vap *, int)} 0xffffffff81a19750 <run_update_beacon>
> (kgdb)
>
> thanks,
>
> pflynn
>
>
> On Tue, Jan 28, 2014 at 9:04 PM, Adrian Chadd <adrian@freebsd.org> wrote:
>
>> Right, frame 8 (the run beacon update) is passing a NULL mbuf into
>> net80211. Why's it doing that.
>>
>>
>>
>> -a
>>
>>
>> On 28 January 2014 15:02, Pedro Flynn <pedro.flynn@gmail.com> wrote:
>> > Here we go (this output is not beautiful...). Please, let me know if I
>> > missed something or if I did something wrong:
>> >
>> > bt output:
>> >
>> > #0  doadump (textdump=<value optimized out>) at pcpu.h:219
>> > #1  0xffffffff808af530 in kern_reboot (howto=260)
>> >     at /usr/src/sys/kern/kern_shutdown.c:447
>> > #2  0xffffffff808af8f4 in panic (fmt=<value optimized out>)
>> >     at /usr/src/sys/kern/kern_shutdown.c:754
>> > #3  0xffffffff80c8e692 in trap_fatal (frame=<value optimized out>,
>> >     eva=<value optimized out>) at /usr/src/sys/amd64/amd64/trap.c:882
>> > #4  0xffffffff80c8e969 in trap_pfault (frame=0xfffffe009695f720, usermode=0)
>> >     at /usr/src/sys/amd64/amd64/trap.c:699
>> > #5  0xffffffff80c8e0f6 in trap (frame=0xfffffe009695f720)
>> >     at /usr/src/sys/amd64/amd64/trap.c:463
>> > #6  0xffffffff80c75392 in calltrap ()
>> >     at /usr/src/sys/amd64/amd64/exception.S:232
>> > #7  0xffffffff809b1163 in ieee80211_beacon_update (ni=0xfffffe0000ffc000,
>> >     bo=0xfffff8000e8dd9e8, m=0x0, mcast=0) at atomic.h:161
>> > #8  0xffffffff81a198bc in run_update_beacon (vap=0xfffff8000e8dd000, item=2)
>> >     at /usr/src/sys/modules/usb/run/../../../dev/usb/wlan/if_run.c:3974
>> > #9  0xffffffff809b42bd in ieee80211_wme_updateparams_locked (vap=0xfffff8000e8dd000)
>> >     at ieee80211_var.h:814
>> > #10 0xffffffff809b437a in ieee80211_wme_updateparams (vap=0xfffff8000e8dd000)
>> >     at /usr/src/sys/net80211/ieee80211_proto.c:1150
>> > #11 0xffffffff809b3f43 in ieee80211_wme_initparams (vap=<value optimized out>)
>> >     at /usr/src/sys/net80211/ieee80211_proto.c:955
>> > #12 0xffffffff809a9aec in ieee80211_sta_join1 ()
>> >     at /usr/src/sys/net80211/ieee80211_node.c:741
>> > #13 0xffffffff8099047b in hostap_newstate (vap=0xfffff8000e8dd000,
>> >     nstate=<value optimized out>, arg=<value optimized out>)
>> >     at /usr/src/sys/net80211/ieee80211_hostap.c:274
>> > #14 0xffffffff81a1a36a in run_newstate (vap=<value optimized out>,
>> >     nstate=IEEE80211_S_RUN, arg=-1)
>> >     at /usr/src/sys/modules/usb/run/../../../dev/usb/wlan/if_run.c:1881
>> > #15 0xffffffff809b2edf in ieee80211_newstate_cb (xvap=0xfffff8000e8dd000,
>> >     npending=<value optimized out>)
>> >     at /usr/src/sys/net80211/ieee80211_proto.c:1756
>> > #16 0xffffffff808f5b66 in taskqueue_run_locked (queue=0xfffff8000e8e4600)
>> >     at /usr/src/sys/kern/subr_taskqueue.c:333
>> > #17 0xffffffff808f63e8 in taskqueue_thread_loop (arg=<value optimized out>)
>> >     at /usr/src/sys/kern/subr_taskqueue.c:535
>> > #18 0xffffffff8088198a in fork_exit (callout=0xffffffff808f6340 <taskqueue_thread_loop>,
>> >     arg=0xfffffe0000ff60f0, frame=0xfffffe009695fc00)
>> >     at /usr/src/sys/kern/kern_fork.c:995
>> > #19 0xffffffff80c758ce in fork_trampoline ()
>> >     at /usr/src/sys/amd64/amd64/exception.S:606
>> > #20 0x0000000000000000 in ?? ()
>> >
>> > frame 0
>> > #0  doadump (textdump=<value optimized out>) at pcpu.h:219
>> > 219     pcpu.h: No such file or directory.
>> >         in pcpu.h
>> > print doadump
>> > $1 = {int (boolean_t)} 0xffffffff808af6f0 <doadump>
>> >
>> > frame 1:
>> > #1  0xffffffff808af530 in kern_reboot (howto=260)
>> >     at /usr/src/sys/kern/kern_shutdown.c:447
>> > 447         doadump(TRUE);
>> > print kern_reboot
>> > print kern_reboot
>> > $3 = {void (int)} 0xffffffff808aedf0 <kern_reboot>
>> >
>> > frame 2
>> > #2  0xffffffff808af8f4 in panic (fmt=<value optimized out>)
>> >     at /usr/src/sys/kern/kern_shutdown.c:754
>> > 754         kern_reboot(bootopt);
>> > (kgdb) print panic
>> > $4 = {void (const char *)} 0xffffffff808af760 <panic>
>> >
>> > frame 3
>> > #3  0xffffffff80c8e692 in trap_fatal (frame=<value optimized out>,
>> >     eva=<value optimized out>) at /usr/src/sys/amd64/amd64/trap.c:882
>> > 882         panic("%s", trap_msg[type]);
>> > (kgdb) print trap_fatal
>> > $5 = {void (struct trapframe *, vm_offset_t)} 0xffffffff80c8e2f0 <trap_fatal>
>> > (kgdb) frame 4
>> > #4  0xffffffff80c8e969 in trap_pfault (frame=0xfffffe009695f720, usermode=0)
>> >     at /usr/src/sys/amd64/amd64/trap.c:699
>> > 699         trap_fatal(frame, eva);
>> > (kgdb) print trap_pfault
>> > $6 = {int (struct trapframe *, int)} 0xffffffff80c8e6a0 <trap_pfault>
>> > (kgdb) frame 5
>> > #5  0xffffffff80c8e0f6 in trap (frame=0xfffffe009695f720)
>> >     at /usr/src/sys/amd64/amd64/trap.c:463
>> > 463             (void) trap_pfault(frame, FALSE);
>> > (kgdb) print trap
>> > $7 = {void (struct trapframe *)} 0xffffffff80c8db10 <trap>
>> >
>> > frame 6
>> > #6  0xffffffff80c75392 in calltrap ()
>> >     at /usr/src/sys/amd64/amd64/exception.S:232
>> > 232         call    trap
>> > Current language:  auto; currently asm
>> > (kgdb) print calltrap
>> > $8 = {<text variable, no debug info>} 0xffffffff80c7538a <calltrap>
>> > (kgdb) frame 7
>> > #7  0xffffffff809b1163 in ieee80211_beacon_update (ni=0xfffffe0000ffc000,
>> >     bo=0xfffff8000e8dd9e8, m=0x0, mcast=0) at atomic.h:161
>> > 161     atomic.h: No such file or directory.
>> >         in atomic.h
>> > Current language:  auto; currently minimal
>> > (kgdb) print ieee80211_beacon_update
>> > $9 = {int (struct ieee80211_node *, struct ieee80211_beacon_offsets *,
>> >     struct mbuf *, int)} 0xffffffff809b1090 <ieee80211_beacon_update>
>> >
>> > frame 8
>> > #8  0xffffffff81a198bc in run_update_beacon (vap=0xfffff8000e8dd000, item=2)
>> >     at /usr/src/sys/modules/usb/run/../../../dev/usb/wlan/if_run.c:3974
>> > 3974        ieee80211_beacon_update(vap->iv_bss, &rvp->bo, rvp->beacon_mbuf, mcast);
>> > (kgdb) print run_update_beacon
>> > $10 = {void (struct ieee80211vap *, int)} 0xffffffff81a19750 <run_update_beacon>
>> > (kgdb) frame 9
>> > #9  0xffffffff809b42bd in ieee80211_wme_updateparams_locked (vap=0xfffff8000e8dd000)
>> >     at ieee80211_var.h:814
>> > 814         vap->iv_update_beacon(vap, what);
>> > (kgdb) print ieee80211_wme_updateparams_locked
>> > $11 = {void (struct ieee80211vap *)} 0xffffffff809b3f90 <ieee80211_wme_updateparams_locked>
>> > (kgdb) frame 10
>> > #10 0xffffffff809b437a in ieee80211_wme_updateparams (vap=0xfffff8000e8dd000)
>> >     at /usr/src/sys/net80211/ieee80211_proto.c:1150
>> > 1150        ieee80211_wme_updateparams_locked(vap);
>> > (kgdb) print ieee80211_wme_updateparams
>> > $12 = {void (struct ieee80211vap *)} 0xffffffff809b4320 <ieee80211_wme_updateparams>
>> >
>> > frame 11
>> > #11 0xffffffff809b3f43 in ieee80211_wme_initparams (vap=<value optimized out>)
>> >     at /usr/src/sys/net80211/ieee80211_proto.c:955
>> > 955         ieee80211_wme_updateparams(vap);
>> > (kgdb) print ieee80211_wme_initparams
>> > $13 = {void (struct ieee80211vap *)} 0xffffffff809b3ca0 <ieee80211_wme_initparams>
>> > (kgdb) frame 12
>> > #12 0xffffffff809a9aec in ieee80211_sta_join1 ()
>> >     at /usr/src/sys/net80211/ieee80211_node.c:741
>> > 741         ieee80211_wme_initparams(vap);
>> > (kgdb) print ieee80211_sta_join1
>> > $14 = {int (struct ieee80211_node *)} 0xffffffff809a9a10 <ieee80211_sta_join1>
>> > (kgdb) frame 13
>> > #13 0xffffffff8099047b in hostap_newstate (vap=0xfffff8000e8dd000,
>> >     nstate=<value optimized out>, arg=<value optimized out>)
>> >     at /usr/src/sys/net80211/ieee80211_hostap.c:274
>> > 274                 ieee80211_ht_adjust_channel(ic,
>> > (kgdb) print hostap_newstate
>> > $15 = {int (struct ieee80211vap *, enum ieee80211_state, int)} 0xffffffff80990190 <hostap_newstate>
>> > frame 14
>> > #14 0xffffffff81a1a36a in run_newstate (vap=<value optimized out>,
>> >     nstate=IEEE80211_S_RUN, arg=-1)
>> >     at /usr/src/sys/modules/usb/run/../../../dev/usb/wlan/if_run.c:1881
>> > 1881        return(rvp->newstate(vap, nstate, arg));
>> > (kgdb) print run_newstate
>> > $16 = {int (struct ieee80211vap *, enum ieee80211_state, int)} 0xffffffff81a19b30 <run_newstate>
>> > (kgdb) frame 15
>> > #15 0xffffffff809b2edf in ieee80211_newstate_cb (xvap=0xfffff8000e8dd000,
>> >     npending=<value optimized out>)
>> >     at /usr/src/sys/net80211/ieee80211_proto.c:1756
>> > 1756        rc = vap->iv_newstate(vap, nstate, arg);
>> > (kgdb) print ieee80211_newstate_cb
>> > $17 = {void (void *, int)} 0xffffffff809b2d90 <ieee80211_newstate_cb>
>> > (kgdb) frame 16
>> > #16 0xffffffff808f5b66 in taskqueue_run_locked (queue=0xfffff8000e8e4600)
>> >     at /usr/src/sys/kern/subr_taskqueue.c:333
>> > 333         task->ta_func(task->ta_context, pending);
>> > (kgdb) print taskqueue_run_locked
>> > $18 = {void (struct taskqueue *)} 0xffffffff808f5a80 <taskqueue_run_locked>
>> > frame 17
>> > #17 0xffffffff808f63e8 in taskqueue_thread_loop (arg=<value optimized out>)
>> >     at /usr/src/sys/kern/subr_taskqueue.c:535
>> > 535         taskqueue_run_locked(tq);
>> > (kgdb) print taskqueue_thread_loop
>> > $19 = {void (void *)} 0xffffffff808f6340 <taskqueue_thread_loop>
>> > (kgdb) frame 18
>> > #18 0xffffffff8088198a in fork_exit (callout=0xffffffff808f6340 <taskqueue_thread_loop>,
>> >     arg=0xfffffe0000ff60f0, frame=0xfffffe009695fc00)
>> >     at /usr/src/sys/kern/kern_fork.c:995
>> > 995         callout(arg, frame);
>> > (kgdb) print fork_exit
>> > $20 = {void (void (*)(void *, struct trapframe *), void *, struct trapframe *)} 0xffffffff808818f0 <fork_exit>
>> > (kgdb) frame 19
>> > #19 0xffffffff80c758ce in fork_trampoline ()
>> >     at /usr/src/sys/amd64/amd64/exception.S:606
>> > 606         call    fork_exit
>> > Current language:  auto; currently asm
>> > (kgdb) print fork_trampoline
>> > $21 = {<text variable, no debug info>} 0xffffffff80c758c0 <fork_trampoline>
>> > frame 20
>> > #20 0x0000000000000000 in ?? ()
>> >
>> > Thanks,
>> >
>> > pflynn
>> >
>> >
>> > On Tue, Jan 28, 2014 at 8:47 PM, Adrian Chadd <adrian@freebsd.org> wrote:
>> >>
>> >> ok, do 'bt', and see what's being passed into ieee80211_beacon_update.
>> >> Use 'frame X' to switch to frame X, and 'print VARIABLE_NAME' to print
>> >> out the contents of the given variable name.
>> >>
>> >> That mbuf looks like it's NULL, which is odd.
>> >>
>> >> Thanks!
>> >>
>> >>
>> >> -a
>> >>
>> >>
>> >> On 28 January 2014 14:45, Pedro Flynn <pedro.flynn@gmail.com> wrote:
>> >> > OK! This is what I have:
>> >> >
>> >> > list * (0xffffffff809b1163)
>> >> > Undefined command: "".  Try "help".
>> >> > (kgdb) list * (0xffffffff809b1163)
>> >> > 0xffffffff809b1163 is in ieee80211_beacon_update
>> >> > (/usr/src/sys/net80211/ieee80211_output.c:3099).
>> >> > 3094                /* XXX do WME aggressive mode processing? */
>> >> > 3095                IEEE80211_UNLOCK(ic);
>> >> > 3096                return 1;       /* just assume length changed */
>> >> > 3097        }
>> >> > 3098
>> >> > 3099        wh = mtod(m, struct ieee80211_frame *);
>> >> > 3100        seqno = ni->ni_txseqs[IEEE80211_NONQOS_TID]++;
>> >> > 3101        *(uint16_t *)&wh->i_seq[0] =
>> >> > 3102                htole16(seqno << IEEE80211_SEQ_SEQ_SHIFT);
>> >> > 3103        M_SEQNO_SET(m, seqno);
>> >> > Current language:  auto; currently minimal
>> >> > (kgdb)
>> >> >
>> >> >
>> >> > (by the way, I'm building a kernel with debug symbols)
>> >> >
>> >> > Thanks,
>> >> >
>> >> > pflynn
>> >> >
>> >> >
>> >> >
>> >> > On Tue, Jan 28, 2014 at 8:34 PM, Adrian Chadd <adrian@freebsd.org>
>> >> > wrote:
>> >> >>
>> >> >> Ok, fire up kgdb
>> >> >>
>> >> >> # kgdb /boot/kernel/kernel /var/crash/vmcore.0
>> >> >>
>> >> >> then
>> >> >>
>> >> >> (gdb) list * (0xffffffff809b1163)
>> >> >>
>> >> >> (.. that's the "instruction pointer" at the time of the panic.)
>> >> >>
>> >> >> I bet it's iv_bss.
>> >> >>
>> >> >>
>> >> >>
>> >> >> -a
>> >> >
>> >> >
>> >
>> >
>> >
>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAN48zxmDEgBUKAN70-mbB6YAub-M6e2wyvDF0Aun3FdBJJF%2B_A>
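The triage Adrian walks Pedro through above is mechanical: read the kgdb `bt`, find the innermost frame that received a NULL pointer argument (frame 7, `m=0x0` into ieee80211_beacon_update), and look one frame up to see who passed it (frame 8, run_update_beacon at if_run.c:3974). The script below automates exactly that step over pasted backtrace text. It is an added example written for this page, not code from the thread, from FreeBSD or from net80211; the function and class names (`parse_backtrace`, `triage`, `Frame`) are my own. The sample input is the backtrace Pedro posted above, reflowed the way gdb wraps long frames, with a few frames omitted to keep it short.

```python
"""Triage helper for gdb/kgdb 'bt' output: find the innermost frame that was
handed a NULL pointer argument and report the caller frame that passed it.
Added example for this page; not FreeBSD code. Names are hypothetical."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# One (possibly re-joined) frame line, e.g.
#   "#7  0xffffffff809b1163 in ieee80211_beacon_update (ni=0x..., m=0x0) at atomic.h:161"
# Frame 0 has no "PC in" prefix; the "at FILE:LINE" suffix is optional.
FRAME_RE = re.compile(
    r"^#(?P<no>\d+)\s+"
    r"(?:(?P<pc>0x[0-9a-fA-F]+)\s+in\s+)?"
    r"(?P<func>\S+)\s*"
    r"\((?P<args>.*)\)"
    r"(?:\s+at\s+(?P<file>\S+):(?P<line>\d+))?\s*$"
)
# gdb prints pointer arguments as hex; a NULL pointer shows up as 0x0.
NULL_PTR_RE = re.compile(r"^0x0+$")


@dataclass
class Frame:
    no: int
    func: str
    args: Dict[str, str] = field(default_factory=dict)
    pc: Optional[str] = None
    file: Optional[str] = None
    line: Optional[int] = None

    def null_args(self) -> List[str]:
        """Names of arguments whose printed value is a NULL pointer."""
        return [k for k, v in self.args.items() if NULL_PTR_RE.match(v)]


def _join_wrapped(text: str) -> List[str]:
    """Re-join frames that gdb (or a mail client) wrapped onto continuation lines."""
    out: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if re.match(r"^#\d+\s", line):
            out.append(line)
        elif out:
            out[-1] += " " + line
    return out


def _parse_args(arglist: str) -> Dict[str, str]:
    """Split 'a=1, b=<value optimized out>' into a dict (no nested-brace args here)."""
    args: Dict[str, str] = {}
    for part in filter(None, (p.strip() for p in arglist.split(","))):
        if "=" in part:
            name, value = part.split("=", 1)
            args[name.strip()] = value.strip()
    return args


def parse_backtrace(text: str) -> List[Frame]:
    frames: List[Frame] = []
    for line in _join_wrapped(text):
        m = FRAME_RE.match(line)
        if not m:
            continue
        frames.append(Frame(no=int(m["no"]), func=m["func"],
                            args=_parse_args(m["args"]), pc=m["pc"],
                            file=m["file"],
                            line=int(m["line"]) if m["line"] else None))
    return frames


def triage(text: str) -> Optional[dict]:
    """Return the innermost frame with a NULL pointer argument and its caller.
    'bt' lists frames innermost first, so the caller of frame N is frame N+1."""
    frames = parse_backtrace(text)
    by_no = {f.no: f for f in frames}
    for f in frames:
        nulls = f.null_args()
        if nulls:
            caller = by_no.get(f.no + 1)
            return {
                "frame": f.no, "callee": f.func, "null_args": nulls,
                "caller": caller.func if caller else None,
                "caller_location": (f"{caller.file}:{caller.line}"
                                    if caller and caller.file else None),
            }
    return None


# Backtrace from the thread above, reflowed as gdb wraps it; frames 10-19 omitted.
SAMPLE_BT = """\
#0  doadump (textdump=<value optimized out>) at pcpu.h:219
#1  0xffffffff808af530 in kern_reboot (howto=260)
    at /usr/src/sys/kern/kern_shutdown.c:447
#2  0xffffffff808af8f4 in panic (fmt=<value optimized out>)
    at /usr/src/sys/kern/kern_shutdown.c:754
#3  0xffffffff80c8e692 in trap_fatal (frame=<value optimized out>,
    eva=<value optimized out>) at /usr/src/sys/amd64/amd64/trap.c:882
#4  0xffffffff80c8e969 in trap_pfault (frame=0xfffffe009695f720, usermode=0)
    at /usr/src/sys/amd64/amd64/trap.c:699
#5  0xffffffff80c8e0f6 in trap (frame=0xfffffe009695f720)
    at /usr/src/sys/amd64/amd64/trap.c:463
#6  0xffffffff80c75392 in calltrap ()
    at /usr/src/sys/amd64/amd64/exception.S:232
#7  0xffffffff809b1163 in ieee80211_beacon_update (ni=0xfffffe0000ffc000,
    bo=0xfffff8000e8dd9e8, m=0x0, mcast=0) at atomic.h:161
#8  0xffffffff81a198bc in run_update_beacon (vap=0xfffff8000e8dd000,
    item=2)
    at /usr/src/sys/modules/usb/run/../../../dev/usb/wlan/if_run.c:3974
#9  0xffffffff809b42bd in ieee80211_wme_updateparams_locked (
    vap=0xfffff8000e8dd000) at ieee80211_var.h:814
#20 0x0000000000000000 in ?? ()
"""

if __name__ == "__main__":
    print(triage(SAMPLE_BT))
```

A `0x0` argument tells you which frame received the NULL, not that the fault happened there; confirm with `list *PC` on the faulting instruction pointer as the thread does (here it lands on `mtod(m, ...)`, which settles it). Integer arguments print without a `0x` prefix (`mcast=0`, `usermode=0`), so they do not trip the NULL check.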