Date: Mon, 20 Mar 2006 22:52:01 +0100
From: "Damien Bergamini" <damien.bergamini@free.fr>
To: "Arnaud LACOMBE" <lists-freebsd@sigfpe.info>, <freebsd-current@freebsd.org>
Subject: Re: ral(4) crashed the kernel
Message-ID: <01f401c64c68$84f709d0$0300a8c0@COMETE>
References: <20060320211756.GA87266@aries.rezid.net>

Thanks for the detailed report. It's great to see someone with an RT2561 adapter :)
Support for those adapters is still at a very early stage.
It seems that the ieee80211_free_node() function is called from rt2661_tx_intr() with a NULL node, which should not happen. I'll investigate this.
Does it work if you don't set a fixed rate?

Damien

| Hi,
|
| I bought two weeks ago a D-Link DWL-G630 wireless card for my laptop
| hoping it would be supported by -current. The card is based on a ralink
| chipset, here is the full dmesg:
|
| cardbus0: CIS pointer is 0x601
| cardbus0: CIS in BAR 0x10
| cardbus0: Expecting link target, got 0x0
| ral0: <Ralink Technology RT2561> mem 0x88000000-0x88007fff at device 0.0 on cardbus0
| ral0: MAC/BBP RT2661B, RF RT2527
| ral0: Ethernet address: 00:xx:xx:xx:xx:xx
| [Author's note: the CIS information is not really long compared to other cardbus
| I use]
|
| As you can see, the ral(4) device attaches correctly, then, I played
| with ifconfig's options and the crash occurred when I launched the
| following command:
|
| # ifconfig ral0 media OFDM24
| (the crash also occurred before when I specified 'OFDM54')
|
| After the computer rebooted, I got the following crash dump:
|
| kdb_backtrace(1,c19dd8d0,c,c19de1b0,c8378c3c) at kdb_backtrace+0x29
| witness_warn(5,0,c08bc752) at witness_warn+0x192
| trap(c0680008,c09a0028,28,c1ab5400,0) at trap+0x108
| calltrap() at calltrap+0x5
| --- trap 0xc, eip = 0xc06f003d, esp = 0xc8378c84, ebp = 0xc8378c90 ---
| ieee80211_free_node(0,c1bde004,c1bde000,1,0) at ieee80211_free_node+0x9
| rt2661_tx_intr(c1bde000) at rt2661_tx_intr+0x10d
| rt2661_intr(c1bde000,c1c61440,c8378cec,c0651336,c1a055c0) at rt2661_intr+0x17e
| cbb_func_intr(c1a055c0) at cbb_func_intr+0x45
| ithread_execute_handlers(c19dd8d0,c192f880) at ithread_execute_handlers+0xea
| ithread_loop(c19e80c0,c8378d38) at ithread_loop+0x67
| fork_exit(c0651408,c19e80c0,c8378d38) at fork_exit+0xa4
| fork_trampoline() at fork_trampoline+0x8
| --- trap 0x1, eip = 0, esp = 0xc8378d6c, ebp = 0 ---
|
| Fatal trap 12: page fault while in kernel mode
| cpuid = 0; apic id = 00
| fault virtual address = 0x4
| fault code = supervisor read, page not present
| instruction pointer = 0x20:0xc06f003d
| stack pointer = 0x28:0xc8378c84
| frame pointer = 0x28:0xc8378c90
| code segment = base 0x0, limit 0xfffff, type 0x1b
| = DPL 0, pres 1, def32 1, gran 1
| processor eflags = interrupt enabled, resume, IOPL = 0
| current process = 19 (irq10: cbb0 ral0+)
| panic: from debugger
|
| a backtrace gives me the following:
|
| (kgdb) bt
| #0 doadump () at pcpu.h:166
| #1 0xc0664b8c in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:402
| #2 0xc0664ea1 in panic (fmt=0xc085dcdf "from debugger") at /usr/src/sys/kern/kern_shutdown.c:558
| #3 0xc046bc41 in db_panic (addr=-1066467267, have_addr=0, count=-1, modif=0xc8378a8c "") at /usr/src/sys/ddb/db_command.c:426
| #4 0xc046bbd8 in db_command (last_cmdp=0xc0949a84, cmd_table=0x0) at /usr/src/sys/ddb/db_command.c:395
| #5 0xc046bc96 in db_command_loop () at /usr/src/sys/ddb/db_command.c:446
| #6 0xc046d8ad in db_trap (type=12, code=0) at /usr/src/sys/ddb/db_main.c:221
| #7 0xc067f7e8 in kdb_trap (type=12, code=0, tf=0xc8378c44) at /usr/src/sys/kern/subr_kdb.c:485
| #8 0xc0821278 in trap_fatal (frame=0xc8378c44, eva=4) at /usr/src/sys/i386/i386/trap.c:861
| #9 0xc08208ff in trap (frame=
| {tf_fs = -1066926072, tf_es = -1063649240, tf_ds = 40, tf_edi = -1045736448, tf_esi = 0, tf_ebp = -935883632, tf_isp = -935883664, tf_ebx = -1044517792, tf_edx = 0, tf_ecx = 3329, tf_eax = 0, tf_trapno = 12, tf_err = 0, tf_eip = -1066467267, tf_cs = 32, tf_eflags = 66054, tf_esp = -1044517792, tf_ss = -1046534116})
| at /usr/src/sys/i386/i386/trap.c:279
| #10 0xc080d21a in calltrap () at /usr/src/sys/i386/i386/exception.s:137
| #11 0xc06f003d in ieee80211_free_node (ni=0x0) at /usr/src/sys/net80211/ieee80211_node.c:1600
| #12 0xc05addf1 in rt2661_tx_intr (sc=0xc1bde000) at /usr/src/sys/dev/ral/rt2661.c:996
| #13 0xc05ae46a in rt2661_intr (arg=0xc1bde000) at /usr/src/sys/dev/ral/rt2661.c:1245
| #14 0xc059562d in cbb_func_intr (arg=0xc1a055c0) at /usr/src/sys/dev/pccbb/pccbb.c:644
| #15 0xc0651336 in ithread_execute_handlers (p=0xc19dd8d0, ie=0xc192f880) at /usr/src/sys/kern/kern_intr.c:662
| #16 0xc065146f in ithread_loop (arg=0xc19e80c0) at /usr/src/sys/kern/kern_intr.c:745
| #17 0xc06505fc in fork_exit (callout=0xc0651408 <ithread_loop>, arg=0xc19e80c0, frame=0xc8378d38) at /usr/src/sys/kern/kern_fork.c:802
| #18 0xc080d27c in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:198
|
| The crash seems to be triggered at the beginning of
| ieee80211_free_node() in /usr/src/sys/net80211/ieee80211_node.c which is
| called from rt2661_tx_intr() with ni = NULL.
|
| 1594 void
| 1595 #ifdef IEEE80211_DEBUG_REFCNT
| 1596 ieee80211_free_node_debug(struct ieee80211_node *ni, const char *func, int line)
| 1597 #else
| 1598 ieee80211_free_node(struct ieee80211_node *ni)
| 1599 #endif
| 1600 {
| 1601     struct ieee80211_node_table *nt = ni->ni_table;
| 1602
|
| I can provide a crash dump if needed.
|
| Arnaud
|
| ps: could you please add me in CC: when you reply, I didn't follow
| freebsd-current@... by now.
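
Added illustration, not code from this thread or from the ral(4) driver: the reported fault virtual address 0x4 is what reading ni->ni_table through ni = NULL yields if ni_table is the second 4-byte pointer field of the node, which is an assumed layout. The names node_i386, tx_slot, node and tx_complete are hypothetical simplified stand-ins showing a completion loop that counts a completed slot with no node instead of dereferencing it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed i386 layout: two 4-byte pointer slots; ni_ic is an assumption. */
struct node_i386 {
    uint32_t ni_ic;
    uint32_t ni_table;   /* field read by line 1601: nt = ni->ni_table */
};

/* Address touched when ni_table is read through the pointer value `ni`. */
static uint32_t ni_table_read_addr(uint32_t ni)
{
    return ni + (uint32_t)offsetof(struct node_i386, ni_table);
}

/* Hypothetical stand-ins for a refcounted node and a TX ring slot. */
struct node { int refcnt; };
struct tx_slot { struct node *ni; int done; };

/* Release the node of each completed slot; a completed slot with no node
 * is counted and skipped. Returns the number of such slots. */
static int tx_complete(struct tx_slot *ring, int n, int *released)
{
    int missing = 0;
    *released = 0;
    for (int i = 0; i < n; i++) {
        if (!ring[i].done)
            continue;
        if (ring[i].ni == NULL) {
            missing++;              /* the state seen in the backtrace */
        } else {
            ring[i].ni->refcnt--;
            ring[i].ni = NULL;
            (*released)++;
        }
        ring[i].done = 0;
    }
    return missing;
}

int main(void)
{
    struct node a = { 1 };          /* constructed sample data */
    struct tx_slot ring[3] = { { &a, 1 }, { NULL, 1 }, { NULL, 0 } };
    int released, missing = tx_complete(ring, 3, &released);
    printf("NULL read hits 0x%x; released %d, missing %d\n",
        (unsigned)ni_table_read_addr(0), released, missing);
    return 0;
}
```

A non-zero count from tx_complete marks a slot that completed without a node reference, which is the condition to trace back to where the slot was filled.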