From owner-freebsd-wireless@FreeBSD.ORG  Tue Jan 28 23:02:37 2014
Return-Path: <owner-freebsd-wireless@FreeBSD.ORG>
Delivered-To: freebsd-wireless@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 329C03AB;
 Tue, 28 Jan 2014 23:02:37 +0000 (UTC)
Received: from mail-qc0-x232.google.com (mail-qc0-x232.google.com
 [IPv6:2607:f8b0:400d:c01::232])
 (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits))
 (No client certificate requested)
 by mx1.freebsd.org (Postfix) with ESMTPS id C73101354;
 Tue, 28 Jan 2014 23:02:36 +0000 (UTC)
Received: by mail-qc0-f178.google.com with SMTP id m20so1619230qcx.37
 for <multiple recipients>; Tue, 28 Jan 2014 15:02:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
 h=mime-version:in-reply-to:references:date:message-id:subject:from:to
 :cc:content-type;
 bh=ZGx9NPgWpHyErFVsL+Lv546XjKGjxwp54aPsBBp3CG0=;
 b=HeHTokaCOBB0+Z0OPRIvUL4kUxadmxdr5m0yr6JYHp3REFKZ1juwdIZ7JP/nymrm4x
 ll4ZUv7AicIJn+/5OhVyECxAu/cWqAUTfRRa5VfJD4NICgl4eA6H6yCWUs857JTpdsRr
 bvRNHZWSD4l7QcBlcPQCCrxNEQUH/p3wkevbue1/5G3i0+tAsk4dujzfY0yRjVlPBjkT
 a68euOWfyQtzM4q8Meg7BPZ1avFqSIYRhFS09NaTUikNkz5kzAfDP8rHsEK+K6sMtuZD
 aaq1rx0rqXG2nVEELGGTLEazZiUDP1EaEFBJfIWWCPzCmgzksskBg7GxKpnwwxdQMi+e
 WK5Q==
MIME-Version: 1.0
X-Received: by 10.229.184.69 with SMTP id cj5mr6973132qcb.8.1390950155918;
 Tue, 28 Jan 2014 15:02:35 -0800 (PST)
Received: by 10.140.27.151 with HTTP; Tue, 28 Jan 2014 15:02:35 -0800 (PST)
In-Reply-To: <CAJ-Vmo=kFcEjvmUQX87Q_RX4=aVKNyYDHqf-kZ+p0OcgKdZQGA@mail.gmail.com>
References: <CAN48zxmMZHsjr55AAbFaeB591Ahd9S1-AkGksRiRtgNOJv6DYQ@mail.gmail.com>
 <CALCpEUHRsquBrE4o6WxfcLgi-O2BN1FtPa+rS2Cdk==0dUdPaA@mail.gmail.com>
 <CAN48zxkXiUFyGuysTSkEPiwdS9VvEZgeyvo1eTr_seFQ2yM-6A@mail.gmail.com>
 <CAN48zxn+eKDFCbFDHwBJOUfyqvjH3whttTH0whtTfgBQxFRrGA@mail.gmail.com>
 <CAJ-VmonPDSHOzuD8bqpjLC1FjYQqHrwz2-w8u5wCqUw-hspVfQ@mail.gmail.com>
 <CAN48zx=zhBYSnkm4Kszs4oe1MdGPrP01B_0eysyso7T5a_WWMA@mail.gmail.com>
 <CAN48zxmxL_h=9B32C1dC5uGAbV_ExEXQoumPS1Zwvwt2RAbPUQ@mail.gmail.com>
 <CAN48zx=QgdLpTUm3OK2V-TVUxxBpiGF4A1WzZbSL6thqB_C++g@mail.gmail.com>
 <CAJ-VmokDb3mUj7Xw6hQKvX5beCv_hXLmMm-nAfz_ZZ-EYq1gyQ@mail.gmail.com>
 <CAN48zxkcJu-nYWrqJmrpC2VQ_LO2RwV6c9r3sUdKA6uXpfjcVQ@mail.gmail.com>
 <CAJ-VmokH0O6RMRYyvSDcz+CNRha9auujxAnKWRxorG=UrG8J8w@mail.gmail.com>
 <CAN48zx=RwTJL=M=xLi30CDxVVFUAmOgo+d9ONNxyeRwP=i2=aw@mail.gmail.com>
 <CAJ-Vmo=kFcEjvmUQX87Q_RX4=aVKNyYDHqf-kZ+p0OcgKdZQGA@mail.gmail.com>
Date: Tue, 28 Jan 2014 21:02:35 -0200
Message-ID: <CAN48zx=oG0=eTZLqA4QzhEEcriY8Z3BF7PLDX4Qy=GEX+3sDmA@mail.gmail.com>
Subject: Re: FreeBSD 10.0: hostapd crash with Ralink 3070
From: Pedro Flynn <pedro.flynn@gmail.com>
To: Adrian Chadd <adrian@freebsd.org>
Content-Type: text/plain; charset=ISO-8859-1
X-Content-Filtered-By: Mailman/MimeDel 2.1.17
Cc: "freebsd-wireless@freebsd.org" <freebsd-wireless@freebsd.org>
X-BeenThere: freebsd-wireless@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Discussions of 802.11 stack,
 tools device driver development." <freebsd-wireless.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-wireless>, 
 <mailto:freebsd-wireless-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-wireless/>
List-Post: <mailto:freebsd-wireless@freebsd.org>
List-Help: <mailto:freebsd-wireless-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-wireless>, 
 <mailto:freebsd-wireless-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jan 2014 23:02:37 -0000

Here we go (this output is not beautiful...). Please, let me know if I
missed something or if I did something wrong:

bt output:

#0  doadump (textdump=<value optimized out>) at pcpu.h:219
#1  0xffffffff808af530 in kern_reboot (howto=260)
    at /usr/src/sys/kern/kern_shutdown.c:447
#2  0xffffffff808af8f4 in panic (fmt=<value optimized out>)
    at /usr/src/sys/kern/kern_shutdown.c:754
#3  0xffffffff80c8e692 in trap_fatal (frame=<value optimized out>,
    eva=<value optimized out>) at /usr/src/sys/amd64/amd64/trap.c:882
#4  0xffffffff80c8e969 in trap_pfault (frame=0xfffffe009695f720, usermode=0)
    at /usr/src/sys/amd64/amd64/trap.c:699
#5  0xffffffff80c8e0f6 in trap (frame=0xfffffe009695f720)
    at /usr/src/sys/amd64/amd64/trap.c:463
#6  0xffffffff80c75392 in calltrap ()
    at /usr/src/sys/amd64/amd64/exception.S:232
#7  0xffffffff809b1163 in ieee80211_beacon_update (ni=0xfffffe0000ffc000,
    bo=0xfffff8000e8dd9e8, m=0x0, mcast=0) at atomic.h:161
#8  0xffffffff81a198bc in run_update_beacon (vap=0xfffff8000e8dd000, item=2)
    at /usr/src/sys/modules/usb/run/../../../dev/usb/wlan/if_run.c:3974
#9  0xffffffff809b42bd in ieee80211_wme_updateparams_locked (
    vap=0xfffff8000e8dd000) at ieee80211_var.h:814
#10 0xffffffff809b437a in ieee80211_wme_updateparams
(vap=0xfffff8000e8dd000)
    at /usr/src/sys/net80211/ieee80211_proto.c:1150
#11 0xffffffff809b3f43 in ieee80211_wme_initparams (vap=<value optimized
out>)
    at /usr/src/sys/net80211/ieee80211_proto.c:955
#12 0xffffffff809a9aec in ieee80211_sta_join1 ()
    at /usr/src/sys/net80211/ieee80211_node.c:741
#13 0xffffffff8099047b in hostap_newstate (vap=0xfffff8000e8dd000,
    nstate=<value optimized out>, arg=<value optimized out>)
    at /usr/src/sys/net80211/ieee80211_hostap.c:274
#14 0xffffffff81a1a36a in run_newstate (vap=<value optimized out>,
    nstate=IEEE80211_S_RUN, arg=-1)
    at /usr/src/sys/modules/usb/run/../../../dev/usb/wlan/if_run.c:1881
#15 0xffffffff809b2edf in ieee80211_newstate_cb (xvap=0xfffff8000e8dd000,
    npending=<value optimized out>)
    at /usr/src/sys/net80211/ieee80211_proto.c:1756
#16 0xffffffff808f5b66 in taskqueue_run_locked (queue=0xfffff8000e8e4600)
    at /usr/src/sys/kern/subr_taskqueue.c:333
#17 0xffffffff808f63e8 in taskqueue_thread_loop (arg=<value optimized out>)
    at /usr/src/sys/kern/subr_taskqueue.c:535
#18 0xffffffff8088198a in fork_exit (
    callout=0xffffffff808f6340 <taskqueue_thread_loop>,
    arg=0xfffffe0000ff60f0, frame=0xfffffe009695fc00)
    at /usr/src/sys/kern/kern_fork.c:995
#19 0xffffffff80c758ce in fork_trampoline ()
    at /usr/src/sys/amd64/amd64/exception.S:606
#20 0x0000000000000000 in ?? ()

frame 0
#0  doadump (textdump=<value optimized out>) at pcpu.h:219
219 pcpu.h: No such file or directory.
in pcpu.h
print doadump
$1 = {int (boolean_t)} 0xffffffff808af6f0 <doadump>

frame 1:
#1  0xffffffff808af530 in kern_reboot (howto=260)
    at /usr/src/sys/kern/kern_shutdown.c:447
447 doadump(TRUE);
print kern_reboot
print kern_reboot
$3 = {void (int)} 0xffffffff808aedf0 <kern_reboot>

frame 2
#2  0xffffffff808af8f4 in panic (fmt=<value optimized out>)
    at /usr/src/sys/kern/kern_shutdown.c:754
754 kern_reboot(bootopt);
(kgdb) print panic
$4 = {void (const char *)} 0xffffffff808af760 <panic>

frame 3
#3  0xffffffff80c8e692 in trap_fatal (frame=<value optimized out>,
    eva=<value optimized out>) at /usr/src/sys/amd64/amd64/trap.c:882
882 panic("%s", trap_msg[type]);
(kgdb) print trap_fatal
$5 = {void (struct trapframe *, vm_offset_t)} 0xffffffff80c8e2f0
<trap_fatal>
(kgdb) frame 4
#4  0xffffffff80c8e969 in trap_pfault (frame=0xfffffe009695f720, usermode=0)
    at /usr/src/sys/amd64/amd64/trap.c:699
699 trap_fatal(frame, eva);
(kgdb) print trap_pfault
$6 = {int (struct trapframe *, int)} 0xffffffff80c8e6a0 <trap_pfault>
(kgdb) frame 5
#5  0xffffffff80c8e0f6 in trap (frame=0xfffffe009695f720)
    at /usr/src/sys/amd64/amd64/trap.c:463
463 (void) trap_pfault(frame, FALSE);
(kgdb) print trap
$7 = {void (struct trapframe *)} 0xffffffff80c8db10 <trap>

frame 6
#6  0xffffffff80c75392 in calltrap ()
    at /usr/src/sys/amd64/amd64/exception.S:232
232 call trap
Current language:  auto; currently asm
(kgdb) print calltrap
$8 = {<text variable, no debug info>} 0xffffffff80c7538a <calltrap>
(kgdb) frame 7
#7  0xffffffff809b1163 in ieee80211_beacon_update (ni=0xfffffe0000ffc000,
    bo=0xfffff8000e8dd9e8, m=0x0, mcast=0) at atomic.h:161
161 atomic.h: No such file or directory.
in atomic.h
Current language:  auto; currently minimal
(kgdb) print ieee80211_beacon_update
$9 = {int (struct ieee80211_node *, struct ieee80211_beacon_offsets *,
    struct mbuf *, int)} 0xffffffff809b1090 <ieee80211_beacon_update>

 frame 8
#8  0xffffffff81a198bc in run_update_beacon (vap=0xfffff8000e8dd000, item=2)
    at /usr/src/sys/modules/usb/run/../../../dev/usb/wlan/if_run.c:3974
3974 ieee80211_beacon_update(vap->iv_bss, &rvp->bo, rvp->beacon_mbuf,
mcast);
(kgdb) print run_update_beacon
$10 = {void (struct ieee80211vap *,
    int)} 0xffffffff81a19750 <run_update_beacon>
(kgdb) frame 9
#9  0xffffffff809b42bd in ieee80211_wme_updateparams_locked (
    vap=0xfffff8000e8dd000) at ieee80211_var.h:814
814 vap->iv_update_beacon(vap, what);
(kgdb) print ieee80211_wme_updateparams_locked
$11 = {void (struct ieee80211vap
     *)} 0xffffffff809b3f90 <ieee80211_wme_updateparams_locked>
(kgdb) frame 10
#10 0xffffffff809b437a in ieee80211_wme_updateparams
(vap=0xfffff8000e8dd000)
    at /usr/src/sys/net80211/ieee80211_proto.c:1150
1150 ieee80211_wme_updateparams_locked(vap);
(kgdb) print ieee80211_wme_updateparams
$12 = {void (struct ieee80211vap
     *)} 0xffffffff809b4320 <ieee80211_wme_updateparams>

frame 11
#11 0xffffffff809b3f43 in ieee80211_wme_initparams (vap=<value optimized
out>)
    at /usr/src/sys/net80211/ieee80211_proto.c:955
955 ieee80211_wme_updateparams(vap);
(kgdb) print ieee80211_wme_initparams
$13 = {void (struct ieee80211vap
     *)} 0xffffffff809b3ca0 <ieee80211_wme_initparams>
(kgdb) frame 12
#12 0xffffffff809a9aec in ieee80211_sta_join1 ()
    at /usr/src/sys/net80211/ieee80211_node.c:741
741 ieee80211_wme_initparams(vap);
(kgdb) print ieee80211_sta_join1
$14 = {int (struct ieee80211_node *)} 0xffffffff809a9a10
<ieee80211_sta_join1>
(kgdb) frame 13
#13 0xffffffff8099047b in hostap_newstate (vap=0xfffff8000e8dd000,
    nstate=<value optimized out>, arg=<value optimized out>)
    at /usr/src/sys/net80211/ieee80211_hostap.c:274
274    ieee80211_ht_adjust_channel(ic,
(kgdb) print hostap_newstate
$15 = {int (struct ieee80211vap *, enum ieee80211_state,
    int)} 0xffffffff80990190 <hostap_newstate>
frame 14
#14 0xffffffff81a1a36a in run_newstate (vap=<value optimized out>,
    nstate=IEEE80211_S_RUN, arg=-1)
    at /usr/src/sys/modules/usb/run/../../../dev/usb/wlan/if_run.c:1881
1881 return(rvp->newstate(vap, nstate, arg));
(kgdb) print run_newstate
$16 = {int (struct ieee80211vap *, enum ieee80211_state,
    int)} 0xffffffff81a19b30 <run_newstate>
(kgdb) frame 15
#15 0xffffffff809b2edf in ieee80211_newstate_cb (xvap=0xfffff8000e8dd000,
    npending=<value optimized out>)
    at /usr/src/sys/net80211/ieee80211_proto.c:1756
1756 rc = vap->iv_newstate(vap, nstate, arg);
(kgdb) print ieee80211_newstate_cb
$17 = {void (void *, int)} 0xffffffff809b2d90 <ieee80211_newstate_cb>
(kgdb) frame 16
#16 0xffffffff808f5b66 in taskqueue_run_locked (queue=0xfffff8000e8e4600)
    at /usr/src/sys/kern/subr_taskqueue.c:333
333 task->ta_func(task->ta_context, pending);
(kgdb) print taskqueue_run_locked
$18 = {void (struct taskqueue *)} 0xffffffff808f5a80 <taskqueue_run_locked>
frame 17
#17 0xffffffff808f63e8 in taskqueue_thread_loop (arg=<value optimized out>)
    at /usr/src/sys/kern/subr_taskqueue.c:535
535 taskqueue_run_locked(tq);
(kgdb) print taskqueue_thread_loop
$19 = {void (void *)} 0xffffffff808f6340 <taskqueue_thread_loop>
(kgdb) frame 18
#18 0xffffffff8088198a in fork_exit (
    callout=0xffffffff808f6340 <taskqueue_thread_loop>,
    arg=0xfffffe0000ff60f0, frame=0xfffffe009695fc00)
    at /usr/src/sys/kern/kern_fork.c:995
995 callout(arg, frame);
(kgdb) print fork_exit
$20 = {void (void (*)(void *, struct trapframe *), void *, struct trapframe
     *)} 0xffffffff808818f0 <fork_exit>
(kgdb) frame 19
#19 0xffffffff80c758ce in fork_trampoline ()
    at /usr/src/sys/amd64/amd64/exception.S:606
606 call fork_exit
Current language:  auto; currently asm
(kgdb) print fork_trampoline
$21 = {<text variable, no debug info>} 0xffffffff80c758c0 <fork_trampoline>
frame 20
#20 0x0000000000000000 in ?? ()

Thanks,

pflynn


On Tue, Jan 28, 2014 at 8:47 PM, Adrian Chadd <adrian@freebsd.org> wrote:

> ok, do 'bt', and see what's being passed into ieee80211_beacon_update.
> Use 'frame X' to switch to frame X, and 'print VARIABLE_NAME' to print
> out the contents of the given variable name.
>
> That mbuf looks like it's NULL, which is odd.
>
> Thanks!
>
>
> -a
>
>
> On 28 January 2014 14:45, Pedro Flynn <pedro.flynn@gmail.com> wrote:
> > OK! This is what I have:
> >
> > list * (0xffffffff809b1163)
> > Undefined command: "".  Try "help".
> > (kgdb) list * (0xffffffff809b1163)
> > 0xffffffff809b1163 is in ieee80211_beacon_update
> > (/usr/src/sys/net80211/ieee80211_output.c:3099).
> > 3094 /* XXX do WME aggressive mode processing? */
> > 3095 IEEE80211_UNLOCK(ic);
> > 3096 return 1; /* just assume length changed */
> > 3097 }
> > 3098
> > 3099 wh = mtod(m, struct ieee80211_frame *);
> > 3100 seqno = ni->ni_txseqs[IEEE80211_NONQOS_TID]++;
> > 3101 *(uint16_t *)&wh->i_seq[0] =
> > 3102 htole16(seqno << IEEE80211_SEQ_SEQ_SHIFT);
> > 3103 M_SEQNO_SET(m, seqno);
> > Current language:  auto; currently minimal
> > (kgdb)
> >
> >
> > (by the way, I'm building a kernel with debug symbols)
> >
> > Thanks,
> >
> > pflynn
> >
> >
> >
> > On Tue, Jan 28, 2014 at 8:34 PM, Adrian Chadd <adrian@freebsd.org>
> wrote:
> >>
> >> Ok, fire up kgdb
> >>
> >> # kgdb /boot/kernel/kernel /var/crash/vmcore.0
> >>
> >> then
> >>
> >> (gdb) list * (0xffffffff809b1163)
> >>
> >> (.. that's the "instruction pointer" at the time of the panic.)
> >>
> >> I bet it's iv_bss.
> >>
> >>
> >>
> >> -a
> >
> >
>