From owner-freebsd-hackers@freebsd.org  Sat Nov 18 05:29:19 2017
Return-Path: <owner-freebsd-hackers@freebsd.org>
Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 81690DEEE3C
 for <freebsd-hackers@mailman.ysv.freebsd.org>;
 Sat, 18 Nov 2017 05:29:19 +0000 (UTC)
 (envelope-from khanzf@gmail.com)
Received: from mail-qt0-x229.google.com (mail-qt0-x229.google.com
 [IPv6:2607:f8b0:400d:c0d::229])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 5267C638D0
 for <freebsd-hackers@freebsd.org>; Sat, 18 Nov 2017 05:29:19 +0000 (UTC)
 (envelope-from khanzf@gmail.com)
Received: by mail-qt0-x229.google.com with SMTP id p44so9342501qtj.6
 for <freebsd-hackers@freebsd.org>; Fri, 17 Nov 2017 21:29:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=from:subject:to:message-id:date:user-agent:mime-version
 :content-language:content-transfer-encoding;
 bh=6CftM72KHT7eGWJBBF4xVpN36BtnMNKmhmpSAZtAmKM=;
 b=ud9FFsaP/mFccRLEAH7r0AENmV31kpY6p5v2khHcnjZpIJ1NVRsB0ZY2glPcpHH50G
 WVJeka5b81tdZXeUp8//pDYpz/Nz5o/4t8OY43eiAWREmdzv8WF/VV2d+NnYYhLCX8Rw
 V5ar0f7CvS19o4LVixYyBXrjac2zpLAPFyqO7/ngNVsR0teQ5vpaAT73JUa86qS0IXlN
 qAv+AM+Kf9O5f54MpWM2IWGoJLo5E4I7/PhkjKwyeRo2nflbvGoWqh+NOwDRWpYULeFh
 /YPMkEubemBEKxFb0DM3RLSSWt63uEWyDGVSx0JAJSgp74MeGZEm5as4eL1+n3yrYtQJ
 o/Ew==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:subject:to:message-id:date:user-agent
 :mime-version:content-language:content-transfer-encoding;
 bh=6CftM72KHT7eGWJBBF4xVpN36BtnMNKmhmpSAZtAmKM=;
 b=oK+Drrxdw8E0/R+LFcC0XXFQ4Il4N5wqAvQfsONCsIAlia78/yFaScSfu6/whTMaB6
 ZRuMA4Tc9HuMfpoPwVS9aw+rfdP5G3ZFQkx9HCBXDYERRKTStFfdPa17oGwjCH0wdGng
 iIjAMqgxr9B9W2Qu4/oSV3yC4P7uIysAPVTJI371o3uacHfQGknRRGefMGiSRrWzyPLo
 ZtTtuzaHx2WG1xi6dESkSnGowvBJFkuR3f5SgSPLNEKyQ4nNnmHQgkFzPzllu7+9S+2k
 +bW+sLj2Sqgh9lOViKCyfctCJLXWiVSMtUHGax0R5ZpX4KNkxfnlEVBHA389xfxLS+6y
 +CoA==
X-Gm-Message-State: AJaThX6WGR1z/ZCaLMAcl5Mz0g4LWWPvfzHx/RDoVkQyTmLNEj3M/cW2
 LxCPN5R7oCdYrgQhabqa4AAe9zUb
X-Google-Smtp-Source: AGs4zMYGeJlIhazbaSMAFCXyQnTeJ1nu+c2k/BTzFMsXdTVSueDRwyb7F8LmbbSJqvHne8bDEUdYXA==
X-Received: by 10.200.8.11 with SMTP id u11mr12708285qth.315.1510982957984;
 Fri, 17 Nov 2017 21:29:17 -0800 (PST)
Received: from pc.farhan.codes ([2001:470:8:209::dead:c0de])
 by smtp.gmail.com with ESMTPSA id p52sm3821543qtc.72.2017.11.17.21.29.16
 for <freebsd-hackers@freebsd.org>
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Fri, 17 Nov 2017 21:29:16 -0800 (PST)
From: Farhan Khan <khanzf@gmail.com>
Subject: Tracking down null pointer reference via kgdb
To: freebsd-hackers@freebsd.org
Message-ID: <407cc5f0-fbd8-5e35-1f1d-2e34a5f8e219@gmail.com>
Date: Sat, 18 Nov 2017 00:29:16 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.4.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.25
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
 <freebsd-hackers.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-hackers>, 
 <mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers/>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-hackers>, 
 <mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Nov 2017 05:29:19 -0000

Hi all,

I am working on a driver and getting a kernel panic in an unexpected 
place. A quick kgdb shows me that the panic occurs at line #9, called by 
rtwn_fw_loadpage. Looking up rtwn_fw_load shows a function pointer calle 
that is essentially sc->sc_fw_write_block.

While this is where the bug triggers, I see that in line 
r92ce_iq_calib_chain the sc pointer becomes 0x0. However, I have not 
been able to trace down what caused this. Moreover, I traced the code, 
but cannot even find a connection from r92ce_iq_calib_run (the calling 
function) to r92ce_iq_calib_chain, where the sc variable appears to 
become corrupted.

My printf debugging clearly shows that it is set at one point, but then 
later becomes 0x0.

Is there a way to track this down, either in kgdb or ddb?

Thanks,
Farhan

-------------------
(kgdb) where
#0  __curthread () at ./machine/pcpu.h:232
#1  doadump (textdump=1) at /usr/src/sys/kern/kern_shutdown.c:318
#2  0xffffffff80a64d15 in kern_reboot (howto=260) at 
/usr/src/sys/kern/kern_shutdown.c:386
#3  0xffffffff80a65306 in vpanic (fmt=<optimized out>, 
ap=0xfffffe0119c49480)
     at /usr/src/sys/kern/kern_shutdown.c:779
#4  0xffffffff80a65353 in panic (fmt=<unavailable>) at 
/usr/src/sys/kern/kern_shutdown.c:710
#5  0xffffffff80ef0add in trap_fatal (frame=0xfffffe0119c49720, eva=0) 
at /usr/src/sys/amd64/amd64/trap.c:799
#6  0xffffffff80ef0b52 in trap_pfault (frame=0xfffffe0119c49720, 
usermode=0) at /usr/src/sys/amd64/amd64/trap.c:653
#7  0xffffffff80ef0315 in trap (frame=0xfffffe0119c49720) at 
/usr/src/sys/amd64/amd64/trap.c:420
#8  <signal handler called>
#9  0x0000000000000000 in ?? ()
#10 0xffffffff82c23004 in rtwn_fw_loadpage (sc=0x0, buf=<optimized out>, 
len=0, page=<optimized out>)
     at /usr/src/sys/dev/rtwn/if_rtwn_fw.c:66
#11 rtwn_load_firmware (sc=<optimized out>) at 
/usr/src/sys/dev/rtwn/if_rtwn_fw.c:182
#12 0xffffffff82c47c91 in r92ce_iq_calib_write_results (sc=0x0, tx=0x0, 
rx=0xfffffe00092d9000,
     chain=<optimized out>) at 
/usr/src/sys/dev/rtwn/rtl8192c/pci/r92ce_calib.c:325
#13 0xffffffff82c474a3 in r92ce_iq_calib_chain (sc=0x0, 
tx=0xfffffe0100c49a60, rx=0xfffffe01191fe000,
     chain=<optimized out>) at 
/usr/src/sys/dev/rtwn/rtl8192c/pci/r92ce_calib.c:117
#14 r92ce_iq_calib_run (sc=<optimized out>, n=<optimized out>, 
tx=<optimized out>, rx=<optimized out>,
     vals=<optimized out>) at 
/usr/src/sys/dev/rtwn/rtl8192c/pci/r92ce_calib.c:225
#15 r92ce_iq_calib (sc=<optimized out>) at 
/usr/src/sys/dev/rtwn/rtl8192c/pci/r92ce_calib.c:368
#16 0xffffffff82c47329 in r92ce_iq_calib_run (sc=<optimized out>, 
n=<optimized out>, tx=<optimized out>,
     rx=<optimized out>, vals=<optimized out>) at 
/usr/src/sys/dev/rtwn/rtl8192c/pci/r92ce_calib.c:218
#17 r92ce_iq_calib (sc=0x219c49afc) at 
/usr/src/sys/dev/rtwn/rtl8192c/pci/r92ce_calib.c:368
#18 0xffffffff80a29af9 in intr_event_execute_handlers (p=<optimized 
out>, ie=0xfffff80004cce000)
     at /usr/src/sys/kern/kern_intr.c:1336
#19 0xffffffff80a2a1e6 in ithread_execute_handlers (ie=<optimized out>, 
p=<optimized out>)
     at /usr/src/sys/kern/kern_intr.c:1349
#20 ithread_loop (arg=0xfffff80004cb7040) at 
/usr/src/sys/kern/kern_intr.c:1430
#21 0xffffffff80a26ef4 in fork_exit (callout=0xffffffff80a2a130 
<ithread_loop>, arg=0xfffff80004cb7040,
     frame=0xfffffe0119c49c00) at /usr/src/sys/kern/kern_fork.c:1044
#22 <signal handler called>
-------------------