From owner-freebsd-usb@FreeBSD.ORG Tue Mar 6 20:50:09 2007 Return-Path: X-Original-To: freebsd-usb@hub.freebsd.org Delivered-To: freebsd-usb@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id E5C0416A409 for ; Tue, 6 Mar 2007 20:50:09 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40]) by mx1.freebsd.org (Postfix) with ESMTP id 9128013C4A8 for ; Tue, 6 Mar 2007 20:50:09 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id l26Ko9PT099698 for ; Tue, 6 Mar 2007 20:50:09 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id l26Ko98j099697; Tue, 6 Mar 2007 20:50:09 GMT (envelope-from gnats) Date: Tue, 6 Mar 2007 20:50:09 GMT Message-Id: <200703062050.l26Ko98j099697@freefall.freebsd.org> To: freebsd-usb@FreeBSD.org From: Jonathan Fosburgh Cc: Subject: Re: kern/92083: [ural] [panic] panic using WPA on ural NIC in 6.2-RELEASE X-BeenThere: freebsd-usb@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Jonathan Fosburgh List-Id: FreeBSD support for USB List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 06 Mar 2007 20:50:10 -0000 The following reply was made to PR kern/92083; it has been noted by GNATS. From: Jonathan Fosburgh To: Sam Leffler Cc: Anders Nordby , bug-followup@freebsd.org Subject: Re: kern/92083: [ural] [panic] panic using WPA on ural NIC in 6.2-RELEASE Date: Tue, 6 Mar 2007 14:47:15 -0600 On Monday 12 February 2007 11:27, Sam Leffler wrote: > > The last I heard about any of this stuff your problems were related to > usb xfer stalls. If this no longer true then please provide me with a > recipe for recreating the issue. If it's a driver/net80211 issue I will > try to fix it. If it's in the usb subsystem it's unlikely I'm going to > pursue it. > I finally obtained what may be a useful kernel panic. I recompiled with the wlan/ural stuff in-kernel versus as modules (can someone put together, in one place, how to debug a kernel with modules? There is documentation in a few places, but it is geared to developers, and not end-users. That is fine for -CURRENT, but the issue is the same on -STABLE and the mainline releases.) So far I have captured one dump with this configuration. I will see if it crashes anymore throughout the day before I switch over to a working configuration. To reiterate: ural0: on uh ub7 ural0: MAC/BBP RT2570 (rev 0x05), RF RT2526 ural0: using obsoleted if_watchdog interface ural0: Ethernet address: 00:d0:41:a1:09:78 ural0: if_start running deferred for Giant and FreeBSD asgard.fosburgh.org 7.0-CURRENT FreeBSD 7.0-CURRENT #34: Tue Mar 6 08:07:37 CST 2007 toor@asgard.fosburgh.org:/usr/obj/usr/src/sys/vmbsd amd64 When configuring the NIC using wep in ifconfig, it is stable. When using wpa_supplicant (even in WEP-mode) the driver is unstable and panics the system. It does not appear to be under any particular load condition. I often find the system has rebooted while I have been away and there is no particular network load above background that I am aware of (emails being received, etc). Here is the panic: --# kgdb kernel.debug /usr/crash/vmcore.9 kgdb: kvm_nlist(_stopped_cpus): kgdb: kvm_nlist(_stoppcbs): [GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"] GNU gdb 6.1.1 [FreeBSD] Copyright 2004 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "amd64-marcel-freebsd". Unread portion of the kernel message buffer: Fatal trap 12: page fault while in kernel mode fault virtual address = 0x8 fault code = supervisor read data, page not present instruction pointer = 0x8:0xffffffff802ee415 stack pointer = 0x10:0xffffffff9212ba70 frame pointer = 0x10:0x0 code segment = base 0x0, limit 0xfffff, type 0x1b = DPL 0, pres 1, long 1, def32 0, gran 1 processor eflags = interrupt enabled, resume, IOPL = 0 current process = 33 (irq21: uhci0 uhci*) trap number = 12 panic: page fault Uptime: 5h13m37s Physical memory: 504 MB Dumping 78 MB: 63 47 31 15 #0 doadump () at pcpu.h:141 141 __asm __volatile("movq %%gs:0,%0" : "=r" (td)); where: #0 doadump () at pcpu.h:141 #1 0x0000000000000004 in ?? () #2 0xffffffff80243519 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409 #3 0xffffffff80243afe in panic (fmt=0xffffff001ebf1560 "") at /usr/src/sys/kern/kern_shutdown.c:563 #4 0xffffffff8037e022 in trap_fatal (frame=0xffffffff9212b9c0, eva=8) at /usr/src/sys/amd64/amd64/trap.c:696 #5 0xffffffff8037e392 in trap_pfault (frame=0xffffffff9212b9c0, usermode=0) at /usr/src/sys/amd64/amd64/trap.c:614 #6 0xffffffff8037e625 in trap (frame=0xffffffff9212b9c0) at /usr/src/sys/amd64/amd64/trap.c:382 #7 0xffffffff80368fae in calltrap () at /usr/src/sys/amd64/amd64/exception.S:169 #8 0xffffffff802ee415 in ieee80211_free_node (ni=0x0) at /usr/src/sys/net80211/ieee80211_node.c:1602 #9 0xffffffff801cb131 in ural_txeof (xfer=0x0, priv=0xffffffff80a40ec0, status=USBD_NORMAL_COMPLETION) at /usr/src/sys/dev/usb/if_ural.c:890 #10 0xffffffff801e1ca3 in usb_transfer_complete (xfer=0xffffff000099d000) at /usr/src/sys/dev/usb/usbdi.c:983 #11 0xffffffff801c46db in ehci_softintr (v=0x0) at /usr/src/sys/dev/usb/ehci.c:872 #12 0xffffffff801c30d9 in ehci_intr1 (sc=0xffffff000094c000) at /usr/src/sys/dev/usb/ehci.c:591 #13 0xffffffff8022e28d in ithread_loop (arg=0xffffff0000945780) at /usr/src/sys/kern/kern_intr.c:682 #14 0xffffffff8022cd79 in fork_exit ( callout=0xffffffff8022e150 , arg=0xffffff0000945780, frame=0xffffffff9212bc90) at /usr/src/sys/kern/kern_fork.c:814 #15 0xffffffff8036931e in fork_trampoline () at /usr/src/sys/amd64/amd64/exception.S:397 #16 0x0000000000000000 in ?? () #17 0x0000000000000000 in ?? () #18 0x0000000000000001 in ?? () #19 0x0000000000000000 in ?? () #20 0x0000000000000000 in ?? () #21 0x0000000000000000 in ?? () #22 0x0000000000000000 in ?? () #23 0x0000000000000000 in ?? () #24 0x0000000000000000 in ?? () #25 0x0000000000000000 in ?? () #26 0x0000000000000000 in ?? () #27 0x0000000000000000 in ?? () #28 0x0000000000000000 in ?? () #29 0x0000000000000000 in ?? () #30 0x0000000000000000 in ?? () #31 0x0000000000000000 in ?? () #32 0x0000000000000000 in ?? () #33 0x0000000000000000 in ?? () #34 0x0000000000000000 in ?? () #35 0x0000000000000000 in ?? () #36 0x0000000000000000 in ?? () #37 0x0000000000000000 in ?? () #38 0x0000000000000000 in ?? () #39 0x0000000000000000 in ?? () #40 0x0000000000800000 in ?? () #41 0xffffff001ebf1560 in ?? () #42 0x0000000000000000 in ?? () #43 0x0000000000000001 in ?? () #44 0x0000000000000000 in ?? () #45 0xffffff0016929810 in ?? () #46 0xffffffff9212bbc8 in ?? () #47 0xffffff001ebf1560 in ?? () #48 0xffffffff8025faf0 in sched_switch (td=0xffffff0000945780, newtd=0x0, flags=0) at /usr/src/sys/kern/sched_ule.c:1472 #49 0x0000000000000000 in ?? () #50 0x0000000000000000 in ?? () #51 0x0000000000000000 in ?? () #52 0x0000000000000000 in ?? () #53 0x0000000000000000 in ?? () #54 0x0000000000000000 in ?? () #55 0x0000000000000000 in ?? () #56 0x0000000000000000 in ?? () #57 0x0000000000000000 in ?? () #58 0x0000000000000000 in ?? () #59 0x0000000000000000 in ?? () #60 0x0000000000000000 in ?? () #61 0x0000000000000000 in ?? () #62 0x0000000000000000 in ?? () #63 0x0000000000000000 in ?? () #64 0x0000000000000000 in ?? () #65 0x0000000000000000 in ?? () #66 0x0000000000000000 in ?? () #67 0x0000000000000000 in ?? () #68 0x0000000000000000 in ?? () #69 0x0000000000000000 in ?? () #70 0x0000000000000000 in ?? () #71 0x0000000000000000 in ?? () #72 0x0000000000000000 in ?? () #73 0x0000000000000000 in ?? () #74 0x0000000000000000 in ?? () #75 0x0000000000000000 in ?? () #76 0x0000000000000000 in ?? () #77 0x0000000000000000 in ?? () #78 0x0000000000000000 in ?? () #79 0x0000000000000000 in ?? () #80 0x0000000000000000 in ?? () #81 0x0000000000000000 in ?? () #82 0x0000000000000000 in ?? () #83 0x0000000000000000 in ?? () #84 0x0000000000000000 in ?? () #85 0x0000000000000000 in ?? () #86 0x0000000000000000 in ?? () #87 0x0000000000000000 in ?? () #88 0x0000000000000000 in ?? () #89 0x0000000000000000 in ?? () #90 0x0000000000000000 in ?? () #91 0x0000000000000000 in ?? () #92 0x0000000000000000 in ?? () #93 0x0000000000000000 in ?? () #94 0x0000000000000000 in ?? () #95 0x0000000000000000 in ?? () #96 0x0000000000000000 in ?? () #97 0x0000000000000000 in ?? () #98 0x0000000000000000 in ?? () #99 0x0000000000000000 in ?? () #100 0x0000000000000000 in ?? () #101 0x0000000000000000 in ?? () #102 0x0000000000000000 in ?? () #103 0x0000000000000000 in ?? () #104 0x0000000000000000 in ?? () #105 0x0000000000000000 in ?? () #106 0x0000000000000000 in ?? () #107 0x0000000000000000 in ?? () #108 0x0000000000000000 in ?? () #109 0x0000000000000000 in ?? () #110 0x0000000000000000 in ?? () #111 0x0000000000000000 in ?? () #112 0x0000000000000000 in ?? () #113 0x0000000000000000 in ?? () #114 0x0000000000000000 in ?? () #115 0x0000000000000000 in ?? () #116 0x0000000000000000 in ?? () #117 0x0000000000000000 in ?? () #118 0x0000000000000000 in ?? () #119 0x0000000000000000 in ?? () #120 0x0000000000000000 in ?? () #121 0x0000000000000000 in ?? () #122 0x0000000000000000 in ?? () Cannot access memory at address 0xffffffff9212c000 The instruction pointer matches to: #8 0xffffffff802ee415 in ieee80211_free_node (ni=0x0) at /usr/src/sys/net80211/ieee80211_node.c:1602 Line 1602 is an open brace. Here is the section of the file, starting at line 1597: 1597 #ifdef IEEE80211_DEBUG_REFCNT 1598 ieee80211_free_node_debug(struct ieee80211_node *ni, const char *func, i nt line) 1599 #else 1600 ieee80211_free_node(struct ieee80211_node *ni) 1601 #endif 1602 { 1603 struct ieee80211_node_table *nt = ni->ni_table; 1604 1605 #ifdef IEEE80211_DEBUG_REFCNT 1606 IEEE80211_DPRINTF(ni->ni_ic, IEEE80211_MSG_NODE, 1607 "%s (%s:%u) %p<%s> refcnt %d\n", __func__, func, line, n i, 1608 ether_sprintf(ni->ni_macaddr), ieee80211_node_refcnt(ni )-1); 1609 #endif 1610 if (nt != NULL) { 1611 IEEE80211_NODE_LOCK(nt); 1612 if (ieee80211_node_dectestref(ni)) { 1613 /* 1614 * Last reference, reclaim state. 1615 */ 1616 _ieee80211_free_node(ni); 1617 } else if (ieee80211_node_refcnt(ni) == 1 && 1618 nt->nt_keyixmap != NULL) { 1619 ieee80211_keyix keyix; 1620 /* 1621 * Check for a last reference in the key mapping table. 1622 */ 1623 keyix = ni->ni_ucastkey.wk_rxkeyix; 1624 if (keyix < nt->nt_keyixmax && 1625 nt->nt_keyixmap[keyix] == ni) { 1626 IEEE80211_DPRINTF(ni->ni_ic, IEEE80211_M SG_NODE, 1627 "%s: %p<%s> clear key map entry", __func__, 1628 ni, ether_sprintf(ni->ni_macaddr)); 1629 nt->nt_keyixmap[keyix] = NULL; 1630 ieee80211_node_decref(ni); /* XXX needed ? */ 1631 _ieee80211_free_node(ni); 1632 } 1633 } 1634 IEEE80211_NODE_UNLOCK(nt); 1635 } else { 1636 if (ieee80211_node_dectestref(ni)) 1637 _ieee80211_free_node(ni); 1638 } 1639 }