Bug 123968 - [rum] [panic] rum driver causes kernel panic with WPA.
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 7.0-RELEASE
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: freebsd-bugs (Nobody)
Reported: 2008-05-25 01:00 UTC by Jonny Crook
Modified: 2018-12-09 14:02 UTC
Description Jonny Crook 2008-05-25 01:00:06 UTC
Using a Ralink rt73 chipset USB wireless dongle with WPA causes a kernel panic after a few minutes of network activity, e.g. downloading a file.

/var/crash/info.2 :
Dump header from device /dev/ad4s2b
  Architecture: i386
  Architecture Version: 2
  Dump Length: 113614848B (108 MB)
  Blocksize: 512
  Dumptime: Sat May 24 23:33:45 2008
  Hostname: 
  Magic: FreeBSD Kernel Dump
  Version String: FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 UTC 2008
    root@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC
  Panic String: page fault
  Dump Parity: 3141769591
  Bounds: 2
  Dump Status: good


kgdb on the dumped image:

GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd".

Unread portion of the kernel message buffer:


Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address	= 0x12
fault code		= supervisor read, page not present
instruction pointer	= 0x20:0xc06b9e7a
stack pointer	        = 0x28:0xe45cebe4
frame pointer	        = 0x28:0xe45cebfc
code segment		= base rx0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, def32 1, gran 1
processor eflags	= interrupt enabled, resume, IOPL = 0
current process		= 23 (irq23: uhci0 ehci0)
trap number		= 12
panic: page fault
cpuid = 0
Uptime: 3m47s
Physical memory: 1011 MB
Dumping 108 MB: 93 77 61 45 29 13

#0  doadump () at pcpu.h:195
	in pcpu.h
(kgdb) list *0xc06b9e7a
0xc06b9e7a is in rum_txeof (/usr/src/sys/dev/usb/if_rum.c:842).
837     {
838             struct rum_tx_data *data = priv;
839             struct rum_softc *sc = data->sc;
840             struct ifnet *ifp = sc->sc_ic.ic_ifp;
841
842             if (data->m->m_flags & M_TXCB)
843                     ieee80211_process_callback(data->ni, data->m,
844                             status == USBD_NORMAL_COMPLETION ? 0 : ETIMEDOUT);
845
846             if (status != USBD_NORMAL_COMPLETION) {
(kgdb)


I'm very new to FreeBSD, I do not have the knowledge to create a patch. I hope the aforementioned information helps however!

If any more information is needed, do ask. I can even upload the vmcore file, although it may contain sensitive information.

Many thanks,
Jonny.

How-To-Repeat: Use WPA supplicant, with WPA TKIP, authenticate with an AP, download a file over the wireless (or other network activity) and within minutes a kernel panic will occur.
Comment 1 Jonny Crook 2008-05-25 14:31:31 UTC
I have looked into the issue further.

Using a different wireless adapter (still ralink, but a ralink 2500) 
which uses the 'ural' driver, I still get a kernel panic in exactly the 
same manner.

Unread portion of the kernel message buffer:


Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x12
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc06b4e0a
stack pointer           = 0x28:0xe45cebe4
frame pointer           = 0x28:0xe45cebfc
code segment            = base rx0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 23 (irq23: uhci0 ehci0)
trap number             = 12
panic: page fault
cpuid = 0
Uptime: 10m40s
Physical memory: 1011 MB
Dumping 136 MB: 121 105 89 73 57 41 25 9

#0  doadump () at pcpu.h:195
195     pcpu.h: No such file or directory.
        in pcpu.h
(kgdb) list *0xc06b4e0a
0xc06b4e0a is in ural_txeof (/usr/src/sys/dev/usb/if_ural.c:881).
876     {
877             struct ural_tx_data *data = priv;
878             struct ural_softc *sc = data->sc;
879             struct ifnet *ifp = sc->sc_ic.ic_ifp;
880
881             if (data->m->m_flags & M_TXCB)
882                     ieee80211_process_callback(data->ni, data->m,
883                             status == USBD_NORMAL_COMPLETION ? 0 : ETIMEDOUT);
884             if (status != USBD_NORMAL_COMPLETION) {
885                     if (status == USBD_NOT_STARTED || status == USBD_CANCELLED)
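
A triage helper for the two panics quoted in the description and in Comment 1, added here as an example and not part of the original report or of FreeBSD: it parses the trap fields and checks whether both crashes share one signature. The sample text is constructed from the fields quoted above, and treating a fault address below one page as "near NULL" (a NULL base pointer plus a field offset) is a heuristic assumed by this example, not a diagnosis made in the thread.

```python
import re

PAGE_SIZE = 4096  # assumption: i386 page size; lower addresses count as "near NULL"

# Constructed sample: trap fields copied from the two reports, trimmed.
SAMPLE = """\
Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x12
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc06b9e7a
current process         = 23 (irq23: uhci0 ehci0)
Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x12
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc06b4e0a
current process         = 23 (irq23: uhci0 ehci0)
"""

FIELD = re.compile(r"^([a-z ]+?)\s*=\s*(.+)$")

def parse_traps(text):
    """Split a message buffer into one dict of fields per 'Fatal trap' block."""
    traps = []
    for line in text.splitlines():
        if line.startswith("Fatal trap"):
            traps.append({"trap": line.strip()})
            continue
        m = FIELD.match(line.strip())
        if traps and m:
            traps[-1].setdefault(m.group(1).strip(), m.group(2).strip())
    return traps

def classify(trap):
    """Heuristic: a fault below PAGE_SIZE looks like NULL base + field offset."""
    addr = int(trap["fault virtual address"], 16)
    ip = int(trap["instruction pointer"].split(":")[1], 16)
    return {"fault_addr": addr, "ip": ip, "near_null": addr < PAGE_SIZE,
            "context": trap.get("current process", "?")}

def same_signature(a, b):
    """Two panics match when fault address, access type and context agree."""
    keys = ("fault virtual address", "fault code", "current process")
    return all(a.get(k) == b.get(k) for k in keys)

if __name__ == "__main__":
    traps = parse_traps(SAMPLE)
    for t in traps:
        print(classify(t))
    print("same signature:", same_signature(*traps))
```

The instruction pointers differ because the faults are in two different drivers (`rum_txeof` and `ural_txeof`), while the remaining fields agree.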
Comment 2 Mark Linimon freebsd_committer freebsd_triage 2008-05-26 01:41:22 UTC
Responsible Changed
From-To: freebsd-bugs->freebsd-net

Over to maintainer(s), although this sounds like it might not be 
specific to this one driver.
Comment 3 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 07:59:27 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped
Comment 4 Andriy Voskoboinyk freebsd_committer freebsd_triage 2018-12-09 14:02:10 UTC
This code path was rewritten in base r287197 (moves frame post-processing into ieee80211_tx_complete).