ral(4) crashed the kernel

From: Arnaud LACOMBE <lists-freebsd_at_sigfpe.info>
Date: Mon, 20 Mar 2006 22:17:56 +0100
Hi,

Two weeks ago I bought a D-Link DWL-G630 wireless card for my laptop,
hoping it would be supported by -current. The card is based on a Ralink
chipset; here is the full dmesg:

 cardbus0: CIS pointer is 0x601
 cardbus0: CIS in BAR 0x10
 cardbus0: Expecting link target, got 0x0
 ral0: <Ralink Technology RT2561> mem 0x88000000-0x88007fff at device 0.0 on cardbus0
 ral0: MAC/BBP RT2661B, RF RT2527
 ral0: Ethernet address: 00:xx:xx:xx:xx:xx
[Author's note: the CIS information is not really long compared to the other cardbus
cards I use]

As you can see, the ral(4) device attaches correctly. Then I played
with ifconfig's options, and the crash occurred when I launched the
following command:

# ifconfig ral0 media OFDM24
(the crash also occurred earlier when I specified 'OFDM54')

After the computer rebooted, I got the following crash dump:

kdb_backtrace(1,c19dd8d0,c,c19de1b0,c8378c3c) at kdb_backtrace+0x29
witness_warn(5,0,c08bc752) at witness_warn+0x192
trap(c0680008,c09a0028,28,c1ab5400,0) at trap+0x108
calltrap() at calltrap+0x5
--- trap 0xc, eip = 0xc06f003d, esp = 0xc8378c84, ebp = 0xc8378c90 ---
ieee80211_free_node(0,c1bde004,c1bde000,1,0) at ieee80211_free_node+0x9
rt2661_tx_intr(c1bde000) at rt2661_tx_intr+0x10d
rt2661_intr(c1bde000,c1c61440,c8378cec,c0651336,c1a055c0) at rt2661_intr+0x17e
cbb_func_intr(c1a055c0) at cbb_func_intr+0x45
ithread_execute_handlers(c19dd8d0,c192f880) at ithread_execute_handlers+0xea
ithread_loop(c19e80c0,c8378d38) at ithread_loop+0x67
fork_exit(c0651408,c19e80c0,c8378d38) at fork_exit+0xa4
fork_trampoline() at fork_trampoline+0x8
--- trap 0x1, eip = 0, esp = 0xc8378d6c, ebp = 0 ---

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x4
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc06f003d
stack pointer           = 0x28:0xc8378c84
frame pointer           = 0x28:0xc8378c90
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 19 (irq10: cbb0 ral0+)
panic: from debugger

A backtrace gives me the following:

(kgdb) bt
#0  doadump () at pcpu.h:166
#1  0xc0664b8c in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:402
#2  0xc0664ea1 in panic (fmt=0xc085dcdf "from debugger") at /usr/src/sys/kern/kern_shutdown.c:558
#3  0xc046bc41 in db_panic (addr=-1066467267, have_addr=0, count=-1, modif=0xc8378a8c "") at /usr/src/sys/ddb/db_command.c:426
#4  0xc046bbd8 in db_command (last_cmdp=0xc0949a84, cmd_table=0x0) at /usr/src/sys/ddb/db_command.c:395
#5  0xc046bc96 in db_command_loop () at /usr/src/sys/ddb/db_command.c:446
#6  0xc046d8ad in db_trap (type=12, code=0) at /usr/src/sys/ddb/db_main.c:221
#7  0xc067f7e8 in kdb_trap (type=12, code=0, tf=0xc8378c44) at /usr/src/sys/kern/subr_kdb.c:485
#8  0xc0821278 in trap_fatal (frame=0xc8378c44, eva=4) at /usr/src/sys/i386/i386/trap.c:861
#9  0xc08208ff in trap (frame=
      {tf_fs = -1066926072, tf_es = -1063649240, tf_ds = 40, tf_edi = -1045736448, tf_esi = 0, tf_ebp = -935883632, tf_isp = -935883664, tf_ebx = -1044517792, tf_edx = 0, tf_ecx = 3329, tf_eax = 0, tf_trapno = 12, tf_err = 0, tf_eip = -1066467267, tf_cs = 32, tf_eflags = 66054, tf_esp = -1044517792, tf_ss = -1046534116})
    at /usr/src/sys/i386/i386/trap.c:279
#10 0xc080d21a in calltrap () at /usr/src/sys/i386/i386/exception.s:137
#11 0xc06f003d in ieee80211_free_node (ni=0x0) at /usr/src/sys/net80211/ieee80211_node.c:1600
#12 0xc05addf1 in rt2661_tx_intr (sc=0xc1bde000) at /usr/src/sys/dev/ral/rt2661.c:996
#13 0xc05ae46a in rt2661_intr (arg=0xc1bde000) at /usr/src/sys/dev/ral/rt2661.c:1245
#14 0xc059562d in cbb_func_intr (arg=0xc1a055c0) at /usr/src/sys/dev/pccbb/pccbb.c:644
#15 0xc0651336 in ithread_execute_handlers (p=0xc19dd8d0, ie=0xc192f880) at /usr/src/sys/kern/kern_intr.c:662
#16 0xc065146f in ithread_loop (arg=0xc19e80c0) at /usr/src/sys/kern/kern_intr.c:745
#17 0xc06505fc in fork_exit (callout=0xc0651408 <ithread_loop>, arg=0xc19e80c0, frame=0xc8378d38) at /usr/src/sys/kern/kern_fork.c:802
#18 0xc080d27c in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:198

The crash seems to be triggered at the beginning of
ieee80211_free_node() in /usr/src/sys/net80211/ieee80211_node.c, which is
called from rt2661_tx_intr() with ni = NULL.

1594 void
1595 #ifdef IEEE80211_DEBUG_REFCNT
1596 ieee80211_free_node_debug(struct ieee80211_node *ni, const char *func, int line)
1597 #else
1598 ieee80211_free_node(struct ieee80211_node *ni)
1599 #endif
1600 {
1601         struct ieee80211_node_table *nt = ni->ni_table;
1602 

I can provide a crash dump if needed.

Arnaud

PS: could you please add me in CC: when you reply? I am not following
freebsd-current_at_... yet.
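An added illustration of the failure mode reported above, not code from the post or from the ral(4)/net80211 sources: a constructed transmit-completion loop in which a finished slot may carry no node pointer, alongside the NULL check that keeps the release path from dereferencing it. The struct layouts and function names (node, tx_slot, free_node, tx_intr_hardened, run_demo) are stand-ins, not the kernel's.

```c
#include <stddef.h>

/* Constructed stand-in for the net80211 node (not the real layout). */
struct node {
    int   refcnt;
    void *table;      /* the member ieee80211_free_node() reads first */
};

/* One transmit-ring slot: the node the queued frame was addressed to. */
struct tx_slot {
    int          pending;
    struct node *ni;  /* may be NULL when no node was attached */
};

/* Mirrors the opening of ieee80211_free_node(): dereferences ni at once,
 * so a NULL ni faults at a small offset (0x4 in the trap above). */
static int free_node(struct node *ni)
{
    void *table = ni->table;
    (void)table;
    return --ni->refcnt;
}

/* Hardened completion handler: completed slots without a node are skipped
 * instead of being handed to free_node(). Returns nodes released. */
int tx_intr_hardened(struct tx_slot *ring, size_t n)
{
    int released = 0;
    for (size_t i = 0; i < n; i++) {
        if (!ring[i].pending)
            continue;
        ring[i].pending = 0;
        if (ring[i].ni == NULL)   /* the check the faulting path lacks */
            continue;
        free_node(ring[i].ni);
        ring[i].ni = NULL;
        released++;
    }
    return released;
}

/* Drives the handler over a constructed ring holding one node-less completion. */
int run_demo(void)
{
    struct node sta = { 2, NULL };
    struct tx_slot ring[3] = { { 1, &sta }, { 1, NULL }, { 0, &sta } };
    int released = tx_intr_hardened(ring, 3);
    return released * 10 + sta.refcnt;   /* 1 released, refcnt 2 -> 1 */
}
```

Without the NULL check, the second slot reproduces the trap in the report: the first field read through a NULL node pointer lands a few bytes past address 0.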
Received on Mon Mar 20 2006 - 20:16:48 UTC
