NetBSD Problem Report #52553
From gson@gson.org Mon Sep 18 16:04:25 2017
Return-Path: <gson@gson.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id B63007A211
for <gnats-bugs@gnats.NetBSD.org>; Mon, 18 Sep 2017 16:04:25 +0000 (UTC)
Message-Id: <20170918160417.BF8CA989281@guava.gson.org>
Date: Mon, 18 Sep 2017 19:04:17 +0300 (EEST)
From: gson@gson.org (Andreas Gustafsson)
Reply-To: gson@gson.org (Andreas Gustafsson)
To: gnats-bugs@NetBSD.org
Subject: Panic on "ifconfig athn0 up"
X-Send-Pr-Version: 3.95
>Number: 52553
>Category: kern
>Synopsis: Panic on "ifconfig athn0 up"
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: skrll
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Sep 18 16:05:00 +0000 2017
>Closed-Date: Sun Sep 24 14:59:31 +0000 2017
>Last-Modified: Mon Oct 23 19:20:00 +0000 2017
>Originator: Andreas Gustafsson
>Release: NetBSD-current, source date 2017.09.06.18.21.17
>Organization:
>Environment:
System: NetBSD
Architecture: i386
Machine: i386
>Description:
While trying to reproduce PR 52526, I noticed that I can reliably
crash the machine by running the shell command
while true; do ifconfig athn0 down; ifconfig athn0 up; done
I reproduced this with a debug build, built with build.sh -V
MKDEBUG=YES -V COPTS="-g -fdebug-prefix-map=$(pwd)=/usr/src",
and had a look at the crash dump:
localhost# cd /var/crash
localhost# gdb /netbsd
[...]
(gdb) target kvm netbsd.2.core
maybe_dump (howto=260) at /usr/src/sys/arch/i386/i386/machdep.c:757
757 splx(s);
(gdb) bt
#0 maybe_dump (howto=260) at /usr/src/sys/arch/i386/i386/machdep.c:757
#1 0xc011edb5 in cpu_reboot (howto=260, bootstr=0x0) at /usr/src/sys/arch/i386/i386/machdep.c:776
#2 0xc0bf7c59 in vpanic (fmt=0xc1093df8 "trap", ap=0xd95f6b18 "\260k_\331\260k_\331\001") at /usr/src/sys/kern/subr_prf.c:342
#3 0xc0bf7a8b in panic (fmt=0xc1093df8 "trap") at /usr/src/sys/kern/subr_prf.c:258
#4 0xc01225ef in trap (frame=0xd95f6bb0) at /usr/src/sys/arch/i386/i386/trap.c:324
#5 0xc0116e8f in alltraps ()
#6 0xd95f6bb0 in ?? ()
#7 0xc050360c in athn_usb_init (ifp=0xc2685ae4) at /usr/src/sys/dev/usb/if_athn_usb.c:2727
#8 0xc0503465 in athn_usb_ioctl (ifp=0xc2685ae4, cmd=2156947728, data=0xc279d188) at /usr/src/sys/dev/usb/if_athn_usb.c:2673
#9 0xc0cae54d in doifioctl (so=0xc27acbac, cmd=2156947728, data=0xc279d188, l=0xc2752d40) at /usr/src/sys/net/if.c:3042
#10 0xc0c15014 in soo_ioctl (fp=0xc272cf40, cmd=2156947728, data=0xc279d188) at /usr/src/sys/kern/sys_socket.c:202
#11 0xc0c069ae in sys_ioctl (l=0xc2752d40, uap=0xd95f6f74, retval=0xd95f6f6c) at /usr/src/sys/kern/sys_generic.c:671
#12 0xc016a2c5 in sy_call (sy=0xc16aa218 <sysent+1080>, l=0xc2752d40, uap=0xd95f6f74, rval=0xd95f6f6c) at /usr/src/sys/sys/syscallvar.h:65
#13 0xc016a395 in sy_invoke (sy=0xc16aa218 <sysent+1080>, l=0xc2752d40, uap=0xd95f6f74, rval=0xd95f6f6c, code=54) at /usr/src/sys/sys/syscallvar.h:94
#14 0xc016a63c in syscall (frame=0xd95f6fa8) at /usr/src/sys/arch/x86/x86/syscall.c:140
#15 0xc0100696 in Xsyscall ()
#16 0xd95f6fa8 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb) frame 7
#7 0xc050360c in athn_usb_init (ifp=0xc2685ae4) at /usr/src/sys/dev/usb/if_athn_usb.c:2727
2727 int ret = athn_usb_init_locked(ifp);
(gdb) l
2722 {
2723 struct athn_softc *sc = ifp->if_softc;
2724 struct athn_usb_softc *usc = ATHN_USB_SOFTC(sc);
2725
2726 mutex_enter(&usc->usc_lock);
2727 int ret = athn_usb_init_locked(ifp);
2728 mutex_exit(&usc->usc_lock);
2729
2730 return ret;
2731 }
(gdb) frame 8
#8 0xc0503465 in athn_usb_ioctl (ifp=0xc2685ae4, cmd=2156947728, data=0xc279d188) at /usr/src/sys/dev/usb/if_athn_usb.c:2673
2673 error = athn_usb_init(ifp);
(gdb) l
2668
2669 switch (ifp->if_flags & (IFF_UP | IFF_RUNNING)) {
2670 case IFF_UP | IFF_RUNNING:
2671 break;
2672 case IFF_UP:
2673 error = athn_usb_init(ifp);
2674 break;
2675 case IFF_RUNNING:
2676 athn_usb_stop(ifp, 0);
2677 break;
Since this crash occurred while configuring the interface up rather
than down, I figure it's a separate bug from 52526 and warrants its
own bug report. Besides, this one is easier to reproduce.
It looks like the trap actually occurred in athn_usb_init_locked(),
but gdb is unable to correctly display the stack frame in this case,
which is rather unfortunate and a bug in itself. OTOH, ddb does
pinpoint the trap to athn_usb_init_locked+0x110:
--- trap (number 6) ---
athn_usb_init_locked(c2685ae4,c2685000,c2685000,c2752d40,d95f6cf0,c0503465,c2685ae4,80906910,c279d188,0) at netbsd:athn_usb_init_locked+0x110
athn_usb_init(c2685ae4,80906910,c279d188,0,c2685000,c2685000,c2685030,0,d95f6e00,c0cae54d) at netbsd:athn_usb_init+0x2f
which would be near the end of this code block:
(gdb) x/30i athn_usb_init_locked
0xc0503624 <athn_usb_init_locked>: push %ebp
0xc0503625 <athn_usb_init_locked+1>: mov %esp,%ebp
0xc0503627 <athn_usb_init_locked+3>: push %edi
0xc0503628 <athn_usb_init_locked+4>: push %esi
0xc0503629 <athn_usb_init_locked+5>: push %ebx
0xc050362a <athn_usb_init_locked+6>: sub $0xb4,%esp
0xc0503630 <athn_usb_init_locked+12>: mov 0x8(%ebp),%eax
0xc0503633 <athn_usb_init_locked+15>: mov %eax,-0xa4(%ebp)
0xc0503639 <athn_usb_init_locked+21>: mov 0xc16ad420,%eax
0xc050363e <athn_usb_init_locked+26>: mov %eax,-0x10(%ebp)
0xc0503641 <athn_usb_init_locked+29>: xor %eax,%eax
0xc0503643 <athn_usb_init_locked+31>: mov -0xa4(%ebp),%eax
0xc0503649 <athn_usb_init_locked+37>: mov (%eax),%eax
0xc050364b <athn_usb_init_locked+39>: mov %eax,-0x94(%ebp)
0xc0503651 <athn_usb_init_locked+45>: mov -0x94(%ebp),%eax
0xc0503657 <athn_usb_init_locked+51>: mov %eax,-0x90(%ebp)
0xc050365d <athn_usb_init_locked+57>: mov -0x94(%ebp),%eax
0xc0503663 <athn_usb_init_locked+63>: add $0x1ad4,%eax
0xc0503668 <athn_usb_init_locked+68>: mov %eax,-0x8c(%ebp)
0xc050366e <athn_usb_init_locked+74>: mov -0x94(%ebp),%eax
0xc0503674 <athn_usb_init_locked+80>: add $0x30,%eax
0xc0503677 <athn_usb_init_locked+83>: mov %eax,-0x88(%ebp)
0xc050367d <athn_usb_init_locked+89>: mov -0x90(%ebp),%eax
0xc0503683 <athn_usb_init_locked+95>: mov 0x1db0(%eax),%eax
0xc0503689 <athn_usb_init_locked+101>: test %eax,%eax
0xc050368b <athn_usb_init_locked+103>: je 0xc0503697 <athn_usb_init_locked+115>
0xc050368d <athn_usb_init_locked+105>: mov $0x6,%eax
0xc0503692 <athn_usb_init_locked+110>: jmp 0xc0503ded <athn_usb_init_locked+1993>
0xc0503697 <athn_usb_init_locked+115>: mov -0x90(%ebp),%eax
0xc050369d <athn_usb_init_locked+121>: add $0x1d88,%eax
Here is the full dmesg:
Copyright (c) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017
The NetBSD Foundation, Inc. All rights reserved.
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California. All rights reserved.
NetBSD 8.99.2 (MONOLITHIC) #1: Sun Sep 17 21:07:09 EEST 2017
gson@guido.araneus.fi:/bracket/prod/current/i386/obj/sys/arch/i386/compile/MONOLITHIC
total memory = 511 MB
avail memory = 477 MB
timecounter: Timecounters tick every 10.000 msec
Kernelized RAIDframe activated
running cgd selftest aes-xts-256 aes-xts-512 done
timecounter: Timecounter "i8254" frequency 1193182 Hz quality 100
Compaq Deskpro EN Series SFF
mainbus0 (root)
ACPI: RSDP 0x00000000000E0010 000014 (v00 COMPAQ)
ACPI: RSDT 0x00000000000E0080 000034 (v01 COMPAQ CPQB053 19990818 00000000)
ACPI: FACP 0x00000000000E00CC 000074 (v01 COMPAQ SCARAB 00000001 00000000)
ACPI: DSDT 0x00000000000E0140 000883 (v01 COMPAQ DSDT 00000001 MSFT 0100000B)
ACPI: FACS 0x00000000000E0040 000040
ACPI: SSDT 0x00000000000E09C3 000FFD (v01 COMPAQ VILLTBL1 00000001 MSFT 0100000B)
ACPI: SSDT 0x00000000000E19C0 000774 (v01 COMPAQ PNP_PRSS 00000001 MSFT 0100000B)
ACPI: SSDT 0x00000000000E2134 000073 (v01 COMPAQ PME 00000001 MSFT 0100000B)
ACPI: 4 ACPI AML tables successfully acquired and loaded
ACPI: BIOS is too old (19990818). Set acpi_force_load to use.
ACPI Error: Could not remove SCI handler (20170303/evmisc-312)
cpu0 at mainbus0
cpu0: Intel 686-class, 597MHz, id 0x683
cpu0: package 0, core 0, smt 0
pci0 at mainbus0 bus 0: configuration mode 1
pci0: This pci host supports neither MSI nor MSI-X.
pci0: i/o space, memory space enabled, rd/line, rd/mult, wr/inv ok
pchb0 at pci0 dev 0 function 0: vendor 8086 product 7190 (rev. 0x03)
agp0 at pchb0: aperture at 0x44000000, size 0x4000000
ppb0 at pci0 dev 1 function 0: vendor 8086 product 7191 (rev. 0x03)
pci1 at ppb0 bus 1
pci1: This pci host supports neither MSI nor MSI-X.
pci1: i/o space, memory space enabled
vga0 at pci1 dev 0 function 0: vendor 1002 product 4742 (rev. 0x5c)
wsdisplay0 at vga0 kbdmux 1: console (80x25, vt100 emulation)
wsmux1: connecting to wsdisplay0
drm at vga0 not configured
fxp0 at pci0 dev 10 function 0: i82558 Ethernet (rev. 0x05)
fxp0: interrupting at irq 11
fxp0: May need receiver lock-up workaround
fxp0: Ethernet address 00:50:8b:d7:f4:37
inphy0 at fxp0 phy 1: i82555 10/100 media interface, rev. 0
inphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
pcib0 at pci0 dev 20 function 0: vendor 8086 product 7110 (rev. 0x02)
piixide0 at pci0 dev 20 function 1: Intel 82371AB IDE controller (PIIX4) (rev. 0x01)
piixide0: bus-master DMA support present
piixide0: primary channel wired to compatibility mode
piixide0: primary channel interrupting at irq 14
atabus0 at piixide0 channel 0
piixide0: secondary channel wired to compatibility mode
piixide0: secondary channel interrupting at irq 15
atabus1 at piixide0 channel 1
uhci0 at pci0 dev 20 function 2: vendor 8086 product 7112 (rev. 0x01)
uhci0: interrupting at irq 11
usb0 at uhci0: USB revision 1.0
piixpm0 at pci0 dev 20 function 3: vendor 8086 product 7113 (rev. 0x02)
timecounter: Timecounter "piixpm0" frequency 3579545 Hz quality 900
piixpm0: 24-bit timer
piixpm0: interrupting at SMI, polling
iic0 at piixpm0: I2C bus
isa0 at pcib0
lpt0 at isa0 port 0x378-0x37b irq 7
com0 at isa0 port 0x3f8-0x3ff irq 4: ns16550a, working fifo
com1 at isa0 port 0x2f8-0x2ff irq 3: ns16550a, working fifo
pckbc0 at isa0 port 0x60-0x64
attimer0 at isa0 port 0x40-0x43
sb0 at isa0 port 0x220-0x237 irq 5 drq 1: dsp v3.01
audio0 at sb0: half duplex, playback, capture, mmap, independent
sb0: Virtual format auto config failed!
Please check hardware capabilities
sb0: audioattach: audio_set_vchan_defaults() failed
midi0 at sb0: SB MIDI UART
opl0 at sb0: model OPL3
midi1 at opl0: SB Yamaha OPL3
pcppi0 at isa0 port 0x61
midi2 at pcppi0: PC speaker
sysbeep0 at pcppi0
isapnp0 at isa0 port 0x279
fdc0 at isa0 port 0x3f0-0x3f7 irq 6 drq 2
attimer0: attached to pcppi0
isapnp0: no ISA Plug 'n Play devices found
timecounter: Timecounter "clockinterrupt" frequency 100 Hz quality 0
fd0 at fdc0 drive 0: 1.44MB, 80 cyl, 2 head, 18 sec
uhub0 at usb0: vendor 8086 (0x8086) UHCI root hub (0000), class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
IPsec: Initialized Security Association Processing.
uhidev0 at uhub0 port 1 configuration 1 interface 0
uhidev0: Belkin Components (0x50d) USB-PS2 Adapter (0x119), rev 1.10/1.20, addr 2, iclass 3/1
ukbd0 at uhidev0: 8 Variable keys, 6 Array codes
wskbd0 at ukbd0: console keyboard, using wsdisplay0
uhidev1 at uhub0 port 1 configuration 1 interface 1
uhidev1: Belkin Components (0x50d) USB-PS2 Adapter (0x119), rev 1.10/1.20, addr 2, iclass 3/1
ums0 at uhidev1: 5 buttons and Z dir
wsmouse0 at ums0 mux 0
wd0 at atabus0 drive 0
wd0: <Maxtor 6E040L0>
wd0: drive supports 16-sector PIO transfers, LBA48 addressing
wd0: 38166 MB, 77545 cyl, 16 head, 63 sec, 512 bytes/sect x 78165360 sectors
wd0: 32-bit data port
wd0: drive supports PIO mode 4, DMA mode 2, Ultra-DMA mode 5 (Ultra/100)
wd0(piixide0:0:0): using PIO mode 4, Ultra-DMA mode 2 (Ultra/33) (using DMA)
atapibus0 at atabus1: 2 targets
cd0 at atapibus0 drive 0: <Compaq CRN-8241B, 1999/11/13, 2.23> cdrom removable
cd0: 32-bit data port
cd0: drive supports PIO mode 4, DMA mode 2
cd0(piixide0:1:0): using PIO mode 4, DMA mode 2 (using DMA)
WARNING: 2 errors while detecting hardware; check system log.
boot device: wd0
root on wd0a dumps on wd0b
root file system type: ffs
kern.module.path=/stand/i386/8.99.2/modules
wsdisplay0: screen 1 added (80x25, vt100 emulation)
wsdisplay0: screen 2 added (80x25, vt100 emulation)
wsdisplay0: screen 3 added (80x25, vt100 emulation)
wsdisplay0: screen 4 added (80x25, vt100 emulation)
athn0 at uhub0 port 2
: Atheros AR9271
athn0: rev 1 (1T1R), ROM rev 15, address 48:5d:60:57:7d:4f
athn0: 11b rates: 1Mbps 2Mbps 5.5Mbps 11Mbps
athn0: 11g rates: 1Mbps 2Mbps 5.5Mbps 11Mbps 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
uvm_fault(0xc261b9f0, 0, 1) -> 0xe
fatal page fault in supervisor mode
trap type 6 code 0 eip 0xc0503734 cs 0x8 eflags 0x10246 cr2 0xc ilevel 0x6 esp 0xc2686d8c
curlwp 0xc2752d40 pid 72 lid 1 lowest kstack 0xd95f42c0
panic: trap
cpu0: Begin traceback...
vpanic(c1093df8,d95f6b18,d95f6b18,d95f6ba4,c01225ef,c1093df8,d95f6bb0,d95f6bb0,1,e) at netbsd:vpanic+0x1bb
vpanic(c1093df8,d95f6bb0,d95f6bb0,1,e,d95f6bb0,c0cae076,c26161e4,d95f4000,d95f6c30) at netbsd:vpanic
trap() at netbsd:trap+0x27a
--- trap (number 6) ---
athn_usb_init_locked(c2685ae4,c2685000,c2685000,c2752d40,d95f6cf0,c0503465,c2685ae4,80906910,c279d188,0) at netbsd:athn_usb_init_locked+0x110
athn_usb_init(c2685ae4,80906910,c279d188,0,c2685000,c2685000,c2685030,0,d95f6e00,c0cae54d) at netbsd:athn_usb_init+0x2f
athn_usb_ioctl(c2685ae4,80906910,c279d188,c2685ae4,80906910,0,c0bc9c74,c1636d40,d95f6d64,c0167024) at netbsd:athn_usb_ioctl+0xc3
doifioctl(c27acbac,80906910,c279d188,c2752d40,0,c27acbac,0,d95f6f00,c0c069ae,c272cf40) at netbsd:doifioctl+0x4d7
soo_ioctl(c272cf40,80906910,c279d188,90,0,c261b9f0,ac8d3000,1000,c261b9f0,80906910) at netbsd:soo_ioctl+0x2eb
sys_ioctl(c2752d40,d95f6f74,d95f6f6c,ffff0ff0,d95f6f3c,c016a395,c16aa218,c2752d40,d95f6f74,d95f6f6c) at netbsd:sys_ioctl+0x431
sy_call(c16aa218,c2752d40,d95f6f74,d95f6f6c,c016a4f4,752d40,c2752d40,d95f6f9c,c016a63c,c16aa218) at c016a2c5
sy_invoke(c16aa218,c2752d40,d95f6f74,d95f6f6c,36,0,c2752d40,c26161e4,36,c16aa218) at netbsd:sy_invoke+0xbb
syscall() at netbsd:syscall+0xd7
--- syscall (number 54) ---
ac84a437:
cpu0: End traceback...
dumping to dev 0,1 offset 3148440
dump succeeded
>How-To-Repeat:
Plug in an athn(4) WiFi adapter and run
while true; do ifconfig athn0 down; ifconfig athn0 up; done
>Fix:
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: kern-bug-people->skrll
Responsible-Changed-By: skrll@NetBSD.org
Responsible-Changed-When: Wed, 20 Sep 2017 06:46:36 +0000
Responsible-Changed-Why:
Take
From: Nick Hudson <skrll@netbsd.org>
To: gnats-bugs@NetBSD.org, kern-bug-people@netbsd.org,
gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Cc:
Subject: Re: kern/52553: Panic on "ifconfig athn0 up"
Date: Wed, 20 Sep 2017 08:31:12 +0100
On 09/18/17 17:05, Andreas Gustafsson wrote:
>> Number: 52553
>> Category: kern
>> Synopsis: Panic on "ifconfig athn0 up"
Can you make the crash dump available, please?
Thanks,
Nick
From: Nick Hudson <skrll@netbsd.org>
To: gnats-bugs@NetBSD.org, kern-bug-people@netbsd.org,
gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Cc:
Subject: Re: kern/52553: Panic on "ifconfig athn0 up"
Date: Wed, 20 Sep 2017 08:39:20 +0100
On 09/18/17 17:05, Andreas Gustafsson wrote:
> It looks like the trap actually occurred in athn_usb_init_locked(),
> but gdb is unable to correctly display the stack frame in this case,
> which is rather unfortunate and a bug in itself. OTOH, ddb does
> pinpoint the trap to athn_usb_init_locked+0x110:
>
> --- trap (number 6) ---
> athn_usb_init_locked(c2685ae4,c2685000,c2685000,c2752d40,d95f6cf0,c0503465,c2685ae4,80906910,c279d188,0) at netbsd:athn_usb_init_locked+0x110
> athn_usb_init(c2685ae4,80906910,c279d188,0,c2685000,c2685000,c2685030,0,d95f6e00,c0cae54d) at netbsd:athn_usb_init+0x2f
>
> which would be near the end of this code block:
>
> (gdb) x/30i athn_usb_init_locked
> 0xc0503624 <athn_usb_init_locked>: push %ebp
> 0xc0503625 <athn_usb_init_locked+1>: mov %esp,%ebp
> 0xc0503627 <athn_usb_init_locked+3>: push %edi
> 0xc0503628 <athn_usb_init_locked+4>: push %esi
> 0xc0503629 <athn_usb_init_locked+5>: push %ebx
> 0xc050362a <athn_usb_init_locked+6>: sub $0xb4,%esp
> 0xc0503630 <athn_usb_init_locked+12>: mov 0x8(%ebp),%eax
> 0xc0503633 <athn_usb_init_locked+15>: mov %eax,-0xa4(%ebp)
> 0xc0503639 <athn_usb_init_locked+21>: mov 0xc16ad420,%eax
> 0xc050363e <athn_usb_init_locked+26>: mov %eax,-0x10(%ebp)
> 0xc0503641 <athn_usb_init_locked+29>: xor %eax,%eax
> 0xc0503643 <athn_usb_init_locked+31>: mov -0xa4(%ebp),%eax
> 0xc0503649 <athn_usb_init_locked+37>: mov (%eax),%eax
> 0xc050364b <athn_usb_init_locked+39>: mov %eax,-0x94(%ebp)
> 0xc0503651 <athn_usb_init_locked+45>: mov -0x94(%ebp),%eax
> 0xc0503657 <athn_usb_init_locked+51>: mov %eax,-0x90(%ebp)
> 0xc050365d <athn_usb_init_locked+57>: mov -0x94(%ebp),%eax
> 0xc0503663 <athn_usb_init_locked+63>: add $0x1ad4,%eax
> 0xc0503668 <athn_usb_init_locked+68>: mov %eax,-0x8c(%ebp)
> 0xc050366e <athn_usb_init_locked+74>: mov -0x94(%ebp),%eax
> 0xc0503674 <athn_usb_init_locked+80>: add $0x30,%eax
> 0xc0503677 <athn_usb_init_locked+83>: mov %eax,-0x88(%ebp)
> 0xc050367d <athn_usb_init_locked+89>: mov -0x90(%ebp),%eax
> 0xc0503683 <athn_usb_init_locked+95>: mov 0x1db0(%eax),%eax
> 0xc0503689 <athn_usb_init_locked+101>: test %eax,%eax
> 0xc050368b <athn_usb_init_locked+103>: je 0xc0503697 <athn_usb_init_locked+115>
> 0xc050368d <athn_usb_init_locked+105>: mov $0x6,%eax
> 0xc0503692 <athn_usb_init_locked+110>: jmp 0xc0503ded <athn_usb_init_locked+1993>
> 0xc0503697 <athn_usb_init_locked+115>: mov -0x90(%ebp),%eax
> 0xc050369d <athn_usb_init_locked+121>: add $0x1d88,%eax
+110 is not +0x110 unfortunately...
> Here is the full dmesg:
...
> athn0 at uhub0 port 2
> : Atheros AR9271
> athn0: rev 1 (1T1R), ROM rev 15, address 48:5d:60:57:7d:4f
> athn0: 11b rates: 1Mbps 2Mbps 5.5Mbps 11Mbps
> athn0: 11g rates: 1Mbps 2Mbps 5.5Mbps 11Mbps 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
> uvm_fault(0xc261b9f0, 0, 1) -> 0xe
> fatal page fault in supervisor mode
> trap type 6 code 0 eip 0xc0503734 cs 0x8 eflags 0x10246 cr2 0xc ilevel 0x6 esp 0xc2686d8c
The trap is caused by the instruction at 0xc0503734 (i.e.
athn_usb_init_locked+0x110 )
addr2line -e netbsd.gdb -f 0xc0503734
Will give us the offending line
Nick
From: Andreas Gustafsson <gson@gson.org>
To: skrll@NetBSD.org
Cc: gnats-bugs@NetBSD.org
Subject: Re: kern/52553: Panic on "ifconfig athn0 up"
Date: Wed, 20 Sep 2017 15:25:51 +0300
Nick Hudson wrote:
> +110 is not +0x110 unfortunately...
Mea culpa.
> The trap is caused by the instruction at 0xc0503734 (i.e.
> athn_usb_init_locked+0x110 )
>
> addr2line -e netbsd.gdb -f 0xc0503734
# addr2line -e /netbsd -f 0xc0503734
athn_usb_init_locked
/usr/src/sys/dev/usb/if_athn_usb.c:2762
That would be the line
TAILQ_REMOVE(&usc->usc_tx_free_list, usc->usc_tx_bcn, next);
--
Andreas Gustafsson, gson@gson.org
From: Nick Hudson <skrll@netbsd.org>
To: gnats-bugs@NetBSD.org, kern-bug-people@netbsd.org,
gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Cc:
Subject: Re: kern/52553: Panic on "ifconfig athn0 up"
Date: Thu, 21 Sep 2017 20:47:53 +0100
This is a multi-part message in MIME format.
--------------650FB972A3FA2865F1CE1300
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
On 09/18/17 17:05, Andreas Gustafsson wrote:
> while true; do ifconfig athn0 down; ifconfig athn0 up; done
Please try this patch...
Nick
--------------650FB972A3FA2865F1CE1300
Content-Type: text/x-patch;
name="if_athn_usb.c.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
filename="if_athn_usb.c.diff"
Index: sys/dev/usb/if_athn_usb.c
===================================================================
RCS file: /cvsroot/src/sys/dev/usb/if_athn_usb.c,v
retrieving revision 1.22
diff -u -p -r1.22 if_athn_usb.c
--- sys/dev/usb/if_athn_usb.c 1 Jun 2017 02:45:11 -0000 1.22
+++ sys/dev/usb/if_athn_usb.c 21 Sep 2017 19:42:29 -0000
@@ -728,9 +728,15 @@ athn_usb_alloc_tx_list(struct athn_usb_s
/* Append this Tx buffer to our free list. */
TAILQ_INSERT_TAIL(&usc->usc_tx_free_list, data, next);
}
- if (error != 0)
+ if (error == 0) {
+ /* Steal one buffer for beacons. */
+ usc->usc_tx_bcn = TAILQ_FIRST(&usc->usc_tx_free_list);
+ TAILQ_REMOVE(&usc->usc_tx_free_list, usc->usc_tx_bcn, next);
+ } else {
athn_usb_free_tx_list(usc);
+ }
mutex_exit(&usc->usc_tx_mtx);
+
return error;
}
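Review bot: the new error == 0 branch passes the result of TAILQ_FIRST(&usc->usc_tx_free_list) straight to TAILQ_REMOVE without a NULL check, which is the same statement pair that addr2line identified as the faulting line in athn_usb_init_locked. The list has just been filled by the loop above, so it should be non-empty here as long as the loop ran at least once, but a KASSERT(usc->usc_tx_bcn != NULL) between the two lines would state that assumption and turn any future violation into a clear assertion failure rather than a page fault.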
@@ -749,6 +755,8 @@ athn_usb_free_tx_list(struct athn_usb_so
if (xfer != NULL)
usbd_destroy_xfer(xfer);
}
+ if (usc->usc_tx_bcn)
+ usbd_destroy_xfer(usc->usc_tx_bcn->xfer);
}
Static int
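Review bot: in athn_usb_free_tx_list the added usbd_destroy_xfer(usc->usc_tx_bcn->xfer) is called without the xfer != NULL test that the loop just above applies, and neither usc->usc_tx_bcn nor its xfer is cleared afterwards. The first hunk calls athn_usb_free_tx_list on the allocation error path, so as far as these lines show a stale usc_tx_bcn from an earlier allocation could have its xfer destroyed a second time. Suggest guarding on the xfer and then setting usc->usc_tx_bcn->xfer and usc->usc_tx_bcn to NULL.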
@@ -2756,12 +2764,6 @@ athn_usb_init_locked(struct ifnet *ifp)
usc->usc_cmdq.cur = usc->usc_cmdq.next = usc->usc_cmdq.queued = 0;
mutex_spin_exit(&usc->usc_task_mtx);
- /* Steal one buffer for beacons. */
- mutex_enter(&usc->usc_tx_mtx);
- usc->usc_tx_bcn = TAILQ_FIRST(&usc->usc_tx_free_list);
- TAILQ_REMOVE(&usc->usc_tx_free_list, usc->usc_tx_bcn, next);
- mutex_exit(&usc->usc_tx_mtx);
-
curchan = ic->ic_curchan;
extchan = NULL;
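Review bot: with the steal removed from athn_usb_init_locked, this function now depends on athn_usb_alloc_tx_list having set usc->usc_tx_bcn, and nothing at this spot records that. A one-line comment, or a KASSERT(usc->usc_tx_bcn != NULL) where the removed block stood, would document the new invariant and catch a later reordering of allocation and init.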
--------------650FB972A3FA2865F1CE1300--
From: Andreas Gustafsson <gson@gson.org>
To: skrll@NetBSD.org
Cc: gnats-bugs@NetBSD.org
Subject: Re: kern/52553: Panic on "ifconfig athn0 up"
Date: Fri, 22 Sep 2017 21:41:49 +0300
Nick Hudson wrote:
> Please try this patch...
With the patch, the "while true; do ifconfig athn0 down; ifconfig
athn0 up; done" test has now run for several hours without crashing.
--
Andreas Gustafsson, gson@gson.org
From: "Nick Hudson" <skrll@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/52553 CVS commit: src/sys/dev/usb
Date: Sat, 23 Sep 2017 14:27:44 +0000
Module Name: src
Committed By: skrll
Date: Sat Sep 23 14:27:44 UTC 2017
Modified Files:
src/sys/dev/usb: if_athn_usb.c
Log Message:
PR/52553 Panic on "ifconfig athn0 up"
Don't race for a transfer in athn_usb_init on the free list for beacons.
Instead pre-assign a transfer to beacons in athn_usb_alloc_tx_list
To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.23 src/sys/dev/usb/if_athn_usb.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->closed
State-Changed-By: gson@NetBSD.org
State-Changed-When: Sun, 24 Sep 2017 14:59:31 +0000
State-Changed-Why:
Fixed by src/sys/dev/usb/if_athn_usb.c 1.23. Thanks skrll.
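A user-space model of the pattern described in the commit message above, added here as an example and not taken from the NetBSD driver. `struct softc`, `struct tx_data`, `TX_LIST_COUNT` and all function names are hypothetical stand-ins, and the model assumes the free list can be empty at the moment the init path runs.

```c
#include <stdio.h>
#include <sys/queue.h>
#define TX_LIST_COUNT 4              /* constructed size, not the driver's */

struct tx_data {                     /* hypothetical stand-in for a Tx buffer */
	int id;
	TAILQ_ENTRY(tx_data) next;
};
struct softc {                       /* hypothetical stand-in for the softc */
	struct tx_data pool[TX_LIST_COUNT];
	TAILQ_HEAD(, tx_data) free_list;
	struct tx_data *bcn;             /* buffer reserved for beacons */
};

/* Build the free list. With reserve_bcn set, take the beacon buffer here,
 * while the list is known to be non-empty (the approach of the patch). */
static void alloc_tx_list(struct softc *sc, int reserve_bcn)
{
	sc->bcn = NULL;
	TAILQ_INIT(&sc->free_list);
	for (int i = 0; i < TX_LIST_COUNT; i++) {
		sc->pool[i].id = i;
		TAILQ_INSERT_TAIL(&sc->free_list, &sc->pool[i], next);
	}
	if (reserve_bcn) {
		sc->bcn = TAILQ_FIRST(&sc->free_list);
		TAILQ_REMOVE(&sc->free_list, sc->bcn, next);
	}
}

/* Transmit path: take every free buffer, as in-flight sends would. */
static int drain(struct softc *sc)
{
	struct tx_data *d;
	int n = 0;
	while ((d = TAILQ_FIRST(&sc->free_list)) != NULL) {
		TAILQ_REMOVE(&sc->free_list, d, next);
		n++;
	}
	return n;
}

/* Init-time steal as in the pre-patch code, plus a NULL check.
 * Returns -1 at the point where an unchecked TAILQ_REMOVE would fault. */
static int init_steal_beacon(struct softc *sc)
{
	sc->bcn = TAILQ_FIRST(&sc->free_list);
	if (sc->bcn == NULL)
		return -1;
	TAILQ_REMOVE(&sc->free_list, sc->bcn, next);
	return 0;
}

/* Pre-patch ordering: transmits empty the list, then init tries to steal. */
static int old_init_after_drain(void)
{
	struct softc sc;
	alloc_tx_list(&sc, 0);
	drain(&sc);
	return init_steal_beacon(&sc);
}

/* Patched ordering: reserve at allocation, then drain. Returns the id of
 * the reserved buffer (-1 if none) and stores the Tx buffers taken. */
static int new_bcn_after_drain(int *taken)
{
	struct softc sc;
	alloc_tx_list(&sc, 1);
	*taken = drain(&sc);
	return sc.bcn != NULL ? sc.bcn->id : -1;
}

int main(void)
{
	int taken, id = new_bcn_after_drain(&taken);
	printf("old: steal at init -> %d\n", old_init_after_drain());
	printf("new: beacon buffer %d kept, %d taken for Tx\n", id, taken);
	return 0;
}
```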
From: "Soren Jacobsen" <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/52553 CVS commit: [netbsd-8] src/sys/dev/usb
Date: Thu, 28 Sep 2017 01:18:55 +0000
Module Name: src
Committed By: snj
Date: Thu Sep 28 01:18:55 UTC 2017
Modified Files:
src/sys/dev/usb [netbsd-8]: if_athn_usb.c
Log Message:
Pull up following revision(s) (requested by skrll in ticket #293):
sys/dev/usb/if_athn_usb.c: revision 1.23
PR/52553 Panic on "ifconfig athn0 up"
Don't race for a transfer in athn_usb_init on the free list for beacons.
Instead pre-assign a transfer to beacons in athn_usb_alloc_tx_list
To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.22.2.1 src/sys/dev/usb/if_athn_usb.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Soren Jacobsen" <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/52553 CVS commit: [netbsd-7] src/sys/dev/usb
Date: Mon, 23 Oct 2017 19:15:09 +0000
Module Name: src
Committed By: snj
Date: Mon Oct 23 19:15:09 UTC 2017
Modified Files:
src/sys/dev/usb [netbsd-7]: if_athn_usb.c
Log Message:
Pull up following revision(s) (requested by skrll in ticket #1515):
sys/dev/usb/if_athn_usb.c: revision 1.23
PR/52553 Panic on "ifconfig athn0 up"
Don't race for a transfer in athn_usb_init on the free list for beacons.
Instead pre-assign a transfer to beacons in athn_usb_alloc_tx_list
To generate a diff of this commit:
cvs rdiff -u -r1.6.6.1 -r1.6.6.2 src/sys/dev/usb/if_athn_usb.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
>Unformatted: