Bug #1785

ral(4) cardbus crash

Added by herrgard over 4 years ago. Updated about 4 years ago.

Status: Closed
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: -
Target version: -

Description

Hi,

I get this crash when plugging in my ral(4) cardbus card.

DragonFly 2.7-DEVELOPMENT DragonFly v2.7.3.198.gba9d3-DEVELOPMENT #4: Sun Jun 20 09:03:45 CEST 2010 :/usr/obj/usr/src/sys/GENERIC i386

GNU gdb (GDB) 7.0
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i386-dragonfly".
For bug reporting instructions, please see:
<http://bugs.dragonflybsd.org/>...
Reading symbols from /usr/home/crash/kern.0...done.

Unread portion of the kernel message buffer:
cardbus0: Expecting link target, got 0x0
ral0: <Ralink Technology RT2561S> mem 0x88008000-0x8800ffff irq 10 at device 0.0 on cardbus0
ral0: MAC/BBP RT2561C, RF RT2527

Fatal trap 12: page fault while in kernel mode
fault virtual address = 0x1f0
fault code = supervisor read, page not present
instruction pointer = 0x8:0xc0296ccb
stack pointer = 0x10:0xc7058cb0
frame pointer = 0x10:0xc7058cd0
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = Idle
current thread = pri 12

kernel: type 12 trap, code=0
panic: from debugger

Fatal trap 3: breakpoint instruction fault while in kernel mode
instruction pointer = 0x8:0xc054ff58
stack pointer = 0x10:0xc7058ac0
frame pointer = 0x10:0xc7058ac8
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, IOPL = 0
current process = Idle
current thread = pri 44 (CRIT)

panic: from debugger
Uptime: 49s
Physical memory: 215 MB
Dumping 48 MB: 33 17 1

Reading symbols from /boot/modules/vesa.ko...done.
Loaded symbols for /boot/modules/vesa.ko
Reading symbols from /boot/modules/acpi.ko...done.
Loaded symbols for /boot/modules/acpi.ko
_get_mycpu (di=0xc06d6380) at ./machine/thread.h:83
83 __asm ("movl %%fs:globaldata,%0" : "=r" (gd) : "m"(__mycpu__dummy));
(kgdb) bt
#0 _get_mycpu (di=0xc06d6380) at ./machine/thread.h:83
#1 md_dumpsys (di=0xc06d6380) at /usr/src/sys/platform/pc32/i386/dump_machdep.c:263
#2 0xc0319ca5 in dumpsys () at /usr/src/sys/kern/kern_shutdown.c:839
#3 0xc031a220 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:388
#4 0xc031a346 in panic (fmt=0xc05acc8a "from debugger") at /usr/src/sys/kern/kern_shutdown.c:745
#5 0xc0178989 in db_panic (addr=-1071026997, have_addr=0, count=-1, modif=0xc7058b28 "") at /usr/src/sys/ddb/db_command.c:448
#6 0xc0178ffe in db_command () at /usr/src/sys/ddb/db_command.c:344
#7 db_command_loop () at /usr/src/sys/ddb/db_command.c:470
#8 0xc017b60c in db_trap (type=12, code=0) at /usr/src/sys/ddb/db_trap.c:71
#9 0xc05500c4 in kdb_trap (type=12, code=0, regs=0xc7058c68) at /usr/src/sys/platform/pc32/i386/db_interface.c:152
#10 0xc0561e54 in trap_fatal (frame=0xc7058c68, eva=<value optimized out>) at /usr/src/sys/platform/pc32/i386/trap.c:1120
#11 0xc0561fb6 in trap_pfault (frame=0xc7058c68, usermode=0, eva=496) at /usr/src/sys/platform/pc32/i386/trap.c:1026
#12 0xc0562488 in trap (frame=0xc7058c68) at /usr/src/sys/platform/pc32/i386/trap.c:713
#13 0xc0551497 in calltrap () at /usr/src/sys/platform/pc32/i386/exception.s:785
#14 0xc0296ccb in ral_pci_attach (dev=0xc14d3a58) at /usr/src/sys/dev/netif/ral/if_ral_pci.c:209
#15 0xc0330953 in DEVICE_ATTACH (dev=0xc14d3a58) at ./device_if.h:40
#16 device_doattach (dev=0xc14d3a58) at /usr/src/sys/kern/subr_bus.c:1662
#17 0xc03312c0 in device_probe_and_attach (dev=0xc14d3a58) at /usr/src/sys/kern/subr_bus.c:1622
#18 0xc0184cf9 in cardbus_attach_card (cbdev=0xc14c60d8) at /usr/src/sys/dev/pccard/cardbus/cardbus.c:208
#19 0xc018195d in CARD_ATTACH_CARD (arg=0xc6fe5400) at ./card_if.h:67
#20 cbb_insert (arg=0xc6fe5400) at /usr/src/sys/dev/pccard/pccbb/pccbb.c:526
#21 cbb_event_thread (arg=0xc6fe5400) at /usr/src/sys/dev/pccard/pccbb/pccbb.c:469
#22 0xc030d1ff in suspend_kproc (td=) at /usr/src/sys/kern/kern_kthread.c:158
Backtrace stopped: previous frame inner to this frame (corrupt stack?)

Core and kernel are available in leaf~mh/crash

Max

History

#1 Updated by nthery over 4 years ago

[...]
> #14 0xc0296ccb in ral_pci_attach (dev=0xc14d3a58) at /usr/src/sys/dev/netif/ral/if_ral_pci.c:209

It looks like sc_ifp is initialized after ifp = sc->sc_ifp.

Could you try this patch please?

diff --git a/sys/dev/netif/ral/if_ral_pci.c b/sys/dev/netif/ral/if_ral_pci.c
index 4af51b1..c94fad7 100644
--- a/sys/dev/netif/ral/if_ral_pci.c
+++ b/sys/dev/netif/ral/if_ral_pci.c
@@ -164,7 +164,7 @@ ral_pci_attach(device_t dev)
{
struct ral_pci_softc *psc = device_get_softc(dev);
struct rt2560_softc *sc = &psc->u.sc_rt2560;
- struct ifnet *ifp = sc->sc_ifp;
+ struct ifnet *ifp;
int error;

if (pci_get_powerstate(dev) != PCI_POWERSTATE_D0) {
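Review bot: `struct ifnet *ifp;` in the declarations is now uninitialized from function entry until the assignment added in the second hunk, so any statement in between, starting at the pci_get_powerstate() check, that touched ifp would read an indeterminate pointer instead of a predictable NULL. Consider `struct ifnet *ifp = NULL;`, or declaring ifp in the narrower scope where it is first used, so an accidental early use fails deterministically and is easier to spot in review.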
@@ -202,6 +202,7 @@ ral_pci_attach(device_t dev)
error = (*psc->sc_opns->attach)(dev, pci_get_device(dev));
if (error != 0)
return error;
+ ifp = sc->sc_ifp;

/*
* Hook our interrupt after all initialization is complete.
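Review bot: After `ifp = sc->sc_ifp;` nothing verifies that the chip-specific attach actually populated sc_ifp, so a successful return from `(*psc->sc_opns->attach)` that left it NULL would still hand a NULL ifp to whatever uses it after this point; a KASSERT or an explicit NULL check that returns an error right after the assignment would make that contract explicit. A short comment would also help here: sc is `&psc->u.sc_rt2560`, one member of a union, while attach is dispatched through sc_opns, so this read assumes every softc variant in the union keeps sc_ifp at the same offset.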

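The ordering problem identified in update #1, modelled in user space as an added example (not part of the thread or the DragonFly source). `mock_ifnet`, `mock_softc` and `mock_chip_attach` are constructed stand-ins, and the padding is sized on the assumption that the accessed member sits at the reported fault address 0x1f0; it is not the real `struct ifnet` layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins for illustration; not the DragonFly definitions. */
struct mock_ifnet {
    char pad[0x1f0];   /* assumption: puts `touched` at the reported fault offset */
    int  touched;
};
struct mock_softc { struct mock_ifnet *sc_ifp; };

/* Stand-in for the chip attach routine: sc_ifp only becomes valid here. */
static int mock_chip_attach(struct mock_softc *sc)
{
    sc->sc_ifp = calloc(1, sizeof(*sc->sc_ifp));
    return (sc->sc_ifp == NULL) ? -1 : 0;
}

/* Pre-patch order: the local is a snapshot taken before attach ran.
 * Returns the address a load of ifp->touched would hit (never dereferenced). */
static uintptr_t attach_snapshot_first(struct mock_softc *sc)
{
    struct mock_ifnet *ifp = sc->sc_ifp;   /* still NULL in a zeroed softc */
    if (mock_chip_attach(sc) != 0)
        return 0;
    return (uintptr_t)ifp + offsetof(struct mock_ifnet, touched);
}

/* Patched order, plus a NULL guard that is an addition of this example. */
static int attach_read_after(struct mock_softc *sc)
{
    struct mock_ifnet *ifp;
    if (mock_chip_attach(sc) != 0)
        return -1;
    ifp = sc->sc_ifp;                      /* read only after attach succeeded */
    if (ifp == NULL)
        return -1;
    ifp->touched = 1;
    return ifp->touched;
}

int main(void)
{
    struct mock_softc a = { NULL }, b = { NULL };
    printf("stale snapshot would fault at %#lx\n",
           (unsigned long)attach_snapshot_first(&a));
    printf("read after attach returns %d\n", attach_read_after(&b));
    free(a.sc_ifp); free(b.sc_ifp);
    return 0;
}
```

A small fault address such as 0x1f0 is the usual signature of a member access through a NULL base pointer, which is why the trace points at the stale local rather than at the attach routine.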
#2 Updated by herrgard over 4 years ago

Nicolas Thery wrote:
> 2010/6/21 Max Herrgård <>:
>> Hi,
>>
>> I get this crash when plugging in my ral(4) cardbus card.
> [...]
>> #14 0xc0296ccb in ral_pci_attach (dev=0xc14d3a58) at /usr/src/sys/dev/netif/ral/if_ral_pci.c:209
>
> It looks like sc_ifp is initialized after ifp = sc->sc_ifp.
>
> Could you try this patch please?
>
>
> diff --git a/sys/dev/netif/ral/if_ral_pci.c b/sys/dev/netif/ral/if_ral_pci.c
> index 4af51b1..c94fad7 100644
> --- a/sys/dev/netif/ral/if_ral_pci.c
> +++ b/sys/dev/netif/ral/if_ral_pci.c
> @@ -164,7 +164,7 @@ ral_pci_attach(device_t dev)
> {
> struct ral_pci_softc *psc = device_get_softc(dev);
> struct rt2560_softc *sc = &psc->u.sc_rt2560;
> - struct ifnet *ifp = sc->sc_ifp;
> + struct ifnet *ifp;
> int error;
>
> if (pci_get_powerstate(dev) != PCI_POWERSTATE_D0) {
> @@ -202,6 +202,7 @@ ral_pci_attach(device_t dev)
> error = (*psc->sc_opns->attach)(dev, pci_get_device(dev));
> if (error != 0)
> return error;
> + ifp = sc->sc_ifp;
>
> /*
> * Hook our interrupt after all initialization is complete.

Yup. This patch fixes this crash.

Thank you,
Max

#3 Updated by herrgard over 4 years ago

Max Herrgård wrote:
> Nicolas Thery wrote:
>> diff --git a/sys/dev/netif/ral/if_ral_pci.c b/sys/dev/netif/ral/if_ral_pci.c
>> index 4af51b1..c94fad7 100644
>> --- a/sys/dev/netif/ral/if_ral_pci.c
>> +++ b/sys/dev/netif/ral/if_ral_pci.c
>> @@ -164,7 +164,7 @@ ral_pci_attach(device_t dev)
>> {
>> struct ral_pci_softc *psc = device_get_softc(dev);
>> struct rt2560_softc *sc = &psc->u.sc_rt2560;
>> - struct ifnet *ifp = sc->sc_ifp;
>> + struct ifnet *ifp;
>> int error;
>>
>> if (pci_get_powerstate(dev) != PCI_POWERSTATE_D0) {
>> @@ -202,6 +202,7 @@ ral_pci_attach(device_t dev)
>> error = (*psc->sc_opns->attach)(dev, pci_get_device(dev));
>> if (error != 0)
>> return error;
>> + ifp = sc->sc_ifp;
>>
>> /*
>> * Hook our interrupt after all initialization is complete.
>
> Yup. This patch fixes this crash.
>
> Thank you,
> Max

However, this happens when I try to use it:

bender# ifconfig ral0 up
Jul 21 22:47:29 bender kernel: in6_ifattach_linklocal: failed to configure a link-local address on ral0 (errno=22)

bender# ifconfig wlan0 create wlandev ral0
wlan0: MAC address: 00:08:a1:a4:8d:97

...and then this crash comes when doing 'ifconfig wlan0 up':

Reading symbols from /usr/home/crash/kern.5...done.

Unread portion of the kernel message buffer:
ral0: need multicast update callback
panic: only BUS_DMA_NOWAIT is supported

Trace beginning at frame 0xc72ddb9c
panic(ffffffff) at panic+0x8e
panic(c062171c,c72ddc32,45e0d8,0,c723b0c0) at panic+0x8e
bus_dmamap_load_mbuf_segment(c14b3840,0,c9708d00,c72ddc20,1,c72ddc48,0) at bus_dmamap_load_mbuf_segment+0x6d
rt2661_raw_xmit(c6fb52b8,c9708d00,c72ddc96) at rt2661_raw_xmit+0x128
ieee80211_send_probereq(c6fb52b8,c723b364,c058d0c0,c058d0c0,c05c9174,0) at ieee80211_send_probereq+0x3c1
ieee80211_probe_curchan(c723b0c0,0) at ieee80211_probe_curchan+0xb3
scan_curchan(c70669c8,14,c6fb04b8,c6fb04b8,c6fb04cc) at scan_curchan+0x29
scan_task(c70669c8,1,c1423a20,c1423a3c,c06cbb18) at scan_task+0x2a4
taskqueue_run(c06cbb18,ff800000,0,c0322647,c6fb0534) at taskqueue_run+0x70
taskqueue_thread_loop(c6fb0534,0,0,0,0) at taskqueue_thread_loop+0x2b
lwkt_exit() at lwkt_exit
Debugger("panic")
panic: from debugger
Uptime: 54m58s
Physical memory: 215 MB
Dumping 48 MB: 33 17 1

Reading symbols from /boot/modules/vesa.ko...done.
Loaded symbols for /boot/modules/vesa.ko
Reading symbols from /boot/modules/acpi.ko...done.
Loaded symbols for /boot/modules/acpi.ko
_get_mycpu (di=0xc06d7980) at ./machine/thread.h:83
in ./machine/thread.h
(kgdb) bt
#0 _get_mycpu (di=0xc06d7980) at ./machine/thread.h:83
#1 md_dumpsys (di=0xc06d7980) at /usr/src/sys/platform/pc32/i386/dump_machdep.c:263
#2 0xc0319ea1 in dumpsys () at /usr/src/sys/kern/kern_shutdown.c:839
#3 0xc031a41c in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:388
#4 0xc031a542 in panic (fmt=0xc05adfb2 "from debugger") at /usr/src/sys/kern/kern_shutdown.c:745
#5 0xc0178ad5 in db_panic (addr=-1068167144, have_addr=0, count=-1, modif=0xc72dda54 "") at /usr/src/sys/ddb/db_command.c:448
#6 0xc017914a in db_command () at /usr/src/sys/ddb/db_command.c:344
#7 db_command_loop () at /usr/src/sys/ddb/db_command.c:470
#8 0xc017b758 in db_trap (type=3, code=0) at /usr/src/sys/ddb/db_trap.c:71
#9 0xc0551184 in kdb_trap (type=3, code=0, regs=0xc72ddb4c) at /usr/src/sys/platform/pc32/i386/db_interface.c:152
#10 0xc0563717 in trap (frame=0xc72ddb4c) at /usr/src/sys/platform/pc32/i386/trap.c:837
#11 0xc0552557 in calltrap () at /usr/src/sys/platform/pc32/i386/exception.s:785
#12 0xc0551018 in breakpoint (msg=0xc05c5eca "panic") at ./cpu/cpufunc.h:73
#13 Debugger (msg=0xc05c5eca "panic") at /usr/src/sys/platform/pc32/i386/db_interface.c:334
#14 0xc031a539 in panic (fmt=0xc062171c "only BUS_DMA_NOWAIT is supported\n") at /usr/src/sys/kern/kern_shutdown.c:743
#15 0xc0550ced in bus_dmamap_load_mbuf_segment (dmat=0xc14b3840, map=0x0, m0=0xff800000, segs=0xc72ddc20, maxsegs=1,
nsegs=0xc72ddc48, flags=<value optimized out>) at /usr/src/sys/platform/pc32/i386/busdma_machdep.c:882
#16 0xc029ea45 in rt2661_tx_mgt (ni=0xc6fb52b8, m=0xc9708d00, params=0xc72ddc96) at /usr/src/sys/dev/netif/ral/rt2661.c:1337
#17 rt2661_raw_xmit (ni=0xc6fb52b8, m=0xc9708d00, params=0xc72ddc96) at /usr/src/sys/dev/netif/ral/rt2661.c:1691
#18 0xc03bea87 in ieee80211_send_probereq (ni=0xc6fb52b8, sa=0xc723b364 "",
da=0xc058d0c0 "\377\377\377\377\377\377ether_input_chain", bssid=0xc058d0c0 "\377\377\377\377\377\377ether_input_chain",
ssid=0xc05c9174 "", ssidlen=0) at /usr/src/sys/netproto/802_11/wlan/ieee80211_output.c:1821
#19 0xc03c31a8 in ieee80211_probe_curchan (vap=0xc723b0c0, force=0) at /usr/src/sys/netproto/802_11/wlan/ieee80211_scan.c:791
#20 0xc03c3c01 in scan_curchan (ss=0xc70669c8, maxdwell=20) at /usr/src/sys/netproto/802_11/wlan/ieee80211_scan.c:809
#21 0xc03c3ed5 in scan_task (arg=0xc70669c8, pending=1) at /usr/src/sys/netproto/802_11/wlan/ieee80211_scan.c:940
#22 0xc033bdbb in taskqueue_run (queue=0xc1423a20, lock_held=1) at /usr/src/sys/kern/subr_taskqueue.c:271
#23 0xc033bf4d in taskqueue_thread_loop (arg=0xc6fb0534) at /usr/src/sys/kern/subr_taskqueue.c:373
#24 0xc0322647 in lwkt_deschedule_self (td=) at /usr/src/sys/kern/lwkt_thread.c:250
Backtrace stopped: previous frame inner to this frame (corrupt stack?)

Max

#4 Updated by josepht over 4 years ago

On Wed, Jul 21, 2010 at 09:06:03PM +0200, Max Herrgård wrote:
> Max Herrgård wrote:
>
> However, this happens when I try to use it:
>
> bender# ifconfig ral0 up
> Jul 21 22:47:29 bender kernel: in6_ifattach_linklocal: failed to configure a link-local address on ral0 (errno=22)
>
> bender# ifconfig wlan0 create wlandev ral0
> wlan0: MAC address: 00:08:a1:a4:8d:97
>
> ...and then this crash comes when doing 'ifconfig wlan0 up':
>
> Reading symbols from /usr/home/crash/kern.5...done.
>
> Unread portion of the kernel message buffer:
> ral0: need multicast update callback
> panic: only BUS_DMA_NOWAIT is supported
>
> Trace beginning at frame 0xc72ddb9c
> panic(ffffffff) at panic+0x8e
> panic(c062171c,c72ddc32,45e0d8,0,c723b0c0) at panic+0x8e
> bus_dmamap_load_mbuf_segment(c14b3840,0,c9708d00,c72ddc20,1,c72ddc48,0) at bus_dmamap_load_mbuf_segment+0x6d

In sys/dev/netif/ral/rt2661.c change the 0 at the end of the calls to
bus_dmamap_load_mbuf_segment to BUS_DMA_NOWAIT.

Thanks,
Joe

#5 Updated by nthery about 4 years ago

Thanks for testing it. I'll commit it this week-end.

2010/7/19 Max Herrgård <>:
> Nicolas Thery wrote:
>> 2010/6/21 Max Herrgård <>:
>>> Hi,
>>>
>>> I get this crash when plugging in my ral(4) cardbus card.
>> [...]
>>> #14 0xc0296ccb in ral_pci_attach (dev=0xc14d3a58) at /usr/src/sys/dev/netif/ral/if_ral_pci.c:209
>>
>> It looks like sc_ifp is initialized after ifp  = sc->sc_ifp.
>>
>> Could you try this patch please?
>>
>>
>> diff --git a/sys/dev/netif/ral/if_ral_pci.c b/sys/dev/netif/ral/if_ral_pci.c
>> index 4af51b1..c94fad7 100644
>> --- a/sys/dev/netif/ral/if_ral_pci.c
>> +++ b/sys/dev/netif/ral/if_ral_pci.c
>> @@ -164,7 +164,7 @@ ral_pci_attach(device_t dev)
>> {
>>        struct ral_pci_softc *psc = device_get_softc(dev);
>>        struct rt2560_softc *sc = &psc->u.sc_rt2560;
>> -       struct ifnet *ifp = sc->sc_ifp;
>> +       struct ifnet *ifp;
>>        int error;
>>
>>        if (pci_get_powerstate(dev) != PCI_POWERSTATE_D0) {
>> @@ -202,6 +202,7 @@ ral_pci_attach(device_t dev)
>>        error = (*psc->sc_opns->attach)(dev, pci_get_device(dev));
>>        if (error != 0)
>>                return error;
>> +       ifp = sc->sc_ifp;
>>
>>        /*
>>         * Hook our interrupt after all initialization is complete.
>
> Yup. This patch fixes this crash.
>
> Thank you,
> Max
>
>
>

#6 Updated by nthery about 4 years ago

Committed to master.
