NetBSD-Bugs archive


kern/52553: Panic on "ifconfig athn0 up"



>Number:         52553
>Category:       kern
>Synopsis:       Panic on "ifconfig athn0 up"
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Sep 18 16:05:00 +0000 2017
>Originator:     Andreas Gustafsson
>Release:        NetBSD-current, source date 2017.09.06.18.21.17
>Organization:

>Environment:
System: NetBSD
Architecture: i386
Machine: i386
>Description:

While trying to reproduce PR 52526, I noticed that I can reliably
crash the machine by running the shell command

  while true; do ifconfig athn0 down; ifconfig athn0 up; done

I reproduced this with a debug build, built with build.sh -V
MKDEBUG=YES -V COPTS="-g -fdebug-prefix-map=$(pwd)=/usr/src",
and had a look at the crash dump:

  localhost# cd /var/crash
  localhost# gdb /netbsd
  [...]
  (gdb) target kvm netbsd.2.core
  maybe_dump (howto=260) at /usr/src/sys/arch/i386/i386/machdep.c:757
  757             splx(s);
  (gdb) bt
  #0  maybe_dump (howto=260) at /usr/src/sys/arch/i386/i386/machdep.c:757
  #1  0xc011edb5 in cpu_reboot (howto=260, bootstr=0x0) at /usr/src/sys/arch/i386/i386/machdep.c:776
  #2  0xc0bf7c59 in vpanic (fmt=0xc1093df8 "trap", ap=0xd95f6b18 "\260k_\331\260k_\331\001") at /usr/src/sys/kern/subr_prf.c:342
  #3  0xc0bf7a8b in panic (fmt=0xc1093df8 "trap") at /usr/src/sys/kern/subr_prf.c:258
  #4  0xc01225ef in trap (frame=0xd95f6bb0) at /usr/src/sys/arch/i386/i386/trap.c:324
  #5  0xc0116e8f in alltraps ()
  #6  0xd95f6bb0 in ?? ()
  #7  0xc050360c in athn_usb_init (ifp=0xc2685ae4) at /usr/src/sys/dev/usb/if_athn_usb.c:2727
  #8  0xc0503465 in athn_usb_ioctl (ifp=0xc2685ae4, cmd=2156947728, data=0xc279d188) at /usr/src/sys/dev/usb/if_athn_usb.c:2673
  #9  0xc0cae54d in doifioctl (so=0xc27acbac, cmd=2156947728, data=0xc279d188, l=0xc2752d40) at /usr/src/sys/net/if.c:3042
  #10 0xc0c15014 in soo_ioctl (fp=0xc272cf40, cmd=2156947728, data=0xc279d188) at /usr/src/sys/kern/sys_socket.c:202
  #11 0xc0c069ae in sys_ioctl (l=0xc2752d40, uap=0xd95f6f74, retval=0xd95f6f6c) at /usr/src/sys/kern/sys_generic.c:671
  #12 0xc016a2c5 in sy_call (sy=0xc16aa218 <sysent+1080>, l=0xc2752d40, uap=0xd95f6f74, rval=0xd95f6f6c) at /usr/src/sys/sys/syscallvar.h:65
  #13 0xc016a395 in sy_invoke (sy=0xc16aa218 <sysent+1080>, l=0xc2752d40, uap=0xd95f6f74, rval=0xd95f6f6c, code=54) at /usr/src/sys/sys/syscallvar.h:94
  #14 0xc016a63c in syscall (frame=0xd95f6fa8) at /usr/src/sys/arch/x86/x86/syscall.c:140
  #15 0xc0100696 in Xsyscall ()
  #16 0xd95f6fa8 in ?? ()
  Backtrace stopped: previous frame inner to this frame (corrupt stack?)
  (gdb) frame 7
  #7  0xc050360c in athn_usb_init (ifp=0xc2685ae4) at /usr/src/sys/dev/usb/if_athn_usb.c:2727
  2727            int ret = athn_usb_init_locked(ifp);
  (gdb) l
  2722    {
  2723            struct athn_softc *sc = ifp->if_softc;
  2724            struct athn_usb_softc *usc = ATHN_USB_SOFTC(sc);
  2725    
  2726            mutex_enter(&usc->usc_lock);
  2727            int ret = athn_usb_init_locked(ifp);
  2728            mutex_exit(&usc->usc_lock);
  2729    
  2730            return ret;
  2731    }
  (gdb) frame 8
  #8  0xc0503465 in athn_usb_ioctl (ifp=0xc2685ae4, cmd=2156947728, data=0xc279d188) at /usr/src/sys/dev/usb/if_athn_usb.c:2673
  2673                            error = athn_usb_init(ifp);
  (gdb) l
  2668    
  2669                    switch (ifp->if_flags & (IFF_UP | IFF_RUNNING)) {
  2670                    case IFF_UP | IFF_RUNNING:
  2671                            break;
  2672                    case IFF_UP:
  2673                            error = athn_usb_init(ifp);
  2674                            break;
  2675                    case IFF_RUNNING:
  2676                            athn_usb_stop(ifp, 0);
  2677                            break;

Since this crash occurred while configuring the interface up rather
than down, I figure it's a separate bug from 52526 and warrants its
own bug report.  Besides, this one is easier to reproduce.
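As an added check that is not part of the PR: the `cmd=2156947728` argument visible in frames 8 and 9 of the backtrace is a BSD ioctl request number, and decoding it confirms which request the `ifconfig` loop was issuing when the trap happened. The program below reproduces the `_IOC` encoding from `sys/ioccom.h` by hand (so it builds on any host, not only NetBSD) and is example code written for this page, not NetBSD's own. `2156947728` is `0x80906910`, which decodes to `_IOW('i', 16, 144 bytes)`: group `'i'` (interface ioctls), request 16, with a 144-byte argument copied in. That is `SIOCSIFFLAGS` with a 144-byte `struct ifreq`, the request `ifconfig athn0 up` and `ifconfig athn0 down` both use, which matches the `IFF_UP | IFF_RUNNING` switch in `athn_usb_ioctl` shown above. The 144-byte `struct ifreq` size is taken from the decoded length field rather than assumed.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * BSD ioctl request encoding (sys/ioccom.h), reproduced here by hand:
 *   bit 31       IOC_IN    argument is copied into the kernel
 *   bit 30       IOC_OUT   argument is copied out to userland
 *   bit 29       IOC_VOID  no argument
 *   bits 16..28  parameter length (13 bits, IOCPARM_MASK = 0x1fff)
 *   bits 8..15   group (usually an ASCII letter, 'i' for interface ioctls)
 *   bits 0..7    request number within the group
 */
#define BSD_IOCPARM_MASK 0x1fffU
#define BSD_IOC_VOID     0x20000000U
#define BSD_IOC_OUT      0x40000000U
#define BSD_IOC_IN       0x80000000U
#define BSD_IOC_DIRMASK  0xe0000000U

struct ioc_fields {
    uint32_t dir;    /* combination of BSD_IOC_* direction bits */
    unsigned len;    /* size in bytes of the argument copied in/out */
    unsigned group;  /* group byte */
    unsigned num;    /* request number */
};

/* Build a request number the way _IOC() does. */
uint32_t bsd_ioc(uint32_t dir, unsigned group, unsigned num, unsigned len)
{
    return dir | ((len & BSD_IOCPARM_MASK) << 16) | ((group & 0xffU) << 8) |
           (num & 0xffU);
}

/* Split a request number back into its fields. */
struct ioc_fields decode_ioc(uint32_t cmd)
{
    struct ioc_fields f;
    f.dir   = cmd & BSD_IOC_DIRMASK;
    f.len   = (cmd >> 16) & BSD_IOCPARM_MASK;
    f.group = (cmd >> 8) & 0xffU;
    f.num   = cmd & 0xffU;
    return f;
}

/* Render the request in the _IOx('g', n, len) notation used by sys/sockio.h. */
void ioc_describe(uint32_t cmd, char *buf, size_t buflen)
{
    struct ioc_fields f = decode_ioc(cmd);
    const char *macro;
    int in  = (f.dir & BSD_IOC_IN)  != 0;
    int out = (f.dir & BSD_IOC_OUT) != 0;

    if (in && out)      macro = "_IOWR";
    else if (in)        macro = "_IOW";
    else if (out)       macro = "_IOR";
    else                macro = "_IO";

    snprintf(buf, buflen, "%s('%c', %u, %u bytes)", macro,
             isprint((int)f.group) ? (char)f.group : '?', f.num, f.len);
}

/*
 * SIOCSIFFLAGS is defined as _IOW('i', 16, struct ifreq).  The ifreq size
 * varies by platform, so this check takes it from the request itself: any
 * _IOW('i', 16, <len>) is SIOCSIFFLAGS for some ifreq layout.
 */
int is_siocsifflags(uint32_t cmd)
{
    struct ioc_fields f = decode_ioc(cmd);
    return f.dir == BSD_IOC_IN && f.group == 'i' && f.num == 16;
}

int main(void)
{
    /* Value copied from frames 8 and 9 of the gdb backtrace in the PR. */
    uint32_t cmd = 2156947728U;
    char desc[64];

    ioc_describe(cmd, desc, sizeof desc);
    printf("cmd 0x%08x = %s%s\n", cmd, desc,
           is_siocsifflags(cmd) ? "  [SIOCSIFFLAGS]" : "");
    return 0;
}
```

Running it prints `cmd 0x80906910 = _IOW('i', 16, 144 bytes)  [SIOCSIFFLAGS]`. The same decode works for any ioctl number seen in a NetBSD panic trace, which is a quicker way to identify the syscall path than matching frame addresses by hand.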

It looks like the trap actually occurred in athn_usb_init_locked(),
but gdb is unable to correctly display the stack frame in this case,
which is rather unfortunate and a bug in itself.  OTOH, ddb does
pinpoint the trap to athn_usb_init_locked+0x110:

  --- trap (number 6) ---
  athn_usb_init_locked(c2685ae4,c2685000,c2685000,c2752d40,d95f6cf0,c0503465,c2685ae4,80906910,c279d188,0) at netbsd:athn_usb_init_locked+0x110
  athn_usb_init(c2685ae4,80906910,c279d188,0,c2685000,c2685000,c2685030,0,d95f6e00,c0cae54d) at netbsd:athn_usb_init+0x2f

which would be near the end of this code block:

  (gdb) x/30i athn_usb_init_locked
     0xc0503624 <athn_usb_init_locked>:   push   %ebp
     0xc0503625 <athn_usb_init_locked+1>: mov    %esp,%ebp
     0xc0503627 <athn_usb_init_locked+3>: push   %edi
     0xc0503628 <athn_usb_init_locked+4>: push   %esi
     0xc0503629 <athn_usb_init_locked+5>: push   %ebx
     0xc050362a <athn_usb_init_locked+6>: sub    $0xb4,%esp
     0xc0503630 <athn_usb_init_locked+12>:        mov    0x8(%ebp),%eax
     0xc0503633 <athn_usb_init_locked+15>:        mov    %eax,-0xa4(%ebp)
     0xc0503639 <athn_usb_init_locked+21>:        mov    0xc16ad420,%eax
     0xc050363e <athn_usb_init_locked+26>:        mov    %eax,-0x10(%ebp)
     0xc0503641 <athn_usb_init_locked+29>:        xor    %eax,%eax
     0xc0503643 <athn_usb_init_locked+31>:        mov    -0xa4(%ebp),%eax
     0xc0503649 <athn_usb_init_locked+37>:        mov    (%eax),%eax
     0xc050364b <athn_usb_init_locked+39>:        mov    %eax,-0x94(%ebp)
     0xc0503651 <athn_usb_init_locked+45>:        mov    -0x94(%ebp),%eax
     0xc0503657 <athn_usb_init_locked+51>:        mov    %eax,-0x90(%ebp)
     0xc050365d <athn_usb_init_locked+57>:        mov    -0x94(%ebp),%eax
     0xc0503663 <athn_usb_init_locked+63>:        add    $0x1ad4,%eax
     0xc0503668 <athn_usb_init_locked+68>:        mov    %eax,-0x8c(%ebp)
     0xc050366e <athn_usb_init_locked+74>:        mov    -0x94(%ebp),%eax
     0xc0503674 <athn_usb_init_locked+80>:        add    $0x30,%eax
     0xc0503677 <athn_usb_init_locked+83>:        mov    %eax,-0x88(%ebp)
     0xc050367d <athn_usb_init_locked+89>:        mov    -0x90(%ebp),%eax
     0xc0503683 <athn_usb_init_locked+95>:        mov    0x1db0(%eax),%eax
     0xc0503689 <athn_usb_init_locked+101>:       test   %eax,%eax
     0xc050368b <athn_usb_init_locked+103>:       je     0xc0503697 <athn_usb_init_locked+115>
     0xc050368d <athn_usb_init_locked+105>:       mov    $0x6,%eax
     0xc0503692 <athn_usb_init_locked+110>:       jmp    0xc0503ded <athn_usb_init_locked+1993>
     0xc0503697 <athn_usb_init_locked+115>:       mov    -0x90(%ebp),%eax
     0xc050369d <athn_usb_init_locked+121>:       add    $0x1d88,%eax

Here is the full dmesg:

  Copyright (c) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
      2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017
      The NetBSD Foundation, Inc.  All rights reserved.
  Copyright (c) 1982, 1986, 1989, 1991, 1993
      The Regents of the University of California.  All rights reserved.

  NetBSD 8.99.2 (MONOLITHIC) #1: Sun Sep 17 21:07:09 EEST 2017
	  gson%guido.araneus.fi@localhost:/bracket/prod/current/i386/obj/sys/arch/i386/compile/MONOLITHIC
  total memory = 511 MB
  avail memory = 477 MB
  timecounter: Timecounters tick every 10.000 msec
  Kernelized RAIDframe activated
  running cgd selftest aes-xts-256 aes-xts-512 done
  timecounter: Timecounter "i8254" frequency 1193182 Hz quality 100
  Compaq Deskpro EN Series SFF
  mainbus0 (root)
  ACPI: RSDP 0x00000000000E0010 000014 (v00 COMPAQ)
  ACPI: RSDT 0x00000000000E0080 000034 (v01 COMPAQ CPQB053  19990818      00000000)
  ACPI: FACP 0x00000000000E00CC 000074 (v01 COMPAQ SCARAB   00000001      00000000)
  ACPI: DSDT 0x00000000000E0140 000883 (v01 COMPAQ DSDT     00000001 MSFT 0100000B)
  ACPI: FACS 0x00000000000E0040 000040
  ACPI: SSDT 0x00000000000E09C3 000FFD (v01 COMPAQ VILLTBL1 00000001 MSFT 0100000B)
  ACPI: SSDT 0x00000000000E19C0 000774 (v01 COMPAQ PNP_PRSS 00000001 MSFT 0100000B)
  ACPI: SSDT 0x00000000000E2134 000073 (v01 COMPAQ PME      00000001 MSFT 0100000B)
  ACPI: 4 ACPI AML tables successfully acquired and loaded
  ACPI: BIOS is too old (19990818). Set acpi_force_load to use.
  ACPI Error: Could not remove SCI handler (20170303/evmisc-312)
  cpu0 at mainbus0
  cpu0: Intel 686-class, 597MHz, id 0x683
  cpu0: package 0, core 0, smt 0
  pci0 at mainbus0 bus 0: configuration mode 1
  pci0: This pci host supports neither MSI nor MSI-X.
  pci0: i/o space, memory space enabled, rd/line, rd/mult, wr/inv ok
  pchb0 at pci0 dev 0 function 0: vendor 8086 product 7190 (rev. 0x03)
  agp0 at pchb0: aperture at 0x44000000, size 0x4000000
  ppb0 at pci0 dev 1 function 0: vendor 8086 product 7191 (rev. 0x03)
  pci1 at ppb0 bus 1
  pci1: This pci host supports neither MSI nor MSI-X.
  pci1: i/o space, memory space enabled
  vga0 at pci1 dev 0 function 0: vendor 1002 product 4742 (rev. 0x5c)
  wsdisplay0 at vga0 kbdmux 1: console (80x25, vt100 emulation)
  wsmux1: connecting to wsdisplay0
  drm at vga0 not configured
  fxp0 at pci0 dev 10 function 0: i82558 Ethernet (rev. 0x05)
  fxp0: interrupting at irq 11
  fxp0: May need receiver lock-up workaround
  fxp0: Ethernet address 00:50:8b:d7:f4:37
  inphy0 at fxp0 phy 1: i82555 10/100 media interface, rev. 0
  inphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
  pcib0 at pci0 dev 20 function 0: vendor 8086 product 7110 (rev. 0x02)
  piixide0 at pci0 dev 20 function 1: Intel 82371AB IDE controller (PIIX4) (rev. 0x01)
  piixide0: bus-master DMA support present
  piixide0: primary channel wired to compatibility mode
  piixide0: primary channel interrupting at irq 14
  atabus0 at piixide0 channel 0
  piixide0: secondary channel wired to compatibility mode
  piixide0: secondary channel interrupting at irq 15
  atabus1 at piixide0 channel 1
  uhci0 at pci0 dev 20 function 2: vendor 8086 product 7112 (rev. 0x01)
  uhci0: interrupting at irq 11
  usb0 at uhci0: USB revision 1.0
  piixpm0 at pci0 dev 20 function 3: vendor 8086 product 7113 (rev. 0x02)
  timecounter: Timecounter "piixpm0" frequency 3579545 Hz quality 900
  piixpm0: 24-bit timer
  piixpm0: interrupting at SMI, polling
  iic0 at piixpm0: I2C bus
  isa0 at pcib0
  lpt0 at isa0 port 0x378-0x37b irq 7
  com0 at isa0 port 0x3f8-0x3ff irq 4: ns16550a, working fifo
  com1 at isa0 port 0x2f8-0x2ff irq 3: ns16550a, working fifo
  pckbc0 at isa0 port 0x60-0x64
  attimer0 at isa0 port 0x40-0x43
  sb0 at isa0 port 0x220-0x237 irq 5 drq 1: dsp v3.01
  audio0 at sb0: half duplex, playback, capture, mmap, independent
  sb0: Virtual format auto config failed!
  Please check hardware capabilities
  sb0: audioattach: audio_set_vchan_defaults() failed
  midi0 at sb0: SB MIDI UART
  opl0 at sb0: model OPL3
  midi1 at opl0: SB Yamaha OPL3
  pcppi0 at isa0 port 0x61
  midi2 at pcppi0: PC speaker
  sysbeep0 at pcppi0
  isapnp0 at isa0 port 0x279
  fdc0 at isa0 port 0x3f0-0x3f7 irq 6 drq 2
  attimer0: attached to pcppi0
  isapnp0: no ISA Plug 'n Play devices found
  timecounter: Timecounter "clockinterrupt" frequency 100 Hz quality 0
  fd0 at fdc0 drive 0: 1.44MB, 80 cyl, 2 head, 18 sec
  uhub0 at usb0: vendor 8086 (0x8086) UHCI root hub (0000), class 9/0, rev 1.00/1.00, addr 1
  uhub0: 2 ports with 2 removable, self powered
  IPsec: Initialized Security Association Processing.
  uhidev0 at uhub0 port 1 configuration 1 interface 0
  uhidev0: Belkin Components (0x50d) USB-PS2 Adapter (0x119), rev 1.10/1.20, addr 2, iclass 3/1
  ukbd0 at uhidev0: 8 Variable keys, 6 Array codes
  wskbd0 at ukbd0: console keyboard, using wsdisplay0
  uhidev1 at uhub0 port 1 configuration 1 interface 1
  uhidev1: Belkin Components (0x50d) USB-PS2 Adapter (0x119), rev 1.10/1.20, addr 2, iclass 3/1
  ums0 at uhidev1: 5 buttons and Z dir
  wsmouse0 at ums0 mux 0
  wd0 at atabus0 drive 0
  wd0: <Maxtor 6E040L0>
  wd0: drive supports 16-sector PIO transfers, LBA48 addressing
  wd0: 38166 MB, 77545 cyl, 16 head, 63 sec, 512 bytes/sect x 78165360 sectors
  wd0: 32-bit data port
  wd0: drive supports PIO mode 4, DMA mode 2, Ultra-DMA mode 5 (Ultra/100)
  wd0(piixide0:0:0): using PIO mode 4, Ultra-DMA mode 2 (Ultra/33) (using DMA)
  atapibus0 at atabus1: 2 targets
  cd0 at atapibus0 drive 0: <Compaq  CRN-8241B, 1999/11/13, 2.23> cdrom removable
  cd0: 32-bit data port
  cd0: drive supports PIO mode 4, DMA mode 2
  cd0(piixide0:1:0): using PIO mode 4, DMA mode 2 (using DMA)
  WARNING: 2 errors while detecting hardware; check system log.
  boot device: wd0
  root on wd0a dumps on wd0b
  root file system type: ffs
  kern.module.path=/stand/i386/8.99.2/modules
  wsdisplay0: screen 1 added (80x25, vt100 emulation)
  wsdisplay0: screen 2 added (80x25, vt100 emulation)
  wsdisplay0: screen 3 added (80x25, vt100 emulation)
  wsdisplay0: screen 4 added (80x25, vt100 emulation)
  athn0 at uhub0 port 2
  : Atheros AR9271
  athn0: rev 1 (1T1R), ROM rev 15, address 48:5d:60:57:7d:4f
  athn0: 11b rates: 1Mbps 2Mbps 5.5Mbps 11Mbps
  athn0: 11g rates: 1Mbps 2Mbps 5.5Mbps 11Mbps 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
  uvm_fault(0xc261b9f0, 0, 1) -> 0xe
  fatal page fault in supervisor mode
  trap type 6 code 0 eip 0xc0503734 cs 0x8 eflags 0x10246 cr2 0xc ilevel 0x6 esp 0xc2686d8c
  curlwp 0xc2752d40 pid 72 lid 1 lowest kstack 0xd95f42c0
  panic: trap
  cpu0: Begin traceback...
  vpanic(c1093df8,d95f6b18,d95f6b18,d95f6ba4,c01225ef,c1093df8,d95f6bb0,d95f6bb0,1,e) at netbsd:vpanic+0x1bb
  vpanic(c1093df8,d95f6bb0,d95f6bb0,1,e,d95f6bb0,c0cae076,c26161e4,d95f4000,d95f6c30) at netbsd:vpanic
  trap() at netbsd:trap+0x27a
  --- trap (number 6) ---
  athn_usb_init_locked(c2685ae4,c2685000,c2685000,c2752d40,d95f6cf0,c0503465,c2685ae4,80906910,c279d188,0) at netbsd:athn_usb_init_locked+0x110
  athn_usb_init(c2685ae4,80906910,c279d188,0,c2685000,c2685000,c2685030,0,d95f6e00,c0cae54d) at netbsd:athn_usb_init+0x2f
  athn_usb_ioctl(c2685ae4,80906910,c279d188,c2685ae4,80906910,0,c0bc9c74,c1636d40,d95f6d64,c0167024) at netbsd:athn_usb_ioctl+0xc3
  doifioctl(c27acbac,80906910,c279d188,c2752d40,0,c27acbac,0,d95f6f00,c0c069ae,c272cf40) at netbsd:doifioctl+0x4d7
  soo_ioctl(c272cf40,80906910,c279d188,90,0,c261b9f0,ac8d3000,1000,c261b9f0,80906910) at netbsd:soo_ioctl+0x2eb
  sys_ioctl(c2752d40,d95f6f74,d95f6f6c,ffff0ff0,d95f6f3c,c016a395,c16aa218,c2752d40,d95f6f74,d95f6f6c) at netbsd:sys_ioctl+0x431
  sy_call(c16aa218,c2752d40,d95f6f74,d95f6f6c,c016a4f4,752d40,c2752d40,d95f6f9c,c016a63c,c16aa218) at c016a2c5
  sy_invoke(c16aa218,c2752d40,d95f6f74,d95f6f6c,36,0,c2752d40,c26161e4,36,c16aa218) at netbsd:sy_invoke+0xbb
  syscall() at netbsd:syscall+0xd7
  --- syscall (number 54) ---
  ac84a437:
  cpu0: End traceback...

  dumping to dev 0,1 offset 3148440
  dump succeeded

>How-To-Repeat:

Plug in an athn(4) WiFi adapter and run

  while true; do ifconfig athn0 down; ifconfig athn0 up; done

>Fix:
