NetBSD-Bugs archive
kern/52553: Panic on "ifconfig athn0 up"
>Number: 52553
>Category: kern
>Synopsis: Panic on "ifconfig athn0 up"
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Sep 18 16:05:00 +0000 2017
>Originator: Andreas Gustafsson
>Release: NetBSD-current, source date 2017.09.06.18.21.17
>Organization:
>Environment:
System: NetBSD
Architecture: i386
Machine: i386
>Description:
While trying to reproduce PR 52526, I noticed that I can reliably
crash the machine by running the shell command
    while true; do ifconfig athn0 down; ifconfig athn0 up; done
I reproduced this with a debug build, built with build.sh -V
MKDEBUG=YES -V COPTS="-g -fdebug-prefix-map=$(pwd)=/usr/src",
and had a look at the crash dump:
localhost# cd /var/crash
localhost# gdb /netbsd
[...]
(gdb) target kvm netbsd.2.core
maybe_dump (howto=260) at /usr/src/sys/arch/i386/i386/machdep.c:757
757 splx(s);
(gdb) bt
#0 maybe_dump (howto=260) at /usr/src/sys/arch/i386/i386/machdep.c:757
#1 0xc011edb5 in cpu_reboot (howto=260, bootstr=0x0) at /usr/src/sys/arch/i386/i386/machdep.c:776
#2 0xc0bf7c59 in vpanic (fmt=0xc1093df8 "trap", ap=0xd95f6b18 "\260k_\331\260k_\331\001") at /usr/src/sys/kern/subr_prf.c:342
#3 0xc0bf7a8b in panic (fmt=0xc1093df8 "trap") at /usr/src/sys/kern/subr_prf.c:258
#4 0xc01225ef in trap (frame=0xd95f6bb0) at /usr/src/sys/arch/i386/i386/trap.c:324
#5 0xc0116e8f in alltraps ()
#6 0xd95f6bb0 in ?? ()
#7 0xc050360c in athn_usb_init (ifp=0xc2685ae4) at /usr/src/sys/dev/usb/if_athn_usb.c:2727
#8 0xc0503465 in athn_usb_ioctl (ifp=0xc2685ae4, cmd=2156947728, data=0xc279d188) at /usr/src/sys/dev/usb/if_athn_usb.c:2673
#9 0xc0cae54d in doifioctl (so=0xc27acbac, cmd=2156947728, data=0xc279d188, l=0xc2752d40) at /usr/src/sys/net/if.c:3042
#10 0xc0c15014 in soo_ioctl (fp=0xc272cf40, cmd=2156947728, data=0xc279d188) at /usr/src/sys/kern/sys_socket.c:202
#11 0xc0c069ae in sys_ioctl (l=0xc2752d40, uap=0xd95f6f74, retval=0xd95f6f6c) at /usr/src/sys/kern/sys_generic.c:671
#12 0xc016a2c5 in sy_call (sy=0xc16aa218 <sysent+1080>, l=0xc2752d40, uap=0xd95f6f74, rval=0xd95f6f6c) at /usr/src/sys/sys/syscallvar.h:65
#13 0xc016a395 in sy_invoke (sy=0xc16aa218 <sysent+1080>, l=0xc2752d40, uap=0xd95f6f74, rval=0xd95f6f6c, code=54) at /usr/src/sys/sys/syscallvar.h:94
#14 0xc016a63c in syscall (frame=0xd95f6fa8) at /usr/src/sys/arch/x86/x86/syscall.c:140
#15 0xc0100696 in Xsyscall ()
#16 0xd95f6fa8 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb) frame 7
#7 0xc050360c in athn_usb_init (ifp=0xc2685ae4) at /usr/src/sys/dev/usb/if_athn_usb.c:2727
2727 int ret = athn_usb_init_locked(ifp);
(gdb) l
2722 {
2723 struct athn_softc *sc = ifp->if_softc;
2724 struct athn_usb_softc *usc = ATHN_USB_SOFTC(sc);
2725
2726 mutex_enter(&usc->usc_lock);
2727 int ret = athn_usb_init_locked(ifp);
2728 mutex_exit(&usc->usc_lock);
2729
2730 return ret;
2731 }
(gdb) frame 8
#8 0xc0503465 in athn_usb_ioctl (ifp=0xc2685ae4, cmd=2156947728, data=0xc279d188) at /usr/src/sys/dev/usb/if_athn_usb.c:2673
2673 error = athn_usb_init(ifp);
(gdb) l
2668
2669 switch (ifp->if_flags & (IFF_UP | IFF_RUNNING)) {
2670 case IFF_UP | IFF_RUNNING:
2671 break;
2672 case IFF_UP:
2673 error = athn_usb_init(ifp);
2674 break;
2675 case IFF_RUNNING:
2676 athn_usb_stop(ifp, 0);
2677 break;
Since this crash occurred while configuring the interface up rather
than down, I figure it's a separate bug from 52526 and warrants its
own bug report. Besides, this one is easier to reproduce.
It looks like the trap actually occurred in athn_usb_init_locked(),
but gdb is unable to correctly display the stack frame in this case,
which is rather unfortunate and a bug in itself. OTOH, ddb does
pinpoint the trap to athn_usb_init_locked+0x110:
--- trap (number 6) ---
athn_usb_init_locked(c2685ae4,c2685000,c2685000,c2752d40,d95f6cf0,c0503465,c2685ae4,80906910,c279d188,0) at netbsd:athn_usb_init_locked+0x110
athn_usb_init(c2685ae4,80906910,c279d188,0,c2685000,c2685000,c2685030,0,d95f6e00,c0cae54d) at netbsd:athn_usb_init+0x2f
which would be near the end of this code block:
(gdb) x/30i athn_usb_init_locked
0xc0503624 <athn_usb_init_locked>: push %ebp
0xc0503625 <athn_usb_init_locked+1>: mov %esp,%ebp
0xc0503627 <athn_usb_init_locked+3>: push %edi
0xc0503628 <athn_usb_init_locked+4>: push %esi
0xc0503629 <athn_usb_init_locked+5>: push %ebx
0xc050362a <athn_usb_init_locked+6>: sub $0xb4,%esp
0xc0503630 <athn_usb_init_locked+12>: mov 0x8(%ebp),%eax
0xc0503633 <athn_usb_init_locked+15>: mov %eax,-0xa4(%ebp)
0xc0503639 <athn_usb_init_locked+21>: mov 0xc16ad420,%eax
0xc050363e <athn_usb_init_locked+26>: mov %eax,-0x10(%ebp)
0xc0503641 <athn_usb_init_locked+29>: xor %eax,%eax
0xc0503643 <athn_usb_init_locked+31>: mov -0xa4(%ebp),%eax
0xc0503649 <athn_usb_init_locked+37>: mov (%eax),%eax
0xc050364b <athn_usb_init_locked+39>: mov %eax,-0x94(%ebp)
0xc0503651 <athn_usb_init_locked+45>: mov -0x94(%ebp),%eax
0xc0503657 <athn_usb_init_locked+51>: mov %eax,-0x90(%ebp)
0xc050365d <athn_usb_init_locked+57>: mov -0x94(%ebp),%eax
0xc0503663 <athn_usb_init_locked+63>: add $0x1ad4,%eax
0xc0503668 <athn_usb_init_locked+68>: mov %eax,-0x8c(%ebp)
0xc050366e <athn_usb_init_locked+74>: mov -0x94(%ebp),%eax
0xc0503674 <athn_usb_init_locked+80>: add $0x30,%eax
0xc0503677 <athn_usb_init_locked+83>: mov %eax,-0x88(%ebp)
0xc050367d <athn_usb_init_locked+89>: mov -0x90(%ebp),%eax
0xc0503683 <athn_usb_init_locked+95>: mov 0x1db0(%eax),%eax
0xc0503689 <athn_usb_init_locked+101>: test %eax,%eax
0xc050368b <athn_usb_init_locked+103>: je 0xc0503697 <athn_usb_init_locked+115>
0xc050368d <athn_usb_init_locked+105>: mov $0x6,%eax
0xc0503692 <athn_usb_init_locked+110>: jmp 0xc0503ded <athn_usb_init_locked+1993>
0xc0503697 <athn_usb_init_locked+115>: mov -0x90(%ebp),%eax
0xc050369d <athn_usb_init_locked+121>: add $0x1d88,%eax
Here is the full dmesg:
Copyright (c) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017
The NetBSD Foundation, Inc. All rights reserved.
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California. All rights reserved.
NetBSD 8.99.2 (MONOLITHIC) #1: Sun Sep 17 21:07:09 EEST 2017
gson%guido.araneus.fi@localhost:/bracket/prod/current/i386/obj/sys/arch/i386/compile/MONOLITHIC
total memory = 511 MB
avail memory = 477 MB
timecounter: Timecounters tick every 10.000 msec
Kernelized RAIDframe activated
running cgd selftest aes-xts-256 aes-xts-512 done
timecounter: Timecounter "i8254" frequency 1193182 Hz quality 100
Compaq Deskpro EN Series SFF
mainbus0 (root)
ACPI: RSDP 0x00000000000E0010 000014 (v00 COMPAQ)
ACPI: RSDT 0x00000000000E0080 000034 (v01 COMPAQ CPQB053 19990818 00000000)
ACPI: FACP 0x00000000000E00CC 000074 (v01 COMPAQ SCARAB 00000001 00000000)
ACPI: DSDT 0x00000000000E0140 000883 (v01 COMPAQ DSDT 00000001 MSFT 0100000B)
ACPI: FACS 0x00000000000E0040 000040
ACPI: SSDT 0x00000000000E09C3 000FFD (v01 COMPAQ VILLTBL1 00000001 MSFT 0100000B)
ACPI: SSDT 0x00000000000E19C0 000774 (v01 COMPAQ PNP_PRSS 00000001 MSFT 0100000B)
ACPI: SSDT 0x00000000000E2134 000073 (v01 COMPAQ PME 00000001 MSFT 0100000B)
ACPI: 4 ACPI AML tables successfully acquired and loaded
ACPI: BIOS is too old (19990818). Set acpi_force_load to use.
ACPI Error: Could not remove SCI handler (20170303/evmisc-312)
cpu0 at mainbus0
cpu0: Intel 686-class, 597MHz, id 0x683
cpu0: package 0, core 0, smt 0
pci0 at mainbus0 bus 0: configuration mode 1
pci0: This pci host supports neither MSI nor MSI-X.
pci0: i/o space, memory space enabled, rd/line, rd/mult, wr/inv ok
pchb0 at pci0 dev 0 function 0: vendor 8086 product 7190 (rev. 0x03)
agp0 at pchb0: aperture at 0x44000000, size 0x4000000
ppb0 at pci0 dev 1 function 0: vendor 8086 product 7191 (rev. 0x03)
pci1 at ppb0 bus 1
pci1: This pci host supports neither MSI nor MSI-X.
pci1: i/o space, memory space enabled
vga0 at pci1 dev 0 function 0: vendor 1002 product 4742 (rev. 0x5c)
wsdisplay0 at vga0 kbdmux 1: console (80x25, vt100 emulation)
wsmux1: connecting to wsdisplay0
drm at vga0 not configured
fxp0 at pci0 dev 10 function 0: i82558 Ethernet (rev. 0x05)
fxp0: interrupting at irq 11
fxp0: May need receiver lock-up workaround
fxp0: Ethernet address 00:50:8b:d7:f4:37
inphy0 at fxp0 phy 1: i82555 10/100 media interface, rev. 0
inphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
pcib0 at pci0 dev 20 function 0: vendor 8086 product 7110 (rev. 0x02)
piixide0 at pci0 dev 20 function 1: Intel 82371AB IDE controller (PIIX4) (rev. 0x01)
piixide0: bus-master DMA support present
piixide0: primary channel wired to compatibility mode
piixide0: primary channel interrupting at irq 14
atabus0 at piixide0 channel 0
piixide0: secondary channel wired to compatibility mode
piixide0: secondary channel interrupting at irq 15
atabus1 at piixide0 channel 1
uhci0 at pci0 dev 20 function 2: vendor 8086 product 7112 (rev. 0x01)
uhci0: interrupting at irq 11
usb0 at uhci0: USB revision 1.0
piixpm0 at pci0 dev 20 function 3: vendor 8086 product 7113 (rev. 0x02)
timecounter: Timecounter "piixpm0" frequency 3579545 Hz quality 900
piixpm0: 24-bit timer
piixpm0: interrupting at SMI, polling
iic0 at piixpm0: I2C bus
isa0 at pcib0
lpt0 at isa0 port 0x378-0x37b irq 7
com0 at isa0 port 0x3f8-0x3ff irq 4: ns16550a, working fifo
com1 at isa0 port 0x2f8-0x2ff irq 3: ns16550a, working fifo
pckbc0 at isa0 port 0x60-0x64
attimer0 at isa0 port 0x40-0x43
sb0 at isa0 port 0x220-0x237 irq 5 drq 1: dsp v3.01
audio0 at sb0: half duplex, playback, capture, mmap, independent
sb0: Virtual format auto config failed!
Please check hardware capabilities
sb0: audioattach: audio_set_vchan_defaults() failed
midi0 at sb0: SB MIDI UART
opl0 at sb0: model OPL3
midi1 at opl0: SB Yamaha OPL3
pcppi0 at isa0 port 0x61
midi2 at pcppi0: PC speaker
sysbeep0 at pcppi0
isapnp0 at isa0 port 0x279
fdc0 at isa0 port 0x3f0-0x3f7 irq 6 drq 2
attimer0: attached to pcppi0
isapnp0: no ISA Plug 'n Play devices found
timecounter: Timecounter "clockinterrupt" frequency 100 Hz quality 0
fd0 at fdc0 drive 0: 1.44MB, 80 cyl, 2 head, 18 sec
uhub0 at usb0: vendor 8086 (0x8086) UHCI root hub (0000), class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
IPsec: Initialized Security Association Processing.
uhidev0 at uhub0 port 1 configuration 1 interface 0
uhidev0: Belkin Components (0x50d) USB-PS2 Adapter (0x119), rev 1.10/1.20, addr 2, iclass 3/1
ukbd0 at uhidev0: 8 Variable keys, 6 Array codes
wskbd0 at ukbd0: console keyboard, using wsdisplay0
uhidev1 at uhub0 port 1 configuration 1 interface 1
uhidev1: Belkin Components (0x50d) USB-PS2 Adapter (0x119), rev 1.10/1.20, addr 2, iclass 3/1
ums0 at uhidev1: 5 buttons and Z dir
wsmouse0 at ums0 mux 0
wd0 at atabus0 drive 0
wd0: <Maxtor 6E040L0>
wd0: drive supports 16-sector PIO transfers, LBA48 addressing
wd0: 38166 MB, 77545 cyl, 16 head, 63 sec, 512 bytes/sect x 78165360 sectors
wd0: 32-bit data port
wd0: drive supports PIO mode 4, DMA mode 2, Ultra-DMA mode 5 (Ultra/100)
wd0(piixide0:0:0): using PIO mode 4, Ultra-DMA mode 2 (Ultra/33) (using DMA)
atapibus0 at atabus1: 2 targets
cd0 at atapibus0 drive 0: <Compaq CRN-8241B, 1999/11/13, 2.23> cdrom removable
cd0: 32-bit data port
cd0: drive supports PIO mode 4, DMA mode 2
cd0(piixide0:1:0): using PIO mode 4, DMA mode 2 (using DMA)
WARNING: 2 errors while detecting hardware; check system log.
boot device: wd0
root on wd0a dumps on wd0b
root file system type: ffs
kern.module.path=/stand/i386/8.99.2/modules
wsdisplay0: screen 1 added (80x25, vt100 emulation)
wsdisplay0: screen 2 added (80x25, vt100 emulation)
wsdisplay0: screen 3 added (80x25, vt100 emulation)
wsdisplay0: screen 4 added (80x25, vt100 emulation)
athn0 at uhub0 port 2
: Atheros AR9271
athn0: rev 1 (1T1R), ROM rev 15, address 48:5d:60:57:7d:4f
athn0: 11b rates: 1Mbps 2Mbps 5.5Mbps 11Mbps
athn0: 11g rates: 1Mbps 2Mbps 5.5Mbps 11Mbps 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
uvm_fault(0xc261b9f0, 0, 1) -> 0xe
fatal page fault in supervisor mode
trap type 6 code 0 eip 0xc0503734 cs 0x8 eflags 0x10246 cr2 0xc ilevel 0x6 esp 0xc2686d8c
curlwp 0xc2752d40 pid 72 lid 1 lowest kstack 0xd95f42c0
panic: trap
cpu0: Begin traceback...
vpanic(c1093df8,d95f6b18,d95f6b18,d95f6ba4,c01225ef,c1093df8,d95f6bb0,d95f6bb0,1,e) at netbsd:vpanic+0x1bb
vpanic(c1093df8,d95f6bb0,d95f6bb0,1,e,d95f6bb0,c0cae076,c26161e4,d95f4000,d95f6c30) at netbsd:vpanic
trap() at netbsd:trap+0x27a
--- trap (number 6) ---
athn_usb_init_locked(c2685ae4,c2685000,c2685000,c2752d40,d95f6cf0,c0503465,c2685ae4,80906910,c279d188,0) at netbsd:athn_usb_init_locked+0x110
athn_usb_init(c2685ae4,80906910,c279d188,0,c2685000,c2685000,c2685030,0,d95f6e00,c0cae54d) at netbsd:athn_usb_init+0x2f
athn_usb_ioctl(c2685ae4,80906910,c279d188,c2685ae4,80906910,0,c0bc9c74,c1636d40,d95f6d64,c0167024) at netbsd:athn_usb_ioctl+0xc3
doifioctl(c27acbac,80906910,c279d188,c2752d40,0,c27acbac,0,d95f6f00,c0c069ae,c272cf40) at netbsd:doifioctl+0x4d7
soo_ioctl(c272cf40,80906910,c279d188,90,0,c261b9f0,ac8d3000,1000,c261b9f0,80906910) at netbsd:soo_ioctl+0x2eb
sys_ioctl(c2752d40,d95f6f74,d95f6f6c,ffff0ff0,d95f6f3c,c016a395,c16aa218,c2752d40,d95f6f74,d95f6f6c) at netbsd:sys_ioctl+0x431
sy_call(c16aa218,c2752d40,d95f6f74,d95f6f6c,c016a4f4,752d40,c2752d40,d95f6f9c,c016a63c,c16aa218) at c016a2c5
sy_invoke(c16aa218,c2752d40,d95f6f74,d95f6f6c,36,0,c2752d40,c26161e4,36,c16aa218) at netbsd:sy_invoke+0xbb
syscall() at netbsd:syscall+0xd7
--- syscall (number 54) ---
ac84a437:
cpu0: End traceback...
dumping to dev 0,1 offset 3148440
dump succeeded
>How-To-Repeat:
Plug in an athn(4) WiFi adapter and run
    while true; do ifconfig athn0 down; ifconfig athn0 up; done
>Fix:
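
Added triage example, not part of the original report and not a fix: it cross-checks the eip in the trap line against ddb's athn_usb_init_locked+0x110, using the function's start address from the gdb disassembly, and decodes the x86 page-fault error code and cr2. The function and variable names are made up for this example; the log lines are copied from the dmesg above.

```python
import re

# Lines copied from the dmesg in this report.
PANIC_LOG = """\
uvm_fault(0xc261b9f0, 0, 1) -> 0xe
fatal page fault in supervisor mode
trap type 6 code 0 eip 0xc0503734 cs 0x8 eflags 0x10246 cr2 0xc ilevel 0x6 esp 0xc2686d8c
--- trap (number 6) ---
athn_usb_init_locked(c2685ae4,c2685000,c2685000,c2752d40,d95f6cf0,c0503465,c2685ae4,80906910,c279d188,0) at netbsd:athn_usb_init_locked+0x110
"""

# Function start address, taken from the first line of the gdb x/30i output.
SYMBOLS = {"athn_usb_init_locked": 0xC0503624}
PAGE_SIZE = 4096  # i386 page size


def triage(log, symbols):
    """Summarise a NetBSD/i386 trap line and its faulting ddb frame."""
    trap = re.search(
        r"trap type (\d+) code (\w+) eip (0x[0-9a-f]+) .*?cr2 (0x[0-9a-f]+)", log)
    frame = re.search(
        r"--- trap \(number \d+\) ---\n.*? at netbsd:(\w+)\+0x([0-9a-f]+)", log)
    if not trap or not frame:
        raise ValueError("no trap line or faulting frame found")

    code = int(trap.group(2), 16)
    eip = int(trap.group(3), 16)
    cr2 = int(trap.group(4), 16)
    sym, off = frame.group(1), int(frame.group(2), 16)
    base = symbols.get(sym)

    return {
        "symbol": sym,
        "offset": off,
        # ddb's symbol+offset must land exactly on the trapping eip.
        "eip_matches_ddb": base is not None and base + off == eip,
        # x86 page-fault error code: bit 0 present, bit 1 write, bit 2 user.
        "page_present": bool(code & 1),
        "access": "write" if code & 2 else "read",
        "mode": "user" if code & 4 else "supervisor",
        # cr2 holds the faulting address; below one page means NULL + offset.
        "fault_addr": cr2,
        "near_null": cr2 < PAGE_SIZE,
    }


if __name__ == "__main__":
    for key, value in triage(PANIC_LOG, SYMBOLS).items():
        print(f"{key}: {value}")
```

A supervisor-mode read fault at address 0xc is what a load through a NULL structure pointer at member offset 12 looks like; the report itself does not identify which pointer that is.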