From nobody@FreeBSD.org  Sat May 24 23:57:24 2008
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id EF4F3106566B
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 24 May 2008 23:57:24 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 02B808FC0A
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 24 May 2008 23:57:25 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.2/8.14.2) with ESMTP id m4ONtrbg031464
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 24 May 2008 23:55:53 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.2/8.14.1/Submit) id m4ONtrta031463;
	Sat, 24 May 2008 23:55:53 GMT
	(envelope-from nobody)
Message-Id: <200805242355.m4ONtrta031463@www.freebsd.org>
Date: Sat, 24 May 2008 23:55:53 GMT
From: Jonny Crook <je.suis.bon@googlemail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Rum driver causes kernel panic with WPA.
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         123968
>Category:       kern
>Synopsis:       [rum] [panic] rum driver causes kernel panic with WPA.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-net
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun May 25 00:00:06 UTC 2008
>Closed-Date:    
>Last-Modified:  Mon May 26 00:41:50 UTC 2008
>Originator:     Jonny Crook
>Release:        FreeBSD 7.0-RELEASE #0
>Organization:
>Environment:
>Description:
Using a Ralink rt73 chipset USB wireless dongle with WPA causes a kernel panic after a few minutes of network activity, e.g. downloading a file.

/var/crash/info.2 :
Dump header from device /dev/ad4s2b
  Architecture: i386
  Architecture Version: 2
  Dump Length: 113614848B (108 MB)
  Blocksize: 512
  Dumptime: Sat May 24 23:33:45 2008
  Hostname: 
  Magic: FreeBSD Kernel Dump
  Version String: FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 UTC 2008
    root@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC
  Panic String: page fault
  Dump Parity: 3141769591
  Bounds: 2
  Dump Status: good


kgdb on the dumped image:

GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd".

Unread portion of the kernel message buffer:


Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address	= 0x12
fault code		= supervisor read, page not present
instruction pointer	= 0x20:0xc06b9e7a
stack pointer	        = 0x28:0xe45cebe4
frame pointer	        = 0x28:0xe45cebfc
code segment		= base 0x0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, def32 1, gran 1
processor eflags	= interrupt enabled, resume, IOPL = 0
current process		= 23 (irq23: uhci0 ehci0)
trap number		= 12
panic: page fault
cpuid = 0
Uptime: 3m47s
Physical memory: 1011 MB
Dumping 108 MB: 93 77 61 45 29 13

#0  doadump () at pcpu.h:195
	in pcpu.h
(kgdb) list *0xc06b9e7a
0xc06b9e7a is in rum_txeof (/usr/src/sys/dev/usb/if_rum.c:842).
837     {
838             struct rum_tx_data *data = priv;
839             struct rum_softc *sc = data->sc;
840             struct ifnet *ifp = sc->sc_ic.ic_ifp;
841
842             if (data->m->m_flags & M_TXCB)
843                     ieee80211_process_callback(data->ni, data->m,
844                             status == USBD_NORMAL_COMPLETION ? 0 : ETIMEDOUT);
845
846             if (status != USBD_NORMAL_COMPLETION) {
(kgdb)


I'm very new to FreeBSD; I do not have the knowledge to create a patch. I hope the aforementioned information helps, however!

If any more information is needed, do ask. I can even upload the vmcore file, although it may contain sensitive information.

Many thanks,
Jonny. 


>How-To-Repeat:
Use WPA supplicant, with WPA TKIP, authenticate with an AP, download a file over the wireless (or other network activity) and within minutes a kernel panic will occur.
>Fix:


>Release-Note:
>Audit-Trail:

From: Jonathan Crook <je.suis.bon@googlemail.com>
To: bug-followup@FreeBSD.org, je.suis.bon@googlemail.com
Cc:  
Subject: Re: kern/123968: Rum driver causes kernel panic with WPA.
Date: Sun, 25 May 2008 14:31:31 +0100

I have looked into the issue further.

Using a different wireless adapter (still Ralink, but a Ralink 2500)
which uses the 'ural' driver, I still get a kernel panic in exactly the
same manner.

Unread portion of the kernel message buffer:


Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x12
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc06b4e0a
stack pointer           = 0x28:0xe45cebe4
frame pointer           = 0x28:0xe45cebfc
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 23 (irq23: uhci0 ehci0)
trap number             = 12
panic: page fault
cpuid = 0
Uptime: 10m40s
Physical memory: 1011 MB
Dumping 136 MB: 121 105 89 73 57 41 25 9

#0  doadump () at pcpu.h:195
195     pcpu.h: No such file or directory.
        in pcpu.h
(kgdb) list *0xc06b4e0a
0xc06b4e0a is in ural_txeof (/usr/src/sys/dev/usb/if_ural.c:881).
876     {
877             struct ural_tx_data *data = priv;
878             struct ural_softc *sc = data->sc;
879             struct ifnet *ifp = sc->sc_ic.ic_ifp;
880
881             if (data->m->m_flags & M_TXCB)
882                     ieee80211_process_callback(data->ni, data->m,
883                             status == USBD_NORMAL_COMPLETION ? 0 : ETIMEDOUT);
884             if (status != USBD_NORMAL_COMPLETION) {
885                     if (status == USBD_NOT_STARTED || status == USBD_CANCELLED)

 
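As an added triage helper (not part of this PR or the FreeBSD source; the embedded samples are trimmed copies of the two trap dumps quoted in this report), this script parses the trap fields and applies the usual first-pass reading: a kernel-mode read faulting at an address as small as 0x12 means a NULL base pointer plus a struct-field offset, which fits the `data->m->m_flags` test at the line kgdb resolves in both drivers, and `current process = 23 (irq23: uhci0 ehci0)` places the fault in the USB interrupt thread. That `data->m` is NULL is an inference from the dumps, not something the report establishes.

```python
import re

PAGE_SIZE = 0x1000  # i386 page size: nothing is mapped this low in kernel space

# Constructed samples: this PR's two trap dumps (rum, then ural), trimmed to the fields read below.
TRAP_RUM = """\
Fatal trap 12: page fault while in kernel mode
fault virtual address\t= 0x12
fault code\t\t= supervisor read, page not present
instruction pointer\t= 0x20:0xc06b9e7a
current process\t\t= 23 (irq23: uhci0 ehci0)
trap number\t\t= 12
"""
TRAP_URAL = TRAP_RUM.replace("0xc06b9e7a", "0xc06b4e0a")

FIELD_RE = re.compile(r"^([a-z ]+?)\s*=\s*(.+?)\s*$")

def parse_trap(text):
    """Map each 'key = value' line of a FreeBSD trap dump to a dict entry."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields

def triage(text):
    """First-pass reading of one trap dump: an access faulting below PAGE_SIZE
    is in practice a NULL base pointer plus a struct-field offset (the offset
    names the field touched), and the process name shows whether it happened
    in an interrupt thread, where USB completion callbacks like rum_txeof run."""
    f = parse_trap(text)
    addr = int(f["fault virtual address"], 16)
    code = f["fault code"]
    ip = f["instruction pointer"].split(":")[1]
    return {
        "trap": int(f["trap number"]),
        "fault_addr": addr,
        "null_plus_offset": addr < PAGE_SIZE and "page not present" in code,
        "access": "read" if "read" in code else "write",
        "interrupt_context": "(irq" in f["current process"],
        "kgdb_cmd": "list *" + ip,  # resolves the faulting instruction to a source line
    }

def same_failure(a, b):
    """True when two dumps fault identically (trap, address, access, context)."""
    ta, tb = triage(a), triage(b)
    return all(ta[k] == tb[k] for k in ("trap", "fault_addr", "access", "interrupt_context"))
```

Feeding the `kgdb_cmd` value to kgdb on the matching vmcore is exactly the `list *0x...` step the reporter performed; `same_failure` is what backs the follow-up's observation that the ural dump fails in the same manner as the rum one.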
Responsible-Changed-From-To: freebsd-bugs->freebsd-net 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Mon May 26 00:41:22 UTC 2008 
Responsible-Changed-Why:  
Over to maintainer(s), although this sounds like it might not be 
specific to this one driver. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=123968 
>Unformatted:
