crash when unplugging urtwn usb wifi adapter

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

crash when unplugging urtwn usb wifi adapter

Piotr Isajew-2
>Synopsis: page fault trap when removing urtwn Wifi adapter from the port
>Category: kernel
>Environment:
        System      : OpenBSD 6.3
        Details     : OpenBSD 6.3 (GENERIC.MP) #107: Sat Mar 24 14:21:59 MDT 2018
                         [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC.MP

        Architecture: OpenBSD.amd64
        Machine     : amd64
>Description:
I'm observing system crash if I remove the the TP-Link TL-WN725N
WiFi adapter from the port. The system reports kernel panic:

kernel: page fault trap, code=0
Stopped at softclock+0x16b: movq %rax,0(%rdx)

and drops to the debugger console. Pressing any key in debugger
causes kernel panic:

panic: mtx 0xffffffff81ac55f0: locking against myself
Stopped at db_enter+0x5: popq %rbp
TID    PID   UID PRFLAGS   PFLAGS  CPU COMMAND
423317 28010  35 0x100010  0x80    2   xconsole
db_enter() at db_enter+0x5
panic() at panic+0x129
__mtx_enter(ffff800000278000) at __mtx_enter+0x74
timeout_del(ffff800000278000) at timeout_del+0x17
xhci_xfer_done(967f170) at xhci_xfer_done+0xbf
xhci_event_dequeue(ffff800033254f24) at xhci_event_dequeue+0xf3
xhci_softintr(ffff800033254f20) at xhci_softintr+0x23
xhci_intr1(ffff800033254f20) at xh ci_intr1+0x66
ukbd_cngetc(ffff800033254f20,ffff800033254f24,d) at ukbd_cngetc+0x39
wskbd_cngetc() at wskbd_cngetc+0x78
db_readline(0,0) at db_readline+0x45
db_read_line() at db_read_line+0x15
db_command_loop() at db_command_loop+0x83
db_trap() at db_trap+0x137

The problem is reproducible and it didn't occur in 6.2 (or it
frequency was so low that I didn't notice).

>How-To-Repeat:
1. Plug the  TP-Link TL-WN725N (might be it will be the same with
any other adapter handled by urtwn) into the port, assign it an
IP, bring it up (in my case I'm using WPA2 with static IPv4
address).
2. Start any dummy network activity, like ping www.yahoo.com
3. Remove the adapter from usb port -> it's likely that you will
get kernel crash.
>Fix:
The only potential workaround I can think of is to bring the
interface down before the adapter gets removed.


dmesg:
OpenBSD 6.3 (GENERIC.MP) #107: Sat Mar 24 14:21:59 MDT 2018
    [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4174385152 (3981MB)
avail mem = 4040790016 (3853MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0x8afad000 (32 entries)
bios0: vendor Apple Inc. version "MBA71.88Z.0166.B30.1706181928" date 06/18/2017
bios0: Apple Inc. MacBookAir7,1
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP HPET APIC SBST ECDT SSDT SSDT SSDT SSDT SSDT SSDT SSDT SSDT DMAR MCFG
acpi0: wakeup devices PEG0(S3) EC__(S3) HDEF(S3) RP01(S3) RP02(S3) RP03(S4) ARPT(S4) RP05(S3) RP06(S3) SPIT(S3) XHC1(S3) ADP1(S3) LID0(S3)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 14318179 Hz
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i5-5250U CPU @ 1.60GHz, 1500.23 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,RDSEED,ADX,SMAP,PT,SENSOR,ARAT,MELTDOWN
cpu0: 256KB 64b/line 8-way L2 cache
acpihpet0: recalibrated TSC frequency 1600003279 Hz
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 100MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4.1.1.1, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Core(TM) i5-5250U CPU @ 1.60GHz, 1500.01 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,RDSEED,ADX,SMAP,PT,SENSOR,ARAT,MELTDOWN
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 1 (application processor)
cpu2: Intel(R) Core(TM) i5-5250U CPU @ 1.60GHz, 1500.01 MHz
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,RDSEED,ADX,SMAP,PT,SENSOR,ARAT,MELTDOWN
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 1, core 0, package 0
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Core(TM) i5-5250U CPU @ 1.60GHz, 1500.01 MHz
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,RDSEED,ADX,SMAP,PT,SENSOR,ARAT,MELTDOWN
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 1, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec00000, version 20, 40 pins
acpiec0 at acpi0
acpimcfg0 at acpi0 addr 0xe0000000, bus 0-155
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (PEG0)
acpiprt2 at acpi0: bus 1 (RP01)
acpiprt3 at acpi0: bus 2 (RP02)
acpiprt4 at acpi0: bus 3 (RP03)
acpiprt5 at acpi0: bus 5 (RP05)
acpiprt6 at acpi0: bus 4 (RP06)
acpicpu0 at acpi0: C3(200@530 mwait.1@0x60), C2(200@148 mwait.1@0x33), C1(1000@1 mwait.1), PSS
acpicpu1 at acpi0: C3(200@530 mwait.1@0x60), C2(200@148 mwait.1@0x33), C1(1000@1 mwait.1), PSS
acpicpu2 at acpi0: C3(200@530 mwait.1@0x60), C2(200@148 mwait.1@0x33), C1(1000@1 mwait.1), PSS
acpicpu3 at acpi0: C3(200@530 mwait.1@0x60), C2(200@148 mwait.1@0x33), C1(1000@1 mwait.1), PSS
acpisbs0 at acpi0: SBS0 model "bq20z451" serial 36785 type LION oem "DP"
"APP0001" at acpi0 not configured
"ACPI0008" at acpi0 not configured
"ACPI0001" at acpi0 not configured
"APP000D" at acpi0 not configured
acpiac0 at acpi0: AC unit offline
acpibtn0 at acpi0: LID0
acpibtn1 at acpi0: PWRB
"APP0002" at acpi0 not configured
acpibtn2 at acpi0: SLPB
acpivideo0 at acpi0: IGPU
acpivout0 at acpivideo0: DD01
cpu0: Enhanced SpeedStep 1500 MHz: speeds: 1601, 1600, 1500, 1400, 1300, 1200, 1100, 1000, 900, 800, 700, 600, 500 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Core 5G Host" rev 0x09
inteldrm0 at pci0 dev 2 function 0 "Intel HD Graphics 6000" rev 0x09
drm0 at inteldrm0
inteldrm0: msi
inteldrm0: 1366x768, 32bpp
wsdisplay0 at inteldrm0 mux 1: console (std, vt100 emulation)
wsdisplay0: screen 1-5 added (std, vt100 emulation)
azalia0 at pci0 dev 3 function 0 "Intel Core 5G HD Audio" rev 0x09: msi
xhci0 at pci0 dev 20 function 0 "Intel 9 Series xHCI" rev 0x03: msi
usb0 at xhci0: USB revision 3.0
uhub0 at usb0 configuration 1 interface 0 "Intel xHCI root hub" rev 3.00/1.00 addr 1
"Intel 9 Series DMA" rev 0x03 at pci0 dev 21 function 0 not configured
"Intel 9 Series SPI" rev 0x03 at pci0 dev 21 function 4 not configured
"Intel 9 Series MEI" rev 0x03 at pci0 dev 22 function 0 not configured
azalia1 at pci0 dev 27 function 0 "Intel 9 Series HD Audio" rev 0x03: msi
azalia1: codecs: Cirrus Logic CS4208
audio0 at azalia1
ppb0 at pci0 dev 28 function 0 "Intel 9 Series PCIE" rev 0xe3
pci1 at ppb0 bus 1
ppb1 at pci0 dev 28 function 1 "Intel 9 Series PCIE" rev 0xe3: msi
pci2 at ppb1 bus 2
"Broadcom BCM15700A2" rev 0x00 at pci2 dev 0 function 0 not configured
ppb2 at pci0 dev 28 function 2 "Intel 9 Series PCIE" rev 0xe3: msi
pci3 at ppb2 bus 3
"Broadcom BCM4360" rev 0x03 at pci3 dev 0 function 0 not configured
ppb3 at pci0 dev 28 function 4 "Intel 9 Series PCIE" rev 0xe3: msi
pci4 at ppb3 bus 5
ppb4 at pci4 dev 0 function 0 vendor "Intel", unknown product 0x156b rev 0x00
pci5 at ppb4 bus 6
ppb5 at pci5 dev 0 function 0 vendor "Intel", unknown product 0x156b rev 0x00: msi
pci6 at ppb5 bus 7
vendor "Intel", unknown product 0x156a (class system subclass miscellaneous, rev 0x00) at pci6 dev 0 function 0 not configured
ppb6 at pci5 dev 3 function 0 vendor "Intel", unknown product 0x156b rev 0x00: msi
pci7 at ppb6 bus 8
ppb7 at pci5 dev 4 function 0 vendor "Intel", unknown product 0x156b rev 0x00: msi
pci8 at ppb7 bus 57
ppb8 at pci5 dev 5 function 0 vendor "Intel", unknown product 0x156b rev 0x00: msi
pci9 at ppb8 bus 106
ppb9 at pci5 dev 6 function 0 vendor "Intel", unknown product 0x156b rev 0x00: msi
pci10 at ppb9 bus 107
ppb10 at pci0 dev 28 function 5 "Intel 9 Series PCIE" rev 0xe3: msi
pci11 at ppb10 bus 4
nvme0 at pci11 dev 0 function 0 "Apple NVMe" rev 0x01: msi, NVMe 1.0
nvme0: APPLE SSD AP0128H, firmware 7.844.01, serial C08543403VGG6KVAC
scsibus1 at nvme0: 1 targets
sd0 at scsibus1 targ 0 lun 0: <NVMe, APPLE SSD AP0128, 7.84> SCSI4 0/direct fixed
sd0: 115712MB, 4096 bytes/sector, 29622272 sectors
pcib0 at pci0 dev 31 function 0 "Intel 9 Series LPC" rev 0x03
ichiic0 at pci0 dev 31 function 3 "Intel 9 Series SMBus" rev 0x03: apic 2 int 18
iic0 at ichiic0
iic0: addr 0x2c 03=fc 05=6b 06=60 71=06 72=80 86=5d 90=37 91=22 92=35 93=3b 94=4a 95=8c 96=72 97=84 98=20 99=1d 9a=82 9f=7c a0=7f a1=b5 a2=bf a3=7b a4=28 a5=cf a6=64 a7=2d words 00=0000 01=0000 02=00fc 03=fc00 04=006b 05=6b80 06=8000 07=0000
pchtemp0 at pci0 dev 31 function 6 "Intel 9 Series Thermal" rev 0x03
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns8250, no fifo
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
asmc0 at isa0 port 0x300/32: rev 2.26f626, 612 keys
vmm0 at mainbus0: VMX/EPT
efifb at mainbus0 not configured
uhub1 at uhub0 port 3 configuration 1 interface 0 "Apple Inc. BRCM20702 Hub" rev 2.00/1.00 addr 2
uhidev0 at uhub1 port 1 configuration 1 interface 0 "Apple Computer product 0x820a" rev 2.00/1.00 addr 3
uhidev0: iclass 3/1, 1 report id
ukbd0 at uhidev0 reportid 1: 8 variable keys, 6 key codes
wskbd0 at ukbd0: console keyboard, using wsdisplay0
uhidev1 at uhub1 port 2 configuration 1 interface 0 "Apple Computer product 0x820b" rev 2.00/1.00 addr 4
uhidev1: iclass 3/1, 2 report ids
ums0 at uhidev1 reportid 2: 3 buttons
wsmouse0 at ums0 mux 0
ugen0 at uhub1 port 3 "Apple Inc. Bluetooth USB Host Controller" rev 2.00/1.37 addr 5
uhidev2 at uhub0 port 5 configuration 1 interface 0 "Apple Inc. Apple Internal Keyboard / Trackpad" rev 2.00/1.71 addr 6
uhidev2: iclass 3/0, 63 report ids
uhid0 at uhidev2 reportid 63: input=64, output=0, feature=0
uhidev3 at uhub0 port 5 configuration 1 interface 1 "Apple Inc. Apple Internal Keyboard / Trackpad" rev 2.00/1.71 addr 6
uhidev3: iclass 3/1, 63 report ids
ukbd1 at uhidev3 reportid 1: 8 variable keys, 6 key codes, country code 13
wskbd1 at ukbd1 mux 1
wskbd1: connecting to wsdisplay0
uhid1 at uhidev3 reportid 9: input=0, output=0, feature=3
uhid2 at uhidev3 reportid 63: input=64, output=0, feature=0
ubcmtp0 at uhub0 port 5 configuration 1 interface 2 "Apple Inc. Apple Internal Keyboard / Trackpad" rev 2.00/1.71 addr 6
wsmouse1 at ubcmtp0 mux 0
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
softraid0: sd1 was not shutdown properly
sd1 at scsibus3 targ 1 lun 0: <OPENBSD, SR CRYPTO, 006> SCSI2 0/direct fixed
sd1: 111190MB, 4096 bytes/sector, 28464883 sectors
root on sd1a (c1d504a6df9955b5.a) swap on sd1b dump on sd1b
WARNING: / was not properly unmounted

usbdevs:
Controller /dev/usb0:
addr 1: super speed, self powered, config 1, xHCI root hub(0x0000), Intel(0x8086), rev 1.00
 port 1 disabled
 port 2 addr 7: high speed, power 500 mA, config 1, 802.11n NIC(0x8179), Realtek(0x0bda), rev 0.00, iSerialNumber 00E04C0001
 port 3 addr 2: full speed, self powered, config 1, BRCM20702 Hub(0x4500), Apple Inc.(0x0a5c), rev 1.00
  port 1 addr 3: full speed, self powered, config 1, product 0x820a(0x820a), Apple Computer(0x05ac), rev 1.00
  port 2 addr 4: full speed, self powered, config 1, product 0x820b(0x820b), Apple Computer(0x05ac), rev 1.00
  port 3 addr 5: full speed, self powered, config 1, Bluetooth USB Host Controller(0x828f), Apple Inc.(0x05ac), rev 1.37
 port 4 disabled
 port 5 addr 6: full speed, power 500 mA, config 1, Apple Internal Keyboard / Trackpad(0x0290), Apple Inc.(0x05ac), rev 1.71, iSerialNumber DQ65413K6GNF94QA53D
 port 6 disabled
 port 7 disabled
 port 8 disabled
 port 9 disabled
 port 10 disabled
 port 11 disabled
 port 12 disabled
 port 13 disabled
 port 14 disabled
 port 15 disabled

Reply | Threaded
Open this post in threaded view
|

Re: crash when unplugging urtwn usb wifi adapter

Jonathan Matthew-4
On Sat, Apr 14, 2018 at 06:54:35AM +0200, [hidden email] wrote:

> >Synopsis: page fault trap when removing urtwn Wifi adapter from the port
> >Category: kernel
> >Environment:
> System      : OpenBSD 6.3
> Details     : OpenBSD 6.3 (GENERIC.MP) #107: Sat Mar 24 14:21:59 MDT 2018
> [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>
> Architecture: OpenBSD.amd64
> Machine     : amd64
> >Description:
> I'm observing system crash if I remove the the TP-Link TL-WN725N
> WiFi adapter from the port. The system reports kernel panic:
>
> kernel: page fault trap, code=0
> Stopped at softclock+0x16b: movq %rax,0(%rdx)

Does this fix it?

Index: ieee80211.c
===================================================================
RCS file: /cvs/src/sys/net80211/ieee80211.c,v
retrieving revision 1.65
diff -u -p -u -p -r1.65 ieee80211.c
--- ieee80211.c 12 Dec 2017 15:52:49 -0000 1.65
+++ ieee80211.c 18 Apr 2018 12:25:34 -0000
@@ -193,6 +193,7 @@ ieee80211_ifdetach(struct ifnet *ifp)
 {
  struct ieee80211com *ic = (void *)ifp;
 
+ timeout_del(&ic->ic_bgscan_timeout);
  ieee80211_proto_detach(ifp);
  ieee80211_crypto_detach(ifp);
  ieee80211_node_detach(ifp);


Reply | Threaded
Open this post in threaded view
|

Re: crash when unplugging urtwn usb wifi adapter

Stefan Sperling-5
On Wed, Apr 18, 2018 at 10:27:44PM +1000, Jonathan Matthew wrote:

> On Sat, Apr 14, 2018 at 06:54:35AM +0200, [hidden email] wrote:
> > >Synopsis: page fault trap when removing urtwn Wifi adapter from the port
> > >Category: kernel
> > >Environment:
> > System      : OpenBSD 6.3
> > Details     : OpenBSD 6.3 (GENERIC.MP) #107: Sat Mar 24 14:21:59 MDT 2018
> > [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> >
> > Architecture: OpenBSD.amd64
> > Machine     : amd64
> > >Description:
> > I'm observing system crash if I remove the the TP-Link TL-WN725N
> > WiFi adapter from the port. The system reports kernel panic:
> >
> > kernel: page fault trap, code=0
> > Stopped at softclock+0x16b: movq %rax,0(%rdx)
>
> Does this fix it?

Either way, OK with me.

It occurred to me we might not want to schedule this timeout in the
first place if the driver doesn't support background scan.
I'll take a look at that next week.

> Index: ieee80211.c
> ===================================================================
> RCS file: /cvs/src/sys/net80211/ieee80211.c,v
> retrieving revision 1.65
> diff -u -p -u -p -r1.65 ieee80211.c
> --- ieee80211.c 12 Dec 2017 15:52:49 -0000 1.65
> +++ ieee80211.c 18 Apr 2018 12:25:34 -0000
> @@ -193,6 +193,7 @@ ieee80211_ifdetach(struct ifnet *ifp)
>  {
>   struct ieee80211com *ic = (void *)ifp;
>  
> + timeout_del(&ic->ic_bgscan_timeout);
>   ieee80211_proto_detach(ifp);
>   ieee80211_crypto_detach(ifp);
>   ieee80211_node_detach(ifp);
>
>