>Synopsis:      panic when removing urtwn wireless USB on 5.6
>Category:      kernel
>Environment:
        System      : OpenBSD 5.6
        Details     : OpenBSD 5.6 (URTWNDEBUG.MP) #9: Sat Nov 15 08:34:05 EST 2014
                         [email protected]:/usr/src/sys/arch/amd64/compile/URTWNDEBUG.MP
                      Note URTWNDEBUG is just if_urtwn.c with additional printf statements.

        Architecture: OpenBSD.amd64
        Machine     : amd64
>Description:
        Panic in rt_missmsg when / after disconnecting urtwn device.
        It appears that ifp passed into rt_missmsg is not correctly dereference-able, even when ifp is non-null.
        Trace and register output is below. Can provide ps output on request.
        Similar to http://marc.info/?l=openbsd-bugs&m=138582943132169&w=2
         
>How-To-Repeat:
        Bring up urtwn0, dhclient. Run normal traffic (e.g. web browsing). Unplug device. Chance of panic (rare, 1/20).
>Fix:
        It appears that rtm_index is not used directly in the route_input function, therefore remove the assignment.
        Note the code path for if(ifp != NULL) in rt_missmsg does not set rtm_index to anything, and there seem to be no consequences.
        I am not a TCP stack expert though, so apologies in advance if this is an inappropriate fix.


dmesg:
OpenBSD 5.6 (URTWNDEBUG.MP) #9: Sat Nov 15 08:34:05 EST 2014
    [email protected]:/usr/src/sys/arch/amd64/compile/URTWNDEBUG.MP
real mem = 4155543552 (3963MB)
avail mem = 4036136960 (3849MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xebb00 (99 entries)
bios0: vendor Dell Inc. version "A01" date 04/25/2012
bios0: Dell Inc. Latitude E6230
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC TCPA MCFG HPET SSDT SSDT SSDT DMAR ASF! SLIC
acpi0: wakeup devices UAR1(S3) P0P1(S4) USB1(S3) USB2(S3) USB3(S3) USB5(S3) USB6(S3) USB7(S3) PXSX(S4) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP05(S4) PXSX(S4) RP06(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz, 2592.00 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.1.2, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz, 2591.58 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 1 (application processor)
cpu2: Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz, 2591.58 MHz
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 1, core 0, package 0
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz, 2591.58 MHz
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 1, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec00000, version 20, 24 pins
acpimcfg0 at acpi0 addr 0xf8000000, bus 0-63
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (P0P1)
acpiprt2 at acpi0: bus 1 (RP01)
acpiprt3 at acpi0: bus 2 (RP02)
acpiprt4 at acpi0: bus -1 (RP05)
acpiprt5 at acpi0: bus 11 (RP06)
acpiprt6 at acpi0: bus -1 (RP07)
acpiprt7 at acpi0: bus -1 (RP08)
acpiprt8 at acpi0: bus -1 (PEG0)
acpiprt9 at acpi0: bus -1 (PEG1)
acpiprt10 at acpi0: bus -1 (PEG2)
acpiprt11 at acpi0: bus -1 (PEG3)
acpiprt12 at acpi0: bus 3 (RP03)
acpiprt13 at acpi0: bus 7 (RP04)
acpiec0 at acpi0
acpicpu0 at acpi0: C3, C2, C1, PSS
acpicpu1 at acpi0: C3, C2, C1, PSS
acpicpu2 at acpi0: C3, C2, C1, PSS
acpicpu3 at acpi0: C3, C2, C1, PSS
acpitz0 at acpi0: critical temperature is 107 degC
acpibtn0 at acpi0: LID0
acpibtn1 at acpi0: PBTN
acpibtn2 at acpi0: SBTN
acpiac0 at acpi0: AC unit online
acpibat0 at acpi0: BAT0 model "DELL KFHT825" serial 1444 type LION oem "Samsung SDI"
acpibat1 at acpi0: BAT1 not present
acpibat2 at acpi0: BAT2 not present
acpivideo0 at acpi0: VID_
acpivout0 at acpivideo0: LCD_
cpu0: Enhanced SpeedStep 2592 MHz: speeds: 2601, 2600, 2500, 2400, 2300, 2200, 2100, 2000, 1900, 1800, 1700, 1600, 1500, 1400, 1300, 1200 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Core 3G Host" rev 0x09
vga1 at pci0 dev 2 function 0 "Intel HD Graphics 4000" rev 0x09
intagp at vga1 not configured
inteldrm0 at vga1
drm0 at inteldrm0
drm: Memory usable by graphics device = 2048M
inteldrm0: 1366x768
wsdisplay0 at vga1 mux 1: console (std, vt100 emulation)
wsdisplay0: screen 1-5 added (std, vt100 emulation)
"Intel 7 Series xHCI" rev 0x04 at pci0 dev 20 function 0 not configured
"Intel 7 Series MEI" rev 0x04 at pci0 dev 22 function 0 not configured
em0 at pci0 dev 25 function 0 "Intel 82579LM" rev 0x04: msi, address d4:be:d9:44:47:06
ehci0 at pci0 dev 26 function 0 "Intel 7 Series USB" rev 0x04: apic 2 int 16
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
azalia0 at pci0 dev 27 function 0 "Intel 7 Series HD Audio" rev 0x04: msi
azalia0: codecs: IDT/0x76df, Intel/0x2806, using IDT/0x76df
audio0 at azalia0
ppb0 at pci0 dev 28 function 0 "Intel 7 Series PCIE" rev 0xc4: msi
pci1 at ppb0 bus 1
ppb1 at pci0 dev 28 function 1 "Intel 7 Series PCIE" rev 0xc4: msi
pci2 at ppb1 bus 2
vendor "Broadcom", unknown product 0x4359 (class network subclass miscellaneous, rev 0x00) at pci2 dev 0 function 0 not configured
ppb2 at pci0 dev 28 function 2 "Intel 7 Series PCIE" rev 0xc4: msi
pci3 at ppb2 bus 3
ppb3 at pci0 dev 28 function 3 "Intel 7 Series PCIE" rev 0xc4: msi
pci4 at ppb3 bus 7
ppb4 at pci0 dev 28 function 5 "Intel 7 Series PCIE" rev 0xc4: msi
pci5 at ppb4 bus 11
sdhc0 at pci5 dev 0 function 0 vendor "O2 Micro", unknown product 0x8221 rev 0x05: apic 2 int 17
sdmmc0 at sdhc0
ehci1 at pci0 dev 29 function 0 "Intel 7 Series USB" rev 0x04: apic 2 int 21
usb1 at ehci1: USB revision 2.0
uhub1 at usb1 "Intel EHCI root hub" rev 2.00/1.00 addr 1
pcib0 at pci0 dev 31 function 0 "Intel QM77 LPC" rev 0x04
ahci0 at pci0 dev 31 function 2 "Intel 7 Series AHCI" rev 0x04: msi, AHCI 1.3
scsibus1 at ahci0: 32 targets
sd0 at scsibus1 targ 0 lun 0: <ATA, ST320LT007-9ZV14, 0005> SCSI3 0/direct fixed naa.5000c50052c32376
sd0: 305245MB, 512 bytes/sector, 625142448 sectors
ichiic0 at pci0 dev 31 function 3 "Intel 7 Series SMBus" rev 0x04: apic 2 int 18
iic0 at ichiic0
iic0: addr 0x29 07=ff 0f=33 10=81 11=8c 12=28 13=68 14=a6 15=26 16=23 17=1c 18=1e 19=a0 1a=60 1b=75 1c=c0 1e=20 20=7f 22=40 25=40 27=ff 29=fe 2b=01 2d=bd 2f=20 30=95 31=25 32=0e 33=16 87=ff 8f=33 90=81 91=8c 92=28 93=68 94=a6 95=26 96=23 97=1c 98=1e 99=a0 9a=60 9b=75 9c=c0 9e=20 a0=7f a2=40 a5=40 a7=ff ad=c4 af=20 b0=95 b1=25 b2=0e b3=16 words 00=0000 01=0000 02=0000 03=0000 04=0000 05=0000 06=0000 07=ffff
spdmem0 at iic0 addr 0x50: 2GB DDR3 SDRAM PC3-12800 SO-DIMM
spdmem1 at iic0 addr 0x52: 2GB DDR3 SDRAM PC3-12800 SO-DIMM
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
uhub2 at uhub0 port 1 "Intel Rate Matching Hub" rev 2.00/0.00 addr 2
ugen0 at uhub2 port 4 "Broadcom Corp BCM20702A0" rev 2.00/1.12 addr 3
uvideo0 at uhub2 port 5 configuration 1 interface 0 "CNFB183I2130400016M2 Laptop_Integrated_Webcam_E4HD" rev 2.00/23.30 addr 4
video0 at uvideo0
uhub3 at uhub1 port 1 "Intel Rate Matching Hub" rev 2.00/0.00 addr 2
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
softraid0: sd1 was not shutdown properly
sd1 at scsibus3 targ 1 lun 0: <OPENBSD, SR CRYPTO, 005> SCSI2 0/direct fixed
sd1: 39998MB, 512 bytes/sector, 81917424 sectors
root device: sd1a
swap device (default sd1b): 
root on sd1a swap on sd1b dump on sd1b
WARNING: / was not properly unmounted

usbdevs:
Controller /dev/usb0:
addr 1: high speed, self powered, config 1, EHCI root hub(0x0000), Intel(0x8086), rev 1.00
 port 1 addr 2: high speed, self powered, config 1, Rate Matching Hub(0x0024), Intel(0x8087), rev 0.00
  port 1 powered
  port 2 addr 5: high speed, power 500 mA, config 1, 802.11n WLAN Adapter(0x8176), Realtek(0x0bda), rev 2.00, iSerialNumber 00e04c000001
  port 3 powered
  port 4 addr 3: full speed, self powered, config 1, BCM20702A0(0x8197), Broadcom Corp(0x413c), rev 1.12, iSerialNumber 9CB70DAA8C66
  port 5 addr 4: high speed, power 500 mA, config 1, Laptop_Integrated_Webcam_E4HD(0x648b), CNFB183I2130400016M2(0x0c45), rev 23.30
  port 6 powered
 port 2 powered
Controller /dev/usb1:
addr 1: high speed, self powered, config 1, EHCI root hub(0x0000), Intel(0x8086), rev 1.00
 port 1 addr 2: high speed, self powered, config 1, Rate Matching Hub(0x0024), Intel(0x8087), rev 0.00
  port 1 powered
  port 2 powered
  port 3 powered
  port 4 powered
  port 5 powered
  port 6 powered
  port 7 powered
  port 8 powered
 port 2 powered


kernel: page fault trap, code=0
Stopped at      rt_missmsg+0x7f: movzwl 0xb0(%r15),%eax
cpu0 trace
rt_missmsg() at rt_missmsg+0x7f
in_losing() at in_losing+0x98
tcp_timer_rexmt() at tcp_timer_rexmt+0x2ec
softclock() at softclock+0x315
softintr_dispatch() at softintr_dispatch+0x5d
Xsoftclock() at Xsoftclock+0x2d
--- interrupt ---
end trace frame: 0x0, count: -6
0x8:

cpu1 trace
Debugger() at Debugger+0x9
x86_ipi_handler() at x86_ipi_handler+0x64
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x1b
--- interrupt ---
Bad frame pointer: 0xffff800032c5fec8
end trace frame: 0xffff800032c5fec8, count: -3
cpu_idle_mwait_cycle+0x56:

cpu2 trace
Debugger() at Debugger+0x9
x86_ipi_handler() at x86_ipi_handler+0x64
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x1b
--- interrupt ---
Bad frame pointer: 0xffff800032c64ec8
end trace frame: 0xffff800032c64ec8, count: -3
cpu_idle_mwait_cycle+0x56:

cpu3 trace
Debugger() at Debugger+0x9
x86_ipi_handler() at x86_ipi_handler+0x64
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x1b
--- interrupt ---
Bad frame pointer: 0xffff800032c69ec8
end trace frame: 0xffff800032c69ec8, count: -3
cpu_idle_mwait_cycle+0x56:

show registers
ds 0x1991
es 0x6bd8
fs 0x1100
gs 0xab68
rdi 0xfffffe801ffeab00
rsi 0
rbp 0xffff800032c46c30
rbx 0xffff800032c46c40
rdx 0xfffffe801ffeab68
rcx 0x5
rax 0x7
r8 0x2
r9 0
r10 0x1
r11 0xfffffe801ffeabe8
r12 0x842
r13 0
r14 0
r15 0xffff8000002bb048
rip 0xffffffff8121b53f
cs 0x8
rflags 0x10286
rsp 0xffff800032c46bf0
ss 0x10
rt_missmsg+0x7f: movzwl 0xb0(%r15),%eax
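
The situation the Description reports, a saved interface pointer that is non-NULL but no longer refers to a live interface, modelled as an added example (not code from this report or from OpenBSD). The `toy_ifnet` table, the `toy_*` functions and the generation counter are hypothetical; the example contrasts a NULL check on a saved pointer with an index lookup made at time of use.

```c
#include <stddef.h>
#include <stdio.h>

#define MAXIF 4

/* Hypothetical interface record for this example; NOT OpenBSD's struct ifnet. */
struct toy_ifnet {
    unsigned short if_index;    /* 0 = slot not attached */
    unsigned int   if_gen;      /* incremented on every attach of this slot */
    char           if_xname[16];
};

static struct toy_ifnet if_table[MAXIF + 1];    /* slot 0 is never used */

/* Attach a device to slot idx (1..MAXIF) and hand out a pointer to it. */
struct toy_ifnet *toy_attach(unsigned short idx, const char *name) {
    struct toy_ifnet *ifp = &if_table[idx];
    ifp->if_index = idx;
    ifp->if_gen++;
    snprintf(ifp->if_xname, sizeof(ifp->if_xname), "%s", name);
    return ifp;
}

/* Detach (device unplugged): the record dies, pointers handed out earlier do not. */
void toy_detach(struct toy_ifnet *ifp) {
    ifp->if_index = 0;
    ifp->if_xname[0] = '\0';
}

/* The only test the holder of a raw pointer can make. */
int ptr_looks_valid(const struct toy_ifnet *ifp) { return ifp != NULL; }

/* Revalidate at time of use: slot must be attached and of the same generation. */
struct toy_ifnet *toy_lookup(unsigned short idx, unsigned int gen) {
    if (idx == 0 || idx > MAXIF)
        return NULL;
    if (if_table[idx].if_index != idx || if_table[idx].if_gen != gen)
        return NULL;
    return &if_table[idx];
}

int main(void) {
    struct toy_ifnet *ifp = toy_attach(2, "urtwn0");
    unsigned int gen = ifp->if_gen;
    toy_detach(ifp);            /* unplug while a timer still holds ifp */
    printf("ptr check passes: %d, lookup finds it: %d\n",
        ptr_looks_valid(ifp), toy_lookup(2, gen) != NULL);
    return 0;
}
```

The table uses static storage so the stale pointer can be inspected without undefined behaviour; in a kernel the record would be freed and the same access would fault.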

