rt73-cvs-2008112001 Segmentation fault at ifconfig wlan2

Live forum: http://rt2x00.serialmonkey.com/viewtopic.php?t=5089

qjantnn

20-11-2008 10:10:41

Hi !

I have set up a 'sniffer machine' with Fedora 9 (2.6.26.6-79.fc9.i686) and 4*EDIMAX 7318USg USB dongles and with the latest driver from rt2x00.serialmonkey.com.

wget http://rt2x00.serialmonkey.com/rt73-cvs-daily.tar.gz
tar -xvzf rt73-cvs-daily.tar.gz
cd rt73-cvs-2008112001/Module
make
strip -S rt73.ko
make install

It works great when sniffing in parallel on 4 different channels, but when I reconfigure the cards it often leads to a segmentation fault....

Does anybody know what this could be, or any workaround I could use to get this working ?

Br /Jan Terje



[root@testpeer1 FC9-install]# sleep 1;ifconfig wlan0 down
[root@testpeer1 FC9-install]# sleep 1;iwconfig wlan0 mode monitor
[root@testpeer1 FC9-install]# sleep 1;ifconfig wlan0 up
[root@testpeer1 FC9-install]# sleep 1;iwconfig wlan0 channel 1
[root@testpeer1 FC9-install]#
[root@testpeer1 FC9-install]# sleep 1;ifconfig wlan1 down
[root@testpeer1 FC9-install]# sleep 1;iwconfig wlan1 mode monitor
[root@testpeer1 FC9-install]# sleep 1;ifconfig wlan1 up
[root@testpeer1 FC9-install]# sleep 1;iwconfig wlan1 channel 6
[root@testpeer1 FC9-install]#
[root@testpeer1 FC9-install]#
[root@testpeer1 FC9-install]# sleep 1;ifconfig wlan2 down
[root@testpeer1 FC9-install]# sleep 1;iwconfig wlan2 mode monitor
[root@testpeer1 FC9-install]# sleep 1;ifconfig wlan2 up
[root@testpeer1 FC9-install]# sleep 1;iwconfig wlan2 channel 13
[root@testpeer1 FC9-install]#

[root@testpeer1 FC9-install]# sleep 1;ifconfig wlan1 down
[root@testpeer1 FC9-install]# sleep 1;iwconfig wlan1 mode monitor
[root@testpeer1 FC9-install]# sleep 1;ifconfig wlan1 up
[root@testpeer1 FC9-install]# sleep 1;iwconfig wlan1 channel 6
[root@testpeer1 FC9-install]#
[root@testpeer1 FC9-install]#
[root@testpeer1 FC9-install]# sleep 1;ifconfig wlan2 down
Segmentation fault

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: divide error: 0000 [#2] SMP
kernel: Process ifconfig (pid: 3935, ti=f3d4a000 task=f3ddcb00 task.ti=f3d4a000)
kernel: Stack: ec460000 00000004 04000000 ec502000 ec460000 00000000 ec460000 f3d4ae78
kernel:        f8e7f83b 00000000 00000000 00000000 00000000 00000000 00000000 00000000
kernel:        00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
kernel: Call Trace:
kernel:  [<f8e7f83b>] ? RTUSBHalt+0x97/0x123 [rt73]
kernel:  [<c043e374>] ? getnstimeofday+0x3c/0xd6
kernel:  [<c043e374>] ? getnstimeofday+0x3c/0xd6
kernel:  [<c0413a27>] ? lapic_next_event+0x15/0x1c
kernel:  [<c0440d30>] ? clockevents_program_event+0xe1/0xf0
kernel:  [<c0441ab5>] ? tick_dev_program_event+0x28/0x95
kernel:  [<c0441b6c>] ? tick_program_event+0x22/0x29
kernel:  [<c041cae5>] ? kmap_atomic_prot+0x1d8/0x1da
kernel:  [<c041c8ed>] ? kunmap_atomic+0x87/0xa7
kernel:  [<c0469caf>] ? get_page_from_freelist+0x32a/0x3ae
kernel:  [<c0469faa>] ? __alloc_pages_internal+0xb0/0x38d
kernel:  [<c0469caf>] ? get_page_from_freelist+0x32a/0x3ae
kernel:  [<c041cae5>] ? kmap_atomic_prot+0x1d8/0x1da
kernel:  [<c041c8ed>] ? kunmap_atomic+0x87/0xa7
kernel:  [<c046ecda>] ? __inc_zone_page_state+0x18/0x1a
kernel:  [<c0472852>] ? handle_mm_fault+0x6c5/0x6e0
kernel:  [<c04faa42>] ? number+0x106/0x1c0
kernel:  [<c0465411>] ? find_lock_page+0x29/0x8a
kernel:  [<c063352d>] ? do_page_fault+0x3d2/0x71e
kernel:  [<c04f68e5>] ? __next_cpu+0x15/0x25
kernel:  [<c041eb31>] ? find_busiest_group+0x23f/0x5d3
kernel:  [<c043e374>] ? getnstimeofday+0x3c/0xd6
kernel:  [<c043c7da>] ? ktime_get_ts+0x4a/0x4e
kernel:  [<c043c7f1>] ? ktime_get+0x13/0x2f
kernel:  [<c041e47d>] ? hrtick_start_fair+0x140/0x148
kernel:  [<c0420748>] ? check_preempt_wakeup+0x93/0xc0
kernel:  [<c0420ded>] ? try_to_wake_up+0x1b4/0x1be
kernel:  [<c0420e02>] ? default_wake_function+0xb/0xd
kernel:  [<c0439942>] ? autoremove_wake_function+0xf/0x33
kernel:  [<c041dbfb>] ? __wake_up_common+0x35/0x5b
kernel:  [<c04206ab>] ? __wake_up+0x31/0x3b
kernel:  [<c0436d4f>] ? insert_work+0x49/0x4f
kernel:  [<c0437095>] ? __queue_work+0x28/0x2d
kernel:  [<c0437106>] ? queue_work+0x3e/0x48
kernel:  [<c04374b2>] ? queue_delayed_work+0xc/0x1e
kernel:  [<c04374d5>] ? schedule_delayed_work+0x11/0x14
kernel:  [<c043cfc7>] ? down_interruptible+0x30/0x37
kernel:  [<f8e7f957>] ? usb_rtusb_close+0x90/0xb1 [rt73]
kernel:  [<c0420df7>] ? default_wake_function+0x0/0xd
kernel:  [<c05c274e>] ? dev_close+0x77/0x96
kernel:  [<c05c2480>] ? dev_change_flags+0x9c/0x14f
kernel:  [<c05fd70c>] ? devinet_ioctl+0x21a/0x526
kernel:  [<c05fe52c>] ? inet_ioctl+0x8e/0xa7
kernel:  [<c05b73ae>] ? sock_ioctl+0x1aa/0x1ce
kernel:  [<c05b7204>] ? sock_ioctl+0x0/0x1ce
kernel:  [<c0490a0a>] ? vfs_ioctl+0x22/0x69
kernel:  [<c0490c8a>] ? do_vfs_ioctl+0x239/0x24c
kernel:  [<c0490cdd>] ? sys_ioctl+0x40/0x5b
kernel:  [<c0404c32>] ? syscall_call+0x7/0xb
kernel:  [<c0630000>] ? schedule+0x5b7/0x76b
kernel:  =======================
kernel: Code: 6a 00 6a 00 6a 00 6a 00 6a 00 6a 00 6a 00 e8 4e fa ff ff 83 c4 30 8b 4d e4 b8 30 00 00 00 0f b7 91 84 d2 01 00 89 cb 89 d7 31 d2 <f7> f7 83 fa 01 19 c0 81 c3 c8 d3 01 00 83 e0 02 83 c0 30 89 81
kernel: EIP: [<f8e8c26d>] RTMPSendNullFrame+0x134/0x177 [rt73] SS:ESP 0068:f3d4a628

Spy84464

24-11-2008 17:58:27

Hello,
if "ifconfig" crashes, it could be the driver that returns something corrupted, or a bug within the program. It is hard to say; perhaps you could recompile "ifconfig" yourself and run it through "gdb"?

Regards,
Romain

qjantnn

26-11-2008 20:38:56

Hi !
We have now made some modifications to the driver rt73 and the system is much more stable now.
Is there anywhere we can send the patches so that they can be considered for integration ?

IvD

26-11-2008 20:57:13

You can post patches as attachment to this topic.

qjantnn

27-11-2008 12:56:33

Hi !

The system crashes when I try to setup AdHoc mode on one of my dongles (I just ran the commands below some times when it crashes)

sleep 1;ifconfig ${CARD} down
sleep 1;iwpriv ${CARD} set NetworkType=Adhoc
sleep 1;iwconfig ${CARD} channel ${opt_c}
sleep 1;iwconfig ${CARD} essid ${opt_ssid}

I'll attach a couple of dmesg and a patch that seems to prevent the crashes (the permanent solution might be different).

Thanks /Jan Terje

qjantnn

28-11-2008 09:08:50

Hi !

I see a problem with the patch....
When I monitor on one RT73 device and set up adhoc on another RT73 device, the adhoc device sends 998 beacons and then it stops.
(Without the patch it sends beacons 'forever' but the kernel crashes when doing the adhoc commands)

I am a tester, not a c-coder or driver expert.
I would be more than happy to do testing on this problem and provide logs if anybody could help with the driver fix..

Br / Jan Terje

Vern

28-11-2008 16:23:17

Hi qjantnn,

I've seen this problem before. Unfortunately, I couldn't get followup. As your patch shows, the bulk out packet size isn't being set. This is supposed to happen during the probe function. However the device seems to be reporting a value of zero for this.

Could you do a 'lsusb -v' and attach a copy of the output to a posting here?

Thanks,

PS It'll be a couple of days before I can get into this more.

IvD

28-11-2008 19:35:32

In rt2x00 there is a workaround for this issue, first the maxpacket size is requested from the USB layer, if that is 0 it is reset to 1. After that all computations with the value are safe. (and apparently working correctly)

qjantnn

01-12-2008 11:46:15

Thanks a lot !

I have now made a new patch based on IvD's comment.
I am running 4*EDIMAX 7318USg USB dongles as sniffers and 1*EDIMAX 7318USg USB dongle as AdHoc device.
I am running some scripts that loops setting up and taking down adhoc with different parameters (wep, 40/104 bit keys, open, shared..) and sniffing on two devices at the same time.

So far working and 100% stable.

I'll attach lspci and the patch

Vern

01-12-2008 17:42:53

Hi qjantnn,

The patch suggested by Ivo is now in CVS and should start showing up in the hourly tarball Soon. I see your patch caught both sides of the conditional compile. Nice.

It's a little confusing that lsusb *does* report a plausible block size. Oh, well.

It turns out that the legacy USB drivers only really use the max packet value to ensure that a transmit request does *not* end exactly on a USB bulk packet boundary. What is nagging about the fix is that, while it avoids the segfault problem, it looks like it can occasionally make a bulk out transfer that otherwise would not end on a packet boundary end exactly on a packet boundary.

The only reasons I can think of for trying to ensure a transfer does not end on a packet boundary are that either the Linux hub driver - or some versions thereof - does not transmit a zero length packet to signal the end of transfer in that case, or that Ralink's firmware does not respond correctly to one. So if we occasionally do have a transfer that ends exactly on a packet boundary, it may be that we'll have a transfer failure of some kind.

If someone more knowledgeable than I about either the Linux USB hub code or Ralink's firmware can comment, that would be good.

Thanks,
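The following is an added user-space model of the two points raised above (IvD's clamp-to-1 workaround and Vern's concern that it can make a transfer land exactly on a packet boundary); it is illustrative code written for this thread, not code from the rt73 or rt2x00 drivers. The faulting instruction bytes in the oops earlier in the thread decode to `xor edx,edx; div edi`, a division by the bulk-out max packet size, followed by a test that adds 2 bytes to a 0x30-byte null frame when the remainder is zero; the padding amount of 2 and the "len + pad if len is a multiple of maxpacket" rule are taken from that and are assumptions about the driver's general data path. The 512-byte "true" endpoint size is the USB 2.0 high-speed bulk maximum and is used here only as a sample value.

```c
/*
 * Added example (not rt73/rt2x00 code): how a legacy USB Wi-Fi driver pads a
 * bulk-out transfer so it does not end on a max-packet boundary, why a
 * reported max packet size of 0 faults, and what the clamp-to-1 workaround
 * does to the padding decision.
 */
#include <stdio.h>
#include <stdbool.h>

/* Bytes added when a transfer would end exactly on a packet boundary.
 * Assumed from the decoded oops bytes (0x30-byte null frame padded by 2). */
#define BOUNDARY_PAD 2

/*
 * Naive driver arithmetic: divides by maxpacket unconditionally.
 * In the kernel a maxpacket of 0 is the "divide error" in the oops; here we
 * return -1 instead of faulting so the hazard can be shown in user space.
 */
static int tx_len_naive(unsigned len, unsigned maxpacket)
{
    if (maxpacket == 0)
        return -1;                       /* would be a #DE fault in the driver */
    return (len % maxpacket == 0) ? (int)(len + BOUNDARY_PAD) : (int)len;
}

/* rt2x00-style workaround: a reported size of 0 is replaced by 1, so every
 * later modulo/division is safe.  Note that len % 1 == 0 for every len. */
static unsigned clamp_maxpacket(unsigned reported)
{
    return reported ? reported : 1;
}

static int tx_len_clamped(unsigned len, unsigned reported_maxpacket)
{
    return tx_len_naive(len, clamp_maxpacket(reported_maxpacket));
}

/* Does a transfer of this length end exactly on a packet boundary of the
 * endpoint's true max packet size (what the hardware actually uses)? */
static bool ends_on_boundary(int len, unsigned true_maxpacket)
{
    return len >= 0 && (unsigned)len % true_maxpacket == 0;
}

int main(void)
{
    const unsigned true_mps = 512;       /* assumed high-speed bulk endpoint */
    const unsigned lens[] = { 48, 510, 512, 1000 };

    printf("%6s %12s %16s %18s\n", "len", "naive(512)", "naive(reported=0)",
           "clamped(reported=0)");
    for (unsigned i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        int good   = tx_len_naive(lens[i], true_mps);   /* probe read 512 */
        int broken = tx_len_naive(lens[i], 0);          /* probe read 0   */
        int fixed  = tx_len_clamped(lens[i], 0);        /* workaround     */
        printf("%6u %12d %16d %18d%s\n", lens[i], good, broken, fixed,
               ends_on_boundary(fixed, true_mps) ? "  <- ends on boundary" : "");
    }
    return 0;
}
```

With a correct max packet size of 512, a 510-byte frame is sent as is and a 512-byte frame is padded to 514. With a reported size of 0 the naive path faults on every frame. With the clamp, the arithmetic is safe but the driver now pads every frame, so the 510-byte frame becomes 512 bytes and ends exactly on the real packet boundary, which is the case Vern describes.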