rt2x00.serialmonkey.com

Hi !

I have set up a 'sniffer machine' with Fedora 9 (2.6.26.6-79.fc9.i686) and 4*EDIMAX 7318USg USB dongles and with the latest driver from rt2x00.serialmonkey.com.

wget http://rt2x00.serialmonkey.com/rt73-cvs-daily.tar.gz
tar -xvzf rt73-cvs-daily.tar.gz
cd rt73-cvs-2008112001/Module
make
strip -S rt73.ko
make install

It works great with sniffing in parallel on 4 different channels but when I shall reconfigure the cards it often leads to a segmentation fault....

Does anybody know what this could be, or any workaround I could use to get this working ?

Br /Jan Terje



[root@testpeer1 FC9-install]# sleep 1;ifconfig wlan0 down
[root@testpeer1 FC9-install]# sleep 1;iwconfig wlan0 mode monitor
[root@testpeer1 FC9-install]# sleep 1;ifconfig wlan0 up
[root@testpeer1 FC9-install]# sleep 1;iwconfig wlan0 channel 1
[root@testpeer1 FC9-install]#
[root@testpeer1 FC9-install]# sleep 1;ifconfig wlan1 down
[root@testpeer1 FC9-install]# sleep 1;iwconfig wlan1 mode monitor
[root@testpeer1 FC9-install]# sleep 1;ifconfig wlan1 up
[root@testpeer1 FC9-install]# sleep 1;iwconfig wlan1 channel 6
[root@testpeer1 FC9-install]#
[root@testpeer1 FC9-install]#
[root@testpeer1 FC9-install]# sleep 1;ifconfig wlan2 down
[root@testpeer1 FC9-install]# sleep 1;iwconfig wlan2 mode monitor
[root@testpeer1 FC9-install]# sleep 1;ifconfig wlan2 up
[root@testpeer1 FC9-install]# sleep 1;iwconfig wlan2 channel 13
[root@testpeer1 FC9-install]#

[root@testpeer1 FC9-install]# sleep 1;ifconfig wlan1 down
[root@testpeer1 FC9-install]# sleep 1;iwconfig wlan1 mode monitor
[root@testpeer1 FC9-install]# sleep 1;ifconfig wlan1 up
[root@testpeer1 FC9-install]# sleep 1;iwconfig wlan1 channel 6
[root@testpeer1 FC9-install]#
[root@testpeer1 FC9-install]#
[root@testpeer1 FC9-install]# sleep 1;ifconfig wlan2 down
Segmentation fault

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel:divide error: 0000 [#2] SMP

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel:Process ifconfig (pid: 3935, ti=f3d4a000 task=f3ddcb00 task.ti=f3d4a000)

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel:Stack: ec460000 00000004 04000000 ec502000 ec460000 00000000 ec460000 f3d4ae78

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: f8e7f83b 00000000 00000000 00000000 00000000 00000000 00000000 00000000

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel:Call Trace:

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: [<f8e7f83b>] ? RTUSBHalt+0x97/0x123 [rt73]

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: [<c043e374>] ? getnstimeofday+0x3c/0xd6

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: [<c043e374>] ? getnstimeofday+0x3c/0xd6

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: [<c0413a27>] ? lapic_next_event+0x15/0x1c

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: [<c0440d30>] ? clockevents_program_event+0xe1/0xf0

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: [<c0441ab5>] ? tick_dev_program_event+0x28/0x95

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: [<c0441b6c>] ? tick_program_event+0x22/0x29

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: [<c041cae5>] ? kmap_atomic_prot+0x1d8/0x1da

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: [<c041c8ed>] ? kunmap_atomic+0x87/0xa7

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: [<c0469caf>] ? get_page_from_freelist+0x32a/0x3ae

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: [<c0469faa>] ? __alloc_pages_internal+0xb0/0x38d

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: [<c0469caf>] ? get_page_from_freelist+0x32a/0x3ae

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: [<c041cae5>] ? kmap_atomic_prot+0x1d8/0x1da

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: [<c041c8ed>] ? kunmap_atomic+0x87/0xa7

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: [<c046ecda>] ? __inc_zone_page_state+0x18/0x1a

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: [<c0472852>] ? handle_mm_fault+0x6c5/0x6e0

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: [<c04faa42>] ? number+0x106/0x1c0

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: [<c0465411>] ? find_lock_page+0x29/0x8a

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: [<c063352d>] ? do_page_fault+0x3d2/0x71e

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: [<c04f68e5>] ? __next_cpu+0x15/0x25

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: [<c041eb31>] ? find_busiest_group+0x23f/0x5d3

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: [<c043e374>] ? getnstimeofday+0x3c/0xd6

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: [<c043c7da>] ? ktime_get_ts+0x4a/0x4e

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: [<c043c7f1>] ? ktime_get+0x13/0x2f

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: [<c041e47d>] ? hrtick_start_fair+0x140/0x148

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: [<c0420748>] ? check_preempt_wakeup+0x93/0xc0

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: [<c0420ded>] ? try_to_wake_up+0x1b4/0x1be

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: [<c0420e02>] ? default_wake_function+0xb/0xd

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: [<c0439942>] ? autoremove_wake_function+0xf/0x33

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: [<c041dbfb>] ? __wake_up_common+0x35/0x5b

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: [<c04206ab>] ? __wake_up+0x31/0x3b

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: [<c0436d4f>] ? insert_work+0x49/0x4f

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: [<c0437095>] ? __queue_work+0x28/0x2d

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: [<c0437106>] ? queue_work+0x3e/0x48

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: [<c04374b2>] ? queue_delayed_work+0xc/0x1e

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: [<c04374d5>] ? schedule_delayed_work+0x11/0x14

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: [<c043cfc7>] ? down_interruptible+0x30/0x37

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: [<f8e7f957>] ? usb_rtusb_close+0x90/0xb1 [rt73]

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: [<c0420df7>] ? default_wake_function+0x0/0xd

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: [<c05c274e>] ? dev_close+0x77/0x96

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: [<c05c2480>] ? dev_change_flags+0x9c/0x14f

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: [<c05fd70c>] ? devinet_ioctl+0x21a/0x526

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: [<c05fe52c>] ? inet_ioctl+0x8e/0xa7

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: [<c05b73ae>] ? sock_ioctl+0x1aa/0x1ce

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: [<c05b7204>] ? sock_ioctl+0x0/0x1ce

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: [<c0490a0a>] ? vfs_ioctl+0x22/0x69

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: [<c0490c8a>] ? do_vfs_ioctl+0x239/0x24c

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: [<c0490cdd>] ? sys_ioctl+0x40/0x5b

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: [<c0404c32>] ? syscall_call+0x7/0xb

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: [<c0630000>] ? schedule+0x5b7/0x76b

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel: =======================

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel:Code: 6a 00 6a 00 6a 00 6a 00 6a 00 6a 00 6a 00 e8 4e fa ff ff 83 c4 30 8b 4d e4 b8 30 00 00 00 0f b7 91 84 d2 01 00 89 cb 89 d7 31 d2 <f7> f7 83 fa 01 19 c0 81 c3 c8 d3 01 00 83 e0 02 83 c0 30 89 81

Message from syslogd@testpeer1 at Nov 20 10:34:17 ...
kernel:EIP: [<f8e8c26d>] RTMPSendNullFrame+0x134/0x177 [rt73] SS:ESP 0068:f3d4a628

Hello,
if "ifconfig" crashes, it could be the driver that returns something corrupted, or a bug within the program. It is hard to say, perhaps you could recompile "ifconfig" yourself and run it though "gdb"?

Regards,
Romain

_________________
RutilT developer

Hi !
We have now made some modifications to the driver rt73 and the system is much more stable now.
Is there anywhere we can send the patches so that they can be considered for integration ?

You can post patches as attachment to this topic.

_________________
Regards,
Ivo van Doorn
Project Administrator
http://rt2x00.serialmonkey.com

Hi !

The system crashes when I try to setup AdHoc mode on one of my dongles (I just ran the commands below some times when it crashes)

sleep 1;ifconfig ${CARD} down
sleep 1;iwpriv ${CARD} set NetworkType=Adhoc
sleep 1;iwconfig ${CARD} channel ${opt_c}
sleep 1;iwconfig ${CARD} essid ${opt_ssid}

I'll attach a couple of dmesg and a patch that seems to prevent the crashes (the permanent solution might be different).

Thanks /Jan Terje

Hi !

I see a problem with the patch....
When I monitor on one RT73-device and setup adhoc on another RT73-device the adhoc device send 998 beacons and then it stops.
(Without the patch it sends beacons 'forever' but the kernel crashes when doing the adhoc commands)

I am a tester, not a c-coder or driver expert.
I would be more than happy to do testing on this problem and provide logs if anybody could help with the driver fix..

Br / Jan Terje

Hi qjantnn,

I've seen this problem before. Unfortunately, I couldn't get followup. As your patch shows, the bulk out packet size isn't being set. This is supposed to happen during the probe function. However the device seems to be reporting a value of zero for this.

Could you do a 'lsusb -v' and attach a copy of the output to a posting here?

Thanks,

PS It'll be a couple of days before I can get into this more.

_________________
Yr Hmbl Obt Svt & c
Bryan - In favor of Big Oil. Big fan of General Grievous.

In rt2x00 there is a workaround for this issue, first the maxpacket size is requested from the USB layer, if that is 0 it is reset to 1. After that all computations with the value are safe. (and apparently working correctly)

_________________
Regards,
Ivo van Doorn
Project Administrator
http://rt2x00.serialmonkey.com

Thanks a lot !

I have now made a new patch based on IvD's comment.
I am running 4*EDIMAX 7318USg USB dongles as sniffers and 1*EDIMAX 7318USg USB dongle as AdHoc device.
I am running some scripts that loops setting up and taking down adhoc with different parameters (wep, 40/104 bit keys, open, shared..) and sniffing on two devices at the same time.

So far : working and 100% stable.

I'll attach lspci and the patch

Hi qjantnn,

The patch suggested by Ivo is now in CVS and should start showing up in the hourly tarball Soon. I see your patch caught both sides of the conditional compile. Nice.

It's a little confusing that lsusb *does* report a plausible block size. Oh, well.

It turns out that the legacy USB drivers only really use the max packet value to ensure that a transmit request does *not* end exactly on a USB bulk packet boundary. What is nagging about the fix is that, while it avoids the segfault problem, it looks like it can occasionally make a bulk out transfer that otherwise would not end on a packet boundary end exactly on a packet boundary.

The only reasons I can think of for trying to ensure a transfer does not end on a packet boundary are that either the Linux hub driver - or some versions thereof - does not transmit a zero length packet to signal the end of transfer in that case, or that Ralink's firmware does not respond correctly to one. So if we occasionally do have a transfer that ends exactly on a packet boundary, it may be that we'll have a transfer failure of some kind.

If someone more knowledgable than I about either Linux USB hub code, or Ralink's firmware can comment, that would be good.

Thanks,

_________________
Yr Hmbl Obt Svt & c
Bryan - In favor of Big Oil. Big fan of General Grievous.