>Number:         167588
>Category:       kern
>Synopsis:       [ath] panic during ADDBA request handling
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri May 04 19:40:05 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Bernhard Schmidt
>Release:        head
>Organization:
>Environment:
FreeBSD alix1 10.0-CURRENT FreeBSD 10.0-CURRENT #5 r235030M: Fri May  4 21:03:38 CEST 2012 [email protected]:/usr/obj/i386.i386/home/bschmidt/src/svn/freebsd/base/head/sys/ALIX i386

>Description:
wlan0: [00:16:ea:ef:1f:6a] enable AMPDU on tid 6 (WME_AC_VO), avgpps 33 pkts 1


Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x38
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc0568bb0
stack pointer           = 0x28:0xc8d5b788
frame pointer           = 0x28:0xc8d5b7ac
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 0 (ath0 taskq)
[ thread pid 0 tid 100050 ]
Stopped at      _mtx_lock_flags+0x50:   movl    0x10(%esi),%eax
db> bt
Tracing pid 0 tid 100050 td 0xc22b72e0
_mtx_lock_flags(28,0,c26799ac,10d6,c22b7390,...) at _mtx_lock_flags+0x50
ath_addba_request(c23ab000,c23ab540,1,101a,0,...) at ath_addba_request+0x74
ieee80211_ampdu_request(c23ab000,c23ab540,c233b2a1,a9,c07ead48,...) at ieee80211_ampdu_request+0x9c
ieee80211_start(c20d9800,c8d5b8ac,c062bb9f,c20d9800,0,...) at ieee80211_start+0x7c8
if_start(c20d9800,0,c07a71f9,d20,3,...) at if_start+0x12
if_transmit(c20d9800,c21fb100,c20d9800) at if_transmit+0x13f
ether_output_frame(c20d9800,c21fb100,6,c8d5b974,c8d5b8ec,...) at ether_output_frame+0x60
ether_output(c20d9800,c21fb100,c8d5b974,c8d5b964,c8d5b94c,...) at ether_output+0x5eb
ip_output(c21fb100,0,0,0,0,...) at ip_output+0x9fa
icmp_reflect(1,10,0,0,80000000,...) at icmp_reflect+0x565
icmp_input(c21fb100,14,c8d5bae0,c07560c4,c0991428,...) at icmp_input+0x3fc
ip_input(c21fb100,c07905be,119,24,c21fb100,...) at ip_input+0x5b6
netisr_dispatch_src(1,0,c21fb100,c8d5bb18,c06339a1,...) at netisr_dispatch_src+0xcc
netisr_dispatch(1,c21fb100,0,c20d9800,800,...) at netisr_dispatch+0x20
ether_demux(c20d9800,c21fb100,3,0,3,...) at ether_demux+0x1b1
ether_nh_input(c21fb100,c8d5bb80,c230ec76,c23606d0,0,...) at ether_nh_input+0x3c3
netisr_dispatch_src(9,0,c21fb100,c8d5bba4,c0633495,...) at netisr_dispatch_src+0xcc
netisr_dispatch(9,c21fb100,c8d5bc0c,c232e407,c20d9800,...) at netisr_dispatch+0x20
ether_input(c20d9800,c21fb100,c21fb100,c23606d0,4,...) at ether_input+0x35
hostap_input(c23ab000,c21fb100,2d,ffffffa0,0,...) at hostap_input+0x4b7
ath_rx_proc(c22c0000,1,c0798927,132,c20c6dd8,...) at ath_rx_proc+0x8ee
taskqueue_run_locked(c20c6dc0,c20c6dd8,0,c0784256,0,...) at taskqueue_run_locked+0xeb
taskqueue_thread_loop(c22c0500,c8d5bd28,c078c390,3d8,c0819820,...) at taskqueue_thread_loop+0x67
fork_exit(c05bac60,c22c0500,c8d5bd28) at fork_exit+0xb8
fork_trampoline() at fork_trampoline+0x8
--- trap 0, eip = 0, esp = 0xc8d5bd60, ebp = 0 ---
db> 

amy:base/head% kgdb /share/nfs/i386/alix/boot/kernel/if_ath.ko.symbols 
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...No struct type named 
linker_file.
No struct type named linker_file.
No struct type named linker_file.
No symbol "linker_path" in current context.
No symbol "linker_files" in current context.
No symbol "linker_kernel_file" in current context.
No struct type named linker_file.
No struct type named linker_file.
No struct type named linker_file.
No symbol "linker_path" in current context.
No symbol "linker_files" in current context.
No symbol "linker_kernel_file" in current context.

(kgdb) list *(ath_addba_request+0x74)
0x1c624 is in ath_addba_request (/home/bschmidt/src/svn/freebsd/base/head/sys/modules/ath/../../dev/ath/if_ath_tx.c:4311).
4306             * dobaw. Although net80211 has given us a sequence number,
4307             * it'll be "after" the left edge of the BAW and thus it'll
4308             * fall within it.
4309             */
4310            ATH_TXQ_LOCK(sc->sc_ac2q[atid->tid]);
4311            ath_tx_tid_pause(sc, atid);
4312            ATH_TXQ_UNLOCK(sc->sc_ac2q[atid->tid]);
4313    
4314            DPRINTF(sc, ATH_DEBUG_SW_TX_CTRL,
4315                "%s: called; dialogtoken=%d, baparamset=%d, batimeout=%d\n",
(kgdb) 

I do not have a dump device, but I added a few printfs to get more details.

ath_addba_request: sc 0xc22be000
ath_addba_request: atid 0xc259ccac
ath_addba_request: atid->tid 6
ath_addba_request: sc->ac2q[atid->tid] 0

So, the argument to ATH_TXQ_LOCK() is NULL.
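Editor's note, an added illustration that is not part of the PR and not code from sys/dev/ath: the printfs above show sc->sc_ac2q[] being indexed with the TID (6) and returning NULL, and the trap frame agrees with that, since _mtx_lock_flags() received 0x28 as its mutex pointer (the lock's offset inside a NULL struct ath_txq) and faulted reading 0x10(%esi), i.e. address 0x38. The model below keeps one TX queue per WME access category and looks it up both ways: directly by TID, as the failing ATH_TXQ_LOCK(sc->sc_ac2q[atid->tid]) does, and by first mapping the TID to its access category. The WME constants and the TID_TO_WME_AC() mapping are reproduced from memory of net80211's ieee80211_var.h and are assumptions here, as is the table size (the real sc_ac2q[] has only a handful of AC slots; it is widened to 16 entries so the TID-indexed read returns NULL instead of reading past the array).

```c
#include <stddef.h>
#include <stdio.h>

/*
 * WME access categories and the TID -> AC mapping.  Reproduced from memory
 * of net80211 (assumption of this illustration, not copied from the tree).
 */
#define WME_AC_BE   0
#define WME_AC_BK   1
#define WME_AC_VI   2
#define WME_AC_VO   3
#define WME_NUM_AC  4
#define WME_NUM_TID 16

#define TID_TO_WME_AC(_tid) \
	(((_tid) == 0 || (_tid) == 3) ? WME_AC_BE : \
	 ((_tid) < 3)                ? WME_AC_BK : \
	 ((_tid) < 6)                ? WME_AC_VI : WME_AC_VO)

struct ath_txq {
	int axq_qnum;		/* hardware queue number */
};

/*
 * Stand-in for the softc.  ac2q[] is an AC -> h/w queue map, so only the
 * WME_NUM_AC low slots are populated.  It is sized to WME_NUM_TID here so
 * that a TID-indexed lookup reads a NULL slot (what the PR's printf showed)
 * rather than running off the end of the array.
 */
struct ath_softc {
	struct ath_txq  txq[WME_NUM_AC];
	struct ath_txq *ac2q[WME_NUM_TID];
};

static void
ath_softc_init(struct ath_softc *sc)
{
	int i;

	for (i = 0; i < WME_NUM_TID; i++)
		sc->ac2q[i] = NULL;
	for (i = 0; i < WME_NUM_AC; i++) {
		sc->txq[i].axq_qnum = i;
		sc->ac2q[i] = &sc->txq[i];
	}
}

/*
 * Resolve the TX queue for a TID.  map_through_ac == 0 indexes ac2q[]
 * directly with the TID, as the failing ATH_TXQ_LOCK(sc->sc_ac2q[atid->tid])
 * does; map_through_ac != 0 converts the TID to its AC first.
 * Returns the h/w queue number, or -1 when the lookup yields NULL, which is
 * the pointer ATH_TXQ_LOCK() would go on to dereference.
 */
int
queue_for_tid(int tid, int map_through_ac)
{
	struct ath_softc sc;
	struct ath_txq *txq;

	if (tid < 0 || tid >= WME_NUM_TID)
		return (-1);
	ath_softc_init(&sc);
	txq = map_through_ac ? sc.ac2q[TID_TO_WME_AC(tid)] : sc.ac2q[tid];
	return (txq != NULL ? txq->axq_qnum : -1);
}

/*
 * Count the TIDs 0..15 for which the direct TID index yields either the
 * wrong queue or no queue at all.  Only TIDs 0 and 1 happen to coincide.
 */
int
count_bad_tid_lookups(void)
{
	int tid, bad = 0;

	for (tid = 0; tid < WME_NUM_TID; tid++)
		if (queue_for_tid(tid, 0) != queue_for_tid(tid, 1))
			bad++;
	return (bad);
}

int
main(void)
{
	int tid;

	printf("tid  ac2q[tid]  ac2q[TID_TO_WME_AC(tid)]\n");
	for (tid = 0; tid < 8; tid++)
		printf("%3d  %9d  %24d\n", tid,
		    queue_for_tid(tid, 0), queue_for_tid(tid, 1));
	return (0);
}
```

The table the program prints makes the failure mode visible: TIDs 2 and 3 silently land on another category's queue, and TIDs 4 through 15 land on an empty slot, so the first ADDBA on a VO stream (TID 6 here, reached with ping -z 0xff) is the first time the NULL is dereferenced. A lookup of the form sc->sc_ac2q[TID_TO_WME_AC(tid)], or an AC field cached on the TID state, resolves every TID to a real queue.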

>How-To-Repeat:
ath(4) is configured as an AP like this:

kldload if_ath_pci
ifconfig wlan0 create wlandev ath0 wlanmode ap
wlandebug +11n
ifconfig wlan0 channel 5:ht40+ ssid test 192.168.50.1 up

on the STA side, running the following few commands is enough to trigger the panic:

ifconfig wlan0 create wlandev iwn0
ifconfig wlan0 ssid test channel 5:ht40+ 192.168.50.2 up
ping -i 0.001 -z 0xff 192.168.50.1
>Fix:
Don't use -z 0xff ;)

Patch attached with submission follows:

amy:base/head% cat sys/i386/conf/ALIX
cpu             I586_CPU
cpu             I686_CPU
ident           ALIX

makeoptions     DEBUG=-g
makeoptions     WITH_CTF=1
makeoptions     MODULES_OVERRIDE="ath ath_pci iwi iwifw ipw ipwfw ral ralfw wlan wlan_amrr wlan_ccmp wlan_tkip wlan_wep wlan_xauth"

options         CPU_GEODE
options         SCHED_ULE               # ULE scheduler
options         PREEMPTION              # Enable kernel thread preemption
options         INET                    # InterNETworking
options         INET6                   # IPv6 communications protocols
options         FFS                     # Berkeley Fast Filesystem
options         SOFTUPDATES             # Enable FFS soft updates support
options         UFS_ACL                 # Support for access control lists
options         UFS_DIRHASH             # Improve performance on big directories
options         UFS_GJOURNAL            # Enable gjournal-based UFS journaling
options         NFSCL                   # New Network Filesystem Client
options         NFSD                    # New Network Filesystem Server
options         NFSLOCKD                # Network Lock Manager
options         NFS_ROOT                # NFS usable as /, requires NFSCL
options         PROCFS                  # Process filesystem (requires PSEUDOFS)
options         PSEUDOFS                # Pseudo-filesystem framework
options         GEOM_PART_GPT           # GUID Partition Tables.
options         GEOM_LABEL              # Provides labelization
options         KTRACE                  # ktrace(1) support
options         STACK                   # stack(9) support
options         SYSVSHM                 # SYSV-style shared memory
options         SYSVMSG                 # SYSV-style message queues
options         SYSVSEM                 # SYSV-style semaphores
options         _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options         PRINTF_BUFR_SIZE=128    # Prevent printf output being interspersed.
options         HWPMC_HOOKS             # Necessary kernel hooks for hwpmc(4)
options         KDTRACE_HOOKS           # Kernel DTrace hooks
options         INCLUDE_CONFIG_FILE     # Include this file in kernel

# Debugging support.  Always need this:
options         KDB                     # Enable kernel debugger support.
# For minimum debugger support (stable branch) use:
#options        KDB_TRACE               # Print a stack trace for a panic.
# For full debugger support use this instead:
options         DDB                     # Support DDB.
options         GDB                     # Support remote GDB.
options         DDB_CTF                 # kernel ELF linker loads CTF data
options         DEADLKRES               # Enable the deadlock resolver
options         INVARIANTS              # Enable calls of extra sanity checking
options         INVARIANT_SUPPORT       # Extra sanity checks of internal structures, required by INVARIANTS
options         WITNESS                 # Enable checks to detect deadlocks and cycles
options         WITNESS_SKIPSPIN        # Don't run witness on spinlocks for speed
options         MALLOC_DEBUG_MAXZONES=8 # Separate malloc(9) zones
options         ALQ

device          apic                    # I/O APIC

# Bus support.
device          pci

# ATA controllers
device          ata             # Legacy ATA/SATA controllers
options         ATA_STATIC_ID   # Static device numbering

# Power management support (see NOTES for more options)
#device         apm
# Add suspend/resume support for the i8254.
device          pmtimer

# Serial (COM) ports
device          uart            # Generic UART driver

# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device          miibus          # MII bus support
device          vr              # VIA Rhine, Rhine II

# Wireless NIC cards
options         IEEE80211_DEBUG # enable debug msgs
options         IEEE80211_AMPDU_AGE # age frames in AMPDU reorder q's
options         IEEE80211_SUPPORT_MESH  # enable 802.11s draft support
options         IEEE80211_ALQ
options         AH_SUPPORT_AR5416       # enable AR5416 tx/rx descriptors
options         ATH_DEBUG
options         AH_DEBUG_ALQ
options         ATH_DIAGAPI
options         ATH_ENABLE_11N

# Pseudo devices.
device          loop            # Network loopback
device          random          # Entropy device
device          ether           # Ethernet support
device          vlan            # 802.1Q VLAN support
device          tun             # Packet tunnel.
device          md              # Memory "disks"
device          gif             # IPv6 and IPv4 tunneling
device          faith           # IPv6-to-IPv4 relaying (translation)
device          firmware        # firmware assist module

# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
# Note that 'bpf' is required for DHCP.
device          bpf             # Berkeley packet filter


amy:base/head% cat /share/nfs/i386/alix/var/run/dmesg.boot
Copyright (c) 1992-2012 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 10.0-CURRENT #5 r235030M: Fri May  4 21:03:38 CEST 2012
    [email protected]:/usr/obj/i386.i386/home/bschmidt/src/svn/freebsd/base/head/sys/ALIX i386
WARNING: WITNESS option enabled, expect reduced performance.
CPU: Geode(TM) Integrated Processor by AMD PCS (431.65-MHz 586-class CPU)
  Origin = "AuthenticAMD"  Id = 0x5a2  Family = 5  Model = a  Stepping = 2
  Features=0x88a93d<FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CLFLUSH,MMX>
  AMD Features=0xc0400000<MMX+,3DNow!+,3DNow!>
real memory  = 134217728 (128 MB)
avail memory = 121577472 (115 MB)
pnpbios: Bad PnP BIOS data checksum
K6-family MTRR support enabled (2 registers)
pcib0 pcibus 0 on motherboard
pci0: <PCI bus> on pcib0
Geode LX: PC Engines ALIX.3 v0.99 tinyBIOS V1.4a (C)1997-2007
pci0: <encrypt/decrypt, entertainment crypto> at device 1.2 (no driver attached)
vr0: <VIA VT6105M Rhine III 10/100BaseTX> port 0x1000-0x10ff mem 0xe0000000-0xe00000ff irq 10 at device 9.0 on pci0
vr0: Quirks: 0x2
vr0: Revision: 0x96
miibus0: <MII bus> on vr0
ukphy0: <Generic IEEE 802.3u media interface> PHY 1 on miibus0
ukphy0:  none, 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto, auto-flow
vr0: Ethernet address: 00:0d:b9:12:ae:4c
pci0: <network> at device 12.0 (no driver attached)
isab0: <PCI-ISA bridge> port 0x6000-0x6007,0x6100-0x61ff,0x6200-0x623f,0x9d00-0x9d7f,0x9c00-0x9c3f at device 15.0 on pci0
isa0: <ISA bus> on isab0
atapci0: <AMD CS5536 UDMA100 controller> port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xff00-0xff0f at device 15.2 on pci0
ata0: <ATA channel> at channel 0 on atapci0
ata1: <ATA channel> at channel 1 on atapci0
pci0: <serial bus, USB> at device 15.4 (no driver attached)
pci0: <serial bus, USB> at device 15.5 (no driver attached)
cpu0 on motherboard
pmtimer0 on isa0
orm0: <ISA Option ROM> at iomem 0xe0000-0xea7ff pnpid ORM0000 on isa0
atrtc0: <AT realtime clock> at port 0x70 irq 8 on isa0
Event timer "RTC" frequency 32768 Hz quality 0
attimer0: <AT timer> at port 0x40 on isa0
Timecounter "i8254" frequency 1193182 Hz quality 0
Event timer "i8254" frequency 1193182 Hz quality 100
uart0: <16550 or compatible> at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
uart0: console (115200,n,8,1)
Timecounters tick every 1.000 msec
Timecounter "TSC" frequency 431653995 Hz quality 800
WARNING: WITNESS option enabled, expect reduced performance.
Trying to mount root from nfs: []...
NFS ROOT: 10.1.1.7:/share/nfs/i386/alix
ath0: <Atheros 9160> mem 0xe0040000-0xe004ffff irq 9 at device 12.0 on pci0
ath0: [HT] enabling HT modes
ath0: [HT] 2 RX streams; 2 TX streams
ath0: AR9160 mac 64.0 RF5133 phy 11.0
ath0: 2GHz radio: 0x0000; 5GHz radio: 0x00c0
wlan0: Ethernet address: 00:15:6d:84:14:78
net.wlan.0.debug: 0x0 => 0x80000000<11n>
>Release-Note:
>Audit-Trail:
>Unformatted:
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-bugs