[Bug 212005] [panic] [net80211] age -4

[bugzilla-noreply]

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212005

            Bug ID: 212005
           Summary: [panic] [net80211] age -4
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: wireless
          Assignee: freebsd-wireless@FreeBSD.org
          Reporter: ma...@freebsd.org

I use if_run(4) in hostap mode. The system using it has now panicked twice in
ieee80211_pwrsave() at the age >= 0 assertion. Both times it happened after I
woke up a Windows laptop that automatically associates to the AP:

#0  __curthread () at ./machine/pcpu.h:221
#1  doadump (textdump=1) at
/home/mark/src/freebsd-dev/sys/kern/kern_shutdown.c:298
#2  0xffffffff806c2545 in kern_reboot (howto=<optimized out>) at
/home/mark/src/freebsd-dev/sys/kern/kern_shutdown.c:366
#3  0xffffffff806c2b1b in vpanic (fmt=<optimized out>, ap=0xfffffe0469185600)
    at /home/mark/src/freebsd-dev/sys/kern/kern_shutdown.c:759
#4  0xffffffff806c2956 in kassert_panic (fmt=0xffffffff80b6c114 "age %d")
    at /home/mark/src/freebsd-dev/sys/kern/kern_shutdown.c:649
#5  0xffffffff808109cb in ieee80211_pwrsave (ni=0xfffffe0026178000,
m=0xfffff802fb50bb00)
    at /home/mark/src/freebsd-dev/sys/net80211/ieee80211_power.c:392
#6  0xffffffff8080a0fb in ieee80211_vap_pkt_send_dest (vap=0xfffff80027d65000,
m=0xfffff802fb50bb00, ni=0xfffffe0026178000)
    at /home/mark/src/freebsd-dev/sys/net80211/ieee80211_output.c:136
#7  0xffffffff8080b5c4 in ieee80211_start_pkt (vap=0xfffff80027d65000,
m=0xfffff802fb50bb00)
    at /home/mark/src/freebsd-dev/sys/net80211/ieee80211_output.c:435
#8  ieee80211_vap_transmit (ifp=<optimized out>, m=<optimized out>)
    at /home/mark/src/freebsd-dev/sys/net80211/ieee80211_output.c:495
#9  0xffffffff807bc0ff in ether_output_frame (ifp=<optimized out>,
m=<unavailable>)
    at /home/mark/src/freebsd-dev/sys/net/if_ethersubr.c:457
#10 ether_output (ifp=<optimized out>, m=<optimized out>,
dst=0xfffffe0469185810, ro=<optimized out>)
    at /home/mark/src/freebsd-dev/sys/net/if_ethersubr.c:429
#11 0xffffffff807a5692 in bpfwrite (dev=<optimized out>, uio=<optimized out>,
ioflag=<optimized out>)
    at /home/mark/src/freebsd-dev/sys/net/bpf.c:1173
#12 0xffffffff80598157 in devfs_write_f (fp=0xfffff8001999bb90,
uio=0xfffffe0469185970, cred=0xfffff8002709c500, flags=0, 
    td=<optimized out>) at
/home/mark/src/freebsd-dev/sys/fs/devfs/devfs_vnops.c:1773
#13 0xffffffff80727414 in fo_write (fp=<optimized out>, uio=0xfffffe0469185970,
active_cred=<unavailable>, flags=0, 
    td=<optimized out>) at /home/mark/src/freebsd-dev/sys/sys/file.h:311
#14 dofilewrite (td=0xfffff8002709c500, fd=4, fp=0xfffff8001999bb90,
auio=0xfffffe0469185970, offset=<optimized out>, 
    flags=0) at /home/mark/src/freebsd-dev/sys/kern/sys_generic.c:593
#15 0xffffffff807270b8 in kern_writev (td=0xfffff8002709c500, fd=4,
auio=0xfffffe0469185970)
    at /home/mark/src/freebsd-dev/sys/kern/sys_generic.c:508
#16 0xffffffff80727044 in sys_write (td=<unavailable>, uap=<optimized out>)
    at /home/mark/src/freebsd-dev/sys/kern/sys_generic.c:421
#17 0xffffffff809fabab in syscallenter (td=0xfffff8002709c500, sa=<optimized
out>)
    at /home/mark/src/freebsd-dev/sys/amd64/amd64/../../kern/subr_syscall.c:135
#18 amd64_syscall (td=0xfffff8002709c500, traced=0) at
/home/mark/src/freebsd-dev/sys/amd64/amd64/trap.c:942

It looks like there were already two packets in the low-priority aging queue:

(kgdb) frame 5
#5  0xffffffff808109cb in ieee80211_pwrsave (ni=0xfffffe0026178000,
m=0xfffff802fb50bb00)
    at /home/mark/src/freebsd-dev/sys/net80211/ieee80211_power.c:392
warning: Source file is more recent than executable.
392             KASSERT(age >= 0, ("age %d", age));
(kgdb) p ni->ni_psq->psq_head[0]
$1 = {head = 0x0, tail = 0x0, len = 0}
(kgdb) p ni->ni_psq->psq_head[1]
$2 = {head = 0xfffff8027be5f400, tail = 0xfffff80027b7de00, len = 2}

age was 0:

(kgdb) p ni->ni_intval
$3 = 1
(kgdb) p ni->ni_ic->ic_bintval 
$4 = 100

and the first packet in the queue has age 4:

(kgdb) p ni->ni_psq->psq_head[1].head->m_pkthdr.PH_per.thirtytwo[1]
$5 = 4

... so this code sets age to -4, tripping the assertion:

388         } else {                          
389                 qhead->tail->m_nextpkt = m;
390                 age -= M_AGE_GET(qhead->head);                  
391         }

I can provide more info from the core if that's helpful.

-- 
You are receiving this mail because:
You are the assignee for the bug.
_______________________________________________
freebsd-wireless@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-wireless
To unsubscribe, send any mail to "freebsd-wireless-unsubscr...@freebsd.org"