Date: Thu, 27 Oct 2005 15:18:41 GMT From: "Jake A." <kerneljake@hotmail.com> To: freebsd-gnats-submit@FreeBSD.org Subject: i386/88082: cts protection for ath0 causes panic Message-ID: <200510271518.j9RFIfaa084590@www.freebsd.org> Resent-Message-ID: <200510271520.j9RFKFx2032648@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 88082 >Category: i386 >Synopsis: cts protection for ath0 causes panic >Confidential: no >Severity: serious >Priority: low >Responsible: freebsd-i386 >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Thu Oct 27 15:20:15 GMT 2005 >Closed-Date: >Last-Modified: >Originator: Jake A. >Release: 6.0-RC1 >Organization: (none) >Environment: FreeBSD daemon 6.0-RC1 FreeBSD 6.0-RC1 #0: Thu Oct 13 00:46:47 CDT 2005 jake at daemon:usr/src/sys/i386/compile/DAEMON i386 >Description: While streaming FLAC audio data over ath0, the kernel will panic if wireless protection mode is enabled (this is the default for my DWL-G520 Rev.B3 card). A freebsd-current thread on this problem is available at http://lists.freebsd.org/pipermail/freebsd-current/2005-October/056884.html With WITNESS and INVARIATNS enabled, I see the following in dmesg during bootup: Oct 18 00:23:53 daemon kernel: malloc(M_WAITOK) of "32", forcing M_NOWAIT with the following non-sleepable locks held: Oct 18 00:23:53 daemon kernel: exclusive sleep mutex ath0 (network driver) r = 0 (0xc15c8d30) locked @ dev/ath/if_ath.c:4642 Oct 18 00:23:53 daemon kernel: Memory modified after free 0xc174a000(2048) val=1fa00000 @ 0xc174a000 Oct 18 00:23:53 daemon savecore: no dumps found Oct 18 00:23:56 daemon kernel: ath0: link state changed to DOWN Oct 18 00:24:06 daemon kernel: malloc(M_WAITOK) of "32", forcing M_NOWAIT with the following non-sleepable locks held: Oct 18 00:24:06 daemon kernel: exclusive sleep mutex ath0 (network driver) r = 0 (0xc15c8d30) locked @ dev/ath/if_ath.c:4642 Oct 18 00:24:06 daemon kernel: ath0: link state changed to UP Then, when the crash occurs later: # kgdb -q kernel.debug /var/crash/vmcore.2 [GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"] Unread portion of the kernel message buffer: lock order reversal 1st 0xc15c9188 ath0 (xmit q) @ dev/ath/if_ath.c:3537 2nd 0xc093b9c4 user map (user map) @ vm/vm_map.c:2997 Fatal trap 12: page fault while in kernel mode fault virtual address = 0x10 fault code = supervisor read, page not present instruction pointer = 0x20:0xc07af690 stack pointer = 0x28:0xcaf47958 frame pointer = 0x28:0x0 code segment = base 0x0, limit 0xfffff, type 0x1b = DPL 0, pres 1, def32 1, gran 1 processor eflags = interrupt enabled, resume, IOPL = 0 current process = 35 (swi1: net) trap number = 12 panic: page fault Uptime: 22m20s Dumping 223 MB (2 chunks) chunk 0: 1MB (159 pages) ... ok chunk 1: 223MB (57084 pages) 208 192 176 160 144 128 112 96 80 64 48 32 16 #0 doadump () at pcpu.h:165 165 pcpu.h: No such file or directory. in pcpu.h (kdbd) bt full #0 doadump () at pcpu.h:165 No locals. #1 0xc0639540 in boot (howto=260) at ../../../kern/kern_shutdown.c:399 first_buf_printf = 1 #2 0xc06397be in panic (fmt=0xc085b257 "%s") at ../../../kern/kern_shutdown.c:555 td = (struct thread *) 0xc147d900 bootopt = 260 newpanic = 0 ap = 0xcaf47894 "U·\211À" buf = "page fault", '\0' <repeats 245 times> #3 0xc080a374 in trap_fatal (frame=0xcaf47918, eva=16) at ../../../i386/i386/trap.c:831 code = 40 type = 12 ss = 40 esp = 0 softseg = {ssd_base = 0, ssd_limit = 1048575, ssd_type = 27, ssd_dpl = 0, ssd_p = 1, ssd_xx = 6, ssd_xx1 = 1, ssd_def32 = 1, ssd_gran = 1} #4 0xc080a0df in trap_pfault (frame=0xcaf47918, usermode=0, eva=16) at ../../../i386/i386/trap.c:742 va = 0 vm = (struct vmspace *) 0x0 map = 0xc093b980 rv = 1 ftype = 1 '\001' td = (struct thread *) 0xc147d900 p = (struct proc *) 0xc14a9624 #5 0xc0809d71 in trap (frame= {tf_fs = -889978872, tf_es = -1067122648, tf_ds = -1065091032, tf_edi = 0, tf_esi = -812636432, tf_ebp = 0, tf_isp = -889947836, tf_ebx = -812664240, tf_edx = 787639, tf_ecx = -1073479567, tf_eax = 1, tf_trapno = 12, tf_err = 0, tf_eip = -1065683312, tf_cs = 32, tf_eflags = 590338, tf_esp = 16808316, tf_ss = 0}) at ../../../i386/i386/trap.c:432 td = (struct thread *) 0xc147d900 p = (struct proc *) 0xc14a9624 sticks = 3242711296 i = 0 ucode = 0 type = 12 code = 0 eva = 16 #6 0xc07f9bda in calltrap () at ../../../i386/i386/exception.s:139 No locals. #7 0xc07af690 in zz0e373a4d () No symbol table info available. >How-To-Repeat: Run 6.0-RC1 with a D-Link DWL-G520 against a D-Link DI-624 access point. The DWL-G520 will default to a wireless protection mode of CTS, and the DI-624 access point will default to a mode of "Auto". Stream FLAC audio data over the ath0 interface, and the kernel will panic after 20-180 minutes. >Fix: 'ifconfig ath0 protmode off' will turn off protection mode and prevent the panic. >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200510271518.j9RFIfaa084590>