From owner-freebsd-bugs@FreeBSD.ORG Fri May 4 19:40:06 2012
Resent-Date: Fri, 4 May 2012 19:40:06 GMT
Resent-Message-Id: <201205041940.q44Je6Tf048396@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Bernhard Schmidt
Message-Id: <201205041936.q44Jakvh051826@red.freebsd.org>
Date: Fri, 4 May 2012 19:36:46 GMT
From: Bernhard Schmidt
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Subject: kern/167588: [ath] panic during ADDBA request handling
List-Id: Bug reports

>Number:         167588
>Category:       kern
>Synopsis:       [ath] panic during ADDBA request handling
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri May 04 19:40:05 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Bernhard Schmidt
>Release:        head
>Organization:
>Environment:
FreeBSD alix1 10.0-CURRENT FreeBSD 10.0-CURRENT #5 r235030M: Fri May 4 21:03:38 CEST 2012 bschmidt@amy.lab.techwires.net:/usr/obj/i386.i386/home/bschmidt/src/svn/freebsd/base/head/sys/ALIX i386
>Description:
wlan0: [00:16:ea:ef:1f:6a] enable AMPDU on tid 6 (WME_AC_VO), avgpps 33 pkts 1

Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x38
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc0568bb0
stack pointer           = 0x28:0xc8d5b788
frame pointer           = 0x28:0xc8d5b7ac
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 0 (ath0 taskq)
[ thread pid 0 tid 100050 ]
Stopped at      _mtx_lock_flags+0x50:   movl    0x10(%esi),%eax
db> bt
Tracing pid 0 tid 100050 td 0xc22b72e0
_mtx_lock_flags(28,0,c26799ac,10d6,c22b7390,...) at _mtx_lock_flags+0x50
ath_addba_request(c23ab000,c23ab540,1,101a,0,...) at ath_addba_request+0x74
ieee80211_ampdu_request(c23ab000,c23ab540,c233b2a1,a9,c07ead48,...) at ieee80211_ampdu_request+0x9c
ieee80211_start(c20d9800,c8d5b8ac,c062bb9f,c20d9800,0,...) at ieee80211_start+0x7c8
if_start(c20d9800,0,c07a71f9,d20,3,...) at if_start+0x12
if_transmit(c20d9800,c21fb100,c20d9800) at if_transmit+0x13f
ether_output_frame(c20d9800,c21fb100,6,c8d5b974,c8d5b8ec,...) at ether_output_frame+0x60
ether_output(c20d9800,c21fb100,c8d5b974,c8d5b964,c8d5b94c,...) at ether_output+0x5eb
ip_output(c21fb100,0,0,0,0,...) at ip_output+0x9fa
icmp_reflect(1,10,0,0,80000000,...) at icmp_reflect+0x565
icmp_input(c21fb100,14,c8d5bae0,c07560c4,c0991428,...) at icmp_input+0x3fc
ip_input(c21fb100,c07905be,119,24,c21fb100,...) at ip_input+0x5b6
netisr_dispatch_src(1,0,c21fb100,c8d5bb18,c06339a1,...) at netisr_dispatch_src+0xcc
netisr_dispatch(1,c21fb100,0,c20d9800,800,...) at netisr_dispatch+0x20
ether_demux(c20d9800,c21fb100,3,0,3,...) at ether_demux+0x1b1
ether_nh_input(c21fb100,c8d5bb80,c230ec76,c23606d0,0,...) at ether_nh_input+0x3c3
netisr_dispatch_src(9,0,c21fb100,c8d5bba4,c0633495,...) at netisr_dispatch_src+0xcc
netisr_dispatch(9,c21fb100,c8d5bc0c,c232e407,c20d9800,...) at netisr_dispatch+0x20
ether_input(c20d9800,c21fb100,c21fb100,c23606d0,4,...) at ether_input+0x35
hostap_input(c23ab000,c21fb100,2d,ffffffa0,0,...) at hostap_input+0x4b7
ath_rx_proc(c22c0000,1,c0798927,132,c20c6dd8,...) at ath_rx_proc+0x8ee
taskqueue_run_locked(c20c6dc0,c20c6dd8,0,c0784256,0,...) at taskqueue_run_locked+0xeb
taskqueue_thread_loop(c22c0500,c8d5bd28,c078c390,3d8,c0819820,...) at taskqueue_thread_loop+0x67
fork_exit(c05bac60,c22c0500,c8d5bd28) at fork_exit+0xb8
fork_trampoline() at fork_trampoline+0x8
--- trap 0, eip = 0, esp = 0xc8d5bd60, ebp = 0 ---
db>

amy:base/head% kgdb /share/nfs/i386/alix/boot/kernel/if_ath.ko.symbols
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...
No struct type named linker_file.
No struct type named linker_file.
No struct type named linker_file.
No symbol "linker_path" in current context.
No symbol "linker_files" in current context.
No symbol "linker_kernel_file" in current context.
No struct type named linker_file.
No struct type named linker_file.
No struct type named linker_file.
No symbol "linker_path" in current context.
No symbol "linker_files" in current context.
No symbol "linker_kernel_file" in current context.
(kgdb) list *(ath_addba_request+0x74)
0x1c624 is in ath_addba_request (/home/bschmidt/src/svn/freebsd/base/head/sys/modules/ath/../../dev/ath/if_ath_tx.c:4311).
4306             * dobaw. Although net80211 has given us a sequence number,
4307             * it'll be "after" the left edge of the BAW and thus it'll
4308             * fall within it.
4309             */
4310            ATH_TXQ_LOCK(sc->sc_ac2q[atid->tid]);
4311            ath_tx_tid_pause(sc, atid);
4312            ATH_TXQ_UNLOCK(sc->sc_ac2q[atid->tid]);
4313
4314            DPRINTF(sc, ATH_DEBUG_SW_TX_CTRL,
4315                "%s: called; dialogtoken=%d, baparamset=%d, batimeout=%d\n",
(kgdb)

I do not have a dump device, but I added a few printfs to get more details.

ath_addba_request: sc 0xc22be000
ath_addba_request: atid 0xc259ccac
ath_addba_request: atid->tid 6
ath_addba_request: sc->ac2q[atid->tid] 0

So, the argument to ATH_TXQ_LOCK() is NULL.
>How-To-Repeat:
ath(4) is configured as an AP like that

kldload if_ath_pci
ifconfig wlan0 create wlandev ath0 wlanmode ap
wlandebug +11n
ifconfig wlan0 channel 5:ht40+ ssid test 192.168.50.1 up

on the STA side, running the following few commands is enough to trigger the panic

ifconfig wlan0 create wlandev iwn0
ifconfig wlan0 ssid test channel 5:ht40+ 192.168.50.2 up
ping -i 0.001 -z 0xff 192.168.50.1
>Fix:
Don't use -z 0xff ;)

Patch attached with submission follows:

amy:base/head% cat sys/i386/conf/ALIX
cpu             I586_CPU
cpu             I686_CPU
ident           ALIX

makeoptions     DEBUG=-g
makeoptions     WITH_CTF=1
makeoptions     MODULES_OVERRIDE="ath ath_pci iwi iwifw ipw ipwfw ral ralfw wlan wlan_amrr wlan_ccmp wlan_tkip wlan_wep wlan_xauth"

options         CPU_GEODE
options         SCHED_ULE               # ULE scheduler
options         PREEMPTION              # Enable kernel thread preemption
options         INET                    # InterNETworking
options         INET6                   # IPv6 communications protocols
options         FFS                     # Berkeley Fast Filesystem
options         SOFTUPDATES             # Enable FFS soft updates support
options         UFS_ACL                 # Support for access control lists
options         UFS_DIRHASH             # Improve performance on big directories
options         UFS_GJOURNAL            # Enable gjournal-based UFS journaling
options         NFSCL                   # New Network Filesystem Client
options         NFSD                    # New Network Filesystem Server
options         NFSLOCKD                # Network Lock Manager
options         NFS_ROOT                # NFS usable as /, requires NFSCL
options         PROCFS                  # Process filesystem (requires PSEUDOFS)
options         PSEUDOFS                # Pseudo-filesystem framework
options         GEOM_PART_GPT           # GUID Partition Tables.
options         GEOM_LABEL              # Provides labelization
options         KTRACE                  # ktrace(1) support
options         STACK                   # stack(9) support
options         SYSVSHM                 # SYSV-style shared memory
options         SYSVMSG                 # SYSV-style message queues
options         SYSVSEM                 # SYSV-style semaphores
options         _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options         PRINTF_BUFR_SIZE=128    # Prevent printf output being interspersed.
options         HWPMC_HOOKS             # Necessary kernel hooks for hwpmc(4)
options         KDTRACE_HOOKS           # Kernel DTrace hooks
options         INCLUDE_CONFIG_FILE     # Include this file in kernel

# Debugging support.  Always need this:
options         KDB                     # Enable kernel debugger support.
# For minimum debugger support (stable branch) use:
#options        KDB_TRACE               # Print a stack trace for a panic.
# For full debugger support use this instead:
options         DDB                     # Support DDB.
options         GDB                     # Support remote GDB.
options         DDB_CTF                 # kernel ELF linker loads CTF data
options         DEADLKRES               # Enable the deadlock resolver
options         INVARIANTS              # Enable calls of extra sanity checking
options         INVARIANT_SUPPORT       # Extra sanity checks of internal structures, required by INVARIANTS
options         WITNESS                 # Enable checks to detect deadlocks and cycles
options         WITNESS_SKIPSPIN        # Don't run witness on spinlocks for speed
options         MALLOC_DEBUG_MAXZONES=8 # Separate malloc(9) zones
options         ALQ

device          apic                    # I/O APIC

# Bus support.
device          pci

# ATA controllers
device          ata                     # Legacy ATA/SATA controllers
options         ATA_STATIC_ID           # Static device numbering

# Power management support (see NOTES for more options)
#device         apm
# Add suspend/resume support for the i8254.
device          pmtimer

# Serial (COM) ports
device          uart                    # Generic UART driver

# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device          miibus                  # MII bus support
device          vr                      # VIA Rhine, Rhine II

# Wireless NIC cards
options         IEEE80211_DEBUG         # enable debug msgs
options         IEEE80211_AMPDU_AGE     # age frames in AMPDU reorder q's
options         IEEE80211_SUPPORT_MESH  # enable 802.11s draft support
options         IEEE80211_ALQ
options         AH_SUPPORT_AR5416       # enable AR5416 tx/rx descriptors
options         ATH_DEBUG
options         AH_DEBUG_ALQ
options         ATH_DIAGAPI
options         ATH_ENABLE_11N

# Pseudo devices.
device          loop                    # Network loopback
device          random                  # Entropy device
device          ether                   # Ethernet support
device          vlan                    # 802.1Q VLAN support
device          tun                     # Packet tunnel.
device          md                      # Memory "disks"
device          gif                     # IPv6 and IPv4 tunneling
device          faith                   # IPv6-to-IPv4 relaying (translation)
device          firmware                # firmware assist module

# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
# Note that 'bpf' is required for DHCP.
device          bpf                     # Berkeley packet filter

amy:base/head% cat /share/nfs/i386/alix/var/run/dmesg.boot
Copyright (c) 1992-2012 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 10.0-CURRENT #5 r235030M: Fri May 4 21:03:38 CEST 2012
    bschmidt@amy.lab.techwires.net:/usr/obj/i386.i386/home/bschmidt/src/svn/freebsd/base/head/sys/ALIX i386
WARNING: WITNESS option enabled, expect reduced performance.
CPU: Geode(TM) Integrated Processor by AMD PCS (431.65-MHz 586-class CPU)
  Origin = "AuthenticAMD"  Id = 0x5a2  Family = 5  Model = a  Stepping = 2
  Features=0x88a93d
  AMD Features=0xc0400000
real memory  = 134217728 (128 MB)
avail memory = 121577472 (115 MB)
pnpbios: Bad PnP BIOS data checksum
K6-family MTRR support enabled (2 registers)
pcib0 pcibus 0 on motherboard
pci0: on pcib0
Geode LX: PC Engines ALIX.3 v0.99 tinyBIOS V1.4a (C)1997-2007
pci0: at device 1.2 (no driver attached)
vr0: port 0x1000-0x10ff mem 0xe0000000-0xe00000ff irq 10 at device 9.0 on pci0
vr0: Quirks: 0x2
vr0: Revision: 0x96
miibus0: on vr0
ukphy0: PHY 1 on miibus0
ukphy0:  none, 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto, auto-flow
vr0: Ethernet address: 00:0d:b9:12:ae:4c
pci0: at device 12.0 (no driver attached)
isab0: port 0x6000-0x6007,0x6100-0x61ff,0x6200-0x623f,0x9d00-0x9d7f,0x9c00-0x9c3f at device 15.0 on pci0
isa0: on isab0
atapci0: port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xff00-0xff0f at device 15.2 on pci0
ata0: at channel 0 on atapci0
ata1: at channel 1 on atapci0
pci0: at device 15.4 (no driver attached)
pci0: at device 15.5 (no driver attached)
cpu0 on motherboard
pmtimer0 on isa0
orm0: at iomem 0xe0000-0xea7ff pnpid ORM0000 on isa0
atrtc0: at port 0x70 irq 8 on isa0
Event timer "RTC" frequency 32768 Hz quality 0
attimer0: at port 0x40 on isa0
Timecounter "i8254" frequency 1193182 Hz quality 0
Event timer "i8254" frequency 1193182 Hz quality 100
uart0: <16550 or compatible> at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
uart0: console (115200,n,8,1)
Timecounters tick every 1.000 msec
Timecounter "TSC" frequency 431653995 Hz quality 800
WARNING: WITNESS option enabled, expect reduced performance.
Trying to mount root from nfs: []...
NFS ROOT: 10.1.1.7:/share/nfs/i386/alix
ath0: mem 0xe0040000-0xe004ffff irq 9 at device 12.0 on pci0
ath0: [HT] enabling HT modes
ath0: [HT] 2 RX streams; 2 TX streams
ath0: AR9160 mac 64.0 RF5133 phy 11.0
ath0: 2GHz radio: 0x0000; 5GHz radio: 0x00c0
wlan0: Ethernet address: 00:15:6d:84:14:78
net.wlan.0.debug: 0x0 => 0x80000000<11n>
>Release-Note:
>Audit-Trail:
>Unformatted:
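An added stand-alone C model of the lookup the report pins down (not the ath(4) driver's code; the struct layout, the map size and the helper names are assumptions): indexing a per-access-category queue map with a TID yields NULL for tid 6, translating the TID through the 802.11 user-priority-to-AC table first selects the VO queue the "tid 6 (WME_AC_VO)" log line names, and a NULL check before locking turns the page fault into a refused request.

```c
/* Stand-alone model of the lookup behind this panic (not ath(4)'s own code;
 * struct layout, map size and helper names are assumptions). The crashing
 * line, ATH_TXQ_LOCK(sc->sc_ac2q[atid->tid]), indexes a per-AC map by TID. */
#include <stddef.h>
enum { WME_AC_BE = 0, WME_AC_BK, WME_AC_VI, WME_AC_VO, WME_NUM_AC };
#define WME_NUM_TID 16
/* 802.11 user-priority (TID) -> access-category table: tid 6 -> WME_AC_VO,
 * which is what the "enable AMPDU on tid 6 (WME_AC_VO)" log line reports. */
#define TID_TO_WME_AC(t)                                         \
    (((t) == 0 || (t) == 3) ? WME_AC_BE : (t) < 3 ? WME_AC_BK :  \
     (t) < 6 ? WME_AC_VI : WME_AC_VO)
struct ath_txq { int axq_qnum; };
struct ath_softc {                       /* assumed softc model */
    struct ath_txq  sc_txq[WME_NUM_AC];  /* one h/w queue per AC */
    struct ath_txq *sc_ac2q[WME_NUM_AC]; /* AC -> queue map, AC-sized */
};

struct ath_softc *model_softc(void) {
    static struct ath_softc sc;          /* static storage: zero/NULL filled */
    for (int ac = 0; ac < WME_NUM_AC; ac++) {
        sc.sc_txq[ac].axq_qnum = ac;
        sc.sc_ac2q[ac] = &sc.sc_txq[ac];
    }
    return &sc;
}
/* The lookup as the crashing line performs it: AC map indexed by TID. Bounds
 * checked here so the model returns NULL instead of reading past the array
 * (tid 3 silently picks the VO queue, tid 4..15 pick nothing at all). */
struct ath_txq *txq_by_tid_direct(struct ath_softc *sc, int tid) {
    if (tid < 0 || tid >= WME_NUM_AC)
        return NULL;
    return sc->sc_ac2q[tid];
}

/* The same lookup with the TID translated to its AC first. */
struct ath_txq *txq_by_tid(struct ath_softc *sc, int tid) {
    if (tid < 0 || tid >= WME_NUM_TID)
        return NULL;
    return sc->sc_ac2q[TID_TO_WME_AC(tid)];
}

/* Defensive caller: resolve and verify the queue before taking its lock.
 * Returns 0 when a queue is mapped, -1 otherwise, never dereferencing NULL. */
int addba_request_checked(struct ath_softc *sc, int tid) {
    struct ath_txq *txq = txq_by_tid(sc, tid);
    if (txq == NULL)
        return -1;
    /* ATH_TXQ_LOCK(txq); ath_tx_tid_pause(...); ATH_TXQ_UNLOCK(txq); */
    return 0;
}
```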