From owner-freebsd-bugs@FreeBSD.ORG  Fri May 10 02:10:00 2013
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@smarthost.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115])
 by hub.freebsd.org (Postfix) with ESMTP id A5549FF6
 for <freebsd-bugs@smarthost.ysv.freebsd.org>;
 Fri, 10 May 2013 02:10:00 +0000 (UTC)
 (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
 [IPv6:2001:1900:2254:206c::16:87])
 by mx1.freebsd.org (Postfix) with ESMTP id 898CBE4
 for <freebsd-bugs@smarthost.ysv.freebsd.org>;
 Fri, 10 May 2013 02:10:00 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1])
 by freefall.freebsd.org (8.14.7/8.14.7) with ESMTP id r4A2A0U2097811
 for <freebsd-bugs@freefall.freebsd.org>; Fri, 10 May 2013 02:10:00 GMT
 (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
 by freefall.freebsd.org (8.14.7/8.14.7/Submit) id r4A2A0lx097809;
 Fri, 10 May 2013 02:10:00 GMT (envelope-from gnats)
Resent-Date: Fri, 10 May 2013 02:10:00 GMT
Resent-Message-Id: <201305100210.r4A2A0lx097809@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
 Glen Barber <gjb@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by hub.freebsd.org (Postfix) with ESMTP id 58A33E8B
 for <freebsd-gnats-submit@FreeBSD.org>; Fri, 10 May 2013 02:04:28 +0000 (UTC)
 (envelope-from nobody@FreeBSD.org)
Received: from oldred.FreeBSD.org (oldred.freebsd.org [8.8.178.121])
 by mx1.freebsd.org (Postfix) with ESMTP id 4A1C7A7
 for <freebsd-gnats-submit@FreeBSD.org>; Fri, 10 May 2013 02:04:28 +0000 (UTC)
Received: from oldred.FreeBSD.org ([127.0.1.6])
 by oldred.FreeBSD.org (8.14.5/8.14.5) with ESMTP id r4A24R5A065664
 for <freebsd-gnats-submit@FreeBSD.org>; Fri, 10 May 2013 02:04:27 GMT
 (envelope-from nobody@oldred.FreeBSD.org)
Received: (from nobody@localhost)
 by oldred.FreeBSD.org (8.14.5/8.14.5/Submit) id r4A24RfN065663;
 Fri, 10 May 2013 02:04:27 GMT (envelope-from nobody)
Message-Id: <201305100204.r4A24RfN065663@oldred.FreeBSD.org>
Date: Fri, 10 May 2013 02:04:27 GMT
From: Glen Barber <gjb@FreeBSD.org>
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Subject: kern/178470: [panic][ath] bss vap can and does change
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-bugs>,
 <mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
 <mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 10 May 2013 02:10:00 -0000


>Number:         178470
>Category:       kern
>Synopsis:       [panic][ath] bss vap can and does change
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri May 10 02:10:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Glen Barber
>Release:        10.0-CURRENT r250344
>Organization:
>Environment:
FreeBSD orion 10.0-CURRENT FreeBSD 10.0-CURRENT #9 r250344: Tue May  7 21:52:45 EDT 2013     root@orion:/usr/obj/usr/src/sys/ORION  amd64

>Description:
Requested output from prior discussion with adrian:

root@orion:/usr/obj/usr/src/sys/ORION # kgdb ./kernel.debug /var/crash/vmcore.7
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...

Unread portion of the kernel message buffer:
wlan0: ieee80211_new_state_locked: pending RUN -> SCAN transition lost


Fatal trap 12: page fault while in kernel mode
cpuid = 3; apic id = 03
fault virtual address   = 0xffff
fault code              = supervisor read data, page not present
instruction pointer     = 0x20:0xffffffff8072fb3f
stack pointer           = 0x28:0xffffff81a944d970
frame pointer           = 0x28:0xffffff81a944d9a0
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 12 (irq22: ath0)
trap number             = 12
panic: page fault
cpuid = 3
KDB: stack backtrace:
#0 0xffffffff80676366 at kdb_backtrace+0x66
#1 0xffffffff8063a78b at panic+0x13b
#2 0xffffffff80918300 at trap_fatal+0x290
#3 0xffffffff80918671 at trap_pfault+0x221
#4 0xffffffff80918c24 at trap+0x344
#5 0xffffffff809023b3 at calltrap+0x8
#6 0xffffffff8074c14b at ieee80211_beacon_update+0x21b
#7 0xffffffff8037bcc2 at ath_beacon_generate+0x52
#8 0xffffffff8037c15f at ath_beacon_proc+0x23f
#9 0xffffffff80376a7f at ath_intr+0x44f
#10 0xffffffff8060b99d at intr_event_execute_handlers+0xfd
#11 0xffffffff8060d14b at ithread_loop+0x9b
#12 0xffffffff8060854f at fork_exit+0x11f
#13 0xffffffff809028de at fork_trampoline+0xe
Uptime: 1d23h22m39s
(ada0:ahcich0:0:0:0): FLUSHCACHE48. ACB: ea 00 00 00 00 40 00 00 00 00 00 00
(ada0:ahcich0:0:0:0): CAM status: CCB request is in progress
(ada0:ahcich0:0:0:0): Error 5, Retries exhausted
(ada0:ahcich0:0:0:0): Synchronize cache failed
(ada1:ahcich1:0:0:0): FLUSHCACHE48. ACB: ea 00 00 00 00 40 00 00 00 00 00 00
(ada1:ahcich1:0:0:0): CAM status: CCB request is in progress
(ada1:ahcich1:0:0:0): Error 5, Retries exhausted
(ada1:ahcich1:0:0:0): Synchronize cache failed
(ada2:ahcich4:0:0:0): FLUSHCACHE48. ACB: ea 00 00 00 00 40 00 00 00 00 00 00
(ada2:ahcich4:0:0:0): CAM status: CCB request is in progress
(ada2:ahcich4:0:0:0): Error 5, Retries exhausted
(ada2:ahcich4:0:0:0): Synchronize cache failed
(ada3:ahcich5:0:0:0): FLUSHCACHE48. ACB: ea 00 00 00 00 40 00 00 00 00 00 00
(ada3:ahcich5:0:0:0): CAM status: CCB request is in progress
(ada3:ahcich5:0:0:0): Error 5, Retries exhausted
(ada3:ahcich5:0:0:0): Synchronize cache failed
Dumping 764 out of 6048 MB:..3%..11%..21%..32%..42%..51%..61%..72%..82%..93%

Reading symbols from /boot/kernel/zfs.ko.symbols...done.
Loaded symbols for /boot/kernel/zfs.ko.symbols
Reading symbols from /boot/kernel/opensolaris.ko.symbols...done.
Loaded symbols for /boot/kernel/opensolaris.ko.symbols
#0  doadump (textdump=<value optimized out>) at pcpu.h:231
231             __asm("movq %%gs:%1,%0" : "=r" (td)
(kgdb) list *0xffffffff8072fb3f
0xffffffff8072fb3f is in ieee80211_ht_update_beacon (/usr/src/sys/net80211/ieee80211_ht.c:2787).
2782            ht->hi_ctrlchannel = ieee80211_chan2ieee(ic, bsschan);
2783            if (vap->iv_flags_ht & IEEE80211_FHT_RIFS)
2784                    ht->hi_byte1 = IEEE80211_HTINFO_RIFSMODE_PERM;
2785            else
2786                    ht->hi_byte1 = IEEE80211_HTINFO_RIFSMODE_PROH;
2787            if (IEEE80211_IS_CHAN_HT40U(bsschan))
2788                    ht->hi_byte1 |= IEEE80211_HTINFO_2NDCHAN_ABOVE;
2789            else if (IEEE80211_IS_CHAN_HT40D(bsschan))
2790                    ht->hi_byte1 |= IEEE80211_HTINFO_2NDCHAN_BELOW;
2791            else
(kgdb) quit

>How-To-Repeat:

>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted: