Date: Mon, 11 Sep 2023 08:44:40 -0600
From: Warner Losh <imp@bsdimp.com>
To: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Cc: FreeBSD Current <current@freebsd.org>
Subject: Re: kernel trap 12 .. cam_periph_release_locked_buses() panics under panic?
Message-ID: <CANCZdfoj9rDe4M64Kr=YQ4svGiJWpMFq0Z%2B_UZpc7RxSiLOrDw@mail.gmail.com>
In-Reply-To: <qp16r692-0957-06rn-pq29-5r48n466793r@yvfgf.mnoonqbm.arg>
References: <514n7872-pp9r-np6p-q6q3-044q4q90709o@yvfgf.mnoonqbm.arg> <CANCZdfq%2BeRG47ymirdca=nTJvg-xPfPTR_LWTuWxFQeWTiEp4Q@mail.gmail.com> <qp16r692-0957-06rn-pq29-5r48n466793r@yvfgf.mnoonqbm.arg>
On Mon, Sep 11, 2023 at 8:26 AM Bjoern A. Zeeb <bzeeb-lists@lists.zabbadoz.net> wrote:

> On Mon, 11 Sep 2023, Warner Losh wrote:
>
> > That's a crazy traceback. We get a fatal trap and then call into the wifi
> > stack? That makes no sense in the absence of some crazy data corruption or
> > a weird traceback issue.
>
> No, we panic in wifi and then iterated again and again.
> The first one is the lkpi_sta_auth_to_scan() panic.

Ah. OK. I don't think there's anything in cam_periph_release_locked_buses
that could cause this... but if you get a dump I can help look at it.

Warner

> > On Mon, Sep 11, 2023, 7:47 AM Bjoern A. Zeeb <bzeeb-lists@lists.zabbadoz.net>
> > wrote:
> >
> >> Hi,
> >>
> >> had a kernel hitting an all-too-known wifi issue and panic (I was actually
> >> happy I could reproduce) and then the screen kept scrolling for a while
> >> panicking all over again and ddb was unusable (not so happy).
> >>
> >> I assume the problem is cam_periph_release_locked_buses()?
> >>
> >
> > Unlikely given the rest of the traceback....
> >
> > Can you get a core so we can look at it more deeply?
>
> No, after <n> iterations. ddb gave up and stopped and power cycle was
> the only thing I could still do.
>
> >> /bz
> >>
> >> ...
> >> --- trap 0x80bc1f07, rip = 0xffffffff80381e83, rsp = 0x3d7bb6db69f8, rbp = 0xfffffe00907fa4a0 ---
> >> cam_periph_release_locked_buses() at cam_periph_release_locked_buses+0x43/frame 0xfffffe00907fa4a0
> >> kernel trap 12 with interrupts disabled
> >>
> >>
> >> Fatal trap 12: page fault while in kernel mode
> >> cpuid = 2; apic id = 02
> >> fault virtual address   = 0xfffffe00907fa4a8
> >> fault code              = supervisor read data, page not present
> >> instruction pointer     = 0x20:0xffffffff8101f660
> >> stack pointer           = 0x0:0xfffffe00907f8f90
> >> frame pointer           = 0x0:0xfffffe00907f9020
> >> code segment            = base 0x0, limit 0xfffff, type 0x1b
> >>                         = DPL 0, pres 1, long 1, def32 0, gran 1
> >> processor eflags        = resume, IOPL = 0
> >> current process         = 0 (iwlwifi0 net80211 t)
> >> rdi: fffffe00907f8f90 rsi: 0000000000000008 rdx: fffffe00907fa4a8
> >> rcx: fffffe00907f9030  r8: 0000000000000000  r9: 0000000000000000
> >> rax: 0000000000000000 rbx: fffffe00907f90f0 rbp: fffffe00907f9020
> >> r10: 0000000000000000 r11: 0000000000000000 r12: fffffe00907fa4a8
> >> r13: 0000000000000008 r14: 0000000000000000 r15: fffffe00907f9030
> >> trap number             = 12
> >> panic: page fault
> >> cpuid = 2
> >> time = 1694439681
> >> KDB: stack backtrace:
> >> db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00907f8c60
> >> vpanic() at vpanic+0x132/frame 0xfffffe00907f8d90
> >> panic() at panic+0x43/frame 0xfffffe00907f8df0
> >> trap_fatal() at trap_fatal+0x40c/frame 0xfffffe00907f8e50
> >> trap_pfault() at trap_pfault+0xae/frame 0xfffffe00907f8ec0
> >> calltrap() at calltrap+0x8/frame 0xfffffe00907f8ec0
> >> --- trap 0xc, rip = 0xffffffff8101f660, rsp = 0xfffffe00907f8f90, rbp = 0xfffffe00907f9020 ---
> >> db_read_bytes() at db_read_bytes+0xa0/frame 0xfffffe00907f9020
> >> db_get_value() at db_get_value+0x31/frame 0xfffffe00907f9060
> >> db_backtrace() at db_backtrace+0x1d9/frame 0xfffffe00907f90e0
> >> db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00907f9160
> >> vpanic() at vpanic+0x132/frame 0xfffffe00907f9290
> >> panic() at panic+0x43/frame 0xfffffe00907f92f0
> >> trap_fatal() at trap_fatal+0x40c/frame 0xfffffe00907f9350
> >> trap_pfault() at trap_pfault+0xae/frame 0xfffffe00907f93c0
> >> calltrap() at calltrap+0x8/frame 0xfffffe00907f93c0
> >> --- trap 0xc, rip = 0xffffffff8101f660, rsp = 0xfffffe00907f9490, rbp = 0xfffffe00907f9520 ---
> >> db_read_bytes() at db_read_bytes+0xa0/frame 0xfffffe00907f9520
> >> db_get_value() at db_get_value+0x31/frame 0xfffffe00907f9560
> >> db_backtrace() at db_backtrace+0x1d9/frame 0xfffffe00907f95e0
> >> db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00907f9660
> >> vpanic() at vpanic+0x132/frame 0xfffffe00907f9790
> >> panic() at panic+0x43/frame 0xfffffe00907f97f0
> >> trap_fatal() at trap_fatal+0x40c/frame 0xfffffe00907f9850
> >> trap_pfault() at trap_pfault+0xae/frame 0xfffffe00907f98c0
> >> calltrap() at calltrap+0x8/frame 0xfffffe00907f98c0
> >> --- trap 0xc, rip = 0xffffffff8101f660, rsp = 0xfffffe00907f9990, rbp = 0xfffffe00907f9a20 ---
> >> db_read_bytes() at db_read_bytes+0xa0/frame 0xfffffe00907f9a20
> >> db_get_value() at db_get_value+0x31/frame 0xfffffe00907f9a60
> >> db_backtrace() at db_backtrace+0x1d9/frame 0xfffffe00907f9ae0
> >> db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00907f9b60
> >> vpanic() at vpanic+0x132/frame 0xfffffe00907f9c90
> >> panic() at panic+0x43/frame 0xfffffe00907f9cf0
> >> lkpi_sta_auth_to_scan() at lkpi_sta_auth_to_scan+0x388/frame 0xfffffe00907f9d70
> >> lkpi_iv_newstate() at lkpi_iv_newstate+0x2eb/frame 0xfffffe00907f9df0
> >> ieee80211_newstate_cb() at ieee80211_newstate_cb+0x1e7/frame 0xfffffe00907f9e40
> >> taskqueue_run_locked() at taskqueue_run_locked+0xab/frame 0xfffffe00907f9ec0
> >> taskqueue_thread_loop() at taskqueue_thread_loop+0xd3/frame 0xfffffe00907f9ef0
> >> fork_exit() at fork_exit+0x82/frame 0xfffffe00907f9f30
> >> fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe00907f9f30
> >> --- trap 0x80bc1f07, rip = 0xffffffff80381e83, rsp = 0x3d7bb6db69f8, rbp = 0xfffffe00907fa4a0 ---
> >> cam_periph_release_locked_buses() at cam_periph_release_locked_buses+0x43/frame 0xfffffe00907fa4a0
> >> kernel trap 12 with interrupts disabled
> >> ...
> >>
> >> --
> >> Bjoern A. Zeeb                                                     r15:7
> >>
> >
>
> --
> Bjoern A. Zeeb                                                     r15:7
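Added example, not part of the original message or of FreeBSD: a small Python triage helper for a nested trace like the one quoted in this thread. It lists the function behind each panic() call, oldest first, and reports which printed frame has its return-address slot at the fault address; the function names are this example's own, and the sample is abridged from the quoted trace.

```python
import re

# Constructed sample: abridged from the tail of the trace quoted above (newest frame first).
TRACE = """\
fault virtual address = 0xfffffe00907fa4a8
panic() at panic+0x43/frame 0xfffffe00907f97f0
trap_fatal() at trap_fatal+0x40c/frame 0xfffffe00907f9850
calltrap() at calltrap+0x8/frame 0xfffffe00907f98c0
--- trap 0xc, rip = 0xffffffff8101f660, rsp = 0xfffffe00907f9990, rbp = 0xfffffe00907f9a20 ---
db_read_bytes() at db_read_bytes+0xa0/frame 0xfffffe00907f9a20
db_backtrace() at db_backtrace+0x1d9/frame 0xfffffe00907f9ae0
panic() at panic+0x43/frame 0xfffffe00907f9cf0
lkpi_sta_auth_to_scan() at lkpi_sta_auth_to_scan+0x388/frame 0xfffffe00907f9d70
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe00907f9f30
--- trap 0x80bc1f07, rip = 0xffffffff80381e83, rsp = 0x3d7bb6db69f8, rbp = 0xfffffe00907fa4a0 ---
cam_periph_release_locked_buses() at cam_periph_release_locked_buses+0x43/frame 0xfffffe00907fa4a0
"""
PATTERNS = {
    "frame": re.compile(r"(\w+)\(\) at \w+\+0x[0-9a-f]+/frame (0x[0-9a-f]+)$"),
    "trap": re.compile(r"--- trap (0x[0-9a-f]+), rip = 0x[0-9a-f]+, rsp = (0x[0-9a-f]+)"),
    "fault": re.compile(r"fault virtual address\s*= (0x[0-9a-f]+)"),
}

def parse(trace):
    """Turn trace lines into (kind, *fields) tuples, keeping the printed order."""
    hits = ((k, rx.match(l.strip())) for l in trace.splitlines() for k, rx in PATTERNS.items())
    return [(k, *m.groups()) for k, m in hits if m]

def panic_origins(events):
    """Function behind each panic() call, oldest panic first."""
    ev = [e for e in events if e[0] != "fault"]
    origins = []
    for i, e in enumerate(ev):
        if e[:2] != ("frame", "panic"):
            continue
        rest = ev[i + 1:]
        if rest and rest[0][1] == "trap_fatal":
            # Fault-driven panic: the faulting function follows the trap marker.
            t = next((j for j, x in enumerate(rest) if x[0] == "trap"), len(rest))
            rest = rest[t + 1:]
        if rest and rest[0][0] == "frame":
            origins.append(rest[0][1])
    return origins[::-1]

def frame_at_fault(events):
    """Frame whose saved-return-address slot (frame pointer + 8 on amd64) is the fault address."""
    fault = next((int(e[1], 16) for e in events if e[0] == "fault"), None)
    return next((e[1] for e in events if e[0] == "frame" and int(e[2], 16) + 8 == fault), None)
```

On the sample, `panic_origins(parse(TRACE))` returns `lkpi_sta_auth_to_scan` followed by `db_read_bytes`, and `frame_at_fault(parse(TRACE))` returns `cam_periph_release_locked_buses`.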