Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 28 Dec 2005 17:19:51 -0800
From:      Sam Leffler <sam@errno.com>
To:        Andrea Campi <andrea+freebsd_current@webcom.it>
Cc:        current@freebsd.org
Subject:   Re: Panic and LOR on -CURRENT with ath
Message-ID:  <43B339B7.6070809@errno.com>
In-Reply-To: <20051228102512.GV1779@webcom.it>
References:  <20051221191919.GB17950@webcom.it> <43A9B5EA.8030905@errno.com> <20051221215457.GE17950@webcom.it> <43AA4415.8070300@errno.com> <20051228102512.GV1779@webcom.it>

next in thread | previous in thread | raw e-mail | index | archive | help
Andrea Campi wrote:
> On Wed, Dec 21, 2005 at 10:13:41PM -0800, Sam Leffler wrote:
> 
>>The info you want is gone by the time the crash happens.  Last time I 
>>chased a similar problem I did some private hacks to write-protect mbufs 
>>to catch unexpected modification.  You might try removing ipfw or using 
>>an alternate packet filter if that's feasible.  I wouldn't be surprised 
>>if this is related to ipfw and/or divert sockets.
> 
> 
> OK, I'm running with pf right now, and that particular panic went away.
> 
> However, I had a few others... the first one is admittedly old, and it
> might have disappeared with the last cvsup (dec 27):
> 
> Fatal trap 12: page fault while in kernel mode
> fault virtual address   = 0xdeadc0de
> fault code              = supervisor read, page not present
> instruction pointer     = 0x20:0xc05288e6
> stack pointer           = 0x28:0xc5b70910
> frame pointer           = 0x28:0xc5b7091c
> code segment            = base 0x0, limit 0xfffff, type 0x1b
>                         = DPL 0, pres 1, def32 1, gran 1
> processor eflags        = interrupt enabled, resume, IOPL = 0
> current process         = 270 (natd)
> [thread pid 270 tid 100043 ]
> Stopped at      ieee80211_find_txnode+0x36:     testb   $0x1,0(%eax)
> db> bt
> Tracing pid 270 tid 100043 td 0xc0d5e300
> ieee80211_find_txnode(c0d681ac,deadc0de,c0d690f8,c0d681ac,c0d71ef4) at ieee80211
> _find_txnode+0x36
> ath_start(c0d65000,25000,be,0,c1040842) at ath_start+0xe52
> ether_output_frame(c0d65000,c1040800,c1040848,0,0) at ether_output_frame+0x226
> ether_output(c0d65000,c1040800,c5b70a80,c0fdda50) at ether_output+0x2d3
> ip_output(c1040800,0,c5b70a7c,1,0,0) at ip_output+0xa7e
> ip_forward(c06376e0,0,c05ef2e7,6d9,c06376e0) at ip_forward+0x120
> ip_input(c1040800) at ip_input+0x8d5
> div_send(c0fda000,0,c1040800,c0d91850,0) at div_send+0x18b
> sosend(c0fda000,c0d91850,c5b70c40,c1040800,0,0,c0d5e300) at sosend+0x5c5
> kern_sendit(c0d5e300,3,c5b70cbc,0,0) at kern_sendit+0xbe
> sendit(c5b70cbc,0,bfbdeca0,0,c0d91850) at sendit+0x41
> sendto(c0d5e300,c5b70d04,6,f65,296) at sendto+0x47
> syscall(3b,3b,bfbf003b,1,b0) at syscall+0x110
> Xint0x80_syscall() at Xint0x80_syscall+0x1f

Another mbuf free'd out form under you (0xdeadc0de param to find_txnode 
is the mac address in the 802.11 header take from the mbuf contents).

> 
> 
> This one happened as I restarted dhclient:
> 
> 
> panic: bus_dmamap_load_mbuf_sg: no mbuf packet header!
> KDB: stack backtrace:
> panic(c06050ba,c060205c,c0554ad9,c1225846,c5708bfa) at panic+0xef
> bus_dmamap_load_mbuf_sg(c0d21d80,0,c1225800,c0d733f0,c0d733d0,1) at bus_dmamap_l
> oad_mbuf_sg+0x4ec
> ath_start(c0d65000,6c,c0ce771c,0,c0614d47) at ath_start+0x26f
> taskqueue_run(c0ce7700,0,c0d0e624,0,c04b84c0) at taskqueue_run+0x81
> ithread_loop(c0ce7680,c5708d38,c0ce7680,c04b84c0,0) at ithread_loop+0x175
> fork_exit(c04b84c0,c0ce7680,c5708d38) at fork_exit+0x83
> fork_trampoline() at fork_trampoline+0x8
> --- trap 0x1, eip = 0, esp = 0xc5708d6c, ebp = 0 ---
> KDB: enter: panic
> [thread pid 31 tid 100017 ]

Probably the same thing; every mbuf chain has a packet header because 
the 802.11 encapsulation guarantees it.

> 
> 
> This is 100% reproducible: switching from 11b to 11g (with a few associated
> nodes, most of which 11b only) results in this panic:
> 
> 
> gw0# ifconfig ath0 mode 11g
> panic: bogus long slot station count 0

This is a bug; I'll merge the correct code from my p4 tree.  Until then 
mark the ap down before changing the mode and bringing it back up.

> KDB: stack backtrace:
> panic(c061e2a3,0,c0d699a8,c0f1d000,b59) at panic+0xef
> ieee80211_node_join(c0d691ac,c0f1d000,c0d699ac,0,c061dd08) at ieee80211_node_joi
> n
> ieee80211_iterate_nodes(c0d699a8,c0557ce0,c0d691ac) at ieee80211_iterate_nodes+0
> xbc
> ieee80211_newstate(c0d691ac,0,ffffffff) at ieee80211_newstate+0x4e6
> ath_newstate(c0d691ac,0,ffffffff,c0d6b000,c0d69000) at ath_newstate+0x2e4
> ath_stop_locked(c0d69d3c,8,c06089ec,356,c0d69d3c) at ath_stop_locked+0xab
> ath_init(c0d69000,20280,c5e20a60,c0539d66,c0d65000) at ath_init+0x4e
> ath_media_change(c0d65000,c066a358,c5e20a64,c0cefd80,c0d65000) at ath_media_chan
> ge+0x3e
> ifmedia_ioctl(c0d65000,c0d92ca0,c0d69aac,c0206937,0) at ifmedia_ioctl+0x1f6
> ieee80211_ioctl(c0d691ac,c0206937,c0d92ca0) at ieee80211_ioctl+0x16a
> ath_ioctl(c0d65000,c0206937,c0d92ca0) at ath_ioctl+0xb2
> ifhwioctl(c0d92ca0,c1110a80,c0d65000,c0fdf6f4,c0206937) at ifhwioctl+0x113
> ifioctl(c0fdf6f4,c0206937,c0d92ca0,c1110a80) at ifioctl+0x5c
> soo_ioctl(c0deca68,c0206937,c0d92ca0,c0ded780,c1110a80) at soo_ioctl+0x29d
> ioctl(c1110a80,c5e20d04,3,c,246) at ioctl+0xfa
> syscall(3b,3b,3b,8057d40,0) at syscall+0x110
> Xint0x80_syscall() at Xint0x80_syscall+0x1f
> --- syscall (54, FreeBSD ELF32, ioctl), eip = 0x2813f71f, esp = 0xbfbfe4cc, ebp = 0xbfbfe4e8 ---
> KDB: enter: panic
> [thread pid 1615 tid 100068 ]
> Stopped at      kdb_enter+0x2c: leal    0(%esi),%esi
> 
> 
> I'll keep testing but things look nicer despite these panics (as they only
> happen during non routine things).

The same problem appears to be around.

	Sam




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?43B339B7.6070809>