Date:      Sat, 26 Jan 2008 10:59:11 +1300
From:      Sam Banks <w0lfie@clear.net.nz>
To:        freebsd-current@freebsd.org
Cc:        Benjamin.Close@clearchain.com
Subject:   if_wpi panic in 7.0-PRERELEASE
Message-ID:  <479a5baf.c8.565e.23810@clear.net.nz>

Hey all,

I have just got myself a new laptop (Dell Vostro 1500) which
has an Intel 3945ABG wifi card in it. I am getting frequent
kernel panics with the if_wpi driver. 

From the attached kgdb output, it appears that a valid mbuf
struct is being passed into tkip_demic but once m_copydata
is called (within tkip_demic), it's being passed a null
pointer. At least, this is what I can see is going on :)

Does anyone have any ideas why this would be happening or
any further insight?

I've attached what info I think will be helpful but if
there's anything else needed, just yell out.

Cheers,

Sam.


FreeBSD wolfie.evil 7.0-PRERELEASE FreeBSD 7.0-PRERELEASE #3: Fri Jan 25 17:35:41 NZDT 2008     root@wolfie.evil:/usr/src/sys/i386/compile/WOLFIE  i386


wpi0@pci0:12:0:0:       class=0x028000 card=0x10208086 chip=0x42228086 rev=0x02 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = '10418086 Intel 3945ABG Wireless LAN controller'
    class      = network


Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0xc
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc0597e0f
stack pointer           = 0x28:0xe59c0b00
frame pointer           = 0x28:0xe59c0b18
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 34 (irq17: wpi0 bfe0+)
panic: from debugger
cpuid = 0
Uptime: 16s
Physical memory: 2034 MB
Dumping 72 MB: 57 41 25 9

#0  doadump () at pcpu.h:195
195     pcpu.h: No such file or directory.
        in pcpu.h
(kgdb) bt
#0  doadump () at pcpu.h:195
#1  0xc054d14a in boot (howto=260) at ../../../kern/kern_shutdown.c:409
#2  0xc054d44f in panic (fmt=Variable "fmt" is not available.
) at ../../../kern/kern_shutdown.c:563
#3  0xc044ad49 in db_panic (addr=Could not find the frame base for "db_panic".
) at ../../../ddb/db_command.c:433
#4  0xc044b44c in db_command_loop () at ../../../ddb/db_command.c:401
#5  0xc044cd28 in db_trap (type=12, code=0) at ../../../ddb/db_main.c:222
#6  0xc0573c18 in kdb_trap (type=12, code=0, tf=dwarf2_read_address: Corrupted DWARF expression.
) at ../../../kern/subr_kdb.c:502
#7  0xc06cd159 in trap_fatal (frame=0xe59c0ac0, eva=12) at ../../../i386/i386/trap.c:890
#8  0xc06cd40e in trap_pfault (frame=0xe59c0ac0, usermode=0, eva=12) at ../../../i386/i386/trap.c:812
#9  0xc06cdddb in trap (frame=0xe59c0ac0) at ../../../i386/i386/trap.c:490
#10 0xc06b502b in calltrap () at ../../../i386/i386/exception.s:139
#11 0xc0597e0f in m_copydata (m=0x0, off=4, len=8, cp=0xe59c0b38 "=a4=f0i=c5") at ../../../kern/uipc_mbuf.c:808
#12 0xc05ee9d2 in tkip_demic (k=0xc569f0a4, m=0xc5293000, force=0)
    at ../../../net80211/ieee80211_crypto_tkip.c:338
#13 0xc05f7a7e in ieee80211_input (ic=0xc527c008, m=0xc5293000, ni=0xc569f000, rssi=54, noise=0, rstamp=0)
    at ieee80211_crypto.h:186
#14 0xc06a9687 in wpi_intr (arg=0xc527c000) at ../../../dev/wpi/if_wpi.c:1699
#15 0xc0530e6c in ithread_loop (arg=0xc525ab90) at ../../../kern/kern_intr.c:1036
#16 0xc052d931 in fork_exit (callout=0xc0530cd0 <ithread_loop>, arg=0xc525ab90, frame=0xe59c0d38)
    at ../../../kern/kern_fork.c:781
#17 0xc06b50a0 in fork_trampoline () at ../../../i386/i386/exception.s:205


Contents of mbuf struct being passed into tkip_demic:

$1 = {m_hdr = {mh_next = 0x0, mh_nextpkt = 0x0, mh_data = 0xe5753820 "\b\002~", mh_len = 68, mh_flags = 1,
    mh_type = 1, pad = "\000"}, M_dat = {MH = {MH_pkthdr = {rcvif = 0xc527a000, header = 0x0, len = 80,
        csum_flags = 0, csum_data = 0, tso_segsz = 0, ether_vtag = 0, tags = {slh_first = 0x0}}, MH_dat = {
        MH_ext = {ext_buf = 0xe5753800 "t", ext_free = 0xc06a5c7d <wpi_free_rbuf>, ext_args = 0xc527d990,
          ext_size = 3072, ref_cnt = 0xc52965a0, ext_type = 100},
        MH_databuf = "\0008u=e5}\\j=c0\220=d9'=c5\000\f\000\000 e)=c5d", '\0' <repeats 182 times>}},
    M_databuf = "\000 '=c5\000\000\000\000P", '\0' <repeats 20 times>, "8u=e5}\\j=c0\220=d9'=c5\000\f\000\000 e)=c5d", '\0' <repeats 182 times>}}
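
The figures in the dump above fit a chain walk that runs off the end of a single mbuf: mh_len is 68, the packet header len is 80 and mh_next is 0x0, so an 8-byte copy at offset 72 leaves off=4 with m=0x0, the arguments shown in frame #11. The C sketch below is an added example, not part of the original message and not FreeBSD's code. The names struct mb, residual_off and copydata_checked are hypothetical, and it assumes the copy starts at the packet header length minus 8.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for struct mbuf: only the fields the walk reads. */
struct mb {
    struct mb *next;            /* mh_next */
    const unsigned char *data;  /* mh_data */
    int len;                    /* mh_len: bytes held by this buffer */
    int pkt_len;                /* m_pkthdr.len: length claimed for the packet */
};

/* Offset left over when the walk runs off the chain, or -1 if off is inside it. */
static int residual_off(const struct mb *m, int off)
{
    for (; m != NULL; m = m->next) {
        if (off < m->len)
            return -1;
        off -= m->len;
    }
    return off;
}

/* Copy len bytes from offset off; 0 on success, -1 if the chain is too short. */
static int copydata_checked(const struct mb *m, int off, int len, unsigned char *dst)
{
    if (off < 0 || len < 0)
        return -1;
    for (; m != NULL && off >= m->len; m = m->next)
        off -= m->len;          /* skip whole buffers before the offset */
    while (len > 0) {
        if (m == NULL)          /* an unchecked walk reads m->len here and faults */
            return -1;
        int n = m->len - off < len ? m->len - off : len;
        memcpy(dst, m->data + off, (size_t)n);
        dst += n; len -= n; off = 0; m = m->next;
    }
    return 0;
}

int main(void)
{
    static unsigned char frame[68];  /* constructed payload; lengths from the dump */
    struct mb m = { NULL, frame, 68, 80 };
    unsigned char mic[8];
    printf("residual=%d rc=%d\n", residual_off(&m, m.pkt_len - 8),
           copydata_checked(&m, m.pkt_len - 8, 8, mic));
    return 0;
}
```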


