From owner-freebsd-current@FreeBSD.ORG Fri Jan 25 22:14:15 2008 Return-Path: Delivered-To: freebsd-current@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3971D16A418 for ; Fri, 25 Jan 2008 22:14:15 +0000 (UTC) (envelope-from w0lfie@clear.net.nz) Received: from smtp5.clear.net.nz (smtp5.clear.net.nz [203.97.33.68]) by mx1.freebsd.org (Postfix) with ESMTP id 0492D13C43E for ; Fri, 25 Jan 2008 22:14:14 +0000 (UTC) (envelope-from w0lfie@clear.net.nz) Received: from clear.net.nz (lb2-srcnat.clear.net.nz [203.97.32.237]) by smtp5.clear.net.nz (CLEAR Net Mail) with SMTP id <0JV700F0LZQND710@smtp5.clear.net.nz> for freebsd-current@freebsd.org; Sat, 26 Jan 2008 10:59:12 +1300 (NZDT) Date: Sat, 26 Jan 2008 10:59:11 +1300 From: Sam Banks Sender: w0lfie@clear.net.nz To: freebsd-current@freebsd.org Message-id: <479a5baf.c8.565e.23810@clear.net.nz> MIME-version: 1.0 X-Mailer: CLEAR Net WebMail; webmail.clear.net.nz; user: w0lfie; ip: 121.73.22.121 Content-type: text/plain; charset=iso-8859-1 Content-transfer-encoding: quoted-printable Priority: normal Cc: Benjamin.Close@clearchain.com Subject: if_wpi panic in 7.0-PRERELEASE X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: w0lfie@clear.net.nz List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Jan 2008 22:14:15 -0000 Hey all, I have just got myself a new laptop (Dell Vostro 1500) which has an Intel 3945ABG wifi card in it. I am getting frequent kernel panics with the if_wpi driver. >From the attached kgdb output, it appears that a valid mbuf struct is being passed into tkip_demic but once m_copydata is called (within tkip_demic), it's being passed a null pointer. At least, this is what I can see is going on :) Does anyone have any ideas why this would be happening or any further insight? I've attached what info I think will be helpful but if there's anything else needed, just yell out. Cheers, Sam. FreeBSD wolfie.evil 7.0-PRERELEASE FreeBSD 7.0-PRERELEASE #3: Fri Jan 25 17:35:41 NZDT 2008 root@wolfie.evil:/usr/src/sys/i386/compile/WOLFIE i386 wpi0@pci0:12:0:0: class=3d0x028000 card=3d0x10208086 chip=3d0x42228086 rev=3d0x02 hdr=3d0x00 vendor =3d 'Intel Corporation' device =3d '10418086 Intel 3945ABG Wireless LAN controller' class =3d network Fatal trap 12: page fault while in kernel mode cpuid =3d 0; apic id =3d 00 fault virtual address =3d 0xc fault code =3d supervisor read, page not present instruction pointer =3d 0x20:0xc0597e0f stack pointer =3d 0x28:0xe59c0b00 frame pointer =3d 0x28:0xe59c0b18 code segment =3d base 0x0, limit 0xfffff, type 0x1b =3d DPL 0, pres 1, def32 1, gran 1 processor eflags =3d interrupt enabled, resume, IOPL =3d 0 current process =3d 34 (irq17: wpi0 bfe0+) panic: from debugger cpuid =3d 0 Uptime: 16s Physical memory: 2034 MB Dumping 72 MB: 57 41 25 9 #0 doadump () at pcpu.h:195 195 pcpu.h: No such file or directory. in pcpu.h (kgdb) bt #0 doadump () at pcpu.h:195 #1 0xc054d14a in boot (howto=3d260) at ./../../kern/kern_shutdown.c:409 #2 0xc054d44f in panic (fmt=3dVariable "fmt" is not available. ) at ../../../kern/kern_shutdown.c:563 #3 0xc044ad49 in db_panic (addr=3dCould not find the frame base for "db_panic". ) at ../../../ddb/db_command.c:433 #4 0xc044b44c in db_command_loop () at ./../../ddb/db_command.c:401 #5 0xc044cd28 in db_trap (type=3d12, code=3d0) at ./../../ddb/db_main.c:222 #6 0xc0573c18 in kdb_trap (type=3d12, code=3d0, tf=3ddwarf2_read_address: Corrupted DWARF expression. ) at ../../../kern/subr_kdb.c:502 #7 0xc06cd159 in trap_fatal (frame=3d0xe59c0ac0, eva=3d12) at ../../../i386/i386/trap.c:890 #8 0xc06cd40e in trap_pfault (frame=3d0xe59c0ac0, usermode=3d0, eva=3d12) at ../../../i386/i386/trap.c:812 #9 0xc06cdddb in trap (frame=3d0xe59c0ac0) at ./../../i386/i386/trap.c:490 #10 0xc06b502b in calltrap () at ./../../i386/i386/exception.s:139 #11 0xc0597e0f in m_copydata (m=3d0x0, off=3d4, len=3d8, cp=3d0xe59c0b38 "=a4=f0i=c5") at ./../../kern/uipc_mbuf.c:808 #12 0xc05ee9d2 in tkip_demic (k=3d0xc569f0a4, m=3d0xc5293000, force=3d0) at ../../../net80211/ieee80211_crypto_tkip.c:338 #13 0xc05f7a7e in ieee80211_input (ic=3d0xc527c008, m=3d0xc5293000, ni=3d0xc569f000, rssi=3d54, noise=3d0, rstamp=3d0) at ieee80211_crypto.h:186 #14 0xc06a9687 in wpi_intr (arg=3d0xc527c000) at ./../../dev/wpi/if_wpi.c:1699 #15 0xc0530e6c in ithread_loop (arg=3d0xc525ab90) at ./../../kern/kern_intr.c:1036 #16 0xc052d931 in fork_exit (callout=3d0xc0530cd0 , arg=3d0xc525ab90, frame=3d0xe59c0d38) at ../../../kern/kern_fork.c:781 #17 0xc06b50a0 in fork_trampoline () at ./../../i386/i386/exception.s:205 Contents of mbuf struct being passed into tkip_demic: $1 =3d {m_hdr =3d {mh_next =3d 0x0, mh_nextpkt =3d 0x0, mh_data =3d 0xe5753820 "\b\002~", mh_len =3d 68, mh_flags =3d 1, mh_type =3d 1, pad =3d "\000"}, M_dat =3d {MH =3d {MH_pkthdr =3d {rcvif =3d 0xc527a000, header =3d 0x0, len =3d 80, csum_flags =3d 0, csum_data =3d 0, tso_segsz =3d 0, ether_vtag =3d 0, tags =3d {slh_first =3d 0x0}}, MH_dat =3d { MH_ext =3d {ext_buf =3d 0xe5753800 "t", ext_free =3d 0xc06a5c7d , ext_args =3d 0xc527d990, ext_size =3d 3072, ref_cnt =3d 0xc52965a0, ext_type =3d 100}, MH_databuf =3d "\0008u=e5}\\j=c0\220=d9'=c5\000\f\000\000 e)=c5d", '\0' }}, M_databuf =3d "\000 '=c5\000\000\000\000P", '\0' , "8u=e5}\\j=c0\220=d9'=c5\000\f\000\000 e)=c5d", '\0' }}