Date: Thu, 24 Jul 2008 02:26:37 GMT
From: E Ruggeri <smallhand@crawblog.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/125914: Ath driver causes kernel panic in 7-STABLE
Message-ID: <200807240226.m6O2Qb13017608@www.freebsd.org>
Resent-Message-ID: <200807240230.m6O2U1wu049345@freefall.freebsd.org>

>Number:         125914
>Category:       kern
>Synopsis:       Ath driver causes kernel panic in 7-STABLE
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jul 24 02:30:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     E Ruggeri
>Release:        7-STABLE
>Organization:
None
>Environment:
FreeBSD bigclaw.crawblog.com 7.0-STABLE FreeBSD 7.0-STABLE #0: Wed Jul 23 08:28:49 EDT 2008 smallhand@bigclaw.crawblog.com:/usr/obj/usr/src/sys/GDEBUG i386
>Description:
Ath driver works under 7.0-RELEASE. However, when running under 7-STABLE (updated 7/22/08), network use causes kernel panic. Connection to the wireless network is achieved (IP address assigned), and generally a few webpages will load. But kernel eventually panics within a minute of network use.

Kernel is the generic 7-STABLE kernel with the 4BSD scheduler swapped for ULE and various debug options enabled (KDB, DDB, INVARIANTS, WITNESS).

I have a core dump. Here is a backtrace from kgdb:

Unread portion of the kernel message buffer:
panic: no buf for txfrag
cpuid = 0
KDB: enter: panic
panic: from debugger
cpuid = 0
Uptime: 8m4s
Physical memory: 2018 MB
Dumping 75 MB: 60 44 28 12

Reading symbols from /boot/kernel/acpi.ko...Reading symbols from /boot/kernel/acpi.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/acpi.ko
#0  doadump () at pcpu.h:195
195             __asm __volatile("movl %%fs:0,%0" : "=r" (td));
(kgdb) bt
#0  doadump () at pcpu.h:195
#1  0xc077d58e in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:418
#2  0xc077d853 in panic (fmt=) at /usr/src/sys/kern/kern_shutdown.c:572
#3  0xc04907b7 in db_panic (addr=) at /usr/src/sys/ddb/db_command.c:446
#4  0xc04911bc in db_command (last_cmdp=0xc0bfb9f4, cmd_table=0x0, dopager=1)
    at /usr/src/sys/ddb/db_command.c:413
#5  0xc04912ca in db_command_loop () at /usr/src/sys/ddb/db_command.c:466
#6  0xc0492abd in db_trap (type=3, code=0) at /usr/src/sys/ddb/db_main.c:228
#7  0xc07a6276 in kdb_trap (type=3, code=0, tf=0xe572a6a4)
    at /usr/src/sys/kern/subr_kdb.c:524
#8  0xc0a7644b in trap (frame=0xe572a6a4) at /usr/src/sys/i386/i386/trap.c:648
#9  0xc0a5bbbb in calltrap () at /usr/src/sys/i386/i386/exception.s:139
#10 0xc07a63fa in kdb_enter_why (why=0xc0b1402b "panic", msg=0xc0b1402b "panic")
    at cpufunc.h:60
#11 0xc077d83c in panic (fmt=0xc0add0a6 "no buf for txfrag")
    at /usr/src/sys/kern/kern_shutdown.c:556
#12 0xc0530143 in ath_start (ifp=0xc526bc00)
    at /usr/src/sys/dev/ath/if_ath.c:1748
#13 0xc080dd19 in if_start (ifp=0xc526bc00) at /usr/src/sys/net/if.c:2704
#14 0xc0813d9b in ether_output_frame (ifp=0xc526bc00, m=0xc5555300)
    at /usr/src/sys/net/if_ethersubr.c:405
#15 0xc08143b1 in ether_output (ifp=0xc526bc00, m=0xc5555300, dst=0xc53d98d0, rt0=0xc59ee000)
    at /usr/src/sys/net/if_ethersubr.c:374
#16 0xc08409eb in ieee80211_output (ifp=0xc526bc00, m=0xc5555300, dst=0xc53d98d0, rt0=0xc59ee000)
    at /usr/src/sys/net80211/ieee80211_output.c:261
#17 0xc0859b04 in ip_output (m=0xc5555300, opt=0x0, ro=0xe572a888, flags=)
    at /usr/src/sys/netinet/ip_output.c:551
#18 0xc08b3a40 in tcp_output (tp=0xc57ca910)
    at /usr/src/sys/netinet/tcp_output.c:1135
#19 0xc08afa1b in tcp_do_segment (m=0xc599f800, th=)
    at /usr/src/sys/netinet/tcp_input.c:1212
#20 0xc08b1e81 in tcp_input (m=0xc599f800, off0=20)
    at /usr/src/sys/netinet/tcp_input.c:845
#21 0xc0857fd0 in ip_input (m=0xc599f800)
    at /usr/src/sys/netinet/ip_input.c:665
#22 0xc081e413 in netisr_dispatch (num=2, m=0xc599f800)
    at /usr/src/sys/net/netisr.c:185
#23 0xc0814601 in ether_demux (ifp=0xc526bc00, m=0xc599f800)
    at /usr/src/sys/net/if_ethersubr.c:834
#24 0xc0814a6f in ether_input (ifp=0xc526bc00, m=0xc599f800)
    at /usr/src/sys/net/if_ethersubr.c:692
#25 0xc0830f52 in ieee80211_deliver_data (ic=0xc528122c, ni=0xc59e5000, m=0xc599f800)
    at /usr/src/sys/net80211/ieee80211_input.c:779
#26 0xc08367e9 in ieee80211_input (ic=0xc528122c, m=0xc599f800, ni=0xc59e5000, rssi=48, noise=-95, rstamp=9816)
    at /usr/src/sys/net80211/ieee80211_input.c:519
#27 0xc0531c4d in ath_rx_proc (arg=0xc5281000, npending=1)
    at /usr/src/sys/dev/ath/if_ath.c:3673
#28 0xc07aff5b in taskqueue_run (queue=0xc526ac00)
    at /usr/src/sys/kern/subr_taskqueue.c:255
#29 0xc07b00b8 in taskqueue_thread_loop (arg=0xc5282674)
    at /usr/src/sys/kern/subr_taskqueue.c:374
#30 0xc075c888 in fork_exit (callout=0xc07b0050 <taskqueue_thread_loop>, arg=0xc5282674, frame=0xe572ad38)
    at /usr/src/sys/kern/kern_fork.c:781
#31 0xc0a5bc30 in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:205
>How-To-Repeat:
Buy a current ThinkPad with a ThinkPad 11a/b/g Wireless LAN Mini Express Adapter (AR5212 chipset). Install 7-STABLE FreeBSD. Connect to wireless network, attempt to load a few websites.

My network card information:

ath0: <Atheros 5212> mem 0xdf2f0000-0xdf2fffff irq 17 at device 0.0 on pci3
ath0: [ITHREAD]
ath0: using obsoleted if_watchdog interface
ath0: Ethernet address: XX:XX:XX:XX:XX:XX
ath0: mac 10.3 phy 6.1 radio 10.2

ath0@pci0:3:0:0: class=0x020000 card=0x058a1014 chip=0x1014168c rev=0x01 hdr=0x00
    vendor     = 'Atheros Communications Inc.'
    device     = 'AR5212 Atheros AR5212 802.11abg wireless'
    class      = network
    subclass   = ethernet
>Fix:
Not a fix, but a guess. Panic occurs on line 1748 of if_ath.c. An assertion fails that a pointer is non-null. Anyone who can help would probably know this already though...

1747                    bf = STAILQ_FIRST(&frags);
1748                    KASSERT(bf != NULL, ("no buf for txfrag"));
>Release-Note:
>Audit-Trail:
>Unformatted:
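
A triage helper for backtraces like the one in this report, added here as an example and not part of the original submission: it rejoins wrapped kgdb frames and reports the caller of the outermost panic() frame, because the lower-numbered panic() belongs to the later "panic: from debugger" issued from DDB. The sample frames are abridged from the backtrace above; the function names parse_frames and panic_origin are hypothetical.

```python
import re

# Constructed sample: frames abridged from the backtrace in this report,
# with frame #12 wrapped across two lines the way kgdb prints long frames.
SAMPLE_BT = '''\
#0  doadump () at pcpu.h:195
#2  0xc077d853 in panic (fmt=) at /usr/src/sys/kern/kern_shutdown.c:572
#3  0xc04907b7 in db_panic (addr=) at /usr/src/sys/ddb/db_command.c:446
#10 0xc07a63fa in kdb_enter_why (why=0xc0b1402b "panic", msg=0xc0b1402b "panic") at cpufunc.h:60
#11 0xc077d83c in panic (fmt=0xc0add0a6 "no buf for txfrag") at /usr/src/sys/kern/kern_shutdown.c:556
#12 0xc0530143 in ath_start (ifp=0xc526bc00)
    at /usr/src/sys/dev/ath/if_ath.c:1748
#13 0xc080dd19 in if_start (ifp=0xc526bc00) at /usr/src/sys/net/if.c:2704
'''

FRAME = re.compile(
    r'#(\d+)\s+(?:0x[0-9a-f]+ in )?(\w+) \((.*)\)\s+at (\S+):(\d+)$')


def parse_frames(text):
    """Parse 'bt' output into frame dicts, rejoining wrapped lines first."""
    joined = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('#'):
            joined.append(line)
        elif line and joined:
            joined[-1] += ' ' + line      # continuation of the previous frame
    frames = []
    for line in joined:
        m = FRAME.match(line)
        if m:
            num, func, args, path, lineno = m.groups()
            frames.append({'num': int(num), 'func': func, 'args': args,
                           'file': path, 'line': int(lineno)})
    return frames


def panic_origin(frames):
    """Return (panic message, calling frame) for the outermost panic()."""
    for i in range(len(frames) - 2, -1, -1):   # highest-numbered frame first
        if frames[i]['func'] == 'panic':
            msg = re.search(r'fmt=\S* ?"([^"]*)"', frames[i]['args'])
            return (msg.group(1) if msg else None, frames[i + 1])
    return None


if __name__ == '__main__':
    message, caller = panic_origin(parse_frames(SAMPLE_BT))
    print(message, caller['func'], caller['file'], caller['line'])
```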