Panic in wpi, hard to reproduce

From: Mel Flynn <mel.flynn+fbsd.current_at_mailing.thruhere.net>
Date: Mon, 23 Mar 2009 22:23:47 +0100

Hi,

I've been bitten twice now by a panic in wpi(4). It's hard to reproduce but the 
panics are consistent, meaning the two panics are identical. I'm not using wpi 
at the moment, but may again in the relatively near future.

At the time of the crashes the card was used as a wireless g connection to a 
FreeBSD hostap using ral(4), via WEP.

% ident /boot/kernel/if_wpi.ko
/boot/kernel/if_wpi.ko:
     $FreeBSD: src/sys/dev/wpi/if_wpi.c,v 1.19 2009/02/13 16:17:05 sam Exp $

Script started on Sat Mar  7 10:55:59 2009
# kgdb /boot/kernel/kernel /var/crash/vmcore.0
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...

Unread portion of the kernel message buffer:


Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address	= 0x7d1667b8
fault code		= supervisor read, page not present
instruction pointer	= 0x20:0xc0688be1
stack pointer	        = 0x28:0xc4aabba0
frame pointer	        = 0x28:0xc4aabbb4
code segment		= base 0x0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, def32 1, gran 1
processor eflags	= interrupt enabled, resume, IOPL = 0
current process		= 12 (irq16: vgapci0+++)
trap number		= 12
panic: page fault
cpuid = 0
Uptime: 1d16h11m34s
Physical memory: 1517 MB
Dumping 287 MB: 272 256 240 224 208 192 176 160 144 128 112 96 80 64 48 32 16

Reading symbols from /boot/kernel/geom_journal.ko...Reading symbols from 
/boot/kernel/geom_journal.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/geom_journal.ko
Reading symbols from /boot/kernel/snd_hda.ko...Reading symbols from 
/boot/kernel/snd_hda.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/snd_hda.ko
Reading symbols from /boot/kernel/sound.ko...Reading symbols from 
/boot/kernel/sound.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/sound.ko
Reading symbols from /boot/modules/nvidia.ko...done.
Loaded symbols for /boot/modules/nvidia.ko
Reading symbols from /boot/kernel/linux.ko...Reading symbols from 
/boot/kernel/linux.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/linux.ko
Reading symbols from /boot/kernel/smb.ko...Reading symbols from 
/boot/kernel/smb.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/smb.ko
Reading symbols from /boot/kernel/linprocfs.ko...Reading symbols from 
/boot/kernel/linprocfs.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/linprocfs.ko
Reading symbols from /boot/kernel/wpifw.ko...Reading symbols from 
/boot/kernel/wpifw.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/wpifw.ko
Reading symbols from /boot/kernel/blank_saver.ko...Reading symbols from 
/boot/kernel/blank_saver.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/blank_saver.ko
#0  doadump () at pcpu.h:246
246	pcpu.h: No such file or directory.
	in pcpu.h
(kgdb) bt
#0  doadump () at pcpu.h:246
#1  0xc0637bdc in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:420
#2  0xc0637ea9 in panic (fmt=Variable "fmt" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:576
#3  0xc08633cc in trap_fatal (frame=0xc4aabb60, eva=2098620344)
    at /usr/src/sys/i386/i386/trap.c:929
#4  0xc0863630 in trap_pfault (frame=0xc4aabb60, usermode=0, eva=2098620344)
    at /usr/src/sys/i386/i386/trap.c:842
#5  0xc0863fb2 in trap (frame=0xc4aabb60) at /usr/src/sys/i386/i386/trap.c:522
#6  0xc084932b in calltrap () at /usr/src/sys/i386/i386/exception.s:165
#7  0xc0688be1 in mb_free_ext (m=0xc925d300) at 
/usr/src/sys/kern/uipc_mbuf.c:228
#8  0xc0689381 in m_freem (mb=0x0) at mbuf.h:524
#9  0xc083d981 in wpi_intr (arg=0xc4e2c800) at 
/usr/src/sys/dev/wpi/if_wpi.c:1589
#10 0xc061688b in intr_event_execute_handlers (p=0xc4d2e7ec, ie=0xc4d70380)
    at /usr/src/sys/kern/kern_intr.c:1134
#11 0xc0617cab in ithread_loop (arg=0xc4eda680) at 
/usr/src/sys/kern/kern_intr.c:1147
#12 0xc06145e3 in fork_exit (callout=0xc0617c40 <ithread_loop>, 
arg=0xc4eda680, 
    frame=0xc4aabd38) at /usr/src/sys/kern/kern_fork.c:821
#13 0xc08493a0 in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:270
(kgdb) frame 7
#7  0xc0688be1 in mb_free_ext (m=0xc925d300) at 
/usr/src/sys/kern/uipc_mbuf.c:228
228		if (*(m->m_ext.ref_cnt) == 1 ||
(kgdb) print m->M_dat.MH.MH_dat.MH_ext
$1 = {ext_buf = 0x6ddc9134 <Address 0x6ddc9134 out of bounds>, ext_free = 
0x6e378c2e, 
  ext_arg1 = 0xc25a829, ext_arg2 = 0x6070e28f, ext_size = 2799295368, 
  ref_cnt = 0x7d1667b8, ext_type = 908986233}
(kgdb) print *(m->M_dat.MH.MH_dat.MH_ext.ref_cnt)
Cannot access memory at address 0x7d1667b8
(kgdb) frame 9
#9  0xc083d981 in wpi_intr (arg=0xc4e2c800) at 
/usr/src/sys/dev/wpi/if_wpi.c:1589
1589		m_freem(txdata->m);
(kgdb) list
1584			ifp->if_opackets++;
1585	
1586		bus_dmamap_sync(ring->data_dmat, txdata->map, BUS_DMASYNC_POSTWRITE);
1587		bus_dmamap_unload(ring->data_dmat, txdata->map);
1588		/* XXX handle M_TXCB? */
1589		m_freem(txdata->m);
1590		txdata->m = NULL;
1591		ieee80211_free_node(txdata->ni);
1592		txdata->ni = NULL;
1593	

-- 
Mel
Received on Mon Mar 23 2009 - 20:39:11 UTC
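
Added triage example (not part of the original post): it correlates the trap's fault address with the `m_ext` fields printed in frame 7 and lists which pointer-typed fields fall below the kernel address range. The function names are hypothetical, and `KERNBASE = 0xC0000000` is an assumption about the i386 kernel layout.

```python
import re

KERNBASE = 0xC0000000  # assumption: i386 kernel virtual addresses start here

# Lines copied from the kgdb session in the post above.
SESSION = """\
fault virtual address = 0x7d1667b8
#3  0xc08633cc in trap_fatal (frame=0xc4aabb60, eva=2098620344)
$1 = {ext_buf = 0x6ddc9134 <Address 0x6ddc9134 out of bounds>, ext_free =
0x6e378c2e,
  ext_arg1 = 0xc25a829, ext_arg2 = 0x6070e28f, ext_size = 2799295368,
  ref_cnt = 0x7d1667b8, ext_type = 908986233}
"""

# Members of m_ext that hold addresses (ext_size and ext_type are scalars).
POINTER_FIELDS = ("ext_buf", "ext_free", "ext_arg1", "ext_arg2", "ref_cnt")


def parse_struct(text):
    """Return {field: int} for the first `$N = {...}` struct kgdb printed."""
    body = re.search(r"\$\d+ = \{(.*?)\}", text, re.S).group(1)
    body = re.sub(r"<[^>]*>", "", body)  # drop "<Address ... out of bounds>"
    pairs = re.findall(r"(\w+)\s*=\s*(0x[0-9a-fA-F]+|\d+)", body)
    return {name: int(value, 0) for name, value in pairs}


def triage(text):
    """Correlate the trap's fault address with the printed m_ext fields."""
    fault = int(re.search(r"fault virtual address\s*=\s*(0x[0-9a-fA-F]+)",
                          text).group(1), 16)
    eva = int(re.search(r"\beva=(\d+)", text).group(1))  # kgdb prints decimal
    ext = parse_struct(text)
    return {
        "fault": fault,
        "eva_matches_fault": eva == fault,
        # Fields whose value is exactly the address the CPU faulted on.
        "faulting_fields": [n for n, v in ext.items() if v == fault],
        # Pointer fields that cannot be valid kernel addresses.
        "non_kernel_pointers": [n for n in POINTER_FIELDS
                                if n in ext and ext[n] < KERNBASE],
    }


if __name__ == "__main__":
    for key, value in triage(SESSION).items():
        print(key, "=", hex(value) if key == "fault" else value)
```

On the session above, the fault address is the `ref_cnt` value that `mb_free_ext` dereferences at uipc_mbuf.c:228, and none of the five pointer fields is at or above `KERNBASE`.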
