Re: Panic in ieee80211 tx mgmt timeout

From: Stefan Esser <se_at_freebsd.org>
Date: Wed, 29 Jun 2011 12:57:17 +0200
On 29.06.2011 12:41, Bernhard Schmidt wrote:
> On Wednesday, June 29, 2011 10:53:41 Stefan Esser wrote:
>> I recreated the panic, this time with kernel dumps correctly configured
>> (thanks for the hint, Scott). The panic message is:
>>
>> Fatal trap 12: page fault while in kernel mode
>> cpuid = 0; apic id = 00
>> fault virtual address   = 0xffffff809c7a1000
>> fault code              = supervisor read data, page not present
>> instruction pointer     = 0x20:0xffffffff805e1851
>> stack pointer           = 0x28:0xffffff8000288ab0
>> frame pointer           = 0x28:0xffffff8000288b60
>> code segment            = base 0x0, limit 0xfffff, type 0x1b
>>                         = DPL 0, pres 1, long 1, def32 0, gran 1
>> processor eflags        = interrupt enabled, resume, IOPL = 0
>> current process         = 11 (swi4: clock)
>>
>> Traceback:
>>
>> #10 0xffffffff805e1851 in ieee80211_tx_mgt_timeout (arg=0xffffff809c7a1000)
>>     at ../../../net80211/ieee80211_output.c:2487
>>
>> This indicates that an invalid argument is passed and assigned to
>> "*ni", which causes the page fault when dereferencing "ni" to obtain "*va".
> 
> The problem here seems to be wpa_supplicant. It can try to associate
> at any given point in time which results in the BSS ni being destroyed,
> though it might still be referenced somewhere (in this case the timeout
> stuff, or better said ath's TX queue). Not clearing the reference (or
> stopping whatever is using it) is the fault here. Now how to figure out
> who the caller is? Got the complete backtrace?

Not sure that I understand your question correctly ...

#10 0xffffffff805e1851 in ieee80211_tx_mgt_timeout (arg=0xffffff809c7a1000)
    at ../../../net80211/ieee80211_output.c:2487
#11 0xffffffff8050f45c in softclock (arg=Variable "arg" is not available.)
    at ../../../kern/kern_timeout.c:564
#12 0xffffffff804d9876 in intr_event_execute_handlers (p=Variable "p" is not available.)
    at ../../../kern/kern_intr.c:1257
#13 0xffffffff804da4d6 in ithread_loop (arg=0xfffffe00032dcc60)
    at ../../../kern/kern_intr.c:1270
#14 0xffffffff804d718d in fork_exit (callout=0xffffffff804da440 <ithread_loop>, arg=0xfffffe00032dcc60, frame=0xffffff8000288c50)
    at ../../../kern/kern_fork.c:920
#15 0xffffffff807258ce in fork_trampoline ()
    at ../../../amd64/amd64/exception.S:603

Bernhard, I'm sending you the compressed "core.txt" in private mail.

Regards, STefan
Received on Wed Jun 29 2011 - 09:09:48 UTC
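
The lifetime problem described in the quoted reply (a node destroyed while a pending timeout still points at it), modelled in user space as an added example that is not part of the original thread and is not net80211 code. All names are hypothetical; the model assumes a timer that takes its own reference to the node when armed and gives it back on expiry or cancellation.

```c
/* User-space model of the lifetime rule; every name here is hypothetical. */
#include <stdio.h>
#include <stdlib.h>

struct node  { int refcnt; int timed_out; };
struct timer { struct node *arg; int armed; };

static int live_nodes;      /* nodes allocated and not yet freed */
static int handler_runs;    /* times the timeout handler executed */

static struct node *node_alloc(void) {
    struct node *n = calloc(1, sizeof(*n));
    if (n == NULL) abort();
    n->refcnt = 1;          /* reference held by the "current BSS" pointer */
    live_nodes++;
    return n;
}
static void node_release(struct node *n) {
    if (--n->refcnt == 0) { free(n); live_nodes--; }
}
/* Arming takes a reference, so the handler's argument cannot be freed early. */
static void timer_arm(struct timer *t, struct node *n) {
    n->refcnt++; t->arg = n; t->armed = 1;
}
/* Cancel a pending timer and give back the reference it held. */
static void timer_stop(struct timer *t) {
    if (t->armed) { t->armed = 0; node_release(t->arg); t->arg = NULL; }
}
/* Expiry: dereference the node, then drop the timer's reference. */
static void timer_fire(struct timer *t) {
    if (!t->armed) return;
    t->armed = 0;
    t->arg->timed_out = 1;  /* safe: the timer's reference keeps it allocated */
    handler_runs++;
    node_release(t->arg); t->arg = NULL;
}
/* Owner drops the node while the timer is pending; returns nodes still live. */
int drop_while_pending(struct timer *t) {
    struct node *bss = node_alloc();
    timer_arm(t, bss);
    node_release(bss);      /* e.g. a new association replaces the BSS node */
    return live_nodes;      /* 1: the pending timer still owns a reference */
}
int main(void) {
    struct timer t = {0};
    printf("pending: %d live\n", drop_while_pending(&t));
    timer_fire(&t);         /* expiry path frees the node after using it */
    drop_while_pending(&t); timer_stop(&t); timer_fire(&t); /* cancel path */
    printf("end: %d live, %d handler run(s)\n", live_nodes, handler_runs);
    return 0;
}
```

Removing the `n->refcnt++` in `timer_arm` reproduces the shape of the reported fault: the owner's release frees the node and the later expiry reads freed memory.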
