>Number: 167806
>Category: kern
>Synopsis: [iwn] iwn driver panic on 9.0-STABLE-amd64
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri May 11 20:00:34 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator: Bojan Petrovic
>Release: 9.0-STABLE-amd64
>Organization:
>Environment:
FreeBSD alpha-60 9.0-STABLE FreeBSD 9.0-STABLE #0: Tue May 1 14:51:47 CEST
2012 root@alpha-60:/usr/obj/usr/src/sys/SL510_9.0 amd64
>Description:
Network card:
iwn0: <Intel Centrino Wireless-N 1000> mem 0xf0600000-0xf0601fff irq 19 at
device 0.0 on pci5
iwn0@pci0:5:0:0: class=0x028000 card=0x13158086 chip=0x00848086 rev=0x00
hdr=0x00
vendor = 'Intel Corporation'
device = 'Centrino Wireless-N 1000'
class = network
Kernel seems to panic mostly when playing flash video on a bad wifi network.
Output of interaction with "kgdb kernel.debug ~/cores/vmcore.1":
Unread portion of the kernel message buffer:
Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 01
fault virtual address = 0x1e
fault code = supervisor read data, page not present
instruction pointer = 0x20:0xffffffff8058353b
stack pointer = 0x28:0xffffff80738cc8e0
frame pointer = 0x28:0xffffff80738cc940
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 12 (irq257: iwn0)
trap number = 12
panic: page fault
cpuid = 1
KDB: stack backtrace:
#0 0xffffffff808f9afe at kdb_backtrace+0x5e
#1 0xffffffff808c1c57 at panic+0x187
#2 0xffffffff80bbada0 at trap_fatal+0x290
#3 0xffffffff80bbb14f at trap_pfault+0x25f
#4 0xffffffff80bbb613 at trap+0x373
#5 0xffffffff80ba5d93 at calltrap+0x8
#6 0xffffffff805892ad at iwn_notif_intr+0x3ad
#7 0xffffffff8058b56b at iwn_intr+0x30b
#8 0xffffffff80894d04 at intr_event_execute_handlers+0x104
#9 0xffffffff80896484 at ithread_loop+0xa4
#10 0xffffffff8089193f at fork_exit+0x11f
#11 0xffffffff80ba62be at fork_trampoline+0xe
Uptime: 26m52s
#0 doadump (textdump=Variable "textdump" is not available.
) at pcpu.h:224
224 __asm("movq %%gs:0,%0" : "=r" (td));
(kgdb) bt
#0 doadump (textdump=Variable "textdump" is not available.
) at pcpu.h:224
#1 0xffffffff808c1795 in kern_reboot (howto=260) at
/usr/src/sys/kern/kern_shutdown.c:442
#2 0xffffffff808c1c41 in panic (fmt=Variable "fmt" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:607
#3 0xffffffff80bbada0 in trap_fatal (frame=0xc, eva=Variable "eva" is not
available.
) at /usr/src/sys/amd64/amd64/trap.c:843
#4 0xffffffff80bbb14f in trap_pfault (frame=0xffffff80738cc830, usermode=0) at
/usr/src/sys/amd64/amd64/trap.c:759
#5 0xffffffff80bbb613 in trap (frame=0xffffff80738cc830) at
/usr/src/sys/amd64/amd64/trap.c:454
#6 0xffffffff80ba5d93 in calltrap () at
/usr/src/sys/amd64/amd64/exception.S:228
#7 0xffffffff8058353b in iwn_ampdu_tx_done (sc=0xffffff8000782000,
qid=Variable "qid" is not available.
) at /usr/src/sys/dev/iwn/if_iwn.c:2825
#8 0xffffffff805892ad in iwn_notif_intr (sc=0xffffff8000782000) at
/usr/src/sys/dev/iwn/if_iwn.c:2900
#9 0xffffffff8058b56b in iwn_intr (arg=dwarf2_read_address: Corrupted DWARF
expression.
) at /usr/src/sys/dev/iwn/if_iwn.c:3191
#10 0xffffffff80894d04 in intr_event_execute_handlers (p=Variable "p" is not
available.
) at /usr/src/sys/kern/kern_intr.c:1260
#11 0xffffffff80896484 in ithread_loop (arg=0xfffffe0002854380) at
/usr/src/sys/kern/kern_intr.c:1273
#12 0xffffffff8089193f in fork_exit (callout=0xffffffff808963e0 <ithread_loop>,
arg=0xfffffe0002854380, frame=0xffffff80738ccc00) at
/usr/src/sys/kern/kern_fork.c:992
#13 0xffffffff80ba62be in fork_trampoline () at
/usr/src/sys/amd64/amd64/exception.S:602
#14 0x0000000000000000 in ?? ()
#15 0x0000000000000000 in ?? ()
#16 0x0000000000000001 in ?? ()
#17 0x0000000000000000 in ?? ()
#18 0x0000000000000000 in ?? ()
#19 0x0000000000000000 in ?? ()
#20 0x0000000000000000 in ?? ()
#21 0x0000000000000000 in ?? ()
#22 0x0000000000000000 in ?? ()
#23 0x0000000000000000 in ?? ()
#24 0x0000000000000000 in ?? ()
#25 0x0000000000000000 in ?? ()
#26 0x0000000000000000 in ?? ()
#27 0x0000000000000000 in ?? ()
#28 0x0000000000000000 in ?? ()
#29 0x0000000000000000 in ?? ()
#30 0x0000000000000000 in ?? ()
#31 0x0000000000000000 in ?? ()
#32 0x0000000000000000 in ?? ()
#33 0x0000000000000000 in ?? ()
#34 0x0000000000000000 in ?? ()
#35 0x0000000000000000 in ?? ()
#36 0x0000000000000000 in ?? ()
#37 0x0000000000000000 in ?? ()
#38 0x0000000000000001 in ?? ()
#39 0xffffffff81244900 in affinity ()
#40 0xfffffe0002750460 in ?? ()
#41 0xfffffe0002750460 in ?? ()
#42 0xffffff80738cc3d0 in ?? ()
#43 0xffffff80738cc378 in ?? ()
#44 0xfffffe0002483460 in ?? ()
#45 0xffffffff808ec6cd in sched_switch (td=0x0, newtd=0xfffffe0002854380,
flags=Variable "flags" is not available.
) at /usr/src/sys/kern/sched_ule.c:1890
Previous frame inner to this frame (corrupt stack?)
(kgdb) up 7
#7 0xffffffff8058353b in iwn_ampdu_tx_done (sc=0xffffff8000782000,
qid=Variable "qid" is not available.
) at /usr/src/sys/dev/iwn/if_iwn.c:2825
2825 ni = data->ni, data->ni = NULL;
(kgdb) up 7
#7 0xffffffff8058353b in iwn_ampdu_tx_done (sc=0xffffff8000782000,
qid=Variable "qid" is not available.
) at /usr/src/sys/dev/iwn/if_iwn.c:2825
2825 ni = data->ni, data->ni = NULL;
(kgdb) up
#8 0xffffffff805892ad in iwn_notif_intr (sc=0xffffff8000782000) at
/usr/src/sys/dev/iwn/if_iwn.c:2900
2900 ops->tx_done(sc, desc, data);
(kgdb) p sc->ops->tx_done
$1 = (void (*)(struct iwn_softc *, struct iwn_rx_desc *, struct iwn_rx_data *))
0xffffffff805837e0 <iwn5000_tx_done>
(kgdb) l iwn5000_tx_done
2625 }
2626
2627 static void
2628 iwn5000_tx_done(struct iwn_softc *sc, struct iwn_rx_desc *desc,
2629 struct iwn_rx_data *data)
2630 {
2631 struct iwn5000_tx_stat *stat = (struct iwn5000_tx_stat *)(desc
+ 1);
2632 struct iwn_tx_ring *ring;
2633 int qid;
2634
(kgdb)
2635 qid = desc->qid & 0xf;
2636 ring = &sc->txq[qid];
2637
2638 DPRINTF(sc, IWN_DEBUG_XMIT, "%s: "
2639 "qid %d idx %d retries %d nkill %d rate %x duration %d
status %x\n",
2640 __func__, desc->qid, desc->idx, stat->ackfailcnt,
2641 stat->btkillcnt, stat->rate, le16toh(stat->duration),
2642 le32toh(stat->status));
2643
2644 #ifdef notyet
(kgdb) down
#7 0xffffffff8058353b in iwn_ampdu_tx_done (sc=0xffffff8000782000,
qid=Variable "qid" is not available.
) at /usr/src/sys/dev/iwn/if_iwn.c:2825
2825 ni = data->ni, data->ni = NULL;
(kgdb) l -10
2805 tap = sc->qid2tap[qid];
2806 if (tap != NULL) {
2807 tid = WME_AC_TO_TID(tap->txa_ac);
2808 wn = (void *)tap->txa_ni;
2809 wn->agg[tid].bitmap = bitmap;
2810 wn->agg[tid].startidx = start;
2811 wn->agg[tid].nframes = nframes;
2812 }
2813
2814 seqno = le32toh(*(status + nframes)) & 0xfff;
(kgdb)
2815 for (lastidx = (seqno & 0xff); ring->read != lastidx;) {
2816 data = &ring->data[ring->read];
2817
2818 KASSERT(data->ni != NULL, ("no node"));
2819
2820 /* Unmap and free mbuf. */
2821 bus_dmamap_sync(ring->data_dmat, data->map,
2822 BUS_DMASYNC_POSTWRITE);
2823 bus_dmamap_unload(ring->data_dmat, data->map);
2824 m = data->m, data->m = NULL;
(kgdb) p sc->txq[desc->qid&0xf]->data[sc->txq[desc->qid&0xf]->read]
No symbol "desc" in current context.
(kgdb) up
#8 0xffffffff805892ad in iwn_notif_intr (sc=0xffffff8000782000) at
/usr/src/sys/dev/iwn/if_iwn.c:2900
2900 ops->tx_done(sc, desc, data);
(kgdb) p sc->txq[desc->qid&0xf]->data[sc->txq[desc->qid&0xf]->read]
$2 = {map = 0x0, cmd_paddr = 2003654528, scratch_paddr = 2003654540, m = 0x0,
ni = 0x0}
Kernel wasn't compiled with assertions turned on, but I would expect the
assertion on line 2818 to fail.
>How-To-Repeat:
It might be repeatable by high network traffic on a bad wifi network. Playing
flash video triggered this repeatedly.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
_______________________________________________
freebsd-bugs@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"
