Re: hostap / ath: duplicate free in mbuf_jumbo_page

Wed, 05 Jan 2022 03:24:26 -0800 

On 05/01/2022 13:18, Andriy Gapon wrote:



Unfortunately I only have a text dump for this panic, so I do not have much hope 
of root causing it.  Reporting just in case.


This is on recent-ish stable/13 amd64:


panic: Duplicate free of 0xfffff80021593000 from zone 
0xfffffe0003573000(mbuf_jumbo_page) slab 0xfffff800213ffb08(0)


Oh, and there is another active thread that was in the related code.
Perhaps a race between the taskqueue and the callout...


Tracing command kernel pid 0 tid 100045 td 0xfffff800025ed000 (CPU 1) 




cpustop_handler() at 0xffffffff80b9cd7f = cpustop_handler+0x2f/frame 
0xfffffe0003412e00 

ipi_nmi_handler() at 0xffffffff80b9cd2a = ipi_nmi_handler+0x3a/frame 
0xfffffe0003412e10 

trap() at 0xffffffff80bc81ed = trap+0x3d/frame 0xfffffe0003412f20 




nmi_calltrap() at 0xffffffff80ba5967 = nmi_calltrap+0x8/frame 0xfffffe0003412f20 




--- trap 0x13, rip = 0xffffffff80bc47e6, rsp = 0xfffffe0003685820, rbp = 
0xfffffe0003685820 --- 

memcmp() at 0xffffffff80bc47e6 = memcmp+0x66/frame 0xfffffe0003685820 




bridge_input() at 0xffffffff80957f4f = bridge_input+0x23f/frame 
0xfffffe0003685880 




ether_input_internal() at 0xffffffff8095cecd = ether_input_internal+0x24d/frame 
0xfffffe00036858b0 

ether_nh_input() at 0xffffffff8095cc60 = ether_nh_input+0x20/frame 
0xfffffe00036858c0 

netisr_dispatch_src() at 0xffffffff8097c3ec = netisr_dispatch_src+0x9c/frame 
0xfffffe0003685910 

netisr_dispatch() at 0xffffffff8097c77e = netisr_dispatch+0xe/frame 
0xfffffe0003685920 

ether_input() at 0xffffffff8095c0bd = ether_input+0x5d/frame 0xfffffe0003685970 




hostap_deliver_data() at 0xffffffff8099cb4b = hostap_deliver_data+0x17b/frame 
0xfffffe00036859b0 

hostap_input() at 0xffffffff8099b132 = hostap_input+0xbb2/frame 
0xfffffe0003685a50 




ampdu_dispatch() at 0xffffffff8099f648 = ampdu_dispatch+0x18/frame 
0xfffffe0003685a60 

ampdu_dispatch_slot() at 0xffffffff809a2bc6 = ampdu_dispatch_slot+0x56/frame 
0xfffffe0003685a90 

ampdu_rx_flush() at 0xffffffff8099f772 = ampdu_rx_flush+0x52/frame 
0xfffffe0003685ad0 

ieee80211_ampdu_reorder() at 0xffffffff8099f437 = 
ieee80211_ampdu_reorder+0x327/frame 0xfffffe0003685b60 




hostap_input() at 0xffffffff8099abe4 = hostap_input+0x664/frame 
0xfffffe0003685c00 




ieee80211_input_mimo() at 0xffffffff809a67d4 = ieee80211_input_mimo+0xf4/frame 
0xfffffe0003685cb0 

ath_rx_pkt() at 0xffffffff80607bd4 = ath_rx_pkt+0x5c4/frame 0xfffffe0003685d80 




ath_edma_recv_proc_deferred_queue() at 0xffffffff80609cec = 
ath_edma_recv_proc_deferred_queue+0x13c/frame 0xfffffe0003685e20 




ath_edma_recv_tasklet() at 0xffffffff806090f5 = ath_edma_recv_tasklet+0xd5/frame 
0xfffffe0003685e50 

taskqueue_run_locked() at 0xffffffff808a1651 = taskqueue_run_locked+0x1a1/frame 
0xfffffe0003685ed0 

taskqueue_thread_loop() at 0xffffffff808a2318 = taskqueue_thread_loop+0x68/frame 
0xfffffe0003685ef0 

fork_exit() at 0xffffffff8080d85c = fork_exit+0xcc/frame 0xfffffe0003685f30 




fork_trampoline() at 0xffffffff80ba5c5e = fork_trampoline+0xe/frame 
0xfffffe0003685f30




cpuid = 3

time = 1641348396

KDB: stack backtrace:


db_trace_self_wrapper() at 0xffffffff805b632b = db_trace_self_wrapper+0x2b/frame 
0xfffffe005115c7e0

kdb_backtrace() at 0xffffffff8088c7b7 = kdb_backtrace+0x37/frame 
0xfffffe005115c890

vpanic() at 0xffffffff8084946c = vpanic+0x18c/frame 0xfffffe005115c8f0

panic() at 0xffffffff80849083 = panic+0x43/frame 0xfffffe005115c950

uma_dbg_free() at 0xffffffff80b48076 = uma_dbg_free+0xd6/frame 
0xfffffe005115c990

item_dtor() at 0xffffffff80b41cc3 = item_dtor+0x43/frame 0xfffffe005115c9d0

uma_zfree_arg() at 0xffffffff80b416ee = uma_zfree_arg+0x9e/frame 
0xfffffe005115ca10

uma_zfree() at 0xffffffff808296ab = uma_zfree+0xb/frame 0xfffffe005115ca20

mb_free_ext() at 0xffffffff808295eb = mb_free_ext+0xfb/frame 0xfffffe005115ca50

m_free() at 0xffffffff80828e4b = m_free+0x8b/frame 0xfffffe005115ca70

m_freem() at 0xffffffff808293b8 = m_freem+0x38/frame 0xfffffe005115ca90


ieee80211_defrag() at 0xffffffff809a6bc0 = ieee80211_defrag+0x170/frame 
0xfffffe005115cae0

hostap_input() at 0xffffffff8099af0a = hostap_input+0x98a/frame 
0xfffffe005115cb80


ampdu_dispatch() at 0xffffffff8099f648 = ampdu_dispatch+0x18/frame 
0xfffffe005115cb90
ampdu_dispatch_slot() at 0xffffffff809a2bc6 = ampdu_dispatch_slot+0x56/frame 
0xfffffe005115cbc0
ampdu_rx_flush() at 0xffffffff8099f772 = ampdu_rx_flush+0x52/frame 
0xfffffe005115cc00
ieee80211_ht_node_age() at 0xffffffff809a009c = ieee80211_ht_node_age+0x6c/frame 
0xfffffe005115cc30

node_age() at 0xffffffff809b41f7 = node_age+0x47/frame 0xfffffe005115cc50


timeout_stations() at 0xffffffff809b826e = timeout_stations+0xde/frame 
0xfffffe005115cc80
ieee80211_iterate_nodes_vap() at 0xffffffff809b73e2 = 
ieee80211_iterate_nodes_vap+0xf2/frame 0xfffffe005115ccd0



ieee80211_iterate_nodes() at 0xffffffff809b7461 = 
ieee80211_iterate_nodes+0x11/frame 0xfffffe005115cce0



ieee80211_timeout_stations() at 0xffffffff809b7299 = 
ieee80211_timeout_stations+0x19/frame 0xfffffe005115ccf0



ieee80211_node_timeout() at 0xffffffff809b3f06 = 
ieee80211_node_timeout+0x26/frame 0xfffffe005115cd20



softclock_call_cc() at 0xffffffff8086453a = softclock_call_cc+0x23a/frame 
0xfffffe005115cde0

softclock() at 0xffffffff808648ec = softclock+0x7c/frame 0xfffffe005115ce10


intr_event_execute_handlers() at 0xffffffff8081136f = 
intr_event_execute_handlers+0x18f/frame 0xfffffe005115ce60



ithread_execute_handlers() at 0xffffffff808110e2 = 
ithread_execute_handlers+0x32/frame 0xfffffe005115ce80


ithread_loop() at 0xffffffff80810eff = ithread_loop+0x9f/frame 
0xfffffe005115cef0

fork_exit() at 0xffffffff8080d85c = fork_exit+0xcc/frame 0xfffffe005115cf30


fork_trampoline() at 0xffffffff80ba5c5e = fork_trampoline+0xe/frame 
0xfffffe005115cf30





--
Andriy Gapon























					Reply via email to