kern/87350: Reproducible 6.0-RC1 kernel panic

James Snow snow at teardrop.org
Wed Oct 12 16:30:17 PDT 2005


>Number:         87350
>Category:       kern
>Synopsis:       Reproducible 6.0-RC1 kernel panic
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Oct 12 23:30:16 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     James Snow
>Release:        6.0-RC1
>Organization:
>Environment:
FreeBSD x40.teardrop.org 6.0-RC1 FreeBSD 6.0-RC1 #14: Wed Oct 12 10:52:10 EDT 2005     snow at x40.teardrop.org:/usr/obj/usr/src/sys/X40  i386

>Description:
Using my ThinkPad X40 as a WAP (on-board ath0 device in ad-hoc mode, NAT enabled on on-board em0), I will get a panic every time I shut down if a client is still transmitting packets.

Here is the backtrace from the core dump:
Waiting (max 60 seconds) for system process `vnlru' to stop...done
Waiting (max 60 seconds) for system process `bufdaemon' to stop...done
Waiting (max 60 seconds) for system process `syncer' to stop...
Syncing disks, vnodes remaining...5 4 3 1 0 0 done
All buffers synced.
Uptime: 8m48s


Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x10002
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc052c68a
stack pointer           = 0x28:0xd3e1db24
frame pointer           = 0x28:0xd3e1db28
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 39 (swi6: task queue)
trap number             = 12
panic: page fault
Uptime: 8m53s
Dumping 502 MB (2 chunks)
  chunk 0: 1MB (159 pages) ... ok
  chunk 1: 502MB (128480 pages) 486 470 454 438 422 406 390 374 358 342 326 310 294 278 262 246 230 214 198 182 166 150 134 118 102 86 70 54 38 22 6

#0  doadump () at pcpu.h:165
165     pcpu.h: No such file or directory.
        in pcpu.h
(kgdb) bt
#0  doadump () at pcpu.h:165
#1  0xc04b7a72 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:399
#2  0xc04b7d08 in panic (fmt=0xc05e9966 "%s")
    at /usr/src/sys/kern/kern_shutdown.c:555
#3  0xc05cbb8c in trap_fatal (frame=0xd3e1dae4, eva=65538)
    at /usr/src/sys/i386/i386/trap.c:831
#4  0xc05cb8f7 in trap_pfault (frame=0xd3e1dae4, usermode=0, eva=65538)
    at /usr/src/sys/i386/i386/trap.c:742
#5  0xc05cb555 in trap (frame=
      {tf_fs = -1049886712, tf_es = 40, tf_ds = -1049886680, tf_edi = -1050142296, tf_esi = -1050144340, tf_ebp = -740173016, tf_isp = -740173040, tf_ebx = -1050144340, tf_edx = -1051297152, tf_ecx = 65535, tf_eax = 65535, tf_trapno = 12, tf_err = 0, tf_eip = -1068317046, tf_cs = 32, tf_eflags = 590466, tf_esp = -1049847808, tf_ss = -740172988}) at /usr/src/sys/i386/i386/trap.c:432
#6  0xc05bbcea in calltrap () at /usr/src/sys/i386/i386/exception.s:139
#7  0xc052c68a in ieee80211_chan2mode (ic=0xc16811ac, chan=0xffff)
    at /usr/src/sys/net80211/ieee80211.c:892
#8  0xc05377db in ieee80211_dup_bss (nt=0xc16819a8, macaddr=0xc18f880a "")
    at /usr/src/sys/net80211/ieee80211_node.c:225
#9  0xc0537d36 in ieee80211_add_neighbor (ic=0xc16811ac, wh=0xc18f8800, 
    sp=0xd3e1dbac) at /usr/src/sys/net80211/ieee80211_node.c:1234
#10 0xc0530196 in ieee80211_recv_mgmt (ic=0xc16811ac, m0=0xc18d6900, 
    ni=0xc16c3000, subtype=128, rssi=75, rstamp=26138)
    at /usr/src/sys/net80211/ieee80211_input.c:1959
#11 0xc06f6ba6 in ?? ()
#12 0xc16811ac in ?? ()
#13 0xc18d6900 in ?? ()
#14 0xc16c3000 in ?? ()
#15 0x00000080 in ?? ()
#16 0x0000004b in ?? ()
#17 0x0000661a in ?? ()
#18 0xc1681000 in ?? ()
#19 0x0000661a in ?? ()
#20 0xc16c3000 in ?? ()
#21 0xc18d6900 in ?? ()
#22 0xc18f8800 in ?? ()
#23 0xc16c3000 in ?? ()
#24 0xd3e1dc74 in ?? ()
#25 0xc052e1ad in ieee80211_input (ic=0xc16811ac, m=0xc16811ac, ni=0x4b, 
    rssi=128, rstamp=75) at /usr/src/sys/net80211/ieee80211_input.c:540
Previous frame identical to this frame (corrupt stack?)
(kgdb) 


>How-To-Repeat:
kldload ipfw
kldload ipdivert

sysctl net.inet.ip.forwarding=1
sysctl net.link.ether.ipfw=1
sysctl net.inet.ip.fw.verbose=1

ipfw add divert 8668 ip from any to any via em0
ipfw add allow ip from any to any 

Now associate another wireless device with the ath0 interface, have it transmit traffic continuously, and shut down the router.

I'm happy to test patches. If I can provide any other information, please let me know.

>Fix:
          
>Release-Note:
>Audit-Trail:
>Unformatted:

