kern/125914: Ath driver causes kernel panic in 7-STABLE

E Ruggeri smallhand at crawblog.com
Thu Jul 24 02:30:02 UTC 2008 

>Number:         125914
>Category:       kern
>Synopsis:       Ath driver causes kernel panic in 7-STABLE
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jul 24 02:30:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     E Ruggeri
>Release:        7-STABLE
>Organization:
None
>Environment:
FreeBSD bigclaw.crawblog.com 7.0-STABLE FreeBSD 7.0-STABLE #0: Wed Jul 23 08:28:49 EDT 2008     smallhand at bigclaw.crawblog.com:/usr/obj/usr/src/sys/GDEBUG  i386
>Description:
Ath driver works under 7.0-RELEASE.  However, when running under 7-STABLE (updated 7/22/08), network use causes kernel panic.  Connection to the wireless network is achieved (IP address assigned), and generally a few webpages will load.  But kernel eventually panics within a minute of network use.

Kernel is the generic 7-STABLE kernel with the 4BSD scheduler swapped for ULE and various debug options enabled (KDB, DDB, INVARIANTS, WITNESS).

I have a core dump.  Here is a backtrace from kgdb:
Unread portion of the kernel message buffer:
panic: no buf for txfrag
cpuid = 0
KDB: enter: panic
panic: from debugger
cpuid = 0
Uptime: 8m4s
Physical memory: 2018 MB
Dumping 75 MB: 60 44 28 12

Reading symbols from /boot/kernel/acpi.ko...Reading symbols from /boot/kernel/acpi.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/acpi.ko
#0  doadump () at pcpu.h:195
195		__asm __volatile("movl %%fs:0,%0" : "=r" (td));
(kgdb) bt
#0  doadump () at pcpu.h:195
#1  0xc077d58e in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:418
#2  0xc077d853 in panic (fmt=) at /usr/src/sys/kern/kern_shutdown.c:572
#3  0xc04907b7 in db_panic (addr=) at /usr/src/sys/ddb/db_command.c:446
#4  0xc04911bc in db_command (last_cmdp=0xc0bfb9f4, cmd_table=0x0, dopager=1)
    at /usr/src/sys/ddb/db_command.c:413
#5  0xc04912ca in db_command_loop () at /usr/src/sys/ddb/db_command.c:466
#6  0xc0492abd in db_trap (type=3, code=0) at /usr/src/sys/ddb/db_main.c:228
#7  0xc07a6276 in kdb_trap (type=3, code=0, tf=0xe572a6a4)
    at /usr/src/sys/kern/subr_kdb.c:524
#8  0xc0a7644b in trap (frame=0xe572a6a4) at /usr/src/sys/i386/i386/trap.c:648
#9  0xc0a5bbbb in calltrap () at /usr/src/sys/i386/i386/exception.s:139
#10 0xc07a63fa in kdb_enter_why (why=0xc0b1402b "panic", 
    msg=0xc0b1402b "panic") at cpufunc.h:60
#11 0xc077d83c in panic (fmt=0xc0add0a6 "no buf for txfrag")
    at /usr/src/sys/kern/kern_shutdown.c:556
#12 0xc0530143 in ath_start (ifp=0xc526bc00)
    at /usr/src/sys/dev/ath/if_ath.c:1748
#13 0xc080dd19 in if_start (ifp=0xc526bc00) at /usr/src/sys/net/if.c:2704
#14 0xc0813d9b in ether_output_frame (ifp=0xc526bc00, m=0xc5555300)
    at /usr/src/sys/net/if_ethersubr.c:405
#15 0xc08143b1 in ether_output (ifp=0xc526bc00, m=0xc5555300, dst=0xc53d98d0, 
    rt0=0xc59ee000) at /usr/src/sys/net/if_ethersubr.c:374
#16 0xc08409eb in ieee80211_output (ifp=0xc526bc00, m=0xc5555300, 
    dst=0xc53d98d0, rt0=0xc59ee000)
    at /usr/src/sys/net80211/ieee80211_output.c:261
#17 0xc0859b04 in ip_output (m=0xc5555300, opt=0x0, ro=0xe572a888, flags=)
    at /usr/src/sys/netinet/ip_output.c:551
#18 0xc08b3a40 in tcp_output (tp=0xc57ca910)
    at /usr/src/sys/netinet/tcp_output.c:1135
#19 0xc08afa1b in tcp_do_segment (m=0xc599f800, th=)
    at /usr/src/sys/netinet/tcp_input.c:1212
#20 0xc08b1e81 in tcp_input (m=0xc599f800, off0=20)
    at /usr/src/sys/netinet/tcp_input.c:845
#21 0xc0857fd0 in ip_input (m=0xc599f800)
    at /usr/src/sys/netinet/ip_input.c:665
#22 0xc081e413 in netisr_dispatch (num=2, m=0xc599f800)
    at /usr/src/sys/net/netisr.c:185
#23 0xc0814601 in ether_demux (ifp=0xc526bc00, m=0xc599f800)
    at /usr/src/sys/net/if_ethersubr.c:834
#24 0xc0814a6f in ether_input (ifp=0xc526bc00, m=0xc599f800)
    at /usr/src/sys/net/if_ethersubr.c:692
#25 0xc0830f52 in ieee80211_deliver_data (ic=0xc528122c, ni=0xc59e5000, 
    m=0xc599f800) at /usr/src/sys/net80211/ieee80211_input.c:779
#26 0xc08367e9 in ieee80211_input (ic=0xc528122c, m=0xc599f800, 
    ni=0xc59e5000, rssi=48, noise=-95, rstamp=9816)
    at /usr/src/sys/net80211/ieee80211_input.c:519
#27 0xc0531c4d in ath_rx_proc (arg=0xc5281000, npending=1)
    at /usr/src/sys/dev/ath/if_ath.c:3673
#28 0xc07aff5b in taskqueue_run (queue=0xc526ac00)
    at /usr/src/sys/kern/subr_taskqueue.c:255
#29 0xc07b00b8 in taskqueue_thread_loop (arg=0xc5282674)
    at /usr/src/sys/kern/subr_taskqueue.c:374
#30 0xc075c888 in fork_exit (callout=0xc07b0050 <taskqueue_thread_loop>, 
    arg=0xc5282674, frame=0xe572ad38) at /usr/src/sys/kern/kern_fork.c:781
#31 0xc0a5bc30 in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:205


>How-To-Repeat:
Buy a current ThinkPad with a ThinkPad 11a/b/g Wireless LAN Mini Express Adapter (AR5212 chipset).  Install 7-STABLE FreeBSD.  Connect to wireless network, attempt to load a few websites.

My network card information:
ath0: <Atheros 5212> mem 0xdf2f0000-0xdf2fffff irq 17 at device 0.0 on pci3
ath0: [ITHREAD]
ath0: using obsoleted if_watchdog interface
ath0: Ethernet address: XX:XX:XX:XX:XX:XX
ath0: mac 10.3 phy 6.1 radio 10.2

ath0 at pci0:3:0:0:	class=0x020000 card=0x058a1014 chip=0x1014168c rev=0x01 hdr=0x00
    vendor     = 'Atheros Communications Inc.'
    device     = 'AR5212 Atheros AR5212 802.11abg wireless'
    class      = network
    subclass   = ethernet
>Fix:
Not a fix, but a guess.  Panic occurs on line 1748 of if_ath.c.  An assertion fails that a pointer is non-null.  Anyone who can help would probably know this already though...

1747                         bf = STAILQ_FIRST(&frags);
1748                         KASSERT(bf != NULL, ("no buf for txfrag"));

>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-bugs mailing list