i386/88082: cts protection for ath0 causes panic

Jake A. kerneljake at hotmail.com
Thu Oct 27 08:20:16 PDT 2005


>Number:         88082
>Category:       i386
>Synopsis:       cts protection for ath0 causes panic
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-i386
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Oct 27 15:20:15 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Jake A.
>Release:        6.0-RC1
>Organization:
(none)
>Environment:
FreeBSD daemon 6.0-RC1 FreeBSD 6.0-RC1 #0: Thu Oct 13 00:46:47 CDT 2005     
jake at daemon:usr/src/sys/i386/compile/DAEMON  i386
>Description:
While streaming FLAC audio data over ath0, the kernel will panic if wireless protection mode is enabled (this is the default for my DWL-G520 Rev.B3 card).

A freebsd-current thread on this problem is available at http://lists.freebsd.org/pipermail/freebsd-current/2005-October/056884.html

With WITNESS and INVARIANTS enabled, I see the following in dmesg during bootup:

Oct 18 00:23:53 daemon kernel: malloc(M_WAITOK) of "32", forcing M_NOWAIT 
with the following non-sleepable locks held:
Oct 18 00:23:53 daemon kernel: exclusive sleep mutex ath0 (network driver) r 
= 0 (0xc15c8d30) locked @ dev/ath/if_ath.c:4642
Oct 18 00:23:53 daemon kernel: Memory modified after free 0xc174a000(2048) 
val=1fa00000 @ 0xc174a000
Oct 18 00:23:53 daemon savecore: no dumps found
Oct 18 00:23:56 daemon kernel: ath0: link state changed to DOWN
Oct 18 00:24:06 daemon kernel: malloc(M_WAITOK) of "32", forcing M_NOWAIT 
with the following non-sleepable locks held:
Oct 18 00:24:06 daemon kernel: exclusive sleep mutex ath0 (network driver) r 
= 0 (0xc15c8d30) locked @ dev/ath/if_ath.c:4642
Oct 18 00:24:06 daemon kernel: ath0: link state changed to UP

Then, when the crash occurs later:

# kgdb -q kernel.debug /var/crash/vmcore.2
[GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: 
Undefined symbol "ps_pglobal_lookup"]

Unread portion of the kernel message buffer:
lock order reversal
1st 0xc15c9188 ath0 (xmit q) @ dev/ath/if_ath.c:3537
2nd 0xc093b9c4 user map (user map) @ vm/vm_map.c:2997

Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x10
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc07af690
stack pointer           = 0x28:0xcaf47958
frame pointer           = 0x28:0x0
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 35 (swi1: net)
trap number             = 12
panic: page fault
Uptime: 22m20s
Dumping 223 MB (2 chunks)
  chunk 0: 1MB (159 pages) ... ok
  chunk 1: 223MB (57084 pages) 208 192 176 160 144 128 112 96 80 64 48 32 16

#0  doadump () at pcpu.h:165
165     pcpu.h: No such file or directory.
        in pcpu.h
(kdbd) bt full
#0  doadump () at pcpu.h:165
No locals.
#1  0xc0639540 in boot (howto=260) at ../../../kern/kern_shutdown.c:399
        first_buf_printf = 1
#2  0xc06397be in panic (fmt=0xc085b257 "%s")
    at ../../../kern/kern_shutdown.c:555
        td = (struct thread *) 0xc147d900
        bootopt = 260
        newpanic = 0
        ap = 0xcaf47894 "U·\211À"
        buf = "page fault", '\0' <repeats 245 times>
#3  0xc080a374 in trap_fatal (frame=0xcaf47918, eva=16)
    at ../../../i386/i386/trap.c:831
        code = 40
        type = 12
        ss = 40
        esp = 0
        softseg = {ssd_base = 0, ssd_limit = 1048575, ssd_type = 27,
  ssd_dpl = 0, ssd_p = 1, ssd_xx = 6, ssd_xx1 = 1, ssd_def32 = 1, ssd_gran = 
1}
#4  0xc080a0df in trap_pfault (frame=0xcaf47918, usermode=0, eva=16)
    at ../../../i386/i386/trap.c:742
        va = 0
        vm = (struct vmspace *) 0x0
        map = 0xc093b980
        rv = 1
        ftype = 1 '\001'
        td = (struct thread *) 0xc147d900
        p = (struct proc *) 0xc14a9624
#5  0xc0809d71 in trap (frame=
      {tf_fs = -889978872, tf_es = -1067122648, tf_ds = -1065091032, tf_edi 
= 0, tf_esi = -812636432, tf_ebp = 0, tf_isp = -889947836, tf_ebx = 
-812664240, tf_edx = 787639, tf_ecx = -1073479567, tf_eax = 1, tf_trapno = 
12, tf_err = 0, tf_eip = -1065683312, tf_cs = 32, tf_eflags = 590338, tf_esp 
= 16808316, tf_ss = 0})
    at ../../../i386/i386/trap.c:432
        td = (struct thread *) 0xc147d900
        p = (struct proc *) 0xc14a9624
        sticks = 3242711296
        i = 0
        ucode = 0
        type = 12
        code = 0
        eva = 16
#6  0xc07f9bda in calltrap () at ../../../i386/i386/exception.s:139
No locals.
#7  0xc07af690 in zz0e373a4d ()
No symbol table info available.
>How-To-Repeat:
              Run 6.0-RC1 with a D-Link DWL-G520 against a D-Link DI-624 access point.  The DWL-G520 will default to a wireless protection mode of CTS, and the DI-624 access point will default to a mode of "Auto".  Stream FLAC audio data over the ath0 interface, and the kernel will panic after 20-180 minutes.
>Fix:
              'ifconfig ath0 protmode off' will turn off protection mode and prevent the panic.
>Release-Note:
>Audit-Trail:
>Unformatted:
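The diagnostics above carry three separate signals a kernel reviewer would want to line up: the WITNESS warning that an M_WAITOK allocation was attempted while the ath0 driver mutex was held, the INVARIANTS "Memory modified after free" report, and a trap 12 whose fault address (0x10) sits inside the NULL page, i.e. a read through a NULL or freed-and-cleared struct pointer rather than a wild address. The script below is an added example written for this page, not code from the PR or from FreeBSD, that parses dmesg and panic lines in the format shown above and summarises those indicators. The sample input is constructed from the PR's own messages with the mailer's line wrapping undone; the regular expressions assume that message format and the i386 4 KiB page size.

```python
"""Triage of FreeBSD WITNESS/INVARIANTS and trap messages, as seen in this PR."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the PR's own dmesg and panic lines, with the mailer's
# line wrapping undone so each kernel message sits on one line.
SAMPLE_DMESG = """\
Oct 18 00:23:53 daemon kernel: malloc(M_WAITOK) of "32", forcing M_NOWAIT with the following non-sleepable locks held:
Oct 18 00:23:53 daemon kernel: exclusive sleep mutex ath0 (network driver) r = 0 (0xc15c8d30) locked @ dev/ath/if_ath.c:4642
Oct 18 00:23:53 daemon kernel: Memory modified after free 0xc174a000(2048) val=1fa00000 @ 0xc174a000
Oct 18 00:23:56 daemon kernel: ath0: link state changed to DOWN
Oct 18 00:24:06 daemon kernel: malloc(M_WAITOK) of "32", forcing M_NOWAIT with the following non-sleepable locks held:
Oct 18 00:24:06 daemon kernel: exclusive sleep mutex ath0 (network driver) r = 0 (0xc15c8d30) locked @ dev/ath/if_ath.c:4642
Oct 18 00:24:06 daemon kernel: ath0: link state changed to UP
lock order reversal
1st 0xc15c9188 ath0 (xmit q) @ dev/ath/if_ath.c:3537
2nd 0xc093b9c4 user map (user map) @ vm/vm_map.c:2997
Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x10
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc07af690
current process         = 35 (swi1: net)
panic: page fault
"""

SYSLOG_PREFIX = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ kernel: ")
NULL_PAGE = 0x1000  # i386 page size (assumed); faults below this are NULL-pointer dereferences


@dataclass
class PanicTriage:
    trap: Optional[int] = None
    fault_addr: Optional[int] = None
    fault_code: str = ""
    eip: Optional[int] = None
    process: str = ""
    sleep_with_lock: List[str] = field(default_factory=list)  # file:line of the held mutex
    modified_after_free: List[Tuple[int, int]] = field(default_factory=list)  # (addr, size)
    lock_order_reversals: List[Tuple[str, str]] = field(default_factory=list)  # (1st, 2nd)


def parse_dmesg(text: str) -> PanicTriage:
    """Pull the memory-safety and locking indicators out of kernel messages."""
    t = PanicTriage()
    lines = [SYSLOG_PREFIX.sub("", ln).strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        ln = lines[i]
        if "malloc(M_WAITOK)" in ln and "non-sleepable locks held" in ln:
            # WITNESS lists each held lock on the lines that follow the warning
            i += 1
            while i < len(lines) and "locked @" in lines[i]:
                t.sleep_with_lock.append(re.search(r"locked @ (\S+)", lines[i]).group(1))
                i += 1
            continue
        if ln == "lock order reversal" and i + 2 < len(lines):
            m1 = re.match(r"1st \S+ .* @ (\S+)", lines[i + 1])
            m2 = re.match(r"2nd \S+ .* @ (\S+)", lines[i + 2])
            if m1 and m2:
                t.lock_order_reversals.append((m1.group(1), m2.group(1)))
                i += 3
                continue
        if m := re.match(r"Memory modified after free (0x[0-9a-f]+)\((\d+)\)", ln):
            t.modified_after_free.append((int(m.group(1), 16), int(m.group(2))))
        elif m := re.match(r"Fatal trap (\d+):", ln):
            t.trap = int(m.group(1))
        elif m := re.match(r"fault virtual address\s*=\s*(0x[0-9a-f]+)", ln):
            t.fault_addr = int(m.group(1), 16)
        elif m := re.match(r"fault code\s*=\s*(.+)", ln):
            t.fault_code = m.group(1)
        elif m := re.match(r"instruction pointer\s*=\s*0x[0-9a-f]+:(0x[0-9a-f]+)", ln):
            t.eip = int(m.group(1), 16)
        elif m := re.match(r"current process\s*=\s*(.+)", ln):
            t.process = m.group(1)
        i += 1
    return t


def assess(t: PanicTriage) -> List[str]:
    """Conclusions a reviewer would draw from the parsed indicators, most specific first."""
    notes = []
    if t.trap == 12 and t.fault_addr is not None and t.fault_addr < NULL_PAGE:
        notes.append(f"near-NULL dereference: {t.fault_code} at offset 0x{t.fault_addr:x} "
                     f"from a NULL pointer, eip 0x{(t.eip or 0):x}, in process {t.process}")
    if t.modified_after_free:
        notes.append("use-after-free indicator: INVARIANTS found %d freed block(s) written after free"
                     % len(t.modified_after_free))
    if t.sleep_with_lock:
        notes.append("locking bug: M_WAITOK allocation under non-sleepable lock(s) held at "
                     + ", ".join(sorted(set(t.sleep_with_lock))))
    for first, second in t.lock_order_reversals:
        notes.append(f"lock order reversal between {first} and {second}")
    return notes


if __name__ == "__main__":
    for note in assess(parse_dmesg(SAMPLE_DMESG)):
        print(note)
```

Run against a saved dmesg or the "Unread portion of the kernel message buffer" from kgdb, the ordering of the notes is deliberate: a fault address inside the NULL page points at a stale or cleared pointer, and the INVARIANTS write-after-free report says which allocation was reused, which together explain why the crash only appears after minutes of traffic rather than deterministically.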

