kern/144755: [iwi] [panic] iwi panic when issuing /etc/rc.d/netif restart on 8-STABLE r205159

Thu Aug 5 21:00:21 UTC 2010

The following reply was made to PR kern/144755; it has been noted by GNATS.

From: Alex Kozlov <spam at rm-rf.kiev.ua>
To: Bernhard Schmidt <bschmidt at techwires.net>,
	Edwin Groothuis <edwin at mavetju.org>, bug-followup at freebsd.org,
	spam at rm-rf.kiev.ua
Cc:  
Subject: Re: kern/144755: [iwi] [panic] iwi panic when issuing
 /etc/rc.d/netif restart on 8-STABLE r205159
Date: Thu, 5 Aug 2010 23:55:43 +0300

 --mYCpIKhGyMATD0i+
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: inline

 On Thu, Aug 05, 2010 at 08:10:08PM +0000, Bernhard Schmidt wrote:
 > The following reply was made to PR kern/144755; it has been noted by GNATS.
 > 
 > From: Bernhard Schmidt <bschmidt at techwires.net>
 > To: Edwin Groothuis <edwin at mavetju.org>
 > Cc: bug-followup at freebsd.org
 > Subject: Re: kern/144755: [iwi] [panic] iwi panic when issuing /etc/rc.d/netif 
 > 	restart on 8-STABLE r205159
 > Date: Thu, 5 Aug 2010 22:08:38 +0200
 > 
 >  --0015175cda7eab5eec048d191d67
 >  Content-Type: text/plain; charset=ISO-8859-1
 >  
 >  On Thu, Aug 5, 2010 at 00:31, Edwin Groothuis <edwin at mavetju.org> wrote:
 >  > [..]
 >  > Nice! Is there a workaround or patch available for testing?
 >  
 >  Please give the attached patch a try. It does not prevent
 >  wpa_supplicant from starting twice (for that you can define
 >  ctrl_interface= in wpa_supplicant.conf), but should no longer panic.
 I can reproduce this panic for if_rum, similiar patch also helps.

 wlan0: ieee80211_new_state_locked: pending RUN -> SCAN transition lost
 wlan0: ieee80211_new_state_locked: pending RUN -> SCAN transition lost

 Fatal trap 12: page fault while in kernel mode
 fault virtual address	= 0xffff
 fault code		= supervisor read, page not present
 instruction pointer	= 0x20:0xc0900d42
 stack pointer	        = 0x28:0xc4f05bac
 frame pointer	        = 0x28:0xc4f05bb8
 code segment		= base 0x0, limit 0xfffff, type 0x1b
 			= DPL 0, pres 1, def32 1, gran 1
 processor eflags	= interrupt enabled, resume, IOPL = 0
 current process		= 0 (rum0 taskq)
 trap number		= 12
 panic: page fault
 KDB: stack backtrace:
 db_trace_self_wrapper(c0669547,c06cb000,c0660c6a,c4f05a5c,c4f05a5c,...) at 0xc0436706 = db_trace_self_wrapper+0x26
 panic(c0660c6a,c0680c79,c4f05b6c,1,1,...) at 0xc04b898d = panic+0xed
 trap_fatal(c06c9740,f000,1,0,c04c0ef6,...) at 0xc06474bd = trap_fatal+0x23d
 trap_pfault(0,c066c5e8,2d7,0,c06c9220,...) at 0xc064787a = trap_pfault+0x27a
 trap(c4f05b6c) at 0xc06481ab = trap+0x39b
 calltrap() at 0xc062d4ac = calltrap+0x6
 --- trap 0xc, eip = 0xc0900d42, esp = 0xc4f05bac, ebp = 0xc4f05bb8 ---
 ieee80211_getcapinfo(c5caa000,ffff,c08f415a,c5caa874,c5463d00,...) at 0xc0900d42 = ieee80211_getcapinfo+0x71
 ieee80211_beacon_construct(c62a8000,18,676,c50f5c00,c54e3988,...) at 0xc090308d = ieee80211_beacon_construct+0x67
 ieee80211_beacon_alloc(c62a8000,c5caa874,6,2c5,5,...) at 0xc09039a0 = ieee80211_beacon_alloc+0x93
 rum_newstate(c5caa000,5,ffffffff,652,c5362014,...) at 0xc9a9b55f = rum_newstate+0x259
 ieee80211_newstate_cb(c5caa000,4,0,c0695c9c,0,...) at 0xc0906eb8 = ieee80211_newstate_cb+0x7a
 taskqueue_run(c537db00,c537db18,0,c0661905,0,...) at 0xc04ef61a = taskqueue_run+0x8a
 taskqueue_thread_loop(c5362074,c4f05d38,0,0,0,...) at 0xc04efd74 = taskqueue_thread_loop+0x44
 fork_exit(c04efd30,c5362074,c4f05d38) at 0xc048e868 = fork_exit+0x88
 fork_trampoline() at 0xc062d524 = fork_trampoline+0x8

 --
 Adios

 --mYCpIKhGyMATD0i+
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: attachment; filename="patch.txt"

 Index: sys/dev/usb/wlan/if_rum.c
 @@ -719,7 +719,7 @@
  		break;

  	case IEEE80211_S_RUN:
 -		ni = vap->iv_bss;
 +		ni = ieee80211_ref_node(vap->iv_bss);

  		if (vap->iv_opmode != IEEE80211_M_MONITOR) {
  			rum_update_slot(ic->ic_ifp);
 @@ -743,6 +743,7 @@
  		tp = &vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)];
  		if (tp->ucastrate == IEEE80211_FIXED_RATE_NONE)
  			rum_ratectl_start(sc, ni);
 +		ieee80211_free_node(ni);
  		break;
  	default:
  		break;
 @@ -2216,7 +2217,7 @@
  	struct ieee80211com *ic = vap->iv_ic;
  	struct ifnet *ifp = ic->ic_ifp;
  	struct rum_softc *sc = ifp->if_softc;
 -	struct ieee80211_node *ni = vap->iv_bss;
 +	struct ieee80211_node *ni;
  	int ok, fail;
  	int sum, retrycnt;

 @@ -2230,8 +2231,10 @@
  	sum = ok+fail;
  	retrycnt = (le32toh(sc->sta[5]) & 0xffff) + fail;

 +	ni = ieee80211_ref_node(vap->iv_bss);
  	ieee80211_ratectl_tx_update(vap, ni, &sum, &ok, &retrycnt);
  	(void) ieee80211_ratectl_rate(ni, NULL, 0);
 +	ieee80211_free_node(ni);

  	ifp->if_oerrors += fail;	/* count TX retry-fail as Tx errors */

 --mYCpIKhGyMATD0i+--