ath induced panic in -stable

Steve Kargl sgk at troutmask.apl.washington.edu
Thu Apr 26 23:21:26 UTC 2007


In trying to update from 6.2-release to 6.2-stable,
I run into a nasty panic which results in a corrupt 
backtrace.  It looks like a cascade of panics.  In
6.2-release, I initialize my ath wireless NIC with the
following script

#! /bin/sh
# Assign the address, then configure the 802.11 side of ath0.
ifconfig ath0 inet 192.168.0.10
ifconfig ath0 ssid "My_ssid" mode 11g channel 11 wepmode on
# Load the WEP key into slot 1 and make it the default transmit key.
ifconfig ath0 wepkey 0xValid_WEP_key deftxkey 1
route add default 192.168.0.1

I can get to the net without a problem.  However, with up-to-date
6.2-stable sources, the above script will cause a panic.  In
trying various things, I've found that the "mode 11g" in the second
command is the guilty party.  Without "mode 11g", I can once
again get to the net.  Here's the output of a kgdb session


Unread portion of the kernel message buffer:
ifhwioctl(c0286938,c34c4c00,c3723e80,c3722000) at ifhwioctl+0xa40
ifioctl(c355a000,c0286938,c3723e80,c3722000,0,...) at ifioctl+0xc3
soo_ioctl(c3512a68,c0286938,c3723e80,c3745180,c3722000) at soo_ioctl+0x2db
ioctl(c3722000,da95ad04) at ioctl+0x396
syscall(bfbf003b,3b,bfbf003b,805d028,0,...) at syscall+0x22f
Xint0x80_syscall() at Xint0x80_syscall+0x1f
--- syscall (54, FreeBSD ELF32, ioctl), eip = 0x28149787, esp = 0xbfbfe2fc, ebp = 0xbfbfe328 ---
KDB: enter: witness_checkorder
Dumping 511 MB (2 chunks)
  chunk 0: 1MB (159 pages) ... ok
  chunk 1: 511MB (130786 pages) 495 479 463 447 431 415 399 383 367 351 335 319 303 287 271 255 239 223 207 191 175 159 143 127 111 95 79 63 47 31 15

#0  doadump () at pcpu.h:165
165	pcpu.h: No such file or directory.
	in pcpu.h
(kgdb) bt
#0  doadump () at pcpu.h:165
#1  0xc0477d1b in db_fncall (dummy1=-1065228384, dummy2=0, 
    dummy3=-1066610577, dummy4=0xda95a7c4 "ð§\225ÚÀ³lÀܧ\225Úà§\225Ú\220\a")
    at /usr/src/sys/ddb/db_command.c:492
#2  0xc0477b20 in db_command (last_cmdp=0xc07aef44, cmd_table=0x0, 
    aux_cmd_tablep=0xc0764a34, aux_cmd_tablep_end=0xc0764a38)
    at /usr/src/sys/ddb/db_command.c:350
#3  0xc0477be8 in db_command_loop () at /usr/src/sys/ddb/db_command.c:458
#4  0xc04797e5 in db_trap (type=3, code=0) at /usr/src/sys/ddb/db_main.c:222
#5  0xc0573997 in kdb_trap (type=3, code=0, tf=0xda95a904)
    at /usr/src/sys/kern/subr_kdb.c:473
#6  0xc06e9a24 in trap (frame=
      {tf_fs = -627769336, tf_es = -1068040152, tf_ds = -1066205144, tf_edi = 9, tf_esi = -1020494300, tf_ebp = -627726012, tf_isp = -627726032, tf_ebx = -1065345868, tf_edx = 0, tf_ecx = -1056878592, tf_eax = 31, tf_trapno = 3, tf_err = 0, tf_eip = -1068026085, tf_cs = 32, tf_eflags = 662, tf_esp = -627725960, tf_ss = -1067982253}) at /usr/src/sys/i386/i386/trap.c:594
#7  0xc06d7f5a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
#8  0xc057371b in kdb_enter (msg=0x1f <Address 0x1f out of bounds>)
    at cpufunc.h:60
#9  0xc057e253 in witness_checkorder (lock=0xc32c7e24, flags=9, 
    file=0xc075587c "/usr/src/sys/vm/vm_map.c", line=3074)
    at /usr/src/sys/kern/subr_witness.c:1079
#10 0xc0560a74 in _sx_xlock (sx=0xc32c7e24, 
    file=0xc075587c "/usr/src/sys/vm/vm_map.c", line=3074)
    at /usr/src/sys/kern/kern_sx.c:171
#11 0xc067c273 in _vm_map_lock_read (map=0x1f, 
    file=0xc1015000 "Copyright (c) 1992-2007 The FreeBSD Project.\nCopyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994\n\tThe Regents of the University of California. All rights reserved.\nFreeBSD is a re"..., 
    line=0) at /usr/src/sys/vm/vm_map.c:453
#12 0xc067f330 in vm_map_lookup (var_map=0xda95aa6c, vaddr=134602752, 
    fault_typea=2 '\002', out_entry=0xda95aa70, object=0x1f, 
    pindex=0xc1015000, out_prot=0x1f <Address 0x1f out of bounds>, 
    wired=0xda95aa48) at /usr/src/sys/vm/vm_map.c:3074
#13 0xc06784bd in vm_fault (map=0xc32c7de0, vaddr=134602752, 
    fault_type=2 '\002', fault_flags=8) at /usr/src/sys/vm/vm_fault.c:235
#14 0xc06e9bae in trap_pfault (frame=0xda95ab34, usermode=0, eva=134602752)
    at /usr/src/sys/i386/i386/trap.c:722
#15 0xc06e98b1 in trap (frame=
      {tf_fs = -1065680888, tf_es = 40, tf_ds = -1066205144, tf_edi = 134602752, tf_esi = -1019717632, tf_ebp = -627725396, tf_isp = -627725472, tf_ebx = 620, tf_edx = 0, tf_ecx = 155, tf_eax = 134603372, tf_trapno = 12, tf_err = 2, tf_eip = -1066500010, tf_cs = 32, tf_eflags = 66050, tf_esp = -1015923072, tf_ss = 155}) at /usr/src/sys/i386/i386/trap.c:435
#16 0xc06d7f5a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
#17 0xc06e8056 in generic_copyout () at /usr/src/sys/i386/i386/support.s:760
Previous frame inner to this frame (corrupt stack?)

If one goes back up to the "Unread portion" above, on the console
I see a line about ath_ioctl, then frame #17. 

-- 
Steve
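The backtrace above is easier to read once the two trap frames are decoded: frame #15 is a page fault (i386 trap 12) taken while generic_copyout() was writing the ioctl result back to user space, and frame #6 is the breakpoint trap (trap 3) that witness_checkorder() raised when the fault handler tried to take the vm_map lock. The script below is an added example, not code from the post or from FreeBSD; it parses kgdb "bt" output, joins the wrapped frame lines, decodes tf_trapno/tf_err/tf_eip from each trap frame and checks that the saved eip resolves to the address kgdb shows for the next real frame. The sample input is an abridged copy of the backtrace in this post (trap-frame arguments cut down to the fields used), and the trap numbers are the i386 values from sys/i386/include/trap.h.

```python
"""Walk a FreeBSD/i386 kgdb backtrace and decode the trap frames in it.

Added example, not part of the original post.  It shows how to read the
cascade in a report like the one above: a page fault raised from
generic_copyout() during the ifconfig ioctl, then a breakpoint trap from
witness_checkorder() once the fault handler tried to take the vm_map lock.
"""
import re

# i386 trap numbers from sys/i386/include/trap.h (only the two seen here).
TRAP_NAMES = {3: "T_BPTFLT", 12: "T_PAGEFLT"}

# Abridged copy of the kgdb "bt" output from the post above.  The trap-frame
# arguments are cut down to the fields decoded here; the line wrapping is kept
# as kgdb printed it so the joining logic below is exercised.
SAMPLE_BT = """\
#6  0xc06e9a24 in trap (frame=
      {tf_edi = 9, tf_eax = 31, tf_trapno = 3, tf_err = 0, tf_eip = -1068026085, tf_cs = 32}) at /usr/src/sys/i386/i386/trap.c:594
#7  0xc06d7f5a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
#8  0xc057371b in kdb_enter (msg=0x1f <Address 0x1f out of bounds>)
    at cpufunc.h:60
#9  0xc057e253 in witness_checkorder (lock=0xc32c7e24, flags=9, 
    file=0xc075587c "/usr/src/sys/vm/vm_map.c", line=3074)
    at /usr/src/sys/kern/subr_witness.c:1079
#13 0xc06784bd in vm_fault (map=0xc32c7de0, vaddr=134602752, 
    fault_type=2 '\\002', fault_flags=8) at /usr/src/sys/vm/vm_fault.c:235
#14 0xc06e9bae in trap_pfault (frame=0xda95ab34, usermode=0, eva=134602752)
    at /usr/src/sys/i386/i386/trap.c:722
#15 0xc06e98b1 in trap (frame=
      {tf_edi = 134602752, tf_trapno = 12, tf_err = 2, tf_eip = -1066500010, tf_cs = 32}) at /usr/src/sys/i386/i386/trap.c:435
#16 0xc06d7f5a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
#17 0xc06e8056 in generic_copyout () at /usr/src/sys/i386/i386/support.s:760
Previous frame inner to this frame (corrupt stack?)
"""

# "#N  0xADDR in func (args) at file:line"; the address is absent for frame #0.
FRAME_RE = re.compile(
    r"^#(?P<no>\d+)\s+(?:0x(?P<pc>[0-9a-f]+) in )?(?P<func>\w+)\s*"
    r"\((?P<args>.*)\)\s+at\s+(?P<file>\S+):(?P<line>\d+)$"
)


def parse_backtrace(text):
    """Return (frames, corrupt): frames as dicts in order, corrupt if kgdb gave up."""
    joined, corrupt = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            joined.append(line)
        elif line.startswith("Previous frame inner to this frame"):
            corrupt = True          # kgdb could not unwind past the last frame
        elif joined:
            joined[-1] += " " + line   # continuation of a wrapped frame line
    frames = []
    for entry in joined:
        m = FRAME_RE.match(entry)
        if not m:
            raise ValueError("unparsed frame: " + entry)
        frames.append({
            "no": int(m["no"]),
            "pc": int(m["pc"], 16) if m["pc"] else None,
            "func": m["func"],
            "args": m["args"],
            "file": m["file"],
            "line": int(m["line"]),
        })
    return frames, corrupt


def decode_trap_frame(args):
    """Decode tf_trapno, tf_err and tf_eip from a dumped i386 struct trapframe."""
    m = re.search(r"tf_trapno = (\d+)", args)
    if not m:
        return None
    trapno = int(m.group(1))
    err = int(re.search(r"tf_err = (\d+)", args).group(1))
    # kgdb prints the registers as signed ints; recover the 32-bit value.
    eip = int(re.search(r"tf_eip = (-?\d+)", args).group(1)) & 0xFFFFFFFF
    info = {"trapno": trapno, "name": TRAP_NAMES.get(trapno, "unknown"), "eip": eip}
    if trapno == 12:
        # x86 page-fault error code: bit0 set = protection violation (clear =
        # page not present), bit1 = write access, bit2 = raised from user mode.
        info.update(protection=bool(err & 1), write=bool(err & 2), user=bool(err & 4))
    return info


def explain_cascade(text):
    """For each trap frame, name the outer frame its saved eip points into."""
    frames, corrupt = parse_backtrace(text)
    notes = []
    for i, fr in enumerate(frames):
        info = decode_trap_frame(fr["args"]) if fr["func"] == "trap" else None
        if info is None:
            continue
        # The faulting pc should equal the address kgdb shows for the next
        # frame that is not the calltrap trampoline.
        target = next((f for f in frames[i + 1:] if f["func"] != "calltrap"), None)
        notes.append({
            "frame": fr["no"],
            "trap": info["name"],
            "eip": info["eip"],
            "faulted_in": target["func"] if target else None,
            "eip_matches_frame": target is not None and target["pc"] == info["eip"],
            "detail": info,
        })
    return notes, corrupt


if __name__ == "__main__":
    for note in explain_cascade(SAMPLE_BT)[0]:
        print("frame #%d: %s at 0x%08x in %s (eip matches frame: %s)" % (
            note["frame"], note["trap"], note["eip"],
            note["faulted_in"], note["eip_matches_frame"]))
```

Run against the post's own numbers, the page-fault frame decodes to a supervisor-mode write to a not-present page at eip 0xc06e8056, which is exactly the address kgdb printed for frame #17 (generic_copyout), and the breakpoint frame's eip is 0xc057371b, the address of frame #8 (kdb_enter). That confirms the unwinder is consistent up to frame #17; the "corrupt stack?" line marks where it lost the frame chain, so the ath_ioctl frame seen on the console is simply missing from the kgdb output rather than being misattributed.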

