kern/137592: [ath] panic - 7-STABLE (Aug 7, 2009 UTC) crashes on network

parv parv at
Sun Aug 9 12:50:03 UTC 2009

>Number:         137592
>Category:       kern
>Synopsis:       [ath] panic - 7-STABLE (Aug 7, 2009 UTC) crashes on network
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Aug 09 12:50:02 UTC 2009
>Originator:     parv
>Release:        7-STABLE
FreeBSD/i386 7-STABLE around Aug 7, 2009 2pm UTC (updated from cvsup5), custom
kernel, on Lenovo Thinkpad T61 (32 bit).

DDB, KDB, WITNESS{,_SKIPSPIN}, INVARIANTS options are enabled in the kernel.
Change from 6-STABLE to 7-STABLE has been stymied due to FreeBSD/i386 7 crashing
on network activity.  Machine is Thinkpad T61 with Atheros 5212 (IBM 802.11
a/b/g) card.  Machine information (under FreeBSD 6.X) can be obtained from ...
  (in particular to ath0:
      ath0 at pci3:0:0:    class=0x020000 card=0x058a1014 chip=0x1014168c rev=0x01 hdr=0x00
          vendor     = 'Atheros Communications Inc.'
          device     = 'AR5212 Atheros AR5212 802.11abg wireless'
          class      = network
          subclass   = ethernet
          cap 01[40] = powerspec 2  supports D0 D3  current D0
          cap 05[50] = MSI supports 1 message
          cap 10[60] = PCI-Express 1 legacy endpoint
          cap 11[90] = MSI-X supports 1 message in map 0x10

.. until I do the disk replacement dance again (& get the 7-STABLE specific
dmesg & pciconf data).

Note that I do not have any problem with ath driver in 6-STABLE. I wonder if
-CURRENT is any better(?).

Crash dump ...

GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...

Unread portion of the kernel message buffer:
panic: operating mode 1
cpuid = 1
KDB: stack backtrace:
db_trace_self_wrapper(c0c260f0,e8fbc8fc,c0852763,c0c5338d,1,...) at db_trace_self_wrapper+0x26
kdb_backtrace(c0c5338d,1,c0c3326f,e8fbc908,1,...) at kdb_backtrace+0x29
panic(c0c3326f,1,4,c0c21ab3,ce,...) at panic+0x114
ieee80211_set_tim(c7aac000,1,c0c345ca,c7,0,c7aad510,c670d22c) at ieee80211_set_tim+0x2d
ieee80211_pwrsave(c7aac000,c7b1ab00,c0be15cd,62c,c0c30884,...) at ieee80211_pwrsave+0x1f3
ath_start(c6709000,c6709108,e8fbca08,c08ed81f,c6709000,...) at ath_start+0x4e3
if_start(c6709000,0,c0c30884,195,2,...) at if_start+0x4f
ether_output_frame(c6709000,c7b1ab00,6,0,e8fbca2a,...) at ether_output_frame+0x1ce
ether_output(c6709000,c7b1ab00,e8fbcac0,c6b45e0c,0,...) at ether_output+0x48d
ieee80211_output(c6709000,c7b1ab00,e8fbcac0,c6b45e0c,c6b402d0,...) at ieee80211_output+0x38
ip_output(c7b1ab00,0,e8fbcabc,0,0,...) at ip_output+0xa10
udp_send(c6b051a0,0,c7b1ab00,0,0,...) at udp_send+0x89b
sosend_dgram(c6b051a0,0,e8fbcbe0,c7b1ab00,0,...) at sosend_dgram+0x359
sosend(c6b051a0,0,e8fbcbe0,0,0,...) at sosend+0x3f
kern_sendit(c6b49b40,4,e8fbcc5c,0,0,...) at kern_sendit+0x107
sendit(0,7844401d,0,0,0,...) at sendit+0xad
sendto(c6b49b40,e8fbccfc,18,c0c3ea41,c,...) at sendto+0x48
syscall(e8fbcd38) at syscall+0x2a1
Xint0x80_syscall() at Xint0x80_syscall+0x20
--- syscall (133, FreeBSD ELF32, sendto), eip = 0x782d2e83, esp = 0xbfbfccdc, ebp = 0xbfbfcd08 ---
KDB: enter: panic
Physical memory: 3034 MB
Dumping 156 MB: 141 125 109 93 77 61 45 29 13

Reading symbols from /boot/kernel/speaker.ko...Reading symbols from /boot/kernel/speaker.ko.symbols...done.
Loaded symbols for /boot/kernel/speaker.ko
Reading symbols from /boot/kernel/acpi.ko...Reading symbols from /boot/kernel/acpi.ko.symbols...done.
Loaded symbols for /boot/kernel/acpi.ko
#0  doadump () at pcpu.h:196
196	pcpu.h: No such file or directory.
	in pcpu.h
(kgdb) bt
#0  doadump () at pcpu.h:196
#1  0xc04db4eb in db_fncall (dummy1=1, dummy2=0, dummy3=-1059146496,
    dummy4=0xe8fbc6e0 "") at /usr/src7/sys/ddb/db_command.c:516
#2  0xc04dba4c in db_command (last_cmdp=0xc0d3b014, cmd_table=0x0, dopager=1)
    at /usr/src7/sys/ddb/db_command.c:413
#3  0xc04dbb4d in db_command_loop () at /usr/src7/sys/ddb/db_command.c:466
#4  0xc04dd20f in db_trap (type=3, code=0) at /usr/src7/sys/ddb/db_main.c:228
#5  0xc087e4fe in kdb_trap (type=3, code=0, tf=0xe8fbc888)
    at /usr/src7/sys/kern/subr_kdb.c:524
#6  0xc0b5976b in trap (frame=0xe8fbc888)
    at /usr/src7/sys/i386/i386/trap.c:687
#7  0xc0b3f73b in calltrap () at /usr/src7/sys/i386/i386/exception.s:166
#8  0xc087e65f in kdb_enter_why (why=0xc0c2320a "panic",
    msg=0xc0c2320a "panic") at cpufunc.h:60
#9  0xc0852780 in panic (fmt=0xc0c3326f "operating mode %u")
    at /usr/src7/sys/kern/kern_shutdown.c:557
#10 0xc09226e6 in ieee80211_set_tim (ni=0xc0c2320a, set=1)
    at /usr/src7/sys/net80211/ieee80211_power.c:140
#11 0xc0922401 in ieee80211_pwrsave (ni=0xc7aac000, m=0xc7b1ab00)
    at /usr/src7/sys/net80211/ieee80211_power.c:206
#12 0xc0583a45 in ath_start (ifp=0xc6709000)
    at /usr/src7/sys/dev/ath/if_ath.c:1618
#13 0xc08e75fb in if_start (ifp=0xc6709000) at /usr/src7/sys/net/if.c:2837
#14 0xc08ed81f in ether_output_frame (ifp=0xc6709000, m=0xc7b1ab00)
    at /usr/src7/sys/net/if_ethersubr.c:405
#15 0xc08edde1 in ether_output (ifp=0xc6709000, m=0xc7b1ab00, dst=0xe8fbcac0,
    rt0=0xc6b45e0c) at /usr/src7/sys/net/if_ethersubr.c:374
#16 0xc0920299 in ieee80211_output (ifp=0xc6709000, m=0xc7b1ab00,
    dst=0xe8fbcac0, rt0=0xc6b45e0c)
    at /usr/src7/sys/net80211/ieee80211_output.c:261
#17 0xc093969c in ip_output (m=0xc7b1ab00, opt=0x0, ro=0xe8fbcabc, flags=Variable "flags" is not available.
    at /usr/src7/sys/netinet/ip_output.c:554
#18 0xc09a734a in udp_send (so=0xc6b051a0, flags=0, m=0xc7b1ab00, addr=0x0,
    control=0x0, td=0xc6b49b40) at /usr/src7/sys/netinet/udp_usrreq.c:1074
#19 0xc08ae729 in sosend_dgram (so=0xc6b051a0, addr=0x0, uio=0xe8fbcbe0,
    top=0xc7b1ab00, control=0x0, flags=Variable "flags" is not available.
    at /usr/src7/sys/kern/uipc_socket.c:1060
#20 0xc08ac439 in sosend (so=0xc6b051a0, addr=0x0, uio=0xe8fbcbe0, top=0x0,
    control=0x0, flags=0, td=0xc6b49b40)
    at /usr/src7/sys/kern/uipc_socket.c:1289
#21 0xc08b3408 in kern_sendit (td=0xc6b49b40, s=4, mp=0xe8fbcc5c, flags=0,
    control=0x0, segflg=UIO_USERSPACE)
    at /usr/src7/sys/kern/uipc_syscalls.c:805
#22 0xc08b54cd in sendit (td=0xc6b49b40, s=4, mp=0xe8fbcc5c, flags=0)
    at /usr/src7/sys/kern/uipc_syscalls.c:742
#23 0xc08b55c2 in sendto (td=0xc6b49b40, uap=0xe8fbccfc)
    at /usr/src7/sys/kern/uipc_syscalls.c:857
#24 0xc0b58f40 in syscall (frame=0xe8fbcd38)
    at /usr/src7/sys/i386/i386/trap.c:1089
#25 0xc0b3f7a0 in Xint0x80_syscall ()
    at /usr/src7/sys/i386/i386/exception.s:262
#26 0x00000033 in ?? ()
Previous frame inner to this frame (corrupt stack?)
(kgdb) q

After initially connecting ath (DHCP with Belkin & Linksys units; WPA with the
Belkin unit), wait about 1.5-2 hours & initiate network traffic, say, ping an
address.  The crash dump above is from a panic which happened in just about half
an hour, while pinging a Google address every five minutes.


