ath as AP panics

[Lev Serebryakov]

Hello, Adrian.
You wrote 12 августа 2013 г., 21:47:46:

>> AC> Hm. OK.
>> AC> What I want is the code path _in_ that's queuing a frame via
>> AC> ieee80211_vap_transmit() with m_nextpkt set to NON-NULL.
>>   I could set breakpoint on "printf()" from patch and get backtrace when it
>> will be hit. Is it enough?

AC> yup

db> trace
Tracing pid 0 tid 100037 td 0xfffffe0001a95920
ieee80211_vap_transmit() at ieee80211_vap_transmit+0x12b/frame 0xffffff812205e950
pwrsave_flushq() at pwrsave_flushq+0x19f/frame 0xffffff812205e9a0
hostap_input() at hostap_input+0x8a9/frame 0xffffff812205ea30
ath_rx_pkt() at ath_rx_pkt+0x3fa/frame 0xffffff812205eaa0
ath_rx_proc() at ath_rx_proc+0x290/frame 0xffffff812205eb30
taskqueue_run_locked() at taskqueue_run_locked+0xe6/frame 0xffffff812205eb80
taskqueue_thread_loop() at taskqueue_thread_loop+0xa8/frame 0xffffff812205ebb0
fork_exit() at fork_exit+0x75/frame 0xffffff812205ebf0
fork_trampoline() at fork_trampoline+0xe/frame 0xffffff812205ebf0
--- trap 0, rip = 0, rsp = 0xffffff812205ecb0, rbp = 0 ---

And here are files/lines in r254250 with "printf() patch"):

// No surprise here :)
(kgdb) list *(ieee80211_vap_transmit+0x12b)
0xffffffff8059ad6b is in ieee80211_vap_transmit (/data/src/sys/net80211/ieee80211_output.c:466).
461              * Complain if m->m_nextpkt is set.
462              *
463              * The caller should've pulled this apart for us.
464              */
465             if (m->m_nextpkt != NULL) {
466                     printf("%s: m_nextpkt not NULL?!\n", __func__);
467                     m->m_nextpkt = NULL;
468             }
469
470             /*
(kgdb) list *(pwrsave_flushq+0x19f)
0xffffffff8059f63f is in pwrsave_flushq (/data/src/sys/net80211/ieee80211_power.c:477).
472
473             /* VAP frames, aren't encapsulated */
474             if (ifp != NULL) {
475                     while (ifp_q != NULL) {
476                             m = ifp_q;
477                             ifp_q = m->m_nextpkt;
478                             KASSERT((!(m->m_flags & M_ENCAP)),
479                                 ("%s: vapq with M_ENCAP frame!\n", __func__));
480                             (void) ieee80211_vap_xmitpkt(vap, m);
481                     }
(kgdb) list *(hostap_input+0x8a9)
0xffffffff80588219 is in hostap_input (/data/src/sys/net80211/ieee80211_hostap.c:655).
650                     /*
651                      * For 4-address packets handle WDS discovery
652                      * notifications.  Once a WDS link is setup frames
653                      * are just delivered to the WDS vap (see below).
654                      */
655                     if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap == NULL) {
656                             if (!ieee80211_node_is_authorized(ni)) {
657                                     IEEE80211_DISCARD(vap,
658                                         IEEE80211_MSG_INPUT |
659                                         IEEE80211_MSG_WDS, wh,
(kgdb) list *(ath_rx_proc+0x290)
0xffffffff80308ec0 is in ath_rx_proc (/data/src/sys/dev/ath/if_ath_rx.c:995).
990                      * Process a single frame.
991                      */
992                     bus_dmamap_sync(sc->sc_dmat, bf->bf_dmamap, BUS_DMASYNC_POSTREAD);
993                     bus_dmamap_unload(sc->sc_dmat, bf->bf_dmamap);
994                     bf->bf_m = NULL;
995                     if (ath_rx_pkt(sc, rs, status, tsf, nf, HAL_RX_QUEUE_HP, bf, m))
996                             ngood++;
997     rx_proc_next:
998                     TAILQ_INSERT_TAIL(&sc->sc_rxbuf, bf, bf_list);
999             } while (ath_rxbuf_init(sc, bf) == 0);


-- 
// Black Lion AKA Lev Serebryakov <lev at FreeBSD.org>