Bug 250424

Summary: [rtwn] a USB device could panic under load: panic: not an HT sta
Product: Base System
Reporter: vidwer+fbsdbugs
Component: wireless
Assignee: freebsd-wireless (Nobody) <wireless>
Status: New ---
Severity: Affects Only Me
CC: bz
Priority: ---
Version: CURRENT
Hardware: Any
OS: Any

Description vidwer+fbsdbugs 2020-10-17 21:08:18 UTC
This panic has been observed when updating /usr/ports/ using git. git was the only userland tool generating frames.

From kgdb:
Reading symbols from /usr/lib/debug/boot/kernel/kernel.debug...

Unread portion of the kernel message buffer:
panic: not an HT sta
cpuid = 3
time = 1602954519
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00107e6770
vpanic() at vpanic+0x182/frame 0xfffffe00107e67c0
panic() at panic+0x43/frame 0xfffffe00107e6820
ieee80211_ampdu_reorder() at ieee80211_ampdu_reorder+0x9c6/frame 0xfffffe00107e68c0
sta_input() at sta_input+0xc38/frame 0xfffffe00107e6960
ieee80211_input_mimo() at ieee80211_input_mimo+0x219/frame 0xfffffe00107e6a10
rtwn_bulk_rx_callback() at rtwn_bulk_rx_callback+0x2ab/frame 0xfffffe00107e6a80
usbd_callback_wrapper() at usbd_callback_wrapper+0x85e/frame 0xfffffe00107e6ac0
usb_command_wrapper() at usb_command_wrapper+0x7e/frame 0xfffffe00107e6ae0
usb_callback_proc() at usb_callback_proc+0x8e/frame 0xfffffe00107e6b00
usb_process() at usb_process+0xf3/frame 0xfffffe00107e6b30
fork_exit() at fork_exit+0x80/frame 0xfffffe00107e6b70
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe00107e6b70
--- trap 0, rip = 0, rsp = 0, rbp = 0 ---
KDB: enter: panic

__curthread () at /usr/src/sys/amd64/include/pcpu_aux.h:55
55              __asm("movq %%gs:%P1,%0" : "=r" (td) : "n" (offsetof(struct pcpu,
(kgdb) bt
#0  __curthread () at /usr/src/sys/amd64/include/pcpu_aux.h:55
#1  doadump (textdump=0) at /usr/src/sys/kern/kern_shutdown.c:394
#2  0xffffffff804a0a8a in db_dump (dummy=<optimized out>, dummy2=<optimized out>, dummy3=<unavailable>, dummy4=<unavailable>) at /usr/src/sys/ddb/db_command.c:575
#3  0xffffffff804a0850 in db_command (last_cmdp=<optimized out>, cmd_table=<optimized out>, dopager=1) at /usr/src/sys/ddb/db_command.c:482
#4  0xffffffff804a05ad in db_command_loop () at /usr/src/sys/ddb/db_command.c:535
#5  0xffffffff804a38c6 in db_trap (type=<optimized out>, code=<optimized out>) at /usr/src/sys/ddb/db_main.c:270
#6  0xffffffff80c255d4 in kdb_trap (type=3, code=0, tf=<optimized out>) at /usr/src/sys/kern/subr_kdb.c:699
#7  0xffffffff81021dde in trap (frame=0xfffffe00107e66a0) at /usr/src/sys/amd64/amd64/trap.c:576
#8  <signal handler called>
#9  kdb_enter (why=0xffffffff8120c497 "panic", msg=<optimized out>) at /usr/src/sys/kern/subr_kdb.c:486
#10 0xffffffff80bd996e in vpanic (fmt=<optimized out>, ap=<optimized out>) at /usr/src/sys/kern/kern_shutdown.c:901
#11 0xffffffff80bd9713 in panic (fmt=0xffffffff81c88468 <cnputs_mtx> "\270\331\034\201\377\377\377\377") at /usr/src/sys/kern/kern_shutdown.c:838
#12 0xffffffff80d3f036 in ieee80211_ampdu_reorder (ni=0xfffffe0065ab7000, m=0xfffff8012b7e7900, rxs=0xfffffe00107e6660) at /usr/src/sys/net80211/ieee80211_ht.c:1018
#13 0xffffffff80d6a898 in sta_input (ni=<optimized out>, m=0xfffff8012b7e7900, rxs=0xfffffe00107e6978, rssi=<optimized out>, nf=<optimized out>) at /usr/src/sys/net80211/ieee80211_sta.c:678
#14 0xffffffff80d45f59 in ieee80211_input_mimo (ni=0xfffffe0065ab7000, m=0xfffff8012b7e7900) at /usr/src/sys/net80211/ieee80211_input.c:101
#15 0xffffffff829423ab in rtwn_bulk_rx_callback (xfer=<optimized out>, error=<optimized out>) at /usr/src/sys/dev/rtwn/usb/rtwn_usb_rx.c:419
#16 0xffffffff80a0c5ee in usbd_callback_wrapper (pq=<optimized out>) at /usr/src/sys/dev/usb/usb_transfer.c:2483
#17 0xffffffff80a0d94e in usb_command_wrapper (pq=0xfffffe0065559060, xfer=<optimized out>) at /usr/src/sys/dev/usb/usb_transfer.c:3136
#18 0xffffffff80a0c76e in usb_callback_proc (_pm=<optimized out>) at /usr/src/sys/dev/usb/usb_transfer.c:2346
#19 0xffffffff80a074a3 in usb_process (arg=0xfffffe004bb294e0) at /usr/src/sys/dev/usb/usb_process.c:178
#20 0xffffffff80b94950 in fork_exit (callout=0xffffffff80a073b0 <usb_process>, arg=0xfffffe004bb294e0, frame=0xfffffe00107e6b80) at /usr/src/sys/kern/kern_fork.c:1052
#21 <signal handler called>

Comment 1 vidwer+fbsdbugs 2020-10-17 21:18:00 UTC
Device details: RTL8188EU, 0x0bda:0x8179.