Bug 165214 - [ieee80211] Kernel panic in ieee80211_output.c:2505
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: wireless
Version: 9.0-RELEASE
Hardware: Any Any
: Normal Affects Only Me
Assignee: freebsd-wireless (Nobody)
Reported: 2012-02-16 21:30 UTC by adam.twardowski
Modified: 2018-12-17 05:22 UTC

Description adam.twardowski 2012-02-16 21:30:12 UTC
[513][root.p4: ROUTETABLES]$ # kgdb kernel.debug /var/crash/vmcore.2
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...

Unread portion of the kernel message buffer:


Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x0
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc0746b9d
stack pointer           = 0x28:0xd85acbdc
frame pointer           = 0x28:0xd85acbf4
code segment            = base rx0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 15 (usbus4)
trap number             = 12
panic: page fault
cpuid = 0
KDB: stack backtrace:
#0 0xc069421a at kdb_backtrace+0x43
#1 0xc0663652 at panic+0x114
#2 0xc08fbcb4 at trap_fatal+0x320
#3 0xc08fbd49 at trap_pfault+0x89
#4 0xc08fca67 at trap+0x437
#5 0xc08e6e7c at calltrap+0x6
#6 0xc072b61a at ieee80211_process_callback+0x46
#7 0xc0574743 at urtw_bulk_tx_callback+0x96
#8 0xc056f8ab at usbd_callback_wrapper+0x70c
#9 0xc056bda4 at usb_command_wrapper+0xc5
#10 0xc056e7ce at usb_callback_proc+0x100
#11 0xc0568c8e at usb_process+0xf5
#12 0xc06375db at fork_exit+0x91
#13 0xc08e6ef4 at fork_trampoline+0x8
Uptime: 3h44m34s
Physical memory: 1006 MB
Dumping 209 MB: 194 178 162 146 130 114 98 82 66 50 34 18 2

Reading symbols from /boot/kernel/geom_mirror.ko...Reading symbols from /boot/kernel/geom_mirror.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/geom_mirror.ko
#0  doadump (textdump=1) at pcpu.h:244
244             __asm("movl %%fs:0,%0" : "=r" (td));
(kgdb) list *0xc0746b9d
0xc0746b9d is in ieee80211_tx_mgt_cb (/usr/src/sys/net80211/ieee80211_output.c:2505).
2500    }
2501
2502    static void
2503    ieee80211_tx_mgt_cb(struct ieee80211_node *ni, void *arg, int status)
2504    {
2505            struct ieee80211vap *vap = ni->ni_vap;
2506            enum ieee80211_state ostate = (enum ieee80211_state) arg;
2507
2508            /*
2509             * Frame transmit completed; arrange timer callback.  If
(kgdb) backtrace
#0  doadump (textdump=1) at pcpu.h:244
#1  0xc06633fe in kern_reboot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:442
#2  0xc066368f in panic (fmt=Variable "fmt" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:607
#3  0xc08fbcb4 in trap_fatal (frame=0xd85acb9c, eva=0) at /usr/src/sys/i386/i386/trap.c:975
#4  0xc08fbd49 in trap_pfault (frame=0xd85acb9c, usermode=0, eva=0) at /usr/src/sys/i386/i386/trap.c:839
#5  0xc08fca67 in trap (frame=0xd85acb9c) at /usr/src/sys/i386/i386/trap.c:558
#6  0xc08e6e7c in calltrap () at /usr/src/sys/i386/i386/exception.s:168
#7  0xc0746b9d in ieee80211_tx_mgt_cb (ni=0x0, arg=0x2, status=0) at /usr/src/sys/net80211/ieee80211_output.c:2504
#8  0xc072b61a in ieee80211_process_callback (ni=0x0, m=0xc818f100, status=0) at /usr/src/sys/net80211/ieee80211_freebsd.c:478
#9  0xc0574743 in urtw_bulk_tx_callback (xfer=0xc3cc9168, error=USB_ERR_NORMAL_COMPLETION) at /usr/src/sys/dev/usb/wlan/if_urtw.c:4176
#10 0xc056f8ab in usbd_callback_wrapper (pq=0xc3cc9030) at /usr/src/sys/dev/usb/usb_transfer.c:2231
#11 0xc056bda4 in usb_command_wrapper (pq=0xc3cc9030, xfer=0x0) at /usr/src/sys/dev/usb/usb_transfer.c:2860
#12 0xc056e7ce in usb_callback_proc (_pm=0xc3cc9044) at /usr/src/sys/dev/usb/usb_transfer.c:2096
#13 0xc0568c8e in usb_process (arg=0xc3a96ccc) at /usr/src/sys/dev/usb/usb_process.c:170
#14 0xc06375db in fork_exit (callout=0xc0568b99 <usb_process>, arg=0xc3a96ccc, frame=0xd85acd28) at /usr/src/sys/kern/kern_fork.c:995
#15 0xc08e6ef4 in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:275
(kgdb)

How-To-Repeat: Not sure, seems to happen randomly.  I did notice that it happened about 15 min after the wireless link went down.  The adapter is an Alfa AWUS036H.

urtw0: <vendor 0x0bda product 0x8187, class 0/0, rev 2.00/1.00, addr 2> on usbus4
urtw0: unknown RTL8187L type: 0x8000000


Feb 16 05:51:17 p4 kernel: wlan0: link state changed to DOWN
Feb 16 06:06:36 p4 syslogd: kernel boot file is /boot/kernel/kernel
Feb 16 06:06:37 p4 kernel: Copyright (c) 1992-2012 The FreeBSD Project.
Feb 16 06:06:37 p4 kernel: Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2012-02-17 20:25:58 UTC
Responsible Changed
From-To: freebsd-bugs->freebsd-wireless

Over to maintainer(s).
Comment 2 Eitan Adler freebsd_committer freebsd_triage 2018-05-28 19:42:09 UTC
batch change:

For bugs that match the following
-  Status Is In progress 
AND
- Untouched since 2018-01-01.
AND
- Affects Base System OR Documentation

DO:

Reset to open status.


Note:
I did a quick pass but if you are getting this email it might be worthwhile to double check to see if this bug ought to be closed.
Comment 3 Andriy Voskoboinyk freebsd_committer freebsd_triage 2018-12-17 05:22:33 UTC
Fixed in base r287197 (ieee80211_tx_complete will process callback only if ni != NULL).
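
The guard described in Comment 3, shown as an added user-space model that is not FreeBSD source and not part of this bug report. All `model_` names are hypothetical stand-ins; the callback mirrors the faulting function in that its first statement reads through `ni`, and the no-node case uses the arguments from frame #7 of the backtrace (ni=0x0, arg=0x2, status=0).

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-ins; not the real net80211 structures. */
struct model_vap  { int mgt_timer_armed; };
struct model_node { struct model_vap *vap; int refcnt; };
typedef void (*model_txcb)(struct model_node *, void *, int);

struct model_frame {
    struct model_node *ni;  /* NULL when no node is attached to the frame */
    model_txcb cb;          /* completion callback attached to the frame */
    void *cb_arg;
};

/* Same shape as the faulting function: its first statement reads through ni. */
static void model_tx_mgt_cb(struct model_node *ni, void *arg, int status)
{
    struct model_vap *vap = ni->vap;  /* reads address 0 if ni == NULL */
    (void)arg; (void)status;
    vap->mgt_timer_armed = 1;
}

/* Guarded completion: callback and reference drop happen only when a node
 * is present. Returns 1 if the callback ran, 0 if it was skipped. */
static int model_tx_complete(struct model_frame *f, int status)
{
    int ran = 0;
    if (f->ni != NULL) {
        if (f->cb != NULL) { f->cb(f->ni, f->cb_arg, status); ran = 1; }
        f->ni->refcnt--;
    }
    return ran;
}

/* The crash case from the backtrace: ni=0x0, arg=0x2, status=0. */
int model_complete_without_node(void)
{
    struct model_frame f = { NULL, model_tx_mgt_cb, (void *)(uintptr_t)2 };
    return model_tx_complete(&f, 0);
}

/* Normal case: packs callback-ran flag, timer flag and refcount as digits. */
int model_complete_with_node(void)
{
    struct model_vap vap = { 0 };
    struct model_node ni = { &vap, 1 };
    struct model_frame f = { &ni, model_tx_mgt_cb, (void *)(uintptr_t)2 };
    int ran = model_tx_complete(&f, 0);
    return ran * 100 + vap.mgt_timer_armed * 10 + ni.refcnt;
}
```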