From nobody@FreeBSD.org  Mon Aug 31 21:38:55 2009
Message-Id: <200908312138.n7VLcsGe035781@www.freebsd.org>
Date: Mon, 31 Aug 2009 21:38:54 GMT
From: Marcin Nowak <marcin.nowak@simplusnet.pl>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Kernel panic after trying set monitor wlanmode on Intel 3945 ABG (wpi driver)
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         138427
>Category:       kern
>Synopsis:       [wpi] [panic] Kernel panic after trying set monitor wlanmode on Intel 3945 ABG (wpi driver)
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-net
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Aug 31 21:40:06 UTC 2009
>Closed-Date:    Sun Dec 19 10:42:16 UTC 2010
>Last-Modified:  Sun Dec 26 14:20:08 UTC 2010
>Originator:     Marcin Nowak
>Release:        Current
>Organization:
>Environment:
>Description:
Kernel panic after trying to set monitor wlanmode on Intel 3945 ABG (wpi driver)

I did it this way:

# ifconfig wlan0 create wlandev wpi0 wlanmode monitor

>How-To-Repeat:
Just try to set that ;-)
>Fix:


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-net 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Tue Sep 1 05:32:27 UTC 2009 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=138427 

From: Henry Hu <henry.hu.sh@gmail.com>
To: bug-followup@FreeBSD.org, marcin.nowak@simplusnet.pl
Cc:  
Subject: Re: kern/138427: [wpi] [panic] Kernel panic after trying set monitor 
	wlanmode on Intel 3945 ABG (wpi driver)
Date: Thu, 25 Mar 2010 23:40:26 +0800

 Me too. Backtrace:
 
 
 (kgdb) where
 #0  doadump () at pcpu.h:246
 #1  0xc0637af7 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:416
 #2  0xc0637e02 in panic (fmt=Variable "fmt" is not available.
 ) at /usr/src/sys/kern/kern_shutdown.c:579
 #3  0xc08bd983 in trap_fatal (frame=0xf09caaa8, eva=20) at
 /usr/src/sys/i386/i386/trap.c:938
 #4  0xc08be2b7 in trap (frame=0xf09caaa8) at /usr/src/sys/i386/i386/trap.c:328
 #5  0xc08a0bbb in calltrap () at /usr/src/sys/i386/i386/exception.s:165
 #6  0xc06736bf in turnstile_broadcast (ts=0x0, queue=0) at
 /usr/src/sys/kern/subr_turnstile.c:832
 #7  0xc0628129 in _mtx_unlock_sleep (m=0xc6d2b008, opts=0, file=0x0,
 line=0) at /usr/src/sys/kern/kern_mutex.c:677
 #8  0xc06286c4 in unlock_mtx (lock=0xc6d2b008) at
 /usr/src/sys/kern/kern_mutex.c:164
 #9  0xc06409e7 in _sleep (ident=0xf0bd1b60, lock=0xc6d2b008,
 priority=256, wmesg=0xc8c3a896 "wpicmd", timo=100) at
 /usr/src/sys/kern/kern_synch.c:204
 #10 0xc8c34369 in wpi_cmd (sc=0xc6d2b000, code=Variable "code" is not available.
 ) at /usr/src/sys/modules/wpi/../../dev/wpi/if_wpi.c:2210
 #11 0xc8c3709b in wpi_config (sc=0xc6d2b000) at
 /usr/src/sys/modules/wpi/../../dev/wpi/if_wpi.c:2771
 #12 0xc8c374d7 in wpi_set_channel (ic=0xc8c3d000) at
 /usr/src/sys/modules/wpi/../../dev/wpi/if_wpi.c:3555
 #13 0xc0729913 in update_channel (arg=0xc8c3d000, npending=1) at
 /usr/src/sys/net80211/ieee80211_proto.c:1119
 #14 0xc06711a2 in taskqueue_run (queue=0xc81dc100) at
 /usr/src/sys/kern/subr_taskqueue.c:239
 #15 0xc06713ad in taskqueue_thread_loop (arg=0xc8c3d074) at
 /usr/src/sys/kern/subr_taskqueue.c:360
 #16 0xc060c661 in fork_exit (callout=0xc06712f0
 <taskqueue_thread_loop>, arg=0xc8c3d074, frame=0xf09cad38) at
 /usr/src/sys/kern/kern_fork.c:843
 #17 0xc08a0c30 in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:270
 (kgdb) frame 7
 #7  0xc0628129 in _mtx_unlock_sleep (m=0xc6d2b008, opts=0, file=0x0,
 line=0) at /usr/src/sys/kern/kern_mutex.c:677
 677             turnstile_broadcast(ts, TS_EXCLUSIVE_QUEUE);
 (kgdb) l
 672             turnstile_chain_lock(&m->lock_object);
 673             ts = turnstile_lookup(&m->lock_object);
 674             if (LOCK_LOG_TEST(&m->lock_object, opts))
 675                     CTR1(KTR_LOCK, "_mtx_unlock_sleep: %p contested", m);
 676             MPASS(ts != NULL);
 677             turnstile_broadcast(ts, TS_EXCLUSIVE_QUEUE);
 678             _release_lock_quick(m);
 679
 680             /*
 681              * This turnstile is now no longer associated with the
 mutex.  We can
 (kgdb) p ts
 $13 = (struct turnstile *) 0x0
 (kgdb) frame 10
 #10 0xc8c34369 in wpi_cmd (sc=0xc6d2b000, code=Variable "code" is not available.
 ) at /usr/src/sys/modules/wpi/../../dev/wpi/if_wpi.c:2210
 2210            return msleep(cmd, &sc->sc_mtx, PCATCH, "wpicmd", hz);
 (kgdb) l
 2205            if (async) {
 2206                    sc->flags &= ~ WPI_FLAG_BUSY;
 2207                    return 0;
 2208            }
 2209
 2210            return msleep(cmd, &sc->sc_mtx, PCATCH, "wpicmd", hz);
 2211    }
 2212
 2213    static int
 2214    wpi_wme_update(struct ieee80211com *ic)
 (kgdb) frame 7
 #7  0xc0628129 in _mtx_unlock_sleep (m=0xc6d2b008, opts=0, file=0x0,
 line=0) at /usr/src/sys/kern/kern_mutex.c:677
 677             turnstile_broadcast(ts, TS_EXCLUSIVE_QUEUE);
 (kgdb) p *m
 $14 = {lock_object = {lo_name = 0xc655f1a0 "wpi0", lo_flags =
 16973824, lo_data = 0, lo_witness = 0x0}, mtx_lock = 3358744576}
 (kgdb) frame 10
 #10 0xc8c34369 in wpi_cmd (sc=0xc6d2b000, code=Variable "code" is not available.
 ) at /usr/src/sys/modules/wpi/../../dev/wpi/if_wpi.c:2210
 2210            return msleep(cmd, &sc->sc_mtx, PCATCH, "wpicmd", hz);
 (kgdb) p sc->sc_mtx
 $15 = {lock_object = {lo_name = 0xc655f1a0 "wpi0", lo_flags =
 16973824, lo_data = 0, lo_witness = 0x0}, mtx_lock = 3358744576}
 
 It seems like turnstile_lookup failed.
 The driver works well in normal mode.
 
 -- 
 Cheers,
 Henry

From: Henry Hu <henry.hu.sh@gmail.com>
To: bug-followup@FreeBSD.org, marcin.nowak@simplusnet.pl
Cc:  
Subject: Re: kern/138427: [wpi] [panic] Kernel panic after trying set monitor 
	wlanmode on Intel 3945 ABG (wpi driver)
Date: Fri, 26 Mar 2010 00:19:14 +0800

 --00163628426c61e9260482a26872
 Content-Type: text/plain; charset=ISO-8859-1
 
 OK, maybe I've found the problem.
 In wpi_set_channel, when in monitor mode, wpi_config is called without
 locks. However, it thinks that the lock is held. So the problem
 occurs.
 See the attached patch. Now I'm capturing in monitor mode with wireshark.
 
 -- 
 Cheers,
 Henry
 
 --00163628426c61e9260482a26872
 Content-Type: application/octet-stream; name="wpi.diff"
 Content-Disposition: attachment; filename="wpi.diff"
 Content-Transfer-Encoding: base64
 X-Attachment-Id: f_g77rnz290
 
 --00163628426c61e9260482a26872--
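
The locking contract described in the message above, as an added userland example (not part of this PR or of the FreeBSD source): a sleep primitive releases the mutex it is handed, so a caller that never took it fails at the release. `struct softc`, `model_sleep`, `model_config` and `model_set_channel` are hypothetical names, and a POSIX error-checking mutex stands in for the kernel mutex.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pthread.h>

struct softc { pthread_mutex_t mtx; };	/* hypothetical stand-in for the driver softc */

static void softc_init(struct softc *sc)
{
	pthread_mutexattr_t attr;
	pthread_mutexattr_init(&attr);
	/* ERRORCHECK: unlocking a mutex the caller does not own returns EPERM. */
	pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK);
	pthread_mutex_init(&sc->mtx, &attr);
	pthread_mutexattr_destroy(&attr);
}

/* Model of a sleep primitive: release the mutex, wait, take it back. */
static int model_sleep(pthread_mutex_t *mtx)
{
	int error = pthread_mutex_unlock(mtx);
	if (error != 0)
		return error;		/* caller never held the mutex */
	/* A real primitive would block here until woken or timed out. */
	return pthread_mutex_lock(mtx);
}

/* Plays the role of wpi_config() -> wpi_cmd(): ends by sleeping on the mutex. */
static int model_config(struct softc *sc)
{
	return model_sleep(&sc->mtx);
}

/* Constructed entry point: take_lock == 0 models the unpatched call path. */
int model_set_channel(int take_lock)
{
	struct softc sc;
	int error;
	softc_init(&sc);
	if (take_lock)
		pthread_mutex_lock(&sc.mtx);
	error = model_config(&sc);
	if (take_lock)
		pthread_mutex_unlock(&sc.mtx);
	pthread_mutex_destroy(&sc.mtx);
	return error;
}

int main(void) { return model_set_channel(1) != 0 || model_set_channel(0) != EPERM; }
```

Build with `cc -pthread`; the program exits 0 when the locked path succeeds and the unlocked path is rejected with EPERM.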

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/138427: commit references a PR
Date: Sun, 19 Dec 2010 10:36:11 +0000 (UTC)

 Author: bschmidt
 Date: Sun Dec 19 10:36:06 2010
 New Revision: 216557
 URL: http://svn.freebsd.org/changeset/base/216557
 
 Log:
   Fix panic trying to use monitor mode. The iwn_cmd() calls issued by
   iwn_config() want to msleep() on the mutex.
   
   PR:		kern/138427
   Submitted by:	Henry Hu <henry.hu.sh at gmail.com>
   MFC after:	3 days
 
 Modified:
   head/sys/dev/wpi/if_wpi.c
 
 Modified: head/sys/dev/wpi/if_wpi.c
 ==============================================================================
 --- head/sys/dev/wpi/if_wpi.c	Sun Dec 19 09:18:14 2010	(r216556)
 +++ head/sys/dev/wpi/if_wpi.c	Sun Dec 19 10:36:06 2010	(r216557)
 @@ -3561,7 +3561,9 @@ wpi_set_channel(struct ieee80211com *ic)
  	 * are already taken care of by their respective firmware commands.
  	 */
  	if (ic->ic_opmode == IEEE80211_M_MONITOR) {
 +		WPI_LOCK(sc);
  		error = wpi_config(sc);
 +		WPI_UNLOCK(sc);
  		if (error != 0)
  			device_printf(sc->sc_dev,
  			    "error %d settting channel\n", error);
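Review bot: the requirement that wpi_config() run with the softc mutex held is still only implicit at the call this hunk wraps in WPI_LOCK(sc)/WPI_UNLOCK(sc). The backtrace in this PR shows wpi_cmd() ending in msleep(cmd, &sc->sc_mtx, PCATCH, "wpicmd", hz), so an mtx_assert(&sc->sc_mtx, MA_OWNED) at the top of wpi_cmd() or wpi_config(), if one is not already there, would make any other unlocked caller fail at the assertion on an INVARIANTS kernel rather than in turnstile_broadcast() with ts == NULL.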
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: open->closed 
State-Changed-By: bschmidt 
State-Changed-When: Sun Dec 19 10:41:31 UTC 2010 
State-Changed-Why:  
Patch confirmed and committed, thanks. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=138427 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/138427: commit references a PR
Date: Sun, 26 Dec 2010 14:09:11 +0000 (UTC)

 Author: bschmidt
 Date: Sun Dec 26 14:09:06 2010
 New Revision: 216709
 URL: http://svn.freebsd.org/changeset/base/216709
 
 Log:
   MFC r216557:
   Fix panic while trying to use monitor mode. The iwn_cmd() calls issued by
   iwn_config() want to msleep() on the mutex.
   
   PR:		kern/138427
   Submitted by:	Henry Hu <henry.hu.sh at gmail.com>
   Approved by:	re (kib)
 
 Modified:
   stable/8/sys/dev/wpi/if_wpi.c
 Directory Properties:
   stable/8/sys/   (props changed)
   stable/8/sys/amd64/include/xen/   (props changed)
   stable/8/sys/cddl/contrib/opensolaris/   (props changed)
   stable/8/sys/contrib/dev/acpica/   (props changed)
   stable/8/sys/contrib/pf/   (props changed)
 
 Modified: stable/8/sys/dev/wpi/if_wpi.c
 ==============================================================================
 --- stable/8/sys/dev/wpi/if_wpi.c	Sun Dec 26 13:57:05 2010	(r216708)
 +++ stable/8/sys/dev/wpi/if_wpi.c	Sun Dec 26 14:09:06 2010	(r216709)
 @@ -3561,7 +3561,9 @@ wpi_set_channel(struct ieee80211com *ic)
  	 * are already taken care of by their respective firmware commands.
  	 */
  	if (ic->ic_opmode == IEEE80211_M_MONITOR) {
 +		WPI_LOCK(sc);
  		error = wpi_config(sc);
 +		WPI_UNLOCK(sc);
  		if (error != 0)
  			device_printf(sc->sc_dev,
  			    "error %d settting channel\n", error);
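Review bot: the device_printf() string in the trailing context lines, "error %d settting channel\n", spells "setting" with three t's. Since this change touches the lines directly above it, the message could be corrected in the same area so that the console text matches what someone would search for.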
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/138427: commit references a PR
Date: Sun, 26 Dec 2010 14:10:18 +0000 (UTC)

 Author: bschmidt
 Date: Sun Dec 26 14:10:12 2010
 New Revision: 216710
 URL: http://svn.freebsd.org/changeset/base/216710
 
 Log:
   MFC r216557:
   Fix panic while trying to use monitor mode. The iwn_cmd() calls issued by
   iwn_config() want to msleep() on the mutex.
   
   PR:		kern/138427
   Submitted by:	Henry Hu <henry.hu.sh at gmail.com>
   Approved by:	re (kib)
 
 Modified:
   releng/8.2/sys/dev/wpi/if_wpi.c
 Directory Properties:
   releng/8.2/sys/   (props changed)
   releng/8.2/sys/amd64/include/xen/   (props changed)
   releng/8.2/sys/cddl/contrib/opensolaris/   (props changed)
   releng/8.2/sys/contrib/dev/acpica/   (props changed)
   releng/8.2/sys/contrib/pf/   (props changed)
 
 Modified: releng/8.2/sys/dev/wpi/if_wpi.c
 ==============================================================================
 --- releng/8.2/sys/dev/wpi/if_wpi.c	Sun Dec 26 14:09:06 2010	(r216709)
 +++ releng/8.2/sys/dev/wpi/if_wpi.c	Sun Dec 26 14:10:12 2010	(r216710)
 @@ -3561,7 +3561,9 @@ wpi_set_channel(struct ieee80211com *ic)
  	 * are already taken care of by their respective firmware commands.
  	 */
  	if (ic->ic_opmode == IEEE80211_M_MONITOR) {
 +		WPI_LOCK(sc);
  		error = wpi_config(sc);
 +		WPI_UNLOCK(sc);
  		if (error != 0)
  			device_printf(sc->sc_dev,
  			    "error %d settting channel\n", error);
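Review bot: the log message attached to this hunk refers to iwn_cmd() and iwn_config(), while the call placed between WPI_LOCK(sc) and WPI_UNLOCK(sc) here is wpi_config() in if_wpi.c, and the function sleeping on the mutex in the PR's backtrace is wpi_cmd(). Naming the wpi functions in the log would make the change easier to find when searching this driver's history.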
 
>Unformatted:
