From nobody@FreeBSD.org  Sat Oct  8 22:13:30 2011
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id DFDA9106566C
	for <freebsd-gnats-submit@FreeBSD.org>; Sat,  8 Oct 2011 22:13:29 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id C57248FC08
	for <freebsd-gnats-submit@FreeBSD.org>; Sat,  8 Oct 2011 22:13:29 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.4/8.14.4) with ESMTP id p98MDTlJ036813
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 8 Oct 2011 22:13:29 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.4/8.14.4/Submit) id p98MDTGr036810;
	Sat, 8 Oct 2011 22:13:29 GMT
	(envelope-from nobody)
Message-Id: <201110082213.p98MDTGr036810@red.freebsd.org>
Date: Sat, 8 Oct 2011 22:13:29 GMT
From: Rene Ladan <rene@FreeBSD.org>
To: freebsd-gnats-submit@FreeBSD.org
Subject: iwn panic on 9.0-BETA3
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         161407
>Category:       kern
>Synopsis:       [iwn] iwn panic on 9.0-BETA3
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bschmidt
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Oct 08 22:20:07 UTC 2011
>Closed-Date:    Tue Jun 19 06:50:58 UTC 2012
>Last-Modified:  Tue Jun 19 06:50:58 UTC 2012
>Originator:     Rene Ladan
>Release:        9.0-BETA3-amd64
>Organization:
>Environment:
FreeBSD acer 9.0-BETA3 FreeBSD 9.0-BETA3 #0 r225874: Thu Sep 29 16:29:00 CEST 2011     rene@acer:/usr/obj/usr/src/9/sys/ACER  amd64

GENERIC with CAPABILITIES compiled with clang and CPUTYPE?=core2
>Description:
My network card: iwn0: <Intel(R) WiFi Link 5100> mem
0xf5200000-0xf5201fff irq 17 at device 0.0 on pci3

iwn0: flags=8803<UP,BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 2290
       ether 00:26:c6:xx:xx:xx
       nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
       media: IEEE 802.11 Wireless Ethernet autoselect mode 11b
       status: associated

Some snippets from /var/crash/core.txt.24 :

Unread portion of the kernel message buffer:
Kernel page fault with the following non-sleepable locks held:
exclusive sleep mutex iwn0 (network driver) r = 0 (0xffffff8000882018)
locked @ /usr/src/9/sys/dev/iwn/if_iwn.c:3135
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b
kdb_backtrace() at kdb_backtrace+0x39
witness_warn() at witness_warn+0x438
trap() at trap+0x14c
calltrap() at calltrap+0x8
--- trap 0xc, rip = 0xffffffff804fd1c7, rsp = 0xffffff811850a9d0, rbp =
0xffffff811850aa30 ---
iwn_ampdu_tx_done() at iwn_ampdu_tx_done+0xa7
iwn_notif_intr() at iwn_notif_intr+0x523
iwn_intr() at iwn_intr+0x60c
intr_event_execute_handlers() at intr_event_execute_handlers+0x7e
ithread_loop() at ithread_loop+0xf0
fork_exit() at fork_exit+0x80
fork_trampoline() at fork_trampoline+0xe
--- trap 0, rip = 0, rsp = 0xffffff811850ad00, rbp = 0 ---

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0xa
fault code              = supervisor read data, page not present
instruction pointer     = 0x20:0xffffffff804fd1c7
stack pointer           = 0x28:0xffffff811850a9d0
frame pointer           = 0x28:0xffffff811850aa30
code segment            = base 0x0, limit 0xfffff, type 0x1b
                       = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 12 (irq259: iwn0)
trap number             = 12
panic: page fault
cpuid = 0
Uptime: 1h23m24s
Dumping 692 out of 4055 MB:..3%..12%..21%..31%..42%..51%..61%..72%..81%..91%

No symbol "dumptid" in current context.
[...]

#0  sched_switch (td=dwarf2_read_address: Corrupted DWARF expression.
) at /usr/src/9/sys/kern/sched_ule.c:1854
1854    /usr/src/9/sys/kern/sched_ule.c: No such file or directory.
       in /usr/src/9/sys/kern/sched_ule.c
(kgdb) #0  sched_switch (td=dwarf2_read_address: Corrupted DWARF expression.
) at /usr/src/9/sys/kern/sched_ule.c:1854
#1  0xffffffff807f23c9 in mi_switch (flags=dwarf2_read_address:
Corrupted DWARF expression.
)
   at /usr/src/9/sys/kern/kern_synch.c:448
#2  0x0000000000000000 in ?? ()
#3  0xffffff811c0367d0 in ?? ()
#4  0x0000000000000046 in ?? ()
#5  0xffffff811c036810 in ?? ()
#6  0xffffffff807c2075 in intr_event_handle (ie=dwarf2_read_address:
Corrupted DWARF expression.
)
   at /usr/src/9/sys/kern/kern_intr.c:1476
Previous frame inner to this frame (corrupt stack?)

[...]

This was with the MeetingPlaza network during EuroBSDCon 2011, I normally use wired network at home (too much neighbors).

>How-To-Repeat:

>Fix:


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-wireless 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sat Oct 8 23:58:14 UTC 2011 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=161407 

From: Bernhard Schmidt <bschmidt@freebsd.org>
To: Rene Ladan <rene@freebsd.org>
Cc: bug-followup@freebsd.org
Subject: Re: kern/161407: [iwn] iwn panic on 9.0-BETA3
Date: Thu, 13 Oct 2011 15:06:17 +0200

 --Boundary-00=_JJulOFQ1TNWsRFT
 Content-Type: Text/Plain;
   charset="iso-8859-15"
 Content-Transfer-Encoding: 7bit
 
 Hi,
 
 been able to reproduce the panic with an added hack (iwn_bmiss.diff)
 to simulate a beacon miss scenario. Once in RUN state and an AMPDU TX
 session has been started (check debug output of wlandebug +action),
 doing
 
 for x in $(seq 1 100); do
 	sysctl dev.iwn.0.bmiss=1
 	sleep 0.01
 done
 
 while trigger it.
 
 Attached patch (iwn_addba_stop.diff) fixed the issue for me. Wanna
 give it a shot?
 
 Thanks
 
 -- 
 Bernhard
 
 --Boundary-00=_JJulOFQ1TNWsRFT
 Content-Type: text/x-patch;
   charset="ISO-8859-1";
   name="iwn_addba_stop.diff"
 Content-Transfer-Encoding: 7bit
 Content-Disposition: attachment;
 	filename="iwn_addba_stop.diff"
 
 Index: if_iwn.c
 ===================================================================
 --- if_iwn.c	(revision 226336)
 +++ if_iwn.c	(working copy)
 @@ -5641,6 +5641,7 @@ iwn_ampdu_tx_stop(struct ieee80211_node *ni, struc
  	sc->qid2tap[qid] = NULL;
  	free(tap->txa_private, M_DEVBUF);
  	tap->txa_private = NULL;
 +	sc->sc_addba_stop(ni, tap);
  }
  
  static void
 
 --Boundary-00=_JJulOFQ1TNWsRFT
 Content-Type: text/x-patch;
   charset="ISO-8859-1";
   name="iwn_bmiss.diff"
 Content-Transfer-Encoding: 7bit
 Content-Disposition: attachment;
 	filename="iwn_bmiss.diff"
 
 Index: if_iwnvar.h
 ===================================================================
 --- if_iwnvar.h	(revision 226336)
 +++ if_iwnvar.h	(working copy)
 @@ -200,6 +200,7 @@ struct iwn_softc {
  
  	struct ifnet		*sc_ifp;
  	int			sc_debug;
 +	int			sc_bmiss;
  
  	struct mtx		sc_mtx;
  
 Index: if_iwn.c
 ===================================================================
 --- if_iwn.c	(revision 226336)
 +++ if_iwn.c	(working copy)
 @@ -841,6 +841,10 @@ iwn_sysctlattach(struct iwn_softc *sc)
  	SYSCTL_ADD_INT(ctx, SYSCTL_CHILDREN(tree), OID_AUTO,
  	    "debug", CTLFLAG_RW, &sc->sc_debug, 0, "control debugging printfs");
  #endif
 +
 +	sc->sc_bmiss = 0;
 +	SYSCTL_ADD_INT(ctx, SYSCTL_CHILDREN(tree), OID_AUTO,
 +	    "bmiss", CTLFLAG_RW, &sc->sc_bmiss, 0, "simulate beacon miss");
  }
  
  static struct ieee80211vap *
 @@ -3138,6 +3148,20 @@ iwn_intr(void *arg)
  	/* Disable interrupts. */
  	IWN_WRITE(sc, IWN_INT_MASK, 0);
  
 +	if (sc->sc_bmiss) {
 +		struct ieee80211com *ic = ifp->if_l2com;
 +		struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
 +
 +		sc->sc_bmiss = 0;
 +
 +		if (vap->iv_state == IEEE80211_S_RUN &&
 +		    (ic->ic_flags & IEEE80211_F_SCAN) == 0) {
 +			IWN_UNLOCK(sc);
 +			ieee80211_beacon_miss(ic);
 +			IWN_LOCK(sc);
 +		}
 +	}
 +
  	/* Read interrupts from ICT (fast) or from registers (slow). */
  	if (sc->sc_flags & IWN_FLAG_USE_ICT) {
  		tmp = 0;
 
 --Boundary-00=_JJulOFQ1TNWsRFT--
Responsible-Changed-From-To: freebsd-wireless->bschmidt 
Responsible-Changed-By: bschmidt 
Responsible-Changed-When: Mon Oct 24 07:30:15 UTC 2011 
Responsible-Changed-Why:  
grab 

http://www.freebsd.org/cgi/query-pr.cgi?pr=161407 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/161407: commit references a PR
Date: Mon, 24 Oct 2011 07:37:16 +0000 (UTC)

 Author: bschmidt
 Date: Mon Oct 24 07:37:01 2011
 New Revision: 226679
 URL: http://svn.freebsd.org/changeset/base/226679
 
 Log:
   Let net80211 also know about stopped BA sessions. This fixes some issues
   where the driver assumed that BA resources are still available due to
   net80211 saying so.
   
   PR:		161407, 159768
   Tested by:	cperciva, rene
   MFC after:	3 days
 
 Modified:
   head/sys/dev/iwn/if_iwn.c
 
 Modified: head/sys/dev/iwn/if_iwn.c
 ==============================================================================
 --- head/sys/dev/iwn/if_iwn.c	Mon Oct 24 05:26:40 2011	(r226678)
 +++ head/sys/dev/iwn/if_iwn.c	Mon Oct 24 07:37:01 2011	(r226679)
 @@ -5641,6 +5641,7 @@ iwn_ampdu_tx_stop(struct ieee80211_node 
  	sc->qid2tap[qid] = NULL;
  	free(tap->txa_private, M_DEVBUF);
  	tap->txa_private = NULL;
 +	sc->sc_addba_stop(ni, tap);
  }
  
  static void
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/161407: commit references a PR
Date: Wed, 16 Nov 2011 17:40:16 +0000 (UTC)

 Author: bschmidt
 Date: Wed Nov 16 17:39:59 2011
 New Revision: 227570
 URL: http://svn.freebsd.org/changeset/base/227570
 
 Log:
   MFC r226679:
   Let net80211 also know about stopped BA sessions. This fixes some issues
   where the driver assumed that BA resources are still available due to
   net80211 saying so.
   
   PR:		161407, 159768
   Tested by:	cperciva, rene
   Approved by:	re (kib)
 
 Modified:
   stable/9/sys/dev/iwn/if_iwn.c
 Directory Properties:
   stable/9/sys/   (props changed)
 
 Modified: stable/9/sys/dev/iwn/if_iwn.c
 ==============================================================================
 --- stable/9/sys/dev/iwn/if_iwn.c	Wed Nov 16 17:11:13 2011	(r227569)
 +++ stable/9/sys/dev/iwn/if_iwn.c	Wed Nov 16 17:39:59 2011	(r227570)
 @@ -5641,6 +5641,7 @@ iwn_ampdu_tx_stop(struct ieee80211_node 
  	sc->qid2tap[qid] = NULL;
  	free(tap->txa_private, M_DEVBUF);
  	tap->txa_private = NULL;
 +	sc->sc_addba_stop(ni, tap);
  }
  
  static void
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/161407: commit references a PR
Date: Wed, 16 Nov 2011 17:41:39 +0000 (UTC)

 Author: bschmidt
 Date: Wed Nov 16 17:41:31 2011
 New Revision: 227571
 URL: http://svn.freebsd.org/changeset/base/227571
 
 Log:
   MFC r226679:
   Let net80211 also know about stopped BA sessions. This fixes some issues
   where the driver assumed that BA resources are still available due to
   net80211 saying so.
   
   PR:		161407, 159768
   Tested by:	cperciva, rene
   Approved by:	re (kib)
 
 Modified:
   releng/9.0/sys/dev/iwn/if_iwn.c
 Directory Properties:
   releng/9.0/sys/   (props changed)
 
 Modified: releng/9.0/sys/dev/iwn/if_iwn.c
 ==============================================================================
 --- releng/9.0/sys/dev/iwn/if_iwn.c	Wed Nov 16 17:39:59 2011	(r227570)
 +++ releng/9.0/sys/dev/iwn/if_iwn.c	Wed Nov 16 17:41:31 2011	(r227571)
 @@ -5641,6 +5641,7 @@ iwn_ampdu_tx_stop(struct ieee80211_node 
  	sc->qid2tap[qid] = NULL;
  	free(tap->txa_private, M_DEVBUF);
  	tap->txa_private = NULL;
 +	sc->sc_addba_stop(ni, tap);
  }
  
  static void
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: Bernhard Schmidt <bschmidt@freebsd.org>
To: Rene Ladan <rene@freebsd.org>
Cc: bug-followup@freebsd.org
Subject: Re: kern/161407: [iwn] iwn panic on 9.0-BETA3
Date: Mon, 20 Feb 2012 15:03:00 +0100

 Hi,
 
 did you have a chance to look at this again? I think the issue is
 fixed, just waiting on some kind of feedback so I know if I can close
 this PR or not. :)
 
 -- 
 Bernhard

From: =?ISO-8859-1?Q?Ren=E9_Ladan?= <rene@freebsd.org>
To: Bernhard Schmidt <bschmidt@freebsd.org>
Cc: bug-followup@freebsd.org
Subject: Re: kern/161407: [iwn] iwn panic on 9.0-BETA3
Date: Mon, 20 Feb 2012 15:57:49 +0100

 2012/2/20 Bernhard Schmidt <bschmidt@freebsd.org>:
 > Hi,
 >
 > did you have a chance to look at this again? I think the issue is
 > fixed, just waiting on some kind of feedback so I know if I can close
 > this PR or not. :)
 >
 Oops, I completely forgot about this.  I can take a look at it this
 weekend when I'm at my parents place, where WiFi is more reliable
 than at home.
State-Changed-From-To: open->closed 
State-Changed-By: bschmidt 
State-Changed-When: Tue Jun 19 06:50:38 UTC 2012 
State-Changed-Why:  
I guess this is fixed 

http://www.freebsd.org/cgi/query-pr.cgi?pr=161407 
>Unformatted:
