From nobody@FreeBSD.org  Fri May 11 19:54:03 2012
Return-Path: <nobody@FreeBSD.org>
Message-Id: <201205111954.q4BJs3oG006155@red.freebsd.org>
Date: Fri, 11 May 2012 19:54:03 GMT
From: Bojan Petrovic <bojan_petrovic@fastmail.fm>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [iwn] iwn driver panic on 9.0-STABLE-amd64
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         167806
>Category:       kern
>Synopsis:       [iwn] iwn driver panic on 9.0-STABLE-amd64
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bschmidt
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri May 11 20:00:34 UTC 2012
>Closed-Date:    Mon Jul 02 06:50:08 UTC 2012
>Last-Modified:  Thu May 23 03:50:00 UTC 2013
>Originator:     Bojan Petrovic
>Release:        9.0-STABLE-amd64
>Organization:
>Environment:
FreeBSD alpha-60 9.0-STABLE FreeBSD 9.0-STABLE #0: Tue May  1 14:51:47 CEST 2012     root@alpha-60:/usr/obj/usr/src/sys/SL510_9.0  amd64

>Description:
Network card:

iwn0: <Intel Centrino Wireless-N 1000> mem 0xf0600000-0xf0601fff irq 19 at device 0.0 on pci5

iwn0@pci0:5:0:0:	class=0x028000 card=0x13158086 chip=0x00848086 rev=0x00 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = 'Centrino Wireless-N 1000'
    class      = network

The kernel seems to panic mostly when playing flash video on a bad wifi network.

Output of interaction with "kgdb kernel.debug ~/cores/vmcore.1":


Unread portion of the kernel message buffer:


Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 01
fault virtual address	= 0x1e
fault code		= supervisor read data, page not present
instruction pointer	= 0x20:0xffffffff8058353b
stack pointer	        = 0x28:0xffffff80738cc8e0
frame pointer	        = 0x28:0xffffff80738cc940
code segment		= base 0x0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags	= interrupt enabled, resume, IOPL = 0
current process		= 12 (irq257: iwn0)
trap number		= 12
panic: page fault
cpuid = 1
KDB: stack backtrace:
#0 0xffffffff808f9afe at kdb_backtrace+0x5e
#1 0xffffffff808c1c57 at panic+0x187
#2 0xffffffff80bbada0 at trap_fatal+0x290
#3 0xffffffff80bbb14f at trap_pfault+0x25f
#4 0xffffffff80bbb613 at trap+0x373
#5 0xffffffff80ba5d93 at calltrap+0x8
#6 0xffffffff805892ad at iwn_notif_intr+0x3ad
#7 0xffffffff8058b56b at iwn_intr+0x30b
#8 0xffffffff80894d04 at intr_event_execute_handlers+0x104
#9 0xffffffff80896484 at ithread_loop+0xa4
#10 0xffffffff8089193f at fork_exit+0x11f
#11 0xffffffff80ba62be at fork_trampoline+0xe
Uptime: 26m52s
#0  doadump (textdump=Variable "textdump" is not available.
) at pcpu.h:224
224		__asm("movq %%gs:0,%0" : "=r" (td));
(kgdb) bt
#0  doadump (textdump=Variable "textdump" is not available.
) at pcpu.h:224
#1  0xffffffff808c1795 in kern_reboot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:442
#2  0xffffffff808c1c41 in panic (fmt=Variable "fmt" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:607
#3  0xffffffff80bbada0 in trap_fatal (frame=0xc, eva=Variable "eva" is not available.
) at /usr/src/sys/amd64/amd64/trap.c:843
#4  0xffffffff80bbb14f in trap_pfault (frame=0xffffff80738cc830, usermode=0) at /usr/src/sys/amd64/amd64/trap.c:759
#5  0xffffffff80bbb613 in trap (frame=0xffffff80738cc830) at /usr/src/sys/amd64/amd64/trap.c:454
#6  0xffffffff80ba5d93 in calltrap () at /usr/src/sys/amd64/amd64/exception.S:228
#7  0xffffffff8058353b in iwn_ampdu_tx_done (sc=0xffffff8000782000, qid=Variable "qid" is not available.
) at /usr/src/sys/dev/iwn/if_iwn.c:2825
#8  0xffffffff805892ad in iwn_notif_intr (sc=0xffffff8000782000) at /usr/src/sys/dev/iwn/if_iwn.c:2900
#9  0xffffffff8058b56b in iwn_intr (arg=dwarf2_read_address: Corrupted DWARF expression.
) at /usr/src/sys/dev/iwn/if_iwn.c:3191
#10 0xffffffff80894d04 in intr_event_execute_handlers (p=Variable "p" is not available.
) at /usr/src/sys/kern/kern_intr.c:1260
#11 0xffffffff80896484 in ithread_loop (arg=0xfffffe0002854380) at /usr/src/sys/kern/kern_intr.c:1273
#12 0xffffffff8089193f in fork_exit (callout=0xffffffff808963e0 <ithread_loop>, arg=0xfffffe0002854380, frame=0xffffff80738ccc00) at /usr/src/sys/kern/kern_fork.c:992
#13 0xffffffff80ba62be in fork_trampoline () at /usr/src/sys/amd64/amd64/exception.S:602
#14 0x0000000000000000 in ?? ()
#15 0x0000000000000000 in ?? ()
#16 0x0000000000000001 in ?? ()
#17 0x0000000000000000 in ?? ()
#18 0x0000000000000000 in ?? ()
#19 0x0000000000000000 in ?? ()
#20 0x0000000000000000 in ?? ()
#21 0x0000000000000000 in ?? ()
#22 0x0000000000000000 in ?? ()
#23 0x0000000000000000 in ?? ()
#24 0x0000000000000000 in ?? ()
#25 0x0000000000000000 in ?? ()
#26 0x0000000000000000 in ?? ()
#27 0x0000000000000000 in ?? ()
#28 0x0000000000000000 in ?? ()
#29 0x0000000000000000 in ?? ()
#30 0x0000000000000000 in ?? ()
#31 0x0000000000000000 in ?? ()
#32 0x0000000000000000 in ?? ()
#33 0x0000000000000000 in ?? ()
#34 0x0000000000000000 in ?? ()
#35 0x0000000000000000 in ?? ()
#36 0x0000000000000000 in ?? ()
#37 0x0000000000000000 in ?? ()
#38 0x0000000000000001 in ?? ()
#39 0xffffffff81244900 in affinity ()
#40 0xfffffe0002750460 in ?? ()
#41 0xfffffe0002750460 in ?? ()
#42 0xffffff80738cc3d0 in ?? ()
#43 0xffffff80738cc378 in ?? ()
#44 0xfffffe0002483460 in ?? ()
#45 0xffffffff808ec6cd in sched_switch (td=0x0, newtd=0xfffffe0002854380, flags=Variable "flags" is not available.
) at /usr/src/sys/kern/sched_ule.c:1890
Previous frame inner to this frame (corrupt stack?)
(kgdb) up 7
#7  0xffffffff8058353b in iwn_ampdu_tx_done (sc=0xffffff8000782000, qid=Variable "qid" is not available.
) at /usr/src/sys/dev/iwn/if_iwn.c:2825
2825			ni = data->ni, data->ni = NULL;
(kgdb) up 7
#7  0xffffffff8058353b in iwn_ampdu_tx_done (sc=0xffffff8000782000, qid=Variable "qid" is not available.
) at /usr/src/sys/dev/iwn/if_iwn.c:2825
2825			ni = data->ni, data->ni = NULL;
(kgdb) up
#8  0xffffffff805892ad in iwn_notif_intr (sc=0xffffff8000782000) at /usr/src/sys/dev/iwn/if_iwn.c:2900
2900				ops->tx_done(sc, desc, data);
(kgdb) p sc->ops->tx_done
$1 = (void (*)(struct iwn_softc *, struct iwn_rx_desc *, struct iwn_rx_data *)) 0xffffffff805837e0 <iwn5000_tx_done>
(kgdb) l iwn5000_tx_done
2625	}
2626	
2627	static void
2628	iwn5000_tx_done(struct iwn_softc *sc, struct iwn_rx_desc *desc,
2629	    struct iwn_rx_data *data)
2630	{
2631		struct iwn5000_tx_stat *stat = (struct iwn5000_tx_stat *)(desc + 1);
2632		struct iwn_tx_ring *ring;
2633		int qid;
2634	
(kgdb) 
2635		qid = desc->qid & 0xf;
2636		ring = &sc->txq[qid];
2637	
2638		DPRINTF(sc, IWN_DEBUG_XMIT, "%s: "
2639		    "qid %d idx %d retries %d nkill %d rate %x duration %d status %x\n",
2640		    __func__, desc->qid, desc->idx, stat->ackfailcnt,
2641		    stat->btkillcnt, stat->rate, le16toh(stat->duration),
2642		    le32toh(stat->status));
2643	
2644	#ifdef notyet
(kgdb) down
#7  0xffffffff8058353b in iwn_ampdu_tx_done (sc=0xffffff8000782000, qid=Variable "qid" is not available.
) at /usr/src/sys/dev/iwn/if_iwn.c:2825
2825			ni = data->ni, data->ni = NULL;
(kgdb) l -10
2805		tap = sc->qid2tap[qid];
2806		if (tap != NULL) {
2807			tid = WME_AC_TO_TID(tap->txa_ac);
2808			wn = (void *)tap->txa_ni;
2809			wn->agg[tid].bitmap = bitmap;
2810			wn->agg[tid].startidx = start;
2811			wn->agg[tid].nframes = nframes;
2812		}
2813	
2814		seqno = le32toh(*(status + nframes)) & 0xfff;
(kgdb) 
2815		for (lastidx = (seqno & 0xff); ring->read != lastidx;) {
2816			data = &ring->data[ring->read];
2817	
2818			KASSERT(data->ni != NULL, ("no node"));
2819	
2820			/* Unmap and free mbuf. */
2821			bus_dmamap_sync(ring->data_dmat, data->map,
2822			    BUS_DMASYNC_POSTWRITE);
2823			bus_dmamap_unload(ring->data_dmat, data->map);
2824			m = data->m, data->m = NULL;
(kgdb) p sc->txq[desc->qid&0xf]->data[sc->txq[desc->qid&0xf]->read]
No symbol "desc" in current context.
(kgdb) up
#8  0xffffffff805892ad in iwn_notif_intr (sc=0xffffff8000782000) at /usr/src/sys/dev/iwn/if_iwn.c:2900
2900				ops->tx_done(sc, desc, data);
(kgdb) p sc->txq[desc->qid&0xf]->data[sc->txq[desc->qid&0xf]->read]
$2 = {map = 0x0, cmd_paddr = 2003654528, scratch_paddr = 2003654540, m = 0x0, ni = 0x0}

The kernel wasn't compiled with assertions turned on, but I would expect the
assertion on line 2818 to fail.

>How-To-Repeat:
It might be repeatable by high network traffic on a bad wifi network. Playing flash video triggered this repeatedly.
>Fix:


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-net 
Responsible-Changed-By: gnats 
Responsible-Changed-When: Fri May 11 20:07:13 UTC 2012 
Responsible-Changed-Why:  
Over to maintainers. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=167806 
Responsible-Changed-From-To: freebsd-net->bschmidt 
Responsible-Changed-By: bschmidt 
Responsible-Changed-When: Sat May 12 07:34:01 UTC 2012 
Responsible-Changed-Why:  
over to me 

http://www.freebsd.org/cgi/query-pr.cgi?pr=167806 

From: Bernhard Schmidt <bschmidt@freebsd.org>
To: Bojan Petrovic <bojan_petrovic@fastmail.fm>
Cc: bug-followup <bug-followup@freebsd.org>
Subject: Re: kern/167806: [iwn] iwn driver panic on 9.0-STABLE-amd64
Date: Sat, 12 May 2012 09:36:04 +0200

 Please try attached patch
 
 -- 
 Bernhard
 
 Content-Type: application/octet-stream; name="iwn_delba.diff"
 Content-Disposition: attachment; filename="iwn_delba.diff"

From: Bojan Petrovic <bojan_petrovic@fastmail.fm>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/167806: [iwn] iwn driver panic on 9.0-STABLE-amd64
Date: Fri, 18 May 2012 22:41:49 +0200

 The driver seems to be behaving fine, I haven't experienced any panics after applying the patch.
 
 
 Regards,
 Bojan
 
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/167806: commit references a PR
Date: Wed, 27 Jun 2012 16:07:45 +0000 (UTC)

 Author: bschmidt
 Date: Wed Jun 27 16:07:01 2012
 New Revision: 237649
 URL: http://svn.freebsd.org/changeset/base/237649
 
 Log:
   We need to defer passing the DELBA request to the firmware until the aggr
   queue is empty or the firmware will go nuts.
   
   PR:		kern/167806
   Tested by:	osa@, Brandon Gooch (earlier version),
   		    Bojan Petrovic (earlier version)
   MFC after:	3 days
 
 Modified:
   head/sys/dev/iwn/if_iwn.c
 
 Modified: head/sys/dev/iwn/if_iwn.c
 ==============================================================================
 --- head/sys/dev/iwn/if_iwn.c	Wed Jun 27 16:05:09 2012	(r237648)
 +++ head/sys/dev/iwn/if_iwn.c	Wed Jun 27 16:07:01 2012	(r237649)
 @@ -2432,6 +2432,7 @@ static void
  iwn_rx_compressed_ba(struct iwn_softc *sc, struct iwn_rx_desc *desc,
      struct iwn_rx_data *data)
  {
 +	struct iwn_ops *ops = &sc->ops;
  	struct ifnet *ifp = sc->sc_ifp;
  	struct iwn_node *wn;
  	struct ieee80211_node *ni;
 @@ -2441,8 +2442,9 @@ iwn_rx_compressed_ba(struct iwn_softc *s
  	struct ieee80211_tx_ampdu *tap;
  	struct mbuf *m;
  	uint64_t bitmap;
 +	uint16_t ssn;
  	uint8_t tid;
 -	int ackfailcnt = 0, i, lastidx, qid, shift;
 +	int ackfailcnt = 0, i, lastidx, qid, *res, shift;
  
  	bus_dmamap_sync(sc->rxq.data_dmat, data->map, BUS_DMASYNC_POSTREAD);
  
 @@ -2452,6 +2454,13 @@ iwn_rx_compressed_ba(struct iwn_softc *s
  	tid = tap->txa_tid;
  	wn = (void *)tap->txa_ni;
  
 +	res = NULL;
 +	ssn = 0;
 +	if (!IEEE80211_AMPDU_RUNNING(tap)) {
 +		res = tap->txa_private;
 +		ssn = tap->txa_start & 0xfff;
 +	}
 +
  	for (lastidx = le16toh(ba->ssn) & 0xff; txq->read != lastidx;) {
  		txdata = &txq->data[txq->read];
  
 @@ -2475,6 +2484,15 @@ iwn_rx_compressed_ba(struct iwn_softc *s
  		txq->read = (txq->read + 1) % IWN_TX_RING_COUNT;
  	}
  
 +	if (txq->queued == 0 && res != NULL) {
 +		iwn_nic_lock(sc);
 +		ops->ampdu_tx_stop(sc, qid, tid, ssn);
 +		iwn_nic_unlock(sc);
 +		sc->qid2tap[qid] = NULL;
 +		free(res, M_DEVBUF);
 +		return;
 +	}
 +
  	if (wn->agg[tid].bitmap == 0)
  		return;
  
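Review bot: the teardown block in this hunk frees the buffer that `tap->txa_private` still points to (`res` was copied from it a few lines earlier) but, unlike iwn_ampdu_tx_stop, which does `tap->txa_private = NULL` after its `free(tap->txa_private, M_DEVBUF)`, it never clears the pointer; any later `tap->txa_private == NULL` test will see a freed pointer and treat the session as still allocated. Suggest adding `tap->txa_private = NULL;` right after `free(res, M_DEVBUF);`.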
 @@ -2785,6 +2803,7 @@ static void
  iwn_ampdu_tx_done(struct iwn_softc *sc, int qid, int idx, int nframes,
      void *stat)
  {
 +	struct iwn_ops *ops = &sc->ops;
  	struct ifnet *ifp = sc->sc_ifp;
  	struct iwn_tx_ring *ring = &sc->txq[qid];
  	struct iwn_tx_data *data;
 @@ -2795,8 +2814,9 @@ iwn_ampdu_tx_done(struct iwn_softc *sc, 
  	uint64_t bitmap;
  	uint32_t *status = stat;
  	uint16_t *aggstatus = stat;
 +	uint16_t ssn;
  	uint8_t tid;
 -	int bit, i, lastidx, seqno, shift, start;
 +	int bit, i, lastidx, *res, seqno, shift, start;
  
  #ifdef NOT_YET
  	if (nframes == 1) {
 @@ -2829,12 +2849,17 @@ iwn_ampdu_tx_done(struct iwn_softc *sc, 
  		bitmap |= 1ULL << bit;
  	}
  	tap = sc->qid2tap[qid];
 -	if (tap != NULL) {
 -		tid = tap->txa_tid;
 -		wn = (void *)tap->txa_ni;
 -		wn->agg[tid].bitmap = bitmap;
 -		wn->agg[tid].startidx = start;
 -		wn->agg[tid].nframes = nframes;
 +	tid = tap->txa_tid;
 +	wn = (void *)tap->txa_ni;
 +	wn->agg[tid].bitmap = bitmap;
 +	wn->agg[tid].startidx = start;
 +	wn->agg[tid].nframes = nframes;
 +
 +	res = NULL;
 +	ssn = 0;
 +	if (!IEEE80211_AMPDU_RUNNING(tap)) {
 +		res = tap->txa_private;
 +		ssn = tap->txa_start & 0xfff;
  	}
  
  	seqno = le32toh(*(status + nframes)) & 0xfff;
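Review bot: dropping the `if (tap != NULL)` guard turns `tid = tap->txa_tid;` into an unconditional dereference of `sc->qid2tap[qid]`, and the new completion-path teardown in the later hunk sets exactly that entry to NULL; a tx-done notification that still arrives for the queue after that point (or for a qid that was never an aggregation queue) now faults where it used to be skipped. Either keep a NULL check that returns early, or add a comment stating why no further notification can reach this function once qid2tap is cleared.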
 @@ -2861,6 +2886,15 @@ iwn_ampdu_tx_done(struct iwn_softc *sc, 
  		ring->read = (ring->read + 1) % IWN_TX_RING_COUNT;
  	}
  
 +	if (ring->queued == 0 && res != NULL) {
 +		iwn_nic_lock(sc);
 +		ops->ampdu_tx_stop(sc, qid, tid, ssn);
 +		iwn_nic_unlock(sc);
 +		sc->qid2tap[qid] = NULL;
 +		free(res, M_DEVBUF);
 +		return;
 +	}
 +
  	sc->sc_tx_timer = 0;
  	if (ring->queued < IWN_TX_RING_LOMARK) {
  		sc->qfullmsk &= ~(1 << ring->qid);
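Review bot: the `return;` inside the new `ring->queued == 0 && res != NULL` block skips the bookkeeping that follows it, so `sc->sc_tx_timer` is not reset and the ring's bit in `sc->qfullmsk` is not cleared even though `ring->queued` has just dropped to 0 (below IWN_TX_RING_LOMARK by definition); if that bit was set while the ring was full, nothing visible in this hunk clears it afterwards. Consider placing the teardown after the timer and qfullmsk updates, or falling through instead of returning.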
 @@ -5661,6 +5695,8 @@ iwn_ampdu_tx_start(struct ieee80211com *
  	if ((error = iwn_nic_lock(sc)) != 0)
  		return 0;
  	qid = *(int *)tap->txa_private;
 +	DPRINTF(sc, IWN_DEBUG_XMIT, "%s: ra=%d tid=%d ssn=%d qid=%d\n",
 +	    __func__, wn->id, tid, tap->txa_start, qid);
  	ops->ampdu_tx_start(sc, ni, qid, tid, tap->txa_start & 0xfff);
  	iwn_nic_unlock(sc);
  
 @@ -5676,10 +5712,14 @@ iwn_ampdu_tx_stop(struct ieee80211_node 
  	uint8_t tid = tap->txa_tid;
  	int qid;
  
 +	sc->sc_addba_stop(ni, tap);
 +
  	if (tap->txa_private == NULL)
  		return;
  
  	qid = *(int *)tap->txa_private;
 +	if (sc->txq[qid].queued != 0)
 +		return;
  	if (iwn_nic_lock(sc) != 0)
  		return;
  	ops->ampdu_tx_stop(sc, qid, tid, tap->txa_start & 0xfff);
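Review bot: the new `if (sc->txq[qid].queued != 0) return;` leaves `tap->txa_private` allocated and `sc->qid2tap[qid]` populated and relies on a later tx-done or BA notification to finish the teardown, which is not stated anywhere in the hunk; a comment here naming the completion handlers that complete the stop would help the next reader, and the queue-reset path should be checked for the case where that notification never arrives. Moving `sc->sc_addba_stop(ni, tap);` to the top is what lets those handlers observe `!IEEE80211_AMPDU_RUNNING(tap)`, so that ordering is worth a comment as well.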
 @@ -5687,7 +5727,6 @@ iwn_ampdu_tx_stop(struct ieee80211_node 
  	sc->qid2tap[qid] = NULL;
  	free(tap->txa_private, M_DEVBUF);
  	tap->txa_private = NULL;
 -	sc->sc_addba_stop(ni, tap);
  }
  
  static void
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
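A user-space model of the ordering the commit log above describes, added here as an example and not the driver's code: a tiny TX ring, a BA-session record, and two versions of the stop callback. The immediate version hands the DELBA to the "firmware" and clears qid2tap while frames are still queued, so later completions find no session and the frames are never released (the condition the old `if (tap != NULL)` guard silently tolerated); the deferred version waits for the ring to drain and lets the completion path finish the teardown. Names such as softc, qid2tap and txa_private mirror the driver; the ring contents and counters are constructed for the model.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#define RING_COUNT 16
#define NQUEUES 20

/* One ring slot: the node and mbuf owning a frame (0 means "empty slot"). */
struct tx_data { int ni; int m; };
struct tx_ring { struct tx_data data[RING_COUNT]; int read, cur, queued; };
struct tx_ampdu { bool running; int *txa_private; }; /* BA session; txa_private holds the qid */

struct softc {
    struct tx_ring txq[NQUEUES];
    struct tx_ampdu *qid2tap[NQUEUES];
    int stops_with_frames_queued;  /* DELBA given to "firmware" while ring non-empty */
    int completions_without_tap;   /* tx-done for a qid whose qid2tap is already NULL */
    int teardowns;                 /* txa_private freed and qid2tap cleared */
};

static void fw_ampdu_tx_stop(struct softc *sc, int qid)
{   /* stand-in for ops->ampdu_tx_stop: records the condition the log warns about */
    if (sc->txq[qid].queued != 0)
        sc->stops_with_frames_queued++;
}

static void teardown(struct softc *sc, struct tx_ampdu *tap, int qid)
{
    fw_ampdu_tx_stop(sc, qid);
    sc->qid2tap[qid] = NULL;
    free(tap->txa_private);
    tap->txa_private = NULL;
    sc->teardowns++;
}

/* Pre-r237649 behaviour: tear the queue down as soon as net80211 asks. */
static void ampdu_tx_stop_immediate(struct softc *sc, struct tx_ampdu *tap)
{
    tap->running = false;
    if (tap->txa_private != NULL)
        teardown(sc, tap, *tap->txa_private);
}

/* r237649 behaviour: mark the session stopped, defer the DELBA until the ring drains. */
static void ampdu_tx_stop_deferred(struct softc *sc, struct tx_ampdu *tap)
{
    tap->running = false;
    if (tap->txa_private != NULL && sc->txq[*tap->txa_private].queued == 0)
        teardown(sc, tap, *tap->txa_private);
}

static void tx_frame(struct softc *sc, int qid, int ni, int m)
{
    struct tx_ring *r = &sc->txq[qid];
    r->data[r->cur].ni = ni, r->data[r->cur].m = m;
    r->cur = (r->cur + 1) % RING_COUNT;
    r->queued++;
}

/* tx-done notification: release slots up to lastidx, then finish a deferred stop. */
static void ampdu_tx_done(struct softc *sc, int qid, int lastidx)
{
    struct tx_ring *r = &sc->txq[qid];
    struct tx_ampdu *tap = sc->qid2tap[qid];
    if (tap == NULL) {            /* the old "if (tap != NULL)" guard: frames stay stuck */
        sc->completions_without_tap++;
        return;
    }
    while (r->read != lastidx) {
        r->data[r->read].ni = 0, r->data[r->read].m = 0;  /* free node ref and mbuf */
        r->queued--;
        r->read = (r->read + 1) % RING_COUNT;
    }
    if (r->queued == 0 && !tap->running && tap->txa_private != NULL)
        teardown(sc, tap, qid);
}

/* Three frames in flight on qid 10, a DELBA, then two completions from the firmware. */
struct softc run_scenario(bool deferred)
{
    struct softc sc;
    struct tx_ampdu tap;
    int qid = 10, i;
    memset(&sc, 0, sizeof sc);
    tap.running = true;
    tap.txa_private = malloc(sizeof(int));
    *tap.txa_private = qid;
    sc.qid2tap[qid] = &tap;
    for (i = 0; i < 3; i++)
        tx_frame(&sc, qid, 1, 101 + i);
    if (deferred)
        ampdu_tx_stop_deferred(&sc, &tap);
    else
        ampdu_tx_stop_immediate(&sc, &tap);
    ampdu_tx_done(&sc, qid, 2);   /* firmware reports slots 0 and 1 done */
    ampdu_tx_done(&sc, qid, 3);   /* and then slot 2; both variants have torn down by here */
    return sc;
}
```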
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/167806: commit references a PR
Date: Sun,  1 Jul 2012 09:30:48 +0000 (UTC)

 Author: bschmidt
 Date: Sun Jul  1 09:30:37 2012
 New Revision: 237917
 URL: http://svn.freebsd.org/changeset/base/237917
 
 Log:
   MFC BA/DELBA fixes:
   - r234321:
     Use the M_AMPDU_MPDU flag to determine when to manually set the seqno and
     use a BA queue.
   - r235686:
     Discard frames after a DELBA which were queued during an active BA
     session.
   - r235687:
     remove unused vap variable
   - r237647:
     Fix a TX aggregation issue, if after the last compressed BA notification
     the TX queue is empty, there won't be a TX done notification, effectively
     resulting in an mbuf leak. The correct way to handle this is to free
     up mbufs on both BA and TX done notifications up to the last sent seqno.
   - r237649 (1):
     We need to defer passing the DELBA request to the firmware until the aggr
     queue is empty or the firmware will go nuts.
   
   PR:		kern/167806 (1)
 
 Modified:
   stable/9/sys/dev/iwn/if_iwn.c
 Directory Properties:
   stable/9/sys/   (props changed)
   stable/9/sys/dev/   (props changed)
 
 Modified: stable/9/sys/dev/iwn/if_iwn.c
 ==============================================================================
 --- stable/9/sys/dev/iwn/if_iwn.c	Sun Jul  1 09:17:55 2012	(r237916)
 +++ stable/9/sys/dev/iwn/if_iwn.c	Sun Jul  1 09:30:37 2012	(r237917)
 @@ -2432,23 +2432,66 @@ static void
  iwn_rx_compressed_ba(struct iwn_softc *sc, struct iwn_rx_desc *desc,
      struct iwn_rx_data *data)
  {
 +	struct iwn_ops *ops = &sc->ops;
  	struct ifnet *ifp = sc->sc_ifp;
  	struct iwn_node *wn;
  	struct ieee80211_node *ni;
  	struct iwn_compressed_ba *ba = (struct iwn_compressed_ba *)(desc + 1);
  	struct iwn_tx_ring *txq;
 +	struct iwn_tx_data *txdata;
  	struct ieee80211_tx_ampdu *tap;
 +	struct mbuf *m;
  	uint64_t bitmap;
 +	uint16_t ssn;
  	uint8_t tid;
 -	int ackfailcnt = 0, i, shift;
 +	int ackfailcnt = 0, i, lastidx, qid, *res, shift;
  
  	bus_dmamap_sync(sc->rxq.data_dmat, data->map, BUS_DMASYNC_POSTREAD);
  
 -	txq = &sc->txq[le16toh(ba->qid)];
 -	tap = sc->qid2tap[le16toh(ba->qid)];
 +	qid = le16toh(ba->qid);
 +	txq = &sc->txq[ba->qid];
 +	tap = sc->qid2tap[ba->qid];
  	tid = WME_AC_TO_TID(tap->txa_ac);
 -	ni = tap->txa_ni;
 -	wn = (void *)ni;
 +	wn = (void *)tap->txa_ni;
 +
 +	res = NULL;
 +	ssn = 0;
 +	if (!IEEE80211_AMPDU_RUNNING(tap)) {
 +		res = tap->txa_private;
 +		ssn = tap->txa_start & 0xfff;
 +	}
 +
 +	for (lastidx = le16toh(ba->ssn) & 0xff; txq->read != lastidx;) {
 +		txdata = &txq->data[txq->read];
 +
 +		/* Unmap and free mbuf. */
 +		bus_dmamap_sync(txq->data_dmat, txdata->map,
 +		    BUS_DMASYNC_POSTWRITE);
 +		bus_dmamap_unload(txq->data_dmat, txdata->map);
 +		m = txdata->m, txdata->m = NULL;
 +		ni = txdata->ni, txdata->ni = NULL;
 +
 +		KASSERT(ni != NULL, ("no node"));
 +		KASSERT(m != NULL, ("no mbuf"));
 +
 +		if (m->m_flags & M_TXCB)
 +			ieee80211_process_callback(ni, m, 1);
 +
 +		m_freem(m);
 +		ieee80211_free_node(ni);
 +
 +		txq->queued--;
 +		txq->read = (txq->read + 1) % IWN_TX_RING_COUNT;
 +	}
 +
 +	if (txq->queued == 0 && res != NULL) {
 +		iwn_nic_lock(sc);
 +		ops->ampdu_tx_stop(sc, qid, tid, ssn);
 +		iwn_nic_unlock(sc);
 +		sc->qid2tap[qid] = NULL;
 +		free(res, M_DEVBUF);
 +		return;
 +	}
  
  	if (wn->agg[tid].bitmap == 0)
  		return;
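Review bot: `qid = le16toh(ba->qid);` is computed and then the next two lines index with the raw field instead (`txq = &sc->txq[ba->qid];`, `tap = sc->qid2tap[ba->qid];`), whereas the removed lines used `le16toh(ba->qid)` for both; on a little-endian host this is harmless, but on a big-endian one the unswapped value indexes the wrong entry and can run past both arrays. Use `qid` for both lookups.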
 @@ -2460,6 +2503,7 @@ iwn_rx_compressed_ba(struct iwn_softc *s
  	if (wn->agg[tid].nframes > (64 - shift))
  		return;
  
 +	ni = tap->txa_ni;
  	bitmap = (le64toh(ba->bitmap) >> shift) & wn->agg[tid].bitmap;
  	for (i = 0; bitmap; i++) {
  		if ((bitmap & 1) == 0) {
 @@ -2759,19 +2803,20 @@ static void
  iwn_ampdu_tx_done(struct iwn_softc *sc, int qid, int idx, int nframes,
      void *stat)
  {
 +	struct iwn_ops *ops = &sc->ops;
  	struct ifnet *ifp = sc->sc_ifp;
  	struct iwn_tx_ring *ring = &sc->txq[qid];
  	struct iwn_tx_data *data;
  	struct mbuf *m;
  	struct iwn_node *wn;
  	struct ieee80211_node *ni;
 -	struct ieee80211vap *vap;
  	struct ieee80211_tx_ampdu *tap;
  	uint64_t bitmap;
  	uint32_t *status = stat;
  	uint16_t *aggstatus = stat;
 +	uint16_t ssn;
  	uint8_t tid;
 -	int bit, i, lastidx, seqno, shift, start;
 +	int bit, i, lastidx, *res, seqno, shift, start;
  
  #ifdef NOT_YET
  	if (nframes == 1) {
 @@ -2804,27 +2849,32 @@ iwn_ampdu_tx_done(struct iwn_softc *sc, 
  		bitmap |= 1ULL << bit;
  	}
  	tap = sc->qid2tap[qid];
 -	if (tap != NULL) {
 -		tid = WME_AC_TO_TID(tap->txa_ac);
 -		wn = (void *)tap->txa_ni;
 -		wn->agg[tid].bitmap = bitmap;
 -		wn->agg[tid].startidx = start;
 -		wn->agg[tid].nframes = nframes;
 +	tid = WME_AC_TO_TID(tap->txa_ac);
 +	wn = (void *)tap->txa_ni;
 +	wn->agg[tid].bitmap = bitmap;
 +	wn->agg[tid].startidx = start;
 +	wn->agg[tid].nframes = nframes;
 +
 +	res = NULL;
 +	ssn = 0;
 +	if (!IEEE80211_AMPDU_RUNNING(tap)) {
 +		res = tap->txa_private;
 +		ssn = tap->txa_start & 0xfff;
  	}
  
  	seqno = le32toh(*(status + nframes)) & 0xfff;
  	for (lastidx = (seqno & 0xff); ring->read != lastidx;) {
  		data = &ring->data[ring->read];
  
 -		KASSERT(data->ni != NULL, ("no node"));
 -
  		/* Unmap and free mbuf. */
  		bus_dmamap_sync(ring->data_dmat, data->map,
  		    BUS_DMASYNC_POSTWRITE);
  		bus_dmamap_unload(ring->data_dmat, data->map);
  		m = data->m, data->m = NULL;
  		ni = data->ni, data->ni = NULL;
 -		vap = ni->ni_vap;
 +
 +		KASSERT(ni != NULL, ("no node"));
 +		KASSERT(m != NULL, ("no mbuf"));
  
  		if (m->m_flags & M_TXCB)
  			ieee80211_process_callback(ni, m, 1);
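Review bot: the relocated `KASSERT(ni != NULL, ("no node"));` and `KASSERT(m != NULL, ("no mbuf"));` only exist in an INVARIANTS kernel; on a production build (the reporter's was built without assertions) a NULL `m` still reaches `if (m->m_flags & M_TXCB)` on the next line, and the later report on 9.1-RELEASE in this PR shows exactly that dereference. Suggest a runtime check that skips an empty slot (with a counter or log line) rather than relying on the assertion alone.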
 @@ -2836,6 +2886,15 @@ iwn_ampdu_tx_done(struct iwn_softc *sc, 
  		ring->read = (ring->read + 1) % IWN_TX_RING_COUNT;
  	}
  
 +	if (ring->queued == 0 && res != NULL) {
 +		iwn_nic_lock(sc);
 +		ops->ampdu_tx_stop(sc, qid, tid, ssn);
 +		iwn_nic_unlock(sc);
 +		sc->qid2tap[qid] = NULL;
 +		free(res, M_DEVBUF);
 +		return;
 +	}
 +
  	sc->sc_tx_timer = 0;
  	if (ring->queued < IWN_TX_RING_LOMARK) {
  		sc->qfullmsk &= ~(1 << ring->qid);
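Review bot: `iwn_nic_lock(sc);` in the new teardown block ignores its return value, while iwn_ampdu_tx_stop in the later hunk does `if (iwn_nic_lock(sc) != 0) return;`; if the lock cannot be taken, the DELBA is handed to the firmware anyway and `iwn_nic_unlock(sc)` is called for a lock that was never acquired. Check the return value and handle the failure here too.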
 @@ -3309,18 +3368,20 @@ iwn_tx_data(struct iwn_softc *sc, struct
  		tid = 0;
  	}
  	ac = M_WME_GETAC(m);
 -
 -	if (IEEE80211_QOS_HAS_SEQ(wh) &&
 -	    IEEE80211_AMPDU_RUNNING(&ni->ni_tx_ampdu[ac])) {
 +	if (m->m_flags & M_AMPDU_MPDU) {
  		struct ieee80211_tx_ampdu *tap = &ni->ni_tx_ampdu[ac];
  
 -		ring = &sc->txq[*(int *)tap->txa_private];
 +		if (!IEEE80211_AMPDU_RUNNING(tap)) {
 +			m_freem(m);
 +			return EINVAL;
 +		}
 +
 +		ac = *(int *)tap->txa_private;
  		*(uint16_t *)wh->i_seq =
  		    htole16(ni->ni_txseqs[tid] << IEEE80211_SEQ_SEQ_SHIFT);
  		ni->ni_txseqs[tid]++;
 -	} else {
 -		ring = &sc->txq[ac];
  	}
 +	ring = &sc->txq[ac];
  	desc = &ring->desc[ring->cur];
  	data = &ring->data[ring->cur];
  
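Review bot: `ac = *(int *)tap->txa_private;` reuses the access-category variable to hold the aggregation queue id, so from this point on `ac` no longer means what its name says and the final `ring = &sc->txq[ac];` reads as an AC lookup when it is sometimes a qid lookup; a separate local for the qid would be clearer. Also, the new `m_freem(m); return EINVAL;` for an M_AMPDU_MPDU frame whose session is no longer running means callers must not free `m` again on a non-zero return, which is worth confirming and stating in a comment at the function head.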
 @@ -5634,6 +5695,8 @@ iwn_ampdu_tx_start(struct ieee80211com *
  	if ((error = iwn_nic_lock(sc)) != 0)
  		return 0;
  	qid = *(int *)tap->txa_private;
 +	DPRINTF(sc, IWN_DEBUG_XMIT, "%s: ra=%d tid=%d ssn=%d qid=%d\n",
 +	    __func__, wn->id, tid, tap->txa_start, qid);
  	ops->ampdu_tx_start(sc, ni, qid, tid, tap->txa_start & 0xfff);
  	iwn_nic_unlock(sc);
  
 @@ -5649,10 +5712,14 @@ iwn_ampdu_tx_stop(struct ieee80211_node 
  	uint8_t tid = WME_AC_TO_TID(tap->txa_ac);
  	int qid;
  
 +	sc->sc_addba_stop(ni, tap);
 +
  	if (tap->txa_private == NULL)
  		return;
  
  	qid = *(int *)tap->txa_private;
 +	if (sc->txq[qid].queued != 0)
 +		return;
  	if (iwn_nic_lock(sc) != 0)
  		return;
  	ops->ampdu_tx_stop(sc, qid, tid, tap->txa_start & 0xfff);
 @@ -5660,7 +5727,6 @@ iwn_ampdu_tx_stop(struct ieee80211_node 
  	sc->qid2tap[qid] = NULL;
  	free(tap->txa_private, M_DEVBUF);
  	tap->txa_private = NULL;
 -	sc->sc_addba_stop(ni, tap);
  }
  
  static void
 
State-Changed-From-To: open->closed 
State-Changed-By: bschmidt 
State-Changed-When: Mon Jul 2 06:49:32 UTC 2012 
State-Changed-Why:  
Fix MFCed to stable/9, will be in the next release. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=167806 

From: Colin Percival <cperciva@freebsd.org>
To: bug-followup@FreeBSD.org, Bernhard Schmidt <bschmidt@freebsd.org>
Cc:  
Subject: Re: kern/167806: [iwn] iwn driver panic on 9.0-STABLE-amd64
Date: Wed, 22 May 2013 20:46:49 -0700

 I'm still seeing this or a very closely related issue on 9.1-RELEASE:
 
 Fatal trap 12: page fault while in kernel mode
 cpuid = 0; apic id = 00
 fault virtual address   = 0x1e
 fault code              = supervisor read data, page not present
 instruction pointer     = 0x20:0xffffffff80566414
 stack pointer           = 0x28:0xffffff822aef3780
 frame pointer           = 0x28:0xffffff822aef37f0
 code segment            = base 0x0, limit 0xfffff, type 0x1b
                         = DPL 0, pres 1, long 1, def32 0, gran 1
 processor eflags        = interrupt enabled, resume, IOPL = 0
 current process         = 12 (irq265: iwn0)
 trap number             = 12
 panic: page fault
 
 #6  0xffffffff80bc315f in calltrap ()
     at /usr/src/sys/amd64/amd64/exception.S:228
 #7  0xffffffff80566414 in iwn_ampdu_tx_done (sc=0xffffff8001b6a000, qid=10,
     idx=Variable "idx" is not available.
 ) at /usr/src/sys/dev/iwn/if_iwn.c:2874
 #8  0xffffffff8056a78d in iwn_notif_intr (sc=0xffffff8001b6a000)
     at /usr/src/sys/dev/iwn/if_iwn.c:2960
 #9  0xffffffff8056e7fb in iwn_intr (arg=Variable "arg" is not available.
 ) at /usr/src/sys/dev/iwn/if_iwn.c:3251
 #10 0xffffffff808be8d4 in intr_event_execute_handlers (p=Variable "p" is not
 available.
 )
     at /usr/src/sys/kern/kern_intr.c:1262
 #11 0xffffffff808c0076 in ithread_loop (arg=0xfffffe000369ab80)
     at /usr/src/sys/kern/kern_intr.c:1275
 
 Looking at the source code and kgdb, it looks like we're getting a NULL mbuf
 at line 2879 of 9.1's if_iwn.c (where it examines m->m_flags).
 
 Let me know if there's anything useful I can do with this dump.
 
 -- 
 Colin Percival
 Security Officer Emeritus, FreeBSD | The power to serve
 Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid
>Unformatted:
