From nobody@FreeBSD.org  Fri May 10 02:04:28 2013
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1])
	by hub.freebsd.org (Postfix) with ESMTP id 58A33E8B
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 10 May 2013 02:04:28 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from oldred.FreeBSD.org (oldred.freebsd.org [8.8.178.121])
	by mx1.freebsd.org (Postfix) with ESMTP id 4A1C7A7
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 10 May 2013 02:04:28 +0000 (UTC)
Received: from oldred.FreeBSD.org ([127.0.1.6])
	by oldred.FreeBSD.org (8.14.5/8.14.5) with ESMTP id r4A24R5A065664
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 10 May 2013 02:04:27 GMT
	(envelope-from nobody@oldred.FreeBSD.org)
Received: (from nobody@localhost)
	by oldred.FreeBSD.org (8.14.5/8.14.5/Submit) id r4A24RfN065663;
	Fri, 10 May 2013 02:04:27 GMT
	(envelope-from nobody)
Message-Id: <201305100204.r4A24RfN065663@oldred.FreeBSD.org>
Date: Fri, 10 May 2013 02:04:27 GMT
From: Glen Barber <gjb@FreeBSD.org>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [panic][ath] bss vap can and does change
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         178470
>Category:       kern
>Synopsis:       [panic][ath] bss vap can and does change
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-wireless
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri May 10 02:10:00 UTC 2013
>Closed-Date:    Sun Apr 20 01:46:51 UTC 2014
>Last-Modified:  Sun Apr 20 01:46:51 UTC 2014
>Originator:     Glen Barber
>Release:        10.0-CURRENT r250344
>Organization:
>Environment:
FreeBSD orion 10.0-CURRENT FreeBSD 10.0-CURRENT #9 r250344: Tue May  7 21:52:45 EDT 2013     root@orion:/usr/obj/usr/src/sys/ORION  amd64

>Description:
Requested output from prior discussion with adrian:

root@orion:/usr/obj/usr/src/sys/ORION # kgdb ./kernel.debug /var/crash/vmcore.7
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...

Unread portion of the kernel message buffer:
wlan0: ieee80211_new_state_locked: pending RUN -> SCAN transition lost


Fatal trap 12: page fault while in kernel mode
cpuid = 3; apic id = 03
fault virtual address   = 0xffff
fault code              = supervisor read data, page not present
instruction pointer     = 0x20:0xffffffff8072fb3f
stack pointer           = 0x28:0xffffff81a944d970
frame pointer           = 0x28:0xffffff81a944d9a0
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 12 (irq22: ath0)
trap number             = 12
panic: page fault
cpuid = 3
KDB: stack backtrace:
#0 0xffffffff80676366 at kdb_backtrace+0x66
#1 0xffffffff8063a78b at panic+0x13b
#2 0xffffffff80918300 at trap_fatal+0x290
#3 0xffffffff80918671 at trap_pfault+0x221
#4 0xffffffff80918c24 at trap+0x344
#5 0xffffffff809023b3 at calltrap+0x8
#6 0xffffffff8074c14b at ieee80211_beacon_update+0x21b
#7 0xffffffff8037bcc2 at ath_beacon_generate+0x52
#8 0xffffffff8037c15f at ath_beacon_proc+0x23f
#9 0xffffffff80376a7f at ath_intr+0x44f
#10 0xffffffff8060b99d at intr_event_execute_handlers+0xfd
#11 0xffffffff8060d14b at ithread_loop+0x9b
#12 0xffffffff8060854f at fork_exit+0x11f
#13 0xffffffff809028de at fork_trampoline+0xe
Uptime: 1d23h22m39s
(ada0:ahcich0:0:0:0): FLUSHCACHE48. ACB: ea 00 00 00 00 40 00 00 00 00 00 00
(ada0:ahcich0:0:0:0): CAM status: CCB request is in progress
(ada0:ahcich0:0:0:0): Error 5, Retries exhausted
(ada0:ahcich0:0:0:0): Synchronize cache failed
(ada1:ahcich1:0:0:0): FLUSHCACHE48. ACB: ea 00 00 00 00 40 00 00 00 00 00 00
(ada1:ahcich1:0:0:0): CAM status: CCB request is in progress
(ada1:ahcich1:0:0:0): Error 5, Retries exhausted
(ada1:ahcich1:0:0:0): Synchronize cache failed
(ada2:ahcich4:0:0:0): FLUSHCACHE48. ACB: ea 00 00 00 00 40 00 00 00 00 00 00
(ada2:ahcich4:0:0:0): CAM status: CCB request is in progress
(ada2:ahcich4:0:0:0): Error 5, Retries exhausted
(ada2:ahcich4:0:0:0): Synchronize cache failed
(ada3:ahcich5:0:0:0): FLUSHCACHE48. ACB: ea 00 00 00 00 40 00 00 00 00 00 00
(ada3:ahcich5:0:0:0): CAM status: CCB request is in progress
(ada3:ahcich5:0:0:0): Error 5, Retries exhausted
(ada3:ahcich5:0:0:0): Synchronize cache failed
Dumping 764 out of 6048 MB:..3%..11%..21%..32%..42%..51%..61%..72%..82%..93%

Reading symbols from /boot/kernel/zfs.ko.symbols...done.
Loaded symbols for /boot/kernel/zfs.ko.symbols
Reading symbols from /boot/kernel/opensolaris.ko.symbols...done.
Loaded symbols for /boot/kernel/opensolaris.ko.symbols
#0  doadump (textdump=<value optimized out>) at pcpu.h:231
231             __asm("movq %%gs:%1,%0" : "=r" (td)
(kgdb) list *0xffffffff8072fb3f
0xffffffff8072fb3f is in ieee80211_ht_update_beacon (/usr/src/sys/net80211/ieee80211_ht.c:2787).
2782            ht->hi_ctrlchannel = ieee80211_chan2ieee(ic, bsschan);
2783            if (vap->iv_flags_ht & IEEE80211_FHT_RIFS)
2784                    ht->hi_byte1 = IEEE80211_HTINFO_RIFSMODE_PERM;
2785            else
2786                    ht->hi_byte1 = IEEE80211_HTINFO_RIFSMODE_PROH;
2787            if (IEEE80211_IS_CHAN_HT40U(bsschan))
2788                    ht->hi_byte1 |= IEEE80211_HTINFO_2NDCHAN_ABOVE;
2789            else if (IEEE80211_IS_CHAN_HT40D(bsschan))
2790                    ht->hi_byte1 |= IEEE80211_HTINFO_2NDCHAN_BELOW;
2791            else
(kgdb) quit

>How-To-Repeat:

>Fix:


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-wireless 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Fri May 10 03:33:29 UTC 2013 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=178470 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/178470: commit references a PR
Date: Fri, 10 May 2013 09:38:06 +0000 (UTC)

 Author: adrian
 Date: Fri May 10 09:37:58 2013
 New Revision: 250442
 URL: http://svnweb.freebsd.org/changeset/base/250442
 
 Log:
   Fix a VAP BSS node reference in the HT code to actually take a reference
   before using said node.
   
   The "blessed" way here is to take a node reference before referencing
   anything inside the node, otherwise the node can be freed between
   the time the pointer is copied/dereferenced and the time the node contents
   are used.
   
   This mirrors fixes that I've done elsewhere in the net80211/driver
   stack.
   
   PR:		kern/178470
 
 Modified:
   head/sys/net80211/ieee80211_ht.c
 
 Modified: head/sys/net80211/ieee80211_ht.c
 ==============================================================================
 --- head/sys/net80211/ieee80211_ht.c	Fri May 10 08:46:10 2013	(r250441)
 +++ head/sys/net80211/ieee80211_ht.c	Fri May 10 09:37:58 2013	(r250442)
 @@ -2773,11 +2773,15 @@ ieee80211_ht_update_beacon(struct ieee80
  	struct ieee80211_beacon_offsets *bo)
  {
  #define	PROTMODE	(IEEE80211_HTINFO_OPMODE|IEEE80211_HTINFO_NONHT_PRESENT)
 -	const struct ieee80211_channel *bsschan = vap->iv_bss->ni_chan;
 +	struct ieee80211_node *ni;
 +	const struct ieee80211_channel *bsschan;
  	struct ieee80211com *ic = vap->iv_ic;
  	struct ieee80211_ie_htinfo *ht =
  	   (struct ieee80211_ie_htinfo *) bo->bo_htinfo;
  
 +	ni = ieee80211_ref_node(vap->iv_bss);
 +	bsschan = ni->ni_chan;
 +
  	/* XXX only update on channel change */
  	ht->hi_ctrlchannel = ieee80211_chan2ieee(ic, bsschan);
  	if (vap->iv_flags_ht & IEEE80211_FHT_RIFS)
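Review bot: the reference is taken from vap->iv_bss with no lock held around the load, so the window the log message describes (pointer copied, node freed, contents used) is narrowed but not closed: if the bss is replaced and the old node's last reference is dropped between reading vap->iv_bss and the increment inside ieee80211_ref_node(), the refcount bump itself lands on freed memory, which is exactly the "bss vap can and does change" condition in the synopsis. Either snapshot and reference iv_bss under the lock that serialises its replacement, or add a comment stating why the beacon/interrupt path cannot race with a bss change. A one-line comment that `bsschan = ni->ni_chan;` points into `ni`, so the reference must outlive every later use of `bsschan` and not just that assignment, would also make the intent obvious to the next reader.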
 @@ -2796,6 +2800,8 @@ ieee80211_ht_update_beacon(struct ieee80
  	/* protection mode */
  	ht->hi_byte2 = (ht->hi_byte2 &~ PROTMODE) | ic->ic_curhtprotmode;
  
 +	ieee80211_free_node(ni);
 +
  	/* XXX propagate to vendor ie's */
  #undef PROTMODE
  }
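Review bot: the `ieee80211_free_node(ni);` correctly pairs with the `ieee80211_ref_node()` at the top and sits after the last use of `bsschan` (the RIFS and HT40 checks above it), but nothing makes that contract visible: a future early return between the two calls would leak the reference, and a future implementation of the `/* XXX propagate to vendor ie's */` step that needs `bsschan` would read through a released node unless the free is moved below it. Suggest a short comment on the free ("must be the last use of bsschan; no early returns above this point") or moving the release to a single exit path right before `#undef PROTMODE`.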
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
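The rule in the log message above (take a reference before using anything inside the node, because the node can be freed between copying the pointer and using its contents) is easier to see with a minimal, deterministic model. The following is an added example written for this page, not net80211 or the r250442 code itself: `node`, `vap`, `node_ref`, `node_free`, `vap_set_bss` and the two `update_beacon_*` functions are simplified stand-ins for the net80211 node/vap API, and "freeing" poisons the node with the PR's fault address 0xffff instead of calling free(), so the stale read in the pre-fix path is observable rather than undefined behaviour. The interleaving (bss swapped out from under the caller) is forced by calling `vap_set_bss()` at the point where the interrupt would have run.

```c
/*
 * Added illustration of the reference-counting rule from r250442; not
 * net80211 code.  Names are simplified stand-ins for the net80211 ones.
 */
#include <stdio.h>

#define CHAN_POISON 0xffff      /* mirrors the fault address in the PR */

struct node {
	int refcnt;
	int chan;               /* stands in for ni->ni_chan */
	int freed;
};

struct vap {
	struct node *iv_bss;    /* stands in for vap->iv_bss */
};

static struct node *node_ref(struct node *ni)
{
	ni->refcnt++;
	return ni;
}

/* Drop a reference; on the last one, "free" the node by poisoning it so a
 * later read through a stale pointer is visible instead of undefined. */
static void node_free(struct node *ni)
{
	if (--ni->refcnt == 0) {
		ni->freed = 1;
		ni->chan = CHAN_POISON;
	}
}

/* Simulate "bss vap can and does change": install a new bss node and drop
 * the vap's own reference on the old one (which may be its last). */
static void vap_set_bss(struct vap *vap, struct node *newbss)
{
	struct node *old = vap->iv_bss;

	vap->iv_bss = node_ref(newbss);
	if (old != NULL)
		node_free(old);
}

/* Pre-r250442 shape: read through iv_bss without taking a reference.
 * The bss swap is injected between the pointer copy and the dereference,
 * standing in for the interrupt/other-thread interleaving. */
static int update_beacon_unsafe(struct vap *vap, struct node *racer_bss)
{
	const struct node *bss = vap->iv_bss;   /* pointer copied ...       */

	vap_set_bss(vap, racer_bss);            /* ... bss changes, old freed */
	return bss->chan;                       /* ... stale contents used   */
}

/* r250442 shape: hold a reference across every use of the node contents. */
static int update_beacon_safe(struct vap *vap, struct node *racer_bss)
{
	struct node *ni = node_ref(vap->iv_bss);
	int chan;

	vap_set_bss(vap, racer_bss);            /* same interleaving         */
	chan = ni->chan;                        /* still valid: we hold a ref */
	node_free(ni);                          /* now the old node can go   */
	return chan;
}

/* Scenario drivers on fresh nodes (constructed sample data). */
static int scenario_unsafe(void)
{
	struct node a = { 0, 36, 0 }, b = { 0, 44, 0 };
	struct vap vap = { NULL };

	vap_set_bss(&vap, &a);
	return update_beacon_unsafe(&vap, &b);  /* 0xffff: read after free */
}

static int scenario_safe(void)
{
	struct node a = { 0, 36, 0 }, b = { 0, 44, 0 };
	struct vap vap = { NULL };

	vap_set_bss(&vap, &a);
	return update_beacon_safe(&vap, &b);    /* 36: reference held */
}

/* After the safe path, the old node has still been released (no leak). */
static int scenario_safe_old_freed(void)
{
	struct node a = { 0, 36, 0 }, b = { 0, 44, 0 };
	struct vap vap = { NULL };

	vap_set_bss(&vap, &a);
	(void)update_beacon_safe(&vap, &b);
	return a.freed;                         /* 1 */
}

int main(void)
{
	printf("unsafe: chan=0x%x (poisoned)\n", scenario_unsafe());
	printf("safe:   chan=%d, old node freed=%d\n",
	    scenario_safe(), scenario_safe_old_freed());
	return 0;
}
```

The model only shows what the reference fixes; the reference is still taken from an unlocked load of `iv_bss`, so, as in the real code, a swap that lands between that load and the increment in `node_ref()` is not covered by this pattern alone.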
 
State-Changed-From-To: open->closed 
State-Changed-By: linimon 
State-Changed-When: Sun Apr 20 01:43:17 UTC 2014 
State-Changed-Why:  
committed over one year ago. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=178470 
>Unformatted:
