freebsd stable - Apr 2011 - Fatal trap 12: page fault while in kernel mode

Downloading a torrent with many peers on a toshiba satellite notebook
using an Atheros AR5006 wireless nic caused the following panic.  This
is an i386 system running 8.2-STABLE from around April 06.

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0xc647a000
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc0999329
stack pointer           = 0x28:0xc51c1c18
frame pointer           = 0x28:0xc51c1c24
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 12 (swi4: clock)
trap number             = 12
panic: page fault
cpuid = 0
KDB: stack backtrace:
#0 0xc08e0d07 at kdb_backtrace+0x47
#1 0xc08b1dc7 at panic+0x117
#2 0xc0be4b43 at trap_fatal+0x323
#3 0xc0be4dc0 at trap_pfault+0x270
#4 0xc0be5305 at trap+0x465
#5 0xc0bcbebc at calltrap+0x6
#6 0xc08c508a at softclock+0x22a
#7 0xc088903b at intr_event_execute_handlers+0x13b
#8 0xc088a75b at ithread_loop+0x6b
#9 0xc0886d51 at fork_exit+0x91
#10 0xc0bcbf34 at fork_trampoline+0x8
Uptime: 6m15s
Physical memory: 2026 MB
Dumping 99 MB: 84 68 52 36 20 4

#0  doadump () at pcpu.h:231
231     pcpu.h: No such file or directory.
        in pcpu.h
(kgdb) #0  doadump () at pcpu.h:231
#1  0xc08b1b63 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:419
#2  0xc08b1e00 in panic (fmt=Variable "fmt" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:592
#3  0xc0be4b43 in trap_fatal (frame=0xc51c1bd8, eva=3326582784)
    at /usr/src/sys/i386/i386/trap.c:946
#4  0xc0be4dc0 in trap_pfault (frame=0xc51c1bd8, usermode=0, eva=3326582784)
    at /usr/src/sys/i386/i386/trap.c:859
#5  0xc0be5305 in trap (frame=0xc51c1bd8) at /usr/src/sys/i386/i386/trap.c:532
#6  0xc0bcbebc in calltrap () at /usr/src/sys/i386/i386/exception.s:166
#7  0xc0999329 in ieee80211_tx_mgt_timeout (arg=0xc647a000)
    at /usr/src/sys/net80211/ieee80211_output.c:2478
#8  0xc08c508a in softclock (arg=0xc0df90e0)
    at /usr/src/sys/kern/kern_timeout.c:430
#9  0xc088903b in intr_event_execute_handlers (p=0xc55497f8, ie=0xc5591d00)
    at /usr/src/sys/kern/kern_intr.c:1220
#10 0xc088a75b in ithread_loop (arg=0xc5548070)
    at /usr/src/sys/kern/kern_intr.c:1233
#11 0xc0886d51 in fork_exit (callout=0xc088a6f0 <ithread_loop>,
    arg=0xc5548070, frame=0xc51c1d28) at /usr/src/sys/kern/kern_fork.c:845
#12 0xc0bcbf34 in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:273
(kgdb)

on 26/04/2011 02:09 Gardner Bell said the following:
> #6  0xc0bcbebc in calltrap () at /usr/src/sys/i386/i386/exception.s:166
> #7  0xc0999329 in ieee80211_tx_mgt_timeout (arg=0xc647a000)
>     at /usr/src/sys/net80211/ieee80211_output.c:2478
Looks like an issue in wireless code...

-- 
Andriy Gapon

On Tuesday, April 26, 2011 01:09:42 Gardner Bell wrote:
> Downloading a torrent with many peers on a toshiba satellite notebook
> using an Atheros AR5006 wireless nic caused the following panic.  This
> is an i386 system running 8.2-STABLE from around April 06.
Can you reproduce that?

A comment about the relevant code says:
	/*
	 * XXX what happens if !acked but response shows up before callback?
	 */

Guess we now know.. ;)

-- 
Bernhard

On Tue, Apr 26, 2011 at 04:25:26PM +0200, Bernhard Schmidt
wrote:
> On Tuesday, April 26, 2011 15:15:45 Gardner Bell wrote:
> > On Tue, Apr 26, 2011 at 4:12 AM, Bernhard Schmidt
<bschmidt@freebsd.org> wrote:
> > > On Tuesday, April 26, 2011 01:09:42 Gardner Bell wrote:
> > >> Downloading a torrent with many peers on a toshiba satellite
notebook
> > >> using an Atheros AR5006 wireless nic caused the following
panic.  This
> > >> is an i386 system running 8.2-STABLE from around April 06.
> > >
> > > Can you reproduce that?
> >
> > So far I've not been able to reproduce this.
>
> Ok. I assume this only happens when loosing the connection and trying
> to re-associate. At least that is the only possible scenario I can
> think of where a timeout for mgmt frames is involved. Probably we
> aren't bumping a refcount correctly or something. Actually that sounds
> rather plausible as it panics exactly when trying to access ni which
> should, for a station, always point to iv_bss, which can in turn be
> free'd almost unconditionally if someone's telling net80211 to
> associate to another (or even the same) network. Hmm.. tracing refcount
> it is.
>
> Were you running wpa_supplicant at that point? Any messages before
> the panic happened?
>
Yes, I'm running wpa_supplicant with the following settings:

network={
    ssid="xxxxx"
    psk="xxxxx"
}

Other settings for the wireless card I have in rc.conf:

wlans_ath0="wlan0"
ifconfig_wlan0="WPA DHCP"
ifconfig_wlan0_alias0="inet 192.168.0.12 netmask 0xffffffff"


The last messages seen on the console before the panic are wlan0:
ieee80211_new_state_locked: pending SCAN -> AUTH transition lost
and several UP/DOWN events.

> --
> Bernhard
--
Gardner Bell