From: Sam Leffler
Organization: Errno Consulting
Date: Fri, 27 Apr 2007 14:26:15 -0700
To: Steve Kargl
Cc: freebsd-stable@freebsd.org
Subject: Re: ath0 induced panic additional info
Message-ID: <46326A77.4060607@errno.com>
In-Reply-To: <20070426234153.GA50866@troutmask.apl.washington.edu>

Steve Kargl wrote:
> By increasing the kernel message buffer, I was able to
> get the previous "Unread portion" in my last email.
>
> Unread portion of the kernel message buffer:
> lock order reversal: (sleepable after non-sleepable)
> 1st 0xc34caec0 ath0 (ath0) @ /usr/src/sys/dev/ath/if_ath.c:5210
> 2nd 0xc32cbe24 user map (user map) @ /usr/src/sys/vm/vm_map.c:3074
> KDB: stack backtrace:
> kdb_backtrace(0,ffffffff,c07c3e08,c07c5500,c078596c,...) at kdb_backtrace+0x29
> witness_checkorder(c32cbe24,9,c075587c,c02) at witness_checkorder+0x578
> _sx_xlock(c32cbe24,c075587c,c02) at _sx_xlock+0x50
> _vm_map_lock_read(c32cbde0,c075587c,c02,2000246,c3722068,...) at _vm_map_lock_read+0x37
> vm_map_lookup(d9753a6c,805e000,2,d9753a70,d9753a60,d9753a64,d9753a47,d9753a48) at vm_map_lookup+0x28
> vm_fault(c32cbde0,805e000,2,8,c34ee180,...) at vm_fault+0x65
> trap_pfault(d9753b34,0,805e000) at trap_pfault+0xce
> trap(c07b0008,28,c0730028,805e000,c334f400,...) at trap+0x319
> calltrap() at calltrap+0x5
> --- trap 0xc, eip = 0xc06e8056, esp = 0xd9753b74, ebp = 0xd9753bac ---
> generic_copyout(c34c8c00,c3726400,c34cab30,c0286938,0,...) at generic_copyout+0x36
> ieee80211_ioctl(c34ca230,c0286938,c3726400) at ieee80211_ioctl+0xc1
> ath_ioctl(c34c8c00,c0286938,c3726400) at ath_ioctl+0x190
> ifhwioctl(c0286938,c34c8c00,c3726400,c34ee180) at ifhwioctl+0xa40
> ifioctl(c355e000,c0286938,c3726400,c34ee180,0,...) at ifioctl+0xc3
> soo_ioctl(c3516ab0,c0286938,c3726400,c3748480,c34ee180) at soo_ioctl+0x2db
> ioctl(c34ee180,d9753d04) at ioctl+0x396
> syscall(3b,3b,3b,805d028,0,...) at syscall+0x22f
> Xint0x80_syscall() at Xint0x80_syscall+0x1f
> --- syscall (54, FreeBSD ELF32, ioctl), eip = 0x28149787, esp = 0xbfbfe2fc, ebp = 0xbfbfe328 ---
> KDB: enter: witness_checkorder
> panic: from debugger
> KDB: stack backtrace:
> Uptime: 1m1s
> Dumping 511 MB (2 chunks)
> chunk 0: 1MB (159 pages) ... ok
> chunk 1: 511MB (130786 pages) 495 479 463 447 431 415 399 383 367 351 335 319 303 287 271 255 239 223 207 191 175 159 143 127 111 95 79 63 47 31 15
>
> #0 doadump () at pcpu.h:165
> 165 pcpu.h: No such file or directory.
> in pcpu.h
> (kgdb) quit
> mobile:root[157] exit
> exit
>
> Script done on Thu Apr 26 16:38:51 2007

Age old issue: the driver calls into the net80211 layer holding its softc
lock but net80211 calls copyout and if that faults copying data to user
mode then you'll blow up. I've proposed a solution but no one's responded
so it remains.

Sam
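
The lock-order problem described in the reply above, as an added userland model that is not code from FreeBSD or from anyone in this thread. Every name in it is a constructed stand-in, and the snapshot-then-copy handler shows one general way to avoid the pattern, not necessarily the solution proposed in the thread.

```c
#include <stdio.h>
#include <string.h>
/* Constructed userland model; every name is a stand-in, not a kernel API. */
enum { NONSLEEPABLE, SLEEPABLE };
struct lock { const char *name; int kind; };
static struct lock softc_mtx = { "ath0", NONSLEEPABLE };
static struct lock user_map = { "user map", SLEEPABLE };
static const struct lock *held[8];      /* locks held by this thread */
static int nheld, reversals;
static char stats[16] = "constructed";  /* state guarded by softc_mtx */

/* Models the WITNESS rule: no sleepable lock after a non-sleepable one. */
static void lock_acquire(const struct lock *l) {
    for (int i = 0; l->kind == SLEEPABLE && i < nheld; i++)
        if (held[i]->kind == NONSLEEPABLE) { reversals++; break; }
    held[nheld++] = l;
}
static void lock_release(void) { nheld--; }
/* Models copyout() faulting: the fault path takes the sleepable map lock. */
static void faulting_copyout(const void *k, void *u, size_t n) {
    lock_acquire(&user_map);
    lock_release();
    memcpy(u, k, n);
}

/* Shape of the backtrace: copy out while the driver lock is held. */
static int ioctl_copyout_locked(void *ubuf) {
    int before = reversals;
    lock_acquire(&softc_mtx);
    faulting_copyout(stats, ubuf, sizeof(stats));
    lock_release();
    return reversals - before;   /* reversals reported during this call */
}

/* Snapshot under the lock, drop it, then copy out. */
static int ioctl_snapshot_first(void *ubuf) {
    char tmp[sizeof(stats)];
    int before = reversals;
    lock_acquire(&softc_mtx);
    memcpy(tmp, stats, sizeof(tmp));
    lock_release();
    faulting_copyout(tmp, ubuf, sizeof(tmp));
    return reversals - before;
}
int main(void) {
    char u[sizeof(stats)];
    printf("locked: %d, snapshot: %d\n", ioctl_copyout_locked(u), ioctl_snapshot_first(u));
    return 0;
}
```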