netbsd-bugs: Re: kern/33778 (Intel Pro Wireless 3945ABG support (wpi driver))

Subject: Re: kern/33778 (Intel Pro Wireless 3945ABG support (wpi driver))
To: None <simonb@NetBSD.org, gnats-admin@netbsd.org,>
From: Simon Burge <simonb@NetBSD.org>
List: netbsd-bugs
Date: 06/26/2006 14:35:02
The following reply was made to PR kern/33778; it has been noted by GNATS.

From: Simon Burge <simonb@NetBSD.org>
To: gnats-bugs@NetBSD.org
Cc: simonb@NetBSD.org, netbsd-bugs@netbsd.org,
	gnats-admin@netbsd.org, camjelemon@gmail.com
Subject: Re: kern/33778 (Intel Pro Wireless 3945ABG support (wpi driver)) 
Date: Tue, 27 Jun 2006 00:14:52 +1000

 Hi Jean-Baptiste,
 
 I've seen the following panics while using the wpi driver.  This is on
 a core-duo machine running an MP ACPI kernel if that matters.  The two
 different panics I've seen are, with backtraces:
 
 panic: free 2: inuse 0, probable double free
 
 #25 0xc01bf26f in db_trap (type=1, code=0) at ../../../../ddb/db_trap.c:101
 #26 0xc04a10b2 in kdb_trap (type=1, code=0, regs=0xcbe3acbc)
     at ../../../../arch/i386/i386/db_interface.c:226
 #27 0xc04ae38a in trap (frame=0xcbe3acbc)
     at ../../../../arch/i386/i386/trap.c:312
 #28 0xc010bdae in calltrap ()
 #29 0xc0420dcd in panic (
     fmt=0xc089f160 "free 2: inuse 0, probable double free")
     at ../../../../kern/subr_prf.c:243
 #30 0xc03ff41a in free (addr=0xc25b0400, ksp=0xc08ef200)
     at ../../../../kern/kern_malloc.c:593
 #31 0xc012947a in node_free (ni=0xc25b0400)
     at ../../../../net80211/ieee80211_node.c:972
 #32 0xc012a801 in _ieee80211_free_node (ni=0xc25b0400)
     at ../../../../net80211/ieee80211_node.c:1654
 #33 0xc012f9c9 in ieee80211_newstate (ic=0xc2196244, nstate=IEEE80211_S_INIT, 
     arg=-1) at ../../../../net80211/ieee80211_proto.c:970
 #34 0xc059e652 in wpi_newstate (ic=0xc2196244, nstate=IEEE80211_S_INIT, arg=-1)
     at ../../../../dev/pci/if_wpi.c:880
 #35 0xc05a1af9 in wpi_stop (ifp=0xc219603c, disable=1)
     at ../../../../dev/pci/if_wpi.c:2697
 #36 0xc059f661 in wpi_intr (arg=0xc2196000)
     at ../../../../dev/pci/if_wpi.c:1408
 #37 0xc0499e34 in intr_biglock_wrapper (vp=0xc2430ec0)
     at ../../../../arch/x86/x86/intr.c:534
 
 
 panic: pool_get(mclpl): free list modified: magic=2900c1b0; page 0xcbb81000; item addr 0xcbb81800
 
 #6  0xc01bf26f in db_trap (type=1, code=0) at ../../../../ddb/db_trap.c:101
 #7  0xc04a10b2 in kdb_trap (type=1, code=0, regs=0xd5049130)
     at ../../../../arch/i386/i386/db_interface.c:226
 #8  0xc04ae38a in trap (frame=0xd5049130)
     at ../../../../arch/i386/i386/trap.c:312
 #9  0xc010bdae in calltrap ()
 #10 0xc03fd123 in _simple_lock (alp=0xc098ad90, 
     id=0xc083881a "../../../../kern/subr_pool.c", l=910)
     at ../../../../kern/kern_lock.c:1128
 #11 0xc041ebe2 in pool_get (pp=0xc098ad20, flags=0)
     at ../../../../kern/subr_pool.c:910
 #12 0xc042043c in pool_cache_get_paddr (pc=0xc098a940, flags=0, pap=0xc21a4954)
     at ../../../../kern/subr_pool.c:2037
 #13 0xc059efd5 in wpi_rx_intr (sc=0xc2196000, desc=0xcbb7d000, data=0xc2196fcc)
     at ../../../../dev/pci/if_wpi.c:1148
 #14 0xc059f4da in wpi_notif_intr (sc=0xc2196000)
     at ../../../../dev/pci/if_wpi.c:1323
 #15 0xc059f632 in wpi_intr (arg=0xc2196000)
     at ../../../../dev/pci/if_wpi.c:1413
 #16 0xc0499e34 in intr_biglock_wrapper (vp=0xc2430ec0)
     at ../../../../arch/x86/x86/intr.c:534
 
 The largish frame numbers are because sometimes I get a TLB panic when I
 first type "sync" in ddb.  I'll dig around a little more to try to find
 the cause, but I wanted to let you know about these as soon as I could.
 
 Cheers,
 Simon.