kern/58761: bwi(4): reproducible panic: kernel diagnostic assertion "ci->ci_mtx_count == -1" failed

To: kern-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: kern/58761: bwi(4): reproducible panic: kernel diagnostic assertion "ci->ci_mtx_count == -1" failed
From: vezhlys%gmail.com@localhost
Date: Sat, 19 Oct 2024 22:10:01 +0000 (UTC)

>Number:         58761
>Category:       kern
>Synopsis:       bwi(4): reproducible panic: kernel diagnostic assertion "ci->ci_mtx_count == -1" failed
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Oct 19 22:10:01 +0000 2024
>Originator:     Andrius V
>Release:        NetBSD 10.99.12
>Organization:
>Environment:
NetBSD 10.99.12 (VT-310DP) #2: Sat Oct 19 23:17:54 EEST 2024 i386
>Description:
I have a Buffalo AirStation wireless-g wifi card on cardbus which is attached to a PCI cardbus adapter. NetBSD successfully attaches bfi(4) interface with the required firmware copied to the system. dhcpcd successfully assigns IP address and network is working. However, system crashes as soon as I call ifconfig bwi0 down. System is VIA C3 i386 based system. Reproducible each time. Tested on the latest netbsd current code at time of writing only. Will do checks on older releases later.

panic: kernel diagnostic assertion "ci->ci_mtx_count == -1" failed: file "/home/andriusv/netbsd-src-git/sys/kern/kern_synch.c", line 762 mi_switch: cpu0: ci_mtx_count (-2) != -1 (block with spin-mutex held)
cpu0: Begin traceback...
vpanic(c0fe1c98,dd3179f0,dd317a38,c0a5e139,c0fe1c98,c0efe1c7,c0fe1f5c,c0fe1ac4,2fa,c0ee15a0) at netbsd:vpanic+0x176
kern_assert(c0fe1c98,c0efe1c7,c0fe1f5c,c0fe1ac4,2fa,c0ee15a0,0,fffffffe,c0a593ab,c0a6ca50) at netbsd:kern_assert+0x23
mi_switch(c639cb40,4,0,0,0,c0f2d3d6,c38c26b8,c38c26b8,c38c26c0,2) at netbsd:mi_switch+0x77e
sleepq_block(4,0,c0ee0920,2,0,c11d4740,c38c2580,4,db952000,dd317af4) at netbsd:sleepq_block+0x207
cv_timedwait(c38c26b8,c38c26c0,4,400,cfc,dd317ae4,c38c26b8,3,c38c26c0,4) at netbsd:cv_timedwait+0xe3
pccbb_power(c38c2580,4,dd317b0b,c031b22b,c3e30000,80,c3e6b380,dd317b20,c031782a,dd317b84) at netbsd:pccbb_power+0x230
disable_function(dd317b84,c057368c,c3d7df40,0,b540e2,4d0,c0a94ab9,0,1e,1) at netbsd:disable_function+0x71
cardbus_function_disable(c3d7df40,0,b540e2,4d0,c0a94ab9,0,1e,1,c3e30244,ffffffff) at netbsd:cardbus_function_disable+0xe
bwi_init_statechg(c3e30004,c3e30a90,dd317bb8,c0b6840b,c3e30004,6,0,10003,c3e30a90,c3e30a90) at netbsd:bwi_init_statechg+0x20
bwi_media_change(c3e30004,6,0,10003,c3e30a90,c3e30a90,c3e30a90,dd317bec,c0b68a2d,c3e30a90) at netbsd:bwi_media_change+0x38
ifmedia_change(c3e30a90,c3e30004,0,c0b448aa,0,c3886ac0,c3e6b380,80,c3e30244,c3e30004) at netbsd:ifmedia_change+0x31
ifmedia_ioctl(c3e30004,c4074d00,c3e30a90,c0906937,dd317c2c,dd317c94,0,bfb535b0,dd317c2c,c6124cf0) at netbsd:ifmedia_ioctl+0x231
ieee80211_ioctl(c3e30244,c0906937,c4074d00,c0a1532d,4,c11a7f40,c3e30244,c639cb40,c3e30004,c0906937) at netbsd:ieee80211_ioctl+0x4ef
bwi_ioctl(c3e30004,c0906937,c4074d00,14,c3e30004,c0906937,0,7,c4074d00,8843) at netbsd:bwi_ioctl+0xd8
doifioctl(c6464050,c0906937,c4074d00,c639cb40,c4074d00,1,c42019c0,c0906937,dd317e6c,c0a86b4b) at netbsd:doifioctl+0x876
soo_ioctl(c42019c0,c0906937,c4074d00,c0a64747,c11a7660,c639cb40,0,4af,c0906937,c4074d00) at netbsd:soo_ioctl+0x11c
sys_ioctl(c639cb40,dd317f68,dd317f60,ffffffff,0,dd317f60,c11baa58,36,0,0) at netbsd:sys_ioctl+0x2c3
syscall() at netbsd:syscall+0x10f
--- syscall (number 54) ---

relevant dmesg messages:
cbb0 at pci0 dev 8 function 0: Ricoh 5C475 PCI-CardBus Bridge (rev. 0x81)
...
cbb0: osock_ctrl 0x400 sock_ctrl 0x400
cbb0: wait took 0.040025s
cbb0: cacheline 0x0 lattimer 0x20
cbb0: bhlc 0x22000
allocated pic ioapic0 type level pin 16 level 6 to cpu0 slot 8 idt entry 103
cbb0: interrupting at ioapic0 pin 16
cardslot0 at cbb0
cardbus0 at cardslot0: bus 2 cacheline 0x0, lattimer 0x20
pcmciabus at cardslot0 not configured
...
cbb0: osock_ctrl 0x400 sock_ctrl 0x43
...
cbb0: wait took 0.031573s
cb_reset: enter bcr 7e3010
cb_reset: wrote bcr 7e3010a
...
cb_reset: wrote bcr 7a3010a
cb_reset: end of delay
cardbus0: id reg valid in 0 iterations
bwi0 at cardbus0 function 0: Broadcom Wireless
cardbus_mapreg_map called: cardbus0 0
cardbus_mapreg_map: physaddr 80000000
bwi0: BBP id 0x4318, BBP rev 0x2, BBP pkg 0
bwi0: MAC: rev 9
bwi0: PHY type 2, rev 7, ver 3
bwi0: RF manu 0x17f, type 0x2050, rev 8
bwi0: autoconfiguration error: invalid antenna gain in sprom
bwi0: 11b rates: 1Mbps 2Mbps 5.5Mbps 11Mbps
bwi0: 11g rates: 1Mbps 2Mbps 5.5Mbps 11Mbps 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
cbb0: osock_ctrl 0x430 sock_ctrl 0x400
bwi0: link state DOWN (was UNKNOWN)
cbb0: wait took 0.194386s
...
cbb0: osock_ctrl 0x400 sock_ctrl 0x400
cbb0: wait took 0.196547s
cbb0: osock_ctrl 0x400 sock_ctrl 0x430
cbb0: wait took 0.031575s
cb_reset: enter bcr 4a3010a
cb_reset: wrote bcr 4e3010a
cb_reset: wrote bcr 4a3010a
cb_reset: end of delay
bwi0: firmware rev 0x0127, patch level 0x000e
bwi0: autoconfiguration error: base tssi measure failed
...
bwi0: link state UP (was DOWN)


wpa_supplicant sometimes throws this error (on link up for example)
wpa_supplicant[1598]: ioctl[SIOCS80211, op=20, val=0, arg_len=7]: Invalid argument
>How-To-Repeat:
# wpa_supplicant enabled and configured
# dhcpcd enabled
# bwi0 fully configured and working 
ifconfig bwi0
run:
ifconfig bwi0 down

# observe panic shortly after

>Fix:

Prev by Date: Re: kern/58760: running fdisk(8) on a vnd(4) backed by NFS crashes the kernel
Next by Date: misc/58762: arm binary/sets/base32.tgz is bogus
Previous by Thread: Re: kern/16401 (filesystem corrupt after 'rm' with msdosfs on vnd)
Next by Thread: misc/58762: arm binary/sets/base32.tgz is bogus
Indexes:

Home | Main Index | Thread Index | Old Index