Subject: trap in ipw(4)
To: None <tech-net@netbsd.org>
From: john heasley <heas@shrubbery.net>
List: tech-net
Date: 12/15/2004 15:25:38
I've hit a trap in the ipw driver several times on an ibm t41p w/ a
2100 3B mini-pci.  I can almost reliably trigger it by booting, logging
in from a remote, and running dmesg.  It always occurs at the same place
each time; IIRC, from the two occasions where it wasn't stuck in X, it
complained about the value of %ebx, which appears to be m (the mbuf *).

It seems as if the values of ifp and m (in ipw_start) get swapped
somehow.  I looked through the code and do not see any place where these
could get swapped.

The firmware is the most recent with -current of ~12/4.  It is not doing
WEP.

Has anyone seen this before?  Clues on how to debug?

#7  0xc026b9bf in trap (frame=0xcd553624)
    at ../../../../arch/i386/i386/trap.c:270
#8  0xc0102cc3 in calltrap ()
#9  0xc02bb227 in ipw_start (ifp=0xc2159038)
    at ../../../../dev/pci/if_ipw.c:850
#10 0xc0227f46 in ether_output (ifp=0xc2159038, m0=0xc23eaa00, dst=0xcd5537a4, 
    rt0=0x0) at ../../../../net/if_ethersubr.c:549
#11 0xc0244f5c in in_arpinput (m=0xc23eaa00)
    at ../../../../netinet/if_arp.c:1117
#12 0xc0244a1d in arpintr () at ../../../../netinet/if_arp.c:805

(gdb) p ifp
$1 = (struct ifnet *) 0xc2159038
(gdb) do
#9  0xc02bb227 in ipw_start (ifp=0xc2159038)
    at ../../../../dev/pci/if_ipw.c:850
850                     if (ipw_tx_start(ifp, m, ni) != 0) {
(gdb) p ifp
$2 = (struct ifnet *) 0xc2159000
(gdb) p m
$3 = (struct mbuf *) 0xc2159038
(gdb) info reg
eax            0xcd5533e0       -850054176
ecx            0x0      0
edx            0x0      0
ebx            0xc2159038       -1038774216
esp            0xcd55333c       0xcd55333c
ebp            0xcd5536bc       0xcd5536bc
esi            0xc2159000       -1038774272
edi            0x0      0
eip            0xc02bb227       0xc02bb227

#7  0xc026b9bf in trap (frame=0xc046eb8c)
    at ../../../../arch/i386/i386/trap.c:270
#8  0xc0102cc3 in calltrap ()
#9  0xc02bb227 in ipw_start (ifp=0xc2159038)
    at ../../../../dev/pci/if_ipw.c:850
#10 0xc0227f46 in ether_output (ifp=0xc2159038, m0=0xc2501600, dst=0xc21b5b70, 
    rt0=0xc22e1c60) at ../../../../net/if_ethersubr.c:549
#11 0xc0109eb4 in ip_output (m0=0xc2501600)
    at ../../../../netinet/ip_output.c:784
#12 0xc01120ab in tcp_output (tp=0xc24ad62c)
    at ../../../../netinet/tcp_output.c:1255
#13 0xc011526c in tcp_delack (arg=0xc24ad62c)
    at ../../../../netinet/tcp_timer.c:235
#14 0xc01e9a6a in softclock (v=0x0) at ../../../../kern/kern_timeout.c:387
#15 0xc025cde4 in softintr_dispatch (which=0)
    at ../../../../arch/x86/x86/softintr.c:104
#16 0xc01029de in Xsoftclock ()

(gdb) p ifp
$1 = (struct ifnet *) 0xc2159038
(gdb) do
#9  0xc02bb227 in ipw_start (ifp=0xc2159038)
    at ../../../../dev/pci/if_ipw.c:850
850                     if (ipw_tx_start(ifp, m, ni) != 0) {
(gdb) p ifp
$2 = (struct ifnet *) 0xc2159000
(gdb) p m
$3 = (struct mbuf *) 0xc2159038
(gdb) info registers
eax            0xc046e948       -1069094584
ecx            0x0      0
edx            0x0      0
ebx            0xc2159038       -1038774216
esp            0xc046e8a4       0xc046e8a4
ebp            0xc046ec24       0xc046ec24
esi            0xc2159000       -1038774272
edi            0x0      0
eip            0xc02bb227       0xc02bb227
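Added example, not part of john heasley's post and not code from the NetBSD ipw driver. One thing worth checking in the gdb output above before hunting for a swap: the value gdb labels m inside ipw_start (0xc2159038, in %ebx) is exactly the ifp that ether_output passed in, and the value it now labels ifp (0xc2159000, in %esi) is 0x38 bytes below it. Two pointers that differ by a fixed struct-member offset are often one object seen through two members (for instance an ifnet embedded in its softc, with the softc reached through if_softc), which can mean optimized-code debug info is attributing the wrong register to a variable rather than that the arguments were really swapped. The program below makes that check explicit and generic (any list of candidate member offsets). The struct layout, the 0x38 bytes of leading fields and the member names are a mock-up assumed for illustration, not the real struct ipw_softc or struct ifnet.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Mock layout (an assumption for this example, not the real ipw_softc):
 * a softc with 0x38 bytes of leading fields followed by an embedded
 * interface struct that carries a back-pointer to the enclosing softc.
 */
struct mock_ifnet {
    char  if_xname[16];
    void *if_softc;                   /* back-pointer to the enclosing softc */
};

struct mock_softc {
    uint8_t           dev_fields[0x38]; /* assumed size of leading fields */
    struct mock_ifnet sc_if;            /* embedded interface struct */
};

/* One candidate embedded member: where it starts inside the outer object. */
struct member_desc {
    const char *name;
    size_t      offset;
    size_t      size;
};

static const struct member_desc mock_members[] = {
    { "sc_if", offsetof(struct mock_softc, sc_if), sizeof(struct mock_ifnet) },
};
#define N_MOCK_MEMBERS (sizeof(mock_members) / sizeof(mock_members[0]))

/*
 * Return the index of the member of the object at `base` that starts
 * exactly at `other`, or -1 if `other` does not begin any listed member.
 * Addresses are carried as uint64_t so 32-bit kernel values fit on any host.
 */
int find_embedded_member(uint64_t base, uint64_t other,
                         const struct member_desc *members, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (other == base + members[i].offset)
            return (int)i;
    }
    return -1;
}

/* 1 if `other` is the embedded ifnet of the mock softc at `base`, else 0. */
int is_embedded_ifnet(uint64_t base, uint64_t other)
{
    return find_embedded_member(base, other, mock_members, N_MOCK_MEMBERS) == 0;
}

int main(void)
{
    /* Values copied from the gdb session in the post: what gdb prints as
       ifp inside ipw_start, what it prints as m (equal to the ifp that
       ether_output passed), and the m0 ether_output itself was handed. */
    uint64_t shown_ifp = 0xc2159000ULL;
    uint64_t shown_m   = 0xc2159038ULL;
    uint64_t real_mbuf = 0xc23eaa00ULL;

    int idx = find_embedded_member(shown_ifp, shown_m,
                                   mock_members, N_MOCK_MEMBERS);
    if (idx >= 0)
        printf("0x%llx starts member %s of the object at 0x%llx "
               "(offset 0x%zx, size 0x%zx)\n",
               (unsigned long long)shown_m, mock_members[idx].name,
               (unsigned long long)shown_ifp,
               mock_members[idx].offset, mock_members[idx].size);
    else
        printf("0x%llx is not a listed member of 0x%llx\n",
               (unsigned long long)shown_m, (unsigned long long)shown_ifp);

    printf("is 0x%llx the embedded ifnet of 0x%llx? %d\n",
           (unsigned long long)real_mbuf, (unsigned long long)shown_ifp,
           is_embedded_ifnet(shown_ifp, real_mbuf));
    return 0;
}
```

If the real struct ipw_softc puts its ieee80211com/ifnet at 0x38 from the softc base, the two "swapped" values are the softc and its own interface, and the next step is to read the registers against the disassembly of ipw_start at if_ipw.c:850 rather than to trust gdb's variable labels in optimized code; if the offsets do not match, the swap hypothesis stays open.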