Subject: Re: kern/33778 (Intel Pro Wireless 3945ABG support (wpi driver))
To: None <gnats-bugs@NetBSD.org>
From: Simon Burge <simonb@NetBSD.org>
List: netbsd-bugs
Date: 06/27/2006 00:14:52

Hi Jean-Baptiste,

I've seen the following panics while using the wpi driver.  This is on
a Core Duo machine running an MP ACPI kernel, if that matters.  The two
different panics I've seen are, with backtraces:

panic: free 2: inuse 0, probable double free

#25 0xc01bf26f in db_trap (type=1, code=0) at ../../../../ddb/db_trap.c:101
#26 0xc04a10b2 in kdb_trap (type=1, code=0, regs=0xcbe3acbc)
    at ../../../../arch/i386/i386/db_interface.c:226
#27 0xc04ae38a in trap (frame=0xcbe3acbc)
    at ../../../../arch/i386/i386/trap.c:312
#28 0xc010bdae in calltrap ()
#29 0xc0420dcd in panic (
    fmt=0xc089f160 "free 2: inuse 0, probable double free")
    at ../../../../kern/subr_prf.c:243
#30 0xc03ff41a in free (addr=0xc25b0400, ksp=0xc08ef200)
    at ../../../../kern/kern_malloc.c:593
#31 0xc012947a in node_free (ni=0xc25b0400)
    at ../../../../net80211/ieee80211_node.c:972
#32 0xc012a801 in _ieee80211_free_node (ni=0xc25b0400)
    at ../../../../net80211/ieee80211_node.c:1654
#33 0xc012f9c9 in ieee80211_newstate (ic=0xc2196244, nstate=IEEE80211_S_INIT, 
    arg=-1) at ../../../../net80211/ieee80211_proto.c:970
#34 0xc059e652 in wpi_newstate (ic=0xc2196244, nstate=IEEE80211_S_INIT, arg=-1)
    at ../../../../dev/pci/if_wpi.c:880
#35 0xc05a1af9 in wpi_stop (ifp=0xc219603c, disable=1)
    at ../../../../dev/pci/if_wpi.c:2697
#36 0xc059f661 in wpi_intr (arg=0xc2196000)
    at ../../../../dev/pci/if_wpi.c:1408
#37 0xc0499e34 in intr_biglock_wrapper (vp=0xc2430ec0)
    at ../../../../arch/x86/x86/intr.c:534


panic: pool_get(mclpl): free list modified: magic=2900c1b0; page 0xcbb81000; item addr 0xcbb81800

#6  0xc01bf26f in db_trap (type=1, code=0) at ../../../../ddb/db_trap.c:101
#7  0xc04a10b2 in kdb_trap (type=1, code=0, regs=0xd5049130)
    at ../../../../arch/i386/i386/db_interface.c:226
#8  0xc04ae38a in trap (frame=0xd5049130)
    at ../../../../arch/i386/i386/trap.c:312
#9  0xc010bdae in calltrap ()
#10 0xc03fd123 in _simple_lock (alp=0xc098ad90, 
    id=0xc083881a "../../../../kern/subr_pool.c", l=910)
    at ../../../../kern/kern_lock.c:1128
#11 0xc041ebe2 in pool_get (pp=0xc098ad20, flags=0)
    at ../../../../kern/subr_pool.c:910
#12 0xc042043c in pool_cache_get_paddr (pc=0xc098a940, flags=0, pap=0xc21a4954)
    at ../../../../kern/subr_pool.c:2037
#13 0xc059efd5 in wpi_rx_intr (sc=0xc2196000, desc=0xcbb7d000, data=0xc2196fcc)
    at ../../../../dev/pci/if_wpi.c:1148
#14 0xc059f4da in wpi_notif_intr (sc=0xc2196000)
    at ../../../../dev/pci/if_wpi.c:1323
#15 0xc059f632 in wpi_intr (arg=0xc2196000)
    at ../../../../dev/pci/if_wpi.c:1413
#16 0xc0499e34 in intr_biglock_wrapper (vp=0xc2430ec0)
    at ../../../../arch/x86/x86/intr.c:534

The largish frame numbers are because sometimes I get a TLB panic when I
first type "sync" in ddb.  I'll dig around a little more to try to find
the cause, but I wanted to let you know about these as soon as I could.

Cheers,
Simon.