NetBSD Problem Report #37400

From jukka+moray@salmi.ch  Sat Nov 17 14:05:57 2007
Return-Path: <jukka+moray@salmi.ch>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by narn.NetBSD.org (Postfix) with ESMTP id DB99863B89A
	for <gnats-bugs@gnats.NetBSD.org>; Sat, 17 Nov 2007 14:05:56 +0000 (UTC)
Message-Id: <20071117140553.E880E1A49F@moray.salmi.ch>
Date: Sat, 17 Nov 2007 15:05:53 +0100 (CET)
From: j+nbsd@2007.salmi.ch
To: gnats-bugs@NetBSD.org
Subject: panic in ath_rate_findrate(): ndx is 0
X-Send-Pr-Version: 3.95

>Number:         37400
>Category:       kern
>Synopsis:       panic in ath_rate_findrate(): ndx is 0
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Nov 17 14:10:01 +0000 2007
>Last-Modified:  Wed Jan 26 21:50:02 +0000 2011
>Originator:     Jukka Salmi
>Release:        NetBSD 4.0_RC4
>Environment:
System: NetBSD clam.salmi.ch 4.0_RC4 NetBSD 4.0_RC4 (CLAM) #0: Fri Nov  9 21:40:09 UTC 2007  root@moray.salmi.ch:/b/build/nbsd/4/i386/sys/arch/i386/compile/CLAM i386
Architecture: i386
Machine: i386
Some sysctl settings:
net.link.ieee80211.vap0.parent = ath0
hw.ath.dwell = 200
hw.ath.calibrate = 30
hw.ath.outdoor = 1
hw.ath.countrycode = 0
hw.ath.regdomain = 0
hw.ath.debug = 0
hw.ath.rxbuf = 40
hw.ath.txbuf = 100
hw.ath.hal.version = 0.9.17.2
hw.ath.hal.dma_brt = 2
hw.ath.hal.sw_brt = 10
hw.ath.hal.swba_backoff = 0
hw.ath0.smoothing_rate = 95
hw.ath0.sample_rate = 10
hw.ath0.countrycode = 0
hw.ath0.debug = 0
hw.ath0.slottime = 9
hw.ath0.acktimeout = 48
hw.ath0.ctstimeout = 48
hw.ath0.softled = 0
hw.ath0.ledpin = 0
hw.ath0.ledon = 0
hw.ath0.ledidle = 270
hw.ath0.txantenna = 0
hw.ath0.rxantenna = 1
hw.ath0.diversity = 1
hw.ath0.txintrperiod = 5
hw.ath0.diag = 0
hw.ath0.tpscale = 0
hw.ath0.tpc = 0
hw.ath0.tpack = 63
hw.ath0.tpcts = 63
hw.ath0.regdomain = 0

>Description:
This system mainly acts as a WLAN access point, routing traffic between
three IPv4 networks. About once or twice a week the system panics as
described below. Slightly modifying sys/dev/ic/athrate-sample.c and
waiting for the next panic revealed that both ndx and sn->num_rates
indeed were zero.

>How-To-Repeat:
I haven't yet found out how to deliberately force the panic. When it
happens, the panic message is `panic: ndx is 0', and ddb shows:

panic: ndx is 0
Stopped at      netbsd:cpu_Debugger+0x4:        popl    %ebp
db> bt
cpu_Debugger(c0ee88c0,0,0,c0ee8854,0) at netbsd:cpu_Debugger+0x4
panic(c026dee7,0,0,0,20) at netbsd:panic+0x12b
ath_rate_findrate(c10e5000,c10f4000,0,108,c0ee896f) at netbsd:ath_rate_findrate+0x3de
ath_start(c10e503c,c1185700,2,5,c1185700) at netbsd:ath_start+0x941
ifq_enqueue(c10e503c,c118dc00,c10e5160,c10e5160,c0ee8a6c) at netbsd:ifq_enqueue+0xb5
ether_output(c10e503c,c1185700,c0e962f8,c1048908,0) at netbsd:ether_output+0x3bc
ip_output(c118dc00,0,c0e962f4,1,0) at netbsd:ip_output+0x996
ip_forward(c118dc00,1,8004e39,8004e39,c0ee8b10) at netbsd:ip_forward+0x1b2
ip_input(c118dc00,0,c0ee8b48,c012202e,c106ea80) at netbsd:ip_input+0x4fb
ipintr(c0ee0010,30,10,c0ee0010,c0ee8ce0) at netbsd:ipintr+0x59
DDB lost frame for netbsd:Xsoftnet+0x41, trying 0xc0ee8b50
Xsoftnet() at netbsd:Xsoftnet+0x41
--- interrupt ---
0x246:
db> show registers
ds          0x10
es          0x10
fs          0x30
gs          0x10
edi         0xc10f41f8
esi         0xc026dee7  copyright+0x9d67
ebp         0xc0ee8828  _prop_array_pool+0x46e28
ebx         0
edx         0x7
ecx         0x286
eax         0x1
eip         0xc0205411  cpu_Debugger+0x4
cs          0x8
eflags      0x246
esp         0xc0ee8828  _prop_array_pool+0x46e28
ss          0x10
netbsd:cpu_Debugger+0x4:        popl    %ebp
db> reboot
syncing disks... sip1: receive ring overrun
sip0: receive ring overrun
done

>Fix:
...would be most appreciated.

>Audit-Trail:
From: Paul Ripke <stix@stix.id.au>
To: NetBSD gnats-bugs <gnats-bugs@NetBSD.org>
Cc: 
Subject: Re: kern/37400 panic in ath_rate_findrate(): ndx is 0
Date: Fri, 21 Dec 2007 11:20:29 +1100

 Managed to trip over this myself. Occurred exactly at the time I did
 a "sudo ifconfig en1 down up" on a Mac OS X laptop that was peered
 to the NetBSD access point.

 Have not tried again to see if it is reproducible.

 -- 
 Paul Ripke

From: Jukka Salmi <j+nbsd@2008.salmi.ch>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: kern/37400: panic in ath_rate_findrate(): ndx is 0
Date: Tue, 5 Feb 2008 18:40:54 +0100

 I've just seen probably the same problem happening while the system
 was running NetBSD/i386 4.99.52. Unfortunately ddb.onpanic was 0, so
 I can't verify whether it really was the same problem. The only thing
 I can see now are these dmesg contents:

 	ath0: device timeout (txq 8)
 	panic: ndx is 0
 	Begin traceback...
 	End traceback...
 	syncing disks...

 ...and then the system rebooted. The system is now still running 4.99.52
 with ddb.onpanic=1, waiting for the next crash...

 -- 
 It's an odd coincidence that all the men whose skulls have been opened
 had a brain.

 	Ludwig Wittgenstein

From: Paul Ripke <stix@stix.id.au>
To: NetBSD gnats-bugs <gnats-bugs@NetBSD.org>
Cc: 
Subject: Re: kern/37400 panic in ath_rate_findrate(): ndx is 0
Date: Thu, 19 Mar 2009 21:52:27 +1100

 Just hit this again. Kernel is 4.0_STABLE, built
 Sun Jan 11 00:17:44 EST 2009.

 I now also have a full system dump of the panic and appropriate symbol
 file if anyone is interested in digging. Backtrace of the panic CPU is

 #0  0xc03c070a in cpu_reboot (howto=0, bootstr=0x0) at /export/netbsd/netbsd-4/src/sys/arch/i386/i386/machdep.c:896
 #1  0xc033a187 in panic (fmt=0x0) at /export/netbsd/netbsd-4/src/sys/kern/subr_prf.c:246
 #2  0xc020609b in ath_rate_findrate (sc=0xc1afb000, an=0xc27dd000, shortPreamble=0, frameLen=1110, rix=0xcc945fab "", 
     try0=0xcc945fa4, txrate=0xcc945faa "") at /export/netbsd/netbsd-4/src/sys/dev/ic/athrate-sample.c:353
 #3  0xc0200243 in ath_start (ifp=0xc1afb03c) at /export/netbsd/netbsd-4/src/sys/dev/ic/ath.c:3631
 #4  0xc037d8d6 in ifq_enqueue (ifp=0xc1afb03c, m=0xc2294b00, pktattr=0xcc946034)
     at /export/netbsd/netbsd-4/src/sys/net/if.c:1702
 #5  0xc0382faa in ether_output (ifp0=0xc1afb03c, m0=0xc2294b00, dst=0xc05a4298, rt0=0xc1fb2aa4)
     at /export/netbsd/netbsd-4/src/sys/net/if_ethersubr.c:522
 #6  0xc013f9c9 in ip_output (m0=0xc1fbb800) at /export/netbsd/netbsd-4/src/sys/netinet/ip_output.c:888
 #7  0xc013bd3a in ip_forward (m=0xc1fbb800, srcrt=1) at /export/netbsd/netbsd-4/src/sys/netinet/ip_input.c:1937
 #8  0xc013d851 in ip_input (m=0xc1fbb800) at /export/netbsd/netbsd-4/src/sys/netinet/ip_input.c:885
 #9  0xc013d921 in ipintr () at /export/netbsd/netbsd-4/src/sys/netinet/ip_input.c:471
 #10 0xc010bba9 in Xsoftnet ()
 #11 0x00000010 in ?? ()
 #12 0xcc940030 in ?? ()
 #13 0xc01f0010 in ahc_handle_seqint (ahc=0xc1aa5fc0, intstat=3248761344)
     at /export/netbsd/netbsd-4/src/sys/dev/ic/aic7xxx.c:2623

 -- 
 Paul Ripke

From: "OBATA Akio" <obache@netbsd.org>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: kern/37400: panic in ath_rate_findrate(): ndx is 0
Date: Mon, 17 Jan 2011 14:29:05 +0900

 Is this issue the same as PR#34118?
 Is someone else trying roy's patch in the PR?

From: Jukka Salmi <j+nbsd@2010.salmi.ch>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: kern/37400: panic in ath_rate_findrate(): ndx is 0
Date: Wed, 26 Jan 2011 21:27:54 +0100

 OBATA Akio wrote:
 >  Is this issue the same as PR#34118?
 >  Is someone else trying roy's patch in the PR?

 Not sure, but I can't test because (at least ATM) I don't have the
 hardware I was seeing the problem with anymore...

 -- 
 This email fills a much-needed gap in your mailbox.
