erikarn/athp

AP panic: Duplicate free .. from mbuf_packet

Opened this issue · 2 comments

bzfbd commented

This is a backtrace for Pull Request #26.
It happens in AP mode.
I can easily trigger it by issuing, say: ifconfig wlan0 channel 8

athp0: athp_vap_wme_update: called
athp0: ath10k_conf_tx: ac=0, cwmin=15, cwmax=63, aifs=3, txop=0
athp0: ath10k_conf_tx: ac=1, cwmin=15, cwmax=1023, aifs=7, txop=0
athp0: ath10k_conf_tx: ac=2, cwmin=7, cwmax=15, aifs=1, txop=3008
athp0: ath10k_conf_tx: ac=3, cwmin=3, cwmax=7, aifs=1, txop=1504
athp0: athp_vap_newstate: SCAN -> RUN (is_setup=1) (is_dying=0)
athp0: ath10k_vif_restart: called, but not started!
athp0: ath10k_vdev_restart: XXX: notice, isn't already started
athp0: ath10k_vdev_start_restart: called; dtim=0, intval=0; restart=1
athp0: ath10k_recalc_radar_detection: TODO
athp0: athp_vif_ap_setup: TODO: probe response template setup
athp0: athp_vif_ap_setup: TODO: set hidden_ssid flag if required
athp0: ath10k_control_beaconing: called; enable=1
athp0: ath10k_control_beaconing: TODO: fix_hidden_ssid!
athp0: athp_vif_ap_setup: TODO: RTS/CTS prot, ERP slot, ERP preamble
athp0: athp_vap_wme_update: called
athp0: ath10k_conf_tx: ac=0, cwmin=7, cwmax=1023, aifs=2, txop=0
athp0: ath10k_conf_tx: ac=1, cwmin=15, cwmax=1023, aifs=7, txop=0
athp0: ath10k_conf_tx: ac=2, cwmin=7, cwmax=15, aifs=1, txop=3008
PKTLOG [614586] WAL_DBGID_CHANNEL_CHANGE ( 0x7098f, 0 )
athp0: ath10k_conf_tx: ac=3, cwmin=3, cwmax=7, aifs=1, txop=1504
panic: Duplicate free of 0xfffff8003b4e3000 from zone 0xfffffe0007ac3000(mbuf_packet) slab 0xfffff8003b4e3fd8(0)

cpuid = 0
time = 1490284479
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe003b171480
vpanic() at vpanic+0x182/frame 0xfffffe003b1714d0
panic() at panic+0x43/frame 0xfffffe003b171530
uma_dbg_free() at uma_dbg_free+0x1f2/frame 0xfffffe003b171570
uma_zfree_arg() at uma_zfree_arg+0x130/frame 0xfffffe003b1715c0
mb_free_ext() at mb_free_ext+0x114/frame 0xfffffe003b1715f0
m_free() at m_free+0xd8/frame 0xfffffe003b171620
m_freem() at m_freem+0x28/frame 0xfffffe003b171640
_athp_freebuf() at _athp_freebuf+0x175/frame 0xfffffe003b171670
ath10k_wmi_event_host_swba() at ath10k_wmi_event_host_swba+0x7a7/frame 0xfffffe003b171910
ath10k_wmi_10_2_op_rx() at ath10k_wmi_10_2_op_rx+0x2b9/frame 0xfffffe003b1719b0
ath10k_htc_rx_completion_handler() at ath10k_htc_rx_completion_handler+0x203/frame 0xfffffe003b171a40
ath10k_pci_ce_recv_data() at ath10k_pci_ce_recv_data+0xff/frame 0xfffffe003b171ac0
ath10k_ce_per_engine_service() at ath10k_ce_per_engine_service+0x8c/frame 0xfffffe003b171b00
ath10k_pci_ce_tasklet() at ath10k_pci_ce_tasklet+0x55/frame 0xfffffe003b171b20
ithread_loop() at ithread_loop+0x279/frame 0xfffffe003b171bb0
fork_exit() at fork_exit+0x80/frame 0xfffffe003b171bf0
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe003b171bf0
--- trap 0, rip = 0, rsp = 0, rbp = 0 ---
KDB: enter: panic
[ thread pid 12 tid 100136 ]
Stopped at      kdb_enter+0x37: movq    $0,0x10c9ad6(%rip)

Hey Bz, thanks for the effort on this. Have you been able to test out vif, and even interface creation in pfsense?

bzfbd commented

I am on FreeBSD HEAD, not on pfsense.