Bug 208605

Summary: Kernel panic when unplug and replug USB WiFi dongle.
Product: Base System
Reporter: Johannes Lundberg <johalun0>
Component: wireless
Assignee: freebsd-wireless (Nobody) <wireless>
Status: Closed FIXED
Severity: Affects Some People
CC: adrian, amd64, hselasky, usb
Priority: ---
Version: CURRENT
Hardware: amd64
OS: Any

Description Johannes Lundberg 2016-04-07 15:49:08 UTC
Dongle: EDIMAX EW-7811UN
Chipset: RTL8188CUS

Backtrace (sorry GENERIC-NODEBUG build):

(kgdb) bt
#0  doadump (textdump=1) at pcpu.h:221
#1  0xffffffff80aa8c03 in kern_reboot (howto=260) at /usr/home/mirama/dev/freebsd/sys/kern/kern_shutdown.c:364
#2  0xffffffff80aa916b in vpanic (fmt=<value optimized out>, ap=<value optimized out>) at /usr/home/mirama/dev/freebsd/sys/kern/kern_shutdown.c:757
#3  0xffffffff80aa8fa3 in panic (fmt=0x0) at /usr/home/mirama/dev/freebsd/sys/kern/kern_shutdown.c:688
#4  0xffffffff80f445d1 in trap_fatal (frame=0xfffffe011a0648b0, eva=48) at /usr/home/mirama/dev/freebsd/sys/amd64/amd64/trap.c:841
#5  0xffffffff80f447c3 in trap_pfault (frame=0xfffffe011a0648b0, usermode=0) at /usr/home/mirama/dev/freebsd/sys/amd64/amd64/trap.c:691
#6  0xffffffff80f43d6c in trap (frame=0xfffffe011a0648b0) at /usr/home/mirama/dev/freebsd/sys/amd64/amd64/trap.c:442
#7  0xffffffff80f27557 in calltrap () at /usr/home/mirama/dev/freebsd/sys/amd64/amd64/exception.S:234
#8  0xffffffff80bfb4ec in scan_curchan_task (arg=<value optimized out>, pending=<value optimized out>)
    at /usr/home/mirama/dev/freebsd/sys/net80211/ieee80211_scan_sw.c:808
#9  0xffffffff80b003fb in taskqueue_run_locked (queue=<value optimized out>) at /usr/home/mirama/dev/freebsd/sys/kern/subr_taskqueue.c:430
#10 0xffffffff80b01238 in taskqueue_thread_loop (arg=<value optimized out>) at /usr/home/mirama/dev/freebsd/sys/kern/subr_taskqueue.c:683
#11 0xffffffff80a63cac in fork_exit (callout=0xffffffff80b01160 <taskqueue_thread_loop>, arg=0xfffffe0001ea40e0, frame=0xfffffe011a064ac0)
    at /usr/home/mirama/dev/freebsd/sys/kern/kern_fork.c:1034
#12 0xffffffff80f27a8e in fork_trampoline () at /usr/home/mirama/dev/freebsd/sys/amd64/amd64/exception.S:609
#13 0x0000000000000000 in ?? ()
Comment 1 Hans Petter Selasky freebsd_committer freebsd_triage 2016-04-13 07:08:40 UTC
Adrian - can you have a look at this?
Comment 2 Adrian Chadd freebsd_committer freebsd_triage 2016-04-14 19:32:32 UTC
The real problem(tm) is that we don't have a nice framework for handling device lifecycle when it comes to unplug events like this.
Comment 3 commit-hook freebsd_committer freebsd_triage 2016-04-19 20:20:17 UTC
A commit references this bug:

Author: avos
Date: Tue Apr 19 20:19:22 UTC 2016
New revision: 298293
URL: https://svnweb.freebsd.org/changeset/base/298293

Log:
  net80211: do not reschedule scan_curchan_task() if the scan was canceled.

  This should fix possible use-after-free in the scheduled task.

  PR:		208605

Changes:
  head/sys/net80211/ieee80211_scan_sw.c
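Constructed model of the bug class the commit log above describes (a self-rescheduling task that re-arms after its scan has been canceled and its state is about to be freed) and of the fix (check cancellation before re-arming). This is added example code, not the net80211 sources; the single-slot taskqueue, the scan_state fields and the run_scan() driver are simplifications assumed here.

```c
#include <stdbool.h>
#include <stddef.h>

/* Single-slot stand-in for the kernel taskqueue (constructed model). */
typedef void (*task_fn)(void *);
static task_fn pending_fn;
static void   *pending_arg;

static void taskqueue_enqueue(task_fn fn, void *arg)
{
	pending_fn = fn; pending_arg = arg;
}

/* Scan bookkeeping; the detach path frees it once the scan is canceled. */
struct scan_state {
	bool canceled;    /* set by cancel/detach, checked by the task */
	bool fixed;       /* true: apply the r298293-style "do not re-arm" check */
	int  channels_left;
	int  late_rearms; /* re-arms after cancel: each one is a future use-after-free */
};

/* Model of scan_curchan_task(): visit one channel, then re-arm itself. */
static void scan_curchan_task(void *arg)
{
	struct scan_state *ss = arg;
	ss->channels_left--;
	if (ss->fixed && ss->canceled)
		return;  /* the fix: a canceled scan must not reschedule itself */
	if (ss->channels_left > 0) {
		if (ss->canceled)
			ss->late_rearms++;
		taskqueue_enqueue(scan_curchan_task, ss);
	}
}

/* Scan 'nchan' channels with the cancel landing just before task run number
 * 'cancel_at'; returns re-arms after cancel (0 is the only safe value). */
static int run_scan(int nchan, int cancel_at, bool fixed)
{
	struct scan_state ss = { false, fixed, nchan, 0 };
	taskqueue_enqueue(scan_curchan_task, &ss);
	for (int step = 0; pending_fn != NULL; step++) {
		task_fn fn = pending_fn;
		if (step == cancel_at)
			ss.canceled = true;  /* detach: cancel, then drain the queue */
		pending_fn = NULL;
		fn(pending_arg);
	}
	return ss.late_rearms;
}
```

With the check in place the drain after cancel runs at most the task that was already queued, so nothing touches the scan state after the detach path is allowed to free it.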
Comment 4 Johannes Lundberg 2016-04-27 15:22:52 UTC
Seems to have been fixed. No more crashes now. Thank you!