208605 – Kernel panic when unplug and replug USB WiFi dongle.

Bug 208605 - Kernel panic when unplug and replug USB WiFi dongle.

Summary: Kernel panic when unplug and replug USB WiFi dongle.

Status:	Closed FIXED

Alias:	None

Product:	Base System
Classification:	Unclassified
Component:	wireless (show other bugs)
Version:	CURRENT
Hardware:	amd64 Any

Importance:	--- Affects Some People
Assignee:	freebsd-wireless (Nobody)

URL:
Keywords:

Depends on:
Blocks:

Reported:	2016-04-07 15:49 UTC by Johannes Lundberg
Modified:	2016-04-27 15:22 UTC (History)
CC List:	4 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Johannes Lundberg 2016-04-07 15:49:08 UTC

Dongle: EDIMAX EW-7811UN
Chipset: RTL8188CUS

Backtrace (sorry GENERIC-NODEBUG build):

(kgdb) bt
#0  doadump (textdump=1) at pcpu.h:221
#1  0xffffffff80aa8c03 in kern_reboot (howto=260) at /usr/home/mirama/dev/freebsd/sys/kern/kern_shutdown.c:364
#2  0xffffffff80aa916b in vpanic (fmt=<value optimized out>, ap=<value optimized out>) at /usr/home/mirama/dev/freebsd/sys/kern/kern_shutdown.c:757
#3  0xffffffff80aa8fa3 in panic (fmt=0x0) at /usr/home/mirama/dev/freebsd/sys/kern/kern_shutdown.c:688
#4  0xffffffff80f445d1 in trap_fatal (frame=0xfffffe011a0648b0, eva=48) at /usr/home/mirama/dev/freebsd/sys/amd64/amd64/trap.c:841
#5  0xffffffff80f447c3 in trap_pfault (frame=0xfffffe011a0648b0, usermode=0) at /usr/home/mirama/dev/freebsd/sys/amd64/amd64/trap.c:691
#6  0xffffffff80f43d6c in trap (frame=0xfffffe011a0648b0) at /usr/home/mirama/dev/freebsd/sys/amd64/amd64/trap.c:442
#7  0xffffffff80f27557 in calltrap () at /usr/home/mirama/dev/freebsd/sys/amd64/amd64/exception.S:234
#8  0xffffffff80bfb4ec in scan_curchan_task (arg=<value optimized out>, pending=<value optimized out>)
    at /usr/home/mirama/dev/freebsd/sys/net80211/ieee80211_scan_sw.c:808
#9  0xffffffff80b003fb in taskqueue_run_locked (queue=<value optimized out>) at /usr/home/mirama/dev/freebsd/sys/kern/subr_taskqueue.c:430
#10 0xffffffff80b01238 in taskqueue_thread_loop (arg=<value optimized out>) at /usr/home/mirama/dev/freebsd/sys/kern/subr_taskqueue.c:683
#11 0xffffffff80a63cac in fork_exit (callout=0xffffffff80b01160 <taskqueue_thread_loop>, arg=0xfffffe0001ea40e0, frame=0xfffffe011a064ac0)
    at /usr/home/mirama/dev/freebsd/sys/kern/kern_fork.c:1034
#12 0xffffffff80f27a8e in fork_trampoline () at /usr/home/mirama/dev/freebsd/sys/amd64/amd64/exception.S:609
#13 0x0000000000000000 in ?? ()

Comment 1 Hans Petter Selasky freebsd_committer

2016-04-13 07:08:40 UTC

Adrian - can you have a look at this?

Comment 2 Adrian Chadd freebsd_committer

2016-04-14 19:32:32 UTC

The real problem(tm) is that we don't have a nice framework for handling device lifecycle when it comes to unplug events like this.

Comment 3 commit-hook freebsd_committer

2016-04-19 20:20:17 UTC

A commit references this bug:

Author: avos
Date: Tue Apr 19 20:19:22 UTC 2016
New revision: 298293
URL: https://svnweb.freebsd.org/changeset/base/298293

Log:
  net80211: do not reschedule scan_curchan_task() if the scan was canceled.

  This should fix possible use-after-free in the scheduled task.

  PR:		208605

Changes:
  head/sys/net80211/ieee80211_scan_sw.c

Comment 4 Johannes Lundberg 2016-04-27 15:22:52 UTC

Seems to been fixed. No more crashes now. Thank you!