On Fri, Jul 20, 2018 at 05:38:56PM -0300, Martin Pieuchot wrote:
> On 20/07/18(Fri) 14:32, Theo de Raadt wrote:
> > Martin Pieuchot <m...@openbsd.org> wrote:
> >
> > > On 20/07/18(Fri) 03:12, Mike Larkin wrote:
> > > > On Wed, Jul 18, 2018 at 11:34:41PM +0000, Romain wrote:
> > > > > > I'm wondering if this is due to the fact that we detach usb(4) devices on
> > > > > > suspend. Looks like this may be trying to process a timeout that corresponds
> > > > > > to a device that is no longer attached. Maybe the urtwn(4)?
> > >
> > > Well the device is detaching just after re-attaching. So it must be
> > > something different. But I agree with your assumption that it is
> > > related to urtwn(4).
> > >
> > > The problem seems to be a use-after-free of a timeout. The question is
> > > which timeout? Is it in urtwn(4)? In ic/rtwn.c? In the wireless stack?
> > > In the network stack?
> > >
> > > Our timeout_add(9) interface is simple but doesn't help to debug such
> > > issue.
> >
> > Is it a timeout not removed during detach?
>
> That might be that or a timeout re-attached after being removed
> because there's a race somewhere...
>
> That's not the only place where we have such problem. If somebody has
> an idea or a floating diff to ease timeout debugging, that's the moment
> to speak (:
It's likely this bug which was fixed in -current back in April:

----- Forwarded message from Piotr Isajew <p...@ex.com.pl> -----

Date: Thu, 19 Apr 2018 20:46:35 +0200
From: Piotr Isajew <p...@ex.com.pl>
To: Jonathan Matthew <jonat...@d14n.org>
Cc: bugs@openbsd.org
Subject: Re: crash when unplugging urtwn usb wifi adapter
Message-ID: <20180419184635.GA31492@undefined.localnet>
Content-Type: text/plain; charset="utf-8"
User-Agent: Mutt/1.9.4 (2018-02-28)
X-Spam-Score: (-2.601) BAYES_00,SPF_HELO_PASS,SPF_PASS

On Wed, Apr 18, 2018 at 10:27:44PM +1000, Jonathan Matthew wrote:
> On Sat, Apr 14, 2018 at 06:54:35AM +0200, p...@ex.com.pl wrote:
> > >Synopsis: page fault trap when removing urtwn Wifi adapter from the port
> > >Category: kernel
> > >Environment:
> > System : OpenBSD 6.3
> > Details : OpenBSD 6.3 (GENERIC.MP) #107: Sat Mar 24 14:21:59 MDT
> > 2018
> >
> > dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> >
> > Architecture: OpenBSD.amd64
> > Machine : amd64
> > >Description:
> > I'm observing system crash if I remove the TP-Link TL-WN725N
> > WiFi adapter from the port. The system reports kernel panic:
> >
> > kernel: page fault trap, code=0
> > Stopped at softclock+0x16b: movq %rax,0(%rdx)
>
> Does this fix it?
>
> Index: ieee80211.c > =================================================================== > RCS file: /cvs/src/sys/net80211/ieee80211.c,v > retrieving revision 1.65 > diff -u -p -u -p -r1.65 ieee80211.c > --- ieee80211.c 12 Dec 2017 15:52:49 -0000 1.65 > +++ ieee80211.c 18 Apr 2018 12:25:34 -0000 > @@ -193,6 +193,7 @@ ieee80211_ifdetach(struct ifnet *ifp) > { > struct ieee80211com *ic = (void *)ifp; > > + timeout_del(&ic->ic_bgscan_timeout); > ieee80211_proto_detach(ifp); > ieee80211_crypto_detach(ifp); > ieee80211_node_detach(ifp);

Yes, it does.

----- End forwarded message -----
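
Review bot: timeout_del(&ic->ic_bgscan_timeout) at the top of ieee80211_ifdetach() only cancels a timeout that is pending at that moment; nothing in the visible lines stops ic_bgscan_timeout from being armed again while ieee80211_proto_detach(), ieee80211_crypto_detach() and ieee80211_node_detach() run, which is the "re-attached after being removed" race raised earlier in this thread. Please confirm that none of those detach paths can schedule it again, and add a short comment above the call saying why cancelling at this point is sufficient. The commit message should also name the symptom it fixes (the page fault in softclock when the urtwn adapter is removed).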
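
The failure discussed in this thread, a timeout left armed while the structure that embeds it is freed, as an added userspace model in C (not OpenBSD kernel code and not written by any poster here). The function names mirror timeout(9), but `timeouts_inside()`, `struct softc`, `detach()` and `run()` are hypothetical; the model shows a free-time check that reports a still-armed timeout, and that calling `timeout_del()` first, as the forwarded diff does, clears it.

```c
#include <stdint.h>
#include <stdlib.h>

/* Userspace model: names mirror timeout(9), but this is not kernel code. */
struct timeout { struct timeout *to_next; int to_pending; };
static struct timeout *pending_head;	/* queue of armed timeouts */

static void timeout_add(struct timeout *to) {
	if (to->to_pending) return;
	to->to_pending = 1;
	to->to_next = pending_head;
	pending_head = to;
}

static void timeout_del(struct timeout *to) {
	for (struct timeout **pp = &pending_head; *pp; pp = &(*pp)->to_next)
		if (*pp == to) { *pp = to->to_next; to->to_pending = 0; return; }
}

/* Hypothetical debug check: count armed timeouts that live inside
 * [base, base + len), i.e. inside memory that is about to be freed. */
static int timeouts_inside(const void *base, size_t len) {
	uintptr_t lo = (uintptr_t)base, hi = lo + len;
	int n = 0;
	for (struct timeout *to = pending_head; to; to = to->to_next)
		if ((uintptr_t)to >= lo && (uintptr_t)to < hi) n++;
	return n;
}

/* Constructed stand-in for a driver or 802.11 state structure. */
struct softc { int unit; struct timeout bgscan_to; };

/* Frees sc only if no armed timeout points into it; returns the dangling count. */
static int detach(struct softc *sc, int del_first) {
	if (del_first) timeout_del(&sc->bgscan_to);	/* order used by the diff */
	int n = timeouts_inside(sc, sizeof(*sc));
	if (n == 0) free(sc);
	return n;
}

/* Arm the timeout, detach, and report what the check saw. */
static int run(int del_first) {
	struct softc *sc = calloc(1, sizeof(*sc));
	if (sc == NULL) return -1;
	timeout_add(&sc->bgscan_to);
	int n = detach(sc, del_first);
	if (n) { timeout_del(&sc->bgscan_to); free(sc); }	/* clean up the model */
	return n;
}
```

`run(0)` models detach without the cancel and reports one timeout that would dangle; `run(1)` models the patched order and reports none.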