Restarting rtwn(0)-based interface causes reproducible kernel panics

From: Marcus von Appen <mva_at_FreeBSD.org> Date: Mon, 27 Jun 2016 19:14:03 +0200 · This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:06 UTC

Hi,

restarting the network interface for my rtwn(0)-based RTL8188CE card
causes a reproducible kernel panic:

# service netif restart
[...]
panic: Memory modified after free 0xfffff80005c22800(2048) val=8018 _at_ 0xfffff80005c22800
[...]

Unread portion of the kernel message buffer:
panic: Memory modified after free 0xfffff80005c22800(2048) val=8018 _at_ 0xfffff80005c22800

cpuid = 0
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe045362b670
vpanic() at vpanic+0x186/frame 0xfffffe045362b6f0
panic() at panic+0x43/frame 0xfffffe045362b750
trash_ctor() at trash_ctor+0x4b/frame 0xfffffe045362b760
mb_ctor_pack() at mb_ctor_pack+0x3c/frame 0xfffffe045362b7a0
uma_zalloc_arg() at uma_zalloc_arg+0x504/frame 0xfffffe045362b800
ieee80211_getmgtframe() at ieee80211_getmgtframe+0x120/frame 0xfffffe045362b840
ieee80211_send_probereq() at ieee80211_send_probereq+0x104/frame 0xfffffe045362b8e0
ieee80211_swscan_probe_curchan() at ieee80211_swscan_probe_curchan+0x5a/frame 0xfffffe045362b920
scan_curchan() at scan_curchan+0x68/frame 0xfffffe045362b960
scan_curchan_task() at scan_curchan_task+0x247/frame 0xfffffe045362b9e0
taskqueue_run_locked() at taskqueue_run_locked+0x13c/frame 0xfffffe045362ba40
taskqueue_thread_loop() at taskqueue_thread_loop+0x88/frame 0xfffffe045362ba70
fork_exit() at fork_exit+0x84/frame 0xfffffe045362bab0
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe045362bab0
[...]

and (probably) a variant:

# service netif restart
[...]
panic: Memory modified after free 0xfffff80005c07800(2048) val=19 _at_ 0xfffff80005c07800
[...]
Unread portion of the kernel message buffer:
panic: Memory modified after free 0xfffff80005c07800(2048) val=19 _at_ 0xfffff80005c07800

cpuid = 3
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe0455213540
vpanic() at vpanic+0x186/frame 0xfffffe04552135c0
panic() at panic+0x43/frame 0xfffffe0455213620
trash_ctor() at trash_ctor+0x4b/frame 0xfffffe0455213630
mb_ctor_pack() at mb_ctor_pack+0x3c/frame 0xfffffe0455213670
uma_zalloc_arg() at uma_zalloc_arg+0x504/frame 0xfffffe04552136d0
m_getm2() at m_getm2+0x12d/frame 0xfffffe0455213740
m_uiotombuf() at m_uiotombuf+0x62/frame 0xfffffe0455213790
sosend_generic() at sosend_generic+0x356/frame 0xfffffe0455213850
kern_sendit() at kern_sendit+0x244/frame 0xfffffe0455213900
sendit() at sendit+0x1af/frame 0xfffffe0455213950
sys_sendto() at sys_sendto+0x4d/frame 0xfffffe04552139a0
amd64_syscall() at amd64_syscall+0x2db/frame 0xfffffe0455213ab0
Xfast_syscall() at Xfast_syscall+0xfb/frame 0xfffffe0455213ab0
[...]

Let me know how to help on getting this fixed.

Cheers
Marcus