[panic] Race in IEEE802.11 layer towards device drivers

Hans Petter Selasky hselasky at c2i.net
Mon Jul 12 20:04:09 UTC 2010

Hi Andrew,

Your patch appears to be working. Can you fix this issue in the other WLAN 
drivers as well? Then send an e-mail to request testing? I had a go at it here:


I found another panic issue:

ifconfig wlan0 delete
ifconfig wlan0 destroy

When not associated or associated.

Backtrace (AMD64 - 9-current):

node_free() + 0x2c
rum_tx_free() + 0x3b
which is called from the bulk tx callback

Another thread is running an IOCTL -> rum_stop(), which causes the CANCELLED 
event to be passed to USB. Can't we free any nodes at this point?

> This turned out to be refcounting of the ieee80211_node struct which
> was causing this panic. vap->iv_bss can be freed at any time so all
> users of it need to bump the refcount to use it safely.
> This patch should fix the panic in the rum driver.
> http://people.freebsd.org/~thompsa/rum_node_refcnt.diff
> There are other places where it is still an issue such as the
> ieee80211_tx_mgt_timeout callout which haven't been addressed yet, and
> of course all other ieee80211 drivers.
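
The refcount rule from the quoted reply, as an added example that is not part of the original message or the linked patch: a simplified userland C model in which teardown runs while a TX frame still holds the bss node. All struct and function names are hypothetical stand-ins, and the interleaving is replayed on a single thread.

```c
#include <stdatomic.h>
#include <stdlib.h>

/* Userland model; every name is a hypothetical stand-in, not net80211 code. */
struct node  { atomic_int refcnt; };
struct vap   { struct node *bss; };   /* models vap->iv_bss */
struct txbuf { struct node *ni; };    /* models a queued TX frame */
static int nodes_freed;               /* demo counter of real releases */

static struct node *node_ref(struct node *ni) {
    atomic_fetch_add(&ni->refcnt, 1);
    return ni;
}
/* Drop one reference; only the last holder releases the memory. */
static void node_unref(struct node *ni) {
    if (atomic_fetch_sub(&ni->refcnt, 1) == 1) {
        free(ni);
        nodes_freed++;
    }
}
static void vap_create(struct vap *v) {
    struct node *ni = malloc(sizeof(*ni));
    if (ni == NULL) abort();
    atomic_init(&ni->refcnt, 1);      /* the vap's own reference */
    v->bss = ni;
}
/* TX path: take a reference before the frame is queued. Assumption: one
 * thread; a concurrent version must serialize load+bump against teardown. */
static void tx_start(struct vap *v, struct txbuf *b) { b->ni = node_ref(v->bss); }
/* TX completion, cancelled transfers included: give the reference back. */
static void tx_free(struct txbuf *b) { node_unref(b->ni); b->ni = NULL; }
/* Teardown side: drop the vap's reference to its bss node. */
static void vap_destroy(struct vap *v) { node_unref(v->bss); v->bss = NULL; }

/* Replay: teardown runs while a frame is still queued. Returns the number
 * of nodes released right after teardown (0 means the node survived). */
static int replay_destroy_during_tx(void) {
    struct vap v;
    struct txbuf b;
    nodes_freed = 0;
    vap_create(&v);
    tx_start(&v, &b);
    vap_destroy(&v);
    int freed_after_destroy = nodes_freed;
    tx_free(&b);                      /* last reference: released here */
    return freed_after_destroy;
}

int main(void) { return (replay_destroy_during_tx() == 0 && nodes_freed == 1) ? 0 : 1; }
```

If `tx_start` stored the bare pointer without `node_ref`, the node would be released inside `vap_destroy` and the later `tx_free` would touch freed memory.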
