[panic] Race in IEEE802.11 layer towards device drivers
moonlightakkiy at yahoo.ca
Tue Jul 13 01:54:10 UTC 2010
----- Original Message ----
> From: Hans Petter Selasky <hselasky at c2i.net>
> To: freebsd-current at freebsd.org
> Cc: Andrew Thompson <thompsa at freebsd.org>; Sam Leffler <sam at freebsd.org>;
>PseudoCylon <moonlightakkiy at yahoo.ca>; freebsd-usb at freebsd.org
> Sent: Mon, July 12, 2010 2:01:11 PM
> Subject: Re: [panic] Race in IEEE802.11 layer towards device drivers
> Hi Andrew,
> Your patch appears to be working. Can you fix this issue in the other WLAN
> drivers aswell? Then send an e-mail to request testing? I had a go at it
Since I wasn't able to reproduce the panic, I can only confirm the patched
run(4) driver runs OK.
I just want to patch hostap related fix before calling for this test. I'll ask
the user if it's fixed.
Should the debugging code, usb_pause_mtx(), be left in the code for testing? If
the drivers don't panic to begin with, we won't know the patch really fixed the
> I found another panic issue:
> ifconfig wlan0 delete
> ifconfig wlan0 destroy
> When not associate or associated.
> Backtrace (AMD64 - 9-current):
> node_free() + 0x2c
> rum_tx_free() + 0x3b
> which is called from the bulk tx callback
> Another thread is running an IOCTL -> rum_stop(), which causes the CANCELLED
> event to be passed to USB. Can't we free any nodes at this point?
> > This turned out to be refcounting of the ieee80211_node struct which
> > was causing this panic. vap->iv_bss can be freed at any time so all
> > users of it need to bump the refcount to use it safely.
> > This patch should fix the panic in the rum driver.
> > http://people.freebsd.org/~thompsa/rum_node_refcnt.diff
> > There are other places where it is still an issue such as the
> > ieee80211_tx_mgt_timeout callout which havnt been addressed yet, and
> > of course all other ieee80211 drivers.
More information about the freebsd-current