net80211 race conditions seen in -HEAD

Adrian Chadd adrian at
Wed Jan 25 21:47:09 UTC 2012

On 25 January 2012 06:43, PseudoCylon <moonlightakkiy at> wrote:

> Here is my brain dump.
> A while ago usb wifi drivers had a similar issue (race in 80211
> stack). It's worth checking this rev.
> AK


Right, but that isn't at all completely _atomic_. It's quite possible that
the underlying node gets ripped out by thread B whilst the assignment is
happening in thread A.

Once you have that reference you're fine, but I can't see where the
guarantee is that vap->iv_bss is actually going to stay referenced for the
lifecycle of the call _to_ ieee80211_ref_node() (rather than the atomic
increment itself.)

The fundamental trouble there is that the assignment can and does occur
whilst the refcount i
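
Added example, not part of the original message and not net80211 code: a deterministic, single-threaded C model of the interleaving described above, where thread A loads vap->iv_bss and thread B replaces the node before A's ieee80211_ref_node() call runs. The struct layouts, swap_bss(), the `locked` flag standing in for a mutex, and the lock-based variant are assumptions made for illustration, not the fix adopted in the tree.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-ins for ieee80211_node / ieee80211vap. */
struct node { int refcnt; bool freed; };
struct vap  { struct node *bss; bool locked; /* models a mutex */ };

static void node_unref(struct node *n) {
    if (--n->refcnt == 0)
        n->freed = true;            /* real code would free the node here */
}

/* Thread B: install a new bss node, drop the vap's reference on the old one.
 * Returns false when it would have blocked on the lock. */
static bool swap_bss(struct vap *v, struct node *nn) {
    if (v->locked)
        return false;
    struct node *old = v->bss;
    nn->refcnt++;
    v->bss = nn;
    node_unref(old);
    return true;
}

/* Unprotected: B runs between A's pointer load and A's refcount increment.
 * Returns true when A ends up "referencing" an already released node. */
bool race_unlocked(void) {
    struct node a = {1, false}, b = {0, false};
    struct vap v = {&a, false};
    struct node *ni = v.bss;        /* A: load vap->iv_bss */
    swap_bss(&v, &b);               /* B: swap lands inside the window */
    bool stale = ni->freed;         /* node was released before A's ref */
    ni->refcnt++;                   /* A: atomic, but on a dead object */
    return stale;
}

/* Protected: load and increment sit under the lock that the swap also takes. */
bool race_locked(void) {
    struct node a = {1, false}, b = {0, false};
    struct vap v = {&a, false};
    v.locked = true;                /* A: lock */
    struct node *ni = v.bss;
    bool b_ran = swap_bss(&v, &b);  /* B: blocked, returns false */
    ni->refcnt++;                   /* A: reference taken while node is live */
    v.locked = false;               /* A: unlock */
    swap_bss(&v, &b);               /* B: proceeds; A's ref keeps old node */
    return b_ran || ni->freed;
}

int main(void) {
    printf("unlocked stale=%d locked stale=%d\n", race_unlocked(), race_locked());
    return 0;
}
```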

