net80211 race conditions seen in -HEAD

Adrian Chadd adrian at
Thu Jan 26 18:56:12 UTC 2012

On 26 January 2012 08:35, Bernhard Schmidt <bschmidt at> wrote:

> On Wed, Jan 25, 2012 at 22:47, Adrian Chadd <adrian at> wrote:
> > .. whilst the refcount is 1, so ieee80211_ref_node() may not increment
> > the counter before it's freed by another thread.
> You know, that is an inline function, what "lifetime" are we talking about?
> Although the 4 byte pointer assignment _should_ be atomic on i386
> architectures, I haven't gone and verified that there are no places where
> inconsistencies can occur.

Except that they are occurring.

I wonder if it's the debugging..

> iv_bss has other issues, being overwritten while some task is using it
> no matter how high the refcount is is one of those.

Yeah. Ew.
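
The lost-reference window described in the quoted mail (a reader finds a node whose refcount is 1, the owner drops that last reference, and only then does the reader's increment land) is easiest to see in a toy. The following is an added example written for this page; it is not net80211 code and uses invented names (`struct node`, `node_try_ref`, a `freed` flag standing in for free() so the bad case stays observable instead of being undefined behaviour). The race is forced by ordering the two halves in one thread, which is the interleaving a scheduler can produce across two.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Toy refcounted node. The last release sets `freed` instead of calling
 * free() so that a take-after-free can be inspected rather than crashing. */
struct node {
    atomic_int refcnt;
    bool freed;
};

static void node_init(struct node *n, int refs)
{
    atomic_init(&n->refcnt, refs);
    n->freed = false;
}

/* Drop one reference; the thread that drops the last one owns the free. */
static void node_release(struct node *n)
{
    if (atomic_fetch_sub(&n->refcnt, 1) == 1)
        n->freed = true;                 /* real code: free(n) */
}

/* Unconditional increment, the pattern the quoted mail worries about: it
 * will happily "resurrect" a node whose count already reached zero. */
static void node_ref_blind(struct node *n)
{
    atomic_fetch_add(&n->refcnt, 1);
}

/* Increment only while the count is non-zero (CAS loop). Returns false when
 * the node is already dead; the caller must then not touch it at all. */
static bool node_try_ref(struct node *n)
{
    int old = atomic_load(&n->refcnt);
    while (old != 0) {
        if (atomic_compare_exchange_weak(&n->refcnt, &old, old + 1))
            return true;
        /* `old` was refreshed by the failed CAS; retry with the new value */
    }
    return false;
}

/* Interleaving: reader saw the pointer at refcnt == 1, owner released it,
 * then the reader's blind increment lands. Returns 1 if the reader now holds
 * a "reference" to a freed node. */
static int blind_ref_after_last_release(void)
{
    struct node n;
    node_init(&n, 1);
    node_release(&n);          /* owner: 1 -> 0, node freed */
    node_ref_blind(&n);        /* reader: 0 -> 1 on a dead object */
    return n.freed && atomic_load(&n.refcnt) == 1;
}

/* Same interleaving with the guarded increment: returns 1 if it refused. */
static int try_ref_after_last_release(void)
{
    struct node n;
    node_init(&n, 1);
    node_release(&n);
    return node_try_ref(&n) == false;
}

/* Sanity check: the guarded increment still works on a live node and leaves
 * the count at 2. */
static int try_ref_on_live_node(void)
{
    struct node n;
    node_init(&n, 1);
    return node_try_ref(&n) && atomic_load(&n.refcnt) == 2;
}

int main(void)
{
    printf("blind ref after last release took a dead node: %d\n",
           blind_ref_after_last_release());
    printf("try_ref after last release refused: %d\n",
           try_ref_after_last_release());
    printf("try_ref on live node ok: %d\n", try_ref_on_live_node());
    return 0;
}
```

The guarded increment only closes the window if every path that hands out the pointer (here, whatever publishes iv_bss) also keeps the node alive until the reader's try-ref has either succeeded or failed; a CAS on the count does nothing for a pointer that is swapped out from under the reader, which is the separate iv_bss problem raised above.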

