net80211 race conditions seen in -HEAD
adrian at freebsd.org
Thu Jan 26 18:56:12 UTC 2012
On 26 January 2012 08:35, Bernhard Schmidt <bschmidt at techwires.net> wrote:
> On Wed, Jan 25, 2012 at 22:47, Adrian Chadd <adrian at freebsd.org> wrote:
> > .. whilst the refcount is 1, so ieee80211_ref_node() may not increment
> > counter before it's freed by another thread.
> You know, that is an inline function, what "lifetime" are we talking about?
Although the 4 byte pointer assignment _should_ be atomic on i386
architectures, I haven't gone and verified that there are no places where
inconsistencies can occur.
Except that they are occurring.
I wonder if it's the debugging..
> iv_bss has other issues, being overwritten while some task is using it
> no matter how high the refcount is, is one of those.