Date: Thu, 26 Jan 2012 00:08:26 -0700
From: PseudoCylon
To: Adrian Chadd
Cc: freebsd-wireless@freebsd.org
Subject: Re: net80211 race conditions seen in -HEAD
List-Id: "Discussions of 802.11 stack, tools device driver development."

On Wed, Jan 25, 2012 at 2:47 PM, Adrian Chadd wrote:
> .. whilst the refcount is 1, so ieee80211_ref_node() may not increment the
> counter before it's freed by another thread.
>

Further browsing the code, I'd say here is the point of no return:

http://fxr.watson.org/fxr/source/net80211/ieee80211_freebsd.c?im=bigexcerpts#L310

Once atomic_cmpset_int() has returned 1, incrementing the ref count won't stop the node from being freed, no matter how we handle the ref count. It will continue freeing the node anyway. If we cannot stop the node from being freed, we should stop the thread that is using the node once the freeing process has started. How about making ieee80211_ref_node() return NULL when ni_refcnt == 0 and having the caller of ieee80211_ref_node() exit?
#include <sys/param.h>
#include <machine/atomic.h>
#include <net80211/ieee80211_var.h>

/* LOCK()/UNLOCK() stand for whatever lock ends up guarding ni_refcnt. */

struct ieee80211_node *
ieee80211_ref_node(struct ieee80211_node *ni)
{
#ifdef NO_LOCK
	u_int cnt;

	/*
	 * This loop simulates atomic_cmp_and_add() as commented at
	 * http://fxr.watson.org/fxr/source/net80211/ieee80211_freebsd.c?im=bigexcerpts#L308
	 * The current code works most of the time, so this will loop very rarely.
	 */
	for (;;) {
		if ((cnt = atomic_load_int(&ni->ni_refcnt)) == 0)
			return (NULL);		/* caller should abort process */
		if (atomic_cmpset_int(&ni->ni_refcnt, cnt, cnt + 1))
			return (ni);
	}
#else
	/* you may receive complimentary barrage of LOR */
	LOCK();
	if (ni->ni_refcnt == 0)
		ni = NULL;
	else
		ni->ni_refcnt++;
	UNLOCK();
	return (ni);
#endif
}

int
ieee80211_node_dectestref(struct ieee80211_node *ni)
{
	u_int cnt;

#ifdef NO_LOCK
	for (;;) {
		if ((cnt = atomic_load_int(&ni->ni_refcnt)) == 0)
			return (1);		/* free node */
		if (atomic_cmpset_int(&ni->ni_refcnt, cnt, cnt - 1))
			return (cnt <= 1);	/* cnt - 1 == 0 free node */
	}
#else
	LOCK();
	cnt = ni->ni_refcnt > 0 ? --ni->ni_refcnt : 0;
	UNLOCK();
	return (cnt == 0);	/* free node once the count has reached 0 */
#endif
}

AK
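A userland model of the race and of the proposed fix, added here as an example; it is not code from the mail or from net80211. C11 atomics stand in for FreeBSD's atomic(9), `struct node` stands in for `struct ieee80211_node`, the function names (`ref_node_naive`, `ref_node_cas`, `node_dectestref`, `replay_race`) are hypothetical, and the thread interleaving is replayed deterministically instead of with real threads.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

/* Userland stand-in for struct ieee80211_node: refcount + "free has begun" flag. */
struct node { atomic_uint refcnt; bool freed; };

/* Current ieee80211_ref_node() as modelled: unconditional increment, which can take a dying node from 0 back to 1. */
static struct node *ref_node_naive(struct node *ni)
{
    atomic_fetch_add(&ni->refcnt, 1);
    return ni;
}

/* Proposed ieee80211_ref_node(): CAS loop that refuses to go 0 -> 1. */
static struct node *ref_node_cas(struct node *ni)
{
    unsigned cnt = atomic_load(&ni->refcnt);
    for (;;) {
        if (cnt == 0)
            return NULL;            /* node is dying; caller must abort */
        if (atomic_compare_exchange_weak(&ni->refcnt, &cnt, cnt + 1))
            return ni;              /* on failure cnt holds the observed value */
    }
}

/* Proposed ieee80211_node_dectestref(): 1 means the last reference was
 * dropped and the caller must free the node. */
static int node_dectestref(struct node *ni)
{
    unsigned cnt = atomic_load(&ni->refcnt);
    for (;;) {
        if (cnt == 0)
            return 1;
        if (atomic_compare_exchange_weak(&ni->refcnt, &cnt, cnt - 1))
            return cnt == 1;
    }
}

/* Deterministic replay of the reported interleaving: thread A drops the last
 * reference and enters the free path, then thread B calls ref(). Returns
 * true when B was handed a node whose free had already begun. */
static bool replay_race(struct node *(*ref)(struct node *))
{
    struct node ni = { .freed = false };
    atomic_init(&ni.refcnt, 1);
    if (node_dectestref(&ni))          /* A: 1 -> 0, free path begins */
        ni.freed = true;
    struct node *got = ref(&ni);       /* B: late ieee80211_ref_node() */
    return got != NULL && got->freed;
}
```

With the unconditional increment, `replay_race` reports that B received a node already on its way to being freed; with the CAS version B gets NULL and must bail out, which is the behaviour the mail proposes.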