From: Bernhard Schmidt
To: Adrian Chadd
Cc: Stefan Esser, freebsd-current@freebsd.org
Date: Wed, 29 Jun 2011 10:27:56 +0200
Subject: Re: Panic in ieee80211 tx mgmt timeout

On Wednesday, June 29, 2011 10:03:02 Adrian Chadd wrote:
> On 29 June 2011 14:03, Bernhard Schmidt wrote:
>
> > Its name is ieee80211_tx_mgt_timeout used to track AUTH/ASSOC
> > requests. Afaik there is even a similar PR about that.
> >
> > Adrian, you've got an AP set up to drop either an AUTH or ASSOC
> > response frame?
>
> Tell me how and I'll set it up.
>
> A panic at that point in the function indicates maybe ni is NULL?
> or ni->vap is now NULL, maybe?

vap should never be NULL, so, I'd guess it's ni.

Hmm.. I'd guess there is some kind of racy behavior, if the driver is
telling us that it was able to send the AUTH req frame, net80211 sets
up the timeout callback. What happens if the AUTH resp as well as the
callback hit at the same time? It should be locked appropriately, but
is it?

This will drop the AUTH response:

Index: sys/net80211/ieee80211_hostap.c =================================================================== --- sys/net80211/ieee80211_hostap.c (revision 223661) +++ sys/net80211/ieee80211_hostap.c (working copy) 
@@ -978,7 +978,7 @@ hostap_auth_open(struct ieee80211_node *ni, struct "%s", "station authentication defered (radius acl)"); ieee80211_notify_node_auth(ni); } else { - IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); + //IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, ni->ni_macaddr, "%s", "station authenticated (open)"); @@ -1158,7 +1158,7 @@ hostap_auth_shared(struct ieee80211_node *ni, stru estatus = IEEE80211_STATUS_SEQUENCE; goto bad; } - IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); + //IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); return; bad: /* -- Bernhard
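Review bot: in the hostap_auth_open hunk (@@ -978), the IEEE80211_NOTE_MAC call right after the commented-out IEEE80211_SEND_MGMT still logs "station authenticated (open)", so the AP's debug output will report a successful authentication for a station that was never sent the AUTH response. When this patch is used to reproduce the client-side timeout panic, that message will mislead anyone correlating AP logs with the client trace. Suggest changing the note text to say the response was deliberately dropped, or skipping the note while the send is disabled.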
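Review bot: in the hostap_auth_shared hunk (@@ -1158), the IEEE80211_SEND_MGMT call is disabled unconditionally with a `//` comment, which leaves nothing in the code to say this is a test-only change and makes the AP unusable for normal authentication until the tree is rebuilt. The surrounding code uses `/* */` comments (the context after `bad:` opens one), so a `#if 0` / `#endif` pair or a debug-only condition with a short comment explaining that the AUTH response is dropped on purpose would fit the file better and be harder to commit by accident. The same applies to the identical change in hostap_auth_open.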