From owner-freebsd-current@FreeBSD.ORG Wed Jun 29 09:16:20 2011
Message-ID: <4E0AEA74.1050603@freebsd.org>
Date: Wed, 29 Jun 2011 11:03:48 +0200
From: Stefan Esser
To: bschmidt@freebsd.org
Cc: Adrian Chadd, freebsd-current@freebsd.org
Subject: Re: Panic in ieee80211 tx mgmt timeout
References: <4E099EB2.7050902@freebsd.org> <201106290803.36647.bschmidt@freebsd.org> <201106291027.56939.bschmidt@freebsd.org>
In-Reply-To: <201106291027.56939.bschmidt@freebsd.org>

On 29.06.2011 10:27, Bernhard Schmidt wrote:
> On Wednesday, June 29, 2011 10:03:02 Adrian Chadd wrote:
>> On 29 June 2011 14:03, Bernhard Schmidt wrote:
>>
>>> Its name is ieee80211_tx_mgt_timeout used to track AUTH/ASSOC
>>> requests. Afaik there is even a similar PR about that.
>>>
>>> Adrian, you've got an AP set up to drop either an AUTH or ASSOC
>>> response frame?
>>
>> Tell me how and I'll set it up.
>>
>> A panic at that point in the function indicates maybe ni is NULL?
>> or ni->vap is now NULL, maybe?
>
> vap should never be NULL, so, I'd guess it's ni.

No, neither vap nor vap->ni appear to cause NULL dereferences.

The panic message indicates a fault address of 0xffffff809c7a1000, which
is the value of arg passed to ieee80211_tx_mgt_timeout(). The fault
occurs on the first instruction within that function and I take this to
mean that it points outside kernel VM space. (I have got to admit that
I do not know the exact memory layout for amd64, though.)

> Hmm.. I'd guess there is some kind of racy behavior, if the driver is
> telling us that it was able to send the AUTH req frame, net80211 sets
> up the timeout callback. What happens if the AUTH resp as well as the
> callback hit at the same time?
> It should be locked appropriately, but
> is it?
>
> This will drop the AUTH response:

I have received a number of messages that might indicate a lost race:

ieee80211_new_state_locked: pending AUTH -> SCAN transition lost

repeats with between a few seconds and 20 minutes between messages.

> Index: sys/net80211/ieee80211_hostap.c > =================================================================== > --- sys/net80211/ieee80211_hostap.c (revision 223661) > +++ sys/net80211/ieee80211_hostap.c (working copy) > @@ -978,7 +978,7 @@ hostap_auth_open(struct ieee80211_node *ni, struct > "%s", "station authentication defered (radius acl)"); > ieee80211_notify_node_auth(ni); > } else { > - IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); > + //IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); > IEEE80211_NOTE_MAC(vap, > IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, ni->ni_macaddr, > "%s", "station authenticated (open)"); > @@ -1158,7 +1158,7 @@ hostap_auth_shared(struct ieee80211_node *ni, stru > estatus = IEEE80211_STATUS_SEQUENCE; > goto bad; > } > - IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); > + //IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); > return; > bad: > /* > >

I could try that patch for a few hours ...

Regards, STefan
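
Review bot: In the hostap_auth_open() hunk, the IEEE80211_NOTE_MAC call that follows the commented-out send still logs "station authenticated (open)" although no AUTH response leaves the AP, so the AP's debug output will contradict what the station observes during the test. For a test-only drop, guard the IEEE80211_SEND_MGMT call with a compile-time or run-time switch and log that the response was suppressed, rather than using a "//" comment that is easy to leave behind in a working copy.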
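
Review bot: In the hostap_auth_shared() hunk, commenting out IEEE80211_SEND_MGMT leaves the success path as a bare "return;" with no frame sent and no log line, so nothing on the AP records that the response with seq + 1 was dropped on purpose. Put the drop behind a test-only switch shared by both auth paths and emit a debug note before the return, so that a reproduced timeout on the station can be matched to a deliberately suppressed response.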