Date: Wed, 29 Jun 2011 17:21:55 +0800 From: Adrian Chadd <adrian@freebsd.org> To: bschmidt@freebsd.org Cc: Stefan Esser <st_esser@t-online.de>, freebsd-current@freebsd.org Subject: Re: Panic in ieee80211 tx mgmt timeout Message-ID: <BANLkTi=QNwtifaq0svdexVjBvSViVjVgWA@mail.gmail.com> In-Reply-To: <201106291027.56939.bschmidt@freebsd.org> References: <4E099EB2.7050902@freebsd.org> <201106290803.36647.bschmidt@freebsd.org> <BANLkTim601dRADEPz4sbETwMiEBt0YqyHg@mail.gmail.com> <201106291027.56939.bschmidt@freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
The question here is - what context is the callback being called in?
The lack of net80211 locking has me confused and sad. :/
Adrian
On 29 June 2011 16:27, Bernhard Schmidt <bschmidt@freebsd.org> wrote:
> On Wednesday, June 29, 2011 10:03:02 Adrian Chadd wrote:
>> On 29 June 2011 14:03, Bernhard Schmidt <bschmidt@freebsd.org> wrote:
>>
>> > It's name is ieee80211_tx_mgt_timeout used to track AUTH/ASSOC
>> > requests. Afaik there is even a similar PR about that.
>> >
>> > Adrian, you've got a AP set up to drop either a AUTH or ASSOC
>> > response frame?
>>
>> Tell me how and I'll set it up.
>>
>> A panic at that point in the function indicates maybe ni is NULL?
>> or ni->vap is now NULL, maybe?
>
> vap should never be NULL, so, I'd guess it's ni.
>
> Hmm.. I'd guess there is some kind of racy behavior, if the driver is
> telling us that it was able to send the AUTH req frame, net80211 sets
> up the timeout callback. What happens if the AUTH resp as well as the
> callback hit at the same time? It should be locked appropriately, but
> is it?
>
> This will drop the AUTH response:
>
> Index: sys/net80211/ieee80211_hostap.c
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
> --- sys/net80211/ieee80211_hostap.c =A0 =A0 (revision 223661)
> +++ sys/net80211/ieee80211_hostap.c =A0 =A0 (working copy)
> @@ -978,7 +978,7 @@ hostap_auth_open(struct ieee80211_node *ni, struct
> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0"%s", "station authentication defe=
red (radius acl)");
> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0ieee80211_notify_node_auth(ni);
> =A0 =A0 =A0 =A0} else {
> - =A0 =A0 =A0 =A0 =A0 =A0 =A0 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTY=
PE_AUTH, seq + 1);
> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 //IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUB=
TYPE_AUTH, seq + 1);
> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0IEEE80211_NOTE_MAC(vap,
> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0IEEE80211_MSG_DEBUG | IEEE80211_MS=
G_AUTH, ni->ni_macaddr,
> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0"%s", "station authenticated (open=
)");
> @@ -1158,7 +1158,7 @@ hostap_auth_shared(struct ieee80211_node *ni, stru
> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0estatus =3D IEEE80211_STATUS_SEQUENCE;
> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0goto bad;
> =A0 =A0 =A0 =A0}
> - =A0 =A0 =A0 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1=
);
> + =A0 =A0 =A0 //IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq +=
1);
> =A0 =A0 =A0 =A0return;
> =A0bad:
> =A0 =A0 =A0 =A0/*
>
>
> --
> Bernhard
>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?BANLkTi=QNwtifaq0svdexVjBvSViVjVgWA>