Date: Wed, 29 Jun 2011 17:21:55 +0800
From: Adrian Chadd
To: bschmidt@freebsd.org
Cc: Stefan Esser, freebsd-current@freebsd.org
Subject: Re: Panic in ieee80211 tx mgmt timeout

The question here is - what context is the callback being called in?
The lack of net80211 locking has me confused and sad. :/

Adrian

On 29 June 2011 16:27, Bernhard Schmidt wrote:
> On Wednesday, June 29, 2011 10:03:02 Adrian Chadd wrote:
>> On 29 June 2011 14:03, Bernhard Schmidt wrote:
>>
>> > Its name is ieee80211_tx_mgt_timeout used to track AUTH/ASSOC
>> > requests. Afaik there is even a similar PR about that.
>> >
>> > Adrian, you've got an AP set up to drop either an AUTH or ASSOC
>> > response frame?
>>
>> Tell me how and I'll set it up.
>>
>> A panic at that point in the function indicates maybe ni is NULL?
>> or ni->vap is now NULL, maybe?
>
> vap should never be NULL, so, I'd guess it's ni.
>
> Hmm.. I'd guess there is some kind of racy behavior, if the driver is
> telling us that it was able to send the AUTH req frame, net80211 sets
> up the timeout callback. What happens if the AUTH resp as well as the
> callback hit at the same time? It should be locked appropriately, but
> is it?
>
> This will drop the AUTH response:
>
> Index: sys/net80211/ieee80211_hostap.c > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > --- sys/net80211/ieee80211_hostap.c =A0 =A0 (revision 223661) > +++ sys/net80211/ieee80211_hostap.c =A0 =A0 (working copy) 
> @@ -978,7 +978,7 @@ hostap_auth_open(struct ieee80211_node *ni, struct > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0"%s", "station authentication defe= red (radius acl)"); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0ieee80211_notify_node_auth(ni); > =A0 =A0 =A0 =A0} else { > - =A0 =A0 =A0 =A0 =A0 =A0 =A0 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTY= PE_AUTH, seq + 1); > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 //IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUB= TYPE_AUTH, seq + 1); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0IEEE80211_NOTE_MAC(vap, > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0IEEE80211_MSG_DEBUG | IEEE80211_MS= G_AUTH, ni->ni_macaddr, > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0"%s", "station authenticated (open= )"); > @@ -1158,7 +1158,7 @@ hostap_auth_shared(struct ieee80211_node *ni, stru > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0estatus =3D IEEE80211_STATUS_SEQUENCE; > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0goto bad; > =A0 =A0 =A0 =A0} > - =A0 =A0 =A0 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1= ); > + =A0 =A0 =A0 //IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq += 1); > =A0 =A0 =A0 =A0return; > =A0bad: > =A0 =A0 =A0 =A0/* > > > -- > Bernhard >
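Review bot: In the hostap_auth_open hunk, the IEEE80211_NOTE_MAC call that follows the disabled IEEE80211_SEND_MGMT still logs "station authenticated (open)", so with IEEE80211_MSG_AUTH debugging enabled the AP will report a successful authentication for a station that never received the AUTH response. While reproducing the timeout panic that makes the AP-side debug output misleading. Consider changing the message (or adding a second note such as "AUTH response suppressed for testing") inside the same else branch, and guard the suppression with a named compile-time or runtime test knob rather than a bare `//` comment so the change cannot be carried into a commit unnoticed.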
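Review bot: In the hostap_auth_shared hunk, the disabled IEEE80211_SEND_MGMT sits on the path directly before `return;`, so as far as the visible context shows, every shared-key AUTH frame that gets past the IEEE80211_STATUS_SEQUENCE check goes unanswered, for every station, with no log line recording that the frame was dropped on purpose. For a reproduction aid that is fine, but the hunk should say so: add a comment next to the disabled call stating that it is test-only and which frame is being withheld, and prefer an `#ifdef`-style guard over `//` so both suppression sites in this file can be found and toggled together.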