From owner-svn-src-all@FreeBSD.ORG  Tue Oct  6 16:05:07 2009
Return-Path: <owner-svn-src-all@FreeBSD.ORG>
Delivered-To: svn-src-all@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 35EA9106568F;
	Tue,  6 Oct 2009 16:05:07 +0000 (UTC)
	(envelope-from cokane@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c])
	by mx1.freebsd.org (Postfix) with ESMTP id 091518FC0C;
	Tue,  6 Oct 2009 16:05:07 +0000 (UTC)
Received: from svn.freebsd.org (localhost [127.0.0.1])
	by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id n96G56bT051646;
	Tue, 6 Oct 2009 16:05:06 GMT (envelope-from cokane@svn.freebsd.org)
Received: (from cokane@localhost)
	by svn.freebsd.org (8.14.3/8.14.3/Submit) id n96G56kA051644;
	Tue, 6 Oct 2009 16:05:06 GMT (envelope-from cokane@svn.freebsd.org)
Message-Id: <200910061605.n96G56kA051644@svn.freebsd.org>
From: Coleman Kane <cokane@FreeBSD.org>
Date: Tue, 6 Oct 2009 16:05:06 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
	svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org
X-SVN-Group: stable-8
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc: 
Subject: svn commit: r197806 - in stable/8/sys: . amd64/include/xen
	cddl/contrib/opensolaris contrib/dev/acpica contrib/pf
	dev/if_ndis dev/xen/xenpci
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for &quot;
	user&quot; and &quot; projects&quot; \)" <svn-src-all.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-all>,
	<mailto:svn-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-all>
List-Post: <mailto:svn-src-all@freebsd.org>
List-Help: <mailto:svn-src-all-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-all>,
	<mailto:svn-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Oct 2009 16:05:07 -0000

Author: cokane
Date: Tue Oct  6 16:05:06 2009
New Revision: 197806
URL: http://svn.freebsd.org/changeset/base/197806

Log:
  MFC: r197403, r197644, r197654, and r197659
  
  Fix some unexpected potential NULL de-references in kernel mode due to
  usage of pre-8.0 wifi operations with the ndis driver wrapping a Win32/64
  wifi driver.
  
  Submitted by:	Paul B Mahol <onemda@gmail.com>
  Approved by:	re

Modified:
  stable/8/sys/   (props changed)
  stable/8/sys/amd64/include/xen/   (props changed)
  stable/8/sys/cddl/contrib/opensolaris/   (props changed)
  stable/8/sys/contrib/dev/acpica/   (props changed)
  stable/8/sys/contrib/pf/   (props changed)
  stable/8/sys/dev/if_ndis/if_ndis.c
  stable/8/sys/dev/xen/xenpci/   (props changed)

Modified: stable/8/sys/dev/if_ndis/if_ndis.c
==============================================================================
--- stable/8/sys/dev/if_ndis/if_ndis.c	Tue Oct  6 15:44:08 2009	(r197805)
+++ stable/8/sys/dev/if_ndis/if_ndis.c	Tue Oct  6 16:05:06 2009	(r197806)
@@ -1012,7 +1012,12 @@ static void
 ndis_vap_delete(struct ieee80211vap *vap)
 {
 	struct ndis_vap *nvp = NDIS_VAP(vap);
+	struct ieee80211com *ic = vap->iv_ic;
+	struct ifnet *ifp = ic->ic_ifp;
+	struct ndis_softc *sc = ifp->if_softc;
 
+	ndis_stop(sc);
+	callout_drain(&sc->ndis_scan_callout);
 	ieee80211_vap_detach(vap);
 	free(nvp, M_80211_VAP);
 }
@@ -1529,7 +1534,7 @@ ndis_inputtask(dobj, arg)
 		if (m == NULL)
 			break;
 		KeReleaseSpinLock(&sc->ndis_rxlock, irql);
-		if (sc->ndis_80211)
+		if ((sc->ndis_80211 != 0) && (vap != NULL))
 			vap->iv_deliver_data(vap, vap->iv_bss, m);
 		else
 			(*ifp->if_input)(ifp, m);
@@ -1741,7 +1746,7 @@ ndis_ticktask(d, xsc)
 	    sc->ndis_sts == NDIS_STATUS_MEDIA_CONNECT) {
 		sc->ndis_link = 1;
 		NDIS_UNLOCK(sc);
-		if (sc->ndis_80211) {
+		if ((sc->ndis_80211 != 0) && (vap != NULL)) {
 			ndis_getstate_80211(sc);
 			ieee80211_new_state(vap, IEEE80211_S_RUN, -1);
 		}
@@ -1753,7 +1758,7 @@ ndis_ticktask(d, xsc)
 	    sc->ndis_sts == NDIS_STATUS_MEDIA_DISCONNECT) {
 		sc->ndis_link = 0;
 		NDIS_UNLOCK(sc);
-		if (sc->ndis_80211)
+		if ((sc->ndis_80211 != 0) && (vap != NULL))
 			ieee80211_new_state(vap, IEEE80211_S_SCAN, 0);
 		NDIS_LOCK(sc);
 		if_link_state_change(sc->ifp, LINK_STATE_DOWN);
@@ -2042,9 +2047,6 @@ ndis_init(xsc)
 	/* Setup task offload. */
 	ndis_set_offload(sc);
 
-	if (sc->ndis_80211)
-		ndis_setstate_80211(sc);
-
 	NDIS_LOCK(sc);
 
 	sc->ndis_txidx = 0;
@@ -2292,8 +2294,6 @@ ndis_setstate_80211(sc)
 	ifp = sc->ifp;
 	ic = ifp->if_l2com;
 	vap = TAILQ_FIRST(&ic->ic_vaps);
-	if (vap == NULL)
-		return;
 
 	if (!NDIS_INITIALIZED(sc)) {
 		DPRINTF(("%s: NDIS not initialized\n", __func__));
@@ -2725,8 +2725,6 @@ ndis_getstate_80211(sc)
 	ifp = sc->ifp;
 	ic = ifp->if_l2com;
 	vap = TAILQ_FIRST(&ic->ic_vaps);
-	if (vap == NULL)
-		return;
 	ni = vap->iv_bss;
 
 	if (!NDIS_INITIALIZED(sc))