Date: Thu, 8 Sep 2011 12:35:46 +0800
From: Adrian Chadd
To: Joel Dahl
Cc: freebsd-wireless@freebsd.org, weongyo@freebsd.org, Bernhard Schmidt
Subject: Re: BETA2 panic

Hi,

Please try this patch. I bet what's happening is:

* transition is going from RUN -> ! RUN;
* the state is changed before the swbmiss timer is cancelled;
* the callout gets called in another process context;
* bang!

This patch:

* changes the order of things so the callout is cancelled -before- the state is changed;
* grabs the ic lock in the swbmiss task just to make sure nothing else is fiddling with it.

Thanks,

cynthia:head adrian$ svn diff sys/net80211/
Index: sys/net80211/ieee80211_sta.c =================================================================== --- sys/net80211/ieee80211_sta.c (revision 225421) +++ sys/net80211/ieee80211_sta.c (working copy)
@@ -217,13 +217,14 @@ IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n", __func__, ieee80211_state_name[ostate], ieee80211_state_name[nstate], arg); + /* Disable callout before changing state */ + if (vap->iv_flags_ext & IEEE80211_FEXT_SWBMISS) + callout_stop(&vap->iv_swbmiss); vap->iv_state = nstate; /* state transition */ callout_stop(&vap->iv_mgtsend); /* XXX callout_drain */ if (ostate != IEEE80211_S_SCAN) ieee80211_cancel_scan(vap); /* background scan */ ni = vap->iv_bss; /* NB: no reference held */ - if (vap->iv_flags_ext & IEEE80211_FEXT_SWBMISS) - callout_stop(&vap->iv_swbmiss); switch (nstate) { case IEEE80211_S_INIT: switch (ostate) { Index: sys/net80211/ieee80211_proto.c =================================================================== --- sys/net80211/ieee80211_proto.c (revision 225421) +++ sys/net80211/ieee80211_proto.c (working copy) @@ -1440,6 +1440,12 @@ struct ieee80211vap *vap = arg; struct ieee80211com *ic = vap->iv_ic; + /* + * Grab comlock; a state transition may be occuring + * in another context. + */ + IEEE80211_LOCK(ic); + /* XXX sleep state? */ KASSERT(vap->iv_state == IEEE80211_S_RUN, ("wrong state %d", vap->iv_state)); @@ -1463,6 +1469,8 @@ vap->iv_swbmiss_count = 0; callout_reset(&vap->iv_swbmiss, vap->iv_swbmiss_period, ieee80211_swbmiss, vap); + + IEEE80211_UNLOCK(ic); }
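Review bot: In the ieee80211_sta.c hunk, the moved callout_stop(&vap->iv_swbmiss) still does not wait for a handler that has already started. callout_stop() only cancels a pending callout, so an ieee80211_swbmiss() invocation already executing in another context goes on to see the new iv_state on the very next line. The adjacent iv_mgtsend line already carries an "XXX callout_drain" remark and the same concern applies here: either the handler has to tolerate a non-RUN state, or the stop has to be synchronized with the handler, keeping in mind that callout_drain() must not be called while holding a lock the handler takes.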
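Review bot: In the first ieee80211_proto.c hunk, taking IEEE80211_LOCK(ic) ahead of the KASSERT does not stop the assertion from tripping. A handler that fired just before the transition blocks on the lock, resumes once the transition has finished, and then fails KASSERT(vap->iv_state == IEEE80211_S_RUN, ...). Suggest replacing the assertion with a state check under the lock that unlocks and returns without re-arming the callout. The sta.c hunk does not show whether vap->iv_state is written with this same lock held, and the lock only helps if it is, so the new comment should say so. The comment also has a typo ("occuring").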
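Review bot: In the second ieee80211_proto.c hunk, the single IEEE80211_UNLOCK(ic) at the end of the function covers only the fall-through path. The lines between the two proto.c hunks (new lines 1452 to 1468) are not part of the diff; any return in that range would now exit with the com lock held, so each such path needs its own unlock or a jump to a common exit that unlocks.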