From: Andrew Thompson
To: Hans Petter Selasky
Cc: Sam Leffler, PseudoCylon, freebsd-usb@freebsd.org, freebsd-current@freebsd.org
Date: Mon, 12 Jul 2010 12:07:55 +1200
Subject: Re: [panic] Race in IEEE802.11 layer towards device drivers
List-Id: Discussions about the use of FreeBSD-current

On 8 July 2010 07:13, Hans Petter Selasky wrote:
> Hi,
>
> When supplying wpa_supplicant.conf with incorrect passwords, but a valid SSID,
> I have seen kernel panics several times when using USB based WLAN dongles.
> When only supplying a valid password, no panic has been seen.
>
> How to reproduce:
>
> 1) configure invalid password
> 2) wpa_cli: reconfigure
> 3) configure valid password
> 4) wpa_cli: reconfigure
> 5) goto 1
>
> The USB commands which are executed inside the newstate callback usually take
> very little time, but still not as little time as PCI read/writes. I've forced
> slower operation in the newstate callback, and can reproduce warning printouts
> from the IEEE802.11 layer in FreeBSD. Try to apply the following patch to your
> USB code:
>
> http://p4web.freebsd.org/@@180604?ac=10
>
> In my opinion the deferring of all states to a single task is wrong. There
> should be at least one task per possible state, and the queuing mechanism
> should follow the last-queued is last executed rule. This is not the case with
> the task-queue mechanism in the kernel.

This turned out to be refcounting of the ieee80211_node struct which
was causing this panic. vap->iv_bss can be freed at any time so all
users of it need to bump the refcount to use it safely.

This patch should fix the panic in the rum driver.
http://people.freebsd.org/~thompsa/rum_node_refcnt.diff

There are other places where it is still an issue such as the
ieee80211_tx_mgt_timeout callout which haven't been addressed yet, and
of course all other ieee80211 drivers.

Andrew
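
The refcounting rule from the reply above, as an added example that is not part of the original message or of the rum patch: a single-threaded userspace model in C of deferred driver work that borrows the bss node versus work that holds its own reference. `struct node`, `struct vap`, `node_ref` and the other names are hypothetical stand-ins, not the net80211 API, and a `freed` flag stands in for `free()` so the stale case can be observed safely.

```c
#include <stddef.h>

/* Userspace model; all names are hypothetical, not the net80211 API. */
struct node { int refcnt; int freed; };
struct vap  { struct node *bss; };

static struct node pool[4];   /* static storage keeps "freed" nodes inspectable */
static size_t pool_next;

static struct node *node_alloc(void) {
    struct node *n = &pool[pool_next++ % 4];
    n->refcnt = 1;            /* reference owned by whoever stores the pointer */
    n->freed = 0;
    return n;
}

static struct node *node_ref(struct node *n) { n->refcnt++; return n; }

/* Drop one reference; the node is reclaimed when the last one goes. */
static void node_release(struct node *n) {
    if (--n->refcnt == 0)
        n->freed = 1;         /* stands in for free() */
}

/* State change (e.g. a reconfigure): install a new bss node and
 * drop the vap's reference on the old one. */
static void vap_replace_bss(struct vap *v) {
    struct node *old = v->bss;
    v->bss = node_alloc();
    node_release(old);
}

/* Deferred work that only borrows vap->bss. Returns 1 if the node it is
 * about to touch was already reclaimed (the use-after-free condition). */
static int task_borrowed(struct vap *v) {
    struct node *ni = v->bss;          /* no reference taken */
    vap_replace_bss(v);                /* state change lands mid-task */
    return ni->freed;
}

/* Same work, holding its own reference for the duration. */
static int task_refcounted(struct vap *v) {
    struct node *ni = node_ref(v->bss);
    vap_replace_bss(v);
    int stale = ni->freed;             /* our reference keeps the node alive */
    node_release(ni);                  /* last reference: reclaimed only now */
    return stale;
}

/* Runs one scenario on a fresh vap: 0 = borrowed, 1 = refcounted. */
static int run(int refcounted) {
    struct vap v = { node_alloc() };
    return refcounted ? task_refcounted(&v) : task_borrowed(&v);
}
```
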