From owner-freebsd-usb@FreeBSD.ORG  Mon Jul 12 20:04:09 2010
Return-Path: <owner-freebsd-usb@FreeBSD.ORG>
Delivered-To: freebsd-usb@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 26B081065670;
	Mon, 12 Jul 2010 20:04:09 +0000 (UTC)
	(envelope-from hselasky@c2i.net)
Received: from swip.net (mailfe06.swip.net [212.247.154.161])
	by mx1.freebsd.org (Postfix) with ESMTP id 236588FC23;
	Mon, 12 Jul 2010 20:04:07 +0000 (UTC)
X-Cloudmark-Score: 0.000000 []
X-Cloudmark-Analysis: v=1.0 c=1 a=HRj3ij7MtkgA:10 a=UBIxAjGgU1YA:10
	a=8nJEP1OIZ-IA:10 a=M8b_wTzEtboA:10
	a=MnI1ikcADjEx7bvsp0jZvQ==:17 a=6I5d2MoRAAAA:8
	a=hwjHTafsMXyKm7GaZ_oA:9 a=Jx0BzAULFPxU7FjL2gn-SgJJS_MA:4
	a=wPNLvfGTeEIA:10
Received: from [188.126.201.140] (account mc467741@c2i.net HELO
	laptop002.hselasky.homeunix.org)
	by mailfe06.swip.net (CommuniGate Pro SMTP 5.2.19)
	with ESMTPA id 1378929241; Mon, 12 Jul 2010 22:04:06 +0200
From: Hans Petter Selasky <hselasky@c2i.net>
To: freebsd-current@freebsd.org
Date: Mon, 12 Jul 2010 22:01:11 +0200
User-Agent: KMail/1.12.4 (FreeBSD/8.1-PRERELEASE; KDE/4.3.4; amd64; ; )
References: <201007072113.16320.hselasky@c2i.net>
	<AANLkTim-2GbC0fOKnZkyV_c_LzIy2hPdeC_jnNaBFXza@mail.gmail.com>
In-Reply-To: <AANLkTim-2GbC0fOKnZkyV_c_LzIy2hPdeC_jnNaBFXza@mail.gmail.com>
X-Face: +~\`s("[*<S!NI[0M*"FaghA8S>|O,="7?X@L.elg*F"OA\I/3%^p8g?ab%RN'(; _IjlA:
	hGE..Ew, XAQ*o#\/M~SC=S1-f9{EzRfT'|Hhll5Q]ha5Bt-s|oTlKMusi:1e[wJl}kd}GR
	Z0adGx-x_0zGbZj'e(Y[(UNle~)8CQWXW@:DX+9)_YlB[tIccCPN$7/L'
MIME-Version: 1.0
Content-Type: Text/Plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <201007122201.11534.hselasky@c2i.net>
Cc: Sam Leffler <sam@freebsd.org>, PseudoCylon <moonlightakkiy@yahoo.ca>,
	freebsd-usb@freebsd.org
Subject: Re: [panic] Race in IEEE802.11 layer towards device drivers
X-BeenThere: freebsd-usb@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: FreeBSD support for USB <freebsd-usb.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-usb>,
	<mailto:freebsd-usb-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-usb>
List-Post: <mailto:freebsd-usb@freebsd.org>
List-Help: <mailto:freebsd-usb-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-usb>,
	<mailto:freebsd-usb-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Jul 2010 20:04:09 -0000

Hi Andrew,

Your patch appears to be working. Can you fix this issue in the other WLAN 
drivers aswell? Then send an e-mail to request testing? I had a go at it here:

http://p4web.freebsd.org/@@180844?ac=10

I found another panic issue:

ifconfig wlan0 delete
ifconfig wlan0 destroy

When not associate or associated.

Backtrace (AMD64 - 9-current):

node_free() + 0x2c
rum_tx_free() + 0x3b
which is called from the bulk tx callback

Another thread is running an IOCTL -> rum_stop(), which causes the CANCELLED 
event to be passed to USB. Can't we free any nodes at this point?

--HPS
 
> This turned out to be refcounting of the ieee80211_node struct which
> was causing this panic. vap->iv_bss can be freed at any time so all
> users of it need to bump the refcount to use it safely.
> 
> This patch should fix the panic in the rum driver.
> http://people.freebsd.org/~thompsa/rum_node_refcnt.diff
> 
> There are other places where it is still an issue such as the
> ieee80211_tx_mgt_timeout callout which havnt been addressed yet, and
> of course all other ieee80211 drivers.
>