From nobody@FreeBSD.org  Tue Sep  8 13:45:09 2009
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 1E3BB106568D
	for <freebsd-gnats-submit@FreeBSD.org>; Tue,  8 Sep 2009 13:45:09 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 0DDD58FC14
	for <freebsd-gnats-submit@FreeBSD.org>; Tue,  8 Sep 2009 13:45:09 +0000 (UTC)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id n88Dj88j014357
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 8 Sep 2009 13:45:08 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id n88Dj8KY014353;
	Tue, 8 Sep 2009 13:45:08 GMT
	(envelope-from nobody)
Message-Id: <200909081345.n88Dj8KY014353@www.freebsd.org>
Date: Tue, 8 Sep 2009 13:45:08 GMT
From: Paul <onemda@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: race at vap destroy
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         138632
>Category:       kern
>Synopsis:       [ndis] [patch] race at vap destroy
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    cokane
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Sep 08 13:50:00 UTC 2009
>Closed-Date:    Tue Sep 22 12:40:23 UTC 2009
>Last-Modified:  Tue Sep 22 12:50:00 UTC 2009
>Originator:     Paul
>Release:        FreeBSD 9.0-CURRENT
>Organization:
>Environment:
FreeBSD dhcppc3 9.0-CURRENT FreeBSD 9.0-CURRENT #2 r196918M: Mon Sep  7 22:22:16 UTC 2009     root@dhcppc3:/usr/obj/usr/src/sys/kernel  i386
>Description:
Regression introduced with ndisulator being ported to VAP.
ndis_scan function may be started after ndis vap have been destroyed.

db:0:kdb.enter.unknown>  bt
Tracing pid 11 tid 100005 td 0xc3d07690
ieee80211_scan_done(0,c05e3712,f8,0,c3d07690,...) at ieee80211_scan_done+0xb
ndis_scan(c4642800,0,c061e422,176,c068c974,...) at ndis_scan+0x38d
softclock(c068c940,c3aa7cc8,c049873d,c0690680,c3d03938,...) at softclock+0x242
intr_event_execute_handlers(c3d05aa0,c3d03900,c06188e0,4fc,c3d03970,...) at intr_event_execute_handlers+0x10f
ithread_loop(c3d49110,c3aa7d38,c0618636,343,c3d05aa0,...) at ithread_loop+0x98
fork_exit(c0483f41,c3d49110,c3aa7d38) at fork_exit+0xb8
fork_trampoline() at fork_trampoline+0x8
--- trap 0, eip = 0, esp = 0xc3aa7d70, ebp = 0 ---

>How-To-Repeat:
# ifconfig wlan0 create wlandev ndis0
# ifconfig wlan0 up && ifconfig wlan0 destroy
>Fix:
--- if_ndis.c   (revision 196964)+++ if_ndis.c   (working copy)
@@ -1012,7 +1012,12 @@
 ndis_vap_delete(struct ieee80211vap *vap)
 {
        struct ndis_vap *nvp = NDIS_VAP(vap);
+       struct ieee80211com *ic = vap->iv_ic;
+       struct ifnet *ifp = ic->ic_ifp;
+       struct ndis_softc *sc = ifp->if_softc;

+       ndis_stop(sc);
+       callout_drain(&sc->ndis_scan_callout);
        ieee80211_vap_detach(vap);
        free(nvp, M_80211_VAP); }

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-net 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Tue Sep 8 18:08:44 UTC 2009 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=138632 
State-Changed-From-To: open->closed 
State-Changed-By: cokane 
State-Changed-When: Tue Sep 22 12:37:27 UTC 2009 
State-Changed-Why:  
Committed fix in r197403 


Responsible-Changed-From-To: freebsd-net->cokane 
Responsible-Changed-By: cokane 
Responsible-Changed-When: Tue Sep 22 12:37:27 UTC 2009 
Responsible-Changed-Why:  
Committed fix in r197403 

http://www.freebsd.org/cgi/query-pr.cgi?pr=138632 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/138632: commit references a PR
Date: Tue, 22 Sep 2009 12:37:06 +0000 (UTC)

 Author: cokane
 Date: Tue Sep 22 12:36:51 2009
 New Revision: 197403
 URL: http://svn.freebsd.org/changeset/base/197403
 
 Log:
   The ndis_scan function may be started after ndis vap have been destroyed
   
   PR:		kern/138632
   Submitted by:	Paul B. Mahol <onemda at gmail.com>
   MFC after:	3 days
 
 Modified:
   head/sys/dev/if_ndis/if_ndis.c
 
 Modified: head/sys/dev/if_ndis/if_ndis.c
 ==============================================================================
 --- head/sys/dev/if_ndis/if_ndis.c	Tue Sep 22 11:47:21 2009	(r197402)
 +++ head/sys/dev/if_ndis/if_ndis.c	Tue Sep 22 12:36:51 2009	(r197403)
 @@ -1012,7 +1012,12 @@ static void
  ndis_vap_delete(struct ieee80211vap *vap)
  {
  	struct ndis_vap *nvp = NDIS_VAP(vap);
 +	struct ieee80211com *ic = vap->iv_ic;
 +	struct ifnet *ifp = ic->ic_ifp;
 +	struct ndis_softc *sc = ifp->if_softc;
  
 +	ndis_stop(sc);
 +	callout_drain(&sc->ndis_scan_callout);
  	ieee80211_vap_detach(vap);
  	free(nvp, M_80211_VAP);
  }
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
>Unformatted:

Committed fix in r197403.
