From 23401900d3fc272b2f343290b2bdd4b4e02f67bf Mon Sep 17 00:00:00 2001
From: Adrian Chadd
Date: Sun, 2 Oct 2011 02:42:31 +0000
Subject: [PATCH] Fix a panic in the wifi stack when a software beacon miss occurs in the wrong state.

The ieee80211_swbmiss() callout is not called with the ic lock held, so it's quite possible the scheduler will run the callout during a state change.

This patch:

* changes the swbmiss callout to be locked by the ic lock
* enforces the ic lock being held across the beacon vap functions by grabbing it inside beacon_miss() and beacon_swmiss().

This ensures that the ic lock is held (and thus the VAP state stays constant) during beacon miss and software miss processing. Since the callout is removed whilst the ic lock is held, it also ensures that the ic lock can't be called during a state change or exhibit any race conditions seen above.

Both Edgar and Joel report that this patch fixes the crash and doesn't introduce new issues.

Reported by: Edgar Martinez
Reported by: Joel Dahl
Reported by: emaste
---
 sys/net80211/ieee80211_proto.c | 19 ++++++++++++-------
 sys/net80211/ieee80211_sta.c | 2 ++
 sys/net80211/ieee80211_tdma.c | 3 +++
 3 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/sys/net80211/ieee80211_proto.c b/sys/net80211/ieee80211_proto.c
index 8dee3f7f32d..b4288b77bbb 100644
--- a/sys/net80211/ieee80211_proto.c
+++ b/sys/net80211/ieee80211_proto.c
@@ -193,7 +193,7 @@ ieee80211_proto_vattach(struct ieee80211vap *vap)
 	vap->iv_rtsthreshold = IEEE80211_RTS_DEFAULT;
 	vap->iv_fragthreshold = IEEE80211_FRAG_DEFAULT;
 	vap->iv_bmiss_max = IEEE80211_BMISS_MAX;
-	callout_init(&vap->iv_swbmiss, CALLOUT_MPSAFE);
+	callout_init_mtx(&vap->iv_swbmiss, IEEE80211_LOCK_OBJ(ic), 0);
 	callout_init(&vap->iv_mgtsend, CALLOUT_MPSAFE);
 	TASK_INIT(&vap->iv_nstate_task, 0, ieee80211_newstate_cb, vap);
 	TASK_INIT(&vap->iv_swbmiss_task, 0, beacon_swmiss, vap);
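Review bot: `callout_init_mtx(&vap->iv_swbmiss, IEEE80211_LOCK_OBJ(ic), 0)` turns every later `callout_stop()`/`callout_reset()` on iv_swbmiss into a lock-held operation, so each site that stops or rearms this callout during a state change (none are in this diff) must now hold the ic lock or the callout code's lock assertion will fire under INVARIANTS; conversely, `callout_drain()` on a mutex-backed callout must not be called with that lock held. Those call sites are outside the hunk, so this is a point to verify rather than a defect visible here. A one-line comment above the init, `/* iv_swbmiss runs and is stopped under the ic lock. */`, would record the new contract where it is established. `ic` is presumably declared earlier in ieee80211_proto_vattach, outside the hunk.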
@@ -1403,7 +1403,7 @@ beacon_miss(void *arg, int npending)
 	struct ieee80211com *ic = arg;
 	struct ieee80211vap *vap;
 
-	/* XXX locking */
+	IEEE80211_LOCK(ic);
 	TAILQ_FOREACH(vap, &ic->ic_vaps, iv_next) {
 		/*
 		 * We only pass events through for sta vap's in RUN state;
@@ -1415,18 +1415,21 @@ beacon_miss(void *arg, int npending)
 		    vap->iv_bmiss != NULL)
 			vap->iv_bmiss(vap);
 	}
+	IEEE80211_UNLOCK(ic);
 }
 
 static void
 beacon_swmiss(void *arg, int npending)
 {
 	struct ieee80211vap *vap = arg;
+	struct ieee80211com *ic = vap->iv_ic;
 
-	if (vap->iv_state != IEEE80211_S_RUN)
-		return;
-
-	/* XXX Call multiple times if npending > zero? */
-	vap->iv_bmiss(vap);
+	IEEE80211_LOCK(ic);
+	if (vap->iv_state == IEEE80211_S_RUN) {
+		/* XXX Call multiple times if npending > zero? */
+		vap->iv_bmiss(vap);
+	}
+	IEEE80211_UNLOCK(ic);
 }
 
 /*
@@ -1440,6 +1443,8 @@ ieee80211_swbmiss(void *arg)
 	struct ieee80211vap *vap = arg;
 	struct ieee80211com *ic = vap->iv_ic;
 
+	IEEE80211_LOCK_ASSERT(ic);
+
 	/* XXX sleep state? */
 	KASSERT(vap->iv_state == IEEE80211_S_RUN,
 	    ("wrong state %d", vap->iv_state));
diff --git a/sys/net80211/ieee80211_sta.c b/sys/net80211/ieee80211_sta.c
index 5444459a152..97a9dbc39f2 100644
--- a/sys/net80211/ieee80211_sta.c
+++ b/sys/net80211/ieee80211_sta.c
@@ -109,6 +109,8 @@ sta_beacon_miss(struct ieee80211vap *vap)
 {
 	struct ieee80211com *ic = vap->iv_ic;
 
+	IEEE80211_LOCK_ASSERT(ic);
+
 	KASSERT((ic->ic_flags & IEEE80211_F_SCAN) == 0, ("scanning"));
 	KASSERT(vap->iv_state >= IEEE80211_S_RUN, ("wrong state %s",
 	    ieee80211_state_name[vap->iv_state]));
diff --git a/sys/net80211/ieee80211_tdma.c b/sys/net80211/ieee80211_tdma.c
index 8c191ab92b5..ed46c92e068 100644
--- a/sys/net80211/ieee80211_tdma.c
+++ b/sys/net80211/ieee80211_tdma.c
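Review bot: beacon_swmiss() still calls `vap->iv_bmiss(vap)` without the `vap->iv_bmiss != NULL` guard that beacon_miss() applies on the context line just above it, so the two paths disagree about whether a vap in RUN state may lack a bmiss handler. If a NULL handler is possible, `if (vap->iv_state == IEEE80211_S_RUN && vap->iv_bmiss != NULL) {` keeps the task from dereferencing it; if it is not, a comment saying why the guard is unnecessary here would stop the next reader from asking. Both handlers now run with the ic lock held, so iv_bmiss implementations must not sleep or re-acquire that lock; those implementations are outside this hunk.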
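Review bot: The new `IEEE80211_LOCK_ASSERT(ic)` in ieee80211_swbmiss() only holds because the callout was initialised with the ic mutex in the vattach hunk, and the RUN-state KASSERT that follows depends on the callout being stopped under that same lock during state changes (stated in the commit message, not visible at this site). Neither dependency is written down where the assert lives, so suggest a short comment above it: `/* Runs as the iv_swbmiss callout with the ic lock held (callout_init_mtx); the callout is stopped under that lock on state change, so RUN is guaranteed. */`. The rest of ieee80211_swbmiss continues outside the hunk.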
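Review bot: The `IEEE80211_LOCK_ASSERT(ic)` in sta_beacon_miss() records that the function is now entered with the ic lock held, which also makes the `IEEE80211_F_SCAN` KASSERT on the next line race-free; what it does not cover is the rest of the function (outside this hunk), which must now neither sleep nor call anything that takes the ic lock itself, assuming the com lock is a non-recursive mutex as the callout_init_mtx change implies. That is a point to verify before merge rather than a defect visible in the hunk, and the same applies to tdma_beacon_miss() in the tdma hunk. A comment above the assert, `/* Called with the ic lock held; must not sleep or re-take the ic lock. */`, would make the contract explicit for every iv_bmiss implementer.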
@@ -285,6 +285,9 @@ static void
 tdma_beacon_miss(struct ieee80211vap *vap)
 {
 	struct ieee80211_tdma_state *ts = vap->iv_tdma;
+	struct ieee80211com *ic = vap->iv_ic;
+
+	IEEE80211_LOCK_ASSERT(ic);
 
 	KASSERT((vap->iv_ic->ic_flags & IEEE80211_F_SCAN) == 0, ("scanning"));
 	KASSERT(vap->iv_state == IEEE80211_S_RUN,
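Review bot: With `struct ieee80211com *ic = vap->iv_ic;` now declared, the KASSERT on the following context line still spells `vap->iv_ic->ic_flags`; `KASSERT((ic->ic_flags & IEEE80211_F_SCAN) == 0, ("scanning"));` would use the new local and match sta_beacon_miss(), which already reads `ic->ic_flags`. As with the sta hunk, the assert means the body of tdma_beacon_miss() beyond this hunk now runs with the ic lock held and must not sleep or re-take that lock, which is worth checking since the body is not in the diff. tdma_beacon_miss continues outside the hunk.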