From owner-svn-src-all@FreeBSD.ORG  Wed Mar 12 08:25:25 2014
Return-Path: <owner-svn-src-all@FreeBSD.ORG>
Delivered-To: svn-src-all@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id CC17D607;
 Wed, 12 Mar 2014 08:25:25 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org
 [IPv6:2001:1900:2254:2068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by mx1.freebsd.org (Postfix) with ESMTPS id 9FF65A4C;
 Wed, 12 Mar 2014 08:25:25 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70])
 by svn.freebsd.org (8.14.8/8.14.8) with ESMTP id s2C8PPWx067712;
 Wed, 12 Mar 2014 08:25:25 GMT
 (envelope-from hselasky@svn.freebsd.org)
Received: (from hselasky@localhost)
 by svn.freebsd.org (8.14.8/8.14.8/Submit) id s2C8PPBt067711;
 Wed, 12 Mar 2014 08:25:25 GMT
 (envelope-from hselasky@svn.freebsd.org)
Message-Id: <201403120825.s2C8PPBt067711@svn.freebsd.org>
From: Hans Petter Selasky <hselasky@FreeBSD.org>
Date: Wed, 12 Mar 2014 08:25:25 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org
Subject: svn commit: r263073 - stable/10/sys/dev/usb/wlan
X-SVN-Group: stable-10
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for &quot;
 user&quot; and &quot; projects&quot; \)" <svn-src-all.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-all/>
List-Post: <mailto:svn-src-all@freebsd.org>
List-Help: <mailto:svn-src-all-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Mar 2014 08:25:25 -0000

Author: hselasky
Date: Wed Mar 12 08:25:25 2014
New Revision: 263073
URL: http://svnweb.freebsd.org/changeset/base/263073

Log:
  MFC r262795:
  - Temporary fix for race in RUN driver which can
  cause freed memory to be accessed.
  - Properly lock callout_reset()'s.

Modified:
  stable/10/sys/dev/usb/wlan/if_run.c
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/sys/dev/usb/wlan/if_run.c
==============================================================================
--- stable/10/sys/dev/usb/wlan/if_run.c	Wed Mar 12 08:23:27 2014	(r263072)
+++ stable/10/sys/dev/usb/wlan/if_run.c	Wed Mar 12 08:25:25 2014	(r263073)
@@ -2507,9 +2507,7 @@ run_ratectl_cb(void *arg, int pending)
 	if (vap == NULL)
 		return;
 
-	if (sc->rvp_cnt <= 1 && vap->iv_opmode == IEEE80211_M_STA)
-		run_iter_func(sc, vap->iv_bss);
-	else {
+	if (sc->rvp_cnt > 1 || vap->iv_opmode != IEEE80211_M_STA) {
 		/*
 		 * run_reset_livelock() doesn't do anything with AMRR,
 		 * but Ralink wants us to call it every 1 sec. So, we
@@ -2522,9 +2520,10 @@ run_ratectl_cb(void *arg, int pending)
 		/* just in case, there are some stats to drain */
 		run_drain_fifo(sc);
 		RUN_UNLOCK(sc);
-		ieee80211_iterate_nodes(&ic->ic_sta, run_iter_func, sc);
 	}
 
+	ieee80211_iterate_nodes(&ic->ic_sta, run_iter_func, sc);
+
 	RUN_LOCK(sc);
 	if(sc->ratectl_run != RUN_RATECTL_OFF)
 		usb_callout_reset(&sc->ratectl_ch, hz, run_ratectl_to, sc);
@@ -2604,6 +2603,11 @@ run_iter_func(void *arg, struct ieee8021
 
 	RUN_LOCK(sc);
 
+	/* Check for special case */
+	if (sc->rvp_cnt <= 1 && vap->iv_opmode == IEEE80211_M_STA &&
+	    ni != vap->iv_bss)
+		goto fail;
+
 	if (sc->rvp_cnt <= 1 && (vap->iv_opmode == IEEE80211_M_IBSS ||
 	    vap->iv_opmode == IEEE80211_M_STA)) {
 		/* read statistic counters (clear on read) and update AMRR state */
@@ -2732,7 +2736,10 @@ run_newassoc(struct ieee80211_node *ni, 
 	rn->mgt_ridx = ridx;
 	DPRINTF("rate=%d, mgmt_ridx=%d\n", rate, rn->mgt_ridx);
 
-	usb_callout_reset(&sc->ratectl_ch, hz, run_ratectl_to, sc);
+	RUN_LOCK(sc);
+	if(sc->ratectl_run != RUN_RATECTL_OFF)
+		usb_callout_reset(&sc->ratectl_ch, hz, run_ratectl_to, sc);
+	RUN_UNLOCK(sc);
 }
 
 /*