From owner-svn-src-all@FreeBSD.ORG Wed Mar 12 08:26:50 2014 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 5E83C89A; Wed, 12 Mar 2014 08:26:50 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 2FF87A73; Wed, 12 Mar 2014 08:26:50 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.8/8.14.8) with ESMTP id s2C8Qoo3067903; Wed, 12 Mar 2014 08:26:50 GMT (envelope-from hselasky@svn.freebsd.org) Received: (from hselasky@localhost) by svn.freebsd.org (8.14.8/8.14.8/Submit) id s2C8QoMB067902; Wed, 12 Mar 2014 08:26:50 GMT (envelope-from hselasky@svn.freebsd.org) Message-Id: <201403120826.s2C8QoMB067902@svn.freebsd.org> From: Hans Petter Selasky Date: Wed, 12 Mar 2014 08:26:50 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org Subject: svn commit: r263074 - stable/9/sys/dev/usb/wlan X-SVN-Group: stable-9 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 12 Mar 2014 08:26:50 -0000 Author: hselasky Date: Wed Mar 12 08:26:49 2014 New Revision: 263074 URL: http://svnweb.freebsd.org/changeset/base/263074 Log: MFC r262795: - Temporary fix for race in RUN driver which can cause freed memory to be accessed. - Properly lock callout_reset()'s. Modified: stable/9/sys/dev/usb/wlan/if_run.c (contents, props changed) Directory Properties: stable/9/sys/ (props changed) stable/9/sys/dev/ (props changed) Modified: stable/9/sys/dev/usb/wlan/if_run.c ============================================================================== --- stable/9/sys/dev/usb/wlan/if_run.c Wed Mar 12 08:25:25 2014 (r263073) +++ stable/9/sys/dev/usb/wlan/if_run.c Wed Mar 12 08:26:49 2014 (r263074) @@ -2507,9 +2507,7 @@ run_ratectl_cb(void *arg, int pending) if (vap == NULL) return; - if (sc->rvp_cnt <= 1 && vap->iv_opmode == IEEE80211_M_STA) - run_iter_func(sc, vap->iv_bss); - else { + if (sc->rvp_cnt > 1 || vap->iv_opmode != IEEE80211_M_STA) { /* * run_reset_livelock() doesn't do anything with AMRR, * but Ralink wants us to call it every 1 sec. So, we @@ -2522,9 +2520,10 @@ run_ratectl_cb(void *arg, int pending) /* just in case, there are some stats to drain */ run_drain_fifo(sc); RUN_UNLOCK(sc); - ieee80211_iterate_nodes(&ic->ic_sta, run_iter_func, sc); } + ieee80211_iterate_nodes(&ic->ic_sta, run_iter_func, sc); + RUN_LOCK(sc); if(sc->ratectl_run != RUN_RATECTL_OFF) usb_callout_reset(&sc->ratectl_ch, hz, run_ratectl_to, sc); @@ -2604,6 +2603,11 @@ run_iter_func(void *arg, struct ieee8021 RUN_LOCK(sc); + /* Check for special case */ + if (sc->rvp_cnt <= 1 && vap->iv_opmode == IEEE80211_M_STA && + ni != vap->iv_bss) + goto fail; + if (sc->rvp_cnt <= 1 && (vap->iv_opmode == IEEE80211_M_IBSS || vap->iv_opmode == IEEE80211_M_STA)) { /* read statistic counters (clear on read) and update AMRR state */ @@ -2732,7 +2736,10 @@ run_newassoc(struct ieee80211_node *ni, rn->mgt_ridx = ridx; DPRINTF("rate=%d, mgmt_ridx=%d\n", rate, rn->mgt_ridx); - usb_callout_reset(&sc->ratectl_ch, hz, run_ratectl_to, sc); + RUN_LOCK(sc); + if(sc->ratectl_run != RUN_RATECTL_OFF) + usb_callout_reset(&sc->ratectl_ch, hz, run_ratectl_to, sc); + RUN_UNLOCK(sc); } /*