authorsam <sam@FreeBSD.org>2003-08-19 22:17:04 +0000
committersam <sam@FreeBSD.org>2003-08-19 22:17:04 +0000
commit1c1194250d59edd49cfbc3438c6e16a732403a44 (patch)
tree83efb1b5bb46b4bb6dbad6bd4c5de0b0559f8398 /sys/dev/wi
parentd321d4f4dfa7cf729da088c2648aed6dcea60cc2 (diff)
MFp4 changes to fix locking issues and correct reference
count handling of station entries in hostap mode: Input path: o driver is now expected to find the node associated with the sender of a received frame; use ic_bss if none is located o driver passes the (referenced) node into ieee80211_input for use within the wlan module and is responsible for cleaning up on return o the antenna state is no longer passed up with each frame; this is now considered driver-private state and drivers are responsible for keeping it in the driver-private part of a node Output path: Revamp output path for management frames to eliminate redundant locking that causes problems and to correct reference counting bogosity that occurs when stations are timed out due to inactivity (in AP mode). On output the refcnt'd node is stashed in the pkthdr's rcvif field (yech) and retrieved by the driver. This eliminates an unref/ref scenario and related node table unlock/lock due to the driver looking up the node. This is particularly important when stations are timed out as this causes a lock order reversal that can result in a deadlock. As a byproduct we also reduce the overhead for sending management frames (minimal). Additional fallout from this is a change to ieee80211_encap to return a refcnt'd node for tying to the outbound frame. Node refcnts are not reclaimed until after a frame is completely processed (e.g. in the tx interrupt handler). This is especially important for timed out stations as this deref will be the final one causing the node entry to be reclaimed. Additional semi-related changes: o replace m_copym use with m_copypacket (optimization) o add assert to verify ic_bss is never free'd during normal operation o add comments explaining calling conventions by drivers for frames going in each direction o remove extraneous code that "cannot be executed" (e.g. because pointers may never be null)
Diffstat (limited to 'sys/dev/wi')
-rw-r--r--sys/dev/wi/if_wi.c73
1 files changed, 51 insertions, 22 deletions
diff --git a/sys/dev/wi/if_wi.c b/sys/dev/wi/if_wi.c
index 91e68b1..2fd33d5 100644
--- a/sys/dev/wi/if_wi.c
+++ b/sys/dev/wi/if_wi.c
@@ -805,10 +805,11 @@ wi_start(struct ifnet *ifp)
{
struct wi_softc *sc = ifp->if_softc;
struct ieee80211com *ic = &sc->sc_ic;
+ struct ieee80211_node *ni;
struct ieee80211_frame *wh;
struct mbuf *m0;
struct wi_frame frmhdr;
- int cur, fid, off;
+ int cur, fid, off, error;
WI_LOCK_DECL();
WI_LOCK(sc);
@@ -832,6 +833,18 @@ wi_start(struct ifnet *ifp)
break;
}
IF_DEQUEUE(&ic->ic_mgtq, m0);
+ /*
+ * Hack! The referenced node pointer is in the
+ * rcvif field of the packet header. This is
+ * placed there by ieee80211_mgmt_output because
+ * we need to hold the reference with the frame
+ * and there's no other way (other than packet
+ * tags which we consider too expensive to use)
+ * to pass it along.
+ */
+ ni = (struct ieee80211_node *) m0->m_pkthdr.rcvif;
+ m0->m_pkthdr.rcvif = NULL;
+
m_copydata(m0, 4, ETHER_ADDR_LEN * 2,
(caddr_t)&frmhdr.wi_ehdr);
frmhdr.wi_ehdr.ether_type = 0;
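Review bot: The cast at `ni = (struct ieee80211_node *) m0->m_pkthdr.rcvif;` trusts that every mbuf on ic_mgtq was queued by ieee80211_mgmt_output, and nothing in the hunk enforces that. A frame that reached the queue by another path would carry an ifnet pointer in rcvif, which the later `ieee80211_free_node(ic, ni)` calls would then treat as a node. The comment should state that invariant and the ownership, for example `/* every mbuf on ic_mgtq carries a referenced node (or NULL) in rcvif; this function owns that reference from here on */`. The rest of the management branch lies outside the hunk, so any early exit there still needs checking for a leaked reference.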
@@ -854,26 +867,12 @@ wi_start(struct ifnet *ifp)
BPF_MTAP(ifp, m0);
#endif
- if ((m0 = ieee80211_encap(ifp, m0)) == NULL) {
+ m0 = ieee80211_encap(ifp, m0, &ni);
+ if (m0 == NULL) {
ifp->if_oerrors++;
continue;
}
wh = mtod(m0, struct ieee80211_frame *);
- if (ic->ic_opmode == IEEE80211_M_HOSTAP &&
- !IEEE80211_IS_MULTICAST(wh->i_addr1) &&
- (wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) ==
- IEEE80211_FC0_TYPE_DATA) {
- struct ieee80211_node *ni =
- ieee80211_find_node(ic, wh->i_addr1);
- int err = (ni == NULL || ni->ni_associd == 0);
- if (ni != NULL)
- ieee80211_unref_node(&ni);
- if (err) {
- m_freem(m0);
- ifp->if_oerrors++;
- continue;
- }
- }
if (ic->ic_flags & IEEE80211_F_WEPON)
wh->i_fc[1] |= IEEE80211_FC1_WEP;
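Review bot: With the hostap block removed, wi_start no longer shows any test that a unicast data frame is addressed to an associated station; the old code dropped the frame when `ni->ni_associd == 0`. The diffstat is limited to sys/dev/wi, so whether ieee80211_encap now makes that decision cannot be confirmed from this page and should be checked before relying on it. Once confirmed, a comment above the call would record the contract, e.g. `/* ieee80211_encap drops frames for unassociated stations in hostap mode and returns a referenced node in ni */`. It should also say whether ni holds a reference when the call returns NULL, because that path continues without releasing one.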
@@ -887,6 +886,8 @@ wi_start(struct ifnet *ifp)
(wh->i_fc[1] & IEEE80211_FC1_WEP)) {
if ((m0 = ieee80211_wep_crypt(ifp, m0, 1)) == NULL) {
ifp->if_oerrors++;
+ if (ni && ni != ic->ic_bss)
+ ieee80211_free_node(ic, ni);
continue;
}
frmhdr.wi_tx_ctl |= htole16(WI_TXCNTL_NOCRYPT);
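Review bot: The test `if (ni && ni != ic->ic_bss)` assumes ni is either NULL or a live reference, but ni is declared without an initializer and on the data path is written only through the `&ni` argument of ieee80211_encap. If any path leaves it untouched, the pointer released in an earlier loop iteration would be handed to ieee80211_free_node a second time. Setting `ni = NULL;` at the top of each iteration makes the test safe whatever encap does. The same release is repeated after the BAP writes further down, and the loop head is outside this hunk.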
@@ -915,13 +916,15 @@ wi_start(struct ifnet *ifp)
wi_dump_pkt(&frmhdr, NULL, -1);
fid = sc->sc_txd[cur].d_fid;
off = sizeof(frmhdr);
- if (wi_write_bap(sc, fid, 0, &frmhdr, sizeof(frmhdr)) != 0 ||
- wi_mwrite_bap(sc, fid, off, m0, m0->m_pkthdr.len) != 0) {
+ error = wi_write_bap(sc, fid, 0, &frmhdr, sizeof(frmhdr)) != 0
+ || wi_mwrite_bap(sc, fid, off, m0, m0->m_pkthdr.len) != 0;
+ m_freem(m0);
+ if (ni && ni != ic->ic_bss)
+ ieee80211_free_node(ic, ni);
+ if (error) {
ifp->if_oerrors++;
- m_freem(m0);
continue;
}
- m_freem(m0);
sc->sc_txd[cur].d_len = off;
if (sc->sc_txcur == cur) {
if (wi_cmd(sc, WI_CMD_TX | WI_RECLAIM, fid, 0, 0)) {
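Review bot: The release at `if (ni && ni != ic->ic_bss)` drops nothing when the node is ic_bss, whereas the receive path in wi_rx_intr balances its ic_bss reference with `ieee80211_unref_node(&ni)`. If ieee80211_encap or ieee80211_mgmt_output returns ic_bss with a reference taken (not visible on this page), the count on ic_bss only grows on transmit. Either mirror the receive path with `else if (ni != NULL) ieee80211_unref_node(&ni);` or add a comment stating that the ic_bss count is deliberately left unbalanced here. The WEP failure path earlier in wi_start has the same shape.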
@@ -1355,6 +1358,7 @@ wi_rx_intr(struct wi_softc *sc)
struct wi_frame frmhdr;
struct mbuf *m;
struct ieee80211_frame *wh;
+ struct ieee80211_node *ni;
int fid, len, off, rssi;
u_int8_t dir;
u_int16_t status;
@@ -1471,7 +1475,32 @@ wi_rx_intr(struct wi_softc *sc)
if (ic->ic_opmode == IEEE80211_M_IBSS && dir == IEEE80211_FC1_DIR_NODS)
wi_sync_bssid(sc, wh->i_addr3);
- ieee80211_input(ifp, m, rssi, rstamp, 0);
+ /*
+ * Locate the node for sender, track state, and
+ * then pass this node (referenced) up to the 802.11
+ * layer for its use. We are required to pass
+ * something so we fallback to ic_bss when this frame
+ * is from an unknown sender.
+ */
+ if (ic->ic_opmode != IEEE80211_M_STA) {
+ ni = ieee80211_find_node(ic, wh->i_addr2);
+ if (ni == NULL)
+ ni = ieee80211_ref_node(ic->ic_bss);
+ } else
+ ni = ieee80211_ref_node(ic->ic_bss);
+ /*
+ * Send frame up for processing.
+ */
+ ieee80211_input(ifp, m, ni, rssi, rstamp);
+ /*
+ * The frame may have caused the node to be marked for
+ * reclamation (e.g. in response to a DEAUTH message)
+ * so use free_node here instead of unref_node.
+ */
+ if (ni == ic->ic_bss)
+ ieee80211_unref_node(&ni);
+ else
+ ieee80211_free_node(ic, ni);
}
static void
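Review bot: `ieee80211_find_node(ic, wh->i_addr2)` takes the transmitter address from a frame supplied by the radio, and the length validation that should precede it is outside this hunk. Short control frames carry no addr2, so the lookup is only meaningful once the received length is known to cover a full `struct ieee80211_frame`. If no earlier check guarantees that, the lookup should sit behind a guard comparing `m->m_pkthdr.len` with `sizeof(struct ieee80211_frame)`, and the comment above it should name where the length is validated.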