http://defect.opensolaris.org/bz/show_bug.cgi?id=12025
Michael Hunter <michael.hunter at sun.com> changed:
What      |Removed                   |Added
----------------------------------------------------------------------------
Priority  |P4                        |P3
Status    |NEW                       |ACCEPTED
AssignedTo|nwam-dev at opensolaris.org |michael.hunter at sun.com
--- Comment #1 from Michael Hunter <michael.hunter at sun.com> 2009-10-16 11:22:48 UTC ---
What I believe is happening is that the nwamd_ncu_handle_fini_event() destroys
the object_data before the object is removed from the list. So the
wlan_scan_thread() and nwamd_ncu_handle_fini_event() race through the
nwamd_object_find(). nwamd_ncu_handle_fini_event() wins and destroys the
object_data but then has to release the read list lock so it can get a write
list lock in order to remove the object from the list. When that happens
wlan_scan_thread() gets a reference to the object and starts to use it. At
that point the object doesn't have the ncu data and wlan_scan_thread() faults.

We should probably change the order that nwamd_ncu_handle_fini_event() destroys
the various parts of the object. The object should be kept whole until after
it is removed from the list and the reference count has dropped to 0.

What I'll do in this case is to check in wlan_scan_thread() and make sure that
we have valid data. I'll leave the larger (and more intrusive) work to another
time.