Remove hack used to deal with ifnet teardown now that if_detach and the

bridge do a better job.
o move ether_ifdetach to the top of ieee80211_detach
o do not clear if_softc at the top of ieee80211_detach; we no longer need
  this because we are safeguarded against calls coming back through if_ioctl
o simplify the bpf tracker now that we don't null if_softc

This also fixes an issue where having a bpf consumer active when a vap
is destroyed would cause a crash because bpf referenced free'd memory.

Reviewed by:	imp

sys/net80211/ieee80211.c

@@ -544,24 +544,10 @@ ieee80211_vap_detach(struct ieee80211vap *vap)
 	    __func__, ieee80211_opmode_name[vap->iv_opmode],
 	    ic->ic_ifp->if_xname);
 
-	IEEE80211_LOCK(ic);
-	/* block traffic from above */
-	ifp->if_drv_flags |= IFF_DRV_OACTIVE;
-	/*
-	 * Evil hack.  Clear the backpointer from the ifnet to the
-	 * vap so any requests from above will return an error or
-	 * be ignored.  In particular this short-circuits requests
-	 * by the bridge to turn off promiscuous mode as a result
-	 * of calling ether_ifdetach.
-	 */
-	ifp->if_softc = NULL;
-	/*
-	 * Stop the vap before detaching the ifnet.  Ideally we'd
-	 * do this in the other order so the ifnet is inaccessible
-	 * while we cleanup internal state but that is hard.
-	 */
-	ieee80211_stop_locked(vap);
-	IEEE80211_UNLOCK(ic);
+	/* NB: bpfdetach is called by ether_ifdetach and claims all taps */
+	ether_ifdetach(ifp);
+
+	ieee80211_stop(vap);
 
 	/*
 	 * Flush any deferred vap tasks.
@@ -587,10 +573,6 @@ ieee80211_vap_detach(struct ieee80211vap *vap)
 	ieee80211_syncifflag_locked(ic, IFF_ALLMULTI);
 	IEEE80211_UNLOCK(ic);
 
-	/* XXX can't hold com lock */
-	/* NB: bpfdetach is called by ether_ifdetach and claims all taps */
-	ether_ifdetach(ifp);
-
 	ifmedia_removeall(&vap->iv_media);
 
 	ieee80211_radiotap_vdetach(vap);

sys/net80211/ieee80211_freebsd.c

@@ -710,8 +710,7 @@ bpf_track(void *arg, struct ifnet *ifp, int dlt, int attach)
 			ieee80211_syncflag_ext(vap, IEEE80211_FEXT_BPF);
 			if (vap->iv_opmode == IEEE80211_M_MONITOR)
 				atomic_add_int(&vap->iv_ic->ic_montaps, 1);
-		/* NB: if_softc is NULL on vap detach */
-		} else if (vap != NULL && !bpf_peers_present(vap->iv_rawbpf)) {
+		} else if (!bpf_peers_present(vap->iv_rawbpf)) {
 			ieee80211_syncflag_ext(vap, -IEEE80211_FEXT_BPF);
 			if (vap->iv_opmode == IEEE80211_M_MONITOR)
 				atomic_subtract_int(&vap->iv_ic->ic_montaps, 1);

sys/net80211/ieee80211_ioctl.c

@@ -3202,29 +3202,14 @@ ieee80211_ioctl_updatemulti(struct ieee80211com *ic)
 int
 ieee80211_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
 {
-	struct ieee80211vap *vap;
-	struct ieee80211com *ic;
+	struct ieee80211vap *vap = ifp->if_softc;
+	struct ieee80211com *ic = vap->iv_ic;
 	int error = 0;
 	struct ifreq *ifr;
 	struct ifaddr *ifa;			/* XXX */
 
-	vap = ifp->if_softc;
-	if (vap == NULL) {
-		/*
-		 * During detach we clear the backpointer in the softc
-		 * so any ioctl request through the ifnet that arrives
-		 * before teardown is ignored/rejected.  In particular
-		 * this hack handles destroying a vap used by an app
-		 * like wpa_supplicant that will respond to the vap
-		 * being forced into INIT state by immediately trying
-		 * to force it back up.  We can yank this hack if/when
-		 * we can destroy the ifnet before cleaning up vap state.
-		 */
-		return ENXIO;
-	}
 	switch (cmd) {
 	case SIOCSIFFLAGS:
-		ic = vap->iv_ic;
 		IEEE80211_LOCK(ic);
 		ieee80211_syncifflag_locked(ic, IFF_PROMISC);
 		ieee80211_syncifflag_locked(ic, IFF_ALLMULTI);
@@ -3250,7 +3235,7 @@ ieee80211_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
 		break;
 	case SIOCADDMULTI:
 	case SIOCDELMULTI:
-		ieee80211_ioctl_updatemulti(vap->iv_ic);
+		ieee80211_ioctl_updatemulti(ic);
 		break;
 	case SIOCSIFMEDIA:
 	case SIOCGIFMEDIA: