Avoid crashing after shutting down WiFi

[bjoernQ]

Thank you for your contribution!

We appreciate the time and effort you've put into this pull request.
To help us review it efficiently, please ensure you've gone through the following checklist:

Submission Checklist 📝

• I have updated existing examples or added new ones (if applicable).
• I have used cargo xtask fmt-packages command to ensure that all changed code is formatted correctly.
• My changes were added to the CHANGELOG.md in the proper section.
• I have added necessary changes to user code to the latest Migration Guide.
• My changes are in accordance to the esp-rs developer guidelines

Extra:

• I have read the CONTRIBUTING.md guide and followed its instructions.

Pull Request Details 📖

Description

See #4639 for a reliable reproducer

Testing

Running the reproducer

[bugadani]

Do we need these checks? From smoltcp's point of view, if we provide a token, we should be able to send the data.

[bjoernQ]

not too sure but my thinking was that we might hand out a token and some other thread might tear down everything after getting the token but before actually starting the transmit

we can be brave and remove it for now and see if someone runs into this problem 🤷‍♂️ but the check should be cheap

[bugadani]

not too sure but my thinking was that we might hand out a token and some other thread might tear down everything after getting the token but before actually starting the transmit

In that case this isn't a solution - if another thread can stop the wifi stack right in the middle of this, then it can stop the stack right after this check, too.

[bugadani]

So I guess we need to acquire an OS-mutex when we hand out a token, and release it when the packet has been sent. We need to acquire the same mutex when we try to change state.

[bjoernQ]

true - not sure if it's worth it? - lets remove it for now and see if someone manages to run into that (I left a comment there for "future us")

[bjoernQ]

(and yes - this is a consequence of detaching the interfaces from the controller's life-cycle 🙈 )

[bugadani]

we'll need some sort of mutexing (or rather a counting semaphore, where changing state needs to take all count) still, to prevent state change during transmission 🤷‍♂️

[bjoernQ]

I guess the only problematic case (having one is already enough - yes) should be de-init / uninitialized state

Other state transitions should be handled by the driver gracefully - might be worth thinking for a moment about first

[bugadani]

Doesn't this limit us to one in-flight packet at a time? I think we should only give back the semaphore in esp_wifi_tx_done_cb, or on an error, basically inside decrement_inflight_counter or when we would otherwise call it.

It's also a bit too late to lock here, we've already given the token, we should be able to send the packet.

[bjoernQ]

It shouldn't limit us to one? - the assumption (which is hard to prove) is that the blobs handle the inflight tx gracefully during tear-down - we just can't schedule another transmission once the buffers etc. are gone.

If that assumption is true we might not even end up in esp_wifi_tx_done_cb - oh wait - that would mean we should reset the inflight counter before creating a (new) controller 🤔

[bugadani]

Yeah it sounds much easier and robust to prevent shutdown if there are any tranmissions running 😅 With the added caveat that attempting to tear the whole system down should block any new packets from being sent, or network traffic can prevent the driver from being shut down.