Fix race condition in handling node reference counts for authenticating

stations in ap mode.  Track when a node's first auth frame is
received and use this to decide whether or not to bump the refcnt.
This insures we only ever bump the refcnt once.

Reviewed by:	avatar
Approved by:	re (scottl)

1 files changed, 15 insertions, 0 deletions

diff --git a/sys/net80211/ieee80211_node.c b/sys/net80211/ieee80211_node.c
index 3811f99..b085855 100644
--- a/sys/net80211/ieee80211_node.c
+++ b/sys/net80211/ieee80211_node.c
@@ -850,6 +850,13 @@ node_cleanup(struct ieee80211_node *ni)
 		    "[%s] power save mode off, %u sta's in ps mode\n",
 		    ether_sprintf(ni->ni_macaddr), ic->ic_ps_sta);
 	}
+	/*
+	 * Clear AREF flag that marks the authorization refcnt bump
+	 * has happened.  This is probably not needed as the node
+	 * should always be removed from the table so not found but
+	 * do it just in case.
+	 */
+	ni->ni_flags &= ~IEEE80211_NODE_AREF;
 
 	/*
 	 * Drain power save queue and, if needed, clear TIM.
@@ -1397,6 +1404,14 @@ restart:
 			continue;
 		ni->ni_scangen = gen;
 		/*
+		 * Ignore entries for which have yet to receive an
+		 * authentication frame.  These are transient and
+		 * will be reclaimed when the last reference to them
+		 * goes away (when frame xmits complete).
+		 */
+		if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
+			continue;
+		/*
 		 * Free fragment if not needed anymore
 		 * (last fragment older than 1s).
 		 * XXX doesn't belong here