From 2cd7f030b785e55a0de9824d17ef2394f337ec68 Mon Sep 17 00:00:00 2001 From: sam Date: Sun, 31 Jul 2005 06:12:32 +0000 Subject: close a race between reclaiming a node when a station is inactive and sending the null data frame used to probe inactive stations MFC after: 5 days --- sys/net80211/ieee80211_node.c | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'sys/net80211/ieee80211_node.c') diff --git a/sys/net80211/ieee80211_node.c b/sys/net80211/ieee80211_node.c index 81f6138..72884f0 100644 --- a/sys/net80211/ieee80211_node.c +++ b/sys/net80211/ieee80211_node.c @@ -1474,6 +1474,14 @@ IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, "[%s] discard frame, age %u\n", ether IEEE80211_MSG_INACT | IEEE80211_MSG_NODE, ni, "%s", "probe station due to inactivity"); + /* + * Grab a reference before unlocking the table + * so the node cannot be reclaimed before we + * send the frame. ieee80211_send_nulldata + * understands we've done this and reclaims the + * ref for us as needed. + */ + ieee80211_ref_node(ni); IEEE80211_NODE_UNLOCK(nt); ieee80211_send_nulldata(ni); /* XXX stat? */ -- cgit v1.1
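Review bot: The added `ieee80211_ref_node(ni)` before `IEEE80211_NODE_UNLOCK(nt)` is only balanced if `ieee80211_send_nulldata` drops that reference on every return path, and the new comment's "as needed" leaves that contract vague. This commit changes only ieee80211_node.c, so the callee is not visible here; if it has an early failure return that skips the release, each inactivity probe would leave an extra reference and the station's node could never be reclaimed. I would tighten the comment's last sentence to `ieee80211_send_nulldata consumes this reference on all paths, including failure; ni must not be used after the call.` and state the same contract on the callee. The enclosing function starts and ends outside the hunk, so whether `ni` is touched again after the call cannot be checked from these lines.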