The commit which introduced hostap power management support in athn(4) had a node refcounting bug. When buffered management or multicast frames are sent from ic_bss's ni_savedq the Tx node's reference count isn't bumped. This means the reference count of ic_bss could become negative when the Tx completion interrupt handler releases the node reference.
Because ic_bss won't be freed this bug should have no bad effects in practice but it is worth fixing anyway. ok? (the 'ni' here is always ic_bss) diff d5cea33885618bf7e096efc36fffbecc9b13ed21 0cc5b904b4fd02e989e83cfc8a743c3e63ac7c01 blob - 2b77b0d686dd9025de558a94cbb0a5ce75b93747 blob + 0cc05094661dc1221b020d428e698988573a593e --- sys/dev/ic/ar5008.c +++ sys/dev/ic/ar5008.c @@ -1298,6 +1298,7 @@ ar5008_swba_intr(struct athn_softc *sc) wh->i_fc[1] |= IEEE80211_FC1_MORE_DATA; } + ieee80211_node_incref(ni); if (sc->ops.tx(sc, m, ni, ATHN_TXFLAG_CAB) != 0) { ieee80211_release_node(ic, ni); ifp->if_oerrors++;
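Review bot: the new ieee80211_node_incref(ni) before sc->ops.tx() makes the refcount balance on both paths of this hunk, since the error path's ieee80211_release_node(ic, ni) now drops the reference just taken and the success path leaves it for the Tx completion handler to release, as the message describes. A short comment next to the incref stating that the reference is handed to the Tx path and dropped on completion would help the next reader, because at first glance an incref immediately followed by a release looks redundant. Also, the message covers both buffered management and multicast frames dequeued from ni_savedq, but this hunk shows only the ATHN_TXFLAG_CAB path in ar5008_swba_intr; please confirm the buffered management-frame path takes the same reference before calling sc->ops.tx().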