From owner-freebsd-wireless@FreeBSD.ORG  Sat Dec  8 09:53:44 2012
Return-Path: <owner-freebsd-wireless@FreeBSD.ORG>
Delivered-To: freebsd-wireless@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
 by hub.freebsd.org (Postfix) with ESMTP id 6C5DCC11
 for <freebsd-wireless@freebsd.org>; Sat,  8 Dec 2012 09:53:44 +0000 (UTC)
 (envelope-from adrian.chadd@gmail.com)
Received: from mail-wg0-f52.google.com (mail-wg0-f52.google.com [74.125.82.52])
 by mx1.freebsd.org (Postfix) with ESMTP id E824C8FC12
 for <freebsd-wireless@freebsd.org>; Sat,  8 Dec 2012 09:53:43 +0000 (UTC)
Received: by mail-wg0-f52.google.com with SMTP id 12so761009wgh.31
 for <freebsd-wireless@freebsd.org>; Sat, 08 Dec 2012 01:53:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
 h=mime-version:sender:in-reply-to:references:date
 :x-google-sender-auth:message-id:subject:from:to:content-type;
 bh=U3xtlmc+L2tW1kbpW2ZweeL+HmpZEGkNiYb/NOWBCqo=;
 b=ynZmAFuOwD3qNSABsCbD4KdoRO9Fo3ck844azxd50yopEHkxgEBmbLlWAPQ8OEUETP
 gHzqpa0htU27O6AjVSpL43EbFaZ0+2PHk6avaSsAoYvWOEEvA5GCBVJHprZwShsUP9Y9
 89JylS1YCX71ikXugUjstZsDPhAKbMwI0P1YQFTp88831VeRHV8tQGbtkdXWUZos47pT
 xqdqXI5YOwWazvvKHS6RMPEaBkZiLtNBPqYPtv/PEi506mlh365tPhXzizuh6fvvFepz
 TiBpwxTAZyJoUwooxjEjUH9SEWIPiNGyUJtJnyYoS+kO/lviAjIa9pMRKgONGft+Qsf/
 k6XA==
MIME-Version: 1.0
Received: by 10.180.97.137 with SMTP id ea9mr2451354wib.13.1354960422741; Sat,
 08 Dec 2012 01:53:42 -0800 (PST)
Sender: adrian.chadd@gmail.com
Received: by 10.217.57.9 with HTTP; Sat, 8 Dec 2012 01:53:42 -0800 (PST)
In-Reply-To: <CAJ-Vmok2TNPvg0Ogtz0LfWLTXkVw_GE+7TPn51gKLvGiUZgGPQ@mail.gmail.com>
References: <CAJ-Vmok2TNPvg0Ogtz0LfWLTXkVw_GE+7TPn51gKLvGiUZgGPQ@mail.gmail.com>
Date: Sat, 8 Dec 2012 01:53:42 -0800
X-Google-Sender-Auth: 7aSPflCTlzKJqUWAAwI3BQ51weQ
Message-ID: <CAJ-Vmomskf=3gCVKRrrB+dHuJRDGtPvePvdTVXt-_mF9zOjfaQ@mail.gmail.com>
Subject: Re: Hm, somehow the fast frames code is broken (surprise)
From: Adrian Chadd <adrian@freebsd.org>
To: freebsd-wireless@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1
X-BeenThere: freebsd-wireless@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Discussions of 802.11 stack,
 tools device driver development." <freebsd-wireless.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-wireless>, 
 <mailto:freebsd-wireless-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-wireless>
List-Post: <mailto:freebsd-wireless@freebsd.org>
List-Help: <mailto:freebsd-wireless-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-wireless>, 
 <mailto:freebsd-wireless-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 08 Dec 2012 09:53:44 -0000

...

On 8 December 2012 01:24, Adrian Chadd <adrian@freebsd.org> wrote:

> * upon a node purge, there's a panic inside m_free() from
> ieee80211_ff_node_cleanup(), where it dereferences a pointer
> 0xdeadc0de. So there's some use-after-free nonsense going

... aaand look at that, I've just fixed it in -HEAD. The second panic
hasn't shown up yet but I don't believe that fixing the first panic
magically made the second panic go away.
In any case I'll just plod along with some further testing and see how
things go.

Thanks,


Adrian