I'm seeing messages like:

Data modified on freelist: word 5 of object 0xe02ac000 size 0xffc previous type devbuf (0xdeadbeed != 0xdeadbeef

on my access point with athn(4). I tracked this down to a reference count issue in ieee80211_ioctl(); word 5 is exactly where ni_refcnt happens to be in struct ieee80211_node, and 0xdeadbeed is exactly what you get if you decrease it after you've freed. Verified this by adding some debug code to ieee80211_release_node(). Calling ieee80211_release_node() at that spot in ieee80211_ioctl() doesn't make sense, since we don't hold a reference to the node. My guess is that ieee80211_node_leave() is the proper function to call here. This seems to fix the issue. ok?

Index: ieee80211_ioctl.c =================================================================== RCS file: /cvs/src/sys/net80211/ieee80211_ioctl.c,v retrieving revision 1.33 diff -u -p -r1.33 ieee80211_ioctl.c --- ieee80211_ioctl.c 12 Sep 2009 19:37:27 -0000 1.33 +++ ieee80211_ioctl.c 4 Sep 2010 19:09:25 -0000 @@ -701,7 +701,7 @@ ieee80211_ioctl(struct ifnet *ifp, u_lon IEEE80211_FC0_SUBTYPE_DEAUTH, IEEE80211_REASON_AUTH_LEAVE); - ieee80211_release_node(ic, ni); + ieee80211_node_leave(ic, ni); } break; case SIOCG80211ALLNODES:
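Review bot: the hunk swaps the call that follows the deauth frame, but the visible context does not show how ni was looked up or which mode check guards this case; before committing, confirm that the lookup above this hunk does not take a node reference that ieee80211_node_leave() would now leave unreleased (the opposite failure from the one being fixed), and that this path only runs with the interface in hostap mode, since ieee80211_node_leave() is the AP-side teardown of a station. It would also help to carry the diagnosis from the mail (word 5 == ni_refcnt, 0xdeadbeed meaning a decrement after free) into the commit message so the reason for replacing ieee80211_release_node() is recorded with the change.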
on my access point with athn(4). I tracked this down to a reference count issue in ieee80211_ioctl(); word 5 is exactly where ni_refcnt happens to be in struct ieee80211_node, and 0xdeadbeed is exactl what you get if you decrease it after you've freed. verified this by adding some debug code to ieee80211_release_node(). Calling ieee80211_release_node() at that spot in ieee80211_ioctl() doesn't make sense, since we don't hold a reference to the node. My guess is that ieee80211_node_leave() is the proper function to call here. This seems to fix the issue. ok? Index: ieee80211_ioctl.c =================================================================== RCS file: /cvs/src/sys/net80211/ieee80211_ioctl.c,v retrieving revision 1.33 diff -u -p -r1.33 ieee80211_ioctl.c --- ieee80211_ioctl.c 12 Sep 2009 19:37:27 -0000 1.33 +++ ieee80211_ioctl.c 4 Sep 2010 19:09:25 -0000 @@ -701,7 +701,7 @@ ieee80211_ioctl(struct ifnet *ifp, u_lon IEEE80211_FC0_SUBTYPE_DEAUTH, IEEE80211_REASON_AUTH_LEAVE); - ieee80211_release_node(ic, ni); + ieee80211_node_leave(ic, ni); } break; case SIOCG80211ALLNODES: