Here's a report with all the information: http://people.freebsd.org/~davide/reports/adrian.txt
Responsible Changed From-To: freebsd-bugs->freebsd-wireless Over to maintainer(s).
http://fxr.watson.org/fxr/source/net80211/ieee80211_output.c?v=FREEBSD91#L2506
enum ieee80211_state ostate = (enum ieee80211_state) arg;
casting a pointer to an enum

http://fxr.watson.org/fxr/source/net80211/ieee80211_output.c?v=FREEBSD91#L2519
if (vap->iv_state == ostate)
So that, this test is always false -> callout_reset() will never be called -> by the time the callout timer runs out, ni could be freed.
Oops. The code casts the enum to the pointer to begin with, so it works. Sorry for the noise.

On Fri, Mar 29, 2013 at 3:21 PM, PseudoCylon <moonlightakkiy@yahoo.ca> wrote:
> http://fxr.watson.org/fxr/source/net80211/ieee80211_output.c?v=FREEBSD91#L2506
> enum ieee80211_state ostate = (enum ieee80211_state) arg;
> casting a pointer to an enum
>
> http://fxr.watson.org/fxr/source/net80211/ieee80211_output.c?v=FREEBSD91#L2519
> if (vap->iv_state == ostate)
> So that, this test is always false -> callout_reset() will never be
> called -> by the time the callout timer runs out, ni could be freed.
batch change:

For bugs that match the following
- Status Is In progress
AND
- Untouched since 2018-01-01.
AND
- Affects Base System OR Documentation

DO:
Reset to open status.

Note:
I did a quick pass but if you are getting this email it might be worthwhile to double check to see if this bug ought to be closed.
Fixed in base r257065 (node may be freed during callout delay -> virtual interface pointer is passed instead).