if (ni == NULL) {
ni = ieee80211_alloc_node_table(vap, se->se_macaddr);
IEEE80211_DPRINTF(vap, IEEE80211_MSG_ASSOC,
-@@ -1391,6 +1394,53 @@ ieee80211_add_neighbor(struct ieee80211v
+@@ -1394,6 +1397,53 @@ ieee80211_add_neighbor(struct ieee80211v
return ni;
}
/*
* Return the node for the sender of a frame; if the sender is unknown return
* NULL. The caller is expected to deal with this. (The frame is sent to all
-@@ -1400,10 +1450,10 @@ ieee80211_add_neighbor(struct ieee80211v
+@@ -1403,10 +1453,10 @@ ieee80211_add_neighbor(struct ieee80211v
*/
struct ieee80211_node *
#ifdef IEEE80211_DEBUG_REFCNT
const struct ieee80211_frame_min *wh)
#endif
{
-@@ -1411,9 +1461,8 @@ ieee80211_find_rxnode(struct ieee80211co
+@@ -1414,9 +1464,8 @@ ieee80211_find_rxnode(struct ieee80211co
((wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) == IEEE80211_FC0_TYPE_CTL)
#define IS_PSPOLL(wh) \
((wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK) == IEEE80211_FC0_SUBTYPE_PS_POLL)
const u_int8_t *addr;
if (IS_CTL(wh) && !IS_PSPOLL(wh) /*&& !IS_RTS(ah)*/)
-@@ -1426,32 +1475,21 @@ ieee80211_find_rxnode(struct ieee80211co
+@@ -1429,32 +1478,25 @@ ieee80211_find_rxnode(struct ieee80211co
/* XXX check ic_bss first in station mode */
/* XXX 4-address frames? */
- else
- return NULL;
+ ni = ieee80211_ref_node(avp->iv_wdsnode);
++ return ni;
}
++ if (!(vap->iv_flags_ext & IEEE80211_FEXT_WDS))
++ return NULL;
++ } else {
++ return NULL;
}
-+ return ni;
}
-#ifdef IEEE80211_DEBUG_REFCNT
}
#ifdef IEEE80211_DEBUG_REFCNT
EXPORT_SYMBOL(ieee80211_find_rxnode_debug);
-@@ -1476,15 +1514,14 @@ ieee80211_find_txnode(struct ieee80211va
+@@ -1479,15 +1521,14 @@ ieee80211_find_txnode(struct ieee80211va
struct ieee80211com *ic = vap->iv_ic;
struct ieee80211_node_table *nt;
struct ieee80211_node *ni = NULL;
/*
* The destination address should be in the node table
-@@ -1502,11 +1539,22 @@ ieee80211_find_txnode(struct ieee80211va
+@@ -1505,11 +1546,22 @@ ieee80211_find_txnode(struct ieee80211va
/* XXX: Can't hold lock across dup_bss due to recursive locking. */
nt = &vap->iv_ic->ic_sta;
IEEE80211_NODE_TABLE_LOCK_IRQ(nt);
IEEE80211_NODE_TABLE_UNLOCK_IRQ(nt);
if (ni == NULL) {
-@@ -1961,13 +2009,29 @@ remove_worse_nodes(void *arg, struct iee
+@@ -1964,13 +2016,32 @@ remove_worse_nodes(void *arg, struct iee
}
}
+ if (ni->ni_vap == rni->ni_vap)
+ return;
+
++ if (!IEEE80211_ADDR_EQ(rni->ni_macaddr, ni->ni_macaddr))
++ return;
++
+ ieee80211_node_leave(ni);
+}
+
--- a/net80211/ieee80211_input.c
+++ b/net80211/ieee80211_input.c
-@@ -227,15 +227,22 @@ ieee80211_input(struct ieee80211vap * va
- if (!dev)
- goto out;
+@@ -216,16 +216,14 @@ ieee80211_input(struct ieee80211vap * va
-+ if ((vap->iv_dev->flags & (IFF_UP|IFF_RUNNING)) != (IFF_UP|IFF_RUNNING))
-+ goto out;
-+
-+ if (!vap->iv_bss)
-+ goto out;
+ type = -1; /* undefined */
+
+- if (!vap)
+- goto out;
++ if (!vap || !vap->iv_bss || !vap->iv_dev || !vap->iv_ic)
++ goto discard;
+
+ ic = vap->iv_ic;
+- if (!ic)
+- goto out;
+-
+ dev = vap->iv_dev;
+- if (!dev)
+- goto out;
+
++ if ((vap->iv_dev->flags & (IFF_UP|IFF_RUNNING)) != (IFF_UP|IFF_RUNNING))
++ goto discard;
+
/* initialize ni as in the previous API */
if (ni_or_null == NULL) {
- /* This function does not 'own' vap->iv_bss, so we cannot
+@@ -233,9 +231,10 @@ ieee80211_input(struct ieee80211vap * va
* guarantee its existence during the following call, hence
* briefly grab our own reference. */
ni = ieee80211_ref_node(vap->iv_bss);
KASSERT(skb->len >= sizeof(struct ieee80211_frame_min),
("frame length too short: %u", skb->len));
-@@ -933,16 +940,23 @@ int
+@@ -844,10 +843,11 @@ ieee80211_input(struct ieee80211vap * va
+ err:
+ vap->iv_devstats.rx_errors++;
+ out:
+- if (skb != NULL)
+- ieee80211_dev_kfree_skb(&skb);
+ if (ni_or_null == NULL)
+ ieee80211_unref_node(&ni);
++discard:
++ if (skb != NULL)
++ ieee80211_dev_kfree_skb(&skb);
+ return type;
+ #undef HAS_SEQ
+ }
+@@ -929,16 +929,23 @@ int
ieee80211_input_all(struct ieee80211com *ic,
struct sk_buff *skb, int rssi, u_int64_t rtsf)
{
if (TAILQ_NEXT(vap, iv_next) != NULL) {
skb1 = skb_copy(skb, GFP_ATOMIC);
if (skb1 == NULL) {
-@@ -954,8 +968,10 @@ ieee80211_input_all(struct ieee80211com
+@@ -950,8 +957,12 @@ ieee80211_input_all(struct ieee80211com
skb1 = skb;
skb = NULL;
}
- type = ieee80211_input(vap, NULL, skb1, rssi, rtsf);
+ type = ieee80211_input(vap, ni, skb1, rssi, rtsf);
++ if (ni)
++ ieee80211_unref_node(&ni);
}
+
+out:
if (skb != NULL) /* no vaps, reclaim skb */
ieee80211_dev_kfree_skb(&skb);
return type;
-@@ -1146,11 +1162,9 @@ ieee80211_deliver_data(struct ieee80211_
+@@ -1147,11 +1158,9 @@ ieee80211_deliver_data(struct ieee80211_
* sending it will not work; just let it be
* delivered normally.
*/
!ni1->ni_subif &&
ni1 != vap->iv_bss) {
+@@ -3520,6 +3529,7 @@ ieee80211_recv_mgmt(struct ieee80211vap
+ (vap->iv_opmode == IEEE80211_M_WDS)) &&
+ (scan.capinfo & IEEE80211_CAPINFO_ESS))) {
+ struct ieee80211vap *avp = NULL;
++ int do_unref = 0;
+ int found = 0;
+
+ IEEE80211_LOCK_IRQ(vap->iv_ic);
+@@ -3553,10 +3563,12 @@ ieee80211_recv_mgmt(struct ieee80211vap
+ ni->ni_associd |= 0xc000;
+ avp->iv_wdsnode = ieee80211_ref_node(ni);
+ IEEE80211_UNLOCK_IRQ(ic);
+- } else if (vap->iv_opmode == IEEE80211_M_IBSS) {
++ } else if ((vap->iv_opmode == IEEE80211_M_IBSS) &&
++ IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bssid)) {
+ /* Create a new entry in the neighbor table. */
+ ni = ieee80211_add_neighbor(vap, wh, &scan);
+ }
++ do_unref = 1;
+ } else {
+ /*
+ * Copy data from beacon to neighbor table.
+@@ -3595,6 +3607,8 @@ ieee80211_recv_mgmt(struct ieee80211vap
+ ni->ni_rssi = rssi;
+ ni->ni_rtsf = rtsf;
+ ni->ni_last_rx = jiffies;
++ if (do_unref)
++ ieee80211_unref_node(&ni);
+ }
+ }
+ break;
--- a/ath/if_ath.c
+++ b/ath/if_ath.c
-@@ -6577,9 +6577,8 @@ ath_recv_mgmt(struct ieee80211vap * vap,
+@@ -6589,9 +6589,8 @@ ath_recv_mgmt(struct ieee80211vap * vap,
sc->sc_recv_mgmt(vap, ni_or_null, skb, subtype, rssi, rtsf);
(const struct ieee80211_frame_min *)skb->data);
if (ni == NULL) {
DPRINTF(sc, ATH_DEBUG_BEACON, "Dropping; node unknown.\n");
-@@ -6734,7 +6733,9 @@ ath_rx_poll(struct net_device *dev, int
+@@ -6746,7 +6745,9 @@ ath_rx_poll(struct net_device *dev, int
struct ath_desc *ds;
struct ath_rx_status *rs;
struct sk_buff *skb = NULL;
unsigned int len;
int type;
u_int phyerr;
-@@ -6889,12 +6890,15 @@ rx_accept:
+@@ -6901,12 +6902,15 @@ rx_accept:
skb_trim(skb, skb->len - IEEE80211_CRC_LEN);
if (mic_fail) {
if (ni && ni->ni_table) {
ieee80211_check_mic(ni, skb);
-@@ -6956,11 +6960,24 @@ drop_micfail:
+@@ -6968,11 +6972,24 @@ drop_micfail:
* for its use. If the sender is unknown spam the
* frame; it'll be dropped where it's not wanted.
*/
ATH_RSSI_LPF(ATH_NODE(ni)->an_avgrssi, rs->rs_rssi);
type = ieee80211_input(ni->ni_vap, ni, skb, rs->rs_rssi, bf->bf_tsf);
ieee80211_unref_node(&ni);
-@@ -6969,24 +6986,35 @@ drop_micfail:
+@@ -6981,24 +6998,39 @@ drop_micfail:
* No key index or no entry, do a lookup and
* add the node to the mapping table if possible.
*/
- (const struct ieee80211_frame_min *)skb->data);
+
+lookup_slowpath:
-+ vap = ieee80211_find_rxvap(ic, wh->i_addr1);
++ if (IEEE80211_IS_MULTICAST(wh->i_addr1))
++ vap = NULL;
++ else
++ vap = ieee80211_find_rxvap(ic, wh->i_addr1);
++
+ if (vap)
+ ni = ieee80211_find_rxnode(ic, vap, wh);
+ else