From 5698ab1ad338a7f7a6bb7886036a6373a6995c43 Mon Sep 17 00:00:00 2001
From: Sam Leffler
Date: Tue, 18 Sep 2007 21:01:04 +0000
Subject: [PATCH] Close longstanding race dropping inactive stations; grab a reference to the node before starting the work, otherwise the node may go away before a reference is made in ieee80211_send_mgmt.
Approved by: re (blanket wireless)
Obtained from: Atheros
---
 sys/net80211/ieee80211_node.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/sys/net80211/ieee80211_node.c b/sys/net80211/ieee80211_node.c
index 285c4c935bc8..8e59b503518d 100644
--- a/sys/net80211/ieee80211_node.c
+++ b/sys/net80211/ieee80211_node.c
@@ -1549,6 +1549,7 @@ restart:
 * in case the driver takes a lock, as this can result
 * in a LOR between the node lock and the driver lock.
 */
+ ieee80211_ref_node(ni);
 IEEE80211_NODE_UNLOCK(nt);
 if (ni->ni_associd != 0) {
 IEEE80211_SEND_MGMT(ic, ni,
@@ -1556,6 +1557,7 @@ restart:
 IEEE80211_REASON_AUTH_EXPIRE);
 }
 ieee80211_node_leave(ic, ni);
+ ieee80211_free_node(ni);
 ic->ic_stats.is_node_timeout++;
 goto restart;
 }
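Review bot: The `ieee80211_ref_node(ni)` added in the first hunk is what keeps the node's memory alive across `IEEE80211_NODE_UNLOCK(nt)`, but the comment above it still explains only the lock-order reason for unlocking, so the lifetime reason is undocumented. I would extend that comment with something like `/* Hold a reference so ni cannot be reclaimed once the node lock is dropped; released after ieee80211_node_leave below. */`, so that a later cleanup does not remove the paired `ieee80211_free_node(ni)` in the second hunk. The reference pins the memory but not the node's state: `ni->ni_associd` is read and `ieee80211_node_leave(ic, ni)` is called with the table unlocked, so another path could presumably have handled the same station in between, and it is worth confirming that `ieee80211_node_leave` tolerates a node that has already left. The enclosing loop starts and ends outside both hunks.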