On Sun, 6 May 2007 20:37:34 +0200 Michael Buesch wrote: > [...] > static void finish_sta_info_free(struct ieee80211_local *local, > struct sta_info *sta) > { > + sta_info_key_disable(local, sta); > + > #ifdef CONFIG_MAC80211_VERBOSE_DEBUG > printk(KERN_DEBUG "%s: Removed STA " MAC_FMT "\n", > local->mdev->name, MAC_ARG(sta->addr)); > @@ -213,6 +246,16 @@ static void finish_sta_info_free(struct > sta_info_put(sta); > } There is a race here. You already removed the sta from sta_hash list and you're not protected by any lock. Thus, it is possible to add a new station with the same address before finish_sta_info_free is called. When this happens, you call the set_key handler for the new key and after that you call it again with DISABLE_KEY. It's not easy to get this right. I remember also problems with dereferencing already freed key when I thought about possible ways to solve exactly this problem. Thanks, Jiri -- Jiri Benc SUSE Labs - To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html