> Here's an interesting sequence: > > 1) a TX urb is submitted. > 2) p54u_rx_cb() => p54_rx_frame_sent(), which does kfree_skb( the_skb_in_(1) ). > 3) p54u_tx_cb() for (1) is called with the same, now freed, skb. kaboom. > > IOW the skb is freed before the usb completion runs. > > Somehow i don't think this is the reason for the corruption, but it certainly > seems to be responsible for some, if not all, of the crashes/panics. Hmm, if it happens for beacons, it's probably also happening for other frames, which are not freed, but given to ieee80211_tx_status_irqsafe() and that could explain the corruption. Will verify, but probably not before tomorrow. artur -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
