This patch fixes a bug which caused an incorrect node pointer to be passed from
ath_rx_tasklet() to ieee80211_input() under some specific circumstances. This
in turn caused subsequent actions (most notably - responses to management
frames) to be executed in a wrong environment, so that STAs were sent frames
not intended for them (and inversely, the intended addressees didn't get the
frames at all).
The "specific circumstances" mentioned above are when:
- a node is freed
- its corresponding keycache entry (sc_keyixmap) is destroyed (ath_hal_keyreset())
- a new keycache entry is allocated for a different node (ath_hal_keyset())
- a frame from the freed node is received prior to or sometime in the meantime of the actions described above
A stale ds_rxstat.rs_keyix causes a wrong struct ieee80211_node * to be
obtained from sc_keyixmap, which is then passed to the net80211 stack.
The patch is a workaround for this problem rather than an ultimate solution.
IMHO the place to perform rs_keyix invalidation is the hal.
http://dev.lintrack.org/browser/trunk/packages/madwifi/patches/012-keycache_check_rxnode.diff.bz2?format=raw
Signed-off-by: Michal Wrobel <xmxwx@asn.pl>
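
The sequence described above, replayed as an added example in a small user-space model; this is not the patch's code nor madwifi's. The types `struct node` and `struct rx_frame`, the slot number, the MAC values and the transmitter-address comparison in `lookup_checked()` are assumptions made for illustration, since the description does not show which check the patch performs.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEYMAX 8

struct node { uint8_t mac[6]; };                    /* stand-in for struct ieee80211_node */
struct rx_frame { uint8_t ta[6]; uint8_t keyix; };  /* transmitter address + rs_keyix analogue */

static struct node *keyixmap[KEYMAX];               /* stand-in for sc_keyixmap */

/* Unchecked lookup: trusts the key index reported with the frame. */
static struct node *lookup_unchecked(const struct rx_frame *f)
{
    return f->keyix < KEYMAX ? keyixmap[f->keyix] : NULL;
}

/* Checked lookup (assumed mitigation): accept the mapped node only if its MAC
 * equals the frame's transmitter address; NULL means "look up by address". */
static struct node *lookup_checked(const struct rx_frame *f)
{
    struct node *n = lookup_unchecked(f);
    if (n != NULL && memcmp(n->mac, f->ta, sizeof(n->mac)) != 0)
        return NULL;
    return n;
}

/* Replays the race; returns 1 if the frame is attributed to the wrong node. */
static int stale_slot_demo(int checked)
{
    /* Constructed sample nodes A and B. */
    static struct node a = {{0x02, 0, 0, 0, 0, 0x0a}}, b = {{0x02, 0, 0, 0, 0, 0x0b}};
    struct rx_frame f;
    struct node *n;

    keyixmap[3] = &a;
    memcpy(f.ta, a.mac, sizeof(f.ta));
    f.keyix = 3;                 /* frame from A is received, tagged with A's slot */
    keyixmap[3] = NULL;          /* node A is freed, its keycache entry reset */
    keyixmap[3] = &b;            /* the same slot is allocated to node B */
    n = checked ? lookup_checked(&f) : lookup_unchecked(&f);
    return n == &b;
}

int main(void)
{
    printf("unchecked: wrong node = %d\n", stale_slot_demo(0));
    printf("checked:   wrong node = %d\n", stale_slot_demo(1));
    return 0;
}
```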