net80211 adds a tmp peer multiple times when sending error frames

Open erikarn opened this issue 4 years ago • 1 comments

Here's a fun one!

ieee80211_send_error() calls ieee80211_tmp_node() to send an error frame to a peer that doesn't yet exist. Unfortunately it doesn't plumb the node into the node table. It then will send the frame and expects to be reclaimed once the send is complete.

However, for devices like ath10k, we need firmware nodes when sending data to peers and we're plumbing them up every time we allocate a node. So, when we send a frame to the non-BSS node it's doing this hack, creating multiple peers, and then it tries freeing them all - but the firmware just fails to free the non-existent firmware peer node after the first temp net80211 node is freed.

So, this is an interesting one to wrestle with. Do we try to fix this in ath10k for now? Can we send these error frames using the bss peer as the ath10k firmware peer rather than needing to craft up an entirely new node? Or does this need to be fixed inside of net80211 where we keep a separate tmp_node table that we check when creating temp or new nodes so we don't end up spamming the driver with multiple overlapping node creation/deletions?

erikarn, Sep 20 '20 05:09

I think somehow to me this sounds like the need for a proper state machine and a bit of reference counting rather than hacking things on to here and there...

bzfbd, Sep 20 '20 11:09
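
The reference-counting idea raised in this thread, sketched as an added example (not code from net80211, athp or either commenter): a per-MAC table in which only the first node allocation asks for a firmware peer and only the last free asks for its removal. The names `fw_peer_ref`, `peer_get` and `peer_put` are hypothetical, and the sketch assumes single-threaded use with no locking.

```c
#include <stdint.h>
#include <string.h>

#define MAX_PEERS 8
#define MAC_LEN   6

/* Hypothetical per-MAC record; not a net80211 or athp structure. */
struct fw_peer_ref {
    uint8_t mac[MAC_LEN];
    int     refs;           /* live nodes (temp or real) using this MAC */
};
static struct fw_peer_ref peer_tbl[MAX_PEERS];

static struct fw_peer_ref *peer_find(const uint8_t *mac)
{
    for (int i = 0; i < MAX_PEERS; i++)
        if (peer_tbl[i].refs > 0 && memcmp(peer_tbl[i].mac, mac, MAC_LEN) == 0)
            return &peer_tbl[i];
    return NULL;
}

/* On node allocation: 1 = firmware peer must be created, 0 = shared, -1 = full. */
int peer_get(const uint8_t *mac)
{
    struct fw_peer_ref *p = peer_find(mac);
    if (p != NULL) {
        p->refs++;          /* overlapping node reuses the existing peer */
        return 0;
    }
    for (int i = 0; i < MAX_PEERS; i++) {
        if (peer_tbl[i].refs == 0) {
            memcpy(peer_tbl[i].mac, mac, MAC_LEN);
            peer_tbl[i].refs = 1;
            return 1;
        }
    }
    return -1;
}

/* On node free: 1 = firmware peer must be deleted, 0 = still in use, -1 = unknown. */
int peer_put(const uint8_t *mac)
{
    struct fw_peer_ref *p = peer_find(mac);
    if (p == NULL)
        return -1;          /* no matching create: send nothing to firmware */
    return --p->refs == 0;
}
```

A caller would issue the firmware create or delete command only when the return value is 1, so three overlapping temp nodes for one address produce one create and one delete.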