Hm, I'm confused. The whole point of using callout_init_mtx() is so that ieee80211_swbmiss() will be called with the ic lock held. It's supposed to remove any chance of races with adding/removing/running the callout. I'll recompile my test STAs with lock debugging and this patch; see if I can trigger it. Adrian