kern/165149: [ath] [net80211] Ping with data length more than iv_fragthreshold
Adrian Chadd
adrian at freebsd.org
Wed Feb 15 06:20:12 UTC 2012
The following reply was made to PR kern/165149; it has been noted by GNATS.
From: Adrian Chadd <adrian at freebsd.org>
To: bug-followup at FreeBSD.org, monthadar at gmail.com
Cc:
Subject: Re: kern/165149: [ath] [net80211] Ping with data length more than iv_fragthreshold
Date: Tue, 14 Feb 2012 22:16:31 -0800
The problem is .. well, annoying:
* ieee80211_fragment() creates a fragment list by chaining mbufs
together using m->m_nextpkt;
* IFQ_DEQUEUE() (well, _IF_DEQUEUE()) clears m->m_nextpkt when the
mbuf is being returned;
* ath_start() uses IFQ_DEQUEUE() to dequeue a frame;
* .. since it notes it's a fragment, it punts it to ath_txfrag_setup();
* .. and ath_txfrag_setup(), finding m->m_nextpkt to be NULL, bails
out with an error (since the fragment list is empty.)
* ath_start() tosses the initial frame, and nothing is sent.
Now it looks like the rest of the frames in the list are also
unceremoniously ignored (since m->m_nextpkt is completely blanked
out); which is likely the mbuf leak you noticed.
Adrian
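
Added example, not part of the original message and not FreeBSD source: a user-space C model of the sequence described above, counting how many fragments are sent and how many mbufs are left allocated. The static pool, m_get(), model_fragment(), model_start() and the clear_on_dequeue control flag are assumptions made for illustration; only the m_nextpkt behaviour is taken from the message.

```c
#include <stddef.h>
/* Simplified user-space model, not FreeBSD source: only the m_nextpkt
 * linkage described in the message is represented. */
#define POOL_SIZE 16
struct mbuf { struct mbuf *m_nextpkt; int in_use; };
static struct mbuf pool[POOL_SIZE];   /* constructed stand-in for the allocator */
static struct mbuf *m_get(void) {
    for (int i = 0; i < POOL_SIZE; i++)
        if (!pool[i].in_use) {
            pool[i] = (struct mbuf){ .m_nextpkt = NULL, .in_use = 1 };
            return &pool[i];
        }
    return NULL;
}
/* Number of mbufs allocated and never freed. */
static int live_mbufs(void) {
    int n = 0;
    for (int i = 0; i < POOL_SIZE; i++)
        n += pool[i].in_use;
    return n;
}

/* Models ieee80211_fragment(): n mbufs chained through m_nextpkt. */
static struct mbuf *model_fragment(int n) {
    struct mbuf *first = NULL, **link = &first, *m;
    while (n-- > 0 && (m = m_get()) != NULL) {
        *link = m;
        link = &m->m_nextpkt;
    }
    return first;
}

/* Models the ath_start() path for one fragmented frame and returns how many
 * fragments were sent. clear_on_dequeue = 0 is a control case for comparison. */
static int model_start(int nfrags, int clear_on_dequeue) {
    struct mbuf *m = model_fragment(nfrags), *next;
    int sent = 0;
    if (m == NULL) return -1;
    if (clear_on_dequeue) m->m_nextpkt = NULL;  /* effect of the dequeue */
    if (m->m_nextpkt == NULL) {       /* fragment setup finds an empty list */
        m->in_use = 0;                /* only the initial frame is freed */
        return 0;                     /* remaining fragments are unreachable */
    }
    for (; m != NULL; m = next, sent++) {   /* control: chain intact, send all */
        next = m->m_nextpkt;
        m->in_use = 0;
    }
    return sent;
}
```

With four fragments and the link cleared on dequeue, nothing is sent and three mbufs stay allocated; the control case sends all four and frees them.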