From da4552abb0c7d486c0939e69be14398a9231c1fe Mon Sep 17 00:00:00 2001
From: Adrian Chadd <adrian@FreeBSD.org>
Date: Tue, 3 Nov 2015 21:11:30 +0000
Subject: [PATCH] ath(4) - don't try to free buffers / return an error if we've
 committed to transmit the buffer.

ath_tx_start() may manipulate/reallocate the mbuf as part of the DMA
code, so we can't expect the mbuf can be returned back to the caller.
Now, the net80211 ifnet work changed the semantics slightly so
if an error is returned here, the mbuf/reference is freed by the
caller (here, it's net80211.)

So, once we reach ath_tx_start(), we never return failure.  If we fail
then we still return OK and we free the mbuf/noderef ourselves, and
we increment OERRORS.
---
 sys/dev/ath/if_ath.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/sys/dev/ath/if_ath.c b/sys/dev/ath/if_ath.c
index 4166bb73d69..26b1060b5a1 100644
--- a/sys/dev/ath/if_ath.c
+++ b/sys/dev/ath/if_ath.c
@@ -3320,6 +3320,9 @@ nextfrag:
 	 *
 	 * Note: if this fails, then the mbufs are freed but
 	 * not the node reference.
+	 *
+	 * So, we now have to free the node reference ourselves here
+	 * and return OK up to the stack.
 	 */
 	next = m->m_nextpkt;
 	if (ath_tx_start(sc, ni, bf, m)) {
@@ -3336,7 +3339,14 @@ reclaim:
 		 */
 		ath_txfrag_cleanup(sc, &frags, ni);
 		ATH_TXBUF_UNLOCK(sc);
-		retval = ENOBUFS;
+
+		/*
+		 * XXX: And free the node/return OK; ath_tx_start() may have
+		 *      modified the buffer.  We currently have no way to
+		 *      signify that the mbuf was freed but there was an error.
+		 */
+		ieee80211_free_node(ni);
+		retval = 0;
 		goto finish;
 	}