From dcfd99a788241a27da322dc5495f489f2ba8d650 Mon Sep 17 00:00:00 2001 From: Adrian Chadd Date: Fri, 28 Oct 2011 15:44:09 +0000 Subject: [PATCH] When punting frames to the RX tap, free the mbufs since we've tampered with their length. Without this, an error frame mbuf would: * have its size adjusted; * thrown at the radiotap code; * then since it's never consumed, the rxbuf/mbuf is then re-added to the RX descriptor list with the small size; * .. and the hardware ends up (sometimes) only DMA'ing part of a frame into the small buffer, chaining RX frames together (setting the more flag). I discovered this particular issue when doing some promiscuous radiotap testing; I found that I'd occasionally get rs_more set in RX descriptors w/ the first frame length being very small (sub-100 bytes.) The driver handles 2-descriptor RX frames (but not more), so this still worked; it was just odd. This is suboptimal and may benefit from being replaced with caching the m_pkthdr_len and m_len fields, then restoring them after completion. --- sys/dev/ath/if_ath.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sys/dev/ath/if_ath.c b/sys/dev/ath/if_ath.c index e1d2c0fb218..0bd0e179c3d 100644 --- a/sys/dev/ath/if_ath.c +++ b/sys/dev/ath/if_ath.c @@ -3624,8 +3624,10 @@ rx_error: /* NB: bpf needs the mbuf length setup */ len = rs->rs_datalen; m->m_pkthdr.len = m->m_len = len; + bf->bf_m = NULL; ath_rx_tap(ifp, m, rs, tsf, nf); ieee80211_radiotap_rx_all(ic, m); + m_freem(m); } /* XXX pass MIC errors up for s/w reclaculation */ goto rx_next;