From owner-freebsd-wireless@FreeBSD.ORG Wed Feb 15 06:20:12 2012
Date: Wed, 15 Feb 2012 06:20:12 GMT
Message-Id: <201202150620.q1F6KCLi055015@freefall.freebsd.org>
To: freebsd-wireless@FreeBSD.org
From: Adrian Chadd
Subject: Re: kern/165149: [ath] [net80211] Ping with data length more than iv_fragthreshold
List-Id: "Discussions of 802.11 stack, tools device driver development."

The following reply was made to PR kern/165149; it has been noted by GNATS.

From: Adrian Chadd
To: bug-followup@FreeBSD.org, monthadar@gmail.com
Subject: Re: kern/165149: [ath] [net80211] Ping with data length more than iv_fragthreshold
Date: Tue, 14 Feb 2012 22:16:31 -0800

The problem is .. well, annoying:

* ieee80211_fragment() creates a fragment list by chaining mbufs together using m->m_nextpkt;
* IFQ_DEQUEUE() (well, _IF_DEQUEUE()) clears m->m_nextpkt when the mbuf is being returned;
* ath_start() uses IFQ_DEQUEUE() to dequeue a frame;
* .. since it notes it's a fragment, it punts it to ath_txfrag_setup();
* .. and ath_txfrag_setup(), finding m->m_nextpkt to be NULL, bails out with an error (since the fragment list is empty.)
* ath_start() tosses the initial frame, and nothing is sent.

Now it looks like the rest of the frames in the list are also unceremoniously ignored (since m->m_nextpkt is completely blanked out); which is likely the mbuf leak you noticed.

Adrian
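As an added illustration (not code from the PR, from Adrian, or from FreeBSD), a constructed C model of the interaction described above: a fragment chain threaded through m_nextpkt, a dequeue that clears that same field, and a fragment-setup routine that then finds an empty list and forces the frame to be dropped, leaving the remaining fragments unreachable. The struct, the one-slot queue and the function names are simplifications, not the real struct mbuf, ieee80211_fragment(), _IF_DEQUEUE() or ath_txfrag_setup(); the leak counter is there so the lost mbufs can be measured.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model: one pointer field shared by two owners (queue and chain). */
struct mbuf {
    struct mbuf *m_nextpkt;   /* fragment chain is threaded through this field */
    int m_len;
};

static int live_mbufs;        /* allocations minus frees; non-zero at the end = leak */

static struct mbuf *m_get(int len) {
    struct mbuf *m = calloc(1, sizeof *m);
    m->m_len = len; live_mbufs++; return m;
}
static void m_free(struct mbuf *m) { free(m); live_mbufs--; }

/* Like ieee80211_fragment(): split a frame into nfrags mbufs linked via m_nextpkt. */
static struct mbuf *fragment(int len, int nfrags) {
    struct mbuf *head = NULL, **tail = &head;
    for (int i = 0; i < nfrags; i++) { *tail = m_get(len / nfrags); tail = &(*tail)->m_nextpkt; }
    return head;
}

/* Like ath_txfrag_setup(): count the fragments hanging off m0; -1 (error) if none. */
static int txfrag_setup(struct mbuf *m0) {
    int n = 0;
    for (struct mbuf *m = m0->m_nextpkt; m != NULL; m = m->m_nextpkt) n++;
    return n == 0 ? -1 : n;
}

/* One-slot queue. With clear_nextpkt set, dequeue blanks m_nextpkt the way the
 * mail says _IF_DEQUEUE() does, severing a chain the queue was never told about. */
static struct mbuf *dequeue(struct mbuf *slot, int clear_nextpkt) {
    if (clear_nextpkt) slot->m_nextpkt = NULL;
    return slot;
}

/* Like ath_start(): dequeue, set up fragments, release what is still reachable.
 * Returns the number of mbufs handed to the driver (0 = frame tossed). */
static int start(int len, int nfrags, int clear_nextpkt) {
    struct mbuf *m = dequeue(fragment(len, nfrags), clear_nextpkt);
    int n = txfrag_setup(m);
    if (n < 0) { m_free(m); return 0; }   /* head freed; the rest of the chain is now unreachable */
    while (m != NULL) { struct mbuf *next = m->m_nextpkt; m_free(m); m = next; }
    return n + 1;
}

static int leaked_mbufs(void) { return live_mbufs; }

int main(void) {
    printf("cleared: sent=%d leaked=%d\n", start(3000, 3, 1), leaked_mbufs());
    printf("intact:  sent=%d leaked=%d\n", start(3000, 3, 0), leaked_mbufs());
    return 0;
}
```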