When punting frames to the RX tap, free the mbufs since we've tampered with
their length.

Without this, an error frame mbuf would:

* have its size adjusted;
* thrown at the radiotap code;
* then since it's never consumed, the rxbuf/mbuf is then re-added to the RX descriptor list with the small size;
* .. and the hardware ends up (sometimes) only DMA'ing part of a frame into the small buffer, chaining RX frames together (setting the more flag).

I discovered this particular issue when doing some promiscuous radiotap testing; I found that I'd occasionally get rs_more set in RX descriptors w/ the first frame length being very small (sub-100 bytes.) The driver handles 2-descriptor RX frames (but not more), so this still worked; it was just odd.

This is suboptimal and may benefit from being replaced with caching the m_pkthdr_len and m_len fields, then restoring them after completion.
parent c241c5e49a
commit dcfd99a788
@ -3624,8 +3624,10 @@ rx_error:
|
||||
/* NB: bpf needs the mbuf length setup */
|
||||
len = rs->rs_datalen;
|
||||
m->m_pkthdr.len = m->m_len = len;
|
||||
bf->bf_m = NULL;
|
||||
ath_rx_tap(ifp, m, rs, tsf, nf);
|
||||
ieee80211_radiotap_rx_all(ic, m);
|
||||
m_freem(m);
|
||||
}
|
||||
/* XXX pass MIC errors up for s/w reclaculation */
|
||||
goto rx_next;
|
||||
|
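Review bot: The sequence bf->bf_m = NULL before ath_rx_tap() followed by m_freem(m) after ieee80211_radiotap_rx_all() is only safe if the code reached by goto rx_next attaches a fresh mbuf to bf before the buffer goes back on the RX descriptor list, and if the DMA map for the old mbuf has been synced and unloaded before the free. Neither is visible in this hunk, so please confirm both, or do them here. The only comment in the block is the older "bpf needs the mbuf length setup" line; a short comment on bf->bf_m = NULL saying that the mbuf is dropped because its length was rewritten would stop a later cleanup from removing it. Since every tapped error frame now costs a free and a re-allocation, saving m->m_pkthdr.len and m->m_len before the assignment and restoring them after the tap calls would keep the buffer on the ring without the shrunken size.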