Download raw body.
plug a node reference leak in qwx
There is a node reference leak in qwx_dp_tx_free_txbuf() which causes
problems with roaming. Roaming with concurrent traffic requires that
ni_refcount will drop to zero eventually and the driver will get stuck
if that never happens.
Most references for transmitted packets are released via a different
code path. But via a debug printf I have seen this code path trigger
occasionally:
printf("%s: release node, refcount=%d\n", __func__, tx_data->ni->ni_refcount);
/bsd: qwx_dp_tx_free_txbuf: release node, refcount=1
ok?
M sys/dev/ic/qwx.c | 4+ 0-
1 file changed, 4 insertions(+), 0 deletions(-)
commit - 776366b88416834a1aab0c2070fed8e2e914efba
commit + ca726c17ebd1641e9d3bf1bb4018cb866fdf52a4
blob - 54088e8c1d65a1934e3318cc5367fefc12eccff1
blob + 9db06691afb97f96c7b0029ba6d6778e828ba254
--- sys/dev/ic/qwx.c
+++ sys/dev/ic/qwx.c
@@ -15696,6 +15696,7 @@ void
qwx_dp_tx_free_txbuf(struct qwx_softc *sc, int msdu_id,
struct dp_tx_ring *tx_ring)
{
+ struct ieee80211com *ic = &sc->sc_ic;
struct qwx_tx_data *tx_data;
if (msdu_id >= sc->hw_params.tx_ring_size)
@@ -15707,6 +15708,9 @@ qwx_dp_tx_free_txbuf(struct qwx_softc *sc, int msdu_id
m_freem(tx_data->m);
tx_data->m = NULL;
+ ieee80211_release_node(ic, tx_data->ni);
+ tx_data->ni = NULL;
+
if (tx_ring->queued > 0)
tx_ring->queued--;
}
plug a node reference leak in qwx