From: Stefan Sperling
Subject: plug a node reference leak in qwx
To: tech@openbsd.org
Date: Fri, 25 Jul 2025 01:05:10 +0200

There is a node reference leak in qwx_dp_tx_free_txbuf() which causes problems with roaming. Roaming with concurrent traffic requires that ni_refcount will drop to zero eventually and the driver will get stuck if that never happens.

Most references for transmitted packets are released via a different code path. But via a debug printf I have seen this code path trigger occasionally:

	printf("%s: release node, refcount=%d\n", __func__, tx_data->ni->ni_refcount);

/bsd: qwx_dp_tx_free_txbuf: release node, refcount=1

ok?

M sys/dev/ic/qwx.c | 4+ 0- 1 file changed, 4 insertions(+), 0 deletions(-) commit - 776366b88416834a1aab0c2070fed8e2e914efba commit + ca726c17ebd1641e9d3bf1bb4018cb866fdf52a4 blob - 54088e8c1d65a1934e3318cc5367fefc12eccff1 blob + 9db06691afb97f96c7b0029ba6d6778e828ba254 --- sys/dev/ic/qwx.c +++ sys/dev/ic/qwx.c @@ -15696,6 +15696,7 @@ void qwx_dp_tx_free_txbuf(struct qwx_softc *sc, int msdu_id, struct dp_tx_ring *tx_ring) { + struct ieee80211com *ic = &sc->sc_ic; struct qwx_tx_data *tx_data; if (msdu_id >= sc->hw_params.tx_ring_size) @@ -15707,6 +15708,9 @@ qwx_dp_tx_free_txbuf(struct qwx_softc *sc, int msdu_id m_freem(tx_data->m); tx_data->m = NULL; + ieee80211_release_node(ic, tx_data->ni); + tx_data->ni = NULL; + if (tx_ring->queued > 0) tx_ring->queued--; }
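
Review bot: In the second hunk, ieee80211_release_node(ic, tx_data->ni) is called unconditionally, and nothing in the visible context checks tx_data->ni for NULL before the call. The message says most references for transmitted packets are released via a different code path, so it matters what that path leaves behind in tx_data->ni: if it clears the pointer, this function would pass a NULL node to the release call, and if it does not clear it, the same reference would be dropped twice here. Suggest wrapping the two added lines in if (tx_data->ni != NULL) and confirming that the other release path also sets tx_data->ni = NULL, so that each reference is released exactly once.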