> Date: Sat, 12 Dec 2015 15:32:58 +0100
> From: Stefan Sperling <s...@stsp.name>
>
> On Sat, Dec 12, 2015 at 03:08:00PM +0100, Mark Kettenis wrote:
> > > @@ -1072,6 +1079,10 @@ ieee80211_amsdu_decap(struct ieee80211co
> > > }
> > > ieee80211_deliver_data(ic, m, ni);
> > >
> > > + if (n->m_len == 0) {
> > > + m_freem(n);
> > > + break;
> > > + }
> >
> > Can this really happen? I would expect that m_split() would have
> > returned NULL if we'd tried to split the packet in a way that there is
> > nothing left. Not sure if that can happen though, but wouldn't it be a
> > bug if it did?
>
> It's definitely happening during my testing.
> An empty mbuf is the result of a successful split with an empty remainder
> (note the second to last line):
>
> ieee80211_amsdu_decap: A-MSDU mbuf 0xffffff0009378900 m_len=3072
> m_pkthdr.len=3072 hdrlen=26
> ieee80211_amsdu_decap: 0 mbuf 0xffffff0009378900 m_len=3046 m_pkthdr.len=3046
> ieee80211_amsdu_decap: subframe DA=34:13:e8:29:7f:61 SA=34:13:e8:29:7f:61
> len=1508
> ieee80211_amsdu_decap: m_split returned 0xffffff00cbb43900 m_len=1524
> m_pkthdr.len=1524
> ieee80211_amsdu_decap: delivering mbuf 0xffffff0009378900 m_len=1514
> m_pkthdr.len=1514
> ieee80211_amsdu_decap: mbuf 0xffffff00cbb43900 pad=2
> ieee80211_amsdu_decap: 1 mbuf 0xffffff00cbb43900 m_len=1522 m_pkthdr.len=1522
> ieee80211_amsdu_decap: subframe DA=34:13:e8:29:7f:61 SA=34:13:e8:29:7f:61
> len=1508
> ieee80211_amsdu_decap: m_split returned 0xffffff00cbb43a00 m_len=0
> m_pkthdr.len=0
> ieee80211_amsdu_decap: delivering mbuf 0xffffff00cbb43900 m_len=1514
> m_pkthdr.len=1514
>
> This should be the if (remain == 0) code path in m_split.
> I could add more printfs in there to show what happens.
> I believe a NULL return would indicate an error.
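Review bot: the added `if (n->m_len == 0)` looks at the first mbuf of the remainder only, while "nothing left" is a property of the whole remainder that m_split() hands back; the debug output above prints both m_len and m_pkthdr.len for that mbuf, so `if (n->m_pkthdr.len == 0)` would express the condition on the packet rather than on its first mbuf. Since the question "can this really happen?" was raised in review, a one-line comment above the check saying that a successful m_split() with an empty remainder returns an empty header mbuf rather than NULL (NULL being the error case) would spare the next reader the same detour.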
Actually, you're probably going through the if (m0->m_flags & M_PKTHDR) code path in m_split(), which will indeed create an empty mbuf. Guess there is some room for optimization there, but it is fine not to worry about this at this stage.
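The empty-remainder case in the debug output above, as an added user-space model; this is not the kernel's m_split() or ieee80211_amsdu_decap(), it keeps only the two length fields of a single mbuf, and the mbuf struct, m_split_model() and amsdu_decap_model() names are this example's own. The A-MSDU payload length (3046) and the MSDU lengths (1508, 1508) are taken from Stefan's output.

```c
/* User-space model of a header mbuf: lengths only, no payload bytes. */
struct mbuf {
	int m_len;
	int m_pkthdr_len;
};

/* Constructed input: the two MSDU lengths from the debug output above. */
static const int amsdu_from_log[2] = { 1508, 1508 };

/* Models the M_PKTHDR path of m_split(): cut m0 after len0 bytes, leaving the
 * remainder in *n. A cut on the last byte yields a remainder with m_len == 0;
 * that is a successful split, not an error. Failure (-1, standing in for a
 * NULL return) only happens when len0 runs past the end of the data. */
static int m_split_model(struct mbuf *m0, int len0, struct mbuf *n)
{
	if (len0 > m0->m_len)
		return -1;
	n->m_len = n->m_pkthdr_len = m0->m_len - len0;
	m0->m_len = m0->m_pkthdr_len = len0;
	return 0;
}

/* Walk an A-MSDU payload of payload_len bytes carrying nsub subframes with MSDU
 * lengths sub_len[] (14-byte subframe header, padded to 4 bytes except at the
 * end of the frame). Returns the number of subframes delivered and sets
 * *empty_tail when the final split handed back an empty remainder. */
static int amsdu_decap_model(int payload_len, const int *sub_len, int nsub,
    int *empty_tail)
{
	struct mbuf bufs[2], *m = &bufs[0], *n = &bufs[1], *t;
	int i, total, pad, delivered = 0;
	m->m_len = m->m_pkthdr_len = payload_len;
	*empty_tail = 0;
	for (i = 0; i < nsub; i++) {
		total = 14 + sub_len[i];
		pad = (4 - total % 4) % 4;
		if (total > m->m_pkthdr_len)
			break;			/* truncated subframe: stop */
		if (total + pad > m->m_pkthdr_len)
			pad = 0;		/* last subframe carries no padding */
		if (m_split_model(m, total + pad, n) == -1)
			break;			/* the NULL-return case */
		delivered++;			/* ieee80211_deliver_data(m) */
		if (n->m_len == 0) {		/* the check the patch adds */
			*empty_tail = 1;
			break;
		}
		t = m; m = n; n = t;		/* continue with the remainder */
	}
	return delivered;
}
```

With the lengths from the output, amsdu_decap_model(3046, amsdu_from_log, 2, &empty) delivers two subframes and sets empty, matching the m_len=0 remainder in the log; a payload a few bytes longer (3050) delivers the same two subframes and leaves a non-empty tail instead.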