Fix a bug in iwx(4) Tx done interrupt processing.

Clear the byte-count for the correct frame while taking frames off the ring.
This should fix some 'fatal firmware errors' seen under load, and prevent
memory corruption: The device could access an mbuf we have freed, but which
is still marked as used in the byte count table and which still has a DMA
address in its Tx descriptor. Problem observed by mlarkin with NFS while
testing my patch for Tx aggregation support.

diff --git a/sys/dev/pci/if_iwx.c b/sys/dev/pci/if_iwx.c
index 807cb3e..a71b7d0 100644 (file)
--- a/sys/dev/pci/if_iwx.c
+++ b/sys/dev/pci/if_iwx.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: if_iwx.c,v 1.107 2021/09/10 16:38:35 stsp Exp $       */
+/*     $OpenBSD: if_iwx.c,v 1.108 2021/09/11 17:28:04 stsp Exp $       */
 
 /*
  * Copyright (c) 2014, 2016 genua gmbh <info@genua.de>
@@ -4442,7 +4442,7 @@ iwx_rx_tx_cmd(struct iwx_softc *sc, struct iwx_rx_packet *pkt,
                txd = &ring->data[ring->tail];
                if (txd->m != NULL) {
                        iwx_txd_done(sc, txd);
-                       iwx_tx_update_byte_tbl(ring, idx, 0, 0);
+                       iwx_tx_update_byte_tbl(ring, ring->tail, 0, 0);
                        ring->queued--;
                }
                ring->tail = (ring->tail + 1) % IWX_TX_RING_COUNT;