Fix a corner case bug in Rx block ack window gap-wait timeout handling.

If ieee80211_input_ba_flush() was called when there was nothing to flush,
the (already pending) gap wait timeout was re-armed.
This is only correct if we flush at least one packet. Otherwise packets
that arrive at a constant rate of about 4-5 packets per second would
extend the gap-wait timeout until the block ack window fills up.
In extreme cases this can result in packets being queued for almost 20s.

Fix this by returning immediately from ieee80211_input_ba_flush() if
the first packet in the reordering buffer is missing.
This prevents the timeout from being re-armed.

Patch by Christian Ehrhardt. Tested by me on iwm(4) 7265.

1 files changed, 5 insertions, 1 deletions

diff --git a/sys/net80211/ieee80211_input.c b/sys/net80211/ieee80211_input.c
index 84576f5f6e9..e6a38d62f51 100644
--- a/sys/net80211/ieee80211_input.c
+++ b/sys/net80211/ieee80211_input.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ieee80211_input.c,v 1.230 2021/03/23 11:58:38 stsp Exp $	*/
+/*	$OpenBSD: ieee80211_input.c,v 1.231 2021/03/23 12:03:44 stsp Exp $	*/
 
 /*-
  * Copyright (c) 2001 Atsushi Onoe
@@ -903,6 +903,10 @@ ieee80211_input_ba_flush(struct ieee80211com *ic, struct ieee80211_node *ni,
 {
 	struct ifnet *ifp = &ic->ic_if;
 
+	/* Do not re-arm the gap timeout if we made no progress. */
+	if (ba->ba_buf[ba->ba_head].m == NULL)
+		return;
+
 	/* pass reordered MPDUs up to the next MAC process */
 	while (ba->ba_buf[ba->ba_head].m != NULL) {
 		ieee80211_inputm(ifp, ba->ba_buf[ba->ba_head].m, ni,