This has been seen for madwifi driver version 0.4.9-49 in Linux 2.6.x.
Madwifi driver seems to free skb prematurely when tcpdump is sniffing on the ath0 interface. This leads to socket buffer mis-accounting in the kernel - ioctl (SIOCOUTQ) always returns 0 and socket never blocks. The troublesome code appears to be:
    /* NOTE: This used to be done only for clones, but we are doing this
     * here as a defensive measure. XXX: Back off of this later. */
    if (!skb_cloned(original_skb)) {
        skb = original_skb;
        original_skb = NULL;
    } else {
        if (NULL == (skb = skb_copy(original_skb, GFP_ATOMIC))) {
            DPRINTF(sc, ATH_DEBUG_XMIT, "Dropping; skb_copy failure.\n");
            ieee80211_dev_kfree_skb(&original_skb);
            return NETDEV_TX_OK;
        }
        ieee80211_skb_copy_noderef(skb, original_skb);
    }
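The symptom in the report is observable from user space: SIOCOUTQ reports how many bytes a socket still has queued in the kernel send path, and on a healthy stack it becomes non-zero once the send buffer fills. The following userspace diagnostic is an added example, not madwifi or kernel code; it builds a loopback TCP connection whose peer never reads, writes non-blocking until EAGAIN, and then queries SIOCOUTQ on the sender. The helper names (outq_bytes, fill_loopback_and_measure) and the 4 KiB buffer size are assumptions of this example. Running the same check over a socket whose traffic leaves via the affected ath0 interface while tcpdump is attached would show the reported misbehaviour as a queue that stays at 0 even though writes are being accepted.

```c
/* Added diagnostic for SIOCOUTQ accounting (example code, not from madwifi).
 * Linux-specific: SIOCOUTQ comes from <linux/sockios.h>. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <linux/sockios.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bytes still queued in the kernel send path for fd (unsent + unacked for
 * TCP), or -1 if the ioctl fails. Hypothetical helper name. */
long outq_bytes(int fd)
{
    int n = 0;
    if (ioctl(fd, SIOCOUTQ, &n) < 0)
        return -1;
    return n;
}

/* Open a listener on 127.0.0.1, connect a client, never read on the accepted
 * side, and write non-blocking until the kernel refuses more data. Returns the
 * SIOCOUTQ value seen on the client afterwards (expected > 0 on a healthy
 * stack), or -1 on any setup error. Hypothetical helper name. */
long fill_loopback_and_measure(void)
{
    long q = -1;
    int ls = -1, cs = -1, ps = -1;
    int sz = 4096;                      /* assumed: small buffers so it fills fast */
    struct sockaddr_in a;
    socklen_t alen = sizeof a;
    char buf[4096];

    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    a.sin_port = 0;                     /* let the kernel pick a free port */

    if ((ls = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        goto out;
    setsockopt(ls, SOL_SOCKET, SO_RCVBUF, &sz, sizeof sz);   /* inherited by accept() */
    if (bind(ls, (struct sockaddr *)&a, sizeof a) < 0 || listen(ls, 1) < 0)
        goto out;
    if (getsockname(ls, (struct sockaddr *)&a, &alen) < 0)
        goto out;

    if ((cs = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        goto out;
    setsockopt(cs, SOL_SOCKET, SO_SNDBUF, &sz, sizeof sz);
    if (connect(cs, (struct sockaddr *)&a, sizeof a) < 0)
        goto out;
    if ((ps = accept(ls, NULL, NULL)) < 0)
        goto out;

    /* Non-blocking writes: stop at EAGAIN, i.e. when the send queue is full. */
    if (fcntl(cs, F_SETFL, O_NONBLOCK) < 0)
        goto out;
    memset(buf, 'x', sizeof buf);
    for (int i = 0; i < 100000; i++) {
        ssize_t w = write(cs, buf, sizeof buf);
        if (w < 0) {
            if (errno == EAGAIN || errno == EWOULDBLOCK)
                break;              /* queue full: the state we want to inspect */
            goto out;               /* unexpected error */
        }
    }
    q = outq_bytes(cs);             /* healthy stack: > 0; misaccounting: 0 */
out:
    if (ps >= 0) close(ps);
    if (cs >= 0) close(cs);
    if (ls >= 0) close(ls);
    return q;
}

int main(void)
{
    long q = fill_loopback_and_measure();
    if (q < 0) {
        perror("setup failed");
        return 1;
    }
    printf("SIOCOUTQ after filling the send queue: %ld bytes%s\n", q,
           q == 0 ? " (suspicious: queue full but 0 reported)" : "");
    return 0;
}
```

The check is deliberately independent of the driver: the accepted peer never reads, so the receiver's window closes, the sender's unsent bytes accumulate, and SIOCOUTQ must reflect them. Where a driver drops or frees skbs before the socket's accounting has been charged, the same loop reports 0 while still accepting writes, which is exactly the "never blocks" behaviour described above.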