It is most likely just insufficient locking. active_txq_lock is per AC, can't protect local->aql_total_pending_airtime against racing conditions On Fri, Nov 8, 2019 at 3:17 AM Johannes Berg wrote: > On Fri, 2019-11-08 at 12:10 +0100, Toke Høiland-Jørgensen wrote: > > > Right, bugger. I was thinking maybe there's a case where skbs can be > > cloned (and retain the tx_time_est field) and then released twice? > > They could be cloned, but I don't see how that'd be while *inside* the > stack and then they get reported twice - unless the driver did something > like that? > > I mean, TCP surely does that for example, but it's before we even get to > mac80211. > > > Or > > maybe somewhere that steps on the skb->cb field in some other way? > > Couldn't find anything obvious on a first perusal of the TX path code, > > but maybe you could think of something? > > No, sorry. But I also didn't actually look at the driver at all. > > > Otherwise I guess we'll be forced to go and do some actual, > > old-fashioned debugging ;) > > :) > > johannes > >