Merged from madwifi trunk r3551, r3552

--- a/ath/if_ath.c
+++ b/ath/if_ath.c
@@ -8253,6 +8253,17 @@ ath_tx_processq(struct ath_softc *sc, st
 			goto bf_fail;
 		}
 
+		/* We make sure we don't remove the TX descriptor on
+		 * which the HW is pointing since it contains the
+		 * ds_link field, except if this is the last TX
+		 * descriptor in the queue */
+
+		if ((txq->axq_depth > 1) &&
+		    (bf->bf_daddr == ath_hal_gettxbuf(ah, txq->axq_qnum))) {
+			ATH_TXQ_UNLOCK_IRQ_EARLY(txq);
+			goto bf_fail;
+		}
+
 		ATH_TXQ_REMOVE_HEAD(txq, bf_list);
 		ATH_TXQ_UNLOCK_IRQ(txq);
 
--- a/ath/if_athvar.h
+++ b/ath/if_athvar.h
@@ -586,7 +586,8 @@ struct ath_vap {
 } while (0)
 #define ATH_TXQ_REMOVE_HEAD(_tq, _field) do { \
 	STAILQ_REMOVE_HEAD(&(_tq)->axq_q, _field); \
-	(_tq)->axq_depth--; \
+	if (--(_tq)->axq_depth <= 0) \
+		(_tq)->axq_link = NULL; \
 } while (0)
 /* move buffers from MCASTQ to CABQ */
 #define ATH_TXQ_MOVE_MCASTQ(_tqs,_tqd) do { \