wimax/i2400m: error paths that need to free an skb should use kfree_skb()
authorInaky Perez-Gonzalez <inaky@linux.intel.com>
Mon, 19 Jan 2009 13:19:30 +0000 (13:19 +0000)
committerDavid S. Miller <davem@davemloft.net>
Tue, 20 Jan 2009 01:58:08 +0000 (17:58 -0800)
Roel Kluin reported a bug in two error paths where skbs were wrongly
being freed using kfree(). He provided a fix where it was replaced to
kfree_skb(), as it should be.

However, in i2400mu_rx(), the error path was missing returning an
indication of the failure. Changed to reset rx_skb to NULL and return
it to the caller, i2400mu_rxd(). It will be treated as a transient
error and just ignore the packet.

Depending on the buffering conditions inside the device, the data
packet might be dropped or the device will signal the host again for
data-ready-to-read and the host will retry.

Signed-off-by: Inaky Perez-Gonzalez <inaky@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/wimax/i2400m/control.c
drivers/net/wimax/i2400m/usb-rx.c

index d3d37fed689382db0f61d1eb045e5ea0ae5c87a8..15d9f51b292c8e5ac1787c8ef5d94174b19b8434 100644 (file)
@@ -609,7 +609,7 @@ void i2400m_msg_to_dev_cancel_wait(struct i2400m *i2400m, int code)
        spin_lock_irqsave(&i2400m->rx_lock, flags);
        ack_skb = i2400m->ack_skb;
        if (ack_skb && !IS_ERR(ack_skb))
-               kfree(ack_skb);
+               kfree_skb(ack_skb);
        i2400m->ack_skb = ERR_PTR(code);
        spin_unlock_irqrestore(&i2400m->rx_lock, flags);
 }
index 074cc1f898532dbf08541c04bcf646d241d7790a..a314799967cf12a313c210017bedfdad708442a5 100644 (file)
@@ -184,6 +184,8 @@ void i2400mu_rx_size_maybe_shrink(struct i2400mu *i2400mu)
  *   NOTE: this function might realloc the skb (if it is too small),
  *   so always update with the one returned.
  *   ERR_PTR() is < 0 on error.
+ *   Will return NULL if it cannot reallocate -- this can be
+ *   considered a transient retryable error.
  */
 static
 struct sk_buff *i2400mu_rx(struct i2400mu *i2400mu, struct sk_buff *rx_skb)
@@ -243,8 +245,8 @@ retry:
                        if (printk_ratelimit())
                                dev_err(dev, "RX: Can't reallocate skb to %d; "
                                        "RX dropped\n", rx_size);
-                       kfree(rx_skb);
-                       result = 0;
+                       kfree_skb(rx_skb);
+                       rx_skb = NULL;
                        goto out;       /* drop it...*/
                }
                kfree_skb(rx_skb);
@@ -344,7 +346,8 @@ int i2400mu_rxd(void *_i2400mu)
                if (IS_ERR(rx_skb))
                        goto out;
                atomic_dec(&i2400mu->rx_pending_count);
-               if (rx_skb->len == 0) { /* some ignorable condition */
+               if (rx_skb == NULL || rx_skb->len == 0) {
+                       /* some "ignorable" condition */
                        kfree_skb(rx_skb);
                        continue;
                }