Commit cad4603
net: qlogic: Fix error paths in ql_alloc_large_buffers()

ql_alloc_large_buffers() has the usual RX buffer allocation
loop where it allocates skbs and maps them for DMA. It also
treats failure as a fatal error.

There are (at least) three bugs in the error paths:

1. ql_free_large_buffers() assumes that the lrg_buf[] entry for the
   first buffer that couldn't be allocated will have .skb == NULL.
   But the qla_buf[] array is not zero-initialised.
2. ql_free_large_buffers() DMA-unmaps all skbs in lrg_buf[]. This is
   incorrect for the last allocated skb, if DMA mapping failed.
3. Commit 1acb8f2 ("net: qlogic: Fix memory leak in
   ql_alloc_large_buffers") added a direct call to dev_kfree_skb_any()
   after the skb is recorded in lrg_buf[], so ql_free_large_buffers()
   will double-free it.

The bugs are somewhat inter-twined, so fix them all at once:

* Clear each entry in qla_buf[] before attempting to allocate
  an skb for it. This goes half-way to fixing bug 1.
* Set the .skb field only after the skb is DMA-mapped. This
  fixes the rest.

Fixes: 1357bfc ("qla3xxx: Dynamically size the rx buffer queue ...")
Fixes: 0f8ab89 ("qla3xxx: Check return code from pci_map_single() ...")
Fixes: 1acb8f2 ("net: qlogic: Fix memory leak in ql_alloc_large_buffers")
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 parent 951c6db commit cad4603

1 file changed, +4 -4 lines changed

| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
2756 | 2756 | | |
2757 | 2757 | | |
2758 | 2758 | | |
| 2759 | + | |
| 2760 | + | |
| 2761 | + | |
2759 | 2762 | | |
2760 | 2763 | | |
2761 | 2764 | | |
| |||
2766 | 2769 | | |
2767 | 2770 | | |
2768 | 2771 | | |
2769 | | - | |
2770 | | - | |
2771 | | - | |
2772 | 2772 | | |
2773 | | - | |
2774 | 2773 | | |
2775 | 2774 | | |
2776 | 2775 | | |
| |||
2792 | 2791 | | |
2793 | 2792 | | |
2794 | 2793 | | |
| 2794 | + | |
2795 | 2795 | | |
2796 | 2796 | | |
2797 | 2797 | | |
| |||
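The ordering the commit message describes (clear the entry, allocate, map, and only then record the skb), as an added user-space model that is not the driver's code or part of this commit. The names `buf_cb`, `alloc_buffers`, `free_buffers`, `run_case` and the two counters are hypothetical; `malloc` stands in for skb allocation, DMA mapping is simulated by a counter, and the cleanup loop stopping at the first NULL `.skb` follows item 1 of the message.

```c
#include <stdlib.h>
#include <string.h>
#define NBUF 4
struct buf_cb { void *skb; };      /* hypothetical stand-in for one lrg_buf[] entry */
static int live_skbs, live_maps;   /* recorded skbs / simulated DMA mappings still held */

/* Cleanup as the message describes it: release recorded entries up to the first NULL .skb. */
static void free_buffers(struct buf_cb *q)
{
    for (int i = 0; i < NBUF && q[i].skb; i++) {
        live_maps--;               /* simulated DMA unmap */
        free(q[i].skb);
        live_skbs--;
        q[i].skb = NULL;
    }
}

/* Fixed ordering; fail_alloc / fail_map give the index that fails (-1 = never). */
static int alloc_buffers(struct buf_cb *q, int fail_alloc, int fail_map)
{
    for (int i = 0; i < NBUF; i++) {
        memset(&q[i], 0, sizeof(q[i]));   /* clear first: cleanup stops here on failure */
        void *skb = (i == fail_alloc) ? NULL : malloc(16);
        if (skb && i == fail_map) {       /* mapping failed: the skb was never recorded, */
            free(skb);                    /* so this is its only free and there is no unmap */
            skb = NULL;
        }
        if (!skb) {
            free_buffers(q);
            return -1;
        }
        live_skbs++;
        live_maps++;                      /* simulated DMA map succeeded */
        q[i].skb = skb;                   /* record only after mapping */
    }
    return 0;
}

/* Runs one scenario on a garbage-filled (not zero-initialised) array;
 * returns 1 if every recorded skb and mapping was released exactly once. */
int run_case(int fail_alloc, int fail_map)
{
    struct buf_cb q[NBUF];
    memset(q, 0xAA, sizeof(q));
    live_skbs = live_maps = 0;
    if (alloc_buffers(q, fail_alloc, fail_map) == 0)
        free_buffers(q);
    return live_skbs == 0 && live_maps == 0;
}
int main(void) { return !(run_case(2, -1) && run_case(-1, 2) && run_case(-1, -1)); }
```

Moving the `memset` after the allocation, or the `q[i].skb = skb` assignment before the mapping check, reintroduces the failure modes listed in the message: cleanup walking into uninitialised entries, or unmapping and double-freeing the skb whose mapping failed.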