Re: [PATCH] ISDN: fix double free bug in isdn_net

From: Jesper Juhl
Date: Wed Aug 16 2006 - 16:20:30 EST

On 15/08/06, Karsten Keil <kkeil@xxxxxxx> wrote:
On Tue, Aug 15, 2006 at 02:15:03AM -0700, David Miller wrote:
> From: "Jesper Juhl" <jesper.juhl@xxxxxxxxx>
> Date: Tue, 15 Aug 2006 11:08:35 +0200
> > Hmm, perhaps I made a mistake and missed a path. Maybe it would be
> > better to fix if by making isdn_writebuf_skb_stub() always set the skb
> > to NULL when it does free it. That would add a few more assignments
> > but should ensure the right result always.
> > What do you say?
> Do we know if the ->writebuf_skb() method ever frees the skb? If it
> never does, then yes your suggestion would be one way to handle this.

It does if it consumes the skb (then it returns skb->len).
But the skb have not to be freed imediately in this case, it maybe
queued or used until all bytes are written to the physical device.

If it returns any other value the skb is not freed.

This logic came from using skb for transparent data too.
Here it was possible, that the hw driver only take some bytes from the
skb (so it returns < skb->len), then the isdn layer should requeue
the skb so no transparent data get lost.

But this mechanism was never used in drivers, only 3 states:

The driver accept the packet then it is responsible for the skb
and return skb->len or the driver do not accept it (e.g. buffer full,
conntection is going down), then it return 0 and does not free the

If some internal error in the HW driver occur, it should return a
negative value and it also do not free the skb.

Ok, if I understand you correctly, then there's no actual problem here.

Jesper Juhl <jesper.juhl@xxxxxxxxx>
Don't top-post
Plain text mails only, please
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at