The code hands off the reponsibility of ctl and ctl->buf to bs_txctl
which will free both buffers if there is an error enqueueing the
command. Only if bs_txctl succeeds in enqueueing and there is a
response timeout we can free it. Thus, not ok. If this pattern
is not understandable then we can work on that, but the diff as is
will add double frees on error.
On Tue, Sep 18, 2018 at 03:52:45PM +1000, Jonathan Gray wrote:
> Index: bwfm.c
> ===================================================================
> RCS file: /cvs/src/sys/dev/ic/bwfm.c,v
> retrieving revision 1.54
> diff -u -p -r1.54 bwfm.c
> --- bwfm.c 25 Jul 2018 20:37:11 -0000 1.54
> +++ bwfm.c 18 Sep 2018 05:21:30 -0000
> @@ -1297,6 +1297,7 @@ bwfm_proto_bcdc_query_dcmd(struct bwfm_s
>
> if (bwfm_proto_bcdc_txctl(sc, reqid, (char *)dcmd, &size)) {
> DPRINTF(("%s: tx failed\n", DEVNAME(sc)));
> + free(dcmd, M_TEMP, size);
> return ret;
> }
>
> @@ -1337,6 +1338,7 @@ bwfm_proto_bcdc_set_dcmd(struct bwfm_sof
>
> if (bwfm_proto_bcdc_txctl(sc, reqid, (char *)dcmd, &size)) {
> DPRINTF(("%s: txctl failed\n", DEVNAME(sc)));
> + free(dcmd, M_TEMP, size);
> return ret;
> }
>
> @@ -1361,6 +1363,7 @@ bwfm_proto_bcdc_txctl(struct bwfm_softc
>
> if (sc->sc_bus_ops->bs_txctl(sc, ctl)) {
> DPRINTF(("%s: tx failed\n", DEVNAME(sc)));
> + free(ctl, M_TEMP, sizeof(*ctl));
> return 1;
> }
>
>
