Index: madwifi-trunk-r3280/net80211/ieee80211_input.c
===================================================================
--- madwifi-trunk-r3280.orig/net80211/ieee80211_input.c 2008-01-28 17:36:55.186089457 +0100
+++ madwifi-trunk-r3280/net80211/ieee80211_input.c 2008-01-28 17:38:42.816222949 +0100
@@ -740,8 +740,10 @@
 skb1 = skb_copy(skb, GFP_ATOMIC);
 /* Increment reference count after copy */
- if (skb1 != NULL)
- ieee80211_skb_copy_noderef(skb, skb1);
+ if (skb1 == NULL)
+ goto err;
+
+ ieee80211_skb_copy_noderef(skb, skb1);
 /* we now have 802.3 MAC hdr followed by 802.2 LLC/SNAP; convert to EthernetII.
 * Note that the frame is at least IEEE80211_MIN_LEN, due to the driver code. */
@@ -1056,9 +1058,11 @@
 * assemble fragments */
 ni->ni_rxfrag = skb_copy(skb, GFP_ATOMIC);
- /* We duplicate the reference after skb_copy */
- ieee80211_skb_copy_noderef(skb, ni->ni_rxfrag);
- ieee80211_dev_kfree_skb(&skb);
+ if (ni->ni_rxfrag) {
+ /* We duplicate the reference after skb_copy */
+ ieee80211_skb_copy_noderef(skb, ni->ni_rxfrag);
+ ieee80211_dev_kfree_skb(&skb);
+ }
 }
 /*
 * Check that we have enough space to hold
@@ -1072,7 +1076,7 @@
 (skb_end_pointer(skb) - skb->head), GFP_ATOMIC);
 /* We duplicate the reference after skb_copy */
- if (skb != ni->ni_rxfrag)
+ if ((skb != ni->ni_rxfrag) && ni->ni_rxfrag)
 ieee80211_skb_copy_noderef(skb, ni->ni_rxfrag);
 ieee80211_dev_kfree_skb(&skb);
 }
@@ -1135,7 +1139,8 @@
 if (ETHER_IS_MULTICAST(eh->ether_dhost)) {
 /* Create a SKB for the BSS to send out. */
 skb1 = skb_copy(skb, GFP_ATOMIC);
- SKB_CB(skb1)->ni = ieee80211_ref_node(vap->iv_bss);
+ if (skb1)
+ SKB_CB(skb1)->ni = ieee80211_ref_node(vap->iv_bss);
 } else {
 /*
@@ -1278,6 +1283,9 @@
 /* XXX: does this always work? */
 tskb = skb_copy(skb, GFP_ATOMIC);
+ if (!tskb)
+ return skb;
+ /* We duplicate the reference after skb_copy */
 ieee80211_skb_copy_noderef(skb, tskb);
 ieee80211_dev_kfree_skb(&skb);
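Review bot: In the hunk at -740 the comment `/* Increment reference count after copy */` now sits directly above the new NULL test instead of above `ieee80211_skb_copy_noderef(skb, skb1);`, so it describes the wrong statement. Move it below the blank line, next to the call, and give the new branch its own comment, for example `/* skb_copy() failed under GFP_ATOMIC; bail out via err */`. The `err` label is outside the hunk, so whether that path releases the original `skb` and accounts for the dropped frame cannot be confirmed from here.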
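Review bot: The two allocation-failure paths in the fragment code disagree about who owns `skb`. In the hunk at -1056 a failed `skb_copy()` now leaves `skb` un-freed with `ni->ni_rxfrag` NULL, while in the hunk at -1072 the failure case still reaches the unconditional `ieee80211_dev_kfree_skb(&skb);`. The code after both sites is outside the hunks, so which behaviour is intended is not visible; if the frame is meant to be dropped when the copy fails, keep the free outside the new `if` at the first site, as it was before this change, otherwise the original buffer may leak or be used where the copy was expected. At the second site the NULL test reads better first: `if (ni->ni_rxfrag && skb != ni->ni_rxfrag)`. This appears to be receive-path code, so both outcomes are reachable whenever an atomic allocation fails under load.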
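Review bot: In the hunk at -1135 the new `if (skb1)` protects only the `SKB_CB(skb1)->ni` assignment, so `skb1` can still leave this branch as NULL. Every later use of `skb1` is outside the hunk and has to tolerate that, and the failure is silent. A comment at the guard would make the contract explicit, for example `/* skb1 stays NULL if skb_copy() failed; users below must check */`.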
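Review bot: In the hunk at -1278 a failed `skb_copy()` now ends in `return skb;`, which hands the original buffer back, so the caller cannot tell that the copy did not happen. Whatever property the copy was meant to establish is then not guaranteed for the returned frame; the reason for the copy is outside the hunk, and the existing `/* XXX: does this always work? */` suggests it was already in doubt. Either document why the fallback is safe, e.g. `/* copy failed: return the original skb unchanged; callers must accept it as-is */`, or drop the frame on this path if callers handle a NULL return. The function's start and the rest of its body are outside the hunk.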