xen/netback: don't leak pages on failure in xen_netbk_tx_check_gop.

	atomic_dec(&netbk->netfront_count);

	atomic_dec(&netbk->netfront_count);

}

}

static void xen_netbk_idx_release(struct xen_netbk *netbk, u16 pending_idx);

static void xen_netbk_idx_release(struct xen_netbk *netbk, u16 pending_idx,

				  u8 status);

static void make_tx_response(struct xenvif *vif,

static void make_tx_response(struct xenvif *vif,

			     struct xen_netif_tx_request *txp,

			     struct xen_netif_tx_request *txp,

			     s8       st);

			     s8       st);

{

{

	struct gnttab_copy *gop = *gopp;

	struct gnttab_copy *gop = *gopp;

	u16 pending_idx = *((u16 *)skb->data);

	u16 pending_idx = *((u16 *)skb->data);

	struct pending_tx_info *pending_tx_info = netbk->pending_tx_info;

	struct xenvif *vif = pending_tx_info[pending_idx].vif;

	struct xen_netif_tx_request *txp;

	struct skb_shared_info *shinfo = skb_shinfo(skb);

	struct skb_shared_info *shinfo = skb_shinfo(skb);

	int nr_frags = shinfo->nr_frags;

	int nr_frags = shinfo->nr_frags;

	int i, err, start;

	int i, err, start;

	/* Check status of header. */

	/* Check status of header. */

	err = gop->status;

	err = gop->status;

	if (unlikely(err)) {

	if (unlikely(err))

		pending_ring_idx_t index;

		xen_netbk_idx_release(netbk, pending_idx, XEN_NETIF_RSP_ERROR);

		index = pending_index(netbk->pending_prod++);

		txp = &pending_tx_info[pending_idx].req;

		make_tx_response(vif, txp, XEN_NETIF_RSP_ERROR);

		netbk->pending_ring[index] = pending_idx;

		xenvif_put(vif);

	}

	/* Skip first skb fragment if it is on same page as header fragment. */

	/* Skip first skb fragment if it is on same page as header fragment. */

	start = (frag_get_pending_idx(&shinfo->frags[0]) == pending_idx);

	start = (frag_get_pending_idx(&shinfo->frags[0]) == pending_idx);

	for (i = start; i < nr_frags; i++) {

	for (i = start; i < nr_frags; i++) {

		int j, newerr;

		int j, newerr;

		pending_ring_idx_t index;

		pending_idx = frag_get_pending_idx(&shinfo->frags[i]);

		pending_idx = frag_get_pending_idx(&shinfo->frags[i]);

		if (likely(!newerr)) {

		if (likely(!newerr)) {

			/* Had a previous error? Invalidate this fragment. */

			/* Had a previous error? Invalidate this fragment. */

			if (unlikely(err))

			if (unlikely(err))

				xen_netbk_idx_release(netbk, pending_idx);

				xen_netbk_idx_release(netbk, pending_idx, XEN_NETIF_RSP_OKAY);

			continue;

			continue;

		}

		}

		/* Error on this fragment: respond to client with an error. */

		/* Error on this fragment: respond to client with an error. */

		txp = &netbk->pending_tx_info[pending_idx].req;

		xen_netbk_idx_release(netbk, pending_idx, XEN_NETIF_RSP_ERROR);

		make_tx_response(vif, txp, XEN_NETIF_RSP_ERROR);

		index = pending_index(netbk->pending_prod++);

		netbk->pending_ring[index] = pending_idx;

		xenvif_put(vif);

		/* Not the first error? Preceding frags already invalidated. */

		/* Not the first error? Preceding frags already invalidated. */

		if (err)

		if (err)

		/* First error: invalidate header and preceding fragments. */

		/* First error: invalidate header and preceding fragments. */

		pending_idx = *((u16 *)skb->data);

		pending_idx = *((u16 *)skb->data);

		xen_netbk_idx_release(netbk, pending_idx);

		xen_netbk_idx_release(netbk, pending_idx, XEN_NETIF_RSP_OKAY);

		for (j = start; j < i; j++) {

		for (j = start; j < i; j++) {

			pending_idx = frag_get_pending_idx(&shinfo->frags[j]);

			pending_idx = frag_get_pending_idx(&shinfo->frags[j]);

			xen_netbk_idx_release(netbk, pending_idx);

			xen_netbk_idx_release(netbk, pending_idx, XEN_NETIF_RSP_OKAY);

		}

		}

		/* Remember the error: invalidate all subsequent fragments. */

		/* Remember the error: invalidate all subsequent fragments. */

		/* Take an extra reference to offset xen_netbk_idx_release */

		/* Take an extra reference to offset xen_netbk_idx_release */

		get_page(netbk->mmap_pages[pending_idx]);

		get_page(netbk->mmap_pages[pending_idx]);

		xen_netbk_idx_release(netbk, pending_idx);

		xen_netbk_idx_release(netbk, pending_idx, XEN_NETIF_RSP_OKAY);

	}

	}

}

}

			txp->size -= data_len;

			txp->size -= data_len;

		} else {

		} else {

			/* Schedule a response immediately. */

			/* Schedule a response immediately. */

			xen_netbk_idx_release(netbk, pending_idx);

			xen_netbk_idx_release(netbk, pending_idx, XEN_NETIF_RSP_OKAY);

		}

		}

		if (txp->flags & XEN_NETTXF_csum_blank)

		if (txp->flags & XEN_NETTXF_csum_blank)

	xen_netbk_tx_submit(netbk);

	xen_netbk_tx_submit(netbk);

}

}

static void xen_netbk_idx_release(struct xen_netbk *netbk, u16 pending_idx)

static void xen_netbk_idx_release(struct xen_netbk *netbk, u16 pending_idx,

				  u8 status)

{

{

	struct xenvif *vif;

	struct xenvif *vif;

	struct pending_tx_info *pending_tx_info;

	struct pending_tx_info *pending_tx_info;

	vif = pending_tx_info->vif;

	vif = pending_tx_info->vif;

	make_tx_response(vif, &pending_tx_info->req, XEN_NETIF_RSP_OKAY);

	make_tx_response(vif, &pending_tx_info->req, status);

	index = pending_index(netbk->pending_prod++);

	index = pending_index(netbk->pending_prod++);

	netbk->pending_ring[index] = pending_idx;

	netbk->pending_ring[index] = pending_idx;