Bluetooth: btwilink: Fix unexpected skb free
author Loic Poulain <loic.poulain@intel.com>
Tue, 23 May 2017 09:51:00 +0000 (11:51 +0200)
committer Marcel Holtmann <marcel@holtmann.org>
Tue, 23 May 2017 14:19:38 +0000 (16:19 +0200)
The caller (hci_core) still owns the skb in case of error, releasing
it inside the send function can lead to use-after-free errors.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Loic Poulain <loic.poulain@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
drivers/bluetooth/btwilink.c

index b6bb58c41df5b7c553e6bfd05d7c8ce3adece509..85a3978b064fb832d9afeb49b08c111d11d01b06 100644 (file)
@@ -262,7 +262,6 @@ static int ti_st_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
        pkt_type = hci_skb_pkt_type(skb);
        len = hst->st_write(skb);
        if (len < 0) {
-               kfree_skb(skb);
                BT_ERR("ST write failed (%ld)", len);
                /* Try Again, would only fail if UART has gone bad */
                return -EAGAIN;
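Review bot: The `len < 0` branch now returns -EAGAIN with the skb untouched, but nothing in the function records that this is deliberate, so a later cleanup could easily put the `kfree_skb(skb)` back. A short comment in that branch, for example "skb is still owned by the caller on error, do not free it here", would document the ownership rule the commit message describes. It is also worth confirming that `hst->st_write(skb)` does not itself release the skb when it returns a negative value, since the caller will free it after this return and the hunk does not show what st_write does on failure.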