caif: Bugfix double kfree_skb upon xmit failure
authorDmitry Tarnyagin <dmitry.tarnyagin@stericsson.com>
Thu, 2 Feb 2012 01:21:03 +0000 (01:21 +0000)
committerDavid S. Miller <davem@davemloft.net>
Thu, 2 Feb 2012 19:35:12 +0000 (14:35 -0500)
The SKB is freed twice upon a send error. The network stack consumes the SKB
even when it returns an error code.

Signed-off-by: Sjur Brændeland <sjur.brandeland@stericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/caif/caif_socket.c

index a986280864523d431e8f30f96af1a346abe2b784..a97d97a3a512706a2e37ecf873407f9b87482409 100644 (file)
@@ -539,8 +539,10 @@ static int transmit_skb(struct sk_buff *skb, struct caifsock *cf_sk,
        pkt = cfpkt_fromnative(CAIF_DIR_OUT, skb);
        memset(skb->cb, 0, sizeof(struct caif_payload_info));
 
-       if (cf_sk->layer.dn == NULL)
+       if (cf_sk->layer.dn == NULL) {
+               kfree_skb(skb);
                return -EINVAL;
+       }
 
        return cf_sk->layer.dn->transmit(cf_sk->layer.dn, pkt);
 }
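Review bot: transmit_skb() now consumes skb on the `cf_sk->layer.dn == NULL` path as well, but nothing at the function states that ownership rule, and the double free fixed here came from a caller assuming the opposite. I would add a comment above the function, for example `/* Consumes skb on success and on every error return; callers must not use or free it afterwards. */`. The rule also depends on the `dn->transmit()` callback freeing the packet whenever it returns an error, which is not visible in this hunk and should be confirmed for each lower layer, because a layer that does not would now leak the buffer. The caif_stream_sendmsg hunk relies on the same rule, and any other caller of transmit_skb() outside the shown hunks should be checked for a leftover `kfree_skb(skb)` after a failed call. The function's signature and first lines lie outside this hunk.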
@@ -683,10 +685,10 @@ static int caif_stream_sendmsg(struct kiocb *kiocb, struct socket *sock,
                }
                err = transmit_skb(skb, cf_sk,
                                msg->msg_flags&MSG_DONTWAIT, timeo);
-               if (err < 0) {
-                       kfree_skb(skb);
+               if (err < 0)
+                       /* skb is already freed */
                        goto pipe_err;
-               }
+
                sent += size;
        }