From: Loic Poulain Date: Tue, 23 May 2017 09:51:00 +0000 (+0200) Subject: Bluetooth: btwilink: Fix unexpected skb free X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=a6187ffdfcc854ce4d97f307e12508a4bde8bcf3;p=GitHub%2Fmoto-9609%2Fandroid_kernel_motorola_exynos9610.git Bluetooth: btwilink: Fix unexpected skb free The caller (hci_core) still owns the skb in case of error, releasing it inside the send function can lead to use-after-free errors. Reported-by: Dan Carpenter Signed-off-by: Loic Poulain Signed-off-by: Marcel Holtmann --- diff --git a/drivers/bluetooth/btwilink.c b/drivers/bluetooth/btwilink.c index b6bb58c41df5..85a3978b064f 100644 --- a/drivers/bluetooth/btwilink.c +++ b/drivers/bluetooth/btwilink.c @@ -262,7 +262,6 @@ static int ti_st_send_frame(struct hci_dev *hdev, struct sk_buff *skb) pkt_type = hci_skb_pkt_type(skb); len = hst->st_write(skb); if (len < 0) { - kfree_skb(skb); BT_ERR("ST write failed (%ld)", len); /* Try Again, would only fail if UART has gone bad */ return -EAGAIN;