From a6187ffdfcc854ce4d97f307e12508a4bde8bcf3 Mon Sep 17 00:00:00 2001 From: Loic Poulain Date: Tue, 23 May 2017 11:51:00 +0200 Subject: [PATCH] Bluetooth: btwilink: Fix unexpected skb free The caller (hci_core) still owns the skb in case of error, releasing it inside the send function can lead to use-after-free errors. Reported-by: Dan Carpenter Signed-off-by: Loic Poulain Signed-off-by: Marcel Holtmann --- drivers/bluetooth/btwilink.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/bluetooth/btwilink.c b/drivers/bluetooth/btwilink.c index b6bb58c41df5..85a3978b064f 100644 --- a/drivers/bluetooth/btwilink.c +++ b/drivers/bluetooth/btwilink.c @@ -262,7 +262,6 @@ static int ti_st_send_frame(struct hci_dev *hdev, struct sk_buff *skb) pkt_type = hci_skb_pkt_type(skb); len = hst->st_write(skb); if (len < 0) { - kfree_skb(skb); BT_ERR("ST write failed (%ld)", len); /* Try Again, would only fail if UART has gone bad */ return -EAGAIN; -- 2.20.1