Commit ba7605745d5c99f0e71b3ec6c7cb5ed6afe540ad

Authored by Dmitry Tarnyagin
Committed by David S. Miller
1 parent b01377a420

caif: Bugfix double kfree_skb upon xmit failure

The SKB is freed twice upon send error. The network stack consumes the SKB
even when it returns an error code.

Signed-off-by: Sjur Brændeland <sjur.brandeland@stericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Showing 1 changed file with 6 additions and 4 deletions

net/caif/caif_socket.c
... ... @@ -539,8 +539,10 @@
539 539 pkt = cfpkt_fromnative(CAIF_DIR_OUT, skb);
540 540 memset(skb->cb, 0, sizeof(struct caif_payload_info));
541 541  
542   - if (cf_sk->layer.dn == NULL)
  542 + if (cf_sk->layer.dn == NULL) {
  543 + kfree_skb(skb);
543 544 return -EINVAL;
  545 + }
544 546  
545 547 return cf_sk->layer.dn->transmit(cf_sk->layer.dn, pkt);
546 548 }
547 549  
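Review bot: The kfree_skb(skb) added in the `cf_sk->layer.dn == NULL` branch makes transmit_skb() consume the skb on every return path, but nothing in the function states that ownership rule. Add a comment above transmit_skb() saying the skb is always consumed, including on error, because the caller changed in the next hunk now relies on it. The rule also depends on `cf_sk->layer.dn->transmit()` releasing the packet when it fails, which these lines do not show, so that should be confirmed for the layers below. Separately, the NULL check does not use pkt, so it could sit before cfpkt_fromnative() and the memset to avoid wrapping an skb that is about to be dropped.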
... ... @@ -683,10 +685,10 @@
683 685 }
684 686 err = transmit_skb(skb, cf_sk,
685 687 msg->msg_flags&MSG_DONTWAIT, timeo);
686   - if (err < 0) {
687   - kfree_skb(skb);
  688 + if (err < 0)
  689 + /* skb is already freed */
688 690 goto pipe_err;
689   - }
  691 +
690 692 sent += size;
691 693 }
692 694
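Review bot: In the `if (err < 0)` branch after transmit_skb(), the comment `/* skb is already freed */` sits between an unbraced if and its `goto pipe_err;`, which is easy to misread and easy to break if a statement is later added there; move the comment above the if or keep the braces. On this path skb still holds the address of the freed buffer, so confirm that nothing reached from pipe_err touches or frees it again (that code is not visible here). The blank line added before `sent += size;` is unrelated to the fix and can be dropped.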