Commit 0e087858 authored by Patrick McHardy's avatar Patrick McHardy Committed by David S. Miller

connector: fix skb double free in cn_rx_skb()

When a skb is delivered to a registered callback, cn_call_callback()
incorrectly returns -ENODEV after freeing the skb, causing cn_rx_skb()
to free the skb a second time.
Reported-by: default avatarEric B Munson <emunson@mgebm.net>
Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
Tested-by: default avatarEric B Munson <emunson@mgebm.net>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 192910a6
...@@ -142,6 +142,7 @@ static int cn_call_callback(struct sk_buff *skb) ...@@ -142,6 +142,7 @@ static int cn_call_callback(struct sk_buff *skb)
cbq->callback(msg, nsp); cbq->callback(msg, nsp);
kfree_skb(skb); kfree_skb(skb);
cn_queue_release_callback(cbq); cn_queue_release_callback(cbq);
err = 0;
} }
return err; return err;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment