[net,2/2] caif: Bugfix double kfree_skb upon xmit failure

Message ID	1328181663-13853-2-git-send-email-sjur.brandeland@stericsson.com
State	Accepted, archived
Delegated to:	David Miller
Headers	show Return-Path: <netdev-owner@vger.kernel.org> From: =?UTF-8?q?Sjur=20Br=C3=A6ndeland?= <sjur.brandeland@stericsson.com> To: netdev@vger.kernel.org, davem@davemloft.net Cc: sjurbren@gmail.com, Dmitry Tarnyagin <dmitry.tarnyagin@stericsson.com>, =?UTF-8?q?Sjur=20Br=C3=A6ndeland?= <sjur.brandeland@stericsson.com> Subject: [PATCH net 2/2] caif: Bugfix double kfree_skb upon xmit failure Date: Thu, 2 Feb 2012 12:21:03 +0100 Message-Id: <1328181663-13853-2-git-send-email-sjur.brandeland@stericsson.com> In-Reply-To: <1328181663-13853-1-git-send-email-sjur.brandeland@stericsson.com> References: <1328181663-13853-1-git-send-email-sjur.brandeland@stericsson.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: netdev-owner@vger.kernel.org Precedence: bulk

Message ID

1328181663-13853-2-git-send-email-sjur.brandeland@stericsson.com

State

Accepted, archived

Delegated to:

David Miller

Headers

From: =?UTF-8?q?Sjur=20Br=C3=A6ndeland?= <sjur.brandeland@stericsson.com>
To: netdev@vger.kernel.org, davem@davemloft.net
Cc: sjurbren@gmail.com, Dmitry Tarnyagin <dmitry.tarnyagin@stericsson.com>,
	=?UTF-8?q?Sjur=20Br=C3=A6ndeland?= <sjur.brandeland@stericsson.com>
Subject: [PATCH net 2/2] caif: Bugfix double kfree_skb upon xmit failure
Date: Thu,  2 Feb 2012 12:21:03 +0100
Message-Id: <1328181663-13853-2-git-send-email-sjur.brandeland@stericsson.com>
In-Reply-To: <1328181663-13853-1-git-send-email-sjur.brandeland@stericsson.com>
References: <1328181663-13853-1-git-send-email-sjur.brandeland@stericsson.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: netdev-owner@vger.kernel.org
Precedence: bulk

Commit Message

sjur.brandeland@stericsson.com Feb. 2, 2012, 11:21 a.m. UTC

From: Dmitry Tarnyagin <dmitry.tarnyagin@stericsson.com>

SKB is freed twice upon send error. The Network stack consumes SKB even
when it returns error code.

Signed-off-by: Sjur Brændeland <sjur.brandeland@stericsson.com>
---
 net/caif/caif_socket.c |   10 ++++++----
 1 files changed, 6 insertions(+), 4 deletions(-)

Comments

David Miller Feb. 2, 2012, 7:31 p.m. UTC | #1

From: Sjur Brændeland <sjur.brandeland@stericsson.com>
Date: Thu,  2 Feb 2012 12:21:03 +0100

> From: Dmitry Tarnyagin <dmitry.tarnyagin@stericsson.com>
> 
> SKB is freed twice upon send error. The Network stack consumes SKB even
> when it returns error code.
> 
> Signed-off-by: Sjur Brændeland <sjur.brandeland@stericsson.com>

Applied.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c
index a986280..a97d97a 100644
--- a/net/caif/caif_socket.c
+++ b/net/caif/caif_socket.c
@@ -539,8 +539,10 @@  static int transmit_skb(struct sk_buff *skb, struct caifsock *cf_sk,
 	pkt = cfpkt_fromnative(CAIF_DIR_OUT, skb);
 	memset(skb->cb, 0, sizeof(struct caif_payload_info));
 
-	if (cf_sk->layer.dn == NULL)
+	if (cf_sk->layer.dn == NULL) {
+		kfree_skb(skb);
 		return -EINVAL;
+	}
 
 	return cf_sk->layer.dn->transmit(cf_sk->layer.dn, pkt);
 }
@@ -683,10 +685,10 @@  static int caif_stream_sendmsg(struct kiocb *kiocb, struct socket *sock,
 		}
 		err = transmit_skb(skb, cf_sk,
 				msg->msg_flags&MSG_DONTWAIT, timeo);
-		if (err < 0) {
-			kfree_skb(skb);
+		if (err < 0)
+			/* skb is already freed */
 			goto pipe_err;
-		}
+
 		sent += size;
 	}

[net,2/2] caif: Bugfix double kfree_skb upon xmit failure

Commit Message

Comments

Patch