Patchwork [net,2/2] caif: Bugfix double kfree_skb upon xmit failure

Submitter sjur.brandeland@stericsson.com
Date Feb. 2, 2012, 11:21 a.m.
Message ID <1328181663-13853-2-git-send-email-sjur.brandeland@stericsson.com>
Permalink /patch/139121/
State Accepted
Delegated to: David Miller

Comments

sjur.brandeland@stericsson.com - Feb. 2, 2012, 11:21 a.m.
From: Dmitry Tarnyagin <dmitry.tarnyagin@stericsson.com>

SKB is freed twice upon send error. The Network stack consumes SKB even
when it returns error code.

Signed-off-by: Sjur Brændeland <sjur.brandeland@stericsson.com>
---
 net/caif/caif_socket.c |   10 ++++++----
 1 files changed, 6 insertions(+), 4 deletions(-)

David Miller - Feb. 2, 2012, 7:31 p.m.
From: Sjur Brændeland <sjur.brandeland@stericsson.com>
Date: Thu,  2 Feb 2012 12:21:03 +0100

> From: Dmitry Tarnyagin <dmitry.tarnyagin@stericsson.com>
> 
> SKB is freed twice upon send error. The Network stack consumes SKB even
> when it returns error code.
> 
> Signed-off-by: Sjur Brændeland <sjur.brandeland@stericsson.com>

Applied.

Patch

diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c
index a986280..a97d97a 100644
--- a/net/caif/caif_socket.c
+++ b/net/caif/caif_socket.c
@@ -539,8 +539,10 @@  static int transmit_skb(struct sk_buff *skb, struct caifsock *cf_sk,
 	pkt = cfpkt_fromnative(CAIF_DIR_OUT, skb);
 	memset(skb->cb, 0, sizeof(struct caif_payload_info));
 
-	if (cf_sk->layer.dn == NULL)
+	if (cf_sk->layer.dn == NULL) {
+		kfree_skb(skb);
 		return -EINVAL;
+	}
 
 	return cf_sk->layer.dn->transmit(cf_sk->layer.dn, pkt);
 }
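Review bot: in the new `cf_sk->layer.dn == NULL` branch, `kfree_skb(skb)` runs after `pkt = cfpkt_fromnative(CAIF_DIR_OUT, skb)` and the `memset(skb->cb, ...)` have already operated on the skb, so the error path does work on a buffer it is about to drop and leaves `pkt` referring to freed memory until the return. Moving the NULL check above those two lines would make the error path free an untouched skb and return. With this branch added, the intent is that transmit_skb() consumes skb whatever it returns; a short comment above the function stating that would tell callers not to free or touch skb after the call.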
@@ -683,10 +685,10 @@  static int caif_stream_sendmsg(struct kiocb *kiocb, struct socket *sock,
 		}
 		err = transmit_skb(skb, cf_sk,
 				msg->msg_flags&MSG_DONTWAIT, timeo);
-		if (err < 0) {
-			kfree_skb(skb);
+		if (err < 0)
+			/* skb is already freed */
 			goto pipe_err;
-		}
+
 		sent += size;
 	}
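Review bot: the `if (err < 0)` body is now a comment followed by `goto pipe_err;` with the braces removed, so it reads as a two-line unbraced body; keeping the braces around the comment and the goto avoids a later edit slipping a statement between them. Dropping the `kfree_skb(skb)` here is only safe if nothing on the pipe_err path touches skb, which now dangles after a failed transmit_skb(), and that label is not visible in this hunk. The patch changes only this call site, so any other caller of transmit_skb() that still frees skb on error needs the same change.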