Bluetooth: btwilink: Fix unexpected skb free

The caller (hci_core) still owns the skb in case of error, releasing it inside the send function can lead to use-after-free errors. Reported-by: N Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: N Loic Poulain <loic.poulain@intel.com> Signed-off-by: N Marcel Holtmann <marcel@holtmann.org>

Bluetooth: btwilink: Fix unexpected skb free
The caller (hci_core) still owns the skb in case of error, releasing it inside the send function can lead to use-after-free errors. Reported-by: N Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: N Loic Poulain <loic.poulain@intel.com> Signed-off-by: N Marcel Holtmann <marcel@holtmann.org>
a6187ffd · Loic Poulain · Marcel Holtmann · 823b8420 · a6187ffd
隐藏空白更改
内联并排

Showing with 0 addition and 1 deletion

drivers/bluetooth/btwilink.c drivers/bluetooth/btwilink.c +0 -1

未找到文件。
--- a/drivers/bluetooth/btwilink.c
+++ b/drivers/bluetooth/btwilink.c
@@ -262,7 +262,6 @@ static int ti_st_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
 	pkt_type = hci_skb_pkt_type(skb);
 	len = hst->st_write(skb);
 	if (len < 0) {
-		kfree_skb(skb);
 		BT_ERR("ST write failed (%ld)", len);
 		/* Try Again, would only fail if UART has gone bad */
 		return -EAGAIN;