提交 ba760574 编写于 作者: D Dmitry Tarnyagin 提交者: David S. Miller

caif: Bugfix double kfree_skb upon xmit failure

SKB is freed twice upon send error. The Network stack consumes SKB even
when it returns error code.
Signed-off-by: NSjur Brændeland <sjur.brandeland@stericsson.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
上级 b01377a4
...@@ -539,8 +539,10 @@ static int transmit_skb(struct sk_buff *skb, struct caifsock *cf_sk, ...@@ -539,8 +539,10 @@ static int transmit_skb(struct sk_buff *skb, struct caifsock *cf_sk,
pkt = cfpkt_fromnative(CAIF_DIR_OUT, skb); pkt = cfpkt_fromnative(CAIF_DIR_OUT, skb);
memset(skb->cb, 0, sizeof(struct caif_payload_info)); memset(skb->cb, 0, sizeof(struct caif_payload_info));
if (cf_sk->layer.dn == NULL) if (cf_sk->layer.dn == NULL) {
kfree_skb(skb);
return -EINVAL; return -EINVAL;
}
return cf_sk->layer.dn->transmit(cf_sk->layer.dn, pkt); return cf_sk->layer.dn->transmit(cf_sk->layer.dn, pkt);
} }
...@@ -683,10 +685,10 @@ static int caif_stream_sendmsg(struct kiocb *kiocb, struct socket *sock, ...@@ -683,10 +685,10 @@ static int caif_stream_sendmsg(struct kiocb *kiocb, struct socket *sock,
} }
err = transmit_skb(skb, cf_sk, err = transmit_skb(skb, cf_sk,
msg->msg_flags&MSG_DONTWAIT, timeo); msg->msg_flags&MSG_DONTWAIT, timeo);
if (err < 0) { if (err < 0)
kfree_skb(skb); /* skb is already freed */
goto pipe_err; goto pipe_err;
}
sent += size; sent += size;
} }
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册