caif: Bugfix double kfree_skb upon xmit failure

SKB is freed twice upon send error. The Network stack consumes SKB even when it returns error code. Signed-off-by: Sjur Brændeland <sjur.brandeland@stericsson.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Dmitry Tarnyagin <dmitry.tarnyagin@stericsson.com> 2012-02-02 01:21:03 +0000
committer: David S. Miller <davem@davemloft.net> 2012-02-02 14:35:12 -0500
commit: ba7605745d5c99f0e71b3ec6c7cb5ed6afe540ad (patch)
tree: 24f678ef44d316b79d6301ed3ffde26258d6f2ac /net/caif
parent: b01377a4200d0dfc7b04a8daabb4739727353703 (diff)
download: linux-ba7605745d5c99f0e71b3ec6c7cb5ed6afe540ad.tar.gz
1 files changed, 6 insertions, 4 deletions
diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c
index a98628086452..a97d97a3a512 100644
--- a/net/caif/caif_socket.c
+++ b/net/caif/caif_socket.c
@@ -539,8 +539,10 @@ static int transmit_skb(struct sk_buff *skb, struct caifsock *cf_sk,
 	pkt = cfpkt_fromnative(CAIF_DIR_OUT, skb);
 	memset(skb->cb, 0, sizeof(struct caif_payload_info));
 
-	if (cf_sk->layer.dn == NULL)
+	if (cf_sk->layer.dn == NULL) {
+		kfree_skb(skb);
 		return -EINVAL;
+	}
 
 	return cf_sk->layer.dn->transmit(cf_sk->layer.dn, pkt);
 }
@@ -683,10 +685,10 @@ static int caif_stream_sendmsg(struct kiocb *kiocb, struct socket *sock,
 		}
 		err = transmit_skb(skb, cf_sk,
 				msg->msg_flags&MSG_DONTWAIT, timeo);
-		if (err < 0) {
-			kfree_skb(skb);
+		if (err < 0)
+			/* skb is already freed */
 			goto pipe_err;
-		}
+
 		sent += size;
 	}
author	Dmitry Tarnyagin <dmitry.tarnyagin@stericsson.com>	2012-02-02 01:21:03 +0000
committer	David S. Miller <davem@davemloft.net>	2012-02-02 14:35:12 -0500
commit	ba7605745d5c99f0e71b3ec6c7cb5ed6afe540ad (patch)
tree	24f678ef44d316b79d6301ed3ffde26258d6f2ac /net/caif
parent	b01377a4200d0dfc7b04a8daabb4739727353703 (diff)
download	linux-ba7605745d5c99f0e71b3ec6c7cb5ed6afe540ad.tar.gz