From 0e08785845093ef4ed220463a739bc8d0db95de7 Mon Sep 17 00:00:00 2001 From: Patrick McHardy Date: Tue, 12 Apr 2011 05:39:51 +0000 Subject: [PATCH] connector: fix skb double free in cn_rx_skb() When a skb is delivered to a registered callback, cn_call_callback() incorrectly returns -ENODEV after freeing the skb, causing cn_rx_skb() to free the skb a second time. Reported-by: Eric B Munson Signed-off-by: Patrick McHardy Tested-by: Eric B Munson Signed-off-by: David S. Miller --- drivers/connector/connector.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/connector/connector.c b/drivers/connector/connector.c index d77005849af8..219d88a0eeae 100644 --- a/drivers/connector/connector.c +++ b/drivers/connector/connector.c @@ -142,6 +142,7 @@ static int cn_call_callback(struct sk_buff *skb) cbq->callback(msg, nsp); kfree_skb(skb); cn_queue_release_callback(cbq); + err = 0; } return err;