| Message ID | 1572006880-5800-1-git-send-email-bharat@chelsio.com (mailing list archive) |
|---|---|
| State | Mainlined |
| Commit | d4934f45693651ea15357dd6c7c36be28b6da884 |
| Delegated to: | Jason Gunthorpe |
| Headers | show |
| Series | [for-rc] iw_cxgb4: avoid freeing skb twice in arp failure case | expand |
On Fri, Oct 25, 2019 at 06:04:40PM +0530, Potnuri Bharat Teja wrote: > _put_ep_safe() and _put_pass_ep_safe() free the skb before it is freed by > process_work(). fix double free by freeing the skb only in process_work(). > > Fixes: 1dad0ebeea1c ("iw_cxgb4: Avoid touch after free error in ARP failure handlers") > Signed-off-by: Dakshaja Uppalapati <dakshaja@chelsio.com> > Signed-off-by: Potnuri Bharat Teja <bharat@chelsio.com> > --- > drivers/infiniband/hw/cxgb4/cm.c | 2 -- > 1 file changed, 2 deletions(-) Applied to for-rc, thanks Jason
diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c index e87fc0408470..8333442380d5 100644 --- a/drivers/infiniband/hw/cxgb4/cm.c +++ b/drivers/infiniband/hw/cxgb4/cm.c @@ -495,7 +495,6 @@ static int _put_ep_safe(struct c4iw_dev *dev, struct sk_buff *skb) ep = *((struct c4iw_ep **)(skb->cb + 2 * sizeof(void *))); release_ep_resources(ep); - kfree_skb(skb); return 0; } @@ -506,7 +505,6 @@ static int _put_pass_ep_safe(struct c4iw_dev *dev, struct sk_buff *skb) ep = *((struct c4iw_ep **)(skb->cb + 2 * sizeof(void *))); c4iw_put_ep(&ep->parent_ep->com); release_ep_resources(ep); - kfree_skb(skb); return 0; }
_put_ep_safe() and _put_pass_ep_safe() free the skb before it is freed by process_work(). fix double free by freeing the skb only in process_work(). Fixes: 1dad0ebeea1c ("iw_cxgb4: Avoid touch after free error in ARP failure handlers") Signed-off-by: Dakshaja Uppalapati <dakshaja@chelsio.com> Signed-off-by: Potnuri Bharat Teja <bharat@chelsio.com> --- drivers/infiniband/hw/cxgb4/cm.c | 2 -- 1 file changed, 2 deletions(-)