connector: fix skb double free in cn_rx_skb()

When a skb is delivered to a registered callback, cn_call_callback()
incorrectly returns -ENODEV after freeing the skb, causing cn_rx_skb()
to free the skb a second time.

Reported-by: Eric B Munson <emunson@mgebm.net>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Tested-by: Eric B Munson <emunson@mgebm.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Patrick McHardy 2011-04-12 05:39:51 +00:00 committed by David S. Miller
parent 192910a6cc
commit 0e08785845

View File

@ -142,6 +142,7 @@ static int cn_call_callback(struct sk_buff *skb)
cbq->callback(msg, nsp);
kfree_skb(skb);
cn_queue_release_callback(cbq);
err = 0;
}
return err;