Commit 78179869 authored by Raveendran Somu, committed by Kalle Valo

brcmfmac: Fix double freeing in the fmac usb data path

When the brcmf_fws_process_skb() fails to get hanger slot for
queuing the skb, it tries to free the skb.
But the caller brcmf_netdev_start_xmit() of that function frees
the packet on error return value.
This causes the double freeing, which caused the kernel crash.

Signed-off-by: Raveendran Somu <raveendran.somu@cypress.com>
Signed-off-by: Chi-hsien Lin <chi-hsien.lin@cypress.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/1585124429-97371-3-git-send-email-chi-hsien.lin@cypress.com
parent 93a5bfbc
...@@ -2145,8 +2145,7 @@ int brcmf_fws_process_skb(struct brcmf_if *ifp, struct sk_buff *skb) ...@@ -2145,8 +2145,7 @@ int brcmf_fws_process_skb(struct brcmf_if *ifp, struct sk_buff *skb)
brcmf_fws_enq(fws, BRCMF_FWS_SKBSTATE_DELAYED, fifo, skb); brcmf_fws_enq(fws, BRCMF_FWS_SKBSTATE_DELAYED, fifo, skb);
brcmf_fws_schedule_deq(fws); brcmf_fws_schedule_deq(fws);
} else { } else {
bphy_err(drvr, "drop skb: no hanger slot\n"); bphy_err(drvr, "no hanger slot available\n");
brcmf_txfinalize(ifp, skb, false);
rc = -ENOMEM; rc = -ENOMEM;
} }
brcmf_fws_unlock(fws); brcmf_fws_unlock(fws);
......
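Review bot: In the else branch, where the brcmf_txfinalize(ifp, skb, false) call is dropped, the function now returns -ENOMEM with the skb still owned by the caller, but nothing in the code states that contract. Please add a comment at the rc = -ENOMEM line, or on brcmf_fws_process_skb() itself, saying that the skb is not consumed on error and must be freed by the caller, and confirm that every caller does so, not only brcmf_netdev_start_xmit() named in the commit message; a caller that does not free on error would leak the packet after this change. It is also worth checking that anything brcmf_txfinalize() did for the failure case besides freeing the packet is still covered on the caller's error path.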