commit ad676e0dbbe8658ce46e192f449689bf3011bdf5 Author: Patrick McHardy Date: Tue Apr 12 17:37:04 2011 +0200 connector: fix skb double free in cn_rx_skb() When a skb is delivered to a registered callback, cn_call_callback() incorrectly returns -ENODEV after freeing the skb, causing cn_rx_skb() to free the skb a second time. Reported-by: Eric B Munson Signed-off-by: Patrick McHardy diff --git a/drivers/connector/connector.c b/drivers/connector/connector.c index d770058..219d88a 100644 --- a/drivers/connector/connector.c +++ b/drivers/connector/connector.c @@ -142,6 +142,7 @@ static int cn_call_callback(struct sk_buff *skb) cbq->callback(msg, nsp); kfree_skb(skb); cn_queue_release_callback(cbq); + err = 0; } return err;