connector: fix skb double free in cn_rx_skb()

When a skb is delivered to a registered callback, cn_call_callback()
incorrectly returns -ENODEV after freeing the skb, causing cn_rx_skb()
to free the skb a second time.

Reported-by: Eric B Munson <emunson@mgebm.net>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Tested-by: Eric B Munson <emunson@mgebm.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/drivers/connector/connector.c b/drivers/connector/connector.c
index d770058..219d88a 100644 (file)
--- a/drivers/connector/connector.c
+++ b/drivers/connector/connector.c
@@ -142,6 +142,7 @@ static int cn_call_callback(struct sk_buff *skb)
                cbq->callback(msg, nsp);
                kfree_skb(skb);
                cn_queue_release_callback(cbq);
+               err = 0;
        }
 
        return err;