| From foo@baz Thu Dec 21 09:02:40 CET 2017 |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| Date: Wed, 8 Mar 2017 08:21:52 +0300 |
| Subject: IB/rxe: double free on error |
| |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| |
| |
| [ Upstream commit ded260235308f340b979258a4c736e06ba12c747 ] |
| |
| "goto err;" has it's own kfree_skb() call so it's a double free. We |
| only need to free on the "goto exit;" path. |
| |
| Fixes: 8700e3e7c485 ("Soft RoCE driver") |
| Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> |
| Signed-off-by: Doug Ledford <dledford@redhat.com> |
| Signed-off-by: Sasha Levin <alexander.levin@verizon.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| drivers/infiniband/sw/rxe/rxe_req.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/drivers/infiniband/sw/rxe/rxe_req.c |
| +++ b/drivers/infiniband/sw/rxe/rxe_req.c |
| @@ -726,11 +726,11 @@ next_wqe: |
| ret = rxe_xmit_packet(to_rdev(qp->ibqp.device), qp, &pkt, skb); |
| if (ret) { |
| qp->need_req_skb = 1; |
| - kfree_skb(skb); |
| |
| rollback_state(wqe, qp, &rollback_wqe, rollback_psn); |
| |
| if (ret == -EAGAIN) { |
| + kfree_skb(skb); |
| rxe_run_task(&qp->req.task, 1); |
| goto exit; |
| } |
