connector: fix skb double free in cn_rx_skb()

When a skb is delivered to a registered callback, cn_call_callback() incorrectly returns -ENODEV after freeing the skb, causing cn_rx_skb() to free the skb a second time. Reported-by: Eric B Munson <emunson@mgebm.net> Signed-off-by: Patrick McHardy <kaber@trash.net> Tested-by: Eric B Munson <emunson@mgebm.net> Signed-off-by: David S. Miller <davem@davemloft.net>

connector: fix skb double free in cn_rx_skb()
0e087858 · Patrick McHardy · David S. Miller · 192910a6 · 0e087858
Commit 0e087858 authored 13 years ago by Patrick McHardy Committed by David S. Miller 13 years ago
--- a/drivers/connector/connector.c
+++ b/drivers/connector/connector.c
@@ -142,6 +142,7 @@ static int cn_call_callback(struct sk_buff *skb)
 		cbq->callback(msg, nsp);
 		kfree_skb(skb);
 		cn_queue_release_callback(cbq);
+		err = 0;
 	}
 	return err;