summaryrefslogtreecommitdiffstats
path: root/drivers/bluetooth
diff options
context:
space:
mode:
authorLoic Poulain <loic.poulain@intel.com>2017-05-23 11:51:00 +0200
committerMarcel Holtmann <marcel@holtmann.org>2017-05-23 16:19:38 +0200
commita6187ffdfcc854ce4d97f307e12508a4bde8bcf3 (patch)
tree01d4ffd7504f07588b22ccc439a86a3b6a5627f2 /drivers/bluetooth
parent823b84201f4a719414d61b105fd23706c5668ab5 (diff)
downloadlinux-a6187ffdfcc854ce4d97f307e12508a4bde8bcf3.tar.gz
linux-a6187ffdfcc854ce4d97f307e12508a4bde8bcf3.tar.bz2
linux-a6187ffdfcc854ce4d97f307e12508a4bde8bcf3.zip
Bluetooth: btwilink: Fix unexpected skb free
The caller (hci_core) still owns the skb in case of error, releasing it inside the send function can lead to use-after-free errors. Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Loic Poulain <loic.poulain@intel.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Diffstat (limited to 'drivers/bluetooth')
-rw-r--r--drivers/bluetooth/btwilink.c1
1 files changed, 0 insertions, 1 deletions
diff --git a/drivers/bluetooth/btwilink.c b/drivers/bluetooth/btwilink.c
index b6bb58c41df5..85a3978b064f 100644
--- a/drivers/bluetooth/btwilink.c
+++ b/drivers/bluetooth/btwilink.c
@@ -262,7 +262,6 @@ static int ti_st_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
pkt_type = hci_skb_pkt_type(skb);
len = hst->st_write(skb);
if (len < 0) {
- kfree_skb(skb);
BT_ERR("ST write failed (%ld)", len);
/* Try Again, would only fail if UART has gone bad */
return -EAGAIN;