Commit ce228fff authored Nov 14, 2022 by Wei Yongjun Committed by Greg Kroah-Hartman Jan 08, 2024

scsi: bnx2fc: Fix skb double free in bnx2fc_rcv()



[ Upstream commit 08c94d80b2da481652fb633e79cbc41e9e326a91 ]

skb_share_check() already drops the reference to the skb when returning
NULL. Using kfree_skb() in the error handling path leads to an skb double
free.

Fix this by removing the variable tmp_skb, and return directly when
skb_share_check() returns NULL.

Fixes: 01a4cc4d ("bnx2fc: do not add shared skbs to the fcoe_rx_list")
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Link: https://lore.kernel.org/r/20221114110626.526643-1-weiyongjun@huaweicloud.com


Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

parent 5777781b

drivers/scsi/bnx2fc/bnx2fc_fcoe.c

+3 −6

Original line number	Diff line number	Diff line
		@@ -435,7 +435,6 @@ static int bnx2fc_rcv(struct sk_buff skb, struct net_device dev,
		struct fc_frame_header *fh;
		struct fcoe_rcv_info *fr;
		struct fcoe_percpu_s *bg;
		struct sk_buff *tmp_skb;

		interface = container_of(ptype, struct bnx2fc_interface,
		fcoe_packet_type);
		@@ -447,11 +446,9 @@ static int bnx2fc_rcv(struct sk_buff skb, struct net_device dev,
		goto err;
		}

		tmp_skb = skb_share_check(skb, GFP_ATOMIC);
		if (!tmp_skb)
		goto err;

		skb = tmp_skb;
		skb = skb_share_check(skb, GFP_ATOMIC);
		if (!skb)
		return -1;

		if (unlikely(eth_hdr(skb)->h_proto != htons(ETH_P_FCOE))) {
		printk(KERN_ERR PFX "bnx2fc_rcv: Wrong FC type frame\n");