Bluetooth: btwilink: Fix unexpected skb free

The caller (hci_core) still owns the skb in case of error, releasing it inside the send function can lead to use-after-free errors. Reported-by: Dan Carpenter <[email protected]> Signed-off-by: Loic Poulain <[email protected]> Signed-off-by: Marcel Holtmann <[email protected]>
niw · May 23, 2017 · a6187ff · a6187ff
1 parent 823b842
commit a6187ff
Showing 1 changed file with 0 additions and 1 deletion.
diff --git a/drivers/bluetooth/btwilink.c b/drivers/bluetooth/btwilink.c
@@ -262,7 +262,6 @@ static int ti_st_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
 	pkt_type = hci_skb_pkt_type(skb);
 	len = hst->st_write(skb);
 	if (len < 0) {
-		kfree_skb(skb);
 		BT_ERR("ST write failed (%ld)", len);
 		/* Try Again, would only fail if UART has gone bad */
 		return -EAGAIN;