If skb_reorder_vlan_header() fails, skb is freed and NULL is returned. Then skb_vlan_untag() will free the skbuff again, which causes a double free.
This patch removes kfree_skb() call in function skb_reorder_vlan_header(). Signed-off-by: Zhang Shengju <zhangshen...@cmss.chinamobile.com> --- net/core/skbuff.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/net/core/skbuff.c b/net/core/skbuff.c index 488566b..a5f2401 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -4349,10 +4349,8 @@ EXPORT_SYMBOL_GPL(skb_gso_transport_seglen); static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb) { - if (skb_cow(skb, skb_headroom(skb)) < 0) { - kfree_skb(skb); + if (skb_cow(skb, skb_headroom(skb)) < 0) return NULL; - } memmove(skb->data - ETH_HLEN, skb->data - skb->mac_len - VLAN_HLEN, 2 * ETH_ALEN); -- 1.8.3.1
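Review bot: With kfree_skb() dropped from the skb_cow() failure branch, skb_reorder_vlan_header() now returns NULL while the buffer is still allocated, so the change is only correct if every caller still holds its own pointer to the skb at that point and frees it. The caller is not part of this hunk; if it stores the return value back into the same variable (for example `skb = skb_reorder_vlan_header(skb);`) before reaching its error path, the original pointer is overwritten with NULL and the double free described in the commit message turns into a leak. Please show the skb_vlan_untag() error path in the commit message to confirm which case applies, and add a comment above skb_reorder_vlan_header() stating that on failure the skb is not freed and ownership stays with the caller.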