[PATCH 4.9 33/66] Revert "net:tipc: Fix a double free in tipc_sk_mcast_rcv"
From: Greg Kroah-Hartman
Date: Mon May 31 2021 - 09:28:20 EST
From: Hoang Le <hoang.h.le@xxxxxxxxxxxxxx>
commit 75016891357a628d2b8acc09e2b9b2576c18d318 upstream.
This reverts commit 6bf24dc0cc0cc43b29ba344b66d78590e687e046.
Above fix is not correct and caused memory leak issue.
Fixes: 6bf24dc0cc0c ("net:tipc: Fix a double free in tipc_sk_mcast_rcv")
Acked-by: Jon Maloy <jmaloy@xxxxxxxxxx>
Acked-by: Tung Nguyen <tung.q.nguyen@xxxxxxxxxxxxxx>
Signed-off-by: Hoang Le <hoang.h.le@xxxxxxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
net/tipc/socket.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -741,7 +741,10 @@ void tipc_sk_mcast_rcv(struct net *net,
spin_lock_bh(&inputq->lock);
if (skb_peek(arrvq) == skb) {
skb_queue_splice_tail_init(&tmpq, inputq);
- __skb_dequeue(arrvq);
+ /* Decrease the skb's refcnt as increasing in the
+ * function tipc_skb_peek
+ */
+ kfree_skb(__skb_dequeue(arrvq));
}
spin_unlock_bh(&inputq->lock);
__skb_queue_purge(&tmpq);