scsi: bnx2fc: Fix skb double free in bnx2fc_rcv()

[ Upstream commit 08c94d80b2da481652fb633e79cbc41e9e326a91 ]

skb_share_check() already drops the reference to the skb when returning
NULL. Using kfree_skb() in the error handling path leads to an skb double
free.

Fix this by removing the variable tmp_skb, and return directly when
skb_share_check() returns NULL.

Fixes: 01a4cc4d0cd6 ("bnx2fc: do not add shared skbs to the fcoe_rx_list")
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Link: https://lore.kernel.org/r/20221114110626.526643-1-weiyongjun@huaweicloud.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c
index e2586472ecad4457e2f4b922df4c26b6306633ab..6090434ad6f3629508914ffb810ec4bbd2fc6a9b 100644 (file)
--- a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c
+++ b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c
@@ -432,7 +432,6 @@ static int bnx2fc_rcv(struct sk_buff *skb, struct net_device *dev,
        struct fcoe_ctlr *ctlr;
        struct fcoe_rcv_info *fr;
        struct fcoe_percpu_s *bg;
-       struct sk_buff *tmp_skb;
 
        interface = container_of(ptype, struct bnx2fc_interface,
                                 fcoe_packet_type);
@@ -444,11 +443,9 @@ static int bnx2fc_rcv(struct sk_buff *skb, struct net_device *dev,
                goto err;
        }
 
-       tmp_skb = skb_share_check(skb, GFP_ATOMIC);
-       if (!tmp_skb)
-               goto err;
-
-       skb = tmp_skb;
+       skb = skb_share_check(skb, GFP_ATOMIC);
+       if (!skb)
+               return -1;
 
        if (unlikely(eth_hdr(skb)->h_proto != htons(ETH_P_FCOE))) {
                printk(KERN_ERR PFX "bnx2fc_rcv: Wrong FC type frame\n");