From: Hoang Le <hoang.h.le@dektech.com.au>
Date: Fri, 14 May 2021 01:23:03 +0000 (+0700)
Subject: Revert "net:tipc: Fix a double free in tipc_sk_mcast_rcv"
X-Git-Tag: v4.9.271~33
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9d8a165f747974113c5215539c08a220566f8c64;p=thirdparty%2Fkernel%2Fstable.git

Revert "net:tipc: Fix a double free in tipc_sk_mcast_rcv"

commit 75016891357a628d2b8acc09e2b9b2576c18d318 upstream.

This reverts commit 6bf24dc0cc0cc43b29ba344b66d78590e687e046.
Above fix is not correct and caused memory leak issue.

Fixes: 6bf24dc0cc0c ("net:tipc: Fix a double free in tipc_sk_mcast_rcv")
Acked-by: Jon Maloy <jmaloy@redhat.com>
Acked-by: Tung Nguyen <tung.q.nguyen@dektech.com.au>
Signed-off-by: Hoang Le <hoang.h.le@dektech.com.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index 804cab8f95090..c1b9074f3325e 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -741,7 +741,10 @@ void tipc_sk_mcast_rcv(struct net *net, struct sk_buff_head *arrvq,
 		spin_lock_bh(&inputq->lock);
 		if (skb_peek(arrvq) == skb) {
 			skb_queue_splice_tail_init(&tmpq, inputq);
-			__skb_dequeue(arrvq);
+			/* Decrease the skb's refcnt as increasing in the
+			 * function tipc_skb_peek
+			 */
+			kfree_skb(__skb_dequeue(arrvq));
 		}
 		spin_unlock_bh(&inputq->lock);
 		__skb_queue_purge(&tmpq);