> 1 | /home/eparker/tmp/linux/2.4.6/drivers/isdn/isdn_common.c/
> ---------------------------------------------------------
> [BUG] double free (then again, dev_kfree_skb does referece counting--maybe
> not a bug?)
> /home/eparker/tmp/linux/2.4.6/drivers/isdn/isdn_common.c:1978:isdn_writebuf_skb_stub: ERROR:FREE:1960:1978: Use-after-free of 'skb'! set by 'kfree_skb':1960 [nbytes = 168] [distance=36]
> skb_tmp = skb_realloc_headroom(skb, hl);
> printk(KERN_DEBUG "isdn_writebuf_skb_stub: reallocating headroom%s\n", skb_tmp ? "" : " failed");
> if (!skb_tmp) return -ENOMEM; /* 0 better? */
> ret = dev->drv[drvidx]->interface->writebuf_skb(drvidx, chan, ack, skb_tmp);
> if( ret > 0 ){
> Start --->
> dev_kfree_skb(skb);
>
> ... DELETED 12 lines ...
>
> atomic_dec(&dev->v110use[idx]);
> /* For V.110 return unencoded data length */
> ret = v110_ret;
> /* if the complete frame was send we free the skb;
> if not upper function will requeue the skb */
> Error --->
> if (ret == skb->len)
> dev_kfree_skb(skb);
> }
> } else
This is a false positive, since the two dev_kfree_skb() happen in mutually
exclusive branches.
Thanks anyway,
--Kai
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/