ACK: [SRU Bionic/Focal/Impish/OEM-5.14] can: ems_usb: ems_usb_start_xmit(): fix double dev_kfree_skb() in error path

[Tim Gardner]

Acked-by: Tim Gardner <tim.gardner at canonical.com>

On 4/19/22 06:44, Thadeu Lima de Souza Cascardo wrote:
> From: Hangyu Hua <hbh25y at gmail.com>
> 
> There is no need to call dev_kfree_skb() when usb_submit_urb() fails
> beacause can_put_echo_skb() deletes the original skb and
> can_free_echo_skb() deletes the cloned skb.
> 
> Link: https://lore.kernel.org/all/20220228083639.38183-1-hbh25y@gmail.com
> Fixes: 702171adeed3 ("ems_usb: Added support for EMS CPC-USB/ARM7 CAN/USB interface")
> Cc: stable at vger.kernel.org
> Cc: Sebastian Haas <haas at ems-wuensche.com>
> Signed-off-by: Hangyu Hua <hbh25y at gmail.com>
> Signed-off-by: Marc Kleine-Budde <mkl at pengutronix.de>
> (cherry picked from commit c70222752228a62135cee3409dccefd494a24646)
> CVE-2022-28390
> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo at canonical.com>
> ---
> 
> Fix is already pending on Jammy.
> 
> ---
>   drivers/net/can/usb/ems_usb.c | 1 -
>   1 file changed, 1 deletion(-)
> 
> diff --git a/drivers/net/can/usb/ems_usb.c b/drivers/net/can/usb/ems_usb.c
> index 047348033e27..25fc17fd2756 100644
> --- a/drivers/net/can/usb/ems_usb.c
> +++ b/drivers/net/can/usb/ems_usb.c
> @@ -827,7 +827,6 @@ static netdev_tx_t ems_usb_start_xmit(struct sk_buff *skb, struct net_device *ne
>   
>   		usb_unanchor_urb(urb);
>   		usb_free_coherent(dev->udev, size, buf, urb->transfer_dma);
> -		dev_kfree_skb(skb);
>   
>   		atomic_dec(&dev->active_tx_urbs);
>   

-- 
-----------
Tim Gardner
Canonical, Inc