The soft-interface transmission function expects that the unicast skb is still available when a send failed. This is not true on failed search for a router. Thus we would try to free the skb twice and create many different and hard to debug memory access failures due to access on not (anymore) allocated memory.

Reported-by: Andreas Langer an.langer@gmx.de Signed-off-by: Sven Eckelmann sven.eckelmann@gmx.de --- I decided that it makes more sense that the called function frees the data. This makes it similar to dev_queue_xmit or our send_skb_packet. This also fixes the problem with fragmented unicast packets

soft-interface.c | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/soft-interface.c b/soft-interface.c index 38134ae..47e5ada 100644 --- a/soft-interface.c +++ b/soft-interface.c @@ -182,7 +182,7 @@ int interface_tx(struct sk_buff *skb, struct net_device *soft_iface) } else { ret = unicast_send_skb(skb, bat_priv); if (ret != 0) - goto dropped; + goto dropped_freed; }

bat_priv->stats.tx_packets++; @@ -190,8 +190,9 @@ int interface_tx(struct sk_buff *skb, struct net_device *soft_iface) goto end;

dropped: - bat_priv->stats.tx_dropped++; kfree_skb(skb); +dropped_freed: + bat_priv->stats.tx_dropped++; end: return NETDEV_TX_OK; }