If skb_reorder_vlan_header() failed, skb is freed and NULL is returned. Then at skb_vlan_untag(), it will free skbuff again which cause double free.
This patch removes kfree_skb() call in function skb_reorder_vlan_header(). Signed-off-by: Zhang Shengju <zhangshen...@cmss.chinamobile.com> --- net/core/skbuff.c | 1 - 1 file changed, 1 deletion(-) diff --git a/net/core/skbuff.c b/net/core/skbuff.c index 488566b..1312d4b 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -4350,7 +4350,6 @@ EXPORT_SYMBOL_GPL(skb_gso_transport_seglen); static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb) { if (skb_cow(skb, skb_headroom(skb)) < 0) { - kfree_skb(skb); return NULL; } -- 1.8.3.1