From d4f8946230392eaeb837f19ff5ada352ee6d192f Mon Sep 17 00:00:00 2001
From: Ben Pfaff <blp@nicira.com>
Date: Wed, 27 May 2009 11:37:08 -0700
Subject: [PATCH] datapath: Avoid double-free on skb_clone failure in
 ODPAT_OUTPUT_GROUP.

output_group() has no business freeing the skb passed into it, but it was
doing so in case of allocation failure.  Since execute_actions() would
also later free it, this was a serious error.

Thanks to Justin for pointing out the problem.
---
 datapath/actions.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/datapath/actions.c b/datapath/actions.c
index 6bbb9f99..d9b92f1d 100644
--- a/datapath/actions.c
+++ b/datapath/actions.c
@@ -313,6 +313,8 @@ error:
 	kfree_skb(skb);
 }
 
+/* Never consumes 'skb'.  Returns a port that 'skb' should be sent to, -1 if
+ * none.  */
 static int output_group(struct datapath *dp, __u16 group,
 			struct sk_buff *skb, gfp_t gfp)
 {
@@ -328,10 +330,8 @@ static int output_group(struct datapath *dp, __u16 group,
 			continue;
 		if (prev_port != -1) {
 			struct sk_buff *clone = skb_clone(skb, gfp);
-			if (!clone) {
-				kfree_skb(skb);
+			if (!clone)
 				return -1;
-			}
 			do_output(dp, clone, prev_port);
 		}
 		prev_port = p->port_no;
-- 
2.30.2