| From a4955edfad8e12b037043310676957876849cb9f Mon Sep 17 00:00:00 2001 |
| From: Pan Bian <bianpan2016@163.com> |
| Date: Thu, 7 Nov 2019 09:33:20 +0800 |
| Subject: [PATCH] NFC: st21nfca: fix double free |
| |
| commit 99a8efbb6e30b72ac98cecf81103f847abffb1e5 upstream. |
| |
| The variable nfcid_skb is not changed in the callee nfc_hci_get_param() |
| if error occurs. Consequently, the freed variable nfcid_skb will be |
| freed again, resulting in a double free bug. Set nfcid_skb to NULL after |
| releasing it to fix the bug. |
| |
| Signed-off-by: Pan Bian <bianpan2016@163.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/drivers/nfc/st21nfca/core.c b/drivers/nfc/st21nfca/core.c |
| index f9ac176cf257..2ce17932a073 100644 |
| --- a/drivers/nfc/st21nfca/core.c |
| +++ b/drivers/nfc/st21nfca/core.c |
| @@ -708,6 +708,7 @@ static int st21nfca_hci_complete_target_discovered(struct nfc_hci_dev *hdev, |
| NFC_PROTO_FELICA_MASK; |
| } else { |
| kfree_skb(nfcid_skb); |
| + nfcid_skb = NULL; |
| /* P2P in type A */ |
| r = nfc_hci_get_param(hdev, ST21NFCA_RF_READER_F_GATE, |
| ST21NFCA_RF_READER_F_NFCID1, |
| -- |
| 2.7.4 |
| |