releases/3.6.9/nfc-pn533-fix-use-after-free.patch

From 770f750bc2b8312489c8e45306f551d08a319d3c Mon Sep 17 00:00:00 2001
From: Szymon Janc <szymon.janc@tieto.com>
Date: Mon, 29 Oct 2012 14:04:43 +0100
Subject: NFC: pn533: Fix use after free

From: Szymon Janc <szymon.janc@tieto.com>

commit 770f750bc2b8312489c8e45306f551d08a319d3c upstream.

cmd was freed in pn533_dep_link_up regardless of
pn533_send_cmd_frame_async return code. Cmd is passed as argument to
pn533_in_dep_link_up_complete callback and should be freed there.

Signed-off-by: Szymon Janc <szymon.janc@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/nfc/pn533.c |    8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

--- a/drivers/nfc/pn533.c
+++ b/drivers/nfc/pn533.c
@@ -1759,12 +1759,8 @@ static int pn533_dep_link_up(struct nfc_
 	rc = pn533_send_cmd_frame_async(dev, dev->out_frame, dev->in_frame,
 				dev->in_maxlen,	pn533_in_dep_link_up_complete,
 				cmd, GFP_KERNEL);
-	if (rc)
-		goto out;
-
-
-out:
-	kfree(cmd);
+	if (rc < 0)
+		kfree(cmd);
 
 	return rc;
 }