Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

nfc: pn533: Fix double free when pn533_fill_fragment_skbs() fails

The skb is already freed by dev_kfree_skb in pn533_fill_fragment_skbs(),
but when pn533_fill_fragment_skbs() fails and the error-handler branch is
followed, the skb is freed again, which results in a double free. Fix this
by not freeing the skb in the error path of pn533_fill_fragment_skbs().

Fixes: 963a82e07d4e ("NFC: pn533: Split large Tx frames in chunks")
Fixes: 93ad42020c2d ("NFC: pn533: Target mode Tx fragmentation support")
Signed-off-by: Chengfeng Ye <cyeaa@connect.ust.hk>
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Authored by Chengfeng Ye, committed by David S. Miller
9fec40f8 62b12ab5

+3 -3
drivers/nfc/pn533/pn533.c
··· 2216 2216 frag = pn533_alloc_skb(dev, frag_size); 2217 2217 if (!frag) { 2218 2218 skb_queue_purge(&dev->fragment_skb); 2219 - break; 2219 + return -ENOMEM; 2220 2220 } 2221 2221 2222 2222 if (!dev->tgt_mode) { ··· 2285 2285 /* jumbo frame ? */ 2286 2286 if (skb->len > PN533_CMD_DATAEXCH_DATA_MAXLEN) { 2287 2287 rc = pn533_fill_fragment_skbs(dev, skb); 2288 - if (rc <= 0) 2288 + if (rc < 0) 2289 2289 goto error; 2290 2290 2291 2291 skb = skb_dequeue(&dev->fragment_skb); ··· 2353 2353 /* let's split in multiple chunks if size's too big */ 2354 2354 if (skb->len > PN533_CMD_DATAEXCH_DATA_MAXLEN) { 2355 2355 rc = pn533_fill_fragment_skbs(dev, skb); 2356 - if (rc <= 0) 2356 + if (rc < 0) 2357 2357 goto error; 2358 2358 2359 2359 /* get the first skb */
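Review bot: replacing `break` with `return -ENOMEM` in the `if (!frag)` branch makes pn533_fill_fragment_skbs() leave before whatever follows the loop, including the dev_kfree_skb of the original skb that the commit message describes, so on allocation failure ownership of skb stays with the caller, which must then free it exactly once on its error path; the `skb_queue_purge(&dev->fragment_skb);` just before the return still runs, which is what we want. Because a failure is now reported as a negative value instead of a zero queue length, every caller of pn533_fill_fragment_skbs() has to test `rc < 0`; the two call sites in this patch are updated, and any other caller would need the same change.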
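Review bot: loosening `if (rc <= 0)` to `if (rc < 0)` means a zero return from pn533_fill_fragment_skbs() now falls through to `skb = skb_dequeue(&dev->fragment_skb);` instead of taking `goto error`, which is only safe if zero can no longer be returned for a jumbo frame (an empty fragment queue would make skb_dequeue() return NULL here). With the allocation failure now reported as -ENOMEM this looks correct, but a short comment or a NULL check after the dequeue would make that assumption visible to the next reader.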
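Review bot: same change as the previous call site and the same caveat: after `if (rc < 0)` a zero return reaches the `/* get the first skb */` dequeue, so pn533_fill_fragment_skbs() must never return zero when `skb->len > PN533_CMD_DATAEXCH_DATA_MAXLEN`, and the `goto error` path here is now the single place that frees skb on a fragmentation failure, since the callee no longer does. Keeping both call sites on the identical condition, as this patch does, avoids the two paths drifting apart again.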