From: Dan Carpenter <dan.carpenter@oracle.com>
To: christophe.ricard@gmail.com
Cc: linux-wireless@vger.kernel.org
Subject: [bug report] NFC: st21nfca: Fix some skb memory leaks
Date: Fri, 28 Sep 2018 12:28:26 +0300
Message-ID: <20180928092826.GA2420@mwanda>
Hello Christophe Ricard,

The patch c490c557b67f: "NFC: st21nfca: Fix some skb memory leaks"
from Jan 25, 2015, leads to the following static checker warning:

        drivers/nfc/st21nfca/core.c:742 st21nfca_hci_complete_target_discovered()
        warn: 'nfcid_skb' was already freed.

drivers/nfc/st21nfca/core.c
   712                          /* NFC Forum Digital Protocol Table 44 */
   713                          if (target->sensf_res[0] == 0x01 &&
   714                              target->sensf_res[1] == 0xfe)
   715                                  target->supported_protocols =
   716                                          NFC_PROTO_NFC_DEP_MASK;
   717                          else
   718                                  target->supported_protocols =
   719                                          NFC_PROTO_FELICA_MASK;
   720                  } else {
   721                          kfree_skb(nfcid_skb);
                                ^^^^^^^^^^^^^^^^^^^^
Freed.

   722                          /* P2P in type A */
   723                          r = nfc_hci_get_param(hdev, ST21NFCA_RF_READER_F_GATE,
   724                                                ST21NFCA_RF_READER_F_NFCID1,
   725                                                &nfcid_skb);
                                                      ^^^^^^^^^^
This is set to a different new skb on some error paths but if we return
-EADDRNOTAVAIL then it's still the same freed skb.

   726                          if (r < 0)
   727                                  goto exit;
                                        ^^^^^^^^^
We hit this goto and double free.

   728
   729                          if (nfcid_skb->len > NFC_NFCID1_MAXSIZE) {
   730                                  r = -EPROTO;
   731                                  goto exit;
   732                          }
   733                          memcpy(target->sensf_res, nfcid_skb->data,
   734                                 nfcid_skb->len);
   735                          target->sensf_res_len = nfcid_skb->len;
   736                          target->supported_protocols = NFC_PROTO_NFC_DEP_MASK;
   737                  }
   738                  target->hci_reader_gate = ST21NFCA_RF_READER_F_GATE;
   739          }
   740          r = 1;
   741  exit:
   742          kfree_skb(nfcid_skb);
   743          return r;
   744  }

regards,
dan carpenter
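
The control flow described in the report above, reduced to a user-space model; this is an added example, not part of the original message and not code from the driver. The names mock_skb, mock_kfree_skb, mock_get_param, discover_buggy and discover_fixed are hypothetical, the getter's behaviour on failure is modelled from the report's description, and clearing the pointer after the early free is shown as one common remedy, not as the fix applied upstream.

```c
#include <errno.h>
#include <stddef.h>

/* Constructed stand-in for struct sk_buff: frees are counted, not performed. */
struct mock_skb { int free_count; };

void mock_kfree_skb(struct mock_skb *skb)
{
	if (skb)		/* kfree_skb() also ignores NULL */
		skb->free_count++;
}

/* Hypothetical getter: on failure it returns before assigning *out. */
int mock_get_param(struct mock_skb **out, struct mock_skb *fresh, int fail)
{
	if (fail)
		return -EADDRNOTAVAIL;
	*out = fresh;
	return 0;
}

/* Reported pattern: early free, refill attempt, shared exit label. */
int discover_buggy(struct mock_skb *first, struct mock_skb *fresh, int fail)
{
	struct mock_skb *nfcid_skb = first;
	int r;
	mock_kfree_skb(nfcid_skb);
	r = mock_get_param(&nfcid_skb, fresh, fail);
	if (r < 0)
		goto exit;	/* nfcid_skb still points at the freed buffer */
	r = 1;
exit:
	mock_kfree_skb(nfcid_skb);
	return r;
}

/* Same flow, but the stale pointer is cleared right after the early free. */
int discover_fixed(struct mock_skb *first, struct mock_skb *fresh, int fail)
{
	struct mock_skb *nfcid_skb = first;
	int r;
	mock_kfree_skb(nfcid_skb);
	nfcid_skb = NULL;
	r = mock_get_param(&nfcid_skb, fresh, fail);
	if (r >= 0)
		r = 1;
	mock_kfree_skb(nfcid_skb);	/* no-op when the getter failed */
	return r;
}
```

Because the mock counts frees instead of releasing memory, a free_count of 2 on the first buffer marks the double free without triggering undefined behaviour.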