diff mbox

NFC: nfcmrvl: double free on error path

Message ID 20170308052237.GA14542@mwanda (mailing list archive)
State Accepted
Delegated to: Samuel Ortiz
Headers show

Commit Message

Dan Carpenter March 8, 2017, 5:22 a.m. UTC 
The nci_spi_send() function calls kfree_skb(skb) on both error and
success so this extra kfree_skb() is a double free.

Fixes: caf6e49bf6d0 ("NFC: nfcmrvl: add spi driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
Static analysis.  Not tested.

Comments

Samuel Ortiz April 1, 2017, 10:11 p.m. UTC | #1 
Hi Dan,

On Wed, Mar 08, 2017 at 08:22:37AM +0300, Dan Carpenter wrote:
> The nci_spi_send() function calls kfree_skb(skb) on both error and
> success so this extra kfree_skb() is a double free.
> 
> Fixes: caf6e49bf6d0 ("NFC: nfcmrvl: add spi driver")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> Static analysis.  Not tested.
Applied to nfc-next, thanks.

Cheers,
Samuel.
Dan Carpenter April 19, 2017, 11:47 a.m. UTC | #2 
On Sun, Apr 02, 2017 at 12:11:17AM +0200, Samuel Ortiz wrote:
> Hi Dan,
> 
> On Wed, Mar 08, 2017 at 08:22:37AM +0300, Dan Carpenter wrote:
> > The nci_spi_send() function calls kfree_skb(skb) on both error and
> > success so this extra kfree_skb() is a double free.
> > 
> > Fixes: caf6e49bf6d0 ("NFC: nfcmrvl: add spi driver")
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > ---
> > Static analysis.  Not tested.
> Applied to nfc-next, thanks.
> 

This is still not showing up in linux-next.

regards,
dan carpenter
Samuel Ortiz April 19, 2017, 12:52 p.m. UTC | #3 
On Wed, Apr 19, 2017 at 02:47:34PM +0300, Dan Carpenter wrote:
> On Sun, Apr 02, 2017 at 12:11:17AM +0200, Samuel Ortiz wrote:
> > Hi Dan,
> > 
> > On Wed, Mar 08, 2017 at 08:22:37AM +0300, Dan Carpenter wrote:
> > > The nci_spi_send() function calls kfree_skb(skb) on both error and
> > > success so this extra kfree_skb() is a double free.
> > > 
> > > Fixes: caf6e49bf6d0 ("NFC: nfcmrvl: add spi driver")
> > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > > ---
> > > Static analysis.  Not tested.
> > Applied to nfc-next, thanks.
> > 
> 
> This is still not showing up in linux-next.
I sent a pending pull request containing it.

Cheers,
Samuel
Dan Carpenter April 19, 2017, 1:29 p.m. UTC | #4 
On Wed, Apr 19, 2017 at 02:52:29PM +0200, Samuel Ortiz wrote:
> On Wed, Apr 19, 2017 at 02:47:34PM +0300, Dan Carpenter wrote:
> > On Sun, Apr 02, 2017 at 12:11:17AM +0200, Samuel Ortiz wrote:
> > > Hi Dan,
> > > 
> > > On Wed, Mar 08, 2017 at 08:22:37AM +0300, Dan Carpenter wrote:
> > > > The nci_spi_send() function calls kfree_skb(skb) on both error and
> > > > success so this extra kfree_skb() is a double free.
> > > > 
> > > > Fixes: caf6e49bf6d0 ("NFC: nfcmrvl: add spi driver")
> > > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > > > ---
> > > > Static analysis.  Not tested.
> > > Applied to nfc-next, thanks.
> > > 
> > 
> > This is still not showing up in linux-next.
> I sent a pending pull request containing it.

Ah.  Sorry for the noise.  I didn't realize your tree didn't feed into
linux-next directly.  Perhaps it should, though?

regards,
dan carpenter
diff mbox

Patch

diff --git a/drivers/nfc/nfcmrvl/spi.c b/drivers/nfc/nfcmrvl/spi.c
index a7faa0bcc01e..fc8e78a29d77 100644
--- a/drivers/nfc/nfcmrvl/spi.c
+++ b/drivers/nfc/nfcmrvl/spi.c
@@ -96,10 +96,9 @@  static int nfcmrvl_spi_nci_send(struct nfcmrvl_private *priv,
 	/* Send the SPI packet */
 	err = nci_spi_send(drv_data->nci_spi, &drv_data->handshake_completion,
 			   skb);
-	if (err != 0) {
+	if (err)
 		nfc_err(priv->dev, "spi_send failed %d", err);
-		kfree_skb(skb);
-	}
+
 	return err;
 }