| Message ID | 20180629124717.2011-2-daniel@zonque.org (mailing list archive) |
|---|---|
| State | Superseded |
| Delegated to: | Samuel Ortiz |
| Headers | show |
Hi, I'll resend the two patches in this series as part of a bigger series soon, please ignore them for now. Thanks, Daniel On Friday, June 29, 2018 02:47 PM, Daniel Mack wrote: > In the error path of the IRQ handler, don't free the skb in flight. The > callback in the digital core will do that for us, so this is another > double-free that leads to memory corruptions. > > The assignment of 'wtx' doesn't make sense as the variable is not read > after it is written. Drop it. > > Signed-off-by: Daniel Mack <daniel@zonque.org> > --- > drivers/nfc/st95hf/core.c | 2 -- > 1 file changed, 2 deletions(-) > > diff --git a/drivers/nfc/st95hf/core.c b/drivers/nfc/st95hf/core.c > index ef91ca8b53a4..e651e1aae5a3 100644 > --- a/drivers/nfc/st95hf/core.c > +++ b/drivers/nfc/st95hf/core.c > @@ -868,8 +868,6 @@ static irqreturn_t st95hf_irq_thread_handler(int irq, void *st95hfcontext) > return IRQ_HANDLED; > > end: > - kfree_skb(skb_resp); > - wtx = false; > cb_arg->rats = false; > skb_resp = ERR_PTR(result); > /* call of callback with error */ >
diff --git a/drivers/nfc/st95hf/core.c b/drivers/nfc/st95hf/core.c index ef91ca8b53a4..e651e1aae5a3 100644 --- a/drivers/nfc/st95hf/core.c +++ b/drivers/nfc/st95hf/core.c @@ -868,8 +868,6 @@ static irqreturn_t st95hf_irq_thread_handler(int irq, void *st95hfcontext) return IRQ_HANDLED; end: - kfree_skb(skb_resp); - wtx = false; cb_arg->rats = false; skb_resp = ERR_PTR(result); /* call of callback with error */
In the error path of the IRQ handler, don't free the skb in flight. The callback in the digital core will do that for us, so this is another double-free that leads to memory corruptions. The assignment of 'wtx' doesn't make sense as the variable is not read after it is written. Drop it. Signed-off-by: Daniel Mack <daniel@zonque.org> --- drivers/nfc/st95hf/core.c | 2 -- 1 file changed, 2 deletions(-)