Patchwork [3.5.y.z,extended,stable] Patch "NFC: pn533: Fix use after free" has been added to staging queue

Submitter Herton Ronaldo Krzesinski
Date Dec. 13, 2012, 4:45 a.m.
Permalink /patch/205720/
State New


Herton Ronaldo Krzesinski - Dec. 13, 2012, 4:45 a.m.
This is a note to let you know that I have just added a patch titled

    NFC: pn533: Fix use after free

to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree 
which can be found at:;a=shortlog;h=refs/heads/linux-3.5.y-queue

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.5.y.z tree, see



From b573f5e2bef1ee4c5c41c8dbf6a5bf8ffd79d1c6 Mon Sep 17 00:00:00 2001
From: Szymon Janc <>
Date: Mon, 29 Oct 2012 14:04:43 +0100
Subject: [PATCH 01/20] NFC: pn533: Fix use after free

commit 770f750bc2b8312489c8e45306f551d08a319d3c upstream.

cmd was freed in pn533_dep_link_up regardless of
pn533_send_cmd_frame_async return code. Cmd is passed as argument to
pn533_in_dep_link_up_complete callback and should be freed there.

Signed-off-by: Szymon Janc <>
Signed-off-by: Samuel Ortiz <>
Signed-off-by: Herton Ronaldo Krzesinski <>
 drivers/nfc/pn533.c |    8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)



diff --git a/drivers/nfc/pn533.c b/drivers/nfc/pn533.c
index 19110f0..3811d60 100644
--- a/drivers/nfc/pn533.c
+++ b/drivers/nfc/pn533.c
@@ -1395,12 +1395,8 @@  static int pn533_dep_link_up(struct nfc_dev *nfc_dev, struct nfc_target *target,
 	rc = pn533_send_cmd_frame_async(dev, dev->out_frame, dev->in_frame,
 				dev->in_maxlen,	pn533_in_dep_link_up_complete,
 				cmd, GFP_KERNEL);
-	if (rc)
-		goto out;
-	kfree(cmd);
+	if (rc < 0)
+		kfree(cmd);

 	return rc;
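
Review bot: The error test on the added lines changes from `if (rc)` to `if (rc < 0)`, so a positive non-zero return from pn533_send_cmd_frame_async would now be treated as a successful submit and cmd would be left for the callback to free. It is worth confirming that the function returns only 0 or a negative errno, or else keeping `if (rc)`. The ownership rule from the commit message (once the submit succeeds, cmd belongs to pn533_in_dep_link_up_complete) is not stated anywhere in the code, so a one-line comment above `kfree(cmd);` would keep a later cleanup from reintroducing the double ownership. The callback is not part of this hunk; it needs to free cmd on every path, including its error returns, otherwise the use after free is traded for a leak.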