[3.5.y.z,extended,stable] Patch "NFC: pn533: Fix use after free" has been added to staging queue

Message ID 1355373938-2501-1-git-send-email-herton.krzesinski@canonical.com
State New
Headers show

Commit Message

Herton Ronaldo Krzesinski Dec. 13, 2012, 4:45 a.m.
This is a note to let you know that I have just added a patch titled

    NFC: pn533: Fix use after free

to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree 
which can be found at:


If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.5.y.z tree, see



From b573f5e2bef1ee4c5c41c8dbf6a5bf8ffd79d1c6 Mon Sep 17 00:00:00 2001
From: Szymon Janc <szymon.janc@tieto.com>
Date: Mon, 29 Oct 2012 14:04:43 +0100
Subject: [PATCH 01/20] NFC: pn533: Fix use after free

commit 770f750bc2b8312489c8e45306f551d08a319d3c upstream.

cmd was freed in pn533_dep_link_up regardless of
pn533_send_cmd_frame_async return code. Cmd is passed as argument to
pn533_in_dep_link_up_complete callback and should be freed there.

Signed-off-by: Szymon Janc <szymon.janc@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Signed-off-by: Herton Ronaldo Krzesinski <herton.krzesinski@canonical.com>
 drivers/nfc/pn533.c |    8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)



diff --git a/drivers/nfc/pn533.c b/drivers/nfc/pn533.c
index 19110f0..3811d60 100644
--- a/drivers/nfc/pn533.c
+++ b/drivers/nfc/pn533.c
@@ -1395,12 +1395,8 @@  static int pn533_dep_link_up(struct nfc_dev *nfc_dev, struct nfc_target *target,
 	rc = pn533_send_cmd_frame_async(dev, dev->out_frame, dev->in_frame,
 				dev->in_maxlen,	pn533_in_dep_link_up_complete,
 				cmd, GFP_KERNEL);
-	if (rc)
-		goto out;
-	kfree(cmd);
+	if (rc < 0)
+		kfree(cmd);

 	return rc;