From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Pan Bian, "David S. Miller"
Subject: [PATCH 4.9 07/65] NFC: st21nfca: fix double free
Date: Mon, 11 Nov 2019 19:28:07 +0100
Message-Id: <20191111181336.300618727@linuxfoundation.org>
In-Reply-To: <20191111181331.917659011@linuxfoundation.org>
References: <20191111181331.917659011@linuxfoundation.org>

From: Pan Bian

[ Upstream commit 99a8efbb6e30b72ac98cecf81103f847abffb1e5 ]

The variable nfcid_skb is not changed in the callee nfc_hci_get_param()
if error occurs. Consequently, the freed variable nfcid_skb will be
freed again, resulting in a double free bug. Set nfcid_skb to NULL after
releasing it to fix the bug.

Signed-off-by: Pan Bian
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman

--- drivers/nfc/st21nfca/core.c | 1 + 1 file changed, 1 insertion(+) --- a/drivers/nfc/st21nfca/core.c +++ b/drivers/nfc/st21nfca/core.c @@ -719,6 +719,7 @@ static int st21nfca_hci_complete_target_ NFC_PROTO_FELICA_MASK; } else { kfree_skb(nfcid_skb); + nfcid_skb = NULL; /* P2P in type A */ r = nfc_hci_get_param(hdev, ST21NFCA_RF_READER_F_GATE, ST21NFCA_RF_READER_F_NFCID1,
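
Review bot: the `nfcid_skb = NULL;` added after `kfree_skb(nfcid_skb);` in the else branch only closes the double free if every later use of nfcid_skb on the failure path of the second nfc_hci_get_param() call tolerates NULL. kfree_skb() itself returns early on a NULL skb, so a plain free in the cleanup code is fine, but that cleanup is outside this hunk, so please confirm that no error path reads a field of nfcid_skb (its length or data, for example) before freeing it. The fragility comes from reusing one pointer for two successive nfc_hci_get_param() calls. A short comment on the new line saying that the callee leaves the pointer untouched on error would keep a later cleanup from dropping the assignment as redundant.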