This is a note to let you know that I've just added the patch titled
NFC: nfcmrvl: double free on error path
to the 4.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git%3Ba=su...
The filename of the patch is: nfc-nfcmrvl-double-free-on-error-path.patch and it can be found in the queue-4.9 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree, please let stable@vger.kernel.org know about it.
From foo@baz Sun Mar 18 16:55:33 CET 2018
From: Dan Carpenter dan.carpenter@oracle.com Date: Wed, 8 Mar 2017 08:22:37 +0300 Subject: NFC: nfcmrvl: double free on error path
From: Dan Carpenter dan.carpenter@oracle.com
[ Upstream commit ca42fb9e52d155547e6cf18cf26bce3e1a6af4ea ]
The nci_spi_send() function calls kfree_skb(skb) on both error and success so this extra kfree_skb() is a double free.
Fixes: caf6e49bf6d0 ("NFC: nfcmrvl: add spi driver") Signed-off-by: Dan Carpenter dan.carpenter@oracle.com Signed-off-by: Samuel Ortiz sameo@linux.intel.com Signed-off-by: Sasha Levin alexander.levin@microsoft.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- drivers/nfc/nfcmrvl/spi.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-)
--- a/drivers/nfc/nfcmrvl/spi.c +++ b/drivers/nfc/nfcmrvl/spi.c @@ -96,10 +96,9 @@ static int nfcmrvl_spi_nci_send(struct n /* Send the SPI packet */ err = nci_spi_send(drv_data->nci_spi, &drv_data->handshake_completion, skb); - if (err != 0) { + if (err) nfc_err(priv->dev, "spi_send failed %d", err); - kfree_skb(skb); - } + return err; }
Patches currently in stable-queue which might be from dan.carpenter@oracle.com are
queue-4.9/media-cpia2-fix-a-couple-off-by-one-bugs.patch queue-4.9/nfc-nfcmrvl-double-free-on-error-path.patch queue-4.9/asoc-nuc900-fix-a-loop-timeout-test.patch