[PATCH] NFC: fdp: fix incorrect free object

[PATCH] NFC: fdp: fix incorrect free object

[Pan Bian]

The address of fw_vsc_cfg is on stack. Releasing it with devm_kfree() is
incorrect, which may result in a system crash or other security impacts.
The expected object to free is *fw_vsc_cfg.

Signed-off-by: Pan Bian <bianpan2016@163.com>
---
 drivers/nfc/fdp/i2c.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/nfc/fdp/i2c.c b/drivers/nfc/fdp/i2c.c
index 1cd113c8d7cb..ad0abb1f0bae 100644
--- a/drivers/nfc/fdp/i2c.c
+++ b/drivers/nfc/fdp/i2c.c
@@ -259,7 +259,7 @@ static void fdp_nci_i2c_read_device_properties(struct device *dev,
 						  *fw_vsc_cfg, len);
 
 		if (r) {
-			devm_kfree(dev, fw_vsc_cfg);
+			devm_kfree(dev, *fw_vsc_cfg);
 			goto vsc_read_err;
 		}
 	} else {
-- 
2.7.4

Re: [PATCH] NFC: fdp: fix incorrect free object

[David Miller]

From: Pan Bian <bianpan2016@163.com>
Date: Tue,  5 Nov 2019 16:34:07 +0800

> The address of fw_vsc_cfg is on stack. Releasing it with devm_kfree() is
> incorrect, which may result in a system crash or other security impacts.
> The expected object to free is *fw_vsc_cfg.
> 
> Signed-off-by: Pan Bian <bianpan2016@163.com>

Applied and queued up for -stable, thanks.