Merge tag 'nfc-fixes-3.7-2' of git://git.kernel.org/pub/scm/linux/kernel/git/sameo/nfc-3.0

This is an NFC LLCP fix for 3.7 and contains only one patch. It fixes a potential crash when receiving an LLCP HDLC frame acking a frame that is not the last sent one. In that case we may dereference an already freed pointer.
author: John W. Linville <linville@tuxdriver.com> 2012-12-06 14:55:57 -0500
committer: John W. Linville <linville@tuxdriver.com> 2012-12-06 14:55:57 -0500
commit: 55cb0797fa779e36f62876a8aa44cbf3984e8d59 (patch)
tree: ea84d334ec666e558d3e4c6dd259a8f239374432 /net/nfc
parent: 795e9364215dc98b1dea888ebae22383ecbbb92a (diff)
parent: 289814918ce3af1296ac7d9b05508bde64e97348 (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/net/nfc/llcp/llcp.c b/net/nfc/llcp/llcp.c
index 2df87056c6df..ec43914c92a9 100644
--- a/net/nfc/llcp/llcp.c
+++ b/net/nfc/llcp/llcp.c
@@ -985,15 +985,18 @@ static void nfc_llcp_recv_hdlc(struct nfc_llcp_local *local,
        /* Remove skbs from the pending queue */
        if (llcp_sock->send_ack_n != nr) {
                struct sk_buff *s, *tmp;
+                u8 n;
                llcp_sock->send_ack_n = nr;
                /* Remove and free all skbs until ns == nr */
                skb_queue_walk_safe(&llcp_sock->tx_pending_queue, s, tmp) {
+                        n = nfc_llcp_ns(s);
                        skb_unlink(s, &llcp_sock->tx_pending_queue);
                        kfree_skb(s);
-                        if (nfc_llcp_ns(s) == nr)
+                        if (n == nr)
                                break;
                }
author	John W. Linville <linville@tuxdriver.com>	2012-12-06 14:55:57 -0500
committer	John W. Linville <linville@tuxdriver.com>	2012-12-06 14:55:57 -0500
commit	55cb0797fa779e36f62876a8aa44cbf3984e8d59 (patch)
tree	ea84d334ec666e558d3e4c6dd259a8f239374432 /net/nfc
parent	795e9364215dc98b1dea888ebae22383ecbbb92a (diff)
parent	289814918ce3af1296ac7d9b05508bde64e97348 (diff)