In the error path of the IRQ handler, don't free the skb in flight. The callback in the digital core will do that for us, so this is another double-free that leads to memory corruptions. The assignment of 'wtx' doesn't make sense as the variable is not read after it is written. Drop it. Signed-off-by: Daniel Mack <daniel@xxxxxxxxxx> --- drivers/nfc/st95hf/core.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/drivers/nfc/st95hf/core.c b/drivers/nfc/st95hf/core.c index ef91ca8b53a4..e651e1aae5a3 100644 --- a/drivers/nfc/st95hf/core.c +++ b/drivers/nfc/st95hf/core.c @@ -868,8 +868,6 @@ static irqreturn_t st95hf_irq_thread_handler(int irq, void *st95hfcontext) return IRQ_HANDLED; end: - kfree_skb(skb_resp); - wtx = false; cb_arg->rats = false; skb_resp = ERR_PTR(result); /* call of callback with error */ -- 2.17.1
