NFC: digital: fix possible memory leak in digital_tg_listen_mdaa()

commit 58e7dcc9ca29c14e44267a4d0ea61e3229124907 upstream.

'params' is allocated in digital_tg_listen_mdaa(), but not free when
digital_send_cmd() failed, which will cause memory leak. Fix it by
freeing 'params' if digital_send_cmd() return failed.

Fixes: 1c7a4c24fbfd ("NFC Digital: Add target NFC-DEP support")
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/net/nfc/digital_core.c b/net/nfc/digital_core.c
index de6dd37d04c7065b9eb9f5186f735136048be335..440322d069bb2646eb42f97f0a4f51b2303fe260 100644 (file)
--- a/net/nfc/digital_core.c
+++ b/net/nfc/digital_core.c
@@ -286,6 +286,7 @@ int digital_tg_configure_hw(struct nfc_digital_dev *ddev, int type, int param)
 static int digital_tg_listen_mdaa(struct nfc_digital_dev *ddev, u8 rf_tech)
 {
        struct digital_tg_mdaa_params *params;
+       int rc;
 
        params = kzalloc(sizeof(*params), GFP_KERNEL);
        if (!params)
@@ -300,8 +301,12 @@ static int digital_tg_listen_mdaa(struct nfc_digital_dev *ddev, u8 rf_tech)
        get_random_bytes(params->nfcid2 + 2, NFC_NFCID2_MAXSIZE - 2);
        params->sc = DIGITAL_SENSF_FELICA_SC;
 
-       return digital_send_cmd(ddev, DIGITAL_CMD_TG_LISTEN_MDAA, NULL, params,
-                               500, digital_tg_recv_atr_req, NULL);
+       rc = digital_send_cmd(ddev, DIGITAL_CMD_TG_LISTEN_MDAA, NULL, params,
+                             500, digital_tg_recv_atr_req, NULL);
+       if (rc)
+               kfree(params);
+
+       return rc;
 }
 
 static int digital_tg_listen_md(struct nfc_digital_dev *ddev, u8 rf_tech)