Hello Thierry Escande,

The patch 1c7a4c24fbfd: "NFC Digital: Add target NFC-DEP support"
from Sep 19, 2013, leads to the following static checker warning:

net/nfc/digital_dep.c:1303 digital_tg_recv_dep_req()
error: double free of 'resp'

net/nfc/digital_dep.c
1287
1288 goto free_resp;
1289 }
1290
1291 rc = nfc_tm_data_received(ddev->nfc_dev, resp);

This function does a kfree_skb() on the error path. I don't know about
the success path. Other code seems to assume it frees on success so
maybe?

1292
1293 exit:
1294 kfree_skb(ddev->chaining_skb);
1295 ddev->chaining_skb = NULL;
1296
1297 ddev->atn_count = 0;
1298
1299 kfree_skb(ddev->saved_skb);
1300 ddev->saved_skb = NULL;
1301
1302 if (rc)
1303 kfree_skb(resp);

Of course kfree_skb() is refcounted but I think this has to be a bug.

1304
1305 return;
1306
1307 free_resp:
1308 dev_kfree_skb(resp);

But then we do dev_kfree_skb() here. It's not clear to me why sometimes
we use regular kfree_skb() but not here.

1309 }

regards,
dan carpenter
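
A userspace model of the ownership pattern the report questions, added here as an illustration and not part of the original message or the kernel source. `struct buf`, `buf_put`, `consume` and both callers are hypothetical stand-ins, the consumer keeping the buffer on success is an assumption, and the model counts over-releases instead of freeing memory so the effect of a second reference holder is visible.

```c
#include <stdio.h>
/* Userspace stand-in for a refcounted sk_buff (constructed model, not kernel code). */
struct buf {
    int users;        /* references currently held */
    int over_release; /* puts seen after users already reached zero */
};

/* Models kfree_skb(): drop one reference; count, rather than perform, a double free. */
static void buf_put(struct buf *b)
{
    if (b->users == 0)
        b->over_release++;
    else
        b->users--;
}

/* Hypothetical consumer: releases the buffer on its error path, as the report
 * says of nfc_tm_data_received(); keeping it on success is an assumption. */
static int consume(struct buf *b, int fail)
{
    if (!fail)
        return 0;
    buf_put(b);
    return -1;
}

/* Flagged pattern: the caller releases again when the consumer failed. */
static struct buf caller_flagged(int users, int fail)
{
    struct buf b = { users, 0 };
    if (consume(&b, fail))
        buf_put(&b);
    return b;
}

/* Hand-off pattern: the caller never touches the buffer after consume(). */
static struct buf caller_handoff(int users, int fail)
{
    struct buf b = { users, 0 };
    (void)consume(&b, fail);
    return b;
}

int main(void)
{
    printf("sole owner: %d over-release\n", caller_flagged(1, 1).over_release);
    printf("second holder: %d users left\n", caller_flagged(2, 1).users);
    return 0;
}
```

With a single owner the second put is an over-release; with a second holder the count absorbs it, but that holder's reference is gone while it still believes the buffer is live.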