The skb that is passed in to ->in_send_cmd() is freed by the core when the function returns. Calling kfree_skb() on it from the driver callback will hence lead to a double-free.
Signed-off-by: Daniel Mack <[email protected]> --- drivers/nfc/st95hf/core.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/drivers/nfc/st95hf/core.c b/drivers/nfc/st95hf/core.c index 394bdc7b0cf2..a50a95cfcfd8 100644 --- a/drivers/nfc/st95hf/core.c +++ b/drivers/nfc/st95hf/core.c @@ -995,8 +995,6 @@ static int st95hf_in_send_cmd(struct nfc_digital_dev *ddev, goto free_skb_resp; } - kfree_skb(skb); - return rc; free_skb_resp: -- 2.14.3
