Commit 6af3aa57 authored by Johan Hovold's avatar Johan Hovold Committed by Jakub Kicinski

NFC: pn533: fix use-after-free and memleaks

The driver would fail to deregister and its class device and free
related resources on late probe errors.

Reported-by: syzbot+cb035c75c03dbe34b796@syzkaller.appspotmail.com
Fixes: 32ecc75d ("NFC: pn533: change order operations in dev registation")
Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
parent 4b793fec
...@@ -547,18 +547,25 @@ static int pn533_usb_probe(struct usb_interface *interface, ...@@ -547,18 +547,25 @@ static int pn533_usb_probe(struct usb_interface *interface,
rc = pn533_finalize_setup(priv); rc = pn533_finalize_setup(priv);
if (rc) if (rc)
goto error; goto err_deregister;
usb_set_intfdata(interface, phy); usb_set_intfdata(interface, phy);
return 0; return 0;
err_deregister:
pn533_unregister_device(phy->priv);
error: error:
usb_kill_urb(phy->in_urb);
usb_kill_urb(phy->out_urb);
usb_kill_urb(phy->ack_urb);
usb_free_urb(phy->in_urb); usb_free_urb(phy->in_urb);
usb_free_urb(phy->out_urb); usb_free_urb(phy->out_urb);
usb_free_urb(phy->ack_urb); usb_free_urb(phy->ack_urb);
usb_put_dev(phy->udev); usb_put_dev(phy->udev);
kfree(in_buf); kfree(in_buf);
kfree(phy->ack_buffer);
return rc; return rc;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment