NFC: pn533: fix use-after-free and memleaks

commit 6af3aa57a0984e061f61308fe181a9a12359fecc upstream. The driver would fail to deregister and its class device and free related resources on late probe errors. Reported-by: syzbot+cb035c75c03dbe34b796@syzkaller.appspotmail.com Fixes: 32ecc75ded72 ("NFC: pn533: change order operations in dev registation") Signed-off-by: Johan Hovold <johan@kernel.org> Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Johan Hovold <johan@kernel.org> 2019-10-07 19:40:59 +0300
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2019-11-06 15:06:25 +0300
commit: 24aaf7f4528f0df0f29667d3921f4a63aa7b806c (patch)
tree: d35ab8f562591ac9128c4502df2827b4d26e4eca /drivers/nfc
parent: 8d9c4a9b867771efbddd6a7d5df6c284babbbd04 (diff)
download: linux-24aaf7f4528f0df0f29667d3921f4a63aa7b806c.tar.xz
1 files changed, 8 insertions, 1 deletions
diff --git a/drivers/nfc/pn533/usb.c b/drivers/nfc/pn533/usb.c
index 5d823e965883..fcb57d64d97e 100644
--- a/drivers/nfc/pn533/usb.c
+++ b/drivers/nfc/pn533/usb.c
@@ -559,18 +559,25 @@ static int pn533_usb_probe(struct usb_interface *interface,
 
 	rc = pn533_finalize_setup(priv);
 	if (rc)
-		goto error;
+		goto err_deregister;
 
 	usb_set_intfdata(interface, phy);
 
 	return 0;
 
+err_deregister:
+	pn533_unregister_device(phy->priv);
 error:
+	usb_kill_urb(phy->in_urb);
+	usb_kill_urb(phy->out_urb);
+	usb_kill_urb(phy->ack_urb);
+
 	usb_free_urb(phy->in_urb);
 	usb_free_urb(phy->out_urb);
 	usb_free_urb(phy->ack_urb);
 	usb_put_dev(phy->udev);
 	kfree(in_buf);
+	kfree(phy->ack_buffer);
 
 	return rc;
 }
author	Johan Hovold <johan@kernel.org>	2019-10-07 19:40:59 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2019-11-06 15:06:25 +0300
commit	24aaf7f4528f0df0f29667d3921f4a63aa7b806c (patch)
tree	d35ab8f562591ac9128c4502df2827b4d26e4eca /drivers/nfc
parent	8d9c4a9b867771efbddd6a7d5df6c284babbbd04 (diff)
download	linux-24aaf7f4528f0df0f29667d3921f4a63aa7b806c.tar.xz