| Message ID | 20191007164059.5927-1-johan@kernel.org (mailing list archive) |
|---|---|
| State | Mainlined |
| Commit | 6af3aa57a0984e061f61308fe181a9a12359fecc |
| Headers | show |
| Series | NFC: pn533: fix use-after-free and memleaks | expand |
On Mon, 7 Oct 2019 18:40:59 +0200, Johan Hovold wrote: > The driver would fail to deregister and its class device and free > related resources on late probe errors. > > Reported-by: syzbot+cb035c75c03dbe34b796@syzkaller.appspotmail.com > Fixes: 32ecc75ded72 ("NFC: pn533: change order operations in dev registation") > Cc: stable <stable@vger.kernel.org> # 4.11 > Signed-off-by: Johan Hovold <johan@kernel.org> Applied to net, thank you
diff --git a/drivers/nfc/pn533/usb.c b/drivers/nfc/pn533/usb.c index c5289eaf17ee..e897e4d768ef 100644 --- a/drivers/nfc/pn533/usb.c +++ b/drivers/nfc/pn533/usb.c @@ -547,18 +547,25 @@ static int pn533_usb_probe(struct usb_interface *interface, rc = pn533_finalize_setup(priv); if (rc) - goto error; + goto err_deregister; usb_set_intfdata(interface, phy); return 0; +err_deregister: + pn533_unregister_device(phy->priv); error: + usb_kill_urb(phy->in_urb); + usb_kill_urb(phy->out_urb); + usb_kill_urb(phy->ack_urb); + usb_free_urb(phy->in_urb); usb_free_urb(phy->out_urb); usb_free_urb(phy->ack_urb); usb_put_dev(phy->udev); kfree(in_buf); + kfree(phy->ack_buffer); return rc; }
The driver would fail to deregister and its class device and free related resources on late probe errors. Reported-by: syzbot+cb035c75c03dbe34b796@syzkaller.appspotmail.com Fixes: 32ecc75ded72 ("NFC: pn533: change order operations in dev registation") Cc: stable <stable@vger.kernel.org> # 4.11 Signed-off-by: Johan Hovold <johan@kernel.org> --- drivers/nfc/pn533/usb.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-)