NFC: pn533: fix use-after-free and memleaks

The driver would fail to deregister and its class device and free related resources on late probe errors. Reported-by: syzbot+cb035c75c03dbe34b796@syzkaller.appspotmail.com Fixes: 32ecc75ded ("NFC: pn533: change order operations in dev registation") Signed-off-by: Johan Hovold <johan@kernel.org> Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
2024-11-23 04:31:50 +00:00 · 2019-10-07 18:40:59 +02:00 · 2019-10-07 18:40:59 +02:00 · 6af3aa57a0
commit 6af3aa57a0
parent 4b793fecca
1 changed files with 8 additions and 1 deletions
--- a/drivers/nfc/pn533/usb.c
+++ b/drivers/nfc/pn533/usb.c
@ -547,18 +547,25 @@ static int pn533_usb_probe(struct usb_interface *interface,

 	rc = pn533_finalize_setup(priv);
 	if (rc)
-		goto error;
+		goto err_deregister;

 	usb_set_intfdata(interface, phy);

 	return 0;

+err_deregister:
+	pn533_unregister_device(phy->priv);
 error:
+	usb_kill_urb(phy->in_urb);
+	usb_kill_urb(phy->out_urb);
+	usb_kill_urb(phy->ack_urb);
+
 	usb_free_urb(phy->in_urb);
 	usb_free_urb(phy->out_urb);
 	usb_free_urb(phy->ack_urb);
 	usb_put_dev(phy->udev);
 	kfree(in_buf);
+	kfree(phy->ack_buffer);

 	return rc;
 }