Google Git
Sign in
kernel / pub / scm / linux / kernel / git / paulg / longterm-queue-5.2 / refs/tags/v5.2.34 / . / release / 5.2.26 / NFC-pn533-fix-use-after-free-and-memleaks.patch
blob: e04713a2f1b705307bf7f23f9667f04656c5e553 [file] [log] [blame]
From 46c6a3ec4ead5b264e12b72759906cab7648a06f Mon Sep 17 00:00:00 2001
From: Johan Hovold <johan@kernel.org>
Date: Mon, 7 Oct 2019 18:40:59 +0200
Subject: [PATCH] NFC: pn533: fix use-after-free and memleaks
commit 6af3aa57a0984e061f61308fe181a9a12359fecc upstream.
The driver would fail to deregister and its class device and free
related resources on late probe errors.
Reported-by: syzbot+cb035c75c03dbe34b796@syzkaller.appspotmail.com
Fixes: 32ecc75ded72 ("NFC: pn533: change order operations in dev registation")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
diff --git a/drivers/nfc/pn533/usb.c b/drivers/nfc/pn533/usb.c
index c5289eaf17ee..e897e4d768ef 100644
--- a/drivers/nfc/pn533/usb.c
+++ b/drivers/nfc/pn533/usb.c
@@ -547,18 +547,25 @@ static int pn533_usb_probe(struct usb_interface *interface,
rc = pn533_finalize_setup(priv);
if (rc)
- goto error;
+ goto err_deregister;
usb_set_intfdata(interface, phy);
return 0;
+err_deregister:
+ pn533_unregister_device(phy->priv);
error:
+ usb_kill_urb(phy->in_urb);
+ usb_kill_urb(phy->out_urb);
+ usb_kill_urb(phy->ack_urb);
+
usb_free_urb(phy->in_urb);
usb_free_urb(phy->out_urb);
usb_free_urb(phy->ack_urb);
usb_put_dev(phy->udev);
kfree(in_buf);
+ kfree(phy->ack_buffer);
return rc;
}
--
2.7.4