Received: by 2002:a25:31c3:0:0:0:0:0 with SMTP id x186csp4491115ybx; Mon, 4 Nov 2019 14:17:58 -0800 (PST) X-Google-Smtp-Source: APXvYqww1KGHdBaB7U3G/K+cJYUPESGBRWT3KESjmbtDbYxdkaNwCexHMs2l+Pd7DgHXVA439/zM X-Received: by 2002:a17:906:5a83:: with SMTP id l3mr5845900ejq.194.1572905878189; Mon, 04 Nov 2019 14:17:58 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1572905878; cv=none; d=google.com; s=arc-20160816; b=NsS5Mswz9pHemyWgg9Kc8s5d2rmE+DaICLTv2x4ZrXc5hennWdoKBbcWevFH5+jjxT 7Yj0bEWSs3RAsgN4qEYcy8YAn0fkRtRrifOstdaWn+HWBW0/JoytF2vowPze4WkuWxTg ofXvlpSmhXOMQCIonYBO6B2mjOzZc9ie3+/wXQ1I0mhmmmHDagKjDSVXgXyzC3hEuQDq +JoU9Q2x2NDxeV0Cq4nGbpEUQBMYTYEGGilUpW1Zu0Bf2Db4AYPHvm/RA/WChYI8kTQD XqmNnEsULE4nNZRHR/tG+nlEsp53cV6aVB/v71UFjlh6F7eUnArtbbW0Pe+M4DMsO96A l4Gw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=WfQYVI8wGT9d9Zn34ZP1HyJhXAXSv8U2Jz/kbe+iQJY=; b=C7SftKjMbiFNxJrjDngwz0ESIUPJWtOVTsn3akp+AXdOzmhPh9OSBwJrpS29C7BLP2 Q9T91axlIRJ0PAVv7JtTWTKHMM4x39O9MosOVWml5ziJEDMa6Mez6ypMMtYfg2k2f5L3 OFyDqu4b9CTmE1eB51D6PXgP5dBc1fx+i/Dpu2hPusnPjQLD6VOKdtrlS57TRXIxzGdK ERTZkpX9AcdgjyVO7AQK+cZokcDNdLQNPs09kIR++oIgzn6/TFPuzyBhSoYXrv60ZUSz JSvse2UYcRuRmWmTodzaIC0AwyjbZnI/0tMI34ZyPXoqzQsVS876KzAwJkEOToVUDkDm 9QAQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=j7HNJ3YM; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z41si8288674edb.166.2019.11.04.14.17.34; Mon, 04 Nov 2019 14:17:58 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=j7HNJ3YM; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2388633AbfKDWDN (ORCPT + 99 others); Mon, 4 Nov 2019 17:03:13 -0500 Received: from mail.kernel.org ([198.145.29.99]:33444 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388757AbfKDWDJ (ORCPT ); Mon, 4 Nov 2019 17:03:09 -0500 Received: from localhost (6.204-14-84.ripe.coltfrance.com [84.14.204.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 1E62A205C9; Mon, 4 Nov 2019 22:03:07 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1572904988; bh=xxDDr/zM+xU3ky0bYYZKmJYCAwy45XockdaIYNTjliU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=j7HNJ3YMhdQWJOO1Uupi+Jm3xZYHNnhCGFCN0EftzQt6ArLx/10bKgQp9QKu+xcIV /mSkNtK5mNPDRgxMhCa3T20mNnEBa5THntppdtFhRElf+B1Qw0Ru75jKQbE7elmGP1 K2gaPNRBHVf4OkTkrtW4nuP+2qvMXQCFjb2NJL+g= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+cb035c75c03dbe34b796@syzkaller.appspotmail.com, Johan Hovold , Jakub Kicinski Subject: [PATCH 4.19 141/149] NFC: pn533: fix use-after-free and memleaks Date: Mon, 4 Nov 2019 22:45:34 +0100 Message-Id: <20191104212146.601835991@linuxfoundation.org> X-Mailer: git-send-email 2.23.0 In-Reply-To: <20191104212126.090054740@linuxfoundation.org> References: <20191104212126.090054740@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Johan Hovold commit 6af3aa57a0984e061f61308fe181a9a12359fecc upstream. The driver would fail to deregister and its class device and free related resources on late probe errors. Reported-by: syzbot+cb035c75c03dbe34b796@syzkaller.appspotmail.com Fixes: 32ecc75ded72 ("NFC: pn533: change order operations in dev registation") Signed-off-by: Johan Hovold Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman --- drivers/nfc/pn533/usb.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) --- a/drivers/nfc/pn533/usb.c +++ b/drivers/nfc/pn533/usb.c @@ -559,18 +559,25 @@ static int pn533_usb_probe(struct usb_in rc = pn533_finalize_setup(priv); if (rc) - goto error; + goto err_deregister; usb_set_intfdata(interface, phy); return 0; +err_deregister: + pn533_unregister_device(phy->priv); error: + usb_kill_urb(phy->in_urb); + usb_kill_urb(phy->out_urb); + usb_kill_urb(phy->ack_urb); + usb_free_urb(phy->in_urb); usb_free_urb(phy->out_urb); usb_free_urb(phy->ack_urb); usb_put_dev(phy->udev); kfree(in_buf); + kfree(phy->ack_buffer); return rc; }