USB: usbtmc: fix probe error path
authorJohan Hovold <johan@kernel.org>
Tue, 14 Mar 2017 16:55:46 +0000 (17:55 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 17 Mar 2017 04:22:58 +0000 (13:22 +0900)
Make sure to initialise the return value to avoid having allocation
failures going unnoticed when allocating interrupt-endpoint resources.

This prevents use-after-free or worse when the device is later unbound.

Fixes: dbf3e7f654c0 ("Implement an ioctl to support the USMTMC-USB488 READ_STATUS_BYTE operation.")
Cc: stable <stable@vger.kernel.org> # 4.6
Cc: Dave Penkler <dpenkler@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/usb/class/usbtmc.c

index 5e3446db4513acf14bcbb489714999359b794232..8fb309a0ff6b5dae0c6f867cd323585aeff17252 100644 (file)
@@ -1476,8 +1476,10 @@ static int usbtmc_probe(struct usb_interface *intf,
        if (data->iin_ep_present) {
                /* allocate int urb */
                data->iin_urb = usb_alloc_urb(0, GFP_KERNEL);
-               if (!data->iin_urb)
+               if (!data->iin_urb) {
+                       retcode = -ENOMEM;
                        goto error_register;
+               }
 
                /* Protect interrupt in endpoint data until iin_urb is freed */
                kref_get(&data->kref);
@@ -1485,8 +1487,10 @@ static int usbtmc_probe(struct usb_interface *intf,
                /* allocate buffer for interrupt in */
                data->iin_buffer = kmalloc(data->iin_wMaxPacketSize,
                                        GFP_KERNEL);
-               if (!data->iin_buffer)
+               if (!data->iin_buffer) {
+                       retcode = -ENOMEM;
                        goto error_register;
+               }
 
                /* fill interrupt urb */
                usb_fill_int_urb(data->iin_urb, data->usb_dev,