nfc: port100: handle command failure cleanly

commit 5f9f0b11f0816b35867f2cf71e54d95f53f03902 upstream.

If starting the transfer of a command suceeds but the transfer for the reply
fails, it is not enough to initiate killing the transfer for the
command may still be running. You need to wait for the killing to finish
before you can reuse URB and buffer.

Reported-and-tested-by: syzbot+711468aa5c3a1eabf863@syzkaller.appspotmail.com
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/nfc/port100.c b/drivers/nfc/port100.c
index 073e4a478c89a4db1b47eec392a23823fcf82230..3cd995de1bbb58f94245204d83920faaa3161821 100644 (file)
--- a/drivers/nfc/port100.c
+++ b/drivers/nfc/port100.c
@@ -791,7 +791,7 @@ static int port100_send_frame_async(struct port100 *dev, struct sk_buff *out,
 
        rc = port100_submit_urb_for_ack(dev, GFP_KERNEL);
        if (rc)
-               usb_unlink_urb(dev->out_urb);
+               usb_kill_urb(dev->out_urb);
 
 exit:
        mutex_unlock(&dev->out_urb_lock);