nfc: port100: handle command failure cleanly

If starting the transfer of a command suceeds but the transfer for the reply
fails, it is not enough to initiate killing the transfer for the
command may still be running. You need to wait for the killing to finish
before you can reuse URB and buffer.

Reported-and-tested-by: syzbot+711468aa5c3a1eabf863@syzkaller.appspotmail.com
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/drivers/nfc/port100.c b/drivers/nfc/port100.c
index 145ddf3..604dba4 100644 (file)
--- a/drivers/nfc/port100.c
+++ b/drivers/nfc/port100.c
@@ -783,7 +783,7 @@ static int port100_send_frame_async(struct port100 *dev, struct sk_buff *out,
 
        rc = port100_submit_urb_for_ack(dev, GFP_KERNEL);
        if (rc)
-               usb_unlink_urb(dev->out_urb);
+               usb_kill_urb(dev->out_urb);
 
 exit:
        mutex_unlock(&dev->out_urb_lock);