nfc: port100: handle command failure cleanly

If starting the transfer of a command suceeds but the transfer for the reply
fails, it is not enough to initiate killing the transfer for the
command may still be running. You need to wait for the killing to finish
before you can reuse URB and buffer.

Reported-and-tested-by: syzbot+711468aa5c3a1eabf863@syzkaller.appspotmail.com
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/drivers/nfc/port100.c b/drivers/nfc/port100.c
index 145ddf3f0a45e941ae615f9eaaee04d405608dcb..604dba4f18afdb664bdd4a576cc593816ea5527a 100644 (file)
--- a/drivers/nfc/port100.c
+++ b/drivers/nfc/port100.c
@@ -783,7 +783,7 @@ static int port100_send_frame_async(struct port100 *dev, struct sk_buff *out,
 
        rc = port100_submit_urb_for_ack(dev, GFP_KERNEL);
        if (rc)
-               usb_unlink_urb(dev->out_urb);
+               usb_kill_urb(dev->out_urb);
 
 exit:
        mutex_unlock(&dev->out_urb_lock);