isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe()

commit 3f978e3f1570155a1327ffa25f60968bc7b9398f upstream.

In hfcsusb_probe(), the memory allocated for ctrl_urb gets leaked when
setup_instance() fails with an error code. Fix that by freeing the urb
before freeing the hw structure. Also change the error paths to use the
goto ladder style.

Compile tested only. Issue found using a prototype static analysis tool.

Fixes: 69f52adb2d53 ("mISDN: Add HFC USB driver")
Signed-off-by: Abdun Nihaal <nihaal@cse.iitm.ac.in>
Link: https://patch.msgid.link/20251030042524.194812-1-nihaal@cse.iitm.ac.in
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/isdn/hardware/mISDN/hfcsusb.c b/drivers/isdn/hardware/mISDN/hfcsusb.c
index 1efd17979f240e9000cd219dbc9d72a99ff64c7a..560096bebd3c8b41878ac8fd8c18071e162f163b 100644 (file)
--- a/drivers/isdn/hardware/mISDN/hfcsusb.c
+++ b/drivers/isdn/hardware/mISDN/hfcsusb.c
@@ -1903,13 +1903,13 @@ out:
        mISDN_freebchannel(&hw->bch[1]);
        mISDN_freebchannel(&hw->bch[0]);
        mISDN_freedchannel(&hw->dch);
-       kfree(hw);
        return err;
 }
 
 static int
 hfcsusb_probe(struct usb_interface *intf, const struct usb_device_id *id)
 {
+       int err;
        struct hfcsusb                  *hw;
        struct usb_device               *dev = interface_to_usbdev(intf);
        struct usb_host_interface       *iface = intf->cur_altsetting;
@@ -2100,20 +2100,28 @@ hfcsusb_probe(struct usb_interface *intf, const struct usb_device_id *id)
        if (!hw->ctrl_urb) {
                pr_warn("%s: No memory for control urb\n",
                        driver_info->vend_name);
-               kfree(hw);
-               return -ENOMEM;
+               err = -ENOMEM;
+               goto err_free_hw;
        }
 
        pr_info("%s: %s: detected \"%s\" (%s, if=%d alt=%d)\n",
                hw->name, __func__, driver_info->vend_name,
                conf_str[small_match], ifnum, alt_used);
 
-       if (setup_instance(hw, dev->dev.parent))
-               return -EIO;
+       if (setup_instance(hw, dev->dev.parent)) {
+               err = -EIO;
+               goto err_free_urb;
+       }
 
        hw->intf = intf;
        usb_set_intfdata(hw->intf, hw);
        return 0;
+
+err_free_urb:
+       usb_free_urb(hw->ctrl_urb);
+err_free_hw:
+       kfree(hw);
+       return err;
 }
 
 /* function called when an active device is removed */