isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe()

commit 3f978e3f1570155a1327ffa25f60968bc7b9398f upstream.

In hfcsusb_probe(), the memory allocated for ctrl_urb gets leaked when
setup_instance() fails with an error code. Fix that by freeing the urb
before freeing the hw structure. Also change the error paths to use the
goto ladder style.

Compile tested only. Issue found using a prototype static analysis tool.

Fixes: 69f52adb2d53 ("mISDN: Add HFC USB driver")
Signed-off-by: Abdun Nihaal <nihaal@cse.iitm.ac.in>
Link: https://patch.msgid.link/20251030042524.194812-1-nihaal@cse.iitm.ac.in
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/isdn/hardware/mISDN/hfcsusb.c b/drivers/isdn/hardware/mISDN/hfcsusb.c
index 111a597ef23c29b4372653941ba2873b593762f3..217968f010be6ac9a5f0131abb5b297fd940d6bb 100644 (file)
--- a/drivers/isdn/hardware/mISDN/hfcsusb.c
+++ b/drivers/isdn/hardware/mISDN/hfcsusb.c
@@ -1904,13 +1904,13 @@ out:
        mISDN_freebchannel(&hw->bch[1]);
        mISDN_freebchannel(&hw->bch[0]);
        mISDN_freedchannel(&hw->dch);
-       kfree(hw);
        return err;
 }
 
 static int
 hfcsusb_probe(struct usb_interface *intf, const struct usb_device_id *id)
 {
+       int err;
        struct hfcsusb                  *hw;
        struct usb_device               *dev = interface_to_usbdev(intf);
        struct usb_host_interface       *iface = intf->cur_altsetting;
@@ -2101,20 +2101,28 @@ hfcsusb_probe(struct usb_interface *intf, const struct usb_device_id *id)
        if (!hw->ctrl_urb) {
                pr_warn("%s: No memory for control urb\n",
                        driver_info->vend_name);
-               kfree(hw);
-               return -ENOMEM;
+               err = -ENOMEM;
+               goto err_free_hw;
        }
 
        pr_info("%s: %s: detected \"%s\" (%s, if=%d alt=%d)\n",
                hw->name, __func__, driver_info->vend_name,
                conf_str[small_match], ifnum, alt_used);
 
-       if (setup_instance(hw, dev->dev.parent))
-               return -EIO;
+       if (setup_instance(hw, dev->dev.parent)) {
+               err = -EIO;
+               goto err_free_urb;
+       }
 
        hw->intf = intf;
        usb_set_intfdata(hw->intf, hw);
        return 0;
+
+err_free_urb:
+       usb_free_urb(hw->ctrl_urb);
+err_free_hw:
+       kfree(hw);
+       return err;
 }
 
 /* function called when an active device is removed */