Bluetooth: btusb: fix use-after-free on registration failure

Make sure to release the sibling interfaces in case controller
registration fails to avoid use-after-free and double-free when they are
eventually disconnected.

This issue was reported by Sashiko while reviewing a fix for a wakeup
source leak in the btusb probe errors paths.

Link: https://sashiko.dev/#/patchset/20260402092704.2346710-1-johan%40kernel.org
Fixes: 9bfa35fe422c ("[Bluetooth] Add SCO support to btusb driver")
Fixes: 9d08f50401ac ("Bluetooth: btusb: Add support for Broadcom LM_DIAG interface")
Cc: stable@vger.kernel.org	# 2.6.27
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index 3cbb3c22e20f5b90824922191ce84ee388de2fc8..c181e1a3eb3e228c8aff0b01e31fc966c9a41762 100644 (file)
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -4427,7 +4427,7 @@ static int btusb_probe(struct usb_interface *intf,
 
        err = hci_register_dev(hdev);
        if (err < 0)
-               goto out_free_dev;
+               goto err_release_siblings;
 
        usb_set_intfdata(intf, data);
 
@@ -4436,6 +4436,15 @@ static int btusb_probe(struct usb_interface *intf,
 
        return 0;
 
+err_release_siblings:
+       if (data->diag) {
+               usb_set_intfdata(data->diag, NULL);
+               usb_driver_release_interface(&btusb_driver, data->diag);
+       }
+       if (data->isoc) {
+               usb_set_intfdata(data->isoc, NULL);
+               usb_driver_release_interface(&btusb_driver, data->isoc);
+       }
 out_free_dev:
        if (data->reset_gpio)
                gpiod_put(data->reset_gpio);