The syzbot fuzzer has reported two separate use-after-free issues, which are fixed by the first two patches. Turns out there were more gems in this driver and the next two patches fixes a memory leak and a potential sleep-while-atomic found through inspection. The last one tightens the seemingly broken endpoint sanity check which would have the driver try to submit a bulk URB to the default pipe (and fail). Tested using a mockup device. Johan Johan Hovold (5): rsi: fix use-after-free on failed probe and unbind rsi: fix use-after-free on probe errors rsi: fix memory leak on failed URB submission rsi: fix non-atomic allocation in completion handler rsi: add missing endpoint sanity checks drivers/net/wireless/rsi/rsi_91x_hal.c | 12 +++---- drivers/net/wireless/rsi/rsi_91x_usb.c | 47 ++++++++++++++++++++------ 2 files changed, 43 insertions(+), 16 deletions(-) -- 2.24.0
