[PATCH] HID: u2fzero: free allocated URB on probe errors

Myeonghun Pak posted 1 patch 1 month, 3 weeks ago
drivers/hid/hid-u2fzero.c | 22 +++++++++++++---------
1 file changed, 13 insertions(+), 9 deletions(-)
Posted by Myeonghun Pak 1 month, 3 weeks ago
u2fzero_fill_in_urb() allocates dev->urb with usb_alloc_urb(), but
u2fzero_probe() ignored its return value and only freed the URB from
u2fzero_remove().

If LED or hwrng registration fails after the URB allocation, probe returns
an error and the driver core does not call .remove(), leaking the URB. A
failed URB setup was also allowed to continue probing with an unusable
device.

Check the URB setup result and add the missing probe-error unwind so the
URB is freed before returning from later errors.

Signed-off-by: Myeonghun Pak <mhun512@gmail.com>
---
 drivers/hid/hid-u2fzero.c | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/drivers/hid/hid-u2fzero.c b/drivers/hid/hid-u2fzero.c
index 744a91e6e7..82404b6e2d 100644
--- a/drivers/hid/hid-u2fzero.c
+++ b/drivers/hid/hid-u2fzero.c
@@ -341,29 +341,33 @@ static int u2fzero_probe(struct hid_device *hdev,
 	if (ret)
 		return ret;
 
-	u2fzero_fill_in_urb(dev);
+	ret = u2fzero_fill_in_urb(dev);
+	if (ret)
+		goto err_hid_hw_stop;
 
 	dev->present = true;
 
 	minor = ((struct hidraw *) hdev->hidraw)->minor;
 
 	ret = u2fzero_init_led(dev, minor);
-	if (ret) {
-		hid_hw_stop(hdev);
-		return ret;
-	}
+	if (ret)
+		goto err_free_urb;
 
 	hid_info(hdev, "%s LED initialised\n", hw_configs[dev->hw_revision].name);
 
 	ret = u2fzero_init_hwrng(dev, minor);
-	if (ret) {
-		hid_hw_stop(hdev);
-		return ret;
-	}
+	if (ret)
+		goto err_free_urb;
 
 	hid_info(hdev, "%s RNG initialised\n", hw_configs[dev->hw_revision].name);
 
 	return 0;
+
+err_free_urb:
+	usb_free_urb(dev->urb);
+err_hid_hw_stop:
+	hid_hw_stop(hdev);
+	return ret;
 }
 
 static void u2fzero_remove(struct hid_device *hdev)
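Review bot: The two "goto err_free_urb" sites share one label, so when u2fzero_init_hwrng() fails the unwind frees the URB and stops the HID hardware but does nothing explicit for the LED that u2fzero_init_led() registered just before it. If both registrations are device-managed this is correct, but then they are released only after probe returns, which is after usb_free_urb(dev->urb) has already run and while dev->present is still true (it is set before the LED step and neither new label clears it). Please confirm that no LED or hwrng callback can reach dev->urb in that window, consider setting dev->present = false at err_free_urb, and state in the commit message why LED/hwrng need no unwind label of their own. The message also carries no Fixes: tag, which would help with backporting a leak fix.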
-- 
2.50.1
Re: [PATCH] HID: u2fzero: free allocated URB on probe errors
Posted by Benjamin Tissoires 4 weeks ago
On Fri, 24 Apr 2026 22:21:31 +0900, Myeonghun Pak wrote:
> u2fzero_fill_in_urb() allocates dev->urb with usb_alloc_urb(), but
> u2fzero_probe() ignored its return value and only freed the URB from
> u2fzero_remove().
> 
> If LED or hwrng registration fails after the URB allocation, probe returns
> an error and the driver core does not call .remove(), leaking the URB. A
> failed URB setup was also allowed to continue probing with an unusable
> device.
> 
> [...]

Applied to https://git.kernel.org/pub/scm/linux/kernel/git/hid/hid.git (for-7.1/upstream-fixes), thanks!

[1/1] HID: u2fzero: free allocated URB on probe errors
      https://git.kernel.org/hid/hid/c/2e78b21864dd

Cheers,
-- 
Benjamin Tissoires <bentiss@kernel.org>