From 0ace5f64f89388fddc52b777ff065f24c2d908e2 Mon Sep 17 00:00:00 2001
From: Bastien Nocera
Date: Thu, 27 Sep 2018 15:19:00 +0200
Subject: [PATCH] elan: Fix use-after-free if USB transfer is cancelled

---
 libfprint/drivers/elan.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/libfprint/drivers/elan.c b/libfprint/drivers/elan.c
index 797c1a53..a2c1105c 100644
--- a/libfprint/drivers/elan.c
+++ b/libfprint/drivers/elan.c
@@ -324,11 +324,18 @@ static void elan_cmd_cb(struct libusb_transfer *transfer,
 fpi_ssm *ssm,
 void *user_data)
 {
- struct fp_img_dev *dev = FP_IMG_DEV(_dev);
- struct elan_dev *elandev = FP_INSTANCE_DATA(_dev);
+ struct fp_img_dev *dev;
+ struct elan_dev *elandev;
 
 G_DEBUG_HERE();
 
+ if (transfer->status == LIBUSB_TRANSFER_CANCELLED) {
+ fp_dbg("transfer cancelled");
+ return;
+ }
+
+ dev = FP_IMG_DEV(_dev);
+ elandev = FP_INSTANCE_DATA(_dev);
 elandev->cur_transfer = NULL;
 
 switch (transfer->status) {
@@ -349,11 +356,6 @@ static void elan_cmd_cb(struct libusb_transfer *transfer,
 elan_cmd_read(ssm, dev);
 }
 break;
- case LIBUSB_TRANSFER_CANCELLED:
- fp_dbg("transfer cancelled");
- fpi_ssm_mark_failed(ssm, -ECANCELED);
- elan_deactivate(dev);
- break;
 case LIBUSB_TRANSFER_TIMED_OUT:
 fp_dbg("transfer timed out");
 fpi_ssm_mark_failed(ssm, -ETIMEDOUT);
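Review bot: The early return on `LIBUSB_TRANSFER_CANCELLED` at the top of `elan_cmd_cb` is only safe while nothing reads `_dev`, `ssm` or the instance data before it, and the code does not record that ordering constraint. A later cleanup that folds `elandev = FP_INSTANCE_DATA(_dev)` back into the declaration, or moves `elandev->cur_transfer = NULL` above the check, would reintroduce the use-after-free without any warning. I would add a comment above the check, for example `/* Cancelled: the device and ssm may already be gone, so touch nothing but transfer before returning. */`. The cancelled path also no longer clears `elandev->cur_transfer` or calls `fpi_ssm_mark_failed(ssm, -ECANCELED)`, so each caller that cancels the transfer presumably has to clear the pointer and finish the state machine itself. Those callers and the rest of the function body are outside this hunk, so that is worth confirming.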