Re: [PATCH net] can: peak_usb: fix double free of transfer buffer on URB submit error

Next message: Mohammad Rafi Shaik: "[PATCH v1 2/8] arm64: dts: qcom: shikra: Add QAIF CPU node for audio"
Previous message: Mohammad Rafi Shaik: "[PATCH v1 1/8] ASoC: dt-bindings: qcom,apr: Add modem_apps GLINK channel for shikra"
In reply to: Maoyi Xie: "[PATCH net] can: peak_usb: fix double free of transfer buffer on URB submit error"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Vincent Mailhol

Date: Tue Jun 16 2026 - 16:16:15 EST

On 16/06/2026 at 20:15, Maoyi Xie wrote:
> In peak_usb_start(), each RX URB transfer buffer is allocated with kmalloc()
> and the URB is flagged URB_FREE_BUFFER so that the final usb_free_urb() also
> frees the transfer buffer.
>
> If usb_submit_urb() fails, the error path frees the buffer explicitly with
> kfree(buf) and then calls usb_free_urb(urb). Because URB_FREE_BUFFER is set,
> usb_free_urb() -> urb_destroy() frees the same buffer a second time, a double
> free of the transfer buffer.
>
> BUG: KASAN: double-free in usb_free_urb.part.0+0x91/0xb0
> Free of addr ffff8881069ccb80 by task trigger.sh/285
>
> Call Trace:
> kfree+0x113/0x3c0
> usb_free_urb.part.0+0x91/0xb0
>
> Drop the redundant kfree(buf); usb_free_urb() already releases the transfer
> buffer. This mirrors commit 03819abbeb11 ("net: usb: lan78xx: Fix double free
> issue with interrupt buffer allocation").
>
> Fixes: bb4785551f64 ("can: usb: PEAK-System Technik USB adapters driver core")
> Closes: https://lore.kernel.org/linux-can/178159320216.2154888.16953451793788581739@xxxxxxxxxxxx/T/#u
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Maoyi Xie <maoyixie.tju@xxxxxxxxx>

Reviewed-by: Vincent Mailhol <mailhol@xxxxxxxxxx>

Yours sincerely,
Vincent Mailhol