[PATCH] fix: drivers/usb/serial: garmin_write_bulk: urb freed prematurely on success path
From: WenTao Liang
Date: Fri Jun 26 2026 - 23:40:47 EST
In garmin_write_bulk(), usb_free_urb(urb) is called unconditionally after
URB submission, even on the success path. When the URB completes later,
the completion callback may perform additional operations on the
already-freed URB structure, causing use-after-free or double free.
Move usb_free_urb(urb) to the error path only, allowing the completion
callback to properly manage the URB lifecycle on success.
Cc: stable@xxxxxxxxxxxxxxx
Fixes: c4ac4496e835 ("USB: serial: garmin_gps: fix memory leak on failed URB submit")
Signed-off-by: WenTao Liang <vulab@xxxxxxxxxxx>
---
drivers/usb/serial/garmin_gps.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/drivers/usb/serial/garmin_gps.c b/drivers/usb/serial/garmin_gps.c
index 7205483a0115..775959e0188d 100644
--- a/drivers/usb/serial/garmin_gps.c
+++ b/drivers/usb/serial/garmin_gps.c
@@ -1029,12 +1029,10 @@ static int garmin_write_bulk(struct usb_serial_port *port,
count = status;
usb_unanchor_urb(urb);
kfree(buffer);
+ usb_free_urb(urb);
+ return count;
}
- /* we are done with this urb, so let the host driver
- * really free it when it is finished with it */
- usb_free_urb(urb);
-
return count;
}
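Review bot: After this hunk the success path of garmin_write_bulk() reaches the final "return count;" with no usb_free_urb(urb) anywhere, and the deleted comment ("we are done with this urb, so let the host driver really free it when it is finished with it") describes that call as handing the final free to the host driver, not as freeing the URB while it is still in flight. If that comment is accurate, the old code was not the use-after-free the changelog describes, and removing the call leaves the URB unreleased after every successful write. Nothing in the visible lines shows the completion callback releasing the URB, so either keep the unconditional usb_free_urb(urb) or name in the changelog the callback that does the release and explain why the comment being deleted is wrong. Separately, the added "return count;" inside the error block duplicates the function's final "return count;" and is only needed because the free was moved; it goes away if the free stays where it was.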
--
2.39.5 (Apple Git-154)