staging: comedi: vmk80xx: Fix possible double-free of ->usb_rx_buf [Linux 3.16.72]

This Linux kernel change "staging: comedi: vmk80xx: Fix possible double-free of ->usb_rx_buf" is included in the Linux 3.16.72 release. This change is authored by Ian Abbott <abbotti [at]> on Mon Apr 15 12:52:30 2019 +0100. The commit for this change in Linux stable tree is a5c377c (patch) which is from upstream commit 663d294. The same Linux upstream change may have been applied to various maintained Linux releases and you can find all Linux releases containing changes from upstream 663d294.

staging: comedi: vmk80xx: Fix possible double-free of ->usb_rx_buf

commit 663d294b4768bfd89e529e069bffa544a830b5bf upstream.

`vmk80xx_alloc_usb_buffers()` is called from `vmk80xx_auto_attach()` to
allocate RX and TX buffers for USB transfers.  It allocates
`devpriv->usb_rx_buf` followed by `devpriv->usb_tx_buf`.  If the
allocation of `devpriv->usb_tx_buf` fails, it frees
`devpriv->usb_rx_buf`,  leaving the pointer set dangling, and returns an
error.  Later, `vmk80xx_detach()` will be called from the core comedi
module code to clean up.  `vmk80xx_detach()` also frees both
`devpriv->usb_rx_buf` and `devpriv->usb_tx_buf`, but
`devpriv->usb_rx_buf` may have already been freed, leading to a
double-free error.  Fix it by removing the call to
`kfree(devpriv->usb_rx_buf)` from `vmk80xx_alloc_usb_buffers()`, relying
on `vmk80xx_detach()` to free the memory.

Signed-off-by: Ian Abbott <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>

There are 4 lines of Linux source code added/deleted in this change. Code changes to Linux kernel are as follows.

 drivers/staging/comedi/drivers/vmk80xx.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/drivers/staging/comedi/drivers/vmk80xx.c b/drivers/staging/comedi/drivers/vmk80xx.c
index 4c3e6a6..87b6e1a 100644
--- a/drivers/staging/comedi/drivers/vmk80xx.c
+++ b/drivers/staging/comedi/drivers/vmk80xx.c
@@ -757,10 +757,8 @@ static int vmk80xx_alloc_usb_buffers(struct comedi_device *dev)

    size = le16_to_cpu(devpriv->ep_tx->wMaxPacketSize);
    devpriv->usb_tx_buf = kzalloc(size, GFP_KERNEL);
-   if (!devpriv->usb_tx_buf) {
-       kfree(devpriv->usb_rx_buf);
+   if (!devpriv->usb_tx_buf)
        return -ENOMEM;
-   }

    return 0;

Leave a Reply

Your email address will not be published. Required fields are marked *