Overview
About vulnerability
In the Linux kernel, the following vulnerability has been resolved:
net: usb: lan78xx: Fix double free issue with interrupt buffer allocation
In lan78xx_probe(), the buffer buf was being freed twice: once
implicitly through usb_free_urb(dev->urb_intr) with the
URB_FREE_BUFFER flag and again explicitly by kfree(buf). This caused
a double free issue.
To resolve this, reordered kmalloc() and usb_alloc_urb() calls to
simplify the initialization sequence and removed the redundant
kfree(buf). Now, buf is allocated after usb_alloc_urb(), ensuring
it is correctly managed by usb_fill_int_urb() and freed by
usb_free_urb() as intended.
Details
- Affected product:
- AlmaLinux 9.2 ESU
- Affected packages:
- kernel @ 5.14.0
In the Linux kernel, the following vulnerability has been resolved:
net: usb: lan78xx: Fix double free issue with interrupt buffer allocation
In lan78xx_probe(), the buffer buf was being freed twice: once
implicitly through usb_free_urb(dev->urb_intr) with the
URB_FREE_BUFFER flag and again explicitly by kfree(buf). This caused
a double free issue.
To resolve this, reordered kmalloc() and usb_alloc_urb() calls to
simplify the initialization sequence and removed the redundant
kfree(buf). Now, buf is allocated after usb_alloc_urb(), ensuring
it is correctly managed by usb_fill_int_urb() and freed by
usb_free_urb() as intended.