[PATCH] usb: dwc3: Fix crash on fastboot exit due to incorrect memory free
Marek Vasut
marek.vasut at mailbox.org
Wed May 6 17:28:39 CEST 2026
On 5/6/26 5:26 PM, Balaji Selvanathan wrote:
>
> On 5/6/2026 4:55 PM, Marek Vasut wrote:
>> On 5/6/26 8:14 AM, Balaji Selvanathan wrote:
>>> The dwc3_free_one_event_buffer() function incorrectly called free()
>>> on event buffer structures allocated with devm_kzalloc(). This
>>> caused heap corruption and a synchronous abort when exiting
>>> fastboot mode via "fastboot continue".
>>>
>>> Device-managed memory is automatically freed when the device is
>>> removed, so manual deallocation causes the heap allocator to access
>>> corrupted metadata.
>>>
>>> Signed-off-by: Balaji Selvanathan <balaji.selvanathan at oss.qualcomm.com>
>>> ---
>>> drivers/usb/dwc3/core.c | 1 -
>>> 1 file changed, 1 deletion(-)
>>>
>>> diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c
>>> index 0dee14c8b59..be198041f08 100644
>>> --- a/drivers/usb/dwc3/core.c
>>> +++ b/drivers/usb/dwc3/core.c
>>> @@ -208,7 +208,6 @@ static void dwc3_free_one_event_buffer(struct
>>> dwc3 *dwc,
>>> struct dwc3_event_buffer *evt)
>>> {
>>> dma_free_coherent(evt->buf);
>>> - free(evt);
>>> }
>>> /**
>> Does this need:
>>
>> Fixes: 884b10e86a05 ("usb: dwc3: core: fix memory leaks in event
>> buffer cleanup")
>>
>> ?
>
> Hi Marek,
>
> We remove only "free(evt)"; "free(dwc->ev_buffs);" from this patch
> (884b10e86a05 "usb: dwc3: core: fix memory leaks in event buffer
> cleanup") is needed.
The Fixes tag is only a reference for posterity, to trace which previous
commit this change repairs. The change itself is fine. Thanks !
More information about the U-Boot
mailing list