[PATCH] usb: dwc3: Fix crash on fastboot exit due to incorrect memory free
Balaji Selvanathan
balaji.selvanathan at oss.qualcomm.com
Thu May 7 06:38:56 CEST 2026
On 5/6/2026 8:58 PM, Marek Vasut wrote:
> On 5/6/26 5:26 PM, Balaji Selvanathan wrote:
>>
>> On 5/6/2026 4:55 PM, Marek Vasut wrote:
>>> On 5/6/26 8:14 AM, Balaji Selvanathan wrote:
>>>> The dwc3_free_one_event_buffer() function incorrectly called free()
>>>> on event buffer structures allocated with devm_kzalloc(). This
>>>> caused heap corruption and a synchronous abort when exiting
>>>> fastboot mode via "fastboot continue".
>>>>
>>>> Device-managed memory is automatically freed when the device is
>>>> removed, so manual deallocation causes the heap allocator to access
>>>> corrupted metadata.
>>>>
>>>> Signed-off-by: Balaji Selvanathan
>>>> <balaji.selvanathan at oss.qualcomm.com>
>>>> ---
>>>> drivers/usb/dwc3/core.c | 1 -
>>>> 1 file changed, 1 deletion(-)
>>>>
>>>> diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c
>>>> index 0dee14c8b59..be198041f08 100644
>>>> --- a/drivers/usb/dwc3/core.c
>>>> +++ b/drivers/usb/dwc3/core.c
>>>> @@ -208,7 +208,6 @@ static void dwc3_free_one_event_buffer(struct
>>>> dwc3 *dwc,
>>>> struct dwc3_event_buffer *evt)
>>>> {
>>>> dma_free_coherent(evt->buf);
>>>> - free(evt);
>>>> }
>>>> /**
>>> Does this need:
>>>
>>> Fixes: 884b10e86a05 ("usb: dwc3: core: fix memory leaks in event
>>> buffer cleanup")
>>>
>>> ?
>>
>> Hi Marek,
>>
>> We remove only "free(evt)"; "free(dwc->ev_buffs);" from this patch
>> (884b10e86a05 "usb: dwc3: core: fix memory leaks in event buffer
>> cleanup") is needed.
> The Fixes tag is only a reference for posterity, to trace which
> previous commit this change repairs. The change itself is fine. Thanks !
Hi Marek,
Got it. Thanks for the feedback. Have added fixes tag and respinned:
https://lore.kernel.org/u-boot/20260507-usb-v2-1-3958b8732553@oss.qualcomm.com/
Regards,
Balaji
More information about the U-Boot
mailing list