[PATCH v2] usb: dwc3: core: fix memory leaks in event buffer cleanup

Alexey Charkov alchark at flipper.net
Fri May 8 13:01:09 CEST 2026


On Fri, May 8, 2026 at 2:45 PM Gurumoorthy Santhakumar
<gurumoorthy.santhakumar at oss.qualcomm.com> wrote:
>
> In dwc3_free_one_event_buffer(), only the DMA buffer (evt->buf) was
> being freed via dma_free_coherent(), but the evt structure itself was
> never explicitly freed, causing a memory leak.
>
> In dwc3_free_event_buffers(), the ev_buffs pointer array allocated
> with memalign() was never freed after iterating and releasing all
> individual event buffers, causing another memory leak.
>
> Fix both leaks by freeing the evt struct in
> dwc3_free_one_event_buffer() and freeing dwc->ev_buffs in
> dwc3_free_event_buffers() after all entries have been released.
>
> Signed-off-by: Gurumoorthy Santhakumar <gurumoorthy.santhakumar at oss.qualcomm.com>
> ---
> Changes in V2:
> - Removed redundant NULL check before free
> - Removed NULL assignment to the pointer after free
> - Link to V1:
> https://lore.kernel.org/u-boot/20260414055013.2978223-1-gurumoorthy.santhakumar@oss.qualcomm.com/
> ---
> ---
>  drivers/usb/dwc3/core.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c
> index 6f22b9232ba..65c4d1a4e6f 100644
> --- a/drivers/usb/dwc3/core.c
> +++ b/drivers/usb/dwc3/core.c
> @@ -206,6 +206,7 @@ static void dwc3_free_one_event_buffer(struct dwc3 *dwc,
>                 struct dwc3_event_buffer *evt)
>  {
>         dma_free_coherent(evt->buf);
> +       free(evt);
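Review bot: the free(evt) added after dma_free_coherent(evt->buf) in dwc3_free_one_event_buffer() is only a valid release if evt came from a plain malloc()-family allocation, and neither this hunk nor the commit message shows where evt is allocated (the message names memalign() for ev_buffs but gives no allocator for evt). Please confirm the allocation site and state it in the commit message; if evt is a device-managed (devm_*) allocation, drop this line and leave the release to device removal, or use the matching devm_kfree() rather than free().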

Hi Gurumoorthy,

evt is allocated using devm_kzalloc, so this change introduces a
double-free causing a crash when tearing down a USB gadget mode
session on my Rockchip RK3576 board:

=> ums 0 scsi 0:0
...
CTRL+C - Operation aborted
"Synchronous Abort" handler, esr 0x96000004, far 0xfffffffffe04e990
elr: 00000000408333f8 lr : 0000000040869e90 (reloc)
elr: 00000000ffe4a3f8 lr : 00000000ffe80e90
x0 : 00000000ffe592d0 x1 : 00000000ffe592d2
x2 : 7d00000000000000 x3 : fffffffffe04e980
x4 : 00000000ffef1e68 x5 : 00000000fdea7c52
x6 : 00000000ffef1e78 x7 : 00000000fdef81b0
x8 : 0000000000000008 x9 : 0000000000000001
x10: 0000000000000006 x11: 0000000000000008
x12: 00000000fff090ba x13: 0000000000000000
x14: 00000000fff090ba x15: 0000000000ffffff
x16: 00000000ffe793f0 x17: 0000000000000000
x18: 00000000fddf7d70 x19: 0000000000000000
x20: 00000000fdea7c60 x21: 00000000fdea72a8
x22: 00000000ffeebe50 x23: 00000000ffef5e40
x24: 00000000ffef5000 x25: 00000000ffee5966
x26: 00000000fde90b70 x27: 0000000000000000
x28: 0000000000000000 x29: 00000000fddc6350

Code: f0000526 9139e0c6 cb000063 8b000021 (f9400860)
Resetting CPU ...

resetting ...

These offsets translate to:
 ... free at common/dlmalloc.c:1599
      dwc3_free_event_buffers at drivers/usb/dwc3/core.c:253

Reverting this hunk alone fixes the issue for me.

While at that, I see similar asymmetry (devm_kzalloc + kfree) on
dwc->mem, which might also cause double-free issues, but I'm not
hitting them in my usage scenario.

Best regards,
Alexey
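The ownership mismatch described in this message, as an added example that is not part of the original e-mail and is not U-Boot's devres code: a simplified C model (all toy_* names are hypothetical) in which a block owned by a device is also released by hand, so the release that device removal makes later lands on a block that is no longer live. The shadow heap only marks blocks as released, so the bad release is counted rather than reaching the real allocator.

```c
#include <stdio.h>
#include <stdlib.h>
#define MAX 8
static struct blk { void *p; int live; } heap[MAX];    /* shadow heap */
static int nheap;
struct toy_dev { void *res[MAX]; int nres; };          /* hypothetical device */

static int toy_free(void *p)    /* stands in for free(); only marks the block */
{
    for (int i = 0; i < nheap; i++)
        if (heap[i].p == p && heap[i].live) {
            heap[i].live = 0;
            return 0;
        }
    return -1;                  /* not live: double or invalid free */
}

static void *toy_devm_zalloc(struct toy_dev *d, size_t n)
{
    void *p = (nheap < MAX && d->nres < MAX) ? calloc(1, n) : NULL;
    if (!p)
        return NULL;
    heap[nheap++] = (struct blk){ p, 1 };
    d->res[d->nres++] = p;      /* the device now owns the block */
    return p;
}

static int toy_dev_release(struct toy_dev *d)   /* device removal */
{
    int bad = 0;                /* releases that hit a non-live block */
    while (d->nres)
        bad += toy_free(d->res[--d->nres]) != 0;
    return bad;
}

static int teardown(int explicit_free)
{
    struct toy_dev d = { 0 };
    void *evt = toy_devm_zalloc(&d, 64);
    if (evt && explicit_free)
        toy_free(evt);          /* the pattern from the quoted hunk */
    return evt ? toy_dev_release(&d) : -1;
}

int main(void)
{
    printf("free+removal: %d bad, removal only: %d bad\n", teardown(1), teardown(0));
    return 0;
}
```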

