[PATCH v3] usb: dwc3: Fix crash on fastboot exit due to incorrect memory free
Alexey Charkov
alchark at flipper.net
Mon May 11 19:25:09 CEST 2026
On Mon, May 11, 2026 at 9:21 PM Balaji Selvanathan
<balaji.selvanathan at oss.qualcomm.com> wrote:
>
> The dwc3_free_one_event_buffer() function incorrectly called free()
> on event buffer structures allocated with devm_kzalloc(). This
> caused heap corruption and a synchronous abort when exiting
> fastboot mode via "fastboot continue".
>
> Device-managed memory is automatically freed when the device is
> removed, so manual deallocation causes the heap allocator to access
> corrupted metadata.
>
> Fixes: 884b10e86a05 ("usb: dwc3: core: fix memory leaks in event buffer cleanup")
> Signed-off-by: Balaji Selvanathan <balaji.selvanathan at oss.qualcomm.com>
> ---
> Changes in v3:
> - Move Fixes tag to commit footer in commit description
> - Link to v2: https://lore.kernel.org/u-boot/20260507-usb-v2-1-3958b8732553@oss.qualcomm.com/
>
> Changes in v2:
> - Added Fixes tag in commit description
> - Link to v1: https://lore.kernel.org/u-boot/20260506-usb-v1-1-e0f426bb1e42@oss.qualcomm.com/
> ---
> drivers/usb/dwc3/core.c | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c
> index 0dee14c8b59..be198041f08 100644
> --- a/drivers/usb/dwc3/core.c
> +++ b/drivers/usb/dwc3/core.c
> @@ -208,7 +208,6 @@ static void dwc3_free_one_event_buffer(struct dwc3 *dwc,
> struct dwc3_event_buffer *evt)
> {
> dma_free_coherent(evt->buf);
> - free(evt);
Thanks for the fix Balaji! This fixed a crash I've been seeing on
Rockchip RK3576 trying to use the UMS gadget, so
Tested-by: Alexey Charkov <alchark at flipper.net>
Closes: https://lore.kernel.org/u-boot/CAKTNdwHA_3eJ4D7maBmAAr1DyrvT_meMsJ7_Naux1dKTzOu3OQ@mail.gmail.com/
Best regards,
Alexey
More information about the U-Boot
mailing list