[PATCH] usb: gadget: net2280: Fix double free in probe error path

Guangshuo Li posted 1 patch 1 month, 2 weeks ago
There is a newer version of this series
drivers/usb/gadget/udc/net2280.c | 1 -
1 file changed, 1 deletion(-)
[PATCH] usb: gadget: net2280: Fix double free in probe error path
Posted by Guangshuo Li 1 month, 2 weeks ago
usb_initialize_gadget() installs gadget_release() as the release
callback for the embedded gadget device.  The struct net2280 instance is
therefore released through gadget_release() when the gadget device's last
reference is dropped.

The probe error path calls net2280_remove(), which tears down the
partially initialized device and drops the gadget reference with
usb_put_gadget().  Calling kfree(dev) afterwards can free the same object
again.

Drop the explicit kfree() and let the gadget device release callback
handle the final free. This issue was found by a static analysis tool
I am developing.

Fixes: 2468c877da42 ("usb: gadget: net2280: fix memory leak on probe error handling paths")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
---
 drivers/usb/gadget/udc/net2280.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/usb/gadget/udc/net2280.c b/drivers/usb/gadget/udc/net2280.c
index d02765bd49ce..90d678e6714f 100644
--- a/drivers/usb/gadget/udc/net2280.c
+++ b/drivers/usb/gadget/udc/net2280.c
@@ -3792,7 +3792,6 @@ static int net2280_probe(struct pci_dev *pdev, const struct pci_device_id *id)
 done:
 	if (dev) {
 		net2280_remove(pdev);
-		kfree(dev);
 	}
 	return retval;
 }
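Review bot: With the kfree(dev) under done: removed, freeing dev on this path depends entirely on net2280_remove(pdev) reaching usb_put_gadget() with gadget_release() already installed, and the hunk does not show where usb_initialize_gadget() is called relative to the earliest jump to done: in net2280_probe(). The commit message should state that every exit to done: with dev non-NULL happens after usb_initialize_gadget(), so a reader can confirm that no early failure is left without a free.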
-- 
2.43.0
Re: [PATCH] usb: gadget: net2280: Fix double free in probe error path
Posted by Alan Stern 1 month, 2 weeks ago
On Mon, Apr 27, 2026 at 09:31:07PM +0800, Guangshuo Li wrote:
> usb_initialize_gadget() installs gadget_release() as the release
> callback for the embedded gadget device.  The struct net2280 instance is
> therefore released through gadget_release() when the gadget device's last
> reference is dropped.
> 
> The probe error path calls net2280_remove(), which tears down the
> partially initialized device and drops the gadget reference with
> usb_put_gadget().  Calling kfree(dev) afterwards can free the same object
> again.
> 
> Drop the explicit kfree() and let the gadget device release callback
> handle the final free. This issue was found by a static analysis tool
> I am developing.
> 
> Fixes: 2468c877da42 ("usb: gadget: net2280: fix memory leak on probe error handling paths")
> Cc: stable@vger.kernel.org
> Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
> ---
> 
>  drivers/usb/gadget/udc/net2280.c | 1 -
>  1 file changed, 1 deletion(-)
> 
> diff --git a/drivers/usb/gadget/udc/net2280.c b/drivers/usb/gadget/udc/net2280.c
> index d02765bd49ce..90d678e6714f 100644
> --- a/drivers/usb/gadget/udc/net2280.c
> +++ b/drivers/usb/gadget/udc/net2280.c
> @@ -3792,7 +3792,6 @@ static int net2280_probe(struct pci_dev *pdev, const struct pci_device_id *id)
>  done:
>  	if (dev) {
>  		net2280_remove(pdev);
> -		kfree(dev);
>  	}
>  	return retval;
>  }
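Review bot: Nothing at the done: label now says who frees dev, so the if (dev) block reads as though the allocation is leaked on probe failure. A short comment above net2280_remove(pdev) noting that dev is freed by gadget_release() once usb_put_gadget() drops the last reference would keep a later cleanup from putting kfree(dev) back.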

You should remove the braces in the "if" statement as they are now 
unnecessary.  Also, the Fixes: tag is wrong; it should say:

Fixes: f770fbec4165 ("USB: UDC: net2280: Fix memory leaks")

The code before that commit was okay.

Alan Stern
Re: [PATCH] usb: gadget: net2280: Fix double free in probe error path
Posted by Guangshuo Li 1 month, 2 weeks ago
Hi Alan,

Thank you for the review and correction.

On Mon, 27 Apr 2026 at 22:36, Alan Stern <stern@rowland.harvard.edu> wrote:
>
> You should remove the braces in the "if" statement as they are now
> unnecessary.  Also, the Fixes: tag is wrong; it should say:
>
> Fixes: f770fbec4165 ("USB: UDC: net2280: Fix memory leaks")
>
> The code before that commit was okay.
>
> Alan Stern

I will remove the now-unnecessary braces and update the Fixes tag to:

Fixes: f770fbec4165 ("USB: UDC: net2280: Fix memory leaks")

I will send a v2 shortly.

Best regards,
Guangshuo