[PATCH v2] usb: gadget: net2280: Fix double free in probe error path

Guangshuo Li posted 1 patch 1 month, 2 weeks ago
drivers/usb/gadget/udc/net2280.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
[PATCH v2] usb: gadget: net2280: Fix double free in probe error path
Posted by Guangshuo Li 1 month, 2 weeks ago
usb_initialize_gadget() installs gadget_release() as the release
callback for the embedded gadget device.  The struct net2280 instance is
therefore released through gadget_release() when the gadget device's last
reference is dropped.

The probe error path calls net2280_remove(), which tears down the
partially initialized device and drops the gadget reference with
usb_put_gadget().  Calling kfree(dev) afterwards can free the same object
again.

Drop the explicit kfree() and let the gadget device release callback
handle the final free.  This issue was found by a static analysis tool
I am developing.

Fixes: f770fbec4165 ("USB: UDC: net2280: Fix memory leaks")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
---
v2:
  - Remove the unnecessary braces around the single-statement if block.
  - Correct the Fixes tag to f770fbec4165.

 drivers/usb/gadget/udc/net2280.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/drivers/usb/gadget/udc/net2280.c b/drivers/usb/gadget/udc/net2280.c
index d02765bd49ce..7c5f30cfd24d 100644
--- a/drivers/usb/gadget/udc/net2280.c
+++ b/drivers/usb/gadget/udc/net2280.c
@@ -3790,10 +3790,8 @@ static int net2280_probe(struct pci_dev *pdev, const struct pci_device_id *id)
 	return 0;
 
 done:
-	if (dev) {
+	if (dev)
 		net2280_remove(pdev);
-		kfree(dev);
-	}
 	return retval;
 }
 
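Review bot: The removal of `kfree(dev)` under `done:` is only safe if every `goto done` taken with a non-NULL `dev` happens after usb_initialize_gadget() has installed gadget_release(), and neither the hunk nor the commit message shows that ordering. Please confirm it in the changelog, for example by stating where in net2280_probe() usb_initialize_gadget() is called relative to the first `goto done`. If any earlier jump exists with `dev` already allocated, that path would be left with nothing that frees `dev` once the explicit kfree() is gone.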
-- 
2.43.0
Re: [PATCH v2] usb: gadget: net2280: Fix double free in probe error path
Posted by Alan Stern 1 month, 2 weeks ago
On Mon, Apr 27, 2026 at 11:36:51PM +0800, Guangshuo Li wrote:
> usb_initialize_gadget() installs gadget_release() as the release
> callback for the embedded gadget device.  The struct net2280 instance is
> therefore released through gadget_release() when the gadget device's last
> reference is dropped.
> 
> The probe error path calls net2280_remove(), which tears down the
> partially initialized device and drops the gadget reference with
> usb_put_gadget().  Calling kfree(dev) afterwards can free the same object
> again.
> 
> Drop the explicit kfree() and let the gadget device release callback
> handle the final free.  This issue was found by a static analysis tool
> I am developing.
> 
> Fixes: f770fbec4165 ("USB: UDC: net2280: Fix memory leaks")
> Cc: stable@vger.kernel.org
> Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
> ---

Reviewed-by: Alan Stern <stern@rowland.harvard.edu>

> v2:
>   - Remove the unnecessary braces around the single-statement if block.
>   - Correct the Fixes tag to f770fbec4165.
> 
>  drivers/usb/gadget/udc/net2280.c | 4 +---
>  1 file changed, 1 insertion(+), 3 deletions(-)
> 
> diff --git a/drivers/usb/gadget/udc/net2280.c b/drivers/usb/gadget/udc/net2280.c
> index d02765bd49ce..7c5f30cfd24d 100644
> --- a/drivers/usb/gadget/udc/net2280.c
> +++ b/drivers/usb/gadget/udc/net2280.c
> @@ -3790,10 +3790,8 @@ static int net2280_probe(struct pci_dev *pdev, const struct pci_device_id *id)
>  	return 0;
>  
>  done:
> -	if (dev) {
> +	if (dev)
>  		net2280_remove(pdev);
> -		kfree(dev);
> -	}
>  	return retval;
>  }
>  
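Review bot: The `done:` block now relies on net2280_remove(pdev) for the final free, but nothing in the code says so, and a lone `net2280_remove(pdev);` before `return retval;` looks like a missing kfree() to the next reader. Consider a one-line comment above the `if (dev)` noting that net2280_remove() drops the gadget reference and that `dev` is freed by the release callback, so it must not be freed or dereferenced after the call. The Fixes tag shows a leak fix in this area was what preceded this double free, so a comment here is cheap protection against the kfree() being added back.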
> -- 
> 2.43.0
>