From: Guangshuo Li
To: Greg Kroah-Hartman, Guangshuo Li, Kees Cook, Felipe Balbi, Alexey Khoroshilov, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: stable@vger.kernel.org
Subject: [PATCH] usb: gadget: goku_udc: avoid double-free in error path
Date: Fri, 1 May 2026 12:51:13 +0800
Message-ID: <20260501045113.484207-1-lgs201920130244@gmail.com>

goku_probe() allocates struct goku_udc and passes &dev->gadget to usb_add_gadget_udc_release() with gadget_release() as the release callback. usb_add_gadget_udc_release() initializes the gadget device with that release callback before calling usb_add_gadget().

If usb_add_gadget() fails, usb_add_gadget_udc_release() calls usb_put_gadget(), which invokes gadget_release() and frees dev. The current error path then falls through to kfree(dev), freeing the same object again.

Set dev to NULL before jumping to the common error path so the explicit kfree(dev) is skipped after ownership has already been dropped by the gadget core.

This issue was found by a static analysis tool I am developing.

Fixes: 2a334cfaf393 ("usb: gadget: goku_udc: fix memory leak in goku_probe()")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li
---
 drivers/usb/gadget/udc/goku_udc.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/gadget/udc/goku_udc.c b/drivers/usb/gadget/udc/gok= u_udc.c index db42a5e3e805..46a7e0f6541e 100644 --- a/drivers/usb/gadget/udc/goku_udc.c 
+++ b/drivers/usb/gadget/udc/goku_udc.c @@ -1819,15 +1819,20 @@ static int goku_probe(struct pci_dev *pdev, const s= truct pci_device_id *id) =20 retval =3D usb_add_gadget_udc_release(&pdev->dev, &dev->gadget, gadget_release); - if (retval) + if (retval) { + /* + * usb_add_gadget_udc_release() calls the gadget release + * function on failure, and gadget_release() frees dev. + */ + dev =3D NULL; goto err; + } =20 return 0; =20 err: if (dev) goku_remove (pdev); - /* gadget_release is not registered yet, kfree explicitly */ kfree(dev); return retval; } --=20 2.43.0
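
Review bot: in the new `if (retval) {` branch of goku_probe(), setting `dev = NULL` before `goto err` skips more than the `kfree(dev)`: the `err:` label guards `goku_remove (pdev)` with `if (dev)`, so the teardown that goku_remove() performs for the earlier probe steps no longer runs when usb_add_gadget_udc_release() fails. If that teardown is still required on this path, use a separate label or a local flag that bypasses only the final `kfree(dev)`, and order it so that nothing touches dev after gadget_release() has freed it; if it is intentionally skipped, the commit message should say why nothing is leaked. The patch also deletes the comment "gadget_release is not registered yet, kfree explicitly" while the `kfree(dev)` it explained stays in place for the earlier failure paths; a reworded comment stating which paths still own dev at `err:` would keep that documented.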