[PATCH v2] usb: gadget: raw_gadget: fix double free in raw_release

[PATCH v2] usb: gadget: raw_gadget: fix double free in raw_release

[cuiyudong]

In raw_release(), when unregister == true, there are two kref_put() calls:
1. Inside the unregister block (extra)
2. At out_put label

The refcount increments are:
- 1 ref from dev_new() in raw_open()
- 1 ref from kref_get() in raw_ioctl_run()

Total: 2 references.

The original code performed 3 kref_put() operations, which causes the refcount
to drop below zero and leads to a double free in dev_free().

Remove the extra kref_put() inside the unregister block to balance the
reference counter correctly.

Since the extra kref_put() triggers an immediate use-after-free condition
on the dev structure, KASAN reports a double-free instead of a refcount warning.

BUG: KASAN: double-free in dev_free+0x424/0x740
Fixes: f2c2e717642c ("usb: gadget: add raw-gadget interface")
Reported-by: syzbot+25612fe5ab3dcafc3aab@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/69c401ad.a70a0220.23629d.0000.GAE@google.com/
Signed-off-by: cuiyudong <cuiyudong@kylinos.cn>
---
 drivers/usb/gadget/legacy/raw_gadget.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/drivers/usb/gadget/legacy/raw_gadget.c b/drivers/usb/gadget/legacy/raw_gadget.c
index 4febf8dac7ca..a1fd3fdf1323 100644
--- a/drivers/usb/gadget/legacy/raw_gadget.c
+++ b/drivers/usb/gadget/legacy/raw_gadget.c
@@ -465,12 +465,10 @@ static int raw_release(struct inode *inode, struct file *fd)
 			dev_err(dev->dev,
 				"usb_gadget_unregister_driver() failed with %d\n",
 				ret);
-		/* Matches kref_get() in raw_ioctl_run(). */
-		kref_put(&dev->count, dev_free);
 	}
 
 out_put:
-	/* Matches dev_new() in raw_open(). */
+	/* Matches dev_new() in raw_open() and kref_get() in raw_ioctl_run(). */
 	kref_put(&dev->count, dev_free);
 	return ret;
 }
-- 
2.25.1

Re: [PATCH v2] usb: gadget: raw_gadget: fix double free in raw_release

[Greg Kroah-Hartman]

On Thu, Mar 26, 2026 at 04:22:45PM +0800, cuiyudong wrote:
> In raw_release(), when unregister == true, there are two kref_put() calls:
> 1. Inside the unregister block (extra)
> 2. At out_put label
> 
> The refcount increments are:
> - 1 ref from dev_new() in raw_open()
> - 1 ref from kref_get() in raw_ioctl_run()
> 
> Total: 2 references.
> 
> The original code performed 3 kref_put() operations, which causes the refcount
> to drop below zero and leads to a double free in dev_free().
> 
> Remove the extra kref_put() inside the unregister block to balance the
> reference counter correctly.
> 
> Since the extra kref_put() triggers an immediate use-after-free condition
> on the dev structure, KASAN reports a double-free instead of a refcount warning.
> 
> BUG: KASAN: double-free in dev_free+0x424/0x740
> Fixes: f2c2e717642c ("usb: gadget: add raw-gadget interface")
> Reported-by: syzbot+25612fe5ab3dcafc3aab@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/all/69c401ad.a70a0220.23629d.0000.GAE@google.com/
> Signed-off-by: cuiyudong <cuiyudong@kylinos.cn>
> ---
>  drivers/usb/gadget/legacy/raw_gadget.c | 4 +---
>  1 file changed, 1 insertion(+), 3 deletions(-)
> 
> diff --git a/drivers/usb/gadget/legacy/raw_gadget.c b/drivers/usb/gadget/legacy/raw_gadget.c
> index 4febf8dac7ca..a1fd3fdf1323 100644
> --- a/drivers/usb/gadget/legacy/raw_gadget.c
> +++ b/drivers/usb/gadget/legacy/raw_gadget.c
> @@ -465,12 +465,10 @@ static int raw_release(struct inode *inode, struct file *fd)
>  			dev_err(dev->dev,
>  				"usb_gadget_unregister_driver() failed with %d\n",
>  				ret);
> -		/* Matches kref_get() in raw_ioctl_run(). */
> -		kref_put(&dev->count, dev_free);
>  	}
>  
>  out_put:
> -	/* Matches dev_new() in raw_open(). */
> +	/* Matches dev_new() in raw_open() and kref_get() in raw_ioctl_run(). */
>  	kref_put(&dev->count, dev_free);
>  	return ret;
>  }
> -- 
> 2.25.1
> 
> 

Hi,

This is the friendly patch-bot of Greg Kroah-Hartman.  You have sent him
a patch that has triggered this response.  He used to manually respond
to these common problems, but in order to save his sanity (he kept
writing the same thing over and over, yet to different people), I was
created.  Hopefully you will not take offence and will fix the problem
in your patch and resubmit it so that it can be accepted into the Linux
kernel tree.

You are receiving this message because of the following common error(s)
as indicated below:

- This looks like a new version of a previously submitted patch, but you
  did not list below the --- line any changes from the previous version.
  Please read the section entitled "The canonical patch format" in the
  kernel file, Documentation/process/submitting-patches.rst for what
  needs to be done here to properly describe this.

If you wish to discuss this problem further, or you have questions about
how to resolve this issue, please feel free to respond to this email and
Greg will reply once he has dug out from the pending patches received
from other developers.

thanks,

greg k-h's patch email bot

[PATCH v2] usb: gadget: raw_gadget: fix double free in raw_release

[cuiyudong]

In raw_release(), when unregister == true, there are two kref_put() calls:
1. Inside the unregister block (extra)
2. At out_put label

The refcount increments are:
- 1 ref from dev_new() in raw_open()
- 1 ref from kref_get() in raw_ioctl_run()

Total: 2 references.

The original code performed 3 kref_put() operations, which causes the refcount
to drop below zero and leads to a double free in dev_free().

Remove the extra kref_put() inside the unregister block to balance the
reference counter correctly.

Since the extra kref_put() triggers an immediate use-after-free condition
on the dev structure, KASAN reports a double-free instead of a refcount warning.

BUG: KASAN: double-free in dev_free+0x424/0x740
Fixes: f2c2e717642c ("usb: gadget: add raw-gadget interface")
Reported-by: syzbot+25612fe5ab3dcafc3aab@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/69c401ad.a70a0220.23629d.0000.GAE@google.com/
Signed-off-by: cuiyudong <cuiyudong@kylinos.cn>
---
Changes in v2:
- Removed Tested-by tag (syzbot did not test the patch)
- Expanded commit description to explain refcount imbalance and KASAN report
---
 drivers/usb/gadget/legacy/raw_gadget.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/drivers/usb/gadget/legacy/raw_gadget.c b/drivers/usb/gadget/legacy/raw_gadget.c
index 4febf8dac7ca..a1fd3fdf1323 100644
--- a/drivers/usb/gadget/legacy/raw_gadget.c
+++ b/drivers/usb/gadget/legacy/raw_gadget.c
@@ -465,12 +465,10 @@ static int raw_release(struct inode *inode, struct file *fd)
 			dev_err(dev->dev,
 				"usb_gadget_unregister_driver() failed with %d\n",
 				ret);
-		/* Matches kref_get() in raw_ioctl_run(). */
-		kref_put(&dev->count, dev_free);
 	}
 
 out_put:
-	/* Matches dev_new() in raw_open(). */
+	/* Matches dev_new() in raw_open() and kref_get() in raw_ioctl_run(). */
 	kref_put(&dev->count, dev_free);
 	return ret;
 }
-- 
2.25.1

Re: [PATCH v2] usb: gadget: raw_gadget: fix double free in raw_release

[Andrey Konovalov]

On Thu, Mar 26, 2026 at 10:04 AM cuiyudong <cuiyudong@kylinos.cn> wrote:
>
> In raw_release(), when unregister == true, there are two kref_put() calls:
> 1. Inside the unregister block (extra)
> 2. At out_put label
>
> The refcount increments are:
> - 1 ref from dev_new() in raw_open()
> - 1 ref from kref_get() in raw_ioctl_run()
>
> Total: 2 references.
>
> The original code performed 3 kref_put() operations, which causes the refcount
> to drop below zero and leads to a double free in dev_free().

So where is the 3rd one coming from? Just above you say that there are only 2.

>
> Remove the extra kref_put() inside the unregister block to balance the
> reference counter correctly.
>
> Since the extra kref_put() triggers an immediate use-after-free condition
> on the dev structure, KASAN reports a double-free instead of a refcount warning.

This doesn't explain anything. If refcount drops below 0 (as you say
above), shouldn't there be a refcount warning?

>
> BUG: KASAN: double-free in dev_free+0x424/0x740
> Fixes: f2c2e717642c ("usb: gadget: add raw-gadget interface")
> Reported-by: syzbot+25612fe5ab3dcafc3aab@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/all/69c401ad.a70a0220.23629d.0000.GAE@google.com/
> Signed-off-by: cuiyudong <cuiyudong@kylinos.cn>
> ---
> Changes in v2:
> - Removed Tested-by tag (syzbot did not test the patch)
> - Expanded commit description to explain refcount imbalance and KASAN report
> ---
>  drivers/usb/gadget/legacy/raw_gadget.c | 4 +---
>  1 file changed, 1 insertion(+), 3 deletions(-)
>
> diff --git a/drivers/usb/gadget/legacy/raw_gadget.c b/drivers/usb/gadget/legacy/raw_gadget.c
> index 4febf8dac7ca..a1fd3fdf1323 100644
> --- a/drivers/usb/gadget/legacy/raw_gadget.c
> +++ b/drivers/usb/gadget/legacy/raw_gadget.c
> @@ -465,12 +465,10 @@ static int raw_release(struct inode *inode, struct file *fd)
>                         dev_err(dev->dev,
>                                 "usb_gadget_unregister_driver() failed with %d\n",
>                                 ret);
> -               /* Matches kref_get() in raw_ioctl_run(). */
> -               kref_put(&dev->count, dev_free);
>         }
>
>  out_put:
> -       /* Matches dev_new() in raw_open(). */
> +       /* Matches dev_new() in raw_open() and kref_get() in raw_ioctl_run(). */
>         kref_put(&dev->count, dev_free);
>         return ret;
>  }
> --
> 2.25.1
>