[PATCH v2] usb: dwc3: core: fix memory leaks in event buffer cleanup

U-Boot Archive on lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH v2] usb: dwc3: core: fix memory leaks in event buffer cleanup
@ 2026-04-16  5:55 Gurumoorthy Santhakumar
  2026-04-16  9:06 ` Marek Vasut
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Gurumoorthy Santhakumar @ 2026-04-16  5:55 UTC (permalink / raw)
  To: marex, trini, mkorpershoek, macromorgan, casey.connolly,
	quic_varada, felipe.balbi, gurumoorthy.santhakumar, u-boot

In dwc3_free_one_event_buffer(), only the DMA buffer (evt->buf) was
being freed via dma_free_coherent(), but the evt structure itself was
never explicitly freed, causing a memory leak.

In dwc3_free_event_buffers(), the ev_buffs pointer array allocated
with memalign() was never freed after iterating and releasing all
individual event buffers, causing another memory leak.

Fix both leaks by freeing the evt struct in
dwc3_free_one_event_buffer() and freeing dwc->ev_buffs in
dwc3_free_event_buffers() after all entries have been released.

Signed-off-by: Gurumoorthy Santhakumar <gurumoorthy.santhakumar@oss.qualcomm.com>
---
Changes in V2:
- Removed redundant NULL check before free
- Removed NULL assignment to the pointer after free
- Link to V1:
https://lore.kernel.org/u-boot/20260414055013.2978223-1-gurumoorthy.santhakumar@oss.qualcomm.com/
---
---
 drivers/usb/dwc3/core.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c
index 6f22b9232ba..65c4d1a4e6f 100644
--- a/drivers/usb/dwc3/core.c
+++ b/drivers/usb/dwc3/core.c
@@ -206,6 +206,7 @@ static void dwc3_free_one_event_buffer(struct dwc3 *dwc,
 		struct dwc3_event_buffer *evt)
 {
 	dma_free_coherent(evt->buf);
+	free(evt);
 }
 
 /**
@@ -252,6 +253,8 @@ static void dwc3_free_event_buffers(struct dwc3 *dwc)
 		if (evt)
 			dwc3_free_one_event_buffer(dwc, evt);
 	}
+
+	free(dwc->ev_buffs);
 }
 
 /**
-- 
2.34.1


^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [PATCH v2] usb: dwc3: core: fix memory leaks in event buffer cleanup
  2026-04-16  5:55 [PATCH v2] usb: dwc3: core: fix memory leaks in event buffer cleanup Gurumoorthy Santhakumar
@ 2026-04-16  9:06 ` Marek Vasut
  2026-04-17  8:14 ` Mattijs Korpershoek
  2026-05-08 11:01 ` Alexey Charkov
  2 siblings, 0 replies; 6+ messages in thread
From: Marek Vasut @ 2026-04-16  9:06 UTC (permalink / raw)
  To: Gurumoorthy Santhakumar, trini, mkorpershoek, macromorgan,
	casey.connolly, quic_varada, felipe.balbi, u-boot

On 4/16/26 7:55 AM, Gurumoorthy Santhakumar wrote:
> In dwc3_free_one_event_buffer(), only the DMA buffer (evt->buf) was
> being freed via dma_free_coherent(), but the evt structure itself was
> never explicitly freed, causing a memory leak.
> 
> In dwc3_free_event_buffers(), the ev_buffs pointer array allocated
> with memalign() was never freed after iterating and releasing all
> individual event buffers, causing another memory leak.
> 
> Fix both leaks by freeing the evt struct in
> dwc3_free_one_event_buffer() and freeing dwc->ev_buffs in
> dwc3_free_event_buffers() after all entries have been released.
> 
> Signed-off-by: Gurumoorthy Santhakumar <gurumoorthy.santhakumar@oss.qualcomm.com>

Reviewed-by: Marek Vasut <marek.vasut+usb@mailbox.org>

Thank you

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH v2] usb: dwc3: core: fix memory leaks in event buffer cleanup
  2026-04-16  5:55 [PATCH v2] usb: dwc3: core: fix memory leaks in event buffer cleanup Gurumoorthy Santhakumar
  2026-04-16  9:06 ` Marek Vasut
@ 2026-04-17  8:14 ` Mattijs Korpershoek
  2026-05-08 11:01 ` Alexey Charkov
  2 siblings, 0 replies; 6+ messages in thread
From: Mattijs Korpershoek @ 2026-04-17  8:14 UTC (permalink / raw)
  To: Gurumoorthy Santhakumar, marex, trini, mkorpershoek, macromorgan,
	casey.connolly, quic_varada, felipe.balbi,
	gurumoorthy.santhakumar, u-boot

Hi Gurumoorthy,

Thank you for the patch.

On Thu, Apr 16, 2026 at 11:25, Gurumoorthy Santhakumar <gurumoorthy.santhakumar@oss.qualcomm.com> wrote:

> In dwc3_free_one_event_buffer(), only the DMA buffer (evt->buf) was
> being freed via dma_free_coherent(), but the evt structure itself was
> never explicitly freed, causing a memory leak.
>
> In dwc3_free_event_buffers(), the ev_buffs pointer array allocated
> with memalign() was never freed after iterating and releasing all
> individual event buffers, causing another memory leak.
>
> Fix both leaks by freeing the evt struct in
> dwc3_free_one_event_buffer() and freeing dwc->ev_buffs in
> dwc3_free_event_buffers() after all entries have been released.
>
> Signed-off-by: Gurumoorthy Santhakumar <gurumoorthy.santhakumar@oss.qualcomm.com>

Reviewed-by: Mattijs Korpershoek <mkorpershoek@kernel.org>


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH v2] usb: dwc3: core: fix memory leaks in event buffer cleanup
  2026-04-16  5:55 [PATCH v2] usb: dwc3: core: fix memory leaks in event buffer cleanup Gurumoorthy Santhakumar
  2026-04-16  9:06 ` Marek Vasut
  2026-04-17  8:14 ` Mattijs Korpershoek
@ 2026-05-08 11:01 ` Alexey Charkov
  2026-05-08 11:26   ` Marek Vasut
  2 siblings, 1 reply; 6+ messages in thread
From: Alexey Charkov @ 2026-05-08 11:01 UTC (permalink / raw)
  To: Gurumoorthy Santhakumar
  Cc: marex, trini, mkorpershoek, macromorgan, casey.connolly,
	quic_varada, felipe.balbi, u-boot

On Fri, May 8, 2026 at 2:45 PM Gurumoorthy Santhakumar
<gurumoorthy.santhakumar@oss.qualcomm.com> wrote:
>
> In dwc3_free_one_event_buffer(), only the DMA buffer (evt->buf) was
> being freed via dma_free_coherent(), but the evt structure itself was
> never explicitly freed, causing a memory leak.
>
> In dwc3_free_event_buffers(), the ev_buffs pointer array allocated
> with memalign() was never freed after iterating and releasing all
> individual event buffers, causing another memory leak.
>
> Fix both leaks by freeing the evt struct in
> dwc3_free_one_event_buffer() and freeing dwc->ev_buffs in
> dwc3_free_event_buffers() after all entries have been released.
>
> Signed-off-by: Gurumoorthy Santhakumar <gurumoorthy.santhakumar@oss.qualcomm.com>
> ---
> Changes in V2:
> - Removed redundant NULL check before free
> - Removed NULL assignment to the pointer after free
> - Link to V1:
> https://lore.kernel.org/u-boot/20260414055013.2978223-1-gurumoorthy.santhakumar@oss.qualcomm.com/
> ---
> ---
>  drivers/usb/dwc3/core.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c
> index 6f22b9232ba..65c4d1a4e6f 100644
> --- a/drivers/usb/dwc3/core.c
> +++ b/drivers/usb/dwc3/core.c
> @@ -206,6 +206,7 @@ static void dwc3_free_one_event_buffer(struct dwc3 *dwc,
>                 struct dwc3_event_buffer *evt)
>  {
>         dma_free_coherent(evt->buf);
> +       free(evt);

Hi Gurumoorthy,

evt is allocated using devm_kzalloc, so this change introduces a
double-free causing a crash when tearing down a USB gadget mode
session on my Rockchip RK3576 board:

=> ums 0 scsi 0:0
...
CTRL+C - Operation aborted
"Synchronous Abort" handler, esr 0x96000004, far 0xfffffffffe04e990
elr: 00000000408333f8 lr : 0000000040869e90 (reloc)
elr: 00000000ffe4a3f8 lr : 00000000ffe80e90
x0 : 00000000ffe592d0 x1 : 00000000ffe592d2
x2 : 7d00000000000000 x3 : fffffffffe04e980
x4 : 00000000ffef1e68 x5 : 00000000fdea7c52
x6 : 00000000ffef1e78 x7 : 00000000fdef81b0
x8 : 0000000000000008 x9 : 0000000000000001
x10: 0000000000000006 x11: 0000000000000008
x12: 00000000fff090ba x13: 0000000000000000
x14: 00000000fff090ba x15: 0000000000ffffff
x16: 00000000ffe793f0 x17: 0000000000000000
x18: 00000000fddf7d70 x19: 0000000000000000
x20: 00000000fdea7c60 x21: 00000000fdea72a8
x22: 00000000ffeebe50 x23: 00000000ffef5e40
x24: 00000000ffef5000 x25: 00000000ffee5966
x26: 00000000fde90b70 x27: 0000000000000000
x28: 0000000000000000 x29: 00000000fddc6350

Code: f0000526 9139e0c6 cb000063 8b000021 (f9400860)
Resetting CPU ...

resetting ...

These offsets translate to:
 ... free at common/dlmalloc.c:1599
      dwc3_free_event_buffers at drivers/usb/dwc3/core.c:253

Reverting this hunk alone fixes the issue for me.

While at that, I see similar asymmetry (devm_kzalloc + kfree) on
dwc->mem, which might also cause double-free issues, but I'm not
hitting them in my usage scenario.

Best regards,
Alexey

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH v2] usb: dwc3: core: fix memory leaks in event buffer cleanup
  2026-05-08 11:01 ` Alexey Charkov
@ 2026-05-08 11:26   ` Marek Vasut
  2026-05-11  9:05     ` Mattijs Korpershoek
  0 siblings, 1 reply; 6+ messages in thread
From: Marek Vasut @ 2026-05-08 11:26 UTC (permalink / raw)
  To: Alexey Charkov, Gurumoorthy Santhakumar
  Cc: marex, trini, mkorpershoek, macromorgan, casey.connolly,
	quic_varada, felipe.balbi, u-boot

On 5/8/26 1:01 PM, Alexey Charkov wrote:
> On Fri, May 8, 2026 at 2:45 PM Gurumoorthy Santhakumar
> <gurumoorthy.santhakumar@oss.qualcomm.com> wrote:
>>
>> In dwc3_free_one_event_buffer(), only the DMA buffer (evt->buf) was
>> being freed via dma_free_coherent(), but the evt structure itself was
>> never explicitly freed, causing a memory leak.
>>
>> In dwc3_free_event_buffers(), the ev_buffs pointer array allocated
>> with memalign() was never freed after iterating and releasing all
>> individual event buffers, causing another memory leak.
>>
>> Fix both leaks by freeing the evt struct in
>> dwc3_free_one_event_buffer() and freeing dwc->ev_buffs in
>> dwc3_free_event_buffers() after all entries have been released.
>>
>> Signed-off-by: Gurumoorthy Santhakumar <gurumoorthy.santhakumar@oss.qualcomm.com>
>> ---
>> Changes in V2:
>> - Removed redundant NULL check before free
>> - Removed NULL assignment to the pointer after free
>> - Link to V1:
>> https://lore.kernel.org/u-boot/20260414055013.2978223-1-gurumoorthy.santhakumar@oss.qualcomm.com/
>> ---
>> ---
>>   drivers/usb/dwc3/core.c | 3 +++
>>   1 file changed, 3 insertions(+)
>>
>> diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c
>> index 6f22b9232ba..65c4d1a4e6f 100644
>> --- a/drivers/usb/dwc3/core.c
>> +++ b/drivers/usb/dwc3/core.c
>> @@ -206,6 +206,7 @@ static void dwc3_free_one_event_buffer(struct dwc3 *dwc,
>>                  struct dwc3_event_buffer *evt)
>>   {
>>          dma_free_coherent(evt->buf);
>> +       free(evt);
> 
> Hi Gurumoorthy,
> 
> evt is allocated using devm_kzalloc, so this change introduces a
> double-free causing a crash when tearing down a USB gadget mode
> session on my Rockchip RK3576 board:
Can you please also provide a Tested-by: for this fix ?

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH v2] usb: dwc3: core: fix memory leaks in event buffer cleanup
  2026-05-08 11:26   ` Marek Vasut
@ 2026-05-11  9:05     ` Mattijs Korpershoek
  0 siblings, 0 replies; 6+ messages in thread
From: Mattijs Korpershoek @ 2026-05-11  9:05 UTC (permalink / raw)
  To: Marek Vasut, Alexey Charkov, Gurumoorthy Santhakumar
  Cc: marex, trini, mkorpershoek, macromorgan, casey.connolly,
	quic_varada, felipe.balbi, u-boot

Hi Alexey,

Thank you for reporting this issue.

On Fri, May 08, 2026 at 13:26, Marek Vasut <marex@nabladev.com> wrote:

> On 5/8/26 1:01 PM, Alexey Charkov wrote:
>> On Fri, May 8, 2026 at 2:45 PM Gurumoorthy Santhakumar
>> <gurumoorthy.santhakumar@oss.qualcomm.com> wrote:
>>>
>>> In dwc3_free_one_event_buffer(), only the DMA buffer (evt->buf) was
>>> being freed via dma_free_coherent(), but the evt structure itself was
>>> never explicitly freed, causing a memory leak.
>>>
>>> In dwc3_free_event_buffers(), the ev_buffs pointer array allocated
>>> with memalign() was never freed after iterating and releasing all
>>> individual event buffers, causing another memory leak.
>>>
>>> Fix both leaks by freeing the evt struct in
>>> dwc3_free_one_event_buffer() and freeing dwc->ev_buffs in
>>> dwc3_free_event_buffers() after all entries have been released.
>>>
>>> Signed-off-by: Gurumoorthy Santhakumar <gurumoorthy.santhakumar@oss.qualcomm.com>
>>> ---
>>> Changes in V2:
>>> - Removed redundant NULL check before free
>>> - Removed NULL assignment to the pointer after free
>>> - Link to V1:
>>> https://lore.kernel.org/u-boot/20260414055013.2978223-1-gurumoorthy.santhakumar@oss.qualcomm.com/
>>> ---
>>> ---
>>>   drivers/usb/dwc3/core.c | 3 +++
>>>   1 file changed, 3 insertions(+)
>>>
>>> diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c
>>> index 6f22b9232ba..65c4d1a4e6f 100644
>>> --- a/drivers/usb/dwc3/core.c
>>> +++ b/drivers/usb/dwc3/core.c
>>> @@ -206,6 +206,7 @@ static void dwc3_free_one_event_buffer(struct dwc3 *dwc,
>>>                  struct dwc3_event_buffer *evt)
>>>   {
>>>          dma_free_coherent(evt->buf);
>>> +       free(evt);
>> 
>> Hi Gurumoorthy,
>> 
>> evt is allocated using devm_kzalloc, so this change introduces a
>> double-free causing a crash when tearing down a USB gadget mode
>> session on my Rockchip RK3576 board:
> Can you please also provide a Tested-by: for this fix ?

As mentioned by Marek, we already have a fix in review for the problem
you have reported.

It's available here:
https://lore.kernel.org/u-boot/20260507-usb-v3-1-402b37fc2154@oss.qualcomm.com/

Can you please test the above patch and reply with a Tested-by: if it
fixes your problem?

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2026-05-11  9:05 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-16  5:55 [PATCH v2] usb: dwc3: core: fix memory leaks in event buffer cleanup Gurumoorthy Santhakumar
2026-04-16  9:06 ` Marek Vasut
2026-04-17  8:14 ` Mattijs Korpershoek
2026-05-08 11:01 ` Alexey Charkov
2026-05-08 11:26   ` Marek Vasut
2026-05-11  9:05     ` Mattijs Korpershoek

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox