[PATCH] usb: gadget: raw_gadget: fix double free in raw_release

Next message: Chih Kai Hsu: "[PATCH net-next v4 0/3] r8152: add helper functions for PLA/USB/PHY OCP registers"
Previous message: kernel test robot: "[linus:master] [xfs] 0ff51a1fd7: WARNING:at_arch/x86/mm/fault.c:#do_user_addr_fault"
Next in thread: Andrey Konovalov: "Re: [PATCH] usb: gadget: raw_gadget: fix double free in raw_release"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: cuiyudong

Date: Thu Mar 26 2026 - 03:44:45 EST

raw_release() had duplicate kref_put() which caused KASAN double-free.
The extra put inside the unregister block is removed to balance refcount.

BUG: KASAN: double-free in dev_free+0x424/0x740
Fixes: f2c2e717642c ("usb: gadget: add raw-gadget interface")
Tested-by: syzbot+25612fe5ab3dcafc3aab@xxxxxxxxxxxxxxxxxxxxxxxxx
Reported-by: syzbot+25612fe5ab3dcafc3aab@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://lore.kernel.org/all/69c401ad.a70a0220.23629d.0000.GAE@xxxxxxxxxx/
Signed-off-by: cuiyudong <cuiyudong@xxxxxxxxxx>
---
drivers/usb/gadget/legacy/raw_gadget.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/drivers/usb/gadget/legacy/raw_gadget.c b/drivers/usb/gadget/legacy/raw_gadget.c
index 4febf8dac7ca..a1fd3fdf1323 100644
--- a/drivers/usb/gadget/legacy/raw_gadget.c
+++ b/drivers/usb/gadget/legacy/raw_gadget.c
@@ -465,12 +465,10 @@ static int raw_release(struct inode *inode, struct file *fd)
dev_err(dev->dev,
"usb_gadget_unregister_driver() failed with %d\n",
ret);
- /* Matches kref_get() in raw_ioctl_run(). */
- kref_put(&dev->count, dev_free);
}

out_put:
- /* Matches dev_new() in raw_open(). */
+ /* Matches dev_new() in raw_open() and kref_get() in raw_ioctl_run(). */
kref_put(&dev->count, dev_free);
return ret;
}
--
2.25.1