core: release device refs in destructor to fix exit-time leaks (#25)

claude · claude · commit 245350a2308b · 2026-04-26T11:50:29.000Z
NOTE: This patch was generated by an AI coding assistant (Claude). A human contributor should review the diagnosis and the change before merging. See the Assisted-by trailer below, per the format suggested in https://docs.kernel.org/process/coding-assistants.html. The destructor only called libusb_exit(ctx); it never walked usb_busses to free the usb_device wrappers populated by usb_find_devices(). Each wrapper holds a libusb_ref_device() taken in initialize_device(), so at process exit those refs are still outstanding and libusb_exit prints "device X.Y still referenced" warnings. Free the bus/device tree in _usb_exit before libusb_exit so each libusb_unref_device() in free_device() runs. The same helper also fixes the bus-removed branch in usb_find_busses, which previously freed the bus struct without freeing its devices. The ref/unref in initialize_device/free_device is intentionally kept: libusb_free_device_list(dev_list, 1) at the end of usb_find_devices drops the temporary refs, so without the extra ref taken here dev->dev would dangle for any device retained in bus->devices, causing use-after-free in usb_open() and elsewhere (this is what PR #30 missed). Assisted-by: Claude:claude-opus-4-7 https://claude.ai/code/session_01JdNX3ZQuo2ysAVSRJtxNPo
diff --git a/libusb/core.c b/libusb/core.c
@@ -81,8 +81,29 @@ static void __attribute__ ((constructor)) _usb_init (void)
 }
 #endif
 
+static void free_device(struct usb_device *dev);
+
+static void free_bus(struct usb_bus *bus)
+{
+	struct usb_device *dev = bus->devices;
+	while (dev) {
+		struct usb_device *tdev = dev->next;
+		free_device(dev);
+		dev = tdev;
+	}
+	free(bus);
+}
+
 static void __attribute__ ((destructor)) _usb_exit (void)
 {
+	struct usb_bus *bus = usb_busses;
+	while (bus) {
+		struct usb_bus *tbus = bus->next;
+		free_bus(bus);
+		bus = tbus;
+	}
+	usb_busses = NULL;
+
 	if (ctx) {
 		libusb_exit (ctx);
 		ctx = NULL;
@@ -317,7 +338,7 @@ API_EXPORTED int usb_find_busses(void)
 			usbi_dbg("bus %d removed", bus->location);
 			changes++;
 			LIST_DEL(usb_busses, bus);
-			free(bus);
+			free_bus(bus);
 		}
 
 		bus = tbus;
