Message ID | 20241218071346.2973980-1-make_ruc2021@163.com (mailing list archive) |
---|---|
State | New |
Series | [v3] usb: fix reference leak in usb_new_device() |
On Wed, Dec 18, 2024 at 03:13:46PM +0800, Ma Ke wrote: > When device_add(&udev->dev) succeeds and a later call fails, > usb_new_device() does not properly call device_del(). As comment of > device_add() says, 'if device_add() succeeds, you should call > device_del() when you want to get rid of it. If device_add() has not > succeeded, use only put_device() to drop the reference count'. > > Found by code review. > > Cc: stable@vger.kernel.org > Fixes: 9f8b17e643fe ("USB: make usbdevices export their device nodes instead of using a separate class") > Signed-off-by: Ma Ke <make_ruc2021@163.com> > --- > Changes in v3: > - modified the bug description according to the changes of the patch; > - removed redundant put_device() in patch v2 as suggestions. > Changes in v2: > - modified the bug description to make it more clear; > - added the missed part of the patch. > --- Reviewed-by: Alan Stern <stern@rowland.harvard.edu> > drivers/usb/core/hub.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c > index 4b93c0bd1d4b..21ac9b464696 100644 > --- a/drivers/usb/core/hub.c > +++ b/drivers/usb/core/hub.c > @@ -2663,13 +2663,13 @@ int usb_new_device(struct usb_device *udev) > err = sysfs_create_link(&udev->dev.kobj, > &port_dev->dev.kobj, "port"); > if (err) > - goto fail; > + goto out_del_dev; > > err = sysfs_create_link(&port_dev->dev.kobj, > &udev->dev.kobj, "device"); > if (err) { > sysfs_remove_link(&udev->dev.kobj, "port"); > - goto fail; > + goto out_del_dev; > } > > if (!test_and_set_bit(port1, hub->child_usage_bits)) > @@ -2683,6 +2683,8 @@ int usb_new_device(struct usb_device *udev) > pm_runtime_put_sync_autosuspend(&udev->dev); > return err; > > +out_del_dev: > + device_del(&udev->dev); > fail: > usb_set_device_state(udev, USB_STATE_NOTATTACHED); > pm_runtime_disable(&udev->dev); > -- > 2.25.1 >
diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c index 4b93c0bd1d4b..21ac9b464696 100644 --- a/drivers/usb/core/hub.c +++ b/drivers/usb/core/hub.c @@ -2663,13 +2663,13 @@ int usb_new_device(struct usb_device *udev) err = sysfs_create_link(&udev->dev.kobj, &port_dev->dev.kobj, "port"); if (err) - goto fail; + goto out_del_dev; err = sysfs_create_link(&port_dev->dev.kobj, &udev->dev.kobj, "device"); if (err) { sysfs_remove_link(&udev->dev.kobj, "port"); - goto fail; + goto out_del_dev; } if (!test_and_set_bit(port1, hub->child_usage_bits)) @@ -2683,6 +2683,8 @@ int usb_new_device(struct usb_device *udev) pm_runtime_put_sync_autosuspend(&udev->dev); return err; +out_del_dev: + device_del(&udev->dev); fail: usb_set_device_state(udev, USB_STATE_NOTATTACHED); pm_runtime_disable(&udev->dev);
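Review bot: in the first hunk (@@ -2663), the second sysfs_create_link() failure branch still calls sysfs_remove_link(&udev->dev.kobj, "port") immediately before goto out_del_dev, and the new label then runs device_del(&udev->dev) on the same device. It is worth confirming whether the explicit link removal is still needed once device_del() follows on that path. If it is kept deliberately, a one-line comment in that branch would say why.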
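Review bot: in the second hunk (@@ -2683), out_del_dev falls through into fail with no comment, so only the label order records that device_del() is meant solely for paths taken after device_add() has succeeded. A short comment above out_del_dev stating that, and that any failure before device_add() must keep jumping to fail, would stop a later error path from picking the wrong label. The subject also says "reference leak" while the change adds device_del() and no put_device(), so the description should name what is left behind without it.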
When device_add(&udev->dev) succeeds and a later call fails,
usb_new_device() does not properly call device_del(). As comment of
device_add() says, 'if device_add() succeeds, you should call
device_del() when you want to get rid of it. If device_add() has not
succeeded, use only put_device() to drop the reference count'.

Found by code review.

Cc: stable@vger.kernel.org
Fixes: 9f8b17e643fe ("USB: make usbdevices export their device nodes instead of using a separate class")
Signed-off-by: Ma Ke <make_ruc2021@163.com>

---

Changes in v3:
- modified the bug description according to the changes of the patch;
- removed redundant put_device() in patch v2 as suggestions.

Changes in v2:
- modified the bug description to make it more clear;
- added the missed part of the patch.

---

drivers/usb/core/hub.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)