From: Johan Hovold <johan@kernel.org>
To: WenTao Liang <vulab@iscas.ac.cn>
Cc: gregkh@linuxfoundation.org, stern@rowland.harvard.edu,
mathias.nyman@linux.intel.com, khtsai@google.com,
thorsten.blum@linux.dev, kees@kernel.org,
linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
stable@vger.kernel.org
Subject: Re: [PATCH] usb: hub: fix refcount leak in usb_new_device()
Date: Fri, 12 Jun 2026 11:08:45 +0200 [thread overview]
Message-ID: <aivMnTkZ-jTRH2Jy@hovoldconsulting.com> (raw)
In-Reply-To: <20260611130223.80884-1-vulab@iscas.ac.cn>
On Thu, Jun 11, 2026 at 09:02:23PM +0800, WenTao Liang wrote:
> If usb_new_device() fails after pm_runtime_get_noresume() has
> been called, it does not release the corresponding reference.
> In the successful path, the reference is properly dropped via
> pm_runtime_put_sync_autosuspend(). However, when an error
> occurs during enumeration (e.g. usb_enumerate_device() failure)
> or device registration (e.g. device_add() failure), the function
> jumps to the "fail" label. That error cleanup path only disables
> runtime PM and marks the device as suspended, never putting the
> usage count back.
> This results in a permanent imbalance of
> power.usage_count, preventing future runtime PM state transitions
> and proper device cleanup.
Not really, as the device is about to be freed. Sure, the runtime pm
usage count is never balanced, but it does not have any practical
implications whatsoever.
> Fix the leak by adding a pm_runtime_put_noidle() call before
> pm_runtime_disable() in the fail error path, which releases the
> reference without queuing any suspend work and appropriately
> matches the pm_runtime_get
>
> Cc: stable@vger.kernel.org
> Fixes: 9bbdf1e0afe7 ("USB: convert to the runtime PM framework")
So there is no need for either a Fixes or CC-stable tag here.
> Signed-off-by: WenTao Liang <vulab@iscas.ac.cn>
How was this "issue" found? Are you using some kind of static checker or
LLM?
> ---
> drivers/usb/core/hub.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
> index 24960ba9caa9..05f1a4267aec 100644
> --- a/drivers/usb/core/hub.c
> +++ b/drivers/usb/core/hub.c
> @@ -2731,6 +2731,7 @@ int usb_new_device(struct usb_device *udev)
> device_del(&udev->dev);
> fail:
> usb_set_device_state(udev, USB_STATE_NOTATTACHED);
> + pm_runtime_put_noidle(&udev->dev);
The reference should be dropped after disabling (so that the device
cannot possibly be suspended here).
> pm_runtime_disable(&udev->dev);
> pm_runtime_set_suspended(&udev->dev);
> return err;
Johan
prev parent reply other threads:[~2026-06-12 9:08 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-11 13:02 [PATCH] usb: hub: fix refcount leak in usb_new_device() WenTao Liang
2026-06-11 14:11 ` Alan Stern
2026-06-12 9:08 ` Johan Hovold [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aivMnTkZ-jTRH2Jy@hovoldconsulting.com \
--to=johan@kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=kees@kernel.org \
--cc=khtsai@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=mathias.nyman@linux.intel.com \
--cc=stable@vger.kernel.org \
--cc=stern@rowland.harvard.edu \
--cc=thorsten.blum@linux.dev \
--cc=vulab@iscas.ac.cn \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox