When an error happens in mctp_usb_probe() the reference count on the usb
interface structure needs to be properly dropped as it was incremented
earlier in the function.
Cc: Jeremy Kerr <jk@codeconstruct.com.au>
Cc: Matt Johnston <matt@codeconstruct.com.au>
Cc: stable <stable@kernel.org>
Assisted-by: gkh_clanker_2000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/mctp/mctp-usb.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/mctp/mctp-usb.c b/drivers/net/mctp/mctp-usb.c
index ef860cfc629f..eef17ae89298 100644
--- a/drivers/net/mctp/mctp-usb.c
+++ b/drivers/net/mctp/mctp-usb.c
@@ -355,6 +355,7 @@ static int mctp_usb_probe(struct usb_interface *intf,
usb_free_urb(dev->tx_urb);
usb_free_urb(dev->rx_urb);
free_netdev(netdev);
+ usb_put_dev(dev->usbdev);
return rc;
}
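Review bot: the added usb_put_dev(dev->usbdev) dereferences dev after free_netdev(netdev) has already run. If dev is the netdev's private data, as the follow-up in this thread states, that read touches memory that may already have been freed. Move the put above free_netdev(netdev), or copy dev->usbdev into a local variable before the free and pass that to usb_put_dev(). The commit message also says "usb interface structure" while the call drops a reference on the USB device, so the wording could be aligned with the code.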
--
2.53.0
Hi Greg, On a second look: > diff --git a/drivers/net/mctp/mctp-usb.c b/drivers/net/mctp/mctp-usb.c > index ef860cfc629f..eef17ae89298 100644 > --- a/drivers/net/mctp/mctp-usb.c > +++ b/drivers/net/mctp/mctp-usb.c > @@ -355,6 +355,7 @@ static int mctp_usb_probe(struct usb_interface *intf, > usb_free_urb(dev->tx_urb); > usb_free_urb(dev->rx_urb); > free_netdev(netdev); > + usb_put_dev(dev->usbdev); > return rc; > } Should we not do the usb_put_dev() before the free_netdev()? Given we're in NETREG_UNINITIALIZED state, we're likely to be immediately freeing netdev there, which includes the netdev_priv data, ie., dev. Cheers, Jeremy
On Tue, Feb 24, 2026 at 09:50:09AM +0800, Jeremy Kerr wrote: > Hi Greg, > > On a second look: > > > diff --git a/drivers/net/mctp/mctp-usb.c b/drivers/net/mctp/mctp-usb.c > > index ef860cfc629f..eef17ae89298 100644 > > --- a/drivers/net/mctp/mctp-usb.c > > +++ b/drivers/net/mctp/mctp-usb.c > > @@ -355,6 +355,7 @@ static int mctp_usb_probe(struct usb_interface *intf, > > usb_free_urb(dev->tx_urb); > > usb_free_urb(dev->rx_urb); > > free_netdev(netdev); > > + usb_put_dev(dev->usbdev); > > return rc; > > } > > Should we not do the usb_put_dev() before the free_netdev()? Why? The usb_put_dev() doesn't really do anything, except for the fact that you have to do it because you did a usb_get_dev() earlier. In reality, no USB driver needs to call get/put on a usb device at all, that is a bad pattern I made years ago for no good reason, sorry about that. I really should just sweep the tree to fix that up one of these days, odds are a coccinelle script can do that... > Given we're in NETREG_UNINITIALIZED state, we're likely to be > immediately freeing netdev there, which includes the netdev_priv data, > ie., dev. That's great, but again, the usb device will still be around as the usb core ensures that for the lifetime of probe/remove, the device will be there with a reference. So there's no real reason to put it anywhere in this list, other than last as that mirrors when this was grabbed, right? thanks, greg k-h
Hi Greg, > > > diff --git a/drivers/net/mctp/mctp-usb.c b/drivers/net/mctp/mctp-usb.c > > > index ef860cfc629f..eef17ae89298 100644 > > > --- a/drivers/net/mctp/mctp-usb.c > > > +++ b/drivers/net/mctp/mctp-usb.c > > > @@ -355,6 +355,7 @@ static int mctp_usb_probe(struct usb_interface *intf, > > > usb_free_urb(dev->tx_urb); > > > usb_free_urb(dev->rx_urb); > > > free_netdev(netdev); > > > + usb_put_dev(dev->usbdev); > > > return rc; > > > } > > > > Should we not do the usb_put_dev() before the free_netdev()? > > Why? The usb_put_dev() doesn't really do anything, except for the fact > that you have to do it because you did a usb_get_dev() earlier. More that the dev-> dereference may be invalid at that point, since the netdev (and hence dev) has been free_netdev()-ed. Cheers, Jeremy
On Tue, Feb 24, 2026 at 02:31:03PM +0800, Jeremy Kerr wrote: > Hi Greg, > > > > > diff --git a/drivers/net/mctp/mctp-usb.c b/drivers/net/mctp/mctp-usb.c > > > > index ef860cfc629f..eef17ae89298 100644 > > > > --- a/drivers/net/mctp/mctp-usb.c > > > > +++ b/drivers/net/mctp/mctp-usb.c > > > > @@ -355,6 +355,7 @@ static int mctp_usb_probe(struct usb_interface *intf, > > > > usb_free_urb(dev->tx_urb); > > > > usb_free_urb(dev->rx_urb); > > > > free_netdev(netdev); > > > > + usb_put_dev(dev->usbdev); > > > > return rc; > > > > } > > > > > > Should we not do the usb_put_dev() before the free_netdev()? > > > > Why? The usb_put_dev() doesn't really do anything, except for the fact > > that you have to do it because you did a usb_get_dev() earlier. > > More that the dev-> dereference may be invalid at that point, since the > netdev (and hence dev) has been free_netdev()-ed. Argh, I missed that, yes, you are right, let me make a v2 of this, thanks for the review! greg k-h
Hi Greg,

> When an error happens in mctp_usb_probe() the reference count on the usb
> interface structure needs to be properly dropped as it was incremented
> earlier in the function.

Looks good, thanks for the fix.

Acked-by: Jeremy Kerr <jk@codeconstruct.com.au>

Cheers,

Jeremy