| Message ID | 20250105111156.277058-1-make24@iscas.ac.cn (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | [ARM] fix reference leak in locomo_init_one_child() | expand |
On Sun, Jan 05, 2025 at 07:11:56PM +0800, Ma Ke wrote: > Once device_register() failed, we should call put_device() to > decrement reference count for cleanup. Or it could cause memory leak. > > device_register() includes device_add(). As comment of device_add() > says, 'if device_add() succeeds, you should call device_del() when you > want to get rid of it. If device_add() has not succeeded, use only > put_device() to drop the reference count'. The commit message is not quite correct: "After calling device_register(), the correct way to dispose of the device is to call put_device() as per the device_register() documentation rather than kfree()." This reveals that your patch is not completely correct. > diff --git a/arch/arm/common/locomo.c b/arch/arm/common/locomo.c > index cb6ef449b987..7274010218ec 100644 > --- a/arch/arm/common/locomo.c > +++ b/arch/arm/common/locomo.c > @@ -255,6 +255,7 @@ locomo_init_one_child(struct locomo *lchip, struct locomo_dev_info *info) > > ret = device_register(&dev->dev); > if (ret) { > + put_device(&dev->dev); > out: > kfree(dev); ... and that leads to the second problem here - this kfree() will lead to a double-free of the device. Once by the reference count dropping to zero, resulting in locomo_dev_release() being called, and then this kfree(). Thanks.
diff --git a/arch/arm/common/locomo.c b/arch/arm/common/locomo.c index cb6ef449b987..7274010218ec 100644 --- a/arch/arm/common/locomo.c +++ b/arch/arm/common/locomo.c @@ -255,6 +255,7 @@ locomo_init_one_child(struct locomo *lchip, struct locomo_dev_info *info) ret = device_register(&dev->dev); if (ret) { + put_device(&dev->dev); out: kfree(dev); }
Once device_register() failed, we should call put_device() to decrement reference count for cleanup. Or it could cause memory leak. device_register() includes device_add(). As comment of device_add() says, 'if device_add() succeeds, you should call device_del() when you want to get rid of it. If device_add() has not succeeded, use only put_device() to drop the reference count'. Found by code review. Cc: stable@vger.kernel.org Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Ma Ke <make24@iscas.ac.cn> --- arch/arm/common/locomo.c | 1 + 1 file changed, 1 insertion(+)