PCI: fix reference leak in pci_alloc_child_bus()

Commit Message

Ma Ke Jan. 7, 2025, 11:07 a.m. UTC

When device_register(&child->dev) failed, calling put_device() to
explicitly release child->dev. Otherwise, it could cause double free
problem.

Found by code review.

Signed-off-by: Ma Ke <make24@iscas.ac.cn>
---
 drivers/pci/probe.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

Comments

Christophe JAILLET Jan. 7, 2025, 6:48 p.m. UTC | #1

Le 07/01/2025 à 12:07, Ma Ke a écrit :
> When device_register(&child->dev) failed, calling put_device() to
> explicitly release child->dev. Otherwise, it could cause double free
> problem.
> 
> Found by code review.
> 
> Signed-off-by: Ma Ke <make24@iscas.ac.cn>
> ---
>   drivers/pci/probe.c | 5 ++++-
>   1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
> index 2e81ab0f5a25..a61070ce5f88 100644
> --- a/drivers/pci/probe.c
> +++ b/drivers/pci/probe.c
> @@ -1174,7 +1174,10 @@ static struct pci_bus *pci_alloc_child_bus(struct pci_bus *parent,
>   add_dev:
>   	pci_set_bus_msi_domain(child);
>   	ret = device_register(&child->dev);
> -	WARN_ON(ret < 0);
> +	if (WARN_ON(ret < 0)) {
> +		put_device(&child->dev);
> +		return ERR_PTR(ret);

Previously, the code was continuing the execution. I don't know it is 
correct to return at this point.

Anyway, returning ERR_PTR(ret) just looks wrong, because 
pci_add_new_bus() expect NULL in case of error.
Should ERR_PTR(ret) be returned, it is likely basd thing would happen there.

CJ

> +	}
>   
>   	pcibios_add_bus(child);
>

Patch

diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
index 2e81ab0f5a25..a61070ce5f88 100644
--- a/drivers/pci/probe.c
+++ b/drivers/pci/probe.c
@@ -1174,7 +1174,10 @@  static struct pci_bus *pci_alloc_child_bus(struct pci_bus *parent,
 add_dev:
 	pci_set_bus_msi_domain(child);
 	ret = device_register(&child->dev);
-	WARN_ON(ret < 0);
+	if (WARN_ON(ret < 0)) {
+		put_device(&child->dev);
+		return ERR_PTR(ret);
+	}
 
 	pcibios_add_bus(child);