Message ID | 20250110010554.1583411-1-joe@pf.is.s.u-tokyo.ac.jp (mailing list archive) |
---|---|
State | In Next |
Delegated to: | Rafael Wysocki |
Headers | show |
Series | powercap: call put_device() on an error path in powercap_register_control_type() | expand |
On Fri, Jan 10, 2025 at 2:06 AM Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp> wrote: > > powercap_register_control_type() calls device_register(), but does not > release the refcount of the device when it fails. Call put_device() > before returning an error to balance the refcount. Since the > kfree(control_type) will be done by powercap_release(), remove the lines > in powercap_register_control_type() before returning error. > > This bug was found by an experimental verifier that I am developing. > > Signed-off-by: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp> > --- > drivers/powercap/powercap_sys.c | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) > > diff --git a/drivers/powercap/powercap_sys.c b/drivers/powercap/powercap_sys.c > index 52c32dcbf7d8..4112a0097338 100644 > --- a/drivers/powercap/powercap_sys.c > +++ b/drivers/powercap/powercap_sys.c > @@ -627,8 +627,7 @@ struct powercap_control_type *powercap_register_control_type( > dev_set_name(&control_type->dev, "%s", name); > result = device_register(&control_type->dev); > if (result) { > - if (control_type->allocated) > - kfree(control_type); > + put_device(&control_type->dev); > return ERR_PTR(result); > } > idr_init(&control_type->idr); > -- Applied as 6.14-rc material, thanks!
diff --git a/drivers/powercap/powercap_sys.c b/drivers/powercap/powercap_sys.c index 52c32dcbf7d8..4112a0097338 100644 --- a/drivers/powercap/powercap_sys.c +++ b/drivers/powercap/powercap_sys.c @@ -627,8 +627,7 @@ struct powercap_control_type *powercap_register_control_type( dev_set_name(&control_type->dev, "%s", name); result = device_register(&control_type->dev); if (result) { - if (control_type->allocated) - kfree(control_type); + put_device(&control_type->dev); return ERR_PTR(result); } idr_init(&control_type->idr);
powercap_register_control_type() calls device_register(), but does not release the refcount of the device when it fails. Call put_device() before returning an error to balance the refcount. Since the kfree(control_type) will be done by powercap_release(), remove the lines in powercap_register_control_type() before returning error. This bug was found by an experimental verifier that I am developing. Signed-off-by: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp> --- drivers/powercap/powercap_sys.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)