Using device_find_child() to lookup the proper device to destroy causes an unbalance in device refcount, since device_find_child() calls an implicit get_device() to increment the device's reference count before returning the pointer. cxl_port_find_switch_decoder() directly converts this pointer to a cxl_decoder and returns it without releasing the reference properly. We should call put_device() to decrement reference count.
As comment of device_find_child() says, 'NOTE: you will need to drop the reference with put_device() after use'.
Found by code review.
Cc: stable@vger.kernel.org Fixes: d6879d8cfb81 ("cxl/region: Add function to find a port's switch decoder by range") Signed-off-by: Ma Ke make24@iscas.ac.cn --- drivers/cxl/core/region.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/drivers/cxl/core/region.c b/drivers/cxl/core/region.c index 6e5e1460068d..cae16d761261 100644 --- a/drivers/cxl/core/region.c +++ b/drivers/cxl/core/region.c @@ -3234,6 +3234,9 @@ cxl_port_find_switch_decoder(struct cxl_port *port, struct range *hpa) struct device *cxld_dev = device_find_child(&port->dev, hpa, match_decoder_by_range);
+ /* Drop the refcnt bumped implicitly by device_find_child */ + put_device(cxld_dev); + return cxld_dev ? to_cxl_decoder(cxld_dev) : NULL; }