Once device_register() failed, we should call put_device() to decrement reference count for cleanup. Or it could cause memory leak.
device_register() includes device_add(). As comment of device_add() says, 'if device_add() succeeds, you should call device_del() when you want to get rid of it. If device_add() has not succeeded, use only put_device() to drop the reference count'.
Found by code review.
Cc: stable@vger.kernel.org Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Ma Ke make24@iscas.ac.cn --- arch/arm/common/locomo.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/arch/arm/common/locomo.c b/arch/arm/common/locomo.c index cb6ef449b987..7274010218ec 100644 --- a/arch/arm/common/locomo.c +++ b/arch/arm/common/locomo.c @@ -255,6 +255,7 @@ locomo_init_one_child(struct locomo *lchip, struct locomo_dev_info *info)
ret = device_register(&dev->dev); if (ret) { + put_device(&dev->dev); out: kfree(dev); }
On Sun, Jan 05, 2025 at 07:11:56PM +0800, Ma Ke wrote:
Once device_register() failed, we should call put_device() to decrement reference count for cleanup. Or it could cause memory leak.
device_register() includes device_add(). As comment of device_add() says, 'if device_add() succeeds, you should call device_del() when you want to get rid of it. If device_add() has not succeeded, use only put_device() to drop the reference count'.
The commit message is not quite correct:
"After calling device_register(), the correct way to dispose of the device is to call put_device() as per the device_register() documentation rather than kfree()."
This reveals that your patch is not completely correct.
diff --git a/arch/arm/common/locomo.c b/arch/arm/common/locomo.c index cb6ef449b987..7274010218ec 100644 --- a/arch/arm/common/locomo.c +++ b/arch/arm/common/locomo.c @@ -255,6 +255,7 @@ locomo_init_one_child(struct locomo *lchip, struct locomo_dev_info *info) ret = device_register(&dev->dev); if (ret) {
out: kfree(dev);put_device(&dev->dev);
... and that leads to the second problem here - this kfree() will lead to a double-free of the device. Once by the reference count dropping to zero, resulting in locomo_dev_release() being called, and then this kfree().
Thanks.
linux-stable-mirror@lists.linaro.org