[PATCH] media: pci: intel: Balance device refcount when destroying devices

Ma Ke posted 1 patch 2 months, 3 weeks ago
drivers/media/pci/intel/ipu-bridge.c | 1 +
1 file changed, 1 insertion(+)
[PATCH] media: pci: intel: Balance device refcount when destroying devices
Posted by Ma Ke 2 months, 3 weeks ago
Using ipu_bridge_get_ivsc_csi_dev() to locate the device could cause
an imbalance in the device's reference count.
ipu_bridge_get_ivsc_csi_dev() calls device_find_child_by_name() to
implement the localization, and device_find_child_by_name() calls an
implicit get_device() to increment the device's reference count before
returning the pointer. Throughout the entire implementation process,
no mechanism releases resources properly. This leads to a memory leak
because the reference count of the device is never decremented.

As the comment of device_find_child_by_name() says, 'NOTE: you will
need to drop the reference with put_device() after use'.

Found by code review.

Cc: stable@vger.kernel.org
Fixes: c66821f381ae ("media: pci: intel: Add IVSC support for IPU bridge driver")
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
---
 drivers/media/pci/intel/ipu-bridge.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/media/pci/intel/ipu-bridge.c b/drivers/media/pci/intel/ipu-bridge.c
index 83e682e1a4b7..f8b4672accab 100644
--- a/drivers/media/pci/intel/ipu-bridge.c
+++ b/drivers/media/pci/intel/ipu-bridge.c
@@ -192,6 +192,7 @@ static int ipu_bridge_check_ivsc_dev(struct ipu_sensor *sensor,
 
 		sensor->csi_dev = csi_dev;
 		sensor->ivsc_adev = adev;
+		put_device(csi_dev);
 	}
 
 	return 0;
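Review bot: the put_device(csi_dev) added directly after "sensor->csi_dev = csi_dev;" drops the reference while the pointer is still stored in the sensor structure, so any later use of sensor->csi_dev happens without a reference held and the leak is traded for a possible use-after-free if the device goes away. The subject line says the refcount is balanced "when destroying devices", but this hunk is in ipu_bridge_check_ivsc_dev(), not in a teardown path. Consider keeping the reference for as long as sensor->csi_dev is kept and calling put_device() where the sensor is torn down, or state in the commit message why the stored pointer is safe without a reference.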
-- 
2.25.1
Re: [PATCH] media: pci: intel: Balance device refcount when destroying devices
Posted by Andy Shevchenko 2 months, 3 weeks ago
On Mon, Jul 14, 2025 at 09:25:26PM +0800, Ma Ke wrote:
> Using ipu_bridge_get_ivsc_csi_dev() to locate the device could cause
> an imbalance in the device's reference count.
> ipu_bridge_get_ivsc_csi_dev() calls device_find_child_by_name() to
> implement the localization, and device_find_child_by_name() calls an
> implicit get_device() to increment the device's reference count before
> returning the pointer. Throughout the entire implementation process,
> no mechanism releases resources properly. This leads to a memory leak
> because the reference count of the device is never decremented.
> 
> As the comment of device_find_child_by_name() says, 'NOTE: you will
> need to drop the reference with put_device() after use'.
> 
> Found by code review.

Okay, but have you checked the unregistering process? Does it have the put_device()
for this or not?

(The analysis is partial.)

-- 
With Best Regards,
Andy Shevchenko