drivers/block/sunvdc.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-)
Using device_find_child() to locate a probed virtual-device-port node
causes a device refcount imbalance, as device_find_child() internally
calls get_device() to increment the device’s reference count before
returning its pointer. vdc_port_mpgroup_check() directly returns true
upon finding a matching device without releasing the reference via
put_device(). We should call put_device() to decrement refcount.
As comment of device_find_child() says, 'NOTE: you will need to drop
the reference with put_device() after use'.
Found by code review.
Cc: stable@vger.kernel.org
Fixes: 3ee70591d6c4 ("sunvdc: prevent sunvdc panic when mpgroup disk added to guest domain")
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
---
drivers/block/sunvdc.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/block/sunvdc.c b/drivers/block/sunvdc.c
index b5727dea15bd..b6dbd5dd2723 100644
--- a/drivers/block/sunvdc.c
+++ b/drivers/block/sunvdc.c
@@ -950,6 +950,7 @@ static bool vdc_port_mpgroup_check(struct vio_dev *vdev)
{
struct vdc_check_port_data port_data;
struct device *dev;
+ bool found = false;
port_data.dev_no = vdev->dev_no;
port_data.type = (char *)&vdev->type;
@@ -957,10 +958,12 @@ static bool vdc_port_mpgroup_check(struct vio_dev *vdev)
dev = device_find_child(vdev->dev.parent, &port_data,
vdc_device_probed);
- if (dev)
- return true;
+ if (dev) {
+ found = true;
+ put_device(dev);
+ }
- return false;
+ return found;
}
static int vdc_port_probe(struct vio_dev *vdev, const struct vio_device_id *id)
--
2.25.1
On 7/18/25 1:22 AM, Ma Ke wrote:
> Using device_find_child() to locate a probed virtual-device-port node
> causes a device refcount imbalance, as device_find_child() internally
> calls get_device() to increment the device’s reference count before
> returning its pointer. vdc_port_mpgroup_check() directly returns true
> upon finding a matching device without releasing the reference via
> put_device(). We should call put_device() to decrement refcount.
>
> As comment of device_find_child() says, 'NOTE: you will need to drop
> the reference with put_device() after use'.
>
> Found by code review.
>
> Cc: stable@vger.kernel.org
> Fixes: 3ee70591d6c4 ("sunvdc: prevent sunvdc panic when mpgroup disk added to guest domain")
> Signed-off-by: Ma Ke <make24@iscas.ac.cn>
> ---
> drivers/block/sunvdc.c | 9 ++++++---
> 1 file changed, 6 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/block/sunvdc.c b/drivers/block/sunvdc.c
> index b5727dea15bd..b6dbd5dd2723 100644
> --- a/drivers/block/sunvdc.c
> +++ b/drivers/block/sunvdc.c
> @@ -950,6 +950,7 @@ static bool vdc_port_mpgroup_check(struct vio_dev *vdev)
> {
> struct vdc_check_port_data port_data;
> struct device *dev;
> + bool found = false;
>
> port_data.dev_no = vdev->dev_no;
> port_data.type = (char *)&vdev->type;
> @@ -957,10 +958,12 @@ static bool vdc_port_mpgroup_check(struct vio_dev *vdev)
> dev = device_find_child(vdev->dev.parent, &port_data,
> vdc_device_probed);
>
> - if (dev)
> - return true;
> + if (dev) {
> + found = true;
> + put_device(dev);
> + }
>
> - return false;
> + return found;
Don't bother with adding the extra bits just to get a single point of
exit: keep with the existing style and keep the change simple.
if (dev) {
put_device(dev);
return true;
}
(and why am I getting copied on a block device change?)
sln
> }
>
> static int vdc_port_probe(struct vio_dev *vdev, const struct vio_device_id *id)
© 2016 - 2025 Red Hat, Inc.