nfc_genl_dump_targets() increments the device reference count via
nfc_get_device() but fails to decrement it properly. nfc_get_device()
calls class_find_device() which internally calls get_device() to
increment the reference count. No corresponding put_device() is made
to decrement the reference count.
Add proper reference count decrementing using nfc_put_device() when
the dump operation completes or encounters an error, ensuring balanced
reference counting.
Found by code review.
Cc: stable@vger.kernel.org
Fixes: 4d12b8b129f1 ("NFC: add nfc generic netlink interface")
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
---
net/nfc/netlink.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/net/nfc/netlink.c b/net/nfc/netlink.c
index a18e2c503da6..9ae138ee91dd 100644
--- a/net/nfc/netlink.c
+++ b/net/nfc/netlink.c
@@ -159,6 +159,11 @@ static int nfc_genl_dump_targets(struct sk_buff *skb,
cb->args[0] = i;
+ if (rc < 0 || i >= dev->n_targets) {
+ nfc_put_device(dev);
+ cb->args[1] = 0;
+ }
+
return skb->len;
}
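Review bot: the `nfc_put_device(dev)` added under `rc < 0 || i >= dev->n_targets` releases the reference on every completed or failed dump pass, yet nothing in the hunk or the changelog shows that a reference is taken on every pass, and the replies in this thread state that the get happens only in some cases and that the dump's done() callback already puts the device. Before a second put is introduced here, the commit message should say on which call of the dump the reference is acquired, where done() releases it, and why clearing `cb->args[1]` on this path is safe given that done() relies on that slot; without that, the change risks an unbalanced put rather than fixing one. The changelog should also state how the patch was tested, since a refcount imbalance in either direction only shows up when a targets dump is exercised end to end.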
--
2.17.1
On 21/11/2025 03:27, Ma Ke wrote:
> nfc_genl_dump_targets() increments the device reference count via
Only in some cases, but you drop it unconditionally.
> nfc_get_device() but fails to decrement it properly. nfc_get_device()
> calls class_find_device() which internally calls get_device() to
> increment the reference count. No corresponding put_device() is made
> to decrement the reference count.
>
> Add proper reference count decrementing using nfc_put_device() when
> the dump operation completes or encounters an error, ensuring balanced
> reference counting.
>
> Found by code review.
Drop, there is no point nor need to say that humans did the work. This
actually rather suggests you used LLM and disguise your finding as "code
review".
No, LLM is not code review.
>
> Cc: stable@vger.kernel.org
> Fixes: 4d12b8b129f1 ("NFC: add nfc generic netlink interface")
> Signed-off-by: Ma Ke <make24@iscas.ac.cn>
> ---
> net/nfc/netlink.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/net/nfc/netlink.c b/net/nfc/netlink.c
> index a18e2c503da6..9ae138ee91dd 100644
> --- a/net/nfc/netlink.c
> +++ b/net/nfc/netlink.c
> @@ -159,6 +159,11 @@ static int nfc_genl_dump_targets(struct sk_buff *skb,
>
> cb->args[0] = i;
>
> + if (rc < 0 || i >= dev->n_targets) {
> + nfc_put_device(dev);
> + cb->args[1] = 0;
Did you test it?
Best regards,
Krzysztof
On 24/11/2025 09:24, Krzysztof Kozlowski wrote:
> On 21/11/2025 03:27, Ma Ke wrote:
>> nfc_genl_dump_targets() increments the device reference count via
>
> Only in some cases, but you drop it unconditionally.
>
>> nfc_get_device() but fails to decrement it properly. nfc_get_device()
>> calls class_find_device() which internally calls get_device() to
>> increment the reference count. No corresponding put_device() is made
>> to decrement the reference count.
>>
>> Add proper reference count decrementing using nfc_put_device() when
>> the dump operation completes or encounters an error, ensuring balanced
>> reference counting.
>>
>> Found by code review.
>
> Drop, there is no point nor need to say that humans did the work. This
> actually rather suggests you used LLM and disguise your finding as "code
> review".
>
> No, LLM is not code review.
Looks like LLM.
>
>>
>> Cc: stable@vger.kernel.org
>> Fixes: 4d12b8b129f1 ("NFC: add nfc generic netlink interface")
>> Signed-off-by: Ma Ke <make24@iscas.ac.cn>
>> ---
>> net/nfc/netlink.c | 5 +++++
>> 1 file changed, 5 insertions(+)
>>
>> diff --git a/net/nfc/netlink.c b/net/nfc/netlink.c
>> index a18e2c503da6..9ae138ee91dd 100644
>> --- a/net/nfc/netlink.c
>> +++ b/net/nfc/netlink.c
>> @@ -159,6 +159,11 @@ static int nfc_genl_dump_targets(struct sk_buff *skb,
>>
>> cb->args[0] = i;
>>
>> + if (rc < 0 || i >= dev->n_targets) {
>> + nfc_put_device(dev);
>> + cb->args[1] = 0;
>
> Did you test it?
I am pretty sure this is a double put and thus a bug. There is a put in done().
Best regards,
Krzysztof
© 2016 - 2025 Red Hat, Inc.