drivers/hwtracing/coresight/coresight-etm-perf.c | 5 +++++ 1 file changed, 5 insertions(+)
In etm_setup_aux(), when a user sink is obtained via
coresight_get_sink_by_id(), it increments the reference count of the
sink device. However, if the sink is used in path building, the path
holds a reference, but the initial reference from
coresight_get_sink_by_id() is not released, causing a reference count
leak. We should release the initial reference after the path is built.
Found by code review.
Cc: stable@vger.kernel.org
Fixes: 0e6c20517596 ("coresight: etm-perf: Allow an event to use different sinks")
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
---
Changes in v2:
- modified the patch as suggestions.
---
drivers/hwtracing/coresight/coresight-etm-perf.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/hwtracing/coresight/coresight-etm-perf.c b/drivers/hwtracing/coresight/coresight-etm-perf.c
index 17afa0f4cdee..56d012ab6d3a 100644
--- a/drivers/hwtracing/coresight/coresight-etm-perf.c
+++ b/drivers/hwtracing/coresight/coresight-etm-perf.c
@@ -454,6 +454,11 @@ static void *etm_setup_aux(struct perf_event *event, void **pages,
goto err;
out:
+ if (user_sink) {
+ put_device(&user_sink->dev);
+ user_sink = NULL;
+ }
+
return event_data;
err:
--
2.17.1
On 15/12/2025 04:27, Ma Ke wrote:
> In etm_setup_aux(), when a user sink is obtained via
> coresight_get_sink_by_id(), it increments the reference count of the
> sink device. However, if the sink is used in path building, the path
> holds a reference, but the initial reference from
> coresight_get_sink_by_id() is not released, causing a reference count
> leak. We should release the initial reference after the path is built.
>
> Found by code review.
>
> Cc: stable@vger.kernel.org
> Fixes: 0e6c20517596 ("coresight: etm-perf: Allow an event to use different sinks")
> Signed-off-by: Ma Ke <make24@iscas.ac.cn>
> ---
> Changes in v2:
> - modified the patch as suggestions.
I think Leo's comment on the previous v2 is still unaddressed. But
releasing it in coresight_get_sink_by_id() would make it consistent with
coresight_find_csdev_by_fwnode() and prevent further mistakes.
It also leads me to see that users of coresight_find_device_by_fwnode()
should also release it, but only one out of two appears to.
James
> ---
> drivers/hwtracing/coresight/coresight-etm-perf.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/drivers/hwtracing/coresight/coresight-etm-perf.c b/drivers/hwtracing/coresight/coresight-etm-perf.c
> index 17afa0f4cdee..56d012ab6d3a 100644
> --- a/drivers/hwtracing/coresight/coresight-etm-perf.c
> +++ b/drivers/hwtracing/coresight/coresight-etm-perf.c
> @@ -454,6 +454,11 @@ static void *etm_setup_aux(struct perf_event *event, void **pages,
> goto err;
>
> out:
> + if (user_sink) {
> + put_device(&user_sink->dev);
> + user_sink = NULL;
> + }
> +
> return event_data;
>
> err:
On Mon, Dec 15, 2025 at 11:02:08AM +0200, James Clark wrote:
>
>
> On 15/12/2025 04:27, Ma Ke wrote:
> > In etm_setup_aux(), when a user sink is obtained via
> > coresight_get_sink_by_id(), it increments the reference count of the
> > sink device. However, if the sink is used in path building, the path
> > holds a reference, but the initial reference from
> > coresight_get_sink_by_id() is not released, causing a reference count
> > leak. We should release the initial reference after the path is built.
> >
> > Found by code review.
> >
> > Cc: stable@vger.kernel.org
> > Fixes: 0e6c20517596 ("coresight: etm-perf: Allow an event to use different sinks")
> > Signed-off-by: Ma Ke <make24@iscas.ac.cn>
> > ---
> > Changes in v2:
> > - modified the patch as suggestions.
>
> I think Leo's comment on the previous v2 is still unaddressed. But releasing
> it in coresight_get_sink_by_id() would make it consistent with
> coresight_find_csdev_by_fwnode() and prevent further mistakes.
The point is the coresight core layer uses coresight_grab_device() to
increase the device's refcnt. This is why we don't need to grab a
device when setup AUX.
> It also leads me to see that users of coresight_find_device_by_fwnode()
> should also release it, but only one out of two appears to.
Good finding!
Thanks,
Leo
On 12/15/2025 5:51 PM, Leo Yan wrote:
> On Mon, Dec 15, 2025 at 11:02:08AM +0200, James Clark wrote:
>>
>>
>> On 15/12/2025 04:27, Ma Ke wrote:
>>> In etm_setup_aux(), when a user sink is obtained via
>>> coresight_get_sink_by_id(), it increments the reference count of the
>>> sink device. However, if the sink is used in path building, the path
>>> holds a reference, but the initial reference from
>>> coresight_get_sink_by_id() is not released, causing a reference count
>>> leak. We should release the initial reference after the path is built.
>>>
>>> Found by code review.
>>>
>>> Cc: stable@vger.kernel.org
>>> Fixes: 0e6c20517596 ("coresight: etm-perf: Allow an event to use different sinks")
>>> Signed-off-by: Ma Ke <make24@iscas.ac.cn>
>>> ---
>>> Changes in v2:
>>> - modified the patch as suggestions.
>>
>> I think Leo's comment on the previous v2 is still unaddressed. But releasing
>> it in coresight_get_sink_by_id() would make it consistent with
>> coresight_find_csdev_by_fwnode() and prevent further mistakes.
>
> The point is the coresight core layer uses coresight_grab_device() to
> increase the device's refcnt. This is why we don't need to grab a
> device when setup AUX.
That make sense. We dont need to hold the refcnt for a while and it
should be released immediately after locating the required device.
Thanks,
Jie
>
>> It also leads me to see that users of coresight_find_device_by_fwnode()
>> should also release it, but only one out of two appears to.
>
> Good finding!
>
> Thanks,
> Leo
>
© 2016 - 2025 Red Hat, Inc.