Re: [PATCH v1] mtd: ubi: fix kref leak on -EBUSY return in ubi_detach_mtd_dev()

Next message: Nayna Jain: "Re: [PATCH v4] KEYS: trusted: Debugging as a feature"
Previous message: Chris Li: "Re: [PATCH v3 3/3] mm/swap_io.c: rename swap_writepage_* to swap_write_folio_*"
In reply to: Yuho Choi: "[PATCH v1] mtd: ubi: fix kref leak on -EBUSY return in ubi_detach_mtd_dev()"
Next in thread: &#xCD5C;&#xC720;&#xD638;: "Re: [PATCH v1] mtd: ubi: fix kref leak on -EBUSY return in ubi_detach_mtd_dev()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Zhihao Cheng

Date: Wed Apr 15 2026 - 23:23:05 EST

在 2026/4/16 9:11, Yuho Choi 写道:

ubi_detach_mtd_dev() calls ubi_get_device() which increments both
ubi->ref_count and the device kref via get_device(). When the device
is busy and anyway==0, the function returns -EBUSY after releasing
ubi_devices_lock, but never calls put_device() to drop the kref
acquired by ubi_get_device(). This leaks the kref, preventing the
device from ever being freed.

Commit 7e84c961b2eb ("mtd: ubi: introduce pre-removal notification
for UBI volumes") moved put_device() to after ubi->is_dead = true
to pair it with the notify+nullify sequence, but inadvertently left
the early -EBUSY return without a matching put_device().

Add put_device(&ubi->dev) before returning -EBUSY to balance the
get_device() inside ubi_get_device().

Fixes: 7e84c961b2eb ("mtd: ubi: introduce pre-removal notification for UBI volumes")
Signed-off-by: Yuho Choi <dbgh9129@xxxxxxxxx>
---
drivers/mtd/ubi/build.c | 1 +
1 file changed, 1 insertion(+)

Reviewed-by: Zhihao Cheng <chengzhihao1@xxxxxxxxxx>

diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c
index 674ad87809df0..d81f5e0395ac0 100644
--- a/drivers/mtd/ubi/build.c
+++ b/drivers/mtd/ubi/build.c
@@ -1106,6 +1106,7 @@ int ubi_detach_mtd_dev(int ubi_num, int anyway)
if (ubi->ref_count) {
if (!anyway) {
spin_unlock(&ubi_devices_lock);
+ put_device(&ubi->dev);
return -EBUSY;
}
/* This may only happen if there is a bug */