[PATCH AUTOSEL 5.4 100/266] staging: gasket: Fix mapping refcnt leak when register/store fails
From: Sasha Levin
Date: Wed Jun 17 2020 - 22:21:13 EST
From: Xiyu Yang <xiyuyang19@xxxxxxxxxxxx>
[ Upstream commit e3436ce60cf5f5eaedda2b8c622f69feb97595e2 ]
gasket_sysfs_register_store() invokes get_mapping(), which returns a
reference of the specified gasket_sysfs_mapping object to "mapping" with
increased refcnt.
When gasket_sysfs_register_store() returns, local variable "mapping"
becomes invalid, so the refcount should be decreased to keep refcount
balanced.
The reference counting issue happens in one exception handling path of
gasket_sysfs_register_store(). When gasket_dev is NULL, the function
forgets to decrease the refcnt increased by get_mapping(), causing a
refcnt leak.
Fix this issue by calling put_mapping() when gasket_dev is NULL.
Signed-off-by: Xiyu Yang <xiyuyang19@xxxxxxxxxxxx>
Signed-off-by: Xin Tan <tanxin.ctf@xxxxxxxxx>
Link: https://lore.kernel.org/r/1587618941-13718-1-git-send-email-xiyuyang19@xxxxxxxxxxxx
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---
drivers/staging/gasket/gasket_sysfs.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/staging/gasket/gasket_sysfs.c b/drivers/staging/gasket/gasket_sysfs.c
index ad852ea1d4a9..af26bc9f184a 100644
--- a/drivers/staging/gasket/gasket_sysfs.c
+++ b/drivers/staging/gasket/gasket_sysfs.c
@@ -373,6 +373,7 @@ ssize_t gasket_sysfs_register_store(struct device *device,
gasket_dev = mapping->gasket_dev;
if (!gasket_dev) {
dev_err(device, "Device driver may have been removed\n");
+ put_mapping(mapping);
return 0;
}
--
2.25.1