Re: [PATCH v3] drivers/mmc: fix reference count leaks in moxart_probe
From: Ulf Hansson
Date: Thu Sep 30 2021 - 07:14:39 EST
On Tue, 28 Sept 2021 at 04:15, Xin Xiong <xiongx18@xxxxxxxxxxxx> wrote:
>
> The issue happens in several error handling paths on two refcounted
> object related to the object "host" (dma_chan_rx, dma_chan_tx). In
> these paths, the function forgets to decrement one or both objects'
> reference count increased earlier by dma_request_chan(), causing
> reference count leaks.
>
> Fix it by balancing the refcounts of both objects in some error
> handling paths.
>
> Signed-off-by: Xin Xiong <xiongx18@xxxxxxxxxxxx>
> Signed-off-by: Xiyu Yang <xiyuyang19@xxxxxxxxxxxx>
> Signed-off-by: Xin Tan <tanxin.ctf@xxxxxxxxx>
> ---
> drivers/mmc/host/moxart-mmc.c | 12 ++++++++++++
> 1 file changed, 12 insertions(+)
>
> diff --git a/drivers/mmc/host/moxart-mmc.c b/drivers/mmc/host/moxart-mmc.c
> index 6c9d38132..f421be7ce 100644
> --- a/drivers/mmc/host/moxart-mmc.c
> +++ b/drivers/mmc/host/moxart-mmc.c
> @@ -621,6 +621,14 @@ static int moxart_probe(struct platform_device *pdev)
> ret = -EPROBE_DEFER;
> goto out;
> }
> + if (!IS_ERR(host->dma_chan_tx)) {
> + dma_release_channel(host->dma_chan_tx);
> + host->dma_chan_tx = NULL;
> + }
> + if (!IS_ERR(host->dma_chan_rx)) {
> + dma_release_channel(host->dma_chan_rx);
> + host->dma_chan_rx = NULL;
> + }
> dev_dbg(dev, "PIO mode transfer enabled\n");
> host->have_dma = false;
> } else {
> @@ -675,6 +683,10 @@ static int moxart_probe(struct platform_device *pdev)
> return 0;
>
> out:
> + if (!IS_ERR_OR_NULL(host->dma_chan_tx))
> + dma_release_channel(host->dma_chan_tx);
> + if (!IS_ERR_OR_NULL(host->dma_chan_rx))
> + dma_release_channel(host->dma_chan_rx);
> if (mmc)
> mmc_free_host(mmc);
> return ret;
This looks much better! However, it seems like we also need to deal
with the NULL case in moxart_remove(), similar to as above.
Kind regards
Uffe