Re: [PATCH net 2/2] fsl/fman: Fix refcount handling of fman-related devices

From: Aleksandr Mishin
Date: Thu Oct 17 2024 - 06:55:49 EST



On 17.10.2024 13:01, Paolo Abeni wrote:
On 10/15/24 08:01, Aleksandr Mishin wrote:
In mac_probe() there are multiple calls to of_find_device_by_node(),
fman_bind() and fman_port_bind() which take references to of_dev->dev.
Not all references taken by these calls are released later on the error path
in mac_probe() and in mac_remove(), which leads to reference leaks.

Add references release.

Fixes: 3933961682a3 ("fsl/fman: Add FMan MAC driver")
Signed-off-by: Aleksandr Mishin <amishin@xxxxxxxxxx>
---
Compile tested only.

  drivers/net/ethernet/freescale/fman/mac.c | 62 +++++++++++++++++------
  1 file changed, 47 insertions(+), 15 deletions(-)

diff --git a/drivers/net/ethernet/freescale/fman/mac.c b/drivers/net/ethernet/freescale/fman/mac.c
index 9b863db0bf08..11da139082e1 100644
--- a/drivers/net/ethernet/freescale/fman/mac.c
+++ b/drivers/net/ethernet/freescale/fman/mac.c
@@ -204,7 +204,7 @@ static int mac_probe(struct platform_device *_of_dev)
      if (err) {
          dev_err(dev, "failed to read cell-index for %pOF\n", dev_node);
          err = -EINVAL;
-        goto _return_of_node_put;
+        goto _return_dev_put;
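
Review bot: the retargeted `goto _return_dev_put` on the cell-index failure path is only correct if that label drops exactly one reference on `mac_dev->fman_dev`, and the label body is not part of this hunk, so a reader cannot check the balance from here. A short comment at the label stating that every jump site reaches it holding a single reference on the fman device would help, since the same label is reused further down after `fman_bind()` and the added `put_device()`.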

We are after a successful of_find_device_by_node and prior to fman_bind(), mac_dev->fman_dev refcount is 1


Indeed. refcounts = 1.



@@ -213,40 +213,51 @@ static int mac_probe(struct platform_device *_of_dev)
      if (!priv->fman) {
          dev_err(dev, "fman_bind(%pOF) failed\n", dev_node);
          err = -ENODEV;
-        goto _return_of_node_put;
+        goto _return_dev_put;
      }


refcounts: 1 + 1 = 2.


  +    /* Two references have been taken in of_find_device_by_node()
+     * and fman_bind(). Release one of them here. The second one
+     * will be released in mac_remove().
+     */
+    put_device(mac_dev->fman_dev);


refcounts: 2 - 1 = 1.


      of_node_put(dev_node);
+    dev_node = NULL;
        /* Get the address of the memory mapped registers */
      mac_dev->res = platform_get_mem_or_io(_of_dev, 0);
      if (!mac_dev->res) {
          dev_err(dev, "could not get registers\n");
-        return -EINVAL;
+        err = -EINVAL;
+        goto _return_dev_put;
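
Review bot: the comment added above `put_device(mac_dev->fman_dev);` says the remaining reference "will be released in mac_remove()", but the `goto _return_dev_put` added for the `platform_get_mem_or_io()` failure releases that same reference on the error path instead, so the comment describes only the success case. Suggest wording it to cover both, for example "released in mac_remove(), or via _return_dev_put on a later probe error", and noting that no `goto` may be added between `fman_bind()` and this `put_device()` without rebalancing. The `dev_node = NULL;` after `of_node_put(dev_node);` would also benefit from a one-line comment naming the later cleanup it protects against a second put.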

Here we are after a successful fman_bind(), mac_dev->fman_dev refcount is 2. _return_dev_put will drop a single reference, this error path looks buggy.


We released 1 reference above with "put_device(mac_dev->fman_dev);".



Similar issue for the _return_dev_arr_put error path below.


Similar situation: we release 1 reference with "put_device(mac_dev->fman_port_devs[i]);".



Cheers,

Paolo

--
Kind regards
Aleksandr