Re: [PATCH v2] dmaengine: Fix refcount leak in channel register error path

Next message: christian . koever-draxl: "[PATCH v2 0/2] Add support for Amediatech X98Q (Amlogic S905W2)"
Previous message: christian . koever-draxl: "[PATCH v2 2/2] arm64: dts: amlogic: add support for X98Q"
Next in thread: Guangshuo Li: "Re: [PATCH v2] dmaengine: Fix refcount leak in channel register error path"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Frank Li

Date: Mon Apr 20 2026 - 02:23:49 EST

On Mon, Apr 13, 2026 at 09:58:57PM +0800, Guangshuo Li wrote:
> After device_register(), the lifetime of the embedded struct device is
> expected to be managed through the device core reference counting.
>
> In __dma_async_device_channel_register(), if device_register() fails,
> the error path frees chan->dev directly instead of releasing the device
> reference with put_device(). This bypasses the normal device lifetime
> rules and may leave the reference count of the embedded struct device
> unbalanced, resulting in a refcount leak.
>
> The issue was identified by a static analysis tool I developed and
> confirmed by manual review.

I think it is meanless, no one reproduce this. Provide tools link if open
source. Or you descript how problem happen.

> diff --git a/drivers/dma/dmaengine.c b/drivers/dma/dmaengine.c
> index ca13cd39330b..6bb1212ae0e1 100644
> --- a/drivers/dma/dmaengine.c
> +++ b/drivers/dma/dmaengine.c
> @@ -1111,8 +1111,12 @@ static int __dma_async_device_channel_register(struct dma_device *device,
>
> err_out_ida:
> ida_free(&device->chan_ida, chan->chan_id);
> + put_device(&chan->dev->device);
> + chan->dev = NULL;
> + goto err_free_local;

avoid err path goto again

Frank

> err_free_dev:
> kfree(chan->dev);
> + chan->dev = NULL;
> err_free_local:
> free_percpu(chan->local);
> chan->local = NULL;
> --
> 2.43.0
>