Re: [PATCH] PCI/TSM: fix use-after-free in find_dsm_dev()

From: Lukas Wunner

Date: Mon Jun 15 2026 - 23:17:24 EST


On Tue, Jun 16, 2026 at 03:02:43AM +0000, Wentao Liang wrote:
> In find_dsm_dev(), pf0 is obtained via pf0_dev_get() which returns a
> reference-counted pointer. It is declared with __free(pci_dev_put),
> so pci_dev_put() will be called when the variable goes out of scope.
> Returning 'pf0' directly while it still has __free cleanup causes the
> reference to be dropped before the caller can use the pointer, leading
> to a use-after-free.

No, the code comment preceding find_dsm_dev() explicitly states:

"Note that no additional reference is held for the resulting device
because that resulting object always has a registered lifetime
greater-than-or-equal to that of the @pdev argument."

Your patch looks like it may be an LLM-generated hallucination.
Did you use an LLM to come up with the patch? If so, please use
an Assisted-by tag per Documentation/process/coding-assistants.rst
so that we know to expect hallucinations.

Thanks,

Lukas
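
The lifetime question in this exchange, as an added userspace model that is not part of the original message and is not kernel code: a pointer returned from a scope-cleanup variable carries no reference of its own, so it stays valid only while something else keeps the object alive. All names (`struct dev`, `dev_get`, `dev_put`, `AUTO_PUT`, `find_borrowed`, `find_owned`, `lookup`) are hypothetical, and a `freed` flag stands in for the actual release.

```c
#include <stdio.h>

/* Constructed userspace model; every name here is hypothetical. */
struct dev { int refs; int freed; };

static struct dev *dev_get(struct dev *d) { if (d) d->refs++; return d; }
static void dev_put(struct dev *d) { if (d && --d->refs == 0) d->freed = 1; }

/* Scope-exit handler, standing in for __free(pci_dev_put). */
static void put_on_exit(struct dev **p) { dev_put(*p); }
#define AUTO_PUT __attribute__((cleanup(put_on_exit)))

/* Borrowed return: the return value is read first, then the handler drops
 * the reference taken here. The caller gets a pointer but no reference. */
static struct dev *find_borrowed(struct dev *d)
{
    struct dev *found AUTO_PUT = dev_get(d);
    return found;
}

/* Owned return: clear the variable so the handler sees NULL and the
 * reference travels to the caller (the role of the kernel's no_free_ptr()). */
static struct dev *find_owned(struct dev *d)
{
    struct dev *found AUTO_PUT = dev_get(d);
    struct dev *ret = found;
    found = NULL;
    return ret;
}

/* Runs one lookup on a device that starts with base_refs references held
 * elsewhere (1 models a registered device) and returns the final state. */
static struct dev lookup(int base_refs, int owned)
{
    struct dev d = { .refs = base_refs, .freed = 0 };
    struct dev *p = owned ? find_owned(&d) : find_borrowed(&d);
    (void)p;
    return d;
}

int main(void)
{
    struct dev a = lookup(1, 0), b = lookup(0, 0), c = lookup(1, 1);
    printf("registered, borrowed: refs=%d freed=%d\n", a.refs, a.freed);
    printf("unreferenced, borrowed: refs=%d freed=%d\n", b.refs, b.freed);
    printf("registered, owned: refs=%d freed=%d\n", c.refs, c.freed);
    return 0;
}
```

In the model, the borrowed pointer is safe exactly when a reference outside the lookup outlives the caller's use of it, which is the property the quoted code comment asserts for find_dsm_dev().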