Re: [PATCH] dax/hmem: Fix refcount leak in dax_hmem_probe()

From: Paul Cassella
Date: Thu Jun 01 2023 - 22:32:41 EST

Next message: Namhyung Kim: "Re: [PATCH V11 05/10] arm64/perf: Add branch stack support in ARMV8 PMU"
Previous message: Hugh Dickins: "Re: [PATCH 01/31] mm: use pmdp_get_lockless() without surplus barrier()"
Next in thread: Ira Weiny: "Re: [PATCH] dax/hmem: Fix refcount leak in dax_hmem_probe()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, 3 Dec 2022, Ira Weiny wrote:
> On Sat, Dec 03, 2022 at 09:58:58AM +0000, Yongqiang Liu wrote:

> > We should always call dax_region_put() whenever devm_create_dev_dax()
> > succeed or fail to avoid refcount leak of dax_region. Move the return
> > value check after dax_region_put().

> I think dax_region_put is called from dax_region_unregister() automatically on
> tear down.

Hi Ira,

Note the reference dax_region_unregister() will be putting is the one
devm_create_dev_dax() takes by kref_get(&dax_region->kref). I think
dax_hmem_probe() needs to put its reference in the error case, as in the
successful case.

Consider, devm_create_dev_dax() has error paths that return without
involving dax_region_unregister(), prior to kref_get() and device_add().
dax_hmem_probe() is clearly responsible for freeing the region in those
cases.

dax_hmem_probe() drops its own reference in the successful case because
(per the comment) "child dev_dax instances now own the lifetime of the
dax_region". That ownership is the reference that the error-case
dax_region_unregister() is dropping. dax_hmem_probe()'s initial reference
also needs to be dropped in the error case, as in the successful case.

> > Fixes: c01044cc8191 ("ACPI: HMAT: refactor hmat_register_target_device to hmem_register_device")
>
> I'm also not sure how this patch is related to this fix.
>
> Ira
>
> > Signed-off-by: Yongqiang Liu <liuyongqiang13@xxxxxxxxxx>
> > ---
> > drivers/dax/hmem/hmem.c | 5 ++---
> > 1 file changed, 2 insertions(+), 3 deletions(-)
> >
> > diff --git a/drivers/dax/hmem/hmem.c b/drivers/dax/hmem/hmem.c
> > index 1bf040dbc834..09f5cd7b6c8e 100644
> > --- a/drivers/dax/hmem/hmem.c
> > +++ b/drivers/dax/hmem/hmem.c
> > @@ -36,12 +36,11 @@ static int dax_hmem_probe(struct platform_device *pdev)
> > .size = region_idle ? 0 : resource_size(res),
> > };
> > dev_dax = devm_create_dev_dax(&data);
> > - if (IS_ERR(dev_dax))
> > - return PTR_ERR(dev_dax);
> >
> > /* child dev_dax instances now own the lifetime of the dax_region */

This comment should probably be updated now. :)

--
Paul Cassella

> > dax_region_put(dax_region);
> > - return 0;
> > +
> > + return IS_ERR(dev_dax) ? PTR_ERR(dev_dax) : 0;
> > }
> >
> > static int dax_hmem_remove(struct platform_device *pdev)
> > --
> > 2.25.1
> >
> >
>

Next message: Namhyung Kim: "Re: [PATCH V11 05/10] arm64/perf: Add branch stack support in ARMV8 PMU"
Previous message: Hugh Dickins: "Re: [PATCH 01/31] mm: use pmdp_get_lockless() without surplus barrier()"
Next in thread: Ira Weiny: "Re: [PATCH] dax/hmem: Fix refcount leak in dax_hmem_probe()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]