From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
To: Ian Abbott <abbotti@mev.co.uk>,
H Hartley Sweeten <hsweeten@visionengravers.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Xiyu Yang <xiyuyang19@fudan.edu.cn>,
Xin Tan <tanxin.ctf@gmail.com>,
devel@driverdev.osuosl.org, linux-kernel@vger.kernel.org
Cc: yuanxzhang@fudan.edu.cn, kjlu@umn.edu
Subject: [PATCH] staging: comedi: Fix comedi_device refcnt leak in comedi_open
Date: Mon, 20 Apr 2020 13:44:16 +0800 [thread overview]
Message-ID: <1587361459-83622-1-git-send-email-xiyuyang19@fudan.edu.cn> (raw)
comedi_open() invokes comedi_dev_get_from_minor(), which returns a
reference of the COMEDI device to "dev" with increased refcount.
When comedi_open() returns, "dev" becomes invalid, so the refcount
should be decreased to keep refcount balanced.
The reference counting issue happens in one exception handling path of
comedi_open(). When "cfp" allocation is failed, the refcnt increased by
comedi_dev_get_from_minor() is not decreased, causing a refcnt leak.
Fix this issue by calling comedi_dev_put() on this error path when "cfp"
allocation is failed.
Fixes: 20f083c07565 ("staging: comedi: prepare support for per-file read
and write subdevices")
Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
---
drivers/staging/comedi/comedi_fops.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c
index 08d1bbbebf2d..e84b4fb493d6 100644
--- a/drivers/staging/comedi/comedi_fops.c
+++ b/drivers/staging/comedi/comedi_fops.c
@@ -2725,8 +2725,10 @@ static int comedi_open(struct inode *inode, struct file *file)
}
cfp = kzalloc(sizeof(*cfp), GFP_KERNEL);
- if (!cfp)
+ if (!cfp) {
+ comedi_dev_put(dev);
return -ENOMEM;
+ }
cfp->dev = dev;
--
2.7.4
WARNING: multiple messages have this Message-ID (diff)
From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
To: Ian Abbott <abbotti@mev.co.uk>,
H Hartley Sweeten <hsweeten@visionengravers.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Xiyu Yang <xiyuyang19@fudan.edu.cn>,
Xin Tan <tanxin.ctf@gmail.com>,
devel@driverdev.osuosl.org, linux-kernel@vger.kernel.org
Cc: yuanxzhang@fudan.edu.cn, kjlu@umn.edu
Subject: [PATCH] staging: comedi: Fix comedi_device refcnt leak in comedi_open
Date: Mon, 20 Apr 2020 13:44:16 +0800 [thread overview]
Message-ID: <1587361459-83622-1-git-send-email-xiyuyang19@fudan.edu.cn> (raw)
comedi_open() invokes comedi_dev_get_from_minor(), which returns a
reference of the COMEDI device to "dev" with increased refcount.
When comedi_open() returns, "dev" becomes invalid, so the refcount
should be decreased to keep refcount balanced.
The reference counting issue happens in one exception handling path of
comedi_open(). When "cfp" allocation is failed, the refcnt increased by
comedi_dev_get_from_minor() is not decreased, causing a refcnt leak.
Fix this issue by calling comedi_dev_put() on this error path when "cfp"
allocation is failed.
Fixes: 20f083c07565 ("staging: comedi: prepare support for per-file read
and write subdevices")
Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
---
drivers/staging/comedi/comedi_fops.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c
index 08d1bbbebf2d..e84b4fb493d6 100644
--- a/drivers/staging/comedi/comedi_fops.c
+++ b/drivers/staging/comedi/comedi_fops.c
@@ -2725,8 +2725,10 @@ static int comedi_open(struct inode *inode, struct file *file)
}
cfp = kzalloc(sizeof(*cfp), GFP_KERNEL);
- if (!cfp)
+ if (!cfp) {
+ comedi_dev_put(dev);
return -ENOMEM;
+ }
cfp->dev = dev;
--
2.7.4
_______________________________________________
devel mailing list
devel@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
next reply other threads:[~2020-04-20 5:45 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-20 5:44 Xiyu Yang [this message]
2020-04-20 5:44 ` [PATCH] staging: comedi: Fix comedi_device refcnt leak in comedi_open Xiyu Yang
2020-04-20 10:15 ` Ian Abbott
2020-04-20 10:15 ` Ian Abbott
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1587361459-83622-1-git-send-email-xiyuyang19@fudan.edu.cn \
--to=xiyuyang19@fudan.edu.cn \
--cc=abbotti@mev.co.uk \
--cc=devel@driverdev.osuosl.org \
--cc=gregkh@linuxfoundation.org \
--cc=hsweeten@visionengravers.com \
--cc=kjlu@umn.edu \
--cc=linux-kernel@vger.kernel.org \
--cc=tanxin.ctf@gmail.com \
--cc=yuanxzhang@fudan.edu.cn \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.