Re: [PATCH] dax/hmem: Fix refcount leak in dax_hmem_probe()

Thu, 01 Jun 2023 19:59:14 -0700 

On Sat, 3 Dec 2022, Ira Weiny wrote:
> On Sat, Dec 03, 2022 at 09:58:58AM +0000, Yongqiang Liu wrote:

> > We should always call dax_region_put() whenever devm_create_dev_dax()
> > succeed or fail to avoid refcount leak of dax_region. Move the return
> > value check after dax_region_put().

> I think dax_region_put is called from dax_region_unregister() automatically on
> tear down.

Hi Ira,

Note the reference dax_region_unregister() will be putting is the one 
devm_create_dev_dax() takes by kref_get(&dax_region->kref). I think 
dax_hmem_probe() needs to put its reference in the error case, as in the 
successful case.

Consider, devm_create_dev_dax() has error paths that return without 
involving dax_region_unregister(), prior to kref_get() and device_add().  
dax_hmem_probe() is clearly responsible for freeing the region in those 
cases.


dax_hmem_probe() drops its own reference in the successful case because 
(per the comment) "child dev_dax instances now own the lifetime of the 
dax_region".  That ownership is the reference that the error-case 
dax_region_unregister() is dropping.  dax_hmem_probe()'s initial reference 
also needs to be dropped in the error case, as in the successful case.


> > Fixes: c01044cc8191 ("ACPI: HMAT: refactor hmat_register_target_device to 
> > hmem_register_device")
> 
> I'm also not sure how this patch is related to this fix.
> 
> Ira
> 
> > Signed-off-by: Yongqiang Liu <liuyongqian...@huawei.com>
> > ---
> >  drivers/dax/hmem/hmem.c | 5 ++---
> >  1 file changed, 2 insertions(+), 3 deletions(-)
> > 
> > diff --git a/drivers/dax/hmem/hmem.c b/drivers/dax/hmem/hmem.c
> > index 1bf040dbc834..09f5cd7b6c8e 100644
> > --- a/drivers/dax/hmem/hmem.c
> > +++ b/drivers/dax/hmem/hmem.c
> > @@ -36,12 +36,11 @@ static int dax_hmem_probe(struct platform_device *pdev)
> >             .size = region_idle ? 0 : resource_size(res),
> >     };
> >     dev_dax = devm_create_dev_dax(&data);
> > -   if (IS_ERR(dev_dax))
> > -           return PTR_ERR(dev_dax);
> >  
> >     /* child dev_dax instances now own the lifetime of the dax_region */

This comment should probably be updated now.  :)


-- 
Paul Cassella


> >     dax_region_put(dax_region);
> > -   return 0;
> > +
> > +   return IS_ERR(dev_dax) ? PTR_ERR(dev_dax) : 0;
> >  }
> >  
> >  static int dax_hmem_remove(struct platform_device *pdev)
> > -- 
> > 2.25.1
> > 
> > 
>

Reply via email to