> -----Original Message-----
> From: 亿一 <teroi...@gmail.com>
> Sent: Wednesday, May 06, 2020 17:47
> To: Winkler, Tomas <tomas.wink...@intel.com>
> Cc: linux-kernel@vger.kernel.org
> Subject: [BUG]is there a refcount leak in function mei_me_cl_rm_by_uuid?

Unfortunately you are correct, but currently it is very hard to hit the issue in real life.
The patch is coming.
Thanks
Tomas

>
> Hi, all
> When reviewing function mei_me_cl_rm_by_uuid, I notice that function
> __mei_me_cl_by_uuid increases the me_cl refcount and function _mei_me_cl_del
> deletes a list node and decrements the me_cl refcount. Does this actually cause a
> refcount leak, as we haven't released the refcount taken by __mei_me_cl_by_uuid?
> A similar issue happens in mei_me_cl_rm_by_uuid_id too.
>
> void mei_me_cl_rm_by_uuid(struct mei_device *dev, const uuid_le *uuid) {
> 	struct mei_me_client *me_cl;
>
> 	dev_dbg(dev->dev, "remove %pUl\n", uuid);
>
> 	down_write(&dev->me_clients_rwsem);
> 	me_cl = __mei_me_cl_by_uuid(dev, uuid); /* increase a refcount */
> 	__mei_me_cl_del(dev, me_cl); /* release the refcount with a list node deleted */
> 	up_write(&dev->me_clients_rwsem);
> }
>
> Best regards,
>
> Lin Yi.
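
The reference imbalance described in the report, as an added user-space model that is not part of the thread or the kernel source. All names (`client`, `lookup`, `del`, `rm_leaky`, `rm_balanced`) are hypothetical, a plain integer stands in for the kernel's reference counter, and the balanced variant is an assumption about how the counts can be evened out, not the patch mentioned in the reply.

```c
#include <stdio.h>
#include <stdlib.h>
/* User-space model with hypothetical names; refcnt stands in for a kref. */
struct client { int refcnt; int on_list; };
static int freed; /* number of objects actually released */

static struct client *client_new(void) {
    struct client *c = calloc(1, sizeof(*c));
    if (c) { c->refcnt = 1; c->on_list = 1; } /* the list owns one reference */
    return c;
}

static void client_put(struct client *c) {
    if (c && --c->refcnt == 0) { free(c); freed++; }
}

/* Lookup hands the object back with an extra reference held by the caller. */
static struct client *lookup(struct client *c) {
    if (c && c->on_list) { c->refcnt++; return c; }
    return NULL;
}

/* Unlink the object and drop only the reference the list held. */
static void del(struct client *c) {
    if (c) { c->on_list = 0; client_put(c); }
}

/* Pattern from the report: returns the refcount left behind (leak if > 0). */
static int rm_leaky(struct client *c) {
    struct client *found = lookup(c);
    del(found);
    return found ? found->refcnt : 0;
}

/* Balanced variant: also drops the lookup reference; returns objects freed. */
static int rm_balanced(struct client *c) {
    struct client *found = lookup(c);
    int before = freed;
    del(found);
    client_put(found);
    return freed - before;
}

int main(void) {
    struct client *a = client_new(), *b = client_new();
    printf("leaky: refcount left behind = %d\n", rm_leaky(a));
    printf("balanced: objects freed = %d\n", rm_balanced(b));
    free(a); /* clean up the object the leaky path could never release */
    return 0;
}
```

In the leaky path the object is unlinked but its count never reaches zero, so nothing can free it afterwards; that is the leak the report points at.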