From: Jie Gan <jie.gan@oss.qualcomm.com>
To: James Clark <james.clark@linaro.org>
Cc: coresight@lists.linaro.org, linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org,
Suzuki K Poulose <suzuki.poulose@arm.com>,
Mike Leach <mike.leach@arm.com>, Leo Yan <leo.yan@arm.com>,
Alexander Shishkin <alexander.shishkin@linux.intel.com>,
Mathieu Poirier <mathieu.poirier@linaro.org>,
Tingwei Zhang <tingwei.zhang@oss.qualcomm.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: Re: [PATCH] coresight: fix resource leaks on path build failure
Date: Wed, 20 May 2026 09:55:56 +0800 [thread overview]
Message-ID: <5b3785a1-0f53-4b61-bc18-880091c2ce12@oss.qualcomm.com> (raw)
In-Reply-To: <f347bad3-4a11-4f65-b35f-f59c6360ac5b@linaro.org>
On 5/19/2026 9:57 PM, James Clark wrote:
>
>
> On 13/05/2026 2:32 am, Jie Gan wrote:
>> Two related leaks when _coresight_build_path() encounters an error after
>> coresight_grab_device() has already incremented the pm_runtime, module,
>> and device references for a node:
>>
>> 1. In _coresight_build_path(), if kzalloc_obj() for the path node fails
>> after coresight_grab_device() succeeds, coresight_drop_device() was
>> never called, permanently leaking all three references.
>>
>> 2. In coresight_build_path(), on failure the partial path was freed with
>> kfree(path) instead of coresight_release_path(path). kfree() only
>> frees the coresight_path struct itself; it does not iterate path_list
>> to call coresight_drop_device() and kfree() for each coresight_node
>> already added by deeper recursive calls, leaking both the pm_runtime,
>> module, and device references and the node memory for every element
>> on the partial path.
>>
>> Fix both by adding coresight_drop_device() in the OOM unwind of
>> _coresight_build_path(), and replacing kfree(path) with
>> coresight_release_path(path) in coresight_build_path().
>>
>> Fixes: 32b0707a4182 ("coresight: Add try_get_module() in
>> coresight_grab_device()")
>> Fixes: b3e94405941e ("coresight: associating path with session rather
>> than tracer")
>> Signed-off-by: Jie Gan <jie.gan@oss.qualcomm.com>
>> ---
>> drivers/hwtracing/coresight/coresight-core.c | 6 ++++--
>> 1 file changed, 4 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/hwtracing/coresight/coresight-core.c b/drivers/
>> hwtracing/coresight/coresight-core.c
>> index 46f247f73cf6..c1354ea8e11d 100644
>> --- a/drivers/hwtracing/coresight/coresight-core.c
>> +++ b/drivers/hwtracing/coresight/coresight-core.c
>> @@ -825,8 +825,10 @@ static int _coresight_build_path(struct
>> coresight_device *csdev,
>> return ret;
>> node = kzalloc_obj(struct coresight_node);
>> - if (!node)
>> + if (!node) {
>> + coresight_drop_device(csdev);
>> return -ENOMEM;
>> + }
>> node->csdev = csdev;
>> list_add(&node->link, &path->path_list);
>> @@ -851,7 +853,7 @@ struct coresight_path *coresight_build_path(struct
>> coresight_device *source,
>> rc = _coresight_build_path(source, source, sink, path);
>> if (rc) {
>> - kfree(path);
>> + coresight_release_path(path);
>> return ERR_PTR(rc);
>> }
>>
>> ---
>> base-commit: e98d21c170b01ddef366f023bbfcf6b31509fa83
>> change-id: 20260513-fix-memory-leak-issue-034b4a45265e
>>
>> Best regards,
>
> Looks good to me, but sashiko is complaining: https://sashiko.dev/#/
> patchset/20260513-fix-memory-leak-issue-
> v1-1-49822d7bc7d4%40oss.qualcomm.com
>
> I'm trying to understand why it's saying that, but I think the scenario
> is that if there are multiple correct paths to a sink, when one path
> partially fails and a second path succeeds you could get a path_list
> with some garbage entries in it.
I think the coresight_release_path is added to address this situation.
We suffered the path partially failure, and we need release all nodes
already added to the path.
>
> That's kind of a different and existing issue to the one you've fixed,
> and assumes that multiple paths to one sink are possible, which I'm not
> sure is supported?
Each path is unique. We only deal with the issue path for balancing the
reference count.
Thanks,
Jie
>
> It might be as easy as breaking the loop early for any return value
> other than -ENODEV, but I'll leave it to you to decide whether to do
> that here or not.
>
> Reviewed-by: James Clark <james.clark@linaro.org>
>
next prev parent reply other threads:[~2026-05-20 1:56 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-13 1:32 [PATCH] coresight: fix resource leaks on path build failure Jie Gan
2026-05-19 13:57 ` James Clark
2026-05-20 1:55 ` Jie Gan [this message]
2026-05-20 8:38 ` James Clark
2026-05-20 9:27 ` Mike Leach
2026-05-20 10:13 ` Jie Gan
2026-05-20 15:31 ` James Clark
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5b3785a1-0f53-4b61-bc18-880091c2ce12@oss.qualcomm.com \
--to=jie.gan@oss.qualcomm.com \
--cc=alexander.shishkin@linux.intel.com \
--cc=coresight@lists.linaro.org \
--cc=gregkh@linuxfoundation.org \
--cc=james.clark@linaro.org \
--cc=leo.yan@arm.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mathieu.poirier@linaro.org \
--cc=mike.leach@arm.com \
--cc=suzuki.poulose@arm.com \
--cc=tingwei.zhang@oss.qualcomm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox