* [PATCH] media: pci: intel: Balance device refcount when destroying devices
@ 2025-07-14 13:25 Ma Ke
2025-07-15 7:56 ` Andy Shevchenko
0 siblings, 1 reply; 2+ messages in thread
From: Ma Ke @ 2025-07-14 13:25 UTC (permalink / raw)
To: mchehab, ribalda, rafael.j.wysocki, dongcheng.yan, gregkh, make24,
peterz, wentong.wu, sakari.ailus, andriy.shevchenko
Cc: linux-media, linux-kernel, stable
Using ipu_bridge_get_ivsc_csi_dev() to locate the device could cause
an imbalance in the device's reference count.
ipu_bridge_get_ivsc_csi_dev() calls device_find_child_by_name() to
implement the localization, and device_find_child_by_name() calls an
implicit get_device() to increment the device's reference count before
returning the pointer. Throughout the entire implementation process,
no mechanism releases resources properly. This leads to a memory leak
because the reference count of the device is never decremented.
As the comment of device_find_child_by_name() says, 'NOTE: you will
need to drop the reference with put_device() after use'.
Found by code review.
Cc: stable@vger.kernel.org
Fixes: c66821f381ae ("media: pci: intel: Add IVSC support for IPU bridge driver")
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
---
drivers/media/pci/intel/ipu-bridge.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/media/pci/intel/ipu-bridge.c b/drivers/media/pci/intel/ipu-bridge.c
index 83e682e1a4b7..f8b4672accab 100644
--- a/drivers/media/pci/intel/ipu-bridge.c
+++ b/drivers/media/pci/intel/ipu-bridge.c
@@ -192,6 +192,7 @@ static int ipu_bridge_check_ivsc_dev(struct ipu_sensor *sensor,
sensor->csi_dev = csi_dev;
sensor->ivsc_adev = adev;
+ put_device(csi_dev);
}
return 0;
--
2.25.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] media: pci: intel: Balance device refcount when destroying devices
2025-07-14 13:25 [PATCH] media: pci: intel: Balance device refcount when destroying devices Ma Ke
@ 2025-07-15 7:56 ` Andy Shevchenko
0 siblings, 0 replies; 2+ messages in thread
From: Andy Shevchenko @ 2025-07-15 7:56 UTC (permalink / raw)
To: Ma Ke
Cc: mchehab, ribalda, rafael.j.wysocki, dongcheng.yan, gregkh, peterz,
wentong.wu, sakari.ailus, linux-media, linux-kernel, stable
On Mon, Jul 14, 2025 at 09:25:26PM +0800, Ma Ke wrote:
> Using ipu_bridge_get_ivsc_csi_dev() to locate the device could cause
> an imbalance in the device's reference count.
> ipu_bridge_get_ivsc_csi_dev() calls device_find_child_by_name() to
> implement the localization, and device_find_child_by_name() calls an
> implicit get_device() to increment the device's reference count before
> returning the pointer. Throughout the entire implementation process,
> no mechanism releases resources properly. This leads to a memory leak
> because the reference count of the device is never decremented.
>
> As the comment of device_find_child_by_name() says, 'NOTE: you will
> need to drop the reference with put_device() after use'.
>
> Found by code review.
Okay, but have you check unregistering process? Does it have the put_device()
for this or not?
(The analysis is partial.)
--
With Best Regards,
Andy Shevchenko
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2025-07-15 7:56 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-07-14 13:25 [PATCH] media: pci: intel: Balance device refcount when destroying devices Ma Ke
2025-07-15 7:56 ` Andy Shevchenko
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).