* [PATCH] PCI/AER: Fix device reference leak in aer_inject()
From: Aadityarangan Shridhar Iyengar @ 2026-03-17 17:27 UTC (permalink / raw)
To: bhelgaas; +Cc: linux-pci, linux-kernel, adiyenga
In aer_inject(), pcie_port_find_device() returns a device with an
incremented reference count. The function returns this device but never
calls put_device() to release the reference, resulting in a reference leak.
Fix this by calling put_device() after using the device in both the success
and error paths.
Fixes: 0e98db259fd8 ("PCI/AER: Reuse existing pcie_port_find_device() interface")
Signed-off-by: Aadityarangan Shridhar Iyengar <adiyenga@cisco.com>
---
drivers/pci/pcie/aer_inject.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/pci/pcie/aer_inject.c b/drivers/pci/pcie/aer_inject.c
index 09bfc7194ef3..5025843157b1 100644
--- a/drivers/pci/pcie/aer_inject.c
+++ b/drivers/pci/pcie/aer_inject.c
@@ -467,11 +467,13 @@ static int aer_inject(struct aer_error_inj *einj)
if (!get_service_data(edev)) {
pci_warn(edev->port, "AER service is not initialized\n");
ret = -EPROTONOSUPPORT;
+ put_device(device);
goto out_put;
}
pci_info(edev->port, "Injecting errors %08x/%08x into device %s\n",
einj->cor_status, einj->uncor_status, pci_name(dev));
ret = irq_inject_interrupt(edev->irq);
+ put_device(device);
} else {
pci_err(rpdev, "AER device not found\n");
ret = -ENODEV;
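Review bot: Both added put_device(device) calls, the one before goto out_put in the -EPROTONOSUPPORT branch and the one after irq_inject_interrupt(), release a reference that nothing in this hunk shows being taken. The changelog attributes it to pcie_port_find_device(), so that claim has to be checked against the helper itself: if the lookup hands back a borrowed pointer, these calls drop a reference the caller never owned. Please point to the get_device() (or equivalent) that each put pairs with, or drop the calls.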
--
2.35.6
* Re: [PATCH] PCI/AER: Fix device reference leak in aer_inject()
From: Bjorn Helgaas @ 2026-03-17 21:17 UTC (permalink / raw)
To: Aadityarangan Shridhar Iyengar; +Cc: bhelgaas, linux-pci, linux-kernel
On Tue, Mar 17, 2026 at 10:57:32PM +0530, Aadityarangan Shridhar Iyengar wrote:
> In aer_inject(), pcie_port_find_device() returns a device with an
> incremented reference count. The function returns this device but never
> calls put_device() to release the reference, resulting in a reference leak.
From AI
(https://sashiko.dev/#/patchset/20260317172732.58053-1-adiyenga%40cisco.com):
Is this description accurate? Looking at pcie_port_find_device(), it
uses device_for_each_child() with the find_service_iter() callback.
Unlike device_find_child(), neither of these functions calls
get_device() on the matched child device to increment its reference
count.
> Fix this by calling put_device() after using the device in both the success
> and error paths.
>
> Fixes: 0e98db259fd8 ("PCI/AER: Reuse existing pcie_port_find_device() interface")
> Signed-off-by: Aadityarangan Shridhar Iyengar <adiyenga@cisco.com>
> ---
> drivers/pci/pcie/aer_inject.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/pci/pcie/aer_inject.c b/drivers/pci/pcie/aer_inject.c
> index 09bfc7194ef3..5025843157b1 100644
> --- a/drivers/pci/pcie/aer_inject.c
> +++ b/drivers/pci/pcie/aer_inject.c
> @@ -467,11 +467,13 @@ static int aer_inject(struct aer_error_inj *einj)
> if (!get_service_data(edev)) {
> pci_warn(edev->port, "AER service is not initialized\n");
> ret = -EPROTONOSUPPORT;
> + put_device(device);
> goto out_put;
> }
> pci_info(edev->port, "Injecting errors %08x/%08x into device %s\n",
> einj->cor_status, einj->uncor_status, pci_name(dev));
> ret = irq_inject_interrupt(edev->irq);
> + put_device(device);
> } else {
> pci_err(rpdev, "AER device not found\n");
> ret = -ENODEV;
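Review bot: The release is open-coded twice, once directly before goto out_put and once after irq_inject_interrupt(), so cleanup is now split between inline calls and the out_put label. If the reference does turn out to be caller-owned, a single put_device(device) on a shared exit path would cover both branches and any added later. The "AER device not found" else branch at the bottom of the hunk gets no release, so the patch relies on no reference being held there; the changelog should say why.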
> --
> 2.35.6
>
* Re: [PATCH] PCI/AER: Fix device reference leak in aer_inject()
From: Aadityarangan Shridhar Iyengar @ 2026-03-18 10:35 UTC (permalink / raw)
To: bhelgaas; +Cc: linux-pci, linux-kernel, adiyenga
On Mon, Mar 17, 2026 at 09:17:00PM +0000, Bjorn Helgaas wrote:
> From AI
> (https://sashiko.dev/#/patchset/20260317172732.58053-1-adiyenga%40cisco.com):
>
> Is this description accurate? Looking at pcie_port_find_device(), it
> uses device_for_each_child() with the find_service_iter() callback.
> Unlike device_find_child(), neither of these functions calls
> get_device() on the matched child device to increment its reference
> count.
You're right, the description is inaccurate. I confused
device_for_each_child() with device_find_child(). The latter explicitly
calls get_device() on the matched child and documents that the caller
must call put_device(), but device_for_each_child() does not — the
iterator ref is dropped by klist_iter_exit() and no caller-owned
reference is returned.
Adding put_device() here would underflow the refcount, which is worse
than the original code.
Please drop this patch. Sorry for the noise.
Aditya
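The distinction this reply draws, as an added example that is not part of the thread or of the kernel source: a userspace model in which one lookup returns a borrowed pointer (the device_for_each_child() pattern) and the other returns a caller-owned reference (the device_find_child() pattern), followed by the same extra put. The names struct dev, get_dev, put_dev, find_borrowed, find_owned and owner_final_put are hypothetical.

```c
#include <stdio.h>

/* Userspace model of the refcount rules in this thread; not kernel code. */
struct dev { int refs; int id; };
static void get_dev(struct dev *d) { d->refs++; }

static int put_dev(struct dev *d)
{
	if (d->refs == 0)
		return -1;	/* underflow: more puts than gets */
	d->refs--;
	return 0;
}

/* device_for_each_child()-style lookup: ref held only during each visit. */
static struct dev *find_borrowed(struct dev *kids, int n, int id)
{
	struct dev *found = NULL;
	for (int i = 0; i < n && !found; i++) {
		get_dev(&kids[i]);
		if (kids[i].id == id)
			found = &kids[i];	/* pointer only, no extra get */
		put_dev(&kids[i]);
	}
	return found;
}

/* device_find_child()-style lookup: result carries a caller-owned ref. */
static struct dev *find_owned(struct dev *kids, int n, int id)
{
	struct dev *d = find_borrowed(kids, n, id);
	if (d)
		get_dev(d);
	return d;
}

/* The caller puts the lookup result, then the owner drops its own ref. */
static int owner_final_put(int owned)
{
	struct dev kids[2] = { { 1, 10 }, { 1, 20 } };	/* refs = 1: owner's ref */
	struct dev *d = owned ? find_owned(kids, 2, 20) : find_borrowed(kids, 2, 20);
	put_dev(d);		/* the put_device() the patch adds */
	return put_dev(d);	/* 0 = balanced, -1 = underflow */
}

int main(void)
{
	return printf("owned=%d borrowed=%d\n", owner_final_put(1), owner_final_put(0)) < 0;
}
```

In the kernel the extra put would take the count to zero and release the device while its owner still holds a pointer to it; the model surfaces that as the owner's later put failing.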
* [PATCH] PCI/PTM: Fix memory leak in pcie_ptm_create_debugfs() error path
From: Aadityarangan Shridhar Iyengar @ 2026-01-11 16:36 UTC (permalink / raw)
To: bhelgaas; +Cc: linux-pci, linux-kernel, Aadityarangan Shridhar Iyengar
In pcie_ptm_create_debugfs(), if devm_kasprintf() fails after successfully
allocating ptm_debugfs with kzalloc(), the function returns NULL without
freeing the allocated memory, resulting in a memory leak.
Fix this by adding kfree(ptm_debugfs) before returning NULL in the
devm_kasprintf() error path.
This leak is particularly problematic during memory pressure situations
where devm_kasprintf() is more likely to fail, potentially compounding
the memory exhaustion issue.
Fixes: 132833405e61 ("PCI: Add debugfs support for exposing PTM context")
Signed-off-by: Aadityarangan Shridhar Iyengar <adiyenga@cisco.com>
---
drivers/pci/pcie/ptm.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/pci/pcie/ptm.c b/drivers/pci/pcie/ptm.c
index ed0f9691e7d1..09c0167048a3 100644
--- a/drivers/pci/pcie/ptm.c
+++ b/drivers/pci/pcie/ptm.c
@@ -542,8 +542,10 @@ struct pci_ptm_debugfs *pcie_ptm_create_debugfs(struct device *dev, void *pdata,
return NULL;
dirname = devm_kasprintf(dev, GFP_KERNEL, "pcie_ptm_%s", dev_name(dev));
- if (!dirname)
+ if (!dirname) {
+ kfree(ptm_debugfs);
return NULL;
+ }
ptm_debugfs->debugfs = debugfs_create_dir(dirname, NULL);
ptm_debugfs->pdata = pdata;
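Review bot: The new kfree(ptm_debugfs) in the !dirname branch is needed only because devm_kasprintf() runs after the ptm_debugfs allocation the changelog describes. Building dirname first would leave both early exits as a plain return NULL with nothing to unwind. Separately, dirname is device-managed while ptm_debugfs is freed by hand, so the two objects have different lifetimes; if dirname is only needed for debugfs_create_dir(), a plain kasprintf() freed right after that call would keep them aligned.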
--
2.35.6