[PATCH] sunvdc: Balance device refcount in vdc_port_mpgroup_check

[PATCH] sunvdc: Balance device refcount in vdc_port_mpgroup_check

[Ma Ke]

Using device_find_child() to locate a probed virtual-device-port node
causes a device refcount imbalance, as device_find_child() internally
calls get_device() to increment the device’s reference count before
returning its pointer. vdc_port_mpgroup_check() directly returns true
upon finding a matching device without releasing the reference via
put_device(). We should call put_device() to decrement refcount.

As comment of device_find_child() says, 'NOTE: you will need to drop
the reference with put_device() after use'.

Found by code review.

Cc: stable@vger.kernel.org
Fixes: 3ee70591d6c4 ("sunvdc: prevent sunvdc panic when mpgroup disk added to guest domain")
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
---
 drivers/block/sunvdc.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/drivers/block/sunvdc.c b/drivers/block/sunvdc.c
index b5727dea15bd..b6dbd5dd2723 100644
--- a/drivers/block/sunvdc.c
+++ b/drivers/block/sunvdc.c
@@ -950,6 +950,7 @@ static bool vdc_port_mpgroup_check(struct vio_dev *vdev)
 {
 	struct vdc_check_port_data port_data;
 	struct device *dev;
+	bool found = false;
 
 	port_data.dev_no = vdev->dev_no;
 	port_data.type = (char *)&vdev->type;
@@ -957,10 +958,12 @@ static bool vdc_port_mpgroup_check(struct vio_dev *vdev)
 	dev = device_find_child(vdev->dev.parent, &port_data,
 				vdc_device_probed);
 
-	if (dev)
-		return true;
+	if (dev) {
+		found = true;
+		put_device(dev);
+	}
 
-	return false;
+	return found;
 }
 
 static int vdc_port_probe(struct vio_dev *vdev, const struct vio_device_id *id)
-- 
2.25.1

Re: [PATCH] sunvdc: Balance device refcount in vdc_port_mpgroup_check

[Shannon Nelson]

On 7/18/25 1:22 AM, Ma Ke wrote:
> Using device_find_child() to locate a probed virtual-device-port node
> causes a device refcount imbalance, as device_find_child() internally
> calls get_device() to increment the device’s reference count before
> returning its pointer. vdc_port_mpgroup_check() directly returns true
> upon finding a matching device without releasing the reference via
> put_device(). We should call put_device() to decrement refcount.
>
> As comment of device_find_child() says, 'NOTE: you will need to drop
> the reference with put_device() after use'.
>
> Found by code review.
>
> Cc: stable@vger.kernel.org
> Fixes: 3ee70591d6c4 ("sunvdc: prevent sunvdc panic when mpgroup disk added to guest domain")
> Signed-off-by: Ma Ke <make24@iscas.ac.cn>
> ---
>   drivers/block/sunvdc.c | 9 ++++++---
>   1 file changed, 6 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/block/sunvdc.c b/drivers/block/sunvdc.c
> index b5727dea15bd..b6dbd5dd2723 100644
> --- a/drivers/block/sunvdc.c
> +++ b/drivers/block/sunvdc.c
> @@ -950,6 +950,7 @@ static bool vdc_port_mpgroup_check(struct vio_dev *vdev)
>   {
>   	struct vdc_check_port_data port_data;
>   	struct device *dev;
> +	bool found = false;
>   
>   	port_data.dev_no = vdev->dev_no;
>   	port_data.type = (char *)&vdev->type;
> @@ -957,10 +958,12 @@ static bool vdc_port_mpgroup_check(struct vio_dev *vdev)
>   	dev = device_find_child(vdev->dev.parent, &port_data,
>   				vdc_device_probed);
>   
> -	if (dev)
> -		return true;
> +	if (dev) {
> +		found = true;
> +		put_device(dev);
> +	}
>   
> -	return false;
> +	return found;

Don't bother with adding the extra bits just to get a single point of 
exit: keep with the existing style and keep the change simple.

if (dev) {
     put_device(dev);
     return true;
}

(and why am I getting copied on a block device change?)

sln



>   }
>   
>   static int vdc_port_probe(struct vio_dev *vdev, const struct vio_device_id *id)