[PATCH v1] mtd: ubi: fix kref leak on -EBUSY return in ubi_detach_mtd_dev()

[PATCH v1] mtd: ubi: fix kref leak on -EBUSY return in ubi_detach_mtd_dev()

[Yuho Choi]

ubi_detach_mtd_dev() calls ubi_get_device() which increments both
ubi->ref_count and the device kref via get_device(). When the device
is busy and anyway==0, the function returns -EBUSY after releasing
ubi_devices_lock, but never calls put_device() to drop the kref
acquired by ubi_get_device(). This leaks the kref, preventing the
device from ever being freed.

Commit 7e84c961b2eb ("mtd: ubi: introduce pre-removal notification
for UBI volumes") moved put_device() to after ubi->is_dead = true
to pair it with the notify+nullify sequence, but inadvertently left
the early -EBUSY return without a matching put_device().

Add put_device(&ubi->dev) before returning -EBUSY to balance the
get_device() inside ubi_get_device().

Fixes: 7e84c961b2eb ("mtd: ubi: introduce pre-removal notification for UBI volumes")
Signed-off-by: Yuho Choi <dbgh9129@gmail.com>
---
 drivers/mtd/ubi/build.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c
index 674ad87809df0..d81f5e0395ac0 100644
--- a/drivers/mtd/ubi/build.c
+++ b/drivers/mtd/ubi/build.c
@@ -1106,6 +1106,7 @@ int ubi_detach_mtd_dev(int ubi_num, int anyway)
 	if (ubi->ref_count) {
 		if (!anyway) {
 			spin_unlock(&ubi_devices_lock);
+			put_device(&ubi->dev);
 			return -EBUSY;
 		}
 		/* This may only happen if there is a bug */
-- 
2.50.1 (Apple Git-155)

Re: [PATCH v1] mtd: ubi: fix kref leak on -EBUSY return in ubi_detach_mtd_dev()

[Zhihao Cheng]

在 2026/4/16 9:11, Yuho Choi 写道:
> ubi_detach_mtd_dev() calls ubi_get_device() which increments both
> ubi->ref_count and the device kref via get_device(). When the device
> is busy and anyway==0, the function returns -EBUSY after releasing
> ubi_devices_lock, but never calls put_device() to drop the kref
> acquired by ubi_get_device(). This leaks the kref, preventing the
> device from ever being freed.
> 
> Commit 7e84c961b2eb ("mtd: ubi: introduce pre-removal notification
> for UBI volumes") moved put_device() to after ubi->is_dead = true
> to pair it with the notify+nullify sequence, but inadvertently left
> the early -EBUSY return without a matching put_device().
> 
> Add put_device(&ubi->dev) before returning -EBUSY to balance the
> get_device() inside ubi_get_device().
> 
> Fixes: 7e84c961b2eb ("mtd: ubi: introduce pre-removal notification for UBI volumes")
> Signed-off-by: Yuho Choi <dbgh9129@gmail.com>
> ---
>   drivers/mtd/ubi/build.c | 1 +
>   1 file changed, 1 insertion(+)

Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
> 
> diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c
> index 674ad87809df0..d81f5e0395ac0 100644
> --- a/drivers/mtd/ubi/build.c
> +++ b/drivers/mtd/ubi/build.c
> @@ -1106,6 +1106,7 @@ int ubi_detach_mtd_dev(int ubi_num, int anyway)
>   	if (ubi->ref_count) {
>   		if (!anyway) {
>   			spin_unlock(&ubi_devices_lock);
> +			put_device(&ubi->dev);
>   			return -EBUSY;
>   		}
>   		/* This may only happen if there is a bug */
> 

Re: [PATCH v1] mtd: ubi: fix kref leak on -EBUSY return in ubi_detach_mtd_dev()

[최유호]

Dear Zhihao,

Thank you for the review. I appreciate your feedback on this fix.

Best regards,
Yuho

On Wed, 15 Apr 2026 at 23:22, Zhihao Cheng <chengzhihao1@huawei.com> wrote:
>
> 在 2026/4/16 9:11, Yuho Choi 写道:
> > ubi_detach_mtd_dev() calls ubi_get_device() which increments both
> > ubi->ref_count and the device kref via get_device(). When the device
> > is busy and anyway==0, the function returns -EBUSY after releasing
> > ubi_devices_lock, but never calls put_device() to drop the kref
> > acquired by ubi_get_device(). This leaks the kref, preventing the
> > device from ever being freed.
> >
> > Commit 7e84c961b2eb ("mtd: ubi: introduce pre-removal notification
> > for UBI volumes") moved put_device() to after ubi->is_dead = true
> > to pair it with the notify+nullify sequence, but inadvertently left
> > the early -EBUSY return without a matching put_device().
> >
> > Add put_device(&ubi->dev) before returning -EBUSY to balance the
> > get_device() inside ubi_get_device().
> >
> > Fixes: 7e84c961b2eb ("mtd: ubi: introduce pre-removal notification for UBI volumes")
> > Signed-off-by: Yuho Choi <dbgh9129@gmail.com>
> > ---
> >   drivers/mtd/ubi/build.c | 1 +
> >   1 file changed, 1 insertion(+)
>
> Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
> >
> > diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c
> > index 674ad87809df0..d81f5e0395ac0 100644
> > --- a/drivers/mtd/ubi/build.c
> > +++ b/drivers/mtd/ubi/build.c
> > @@ -1106,6 +1106,7 @@ int ubi_detach_mtd_dev(int ubi_num, int anyway)
> >       if (ubi->ref_count) {
> >               if (!anyway) {
> >                       spin_unlock(&ubi_devices_lock);
> > +                     put_device(&ubi->dev);
> >                       return -EBUSY;
> >               }
> >               /* This may only happen if there is a bug */
> >
>