lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <aNDqzIXpHHKZRiju@kekkonen.localdomain>
Date: Mon, 22 Sep 2025 09:21:00 +0300
From: Sakari Ailus <sakari.ailus@...ux.intel.com>
To: Ma Ke <make24@...as.ac.cn>
Cc: bingbu.cao@...el.com, lixu.zhang@...el.com,
	stanislaw.gruszka@...ux.intel.com, mchehab@...nel.org,
	wentong.wu@...el.com, linux-media@...r.kernel.org,
	linux-kernel@...r.kernel.org, stable@...r.kernel.org
Subject: Re: [PATCH] media: pci: intel: ivsc: fix error handling in
 scan_one_device()

Hi Ma,

Thank you for the patch.

On Sat, Sep 20, 2025 at 09:42:52PM +0800, Ma Ke wrote:
> The mei_ace driver contains a device reference count leak in
> mei_ace_setup_dev_link() where device_find_child_by_name() increases
> the reference count of the found device but this reference is not
> properly decreased in the success path. Add put_device() in
> mei_ace_setup_dev_link() and delete put_device() in mei_ace_remove(),
> which ensures that the reference count of the device is correctly
> managed regardless of whether the probe is successful or fails.
> 
> Found by code review.
> 
> Cc: stable@...r.kernel.org
> Fixes: 78876f71b3e9 ("media: pci: intel: ivsc: Add ACE submodule")
> Signed-off-by: Ma Ke <make24@...as.ac.cn>
> ---
>  drivers/media/pci/intel/ivsc/mei_ace.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/media/pci/intel/ivsc/mei_ace.c b/drivers/media/pci/intel/ivsc/mei_ace.c
> index 98310b8511b1..261b30788118 100644
> --- a/drivers/media/pci/intel/ivsc/mei_ace.c
> +++ b/drivers/media/pci/intel/ivsc/mei_ace.c
> @@ -421,6 +421,7 @@ static int mei_ace_setup_dev_link(struct mei_ace *ace)
>  	}
>  
>  	ace->csi_dev = csi_dev;
> +	put_device(csi_dev);
>  
>  	return 0;
>  
> @@ -522,7 +523,6 @@ static void mei_ace_remove(struct mei_cl_device *cldev)
>  	cancel_work_sync(&ace->work);
>  
>  	device_link_del(ace->csi_link);
> -	put_device(ace->csi_dev);
>  
>  	pm_runtime_disable(&cldev->dev);
>  	pm_runtime_set_suspended(&cldev->dev);

Is this a bug?

device_link_add() will get both devices in success case so you could
unconditionally put the csi_dev right after calling device_link_add().

-- 
Regards,

Sakari Ailus

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ