Commit d7d77b72 authored by Alexander Shishkin's avatar Alexander Shishkin Committed by Stefan Bader

stm class: Fix unbalanced module/device refcounting

BugLink: https://bugs.launchpad.net/bugs/1826212

[ Upstream commit f7c81c71 ]

STM code takes references to the stm device and its module for the
duration of the character device's existence or the stm_source link.
Dropping these references is not well balanced everywhere, which may
lead to leaks.

This patch balances the acquisition and releasing of these two
references and annotates each site so that it's easier to verify
correctness by reading the code.
Signed-off-by: default avatarAlexander Shishkin <alexander.shishkin@linux.intel.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
parent cc4ef5e3
...@@ -114,6 +114,7 @@ struct stm_device *stm_find_device(const char *buf) ...@@ -114,6 +114,7 @@ struct stm_device *stm_find_device(const char *buf)
stm = to_stm_device(dev); stm = to_stm_device(dev);
if (!try_module_get(stm->owner)) { if (!try_module_get(stm->owner)) {
/* matches class_find_device() above */
put_device(dev); put_device(dev);
return NULL; return NULL;
} }
...@@ -126,7 +127,7 @@ struct stm_device *stm_find_device(const char *buf) ...@@ -126,7 +127,7 @@ struct stm_device *stm_find_device(const char *buf)
* @stm: stm device, previously acquired by stm_find_device() * @stm: stm device, previously acquired by stm_find_device()
* *
* This drops the module reference and device reference taken by * This drops the module reference and device reference taken by
* stm_find_device(). * stm_find_device() or stm_char_open().
*/ */
void stm_put_device(struct stm_device *stm) void stm_put_device(struct stm_device *stm)
{ {
...@@ -369,6 +370,8 @@ static int stm_char_open(struct inode *inode, struct file *file) ...@@ -369,6 +370,8 @@ static int stm_char_open(struct inode *inode, struct file *file)
return nonseekable_open(inode, file); return nonseekable_open(inode, file);
err_free: err_free:
/* matches class_find_device() above */
put_device(dev);
kfree(stmf); kfree(stmf);
return err; return err;
...@@ -379,6 +382,11 @@ static int stm_char_release(struct inode *inode, struct file *file) ...@@ -379,6 +382,11 @@ static int stm_char_release(struct inode *inode, struct file *file)
struct stm_file *stmf = file->private_data; struct stm_file *stmf = file->private_data;
stm_output_free(stmf->stm, &stmf->output); stm_output_free(stmf->stm, &stmf->output);
/*
* matches the stm_char_open()'s
* class_find_device() + try_module_get()
*/
stm_put_device(stmf->stm); stm_put_device(stmf->stm);
kfree(stmf); kfree(stmf);
...@@ -540,10 +548,8 @@ static int stm_char_policy_set_ioctl(struct stm_file *stmf, void __user *arg) ...@@ -540,10 +548,8 @@ static int stm_char_policy_set_ioctl(struct stm_file *stmf, void __user *arg)
ret = stm->data->link(stm->data, stmf->output.master, ret = stm->data->link(stm->data, stmf->output.master,
stmf->output.channel); stmf->output.channel);
if (ret) { if (ret)
stm_output_free(stmf->stm, &stmf->output); stm_output_free(stmf->stm, &stmf->output);
stm_put_device(stmf->stm);
}
err_free: err_free:
kfree(id); kfree(id);
...@@ -680,6 +686,7 @@ int stm_register_device(struct device *parent, struct stm_data *stm_data, ...@@ -680,6 +686,7 @@ int stm_register_device(struct device *parent, struct stm_data *stm_data,
return 0; return 0;
err_device: err_device:
/* matches device_initialize() above */
put_device(&stm->dev); put_device(&stm->dev);
err_free: err_free:
vfree(stm); vfree(stm);
...@@ -792,7 +799,6 @@ static int stm_source_link_add(struct stm_source_device *src, ...@@ -792,7 +799,6 @@ static int stm_source_link_add(struct stm_source_device *src,
fail_free_output: fail_free_output:
stm_output_free(stm, &src->output); stm_output_free(stm, &src->output);
stm_put_device(stm);
fail_detach: fail_detach:
mutex_lock(&stm->link_mutex); mutex_lock(&stm->link_mutex);
...@@ -906,8 +912,10 @@ static ssize_t stm_source_link_store(struct device *dev, ...@@ -906,8 +912,10 @@ static ssize_t stm_source_link_store(struct device *dev,
return -EINVAL; return -EINVAL;
err = stm_source_link_add(src, link); err = stm_source_link_add(src, link);
if (err) if (err) {
/* matches the stm_find_device() above */
stm_put_device(link); stm_put_device(link);
}
return err ? : count; return err ? : count;
} }
......
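Review bot: The two sites where this commit removes a put, the `if (ret)` failure branch of stm_char_policy_set_ioctl() and the `fail_free_output:` label of stm_source_link_add(), are the only touched sites left without an ownership annotation, and they are where a later edit is most likely to reintroduce an extra `stm_put_device()`. In the ioctl the reference is dropped once in stm_char_release(), so a second put on the error path would release the device and module references while the open file still points at the stm device. I would add `/* stm reference is held by the open file; dropped in stm_char_release() */` above the `stm_output_free()` call there. At `fail_free_output:` I would add `/* the stm_find_device() reference is dropped by the caller on failure */`, which holds for stm_source_link_store() as shown in the last hunk. These function bodies and stm_char_open() start outside their hunks, so it is worth confirming that no exit between class_find_device() and `err_free:` in stm_char_open() returns without the new `put_device(dev)`.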