The issue happens in several error handling paths on two refcounted
object related to the object "host" (dma_chan_rx, dma_chan_tx). In
these paths, the function forgets to decrement one or both objects'
reference count increased earlier by dma_request_chan(), causing
reference count leaks.
Fix it by balancing the refcounts of both objects in some error
handling paths.
Signed-off-by: Xin Xiong <[email protected]>
Signed-off-by: Xiyu Yang <[email protected]>
Signed-off-by: Xin Tan <[email protected]>
---
drivers/mmc/host/moxart-mmc.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/drivers/mmc/host/moxart-mmc.c b/drivers/mmc/host/moxart-mmc.c
index 6c9d38132..f421be7ce 100644
--- a/drivers/mmc/host/moxart-mmc.c
+++ b/drivers/mmc/host/moxart-mmc.c
@@ -621,6 +621,14 @@ static int moxart_probe(struct platform_device *pdev)
ret = -EPROBE_DEFER;
goto out;
}
+ if (!IS_ERR(host->dma_chan_tx)) {
+ dma_release_channel(host->dma_chan_tx);
+ host->dma_chan_tx = NULL;
+ }
+ if (!IS_ERR(host->dma_chan_rx)) {
+ dma_release_channel(host->dma_chan_rx);
+ host->dma_chan_rx = NULL;
+ }
dev_dbg(dev, "PIO mode transfer enabled\n");
host->have_dma = false;
} else {
@@ -675,6 +683,10 @@ static int moxart_probe(struct platform_device *pdev)
return 0;
out:
+ if (!IS_ERR_OR_NULL(host->dma_chan_tx))
+ dma_release_channel(host->dma_chan_tx);
+ if (!IS_ERR_OR_NULL(host->dma_chan_rx))
+ dma_release_channel(host->dma_chan_rx);
if (mmc)
mmc_free_host(mmc);
return ret;
--
2.25.1
On Tue, 28 Sept 2021 at 04:15, Xin Xiong <[email protected]> wrote:
>
> The issue happens in several error handling paths on two refcounted
> object related to the object "host" (dma_chan_rx, dma_chan_tx). In
> these paths, the function forgets to decrement one or both objects'
> reference count increased earlier by dma_request_chan(), causing
> reference count leaks.
>
> Fix it by balancing the refcounts of both objects in some error
> handling paths.
>
> Signed-off-by: Xin Xiong <[email protected]>
> Signed-off-by: Xiyu Yang <[email protected]>
> Signed-off-by: Xin Tan <[email protected]>
> ---
> drivers/mmc/host/moxart-mmc.c | 12 ++++++++++++
> 1 file changed, 12 insertions(+)
>
> diff --git a/drivers/mmc/host/moxart-mmc.c b/drivers/mmc/host/moxart-mmc.c
> index 6c9d38132..f421be7ce 100644
> --- a/drivers/mmc/host/moxart-mmc.c
> +++ b/drivers/mmc/host/moxart-mmc.c
> @@ -621,6 +621,14 @@ static int moxart_probe(struct platform_device *pdev)
> ret = -EPROBE_DEFER;
> goto out;
> }
> + if (!IS_ERR(host->dma_chan_tx)) {
> + dma_release_channel(host->dma_chan_tx);
> + host->dma_chan_tx = NULL;
> + }
> + if (!IS_ERR(host->dma_chan_rx)) {
> + dma_release_channel(host->dma_chan_rx);
> + host->dma_chan_rx = NULL;
> + }
> dev_dbg(dev, "PIO mode transfer enabled\n");
> host->have_dma = false;
> } else {
> @@ -675,6 +683,10 @@ static int moxart_probe(struct platform_device *pdev)
> return 0;
>
> out:
> + if (!IS_ERR_OR_NULL(host->dma_chan_tx))
> + dma_release_channel(host->dma_chan_tx);
> + if (!IS_ERR_OR_NULL(host->dma_chan_rx))
> + dma_release_channel(host->dma_chan_rx);
> if (mmc)
> mmc_free_host(mmc);
> return ret;
This looks much better! However, it seems like we also need to deal
with the NULL case in moxart_remove(), similar to as above.
Kind regards
Uffe