On Mon, Sep 22, 2025 at 04:45:12PM +0800, Ma Ke wrote:
> The fmh_gpib driver contains a device reference count leak in
> fmh_gpib_attach_impl() where driver_find_device() increases the
> reference count of the device by get_device() when matching but this
> reference is not properly decreased. Add put_device() in
> fmh_gpib_attach_impl() and add put_device() in fmh_gpib_detach(),
> which ensures that the reference count of the device is correctly
> managed.
>
> Found by code review.
>
> Cc: stable@vger.kernel.org
> Fixes: 8e4841a0888c ("staging: gpib: Add Frank Mori Hess FPGA PCI GPIB driver")
> Signed-off-by: Ma Ke <make24@iscas.ac.cn>
>
> Changes in v2:
> - modified the free operations as suggestions. Thanks for dan carpenter's instructions.

Actually, it turns out that this isn't the right approach. Sorry. This will introduce double frees.
The caller looks like this:

drivers/staging/gpib/common/iblib.c
int ibonline(struct gpib_board *board)
{
	int retval;

	if (board->online)
		return -EBUSY;
	if (!board->interface)
		return -ENODEV;
	retval = gpib_allocate_board(board);
	if (retval < 0)
		return retval;

	board->dev = NULL;
	board->local_ppoll_mode = 0;
	retval = board->interface->attach(board, &board->config);
	if (retval < 0) {
		board->interface->detach(board);

So if the attach() fails, we call ->detach() which works.

		return retval;
	}

It's weird because the fmh_gpib_pci_detach() function does have a put_device() in it:

	if (board->dev)
		pci_dev_put(to_pci_dev(board->dev));
		^^^^^^^^^^^

The detach functions are really similar...
regards, dan carpenter
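
Added example (not from the thread and not the driver's code): a user-space C model of the failure path discussed above, where the caller runs ->detach() after a failed ->attach(). All names and the placement of the put calls are assumptions for illustration; it compares no put at all, a put in both attach's error path and detach, and a single guarded put in detach.

```c
#include <stdio.h>
/* Constructed user-space model; every name here is hypothetical. */
struct toy_device { int refcount; };
struct toy_board {
	struct toy_device *dev;
	int attach_puts_on_error;	/* error path in attach drops the ref */
	int detach_puts;		/* detach drops the ref if dev is set */
};

/* Models attach: the lookup takes a reference, then a later step fails. */
static int toy_attach(struct toy_board *b, struct toy_device *d)
{
	d->refcount++;			/* lookup returned a referenced device */
	b->dev = d;
	if (b->attach_puts_on_error)
		d->refcount--;		/* b->dev still points at d */
	return -1;			/* simulated failure after the lookup */
}

static void toy_detach(struct toy_board *b)
{
	if (b->dev && b->detach_puts)
		b->dev->refcount--;
	b->dev = NULL;
}

/* Mirrors the caller quoted above: a failed attach is followed by detach. */
static int toy_ibonline(struct toy_board *b, struct toy_device *d)
{
	int retval = toy_attach(b, d);
	if (retval < 0)
		toy_detach(b);
	return retval;
}

/* Refcount left after one failed online; 1 (the owner's ref) is balanced. */
static int refcount_after_failed_online(int attach_puts, int detach_puts)
{
	struct toy_device d = { 1 };
	struct toy_board b = { NULL, attach_puts, detach_puts };
	toy_ibonline(&b, &d);
	return d.refcount;
}

int main(void)
{
	printf("leak=%d double_put=%d balanced=%d\n", refcount_after_failed_online(0, 0),
	       refcount_after_failed_online(1, 1), refcount_after_failed_online(0, 1));
	return 0;
}
```

A result of 2 means the lookup reference was never dropped, 0 means the owner's reference was consumed by a second put, and 1 means the failure path is balanced.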