nfc_genl_dump_targets() increments the device reference count via nfc_get_device() but fails to decrement it properly. nfc_get_device() calls class_find_device() which internally calls get_device() to increment the reference count. No corresponding put_device() is made to decrement the reference count.
Add proper reference count decrementing using nfc_put_device() when the dump operation completes or encounters an error, ensuring balanced reference counting.
Found by code review.
Cc: stable@vger.kernel.org
Fixes: 4d12b8b129f1 ("NFC: add nfc generic netlink interface")
Signed-off-by: Ma Ke make24@iscas.ac.cn
---
 net/nfc/netlink.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/net/nfc/netlink.c b/net/nfc/netlink.c index a18e2c503da6..9ae138ee91dd 100644 --- a/net/nfc/netlink.c +++ b/net/nfc/netlink.c @@ -159,6 +159,11 @@ static int nfc_genl_dump_targets(struct sk_buff *skb,
cb->args[0] = i;
+ if (rc < 0 || i >= dev->n_targets) { + nfc_put_device(dev); + cb->args[1] = 0; + } + return skb->len; }
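Review bot: the nfc_put_device(dev) added in the new if block before `return skb->len;` is not balanced against where the reference is taken. Clearing cb->args[1] right after the put shows that the device pointer is cached in the netlink callback state across successive dump calls, so the get happens only on the call that first looks the device up, whereas this put fires on every call in which `rc < 0 || i >= dev->n_targets` holds; together with the put that the thread says already lives in the dump's done() callback, that is a double put, which drops the refcount below the number of actual holders. Suggest dropping this hunk, or, if an error path really does leak, releasing the reference only in the same call that acquired it and leaving the cb->args[1] reference to done(). The changelog should also state how the change was tested.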
On 21/11/2025 03:27, Ma Ke wrote:
nfc_genl_dump_targets() increments the device reference count via
Only in some cases, but you drop it unconditionally.
nfc_get_device() but fails to decrement it properly. nfc_get_device() calls class_find_device() which internally calls get_device() to increment the reference count. No corresponding put_device() is made to decrement the reference count.
Add proper reference count decrementing using nfc_put_device() when the dump operation completes or encounters an error, ensuring balanced reference counting.
Found by code review.
Drop, there is no point nor need to say that humans did the work. This actually rather suggests you used LLM and disguised your finding as "code review".
No, LLM is not code review.
Cc: stable@vger.kernel.org
Fixes: 4d12b8b129f1 ("NFC: add nfc generic netlink interface")
Signed-off-by: Ma Ke make24@iscas.ac.cn
 net/nfc/netlink.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/net/nfc/netlink.c b/net/nfc/netlink.c index a18e2c503da6..9ae138ee91dd 100644 --- a/net/nfc/netlink.c +++ b/net/nfc/netlink.c @@ -159,6 +159,11 @@ static int nfc_genl_dump_targets(struct sk_buff *skb, cb->args[0] = i;
- if (rc < 0 || i >= dev->n_targets) {
nfc_put_device(dev);cb->args[1] = 0;
Did you test it?
Best regards, Krzysztof
On 24/11/2025 09:24, Krzysztof Kozlowski wrote:
On 21/11/2025 03:27, Ma Ke wrote:
nfc_genl_dump_targets() increments the device reference count via
Only in some cases, but you drop it unconditionally.
nfc_get_device() but fails to decrement it properly. nfc_get_device() calls class_find_device() which internally calls get_device() to increment the reference count. No corresponding put_device() is made to decrement the reference count.
Add proper reference count decrementing using nfc_put_device() when the dump operation completes or encounters an error, ensuring balanced reference counting.
Found by code review.
Drop, there is no point nor need to say that humans did the work. This actually rather suggests you used LLM and disguised your finding as "code review".
No, LLM is not code review.
Looks like LLM.
Cc: stable@vger.kernel.org
Fixes: 4d12b8b129f1 ("NFC: add nfc generic netlink interface")
Signed-off-by: Ma Ke make24@iscas.ac.cn
 net/nfc/netlink.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/net/nfc/netlink.c b/net/nfc/netlink.c index a18e2c503da6..9ae138ee91dd 100644 --- a/net/nfc/netlink.c +++ b/net/nfc/netlink.c @@ -159,6 +159,11 @@ static int nfc_genl_dump_targets(struct sk_buff *skb, cb->args[0] = i;
- if (rc < 0 || i >= dev->n_targets) {
nfc_put_device(dev);cb->args[1] = 0;
Did you test it?
I am pretty sure this is double put and thus bug. There is put in done().
Best regards, Krzysztof