staging: comedi: Fix comedi_device refcnt leak in comedi_open

sherlly · gregkh · commit 332e0e17ad49 · 2020-04-23T13:45:24.000+02:00
comedi_open() invokes comedi_dev_get_from_minor(), which returns a reference of the COMEDI device to "dev" with increased refcount. When comedi_open() returns, "dev" becomes invalid, so the refcount should be decreased to keep refcount balanced. The reference counting issue happens in one exception handling path of comedi_open(). When "cfp" allocation is failed, the refcnt increased by comedi_dev_get_from_minor() is not decreased, causing a refcnt leak. Fix this issue by calling comedi_dev_put() on this error path when "cfp" allocation is failed. Fixes: 20f083c ("staging: comedi: prepare support for per-file read and write subdevices") Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn> Cc: stable <stable@vger.kernel.org> Signed-off-by: Xin Tan <tanxin.ctf@gmail.com> Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Link: https://lore.kernel.org/r/1587361459-83622-1-git-send-email-xiyuyang19@fudan.edu.cn Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c
@@ -2725,8 +2725,10 @@ static int comedi_open(struct inode *inode, struct file *file)
 	}
 
 	cfp = kzalloc(sizeof(*cfp), GFP_KERNEL);
-	if (!cfp)
+	if (!cfp) {
+		comedi_dev_put(dev);
 		return -ENOMEM;
+	}
 
 	cfp->dev = dev;
 

Original file line number	Diff line number	Diff line change
`@@ -2725,8 +2725,10 @@ static int comedi_open(struct inode inode, struct file file)`
`2725`	`2725`	`}`
`2726`	`2726`
`2727`	`2727`	`cfp = kzalloc(sizeof(*cfp), GFP_KERNEL);`
`2728`		`- if (!cfp)`
	`2728`	`+ if (!cfp) {`
	`2729`	`+ comedi_dev_put(dev);`
`2729`	`2730`	`return -ENOMEM;`
	`2731`	`+ }`
`2730`	`2732`
`2731`	`2733`	`cfp->dev = dev;`
`2732`	`2734`