[PATCH v2 RESEND] coresight: etm-perf: Fix reference count leak in etm_setup_aux
Ma Ke
make24 at iscas.ac.cn
Thu Dec 18 18:39:49 PST 2025
On 12/15/2025 10:09 AM, Jie Gan wrote:
> On 12/15/2025 5:51 PM, Leo Yan wrote:
>> On Mon, Dec 15, 2025 at 11:02:08AM +0200, James Clark wrote:
>>>
>>>
>>> On 15/12/2025 04:27, Ma Ke wrote:
>>>> In etm_setup_aux(), when a user sink is obtained via
>>>> coresight_get_sink_by_id(), it increments the reference count of the
>>>> sink device. However, if the sink is used in path building, the path
>>>> holds a reference, but the initial reference from
>>>> coresight_get_sink_by_id() is not released, causing a reference count
>>>> leak. We should release the initial reference after the path is built.
>>>>
>>>> Found by code review.
>>>>
>>>> Cc: stable at vger.kernel.org
>>>> Fixes: 0e6c20517596 ("coresight: etm-perf: Allow an event to use different sinks")
>>>> Signed-off-by: Ma Ke <make24 at iscas.ac.cn>
>>>> ---
>>>> Changes in v2:
>>>> - modified the patch as suggested.
>>>
>>> I think Leo's comment on the previous v2 is still unaddressed. But releasing
>>> it in coresight_get_sink_by_id() would make it consistent with
>>> coresight_find_csdev_by_fwnode() and prevent further mistakes.
>>
>> The point is the coresight core layer uses coresight_grab_device() to
>> increase the device's refcnt. This is why we don't need to grab a
>> device when setting up AUX.
>
> That makes sense. We don't need to hold the refcnt for a while and it
> should be released immediately after locating the required device.
>
> Thanks,
> Jie
>>
>>> It also leads me to see that users of coresight_find_device_by_fwnode()
>>> should also release it, but only one out of two appears to.
>>
>> Good finding!
>>
>> Thanks,
>> Leo
>>
Hi all,

Thank you for the insightful discussion. I've carefully read the
feedback from Leo, James, and Jie, and now have a clear understanding
of the reference count management.

The core issue: coresight_get_sink_by_id() internally calls
bus_find_device(), which increases reference count via get_device().

From the discussion, I note two possible fix directions:

1. Release the initial reference in etm_setup_aux() (current v2 patch)
2. Modify the behavior of coresight_get_sink_by_id() itself so it
   doesn't increase the reference count.

Leo mentioned referencing how acpi_dev_present() does it, and James
also pointed out that APIs should be consistent. I think it makes
sense that following the principle like "lookup doesn't hold a
reference" could prevent similar leaks in the future.

To ensure the correctness of the v3 patch, I'd like to confirm which
patch is preferred. If option 2 is the consensus, I'm happy to modify
the implementation of coresight_get_sink_by_id() as suggested.

Looking forward to your further guidance.

Thanks!
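
The reference flow discussed in this thread, modelled in userspace C as an added example (not part of the original message, the patch, or the kernel source; the struct, function and enum names are hypothetical stand-ins). It compares the unfixed flow with the two fix directions listed above by measuring the net refcount change of one setup/teardown cycle.

```c
/* Userspace model only: hypothetical names, not the kernel's coresight code. */
#include <stddef.h>

struct dev { int id; int refs; };

/* Constructed sample bus; refs = 1 stands for the registration reference. */
static struct dev bus[] = { { 0x10, 1 }, { 0x20, 1 } };
#define NDEV (sizeof(bus) / sizeof(bus[0]))

static void dev_get(struct dev *d) { d->refs++; }
static void dev_put(struct dev *d) { d->refs--; }

/* Lookup that returns the match with an extra reference held,
 * as the thread describes for bus_find_device(). */
static struct dev *find_sink_ref(int id)
{
    for (size_t i = 0; i < NDEV; i++)
        if (bus[i].id == id) {
            dev_get(&bus[i]);
            return &bus[i];
        }
    return NULL;
}

/* Path build/release hold their own reference for the path's lifetime. */
static void path_build(struct dev *sink)   { dev_get(sink); }
static void path_release(struct dev *sink) { dev_put(sink); }

enum variant { LEAKY, PUT_IN_CALLER, LOOKUP_NO_REF };

/* One setup/teardown cycle; returns the net refcount change (0 = balanced). */
static int cycle_delta(enum variant v, int id)
{
    struct dev *sink = find_sink_ref(id);
    if (!sink)
        return 0;
    int before = sink->refs - 1;   /* count as it was before the lookup */
    if (v == LOOKUP_NO_REF)
        dev_put(sink);             /* option 2: the lookup drops its reference */
    path_build(sink);
    if (v == PUT_IN_CALLER)
        dev_put(sink);             /* option 1: caller drops it after path build */
    path_release(sink);
    return sink->refs - before;
}
```

In this model the unfixed variant leaves one extra reference per cycle, so the count grows with every call, while both fix directions return the count to its starting value.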