[PATCH v1] mtd: ubi: fix kref leak on -EBUSY return in ubi_detach_mtd_dev()
Zhihao Cheng
chengzhihao1 at huawei.com
Wed Apr 15 20:22:49 PDT 2026
在 2026/4/16 9:11, Yuho Choi 写道:
> ubi_detach_mtd_dev() calls ubi_get_device() which increments both
> ubi->ref_count and the device kref via get_device(). When the device
> is busy and anyway==0, the function returns -EBUSY after releasing
> ubi_devices_lock, but never calls put_device() to drop the kref
> acquired by ubi_get_device(). This leaks the kref, preventing the
> device from ever being freed.
>
> Commit 7e84c961b2eb ("mtd: ubi: introduce pre-removal notification
> for UBI volumes") moved put_device() to after ubi->is_dead = true
> to pair it with the notify+nullify sequence, but inadvertently left
> the early -EBUSY return without a matching put_device().
>
> Add put_device(&ubi->dev) before returning -EBUSY to balance the
> get_device() inside ubi_get_device().
>
> Fixes: 7e84c961b2eb ("mtd: ubi: introduce pre-removal notification for UBI volumes")
> Signed-off-by: Yuho Choi <dbgh9129 at gmail.com>
> ---
> drivers/mtd/ubi/build.c | 1 +
> 1 file changed, 1 insertion(+)
Reviewed-by: Zhihao Cheng <chengzhihao1 at huawei.com>
>
> diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c
> index 674ad87809df0..d81f5e0395ac0 100644
> --- a/drivers/mtd/ubi/build.c
> +++ b/drivers/mtd/ubi/build.c
> @@ -1106,6 +1106,7 @@ int ubi_detach_mtd_dev(int ubi_num, int anyway)
> if (ubi->ref_count) {
> if (!anyway) {
> spin_unlock(&ubi_devices_lock);
> + put_device(&ubi->dev);
> return -EBUSY;
> }
> /* This may only happen if there is a bug */
>
More information about the linux-mtd
mailing list