[PATCH v1] mtd: ubi: fix kref leak on -EBUSY return in ubi_detach_mtd_dev()
최유호
dbgh9129 at gmail.com
Wed Apr 15 20:34:51 PDT 2026
Dear Zhihao,
Thank you for the review. I appreciate your feedback on this fix.
Best regards,
Yuho
On Wed, 15 Apr 2026 at 23:22, Zhihao Cheng <chengzhihao1 at huawei.com> wrote:
>
> 在 2026/4/16 9:11, Yuho Choi 写道:
> > ubi_detach_mtd_dev() calls ubi_get_device() which increments both
> > ubi->ref_count and the device kref via get_device(). When the device
> > is busy and anyway==0, the function returns -EBUSY after releasing
> > ubi_devices_lock, but never calls put_device() to drop the kref
> > acquired by ubi_get_device(). This leaks the kref, preventing the
> > device from ever being freed.
> >
> > Commit 7e84c961b2eb ("mtd: ubi: introduce pre-removal notification
> > for UBI volumes") moved put_device() to after ubi->is_dead = true
> > to pair it with the notify+nullify sequence, but inadvertently left
> > the early -EBUSY return without a matching put_device().
> >
> > Add put_device(&ubi->dev) before returning -EBUSY to balance the
> > get_device() inside ubi_get_device().
> >
> > Fixes: 7e84c961b2eb ("mtd: ubi: introduce pre-removal notification for UBI volumes")
> > Signed-off-by: Yuho Choi <dbgh9129 at gmail.com>
> > ---
> > drivers/mtd/ubi/build.c | 1 +
> > 1 file changed, 1 insertion(+)
>
> Reviewed-by: Zhihao Cheng <chengzhihao1 at huawei.com>
> >
> > diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c
> > index 674ad87809df0..d81f5e0395ac0 100644
> > --- a/drivers/mtd/ubi/build.c
> > +++ b/drivers/mtd/ubi/build.c
> > @@ -1106,6 +1106,7 @@ int ubi_detach_mtd_dev(int ubi_num, int anyway)
> > if (ubi->ref_count) {
> > if (!anyway) {
> > spin_unlock(&ubi_devices_lock);
> > + put_device(&ubi->dev);
> > return -EBUSY;
> > }
> > /* This may only happen if there is a bug */
> >
>
More information about the linux-mtd
mailing list