s390/cio: Fix device lifecycle handling in css_alloc_subchannel()

salah-triki · hcahca · commit f65c75b0b9b5 · 2026-02-05T13:02:48.000+01:00
`css_alloc_subchannel()` calls `device_initialize()` before setting up the DMA masks. If `dma_set_coherent_mask()` or `dma_set_mask()` fails, the error path frees the subchannel structure directly, bypassing the device model reference counting. Once `device_initialize()` has been called, the embedded struct device must be released via `put_device()`, allowing the release callback to free the container structure. Fix the error path by dropping the initial device reference with `put_device()` instead of calling `kfree()` directly. This ensures correct device lifetime handling and avoids potential use-after-free or double-free issues. Fixes: e5dcf00 ("s390/css: move subchannel lock allocation") Signed-off-by: Salah Triki <salah.triki@gmail.com> Reviewed-by: Vineeth Vijayan <vneethv@linux.ibm.com> Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
diff --git a/drivers/s390/cio/css.c b/drivers/s390/cio/css.c
@@ -235,7 +235,7 @@ struct subchannel *css_alloc_subchannel(struct subchannel_id schid,
 	return sch;
 
 err:
-	kfree(sch);
+	put_device(&sch->dev);
 	return ERR_PTR(ret);
 }
 

Original file line number	Diff line number	Diff line change
`@@ -235,7 +235,7 @@ struct subchannel *css_alloc_subchannel(struct subchannel_id schid,`
`235`	`235`	`return sch;`
`236`	`236`
`237`	`237`	`err:`
`238`		`- kfree(sch);`
	`238`	`+ put_device(&sch->dev);`
`239`	`239`	`return ERR_PTR(ret);`
`240`	`240`	`}`
`241`	`241`