s390/cio: Fix device lifecycle handling in css_alloc_subchannel()

salah-triki · Sasha Levin · commit fd295a75d828 · 2026-03-04T07:19:26.000-05:00
[ Upstream commit f65c75b ] `css_alloc_subchannel()` calls `device_initialize()` before setting up the DMA masks. If `dma_set_coherent_mask()` or `dma_set_mask()` fails, the error path frees the subchannel structure directly, bypassing the device model reference counting. Once `device_initialize()` has been called, the embedded struct device must be released via `put_device()`, allowing the release callback to free the container structure. Fix the error path by dropping the initial device reference with `put_device()` instead of calling `kfree()` directly. This ensures correct device lifetime handling and avoids potential use-after-free or double-free issues. Fixes: e5dcf00 ("s390/css: move subchannel lock allocation") Signed-off-by: Salah Triki <salah.triki@gmail.com> Reviewed-by: Vineeth Vijayan <vneethv@linux.ibm.com> Signed-off-by: Heiko Carstens <hca@linux.ibm.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
diff --git a/drivers/s390/cio/css.c b/drivers/s390/cio/css.c
@@ -247,7 +247,7 @@ struct subchannel *css_alloc_subchannel(struct subchannel_id schid,
 err_lock:
 	kfree(sch->lock);
 err:
-	kfree(sch);
+	put_device(&sch->dev);
 	return ERR_PTR(ret);
 }
 

Original file line number	Diff line number	Diff line change
`@@ -247,7 +247,7 @@ struct subchannel *css_alloc_subchannel(struct subchannel_id schid,`
`247`	`247`	`err_lock:`
`248`	`248`	`kfree(sch->lock);`
`249`	`249`	`err:`
`250`		`- kfree(sch);`
	`250`	`+ put_device(&sch->dev);`
`251`	`251`	`return ERR_PTR(ret);`
`252`	`252`	`}`
`253`	`253`