s390/cio: Fix device lifecycle handling in css_alloc_subchannel()

[ Upstream commit f65c75b0b9b5a390bc3beadcde0a6fbc3ad118f7 ]

`css_alloc_subchannel()` calls `device_initialize()` before setting up
the DMA masks. If `dma_set_coherent_mask()` or `dma_set_mask()` fails,
the error path frees the subchannel structure directly, bypassing
the device model reference counting.

Once `device_initialize()` has been called, the embedded struct device
must be released via `put_device()`, allowing the release callback to
free the container structure.

Fix the error path by dropping the initial device reference with
`put_device()` instead of calling `kfree()` directly.

This ensures correct device lifetime handling and avoids potential
use-after-free or double-free issues.

Fixes: e5dcf0025d ("s390/css: move subchannel lock allocation")
Signed-off-by: Salah Triki <salah.triki@gmail.com>
Reviewed-by: Vineeth Vijayan <vneethv@linux.ibm.com>
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

This commit is contained in:

Salah Triki

2026-01-30 21:47:59 +01:00

committed by

Greg Kroah-Hartman

parent af5b0854fb

commit 6715560527

1 changed files with 1 additions and 1 deletions

									
										2

drivers/s390/cio/css.c

										View File
									
				@ -236,7 +236,7 @@ struct subchannel *css_alloc_subchannel(struct subchannel_id schid,

					return sch;

				err:

					kfree(sch);

					put_device(&sch->dev);

					return ERR_PTR(ret);

				}

s390/cio: Fix device lifecycle handling in css_alloc_subchannel()

2 drivers/s390/cio/css.c Unescape Escape View File

2

drivers/s390/cio/css.c

View File