* [PATCH] maple: Fix refcount leak in maple_attach_driver() error path
From: Guangshuo Li @ 2026-03-23 13:55 UTC
To: Yoshinori Sato, Rich Felker, John Paul Adrian Glaubitz,
Guangshuo Li, Adrian McMenamin, Paul Mundt, linux-sh,
linux-kernel
Cc: stable
As device_register() calls device_initialize() before device_add(), the
failure path in maple_attach_driver() is reached after the embedded
struct device has already been initialized and its lifetime is expected
to be managed through the device core reference counting. However, that
path frees mdev and its associated resources directly via
maple_free_dev(), rather than releasing them through put_device() and
the normal release path. This may leave the reference count of the
embedded struct device unbalanced, resulting in a refcount leak and
potentially leading to a use-after-free.

A possible fix would be to use put_device() in the error path and let
maple_release_device() handle the final cleanup.

Fixes: b3c69e248176 ("maple: more robust device detection.")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
---
drivers/sh/maple/maple.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/sh/maple/maple.c b/drivers/sh/maple/maple.c
index 6dc0549f7900..20b7c2cd852b 100644
--- a/drivers/sh/maple/maple.c
+++ b/drivers/sh/maple/maple.c
@@ -393,7 +393,7 @@ static void maple_attach_driver(struct maple_device *mdev)
dev_warn(&mdev->dev, "could not register device at"
" (%d, %d), with error 0x%X\n", mdev->unit,
mdev->port, error);
- maple_free_dev(mdev);
+ put_device(&mdev->dev);
mdev = NULL;
return;
}
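Review bot: the `put_device(&mdev->dev)` line only frees anything if a release callback is already set on mdev->dev when device_register() is called, and it is a correct replacement for maple_free_dev() only if that callback frees the same resources. Neither is visible in this hunk. The commit message names maple_release_device() as the callback, so it should also say that it is assigned before registration and covers everything maple_free_dev() released; otherwise this change turns a direct free into a leak.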
--
2.43.0
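The lifetime rule the commit message relies on, as an added userspace model (not code from the patch or from the kernel): it counts the allocations left over when an error path frees the structure directly versus dropping the reference. All `model_*` names, `xalloc`/`xfree`, the core-owned name string and the forced registration failure are assumptions made for illustration.

```c
#include <stdlib.h>

/* Userspace model only: names mimic, but are not, the kernel's device core. */
static int live_allocs;                      /* outstanding allocations */
static void *xalloc(size_t n) { void *p = calloc(1, n); if (!p) abort(); live_allocs++; return p; }
static void xfree(void *p) { if (p) { live_allocs--; free(p); } }

struct model_device {
    int refcount;
    char *name;                              /* owned by the core, not the driver */
    void (*release)(struct model_device *);
};
struct model_mdev { struct model_device dev; void *mq; };

/* What the driver can free on its own: only the memory it allocated. */
static void model_free_dev(struct model_mdev *m) { xfree(m->mq); xfree(m); }

/* Release callback; the cast is valid because dev is the first member. */
static void model_release(struct model_device *d) { model_free_dev((struct model_mdev *)d); }

/* Drop one reference; the last put frees core state, then calls release(). */
static void model_put_device(struct model_device *d)
{
    if (--d->refcount == 0) {
        xfree(d->name);
        d->release(d);
    }
}

/* Like device_register(): initialize (refcount = 1), then the add step fails. */
static int model_device_register(struct model_device *d)
{
    d->refcount = 1;
    d->name = xalloc(8);                     /* constructed: state the core allocated */
    return -1;                               /* constructed failure after init */
}

/* Returns how many allocations are still live after the error path ran. */
static int run_error_path(int use_put)
{
    live_allocs = 0;
    struct model_mdev *m = xalloc(sizeof(*m));
    m->mq = xalloc(16);
    m->dev.release = model_release;
    if (model_device_register(&m->dev) != 0) {
        if (use_put)
            model_put_device(&m->dev);       /* patched error path */
        else
            model_free_dev(m);               /* direct free, as before the patch */
    }
    return live_allocs;
}

int main(void) { return !(run_error_path(0) == 1 && run_error_path(1) == 0); }
```

In the model, the direct free leaves the core-owned allocation behind, while the final put releases it and then runs the driver's release callback.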
* [PATCH] maple: Fix refcount leak in maple_attach_driver() error path
From: Guangshuo Li @ 2026-03-22 8:44 UTC
Cc: Guangshuo Li, stable
As device_register() calls device_initialize() before device_add(), the
failure path in maple_attach_driver() is reached after the embedded
struct device has already been initialized and its lifetime is expected
to be managed through the device core reference counting. However, that
path frees mdev and its associated resources directly via
maple_free_dev(), rather than releasing them through put_device() and
the normal release path. This may leave the reference count of the
embedded struct device unbalanced, resulting in a refcount leak and
potentially leading to a use-after-free.

A possible fix would be to use put_device() in the error path and let
maple_release_device() handle the final cleanup.

Fixes: b3c69e248176 ("maple: more robust device detection.")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
---
drivers/sh/maple/maple.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/sh/maple/maple.c b/drivers/sh/maple/maple.c
index 6dc0549f7900..20b7c2cd852b 100644
--- a/drivers/sh/maple/maple.c
+++ b/drivers/sh/maple/maple.c
@@ -393,7 +393,7 @@ static void maple_attach_driver(struct maple_device *mdev)
dev_warn(&mdev->dev, "could not register device at"
" (%d, %d), with error 0x%X\n", mdev->unit,
mdev->port, error);
- maple_free_dev(mdev);
+ put_device(&mdev->dev);
mdev = NULL;
return;
}
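Review bot: `mdev = NULL;` after the put_device() line is a dead store. mdev is a by-value parameter of a void function (see the @@ header), so the caller's pointer is unchanged and nothing tells the caller that the device was released. Either drop the assignment in this patch or have maple_attach_driver() return the error so callers can stop using the pointer once the reference is gone.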
--
2.43.0
* Re: [PATCH] maple: Fix refcount leak in maple_attach_driver() error path
From: Greg KH @ 2026-03-22 9:18 UTC
To: Guangshuo Li; +Cc: stable
On Sun, Mar 22, 2026 at 04:44:05PM +0800, Guangshuo Li wrote:
> As device_register() calls device_initialize() before device_add(), the
> failure path in maple_attach_driver() is reached after the embedded
> struct device has already been initialized and its lifetime is expected
> to be managed through the device core reference counting. However, that
> path frees mdev and its associated resources directly via
> maple_free_dev(), rather than releasing them through put_device() and
> the normal release path. This may leave the reference count of the
> embedded struct device unbalanced, resulting in a refcount leak and
> potentially leading to a use-after-free.
>
> A possible fix would be to use put_device() in the error path and let
> maple_release_device() handle the final cleanup.
>
> Fixes: b3c69e248176 ("maple: more robust device detection.")
> Cc: stable@vger.kernel.org
> Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
> ---
> drivers/sh/maple/maple.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/sh/maple/maple.c b/drivers/sh/maple/maple.c
> index 6dc0549f7900..20b7c2cd852b 100644
> --- a/drivers/sh/maple/maple.c
> +++ b/drivers/sh/maple/maple.c
> @@ -393,7 +393,7 @@ static void maple_attach_driver(struct maple_device *mdev)
> dev_warn(&mdev->dev, "could not register device at"
> " (%d, %d), with error 0x%X\n", mdev->unit,
> mdev->port, error);
> - maple_free_dev(mdev);
> + put_device(&mdev->dev);
> mdev = NULL;
> return;
> }
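Review bot: style point on the dev_warn() context lines: `error` is printed with `0x%X`, so if it holds the negative return value of device_register(), as the commit message implies, the log shows an unsigned hex number that is hard to map back to an errno. Consider `%d` in a follow-up. The call is correctly placed before put_device(), since mdev must not be dereferenced once the reference is dropped, and a one-line comment saying so would keep later edits from moving logging below it.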
> --
> 2.43.0
>
>
<formletter>
This is not the correct way to submit patches for inclusion in the
stable kernel tree. Please read:
https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
for how to do this properly.
</formletter>