[v1] enclosure: Fix refcount leak in enclosure_register() error path

[PATCH] enclosure: Fix refcount leak in enclosure_register() error path

Guangshuo Li posted 1 patch 2 months ago

Diff against v2
Download mbox

There is a newer version of this series

drivers/misc/enclosure.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)

Expand all Fold all

[PATCH] enclosure: Fix refcount leak in enclosure_register() error path

Posted by Guangshuo Li 2 months ago

After device_register(), the lifetime of the embedded struct device is
expected to be managed through the device core reference counting.

In enclosure_register(), if device_register() fails, the error path
drops the parent device reference and frees edev directly instead of
releasing the device reference with put_device(&edev->edev). This
bypasses the normal device lifetime rules and may leave the reference
count of the embedded struct device unbalanced, resulting in a refcount
leak and potentially leading to a use-after-free.

Fix this by using put_device(&edev->edev) in the failure path and let
enclosure_release() handle the final cleanup.

Fixes: ee959b00c335 ("SCSI: convert struct class_device to struct device")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
---
 drivers/misc/enclosure.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/misc/enclosure.c b/drivers/misc/enclosure.c
index ca4c420e4a2f..9532ad8f8b4e 100644
--- a/drivers/misc/enclosure.c
+++ b/drivers/misc/enclosure.c
@@ -148,8 +148,7 @@ enclosure_register(struct device *dev, const char *name, int components,
 	return edev;
 
  err:
-	put_device(edev->edev.parent);
-	kfree(edev);
+	put_device(&edev->edev);
 	return ERR_PTR(err);
 }
 EXPORT_SYMBOL_GPL(enclosure_register);
-- 
2.43.0