From nobody Mon Jun 15 15:09:29 2026 Received: from mail-pl1-f173.google.com (mail-pl1-f173.google.com [209.85.214.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id CDA2954768 for ; Sat, 11 Apr 2026 12:21:35 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.173 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775910096; cv=none; b=okkFxgT7uUlFy3NJlbQ1J8uU51D9W2L2oxvWk0BW2EKRM9CbBcTaGoz4Pefhog0PyF0K2v/jeftzi8OA2aGs8ITr1Fn0MfnyuGa8egrchqSeuYDMSm6Qqw9k9lxTQ4Wo+8O+XvyJYCPfHmmFzZQKL5/OWyXi7f/6E/bMWw5oEA8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775910096; c=relaxed/simple; bh=dncHFYmx2lD4i3iuabbimop9yucPCZTFPtZn1GhKhDk=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=LSijfdilmg5y2SQbuDvfpxDI4WmDw9tL0w9B7Byy1kH5J/XEU11F45EPtlN3VHuzRx+qqZ/FQh3uzOxCVguGjd4KT4owFc4SgU84LVomqLOCjZCgClVmeg1yAzCslzQkDKv/vKBHyGzdvmc5TU/NUAN9gpeqODIl0FdeJxUh4io= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=OpY7rEit; arc=none smtp.client-ip=209.85.214.173 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="OpY7rEit" Received: by mail-pl1-f173.google.com with SMTP id d9443c01a7336-2b2503753efso24502505ad.0 for ; Sat, 11 Apr 2026 05:21:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1775910095; x=1776514895; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=iDhxS46WB9cNJon+ZSJd5o32lpx1Hn2DEDhx5qw0Ti8=; b=OpY7rEitu0d4P4Sc61G18lhUFoY544YoI4iGieCEeHFZbGTfYBPTz3ZYuvbf69lPn0 1KszIrTxk6WF30wYWWGj6fYpPcy72RKcrb2mfQYl1qdVSlmpPFFbKQeRJzvrNIymI6kR LNX95op9oDWffeXYfaxRtyInuPxgsFlCqla4Pded1oj3zU7Wfeve/lX+TaGGG3HxiqCA vp6hNkrGPfwy2TiVSLw4U9VAW2DZUZ/fPO7OFStSS96IHTRJXobQ7MLxjvKjeYajvU5Z XdH6nBzFomgGYCFzAs+EyG9gfHyAQ72FzJUF/La+jjaBEcZrhZJ3un6AAoABur88PG4t +eVQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1775910095; x=1776514895; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=iDhxS46WB9cNJon+ZSJd5o32lpx1Hn2DEDhx5qw0Ti8=; b=IHnm6Bki9lV/2gmWtDAPDt+31M8oN1lFcL6LMOK1ZGGzHZnuDnHbiaXDm+xPmw01fJ Dh3G/6VifXm8E9UIkG1JvtFOlHITTvjSzzU5nXS0bxxotOxckrmtjxSDj75a6AwaKqCw u35yoxBFQ9mdvN+bQE0KqLZSGQqbKPgHeDkhHjPdoh5L0iweyUktmsLvZ1Hn+S04HqCa FBR34xEYdPy3JLdh6076Mdad2aKhGbw/oKwE66NbFF0Kw4OKNnrr7xtyERRCbHyheLn4 UleN+QW2IHVFZpRzuoAxiehGPZv+VCtc/3FmjJvHAWMwDS3SfgEUH8/+d2NB6l45PwMa VEeg== X-Forwarded-Encrypted: i=1; AJvYcCU59D6TQKAVC4y56sUmhMdNZed8LDsYzUfhH+RQJ1Y4WIZB089VkoHxxwB5KCUrhTR9vbK2sEfxsskQrBY=@vger.kernel.org X-Gm-Message-State: AOJu0YzmWs4yMMRWbrWzlg1WtndO3SXHyRONvbykxXVoGvisFhpupiXE 0ARqxBF4kmKhmHPrGFQsWzIQSoRwT/uN14r3gDPSzI5WwRIk1DOoqif2 X-Gm-Gg: AeBDieuN6e2RZCpeZPPwYOI2MIWZfcFTHsGD6hN6wUNJ09tvZ7RT2S83POnggi2THH7 uWk39paQ/z2XbQYUeQ5G3x5g5kWJgmEJ/lsyW9Tj0/nBHk0kHxrvCf08l0mIg1voqYrOlcpGE7h MM/0ILfOppnR+oO10AidqLDALLPZ59pn1SUb5K5GESfEMzcAKrvsb5IY04gcB8+uupJcfLKErSR +w8VqYV9VIPVFSRcRZM+rKn5le82te4+ncyEJNeao6Zv5zghc9cBTfTxl2GtDdzLSY8PIhPA25M NlCLATVl4rYnRqFAjJ24YeIT79tvAEuYAz1HWI1Z9qXtZsYw2MtxMvWUPlD3nRjzcHVAkvRQVd0 rmTJBx1LfIf/y+5y8+7hQ6tZlMxgPkqvNbgHYdRrawR+DTDBORUO++02FR0SAAHCBo9VM1pER64 QsbYegKvCI2gQ50ns= X-Received: by 2002:a17:903:3b51:b0:2b2:42da:25cb with SMTP id d9443c01a7336-2b2d59aaa97mr50470925ad.19.1775910095243; Sat, 11 Apr 2026 05:21:35 -0700 (PDT) Received: from lgs.. ([199.182.234.55]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-2b2d4f0a393sm60736815ad.40.2026.04.11.05.21.31 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 11 Apr 2026 05:21:34 -0700 (PDT) From: Guangshuo Li To: Ioana Ciornei , "J. German Rivera" , Stuart Yoder , Alexander Graf , Greg Kroah-Hartman , linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org Cc: Guangshuo Li , stable@vger.kernel.org Subject: [PATCH] bus: fsl-mc: Fix refcount leak in fsl_mc_device_add() error path Date: Sat, 11 Apr 2026 20:21:18 +0800 Message-ID: <20260411122118.2196540-1-lgs201920130244@gmail.com> X-Mailer: git-send-email 2.43.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" After device_initialize(), the lifetime of the embedded struct device is expected to be managed through the device core reference counting. In fsl_mc_device_add(), all failures after device_initialize() jump to error_cleanup_dev, where mc_dev and its associated resources are freed directly instead of releasing the device reference with put_device(&mc_dev->dev). This bypasses the normal device lifetime rules and may leave the reference count of the embedded struct device unbalanced, resulting in a refcount leak and potentially leading to a use-after-free. Fix this by using put_device(&mc_dev->dev) in the error path and let fsl_mc_device_release() handle the final cleanup. Fixes: bbf9d17d9875 ("staging: fsl-mc: Freescale Management Complex (fsl-mc= ) bus driver") Cc: stable@vger.kernel.org Signed-off-by: Guangshuo Li --- drivers/bus/fsl-mc/fsl-mc-bus.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/drivers/bus/fsl-mc/fsl-mc-bus.c b/drivers/bus/fsl-mc/fsl-mc-bu= s.c index 25845c04e562..6d132144ce25 100644 --- a/drivers/bus/fsl-mc/fsl-mc-bus.c +++ b/drivers/bus/fsl-mc/fsl-mc-bus.c @@ -905,11 +905,7 @@ int fsl_mc_device_add(struct fsl_mc_obj_desc *obj_desc, return 0; =20 error_cleanup_dev: - kfree(mc_dev->regions); - if (mc_bus) - kfree(mc_bus); - else - kfree(mc_dev); + put_device(&mc_dev->dev); =20 return error; } --=20 2.43.0