From nobody Sat Jun 20 18:40:35 2026 Received: from mail-pf1-f182.google.com (mail-pf1-f182.google.com [209.85.210.182]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 283D03A873D for ; Sat, 11 Apr 2026 15:59:49 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.182 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775923191; cv=none; b=cEbB3WUQRw9X3UhfH5Aj7sGKARgZk8ZmOiM1X9cWqQSe8RuojYtd7+BeHMXUWA6aQ5jRr6iuQdPc7I8nfto4YmIILei9Cax+kKveOI1KMM0sEWhxjMIVaq2fHsulafYU3n7Lj4VoT7JXdcOXhaWNdNk7V+KIh8YknDu/RaZ+1/k= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775923191; c=relaxed/simple; bh=2KuqzLq2TTMM7/M26PrKOuxml9mVo/X+sBMTMo+n/ss=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=EGHCXNNnd4N2HroWC3uOiFONW92ucVjCyWsjM2thQMcKSjQj7r6lqwlXkZa3+li6ZpK7klUjflD7/xTP3aLqAYBoDXSgU/afcuPUrR8uTWzB19VbRAjdi5P2l/WjB6v2V/UmSB1O7j+fEl+H2xdGxN4zOI+LXRWkcjjkqdHcwOs= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=kdx8Dk7f; arc=none smtp.client-ip=209.85.210.182 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="kdx8Dk7f" Received: by mail-pf1-f182.google.com with SMTP id d2e1a72fcca58-82cdb4ab547so1531320b3a.2 for ; Sat, 11 Apr 2026 08:59:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1775923189; x=1776527989; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=/oUmcpWT9pX8ZG0MeVbZtVLCnJJW8fXpeclOgK9M9OY=; b=kdx8Dk7fwqM70jy7Z2Io+uCnYeCL1MlyxqePS7ftruugosq5YDD3O1ItCX4XtfiV3S XRyyLTe+scGaOrNhKNCqDlDGpuXetwulzDGFjC6ul6epesDz2VlMb553MPQPdQ/CFVGz pR4x+oDo6s7FnIRgQa/CJFSmgJUtTAG3bD9F86SR62Xi+NAOCCXj5r0PMIhguNOkwcjG bmKuncLs4cZlfHbRIvmtU1wNkp7TIBkdj0MFYRMdxAT9Ulb7ZZfcsdC5vZIl1MRRuonb ACXnHCznnqK9+x4eVx1nhhp8Zoih4acUQdZY4Zb9TSWHWxVz8zCQm4j8TX1R13TGAf8s 1TUw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1775923189; x=1776527989; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=/oUmcpWT9pX8ZG0MeVbZtVLCnJJW8fXpeclOgK9M9OY=; b=LN0flkoNWJw6oWVgj4OLnFhL2c+77gJWk6J2eoCaAOWuiE9qmmYbARtGIhF7fhN6Tn 2XDR2Vb3VBq0Dy+bS+aSYc4u1t56c0XJ06cqARK0FBG6Xs8/BrfbjJQHhx9sMm9k5Hsx TJi3Yhj2kzcsudFY3nfGbDKq6KL9vWJQgAW9+Fy289AlG056y+IRYVsby0DMSnGKuQa0 lLsiKhKRpkkKolADEWJ/V4oalHXfaqtSmEW2vg2QZO8b7rZmumdgwLAatilClJ2NpWO5 ghXJGY2JBEfQqrqcQ5XBlfCsfouccR7oF5ylqt1hOd70XvNIPw81LPxZvLX/g95SueAO O4Tw== X-Forwarded-Encrypted: i=1; AJvYcCVdGswsWJshjQmZ2yUIJuuLgbGAQS4ld8BYmNH90IFLQ22BPEpk8ukBE+QIoqDjRQLE+2a/0CTRhivg3MY=@vger.kernel.org X-Gm-Message-State: AOJu0Yx2ss8cFIgVz9CDiExgXx28qmY+8MqrzbKmj2EDfd0MyhurPpeX 9hUFDmTR1udlBPZ83KiOIpEw/FkU30Jix0qV9//hLFxwUlk3tH5kYaHO X-Gm-Gg: AeBDietzxTVUbcomH6BfNWyVf50QX7iUZBhwKF3gNRQOwqE4W+Iz/bvV/RH3tk4dT5+ a40ALKDkE45cpP7QNoL6DHVa2PQ+mfPVGRggjmkxSqv2YHYQ9qg3jJaOzptoXbLIBiuLiTSmg5U WCwPRaQx2pedLlasJiU8F8L5hlpXvDaapUgbz7sQvEKMtTeck80AFWAgHih5GU2NRAOfu4lNyG4 Qsde6MpCCVPucwZ+A4bKS1dIhOo4nqe07y5AKVsdR6wdm8MuamZPNdRtyxNksgn4qFkVcoCnB09 A15HQOyWQLmwJgmkmuxX6eC5SdM291qnGcHq5VzAQPcqrLWoEJIu6X+zlNyH3i7n9nqK18J9zzP cvWkJJUHJMFI7+GjwuUHgqwKl9m7u+g4dT2RnJWkX54WPpCqWpD3BoeEdxjQwPNRbck6TS42h8O u9vWZ2jQ/pvONp3Q== X-Received: by 2002:a05:6a00:3987:b0:82c:249d:d84f with SMTP id d2e1a72fcca58-82f0c38a1demr8020722b3a.37.1775923189476; Sat, 11 Apr 2026 08:59:49 -0700 (PDT) Received: from lgs.. ([101.32.189.54]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-82f0c4df7f5sm8009079b3a.43.2026.04.11.08.59.47 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 11 Apr 2026 08:59:49 -0700 (PDT) From: Guangshuo Li To: Vinod Koul , Dave Jiang , dmaengine@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Guangshuo Li , stable@vger.kernel.org Subject: [PATCH] dmaengine: Fix refcount leak in channel register error path Date: Sat, 11 Apr 2026 23:59:38 +0800 Message-ID: <20260411155938.2350613-1-lgs201920130244@gmail.com> X-Mailer: git-send-email 2.43.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" After device_register(), the lifetime of the embedded struct device is expected to be managed through the device core reference counting. In __dma_async_device_channel_register(), if device_register() fails, the error path frees chan->dev directly instead of releasing the device reference with put_device(). This bypasses the normal device lifetime rules and may leave the reference count of the embedded struct device unbalanced, resulting in a refcount leak and potentially leading to a use-after-free. Fix this by using put_device() in the device_register() failure path and let chan_dev_release() handle the final cleanup. Fixes: d2fb0a043838 ("dmaengine: break out channel registration") Cc: stable@vger.kernel.org Signed-off-by: Guangshuo Li --- drivers/dma/dmaengine.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/dma/dmaengine.c b/drivers/dma/dmaengine.c index ca13cd39330b..6bb1212ae0e1 100644 --- a/drivers/dma/dmaengine.c +++ b/drivers/dma/dmaengine.c @@ -1111,8 +1111,12 @@ static int __dma_async_device_channel_register(struc= t dma_device *device, =20 err_out_ida: ida_free(&device->chan_ida, chan->chan_id); + put_device(&chan->dev->device); + chan->dev =3D NULL; + goto err_free_local; err_free_dev: kfree(chan->dev); + chan->dev =3D NULL; err_free_local: free_percpu(chan->local); chan->local =3D NULL; --=20 2.43.0