From: Guangshuo Li
To: Dan Williams, Vishal Verma, Dave Jiang, Andrew Morton, nvdimm@lists.linux.dev, linux-cxl@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Guangshuo Li, stable@vger.kernel.org
Subject: [PATCH v2] device-dax: Fix refcount leak in __devm_create_dev_dax() error path
Date: Sun, 12 Apr 2026 15:00:10 +0800
Message-ID: <20260412070010.2402830-1-lgs201920130244@gmail.com>

After device_initialize(), the embedded struct device in dev_dax is expected to be released through the device core with put_device().

In __devm_create_dev_dax(), several failure paths after device_initialize() free dev_dax directly instead of dropping the device reference, which bypasses the normal device core lifetime handling and leaks the reference held on the embedded struct device.

Fix this by assigning dev->type before device_initialize(), so the release callback is available, use put_device() in the post-initialization error paths, and keep dev_dax range cleanup explicit since it is not handled by dev_dax_release().

Fixes: c2f3011ee697f ("device-dax: add an allocation interface for device-dax instances")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li --- v2: - clarify the commit message around the device reference leak - drop the unsupported use-after-free claim - set dev->type before device_initialize() so put_device() can use the release callback on post-init failures - simplify the post-initialization error paths to use explicit range cleanup plus put_device() drivers/dax/bus.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/drivers/dax/bus.c b/drivers/dax/bus.c index fde29e0ad68b..2d92674d0d6e 100644 --- a/drivers/dax/bus.c +++ b/drivers/dax/bus.c @@ -1453,6 +1453,7 @@ static struct dev_dax *__devm_create_dev_dax(struct d= ev_dax_data *data) } =20 dev =3D &dev_dax->dev; + dev->type =3D &dev_dax_type; device_initialize(dev); dev_set_name(dev, "dax%d.%d", dax_region->id, dev_dax->id); =20 @@ -1499,7 +1500,6 @@ static struct dev_dax *__devm_create_dev_dax(struct d= ev_dax_data *data) dev->devt =3D inode->i_rdev; dev->bus =3D &dax_bus_type; dev->parent =3D parent; - dev->type =3D &dev_dax_type; =20 rc =3D device_add(dev); if (rc) { @@ -1522,14 +1522,13 @@ static struct dev_dax *__devm_create_dev_dax(struct= dev_dax_data *data) return dev_dax; =20 err_alloc_dax: - kfree(dev_dax->pgmap); err_pgmap: free_dev_dax_ranges(dev_dax); err_range: - free_dev_dax_id(dev_dax); + put_device(dev); + return ERR_PTR(rc); err_id: kfree(dev_dax); - return ERR_PTR(rc); } =20 --=20 2.43.0
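Review bot: in the first hunk (@@ -1453), the new `dev->type = &dev_dax_type;` line carries an ordering requirement that only the commit message explains: it has to be set before any error path can call put_device(dev), otherwise the release callback is not available. A one-line comment above the assignment saying so would keep a later cleanup from moving it back down next to `dev->bus` and `dev->parent`, which is where the second hunk removes it from.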
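Review bot: in the last hunk (@@ -1522), the err_id path now ends at `kfree(dev_dax);` followed directly by the closing brace, because the trailing `return ERR_PTR(rc);` is deleted and the only remaining return sits under err_range. __devm_create_dev_dax() returns struct dev_dax *, so the failures that jump to err_id fall off the end of the function without a return value; keep `return ERR_PTR(rc);` after `kfree(dev_dax);`. Separately, the same hunk drops `kfree(dev_dax->pgmap)` and `free_dev_dax_id(dev_dax)` with no visible replacement, while the commit message only names the cleanup that dev_dax_release() does not handle. Please state there that the release callback covers both, so the removal can be checked against it.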