From: Guangshuo Li
To: Eddie James, Ninad Palsule, Benjamin Herrenschmidt, linux-fsi@lists.ozlabs.org, linux-kernel@vger.kernel.org
Cc: Guangshuo Li, stable@vger.kernel.org
Subject: [PATCH v2] fsi: Fix refcount leak in slave init error path
Date: Mon, 13 Apr 2026 19:52:15 +0800
Message-ID: <20260413115215.2772502-1-lgs201920130244@gmail.com>

After device_initialize(), the lifetime of slave is expected to be
managed through the device core reference counting.

In the cdev_device_add() failure path, slave and its associated
resources are freed directly, rather than releasing the device
reference with put_device(). This may leave the reference count of the
embedded struct device unbalanced, resulting in a refcount leak and
potentially leading to a use-after-free.

The issue was identified by a static analysis tool I developed and
confirmed by manual review.

A possible fix would be to use put_device() in the failure path and let
fsi_slave_release() handle the final cleanup.

Fixes: d1dcd6782576 ("fsi: Add cfam char devices")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li
---
v2:
 - note that the issue was identified by my static analysis tool
 - and confirmed by manual review

 drivers/fsi/fsi-core.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/fsi/fsi-core.c b/drivers/fsi/fsi-core.c index c6c115993ebc..f447dd53db62 100644
--- a/drivers/fsi/fsi-core.c +++ b/drivers/fsi/fsi-core.c @@ -1084,7 +1084,7 @@ static int fsi_slave_init(struct fsi_master *master, = int link, uint8_t id) rc =3D cdev_device_add(&slave->cdev, &slave->dev); if (rc) { dev_err(&slave->dev, "Error %d creating slave device\n", rc); - goto err_free_ida; + goto err_put_dev; } =20 /* Now that we have the cdev registered with the core, any fatal @@ -1110,8 +1110,9 @@ static int fsi_slave_init(struct fsi_master *master, = int link, uint8_t id) =20 return 0; =20 -err_free_ida: - fsi_free_minor(slave->dev.devt); +err_put_dev: + put_device(&slave->dev); + return rc; err_free: of_node_put(slave->dev.of_node); kfree(slave); --=20 2.43.0
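
Review bot: at the goto err_put_dev in the first hunk (the cdev_device_add() failure branch), the release callback will now run for a device whose cdev was never successfully added, so it should be confirmed that fsi_slave_release() is safe in that state and does not assume a completed cdev_device_add(). fsi_slave_release() is not part of this diff; a sentence in the commit message saying it was checked for this partially initialised case would let reviewers verify the claim that it can "handle the final cleanup".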
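
Review bot: the new err_put_dev label in the second hunk drops the explicit fsi_free_minor(slave->dev.devt) and, because of the added return rc, no longer falls through to of_node_put(slave->dev.of_node) and kfree(slave) under err_free, so this path now depends entirely on fsi_slave_release() to release the minor, the of_node reference and the slave allocation. Please state in the commit message what fsi_slave_release() frees, so it can be checked that nothing leaks and nothing is freed twice. The retained err_free label still calls kfree(slave) directly; by the reasoning in the commit message, any goto err_free that can be reached after device_initialize() needs the same put_device() treatment, and it would help to say whether such a path exists.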