From nobody Fri Jun 12 14:18:39 2026 Received: from mail-pg1-f170.google.com (mail-pg1-f170.google.com [209.85.215.170]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 91827366569 for ; Mon, 13 Apr 2026 11:54:29 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.215.170 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776081270; cv=none; b=iupuHZJPEm9mW2DW2D8xLo68h2BMDOjlXZtrHmxsTYi7t7QO2xb1zYAvkatMBUR4RzWOJM+lj/juL5QBEsysk81dpAUItGIaR6ird3fBargnu8LRcj/DLZ4U3ks4zW3Vi0JyNXL9gKUIzsAzDb5rZTFnOUbU9o/yTbhAm9FDjPo= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776081270; c=relaxed/simple; bh=DpIntkKN3iEhgCt9UIkBGF4XZ4jGPxiV3R2ublbIpVA=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=mRh9CoXjjDQl4bjGPA5dK53kJ+b7p78vzt+sKKh596vU+0L/sFDSGSvY29ZRr+BYIIDTmpa7e3XJeVDumL9mmCgdw5rqkOQcAnSM19MSRvxyQtRsNBnZWM6FPUrthpF1iT/1WhY6ri5yGRcAvM7V3qatvtNHuaZOTPmuATXvRA8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=HzlIKv1J; arc=none smtp.client-ip=209.85.215.170 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="HzlIKv1J" Received: by mail-pg1-f170.google.com with SMTP id 41be03b00d2f7-b6ce6d1d3dcso1504991a12.3 for ; Mon, 13 Apr 2026 04:54:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1776081269; x=1776686069; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=Kbf6f/mBggx7CBkqLB4oD03Dp2SeRdAQ/IF7C0fyt8o=; b=HzlIKv1JoAOpWUuWPf+XLcFzylORAsmEMu/fnvpQ641CWo3f7NM7UK9cY9i/xe/V1T VbGcCq5tvok6A1AeiES6Z6KI2lcJBxEOuB6fdObr3ZA8vKB16Gh7Nxl1Q2qxbIRloISL qx1eM3aVRbIzgPgAL9To/D8SoqLl6ULpwGELV4LUh2MeNtLKRcTVhXKqIcLNUSck8g8V Z4XDT3nxVNeW7hJkYjttCldKvtn7wPn09N8qPslJCWtr4Dv30ZmXU+kvYcv6BuWyeMwy pfkXDojDCy/J+CHN8ndnDBqc4Dk/qUwq5nQKoLGcmzTDcJv9NiikwPUU2BV1XMiDf7Nc NKgg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776081269; x=1776686069; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=Kbf6f/mBggx7CBkqLB4oD03Dp2SeRdAQ/IF7C0fyt8o=; b=d7NbUPaLcd2rBwoN7uBlmqE8lB+iPCwVTP/Rt6G35wGChMtFkq4d+vuDY9CMrjeXCh /+L7F5SsdPOHAokt7geL/iz+wb78O83E6io+eZ3RKFxux1B5wNDE5VitjSez+RgCCdwq B4UJo7d0dJWUShhvRUgTU9rJZRgjKMy1NL8EiWmIQhNT96jV3N5/f3tE2x0Y1DDRQ1IG Jvtpho3oN7mKW+uNF4ldPKqfIScHb6n759DVv9F/rkW/K2PWU8etKjareO0qnevz2/wK mkWmnHMCD7wg86VuZvQ1LriBThoWUmzgAMpsbPLk5pDwgpuuDLKKUDbEYZV33c95QzJF 8ATQ== X-Forwarded-Encrypted: i=1; AFNElJ/5jXRmb9YlTYA5IL5TxsDRcS1QImbKz1fJ7bIuqIxiBCRL7s/q47wOMVCQJ2lWzKVhTDh4SSKMF+/QcHo=@vger.kernel.org X-Gm-Message-State: AOJu0Yz1f8qJpTd8PHsjXuPSb25daL835dVNtwmqKgz27FYSkvIdJaA0 3LiSCNQbbqFUTab/E24wLKr3mU6tHAwlz4c80cohkZHkgjIRulz3bMq4 X-Gm-Gg: AeBDies99VBgPFJTLc9pqSKzU4iIO+CF9SNGCAVAWPBl+gW8+yG/BCj0a2kpPF2hitw kZ3DVBx9X0vYKSqYNFtDtOAOQQtkaIduU4Ndy7KRAGE37JFMM8fm8a7u9wcaj0VZ2f5lyKXWNO6 YXz0EU75pWELpeZ64VcLUT8lFIx5DrHMJ5rum738+oXhscJF6y5xE6x7xF8ZNrlLoGEjlKeilXv egIhMa+UPdNNab48F74kbv8zw8gBiHVAFTeca97Po3mBNJzSsuo9sRJzZ6CNUgzJLhNvi8qFzc1 I2xlTYKzMNHn5CWync08+b3zRokpEJpS4bDGs7KtfJRkTG9LJk2AMJpwORqVDFoZekIQQBdT7A+ Cc6EPRESHg8uO1xrnFmdzQrkwPaZvepdIfgIP0rM2WI4RspD8z3Q9jJo9avkXTjXBfcdWpxvghY sgnAcATsaKuvKhhKClNUcyaxXp8XE3j4uqRe+HqigwTA== X-Received: by 2002:a17:90b:1a8f:b0:359:83d3:27d3 with SMTP id 98e67ed59e1d1-35e4274e363mr10973143a91.2.1776081268925; Mon, 13 Apr 2026 04:54:28 -0700 (PDT) Received: from lgs.. ([2409:893d:1188:142d:db27:7a46:955d:48f7]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-35e34fdc4bcsm15474300a91.7.2026.04.13.04.54.25 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 13 Apr 2026 04:54:28 -0700 (PDT) From: Guangshuo Li To: Yoshinori Sato , Rich Felker , John Paul Adrian Glaubitz , Guangshuo Li , Adrian McMenamin , Paul Mundt , linux-sh@vger.kernel.org, linux-kernel@vger.kernel.org Cc: stable@vger.kernel.org Subject: [PATCH v2] maple: Fix refcount leak in maple_attach_driver() error path Date: Mon, 13 Apr 2026 19:54:18 +0800 Message-ID: <20260413115418.2780881-1-lgs201920130244@gmail.com> X-Mailer: git-send-email 2.43.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" As device_register() calls device_initialize() before device_add(), the failure path in maple_attach_driver() is reached after the embedded struct device has already been initialized and its lifetime is expected to be managed through the device core reference counting. However, that path frees mdev and its associated resources directly via maple_free_dev(), rather than releasing them through put_device() and the normal release path. This may leave the reference count of the embedded struct device unbalanced, resulting in a refcount leak and potentially leading to a use-after-free. The issue was identified by a static analysis tool I developed and confirmed by manual review. A possible fix would be to use put_device() in the error path and let maple_release_device() handle the final cleanup. Fixes: b3c69e248176 ("maple: more robust device detection.") Cc: stable@vger.kernel.org Signed-off-by: Guangshuo Li --- v2: - note that the issue was identified by my static analysis tool - and confirmed by manual review drivers/sh/maple/maple.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/sh/maple/maple.c b/drivers/sh/maple/maple.c index 6dc0549f7900..20b7c2cd852b 100644 --- a/drivers/sh/maple/maple.c +++ b/drivers/sh/maple/maple.c @@ -393,7 +393,7 @@ static void maple_attach_driver(struct maple_device *md= ev) dev_warn(&mdev->dev, "could not register device at" " (%d, %d), with error 0x%X\n", mdev->unit, mdev->port, error); - maple_free_dev(mdev); + put_device(&mdev->dev); mdev =3D NULL; return; } --=20 2.43.0