[PATCH v3] ACPI: scan: Use acpi_dev_put() in object add error paths

Guangshuo Li posted 1 patch 2 months ago
drivers/acpi/power.c | 2 +-
drivers/acpi/scan.c  | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
[PATCH v3] ACPI: scan: Use acpi_dev_put() in object add error paths
Posted by Guangshuo Li 2 months ago
After acpi_init_device_object(), the lifetime of struct acpi_device is
managed by the driver core through reference counting.

Both acpi_add_power_resource() and acpi_add_single_object() call
acpi_init_device_object() and then invoke acpi_device_add(). If that
fails, their error paths call the release callback directly instead of
dropping the device reference through acpi_dev_put().

This bypasses the normal device lifetime rules and frees the object
without releasing the reference acquired by device_initialize(), which
may lead to a refcount leak.

The issue was identified by a static analysis tool I developed and
confirmed by manual review.

Fix both error paths by using acpi_dev_put() and let the release
callback handle the final cleanup.

Fixes: 781d737c7466 ("ACPI: Drop power resources driver")
Fixes: 718fb0de8ff88 ("ACPI: fix NULL bug for HID/UID string")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
---
v3:
  - Note that the issue was identified by my static analysis tool
    and confirmed by manual review

v2:
  - Use acpi_dev_put() instead of put_device()
  - Fix acpi_add_single_object() together with acpi_add_power_resource()
  - Update the subject and commit message accordingly

 drivers/acpi/power.c | 2 +-
 drivers/acpi/scan.c  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/acpi/power.c b/drivers/acpi/power.c
index 361a7721a6a8..542e182f94f1 100644
--- a/drivers/acpi/power.c
+++ b/drivers/acpi/power.c
@@ -991,7 +991,7 @@ struct acpi_device *acpi_add_power_resource(acpi_handle handle)
 	return device;
 
  err:
-	acpi_release_power_resource(&device->dev);
+	acpi_dev_put(device);
 	return NULL;
 }
 
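Review bot: At the `err:` label in acpi_add_power_resource(), acpi_dev_put(device) is only valid once acpi_init_device_object() has run and the release callback is in place, and the hunk shows neither the jumps to `err` nor where the callback is set. Confirm that every `goto err` comes after that initialization and that the release callback for a power resource is acpi_release_power_resource(), so the final put performs the same cleanup the removed line did. A sentence in the commit message stating this would let the stable backport be checked without reading the whole function.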
diff --git a/drivers/acpi/scan.c b/drivers/acpi/scan.c
index 416d87f9bd10..5124ed02debc 100644
--- a/drivers/acpi/scan.c
+++ b/drivers/acpi/scan.c
@@ -1910,7 +1910,7 @@ static int acpi_add_single_object(struct acpi_device **child,
 		result = acpi_device_add(device);
 
 	if (result) {
-		acpi_device_release(&device->dev);
+		acpi_dev_put(device);
 		return result;
 	}
 
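Review bot: In the `if (result)` block of acpi_add_single_object(), the visible `result = acpi_device_add(device);` is indented one level deeper than the test, so it sits under a condition and `result` can reach the test from another path as well. Check that this other path leaves the device initialized and its reference not yet dropped, otherwise the new acpi_dev_put(device) could be a second put. Since the two files carry different Fixes: tags and the patch is Cc'd to stable, splitting it into one patch per file would let each fix be backported to the trees that contain its own culprit commit.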
-- 
2.43.0
Re: [PATCH v3] ACPI: scan: Use acpi_dev_put() in object add error paths
Posted by Rafael J. Wysocki 2 months ago
On Mon, Apr 13, 2026 at 3:54 PM Guangshuo Li <lgs201920130244@gmail.com> wrote:
>
> After acpi_init_device_object(), the lifetime of struct acpi_device is
> managed by the driver core through reference counting.
>
> Both acpi_add_power_resource() and acpi_add_single_object() call
> acpi_init_device_object() and then invoke acpi_device_add(). If that
> fails, their error paths call the release callback directly instead of
> dropping the device reference through acpi_dev_put().
>
> This bypasses the normal device lifetime rules and frees the object
> without releasing the reference acquired by device_initialize(), which
> may lead to a refcount leak.
>
> The issue was identified by a static analysis tool I developed and
> confirmed by manual review.
>
> Fix both error paths by using acpi_dev_put() and let the release
> callback handle the final cleanup.
>
> Fixes: 781d737c7466 ("ACPI: Drop power resources driver")
> Fixes: 718fb0de8ff88 ("ACPI: fix NULL bug for HID/UID string")
> Cc: stable@vger.kernel.org
> Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
> ---
> v3:
>   - Note that the issue was identified by my static analysis tool
>     and confirmed by manual review
>
> v2:
>   - Use acpi_dev_put() instead of put_device()
>   - Fix acpi_add_single_object() together with acpi_add_power_resource()
>   - Update the subject and commit message accordingly
>
>  drivers/acpi/power.c | 2 +-
>  drivers/acpi/scan.c  | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/acpi/power.c b/drivers/acpi/power.c
> index 361a7721a6a8..542e182f94f1 100644
> --- a/drivers/acpi/power.c
> +++ b/drivers/acpi/power.c
> @@ -991,7 +991,7 @@ struct acpi_device *acpi_add_power_resource(acpi_handle handle)
>         return device;
>
>   err:
> -       acpi_release_power_resource(&device->dev);
> +       acpi_dev_put(device);
>         return NULL;
>  }
>
> diff --git a/drivers/acpi/scan.c b/drivers/acpi/scan.c
> index 416d87f9bd10..5124ed02debc 100644
> --- a/drivers/acpi/scan.c
> +++ b/drivers/acpi/scan.c
> @@ -1910,7 +1910,7 @@ static int acpi_add_single_object(struct acpi_device **child,
>                 result = acpi_device_add(device);
>
>         if (result) {
> -               acpi_device_release(&device->dev);
> +               acpi_dev_put(device);
>                 return result;
>         }
>

Applied as 7.1-rc material, thanks!

> --
> 2.43.0
>