[PATCH v2] edd: Fix kobject reference leak in edd_init() error path

Guangshuo Li posted 1 patch 2 months ago
drivers/firmware/edd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
edd_device_register() initializes the embedded kobject for struct
edd_device via:

  edd_device_register()
    -> kobject_init_and_add(&edev->kobj, &edd_ktype, ...)
       -> edd_ktype.release = edd_release()
          -> kfree(edev)

So once edd_device_register() has called kobject_init_and_add(), edev
should be released via kobject_put(), not by freeing it directly.

However, in edd_init(), when edd_device_register() fails, the error path
calls kfree(edev) directly. That bypasses the normal kobject lifetime
handling and leaks the reference held on the embedded kobject.

The issue was identified by a static analysis tool I developed and
confirmed by manual review.

Fix this by using kobject_put() in the edd_device_register() failure
path so the object is released through edd_release().

Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
---
v2:
  - note that the issue was identified by my static analysis tool
  - and confirmed by manual review

 drivers/firmware/edd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/firmware/edd.c b/drivers/firmware/edd.c
index 55dec4eb2c00..82b326ce83ce 100644
--- a/drivers/firmware/edd.c
+++ b/drivers/firmware/edd.c
@@ -748,7 +748,7 @@ edd_init(void)
 
 		rc = edd_device_register(edev, i);
 		if (rc) {
-			kfree(edev);
+			kobject_put(&edev->kobj);
 			goto out;
 		}
 		edd_devices[i] = edev;
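Review bot: in the `if (rc)` branch, `kobject_put(&edev->kobj)` is only correct if every nonzero return from edd_device_register() happens after kobject_init_and_add() has initialized the kobject, and the hunk does not show that. If edd_device_register() has any early return before that call, this branch would drop a reference on a kobject that was never initialized. Please confirm in the commit message that no such path is reachable from edd_init(), or handle it separately. The description could also be more precise about what leaks: kfree(edev) frees the structure itself, and what it skips is the cleanup of what kobject_init_and_add() set up (such as the kobject name), which is why kobject_put() is required after a failed kobject_init_and_add(). A Fixes: tag naming the commit that introduced the kfree() would help stable backports.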
-- 
2.43.0