1. Patchew
  2. linux
  3. View series

[PATCH v2] gpu: host1x: Fix device reference leak in device_add() error path

Guangshuo Li posted 1 patch 2 months ago 
drivers/firmware/edd.c   | 2 +-
drivers/gpu/host1x/bus.c | 6 +++++-
2 files changed, 6 insertions(+), 2 deletions(-)
[PATCH v2] gpu: host1x: Fix device reference leak in device_add() error path
Posted by Guangshuo Li 2 months ago 
After device_initialize(), the embedded struct device in struct
host1x_device should be released through the device core with
put_device().

In host1x_device_add(), the empty-subdevice path calls
device_add(&device->dev), but if that fails it only logs the error and
continues without dropping the device reference. That leaks the
reference held on the embedded struct device.

The issue was identified by a static analysis tool I developed and
confirmed by manual review.

Fix this by removing the device from host1x->devices and calling
put_device() when device_add() fails.

Fixes: fab823d82ee50 ("gpu: host1x: Allow loading tegra-drm without enabled engines")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
---
v2:
  - note that the issue was identified by my static analysis tool
  - and confirmed by manual review

 drivers/firmware/edd.c   | 2 +-
 drivers/gpu/host1x/bus.c | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/firmware/edd.c b/drivers/firmware/edd.c
index 55dec4eb2c00..82b326ce83ce 100644
--- a/drivers/firmware/edd.c
+++ b/drivers/firmware/edd.c
@@ -748,7 +748,7 @@ edd_init(void)
 
 		rc = edd_device_register(edev, i);
 		if (rc) {
-			kfree(edev);
+			kobject_put(&edev->kobj);
 			goto out;
 		}
 		edd_devices[i] = edev;
diff --git a/drivers/gpu/host1x/bus.c b/drivers/gpu/host1x/bus.c
index 723a80895cd4..63fe037c3b65 100644
--- a/drivers/gpu/host1x/bus.c
+++ b/drivers/gpu/host1x/bus.c
@@ -477,8 +477,12 @@ static int host1x_device_add(struct host1x *host1x,
 	 */
 	if (list_empty(&device->subdevs)) {
 		err = device_add(&device->dev);
-		if (err < 0)
+		if (err < 0) {
 			dev_err(&device->dev, "failed to add device: %d\n", err);
+			list_del(&device->list);
+			put_device(&device->dev);
+			return err;
+		}
 		else
 			device->registered = true;
 	}
-- 
2.43.0
Re: [PATCH v2] gpu: host1x: Fix device reference leak in device_add() error path
Posted by Mikko Perttunen 1 month, 3 weeks ago 
On Monday, April 13, 2026 11:13 PM Guangshuo Li wrote:
> After device_initialize(), the embedded struct device in struct
> host1x_device should be released through the device core with
> put_device().
> 
> In host1x_device_add(), the empty-subdevice path calls
> device_add(&device->dev), but if that fails it only logs the error and
> continues without dropping the device reference. That leaks the
> reference held on the embedded struct device.
> 
> The issue was identified by a static analysis tool I developed and
> confirmed by manual review.
> 
> Fix this by removing the device from host1x->devices and calling
> put_device() when device_add() fails.
> 
> Fixes: fab823d82ee50 ("gpu: host1x: Allow loading tegra-drm without enabled engines")
> Cc: stable@vger.kernel.org
> Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
> ---
> v2:
>   - note that the issue was identified by my static analysis tool
>   - and confirmed by manual review
> 
>  drivers/firmware/edd.c   | 2 +-
>  drivers/gpu/host1x/bus.c | 6 +++++-
>  2 files changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/firmware/edd.c b/drivers/firmware/edd.c
> index 55dec4eb2c00..82b326ce83ce 100644
> --- a/drivers/firmware/edd.c
> +++ b/drivers/firmware/edd.c
> @@ -748,7 +748,7 @@ edd_init(void)
>  
>  		rc = edd_device_register(edev, i);
>  		if (rc) {
> -			kfree(edev);
> +			kobject_put(&edev->kobj);
>  			goto out;
>  		}
>  		edd_devices[i] = edev;

Unrelated ..

> diff --git a/drivers/gpu/host1x/bus.c b/drivers/gpu/host1x/bus.c
> index 723a80895cd4..63fe037c3b65 100644
> --- a/drivers/gpu/host1x/bus.c
> +++ b/drivers/gpu/host1x/bus.c
> @@ -477,8 +477,12 @@ static int host1x_device_add(struct host1x *host1x,
>  	 */
>  	if (list_empty(&device->subdevs)) {
>  		err = device_add(&device->dev);
> -		if (err < 0)
> +		if (err < 0) {
>  			dev_err(&device->dev, "failed to add device: %d\n", err);
> +			list_del(&device->list);
> +			put_device(&device->dev);
> +			return err;
> +		}
>  		else
>  			device->registered = true;

This isn't a leak -- if device_add fails, the device is still on the
device list, though in a "stuck" state, and will get cleaned up through
host1x_device_del.

Thanks
Mikko

>  	}
> -- 
> 2.43.0
> 
>
Re: [PATCH v2] gpu: host1x: Fix device reference leak in device_add() error path
Posted by Guangshuo Li 1 month, 3 weeks ago 
Hi Mikko,

Thanks for reviewing.

On Mon, 20 Apr 2026 at 15:19, Mikko Perttunen <mperttunen@nvidia.com> wrote:
>
> Unrelated ..
>
Sorry about the unrelated change in drivers/firmware/edd.c. It was
included by mistake due to my carelessness when doing git add.

> This isn't a leak -- if device_add fails, the device is still on the
> device list, though in a "stuck" state, and will get cleaned up through
> host1x_device_del.
>
You're right. I misunderstood this path: if device_add() fails here,
the device remains on host1x->devices and can still be cleaned up
later via host1x_device_del(), so this is not a real leak.

I'll drop this host1x change.

Best regards,
Guangshuo

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.