When platform_device_register() fails in do_floppy_init(), the embedded
struct device in floppy_device[drive] has already been initialized by
device_initialize(), but the failure path jumps to out_remove_drives
without dropping the device reference for the current drive.

Previously registered floppy devices are cleaned up in out_remove_drives,
but the device for the drive that fails registration is not, leading to
a reference leak.

The issue was identified by a static analysis tool I developed and
confirmed by manual review. Fix this by calling put_device() for the
current floppy device before jumping to the common cleanup path.

Fixes: 94fd0db7bfb4a ("[PATCH] Floppy: Add cmos attribute to floppy driver")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
---
v2:
  - Replace put_device() with platform_device_put() in the
    platform_device_register() failure path
  - Fix the device_add_disk() failure path by unregistering the current
    platform device before jumping to out_remove_drives


 drivers/block/floppy.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
index 92e446a64371..461e14d19422 100644
--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
@@ -4724,15 +4724,19 @@ static int __init do_floppy_init(void)
 		floppy_device[drive].dev.groups = floppy_dev_groups;
 
 		err = platform_device_register(&floppy_device[drive]);
-		if (err)
+		if (err) {
+			platform_device_put(&floppy_device[drive]);
 			goto out_remove_drives;
-
+		}
 		registered[drive] = true;
 
 		err = device_add_disk(&floppy_device[drive].dev,
 				      disks[drive][0], NULL);
-		if (err)
+		if (err) {
+			platform_device_unregister(&floppy_device[drive]);
+			registered[drive] = false;
 			goto out_remove_drives;
+		}
 	}
 
 	return 0;
-- 
2.43.0

On Wed, 15 Apr 2026 22:57:08 +0800, Guangshuo Li wrote:
> When platform_device_register() fails in do_floppy_init(), the embedded
> struct device in floppy_device[drive] has already been initialized by
> device_initialize(), but the failure path jumps to out_remove_drives
> without dropping the device reference for the current drive.
> 
> Previously registered floppy devices are cleaned up in out_remove_drives,
> but the device for the drive that fails registration is not, leading to
> a reference leak.
> 
> [...]

Applied, thanks!

[1/1] floppy: fix reference leak on platform_device_register() failure
      commit: e784f2ea0b4fd0e7b70028ff8218f22456c5dcf8

Best regards,
-- 
Jens Axboe

On 17. 04. 26, 22:39, Jens Axboe wrote:
> 
> On Wed, 15 Apr 2026 22:57:08 +0800, Guangshuo Li wrote:
>> When platform_device_register() fails in do_floppy_init(), the embedded
>> struct device in floppy_device[drive] has already been initialized by
>> device_initialize(), but the failure path jumps to out_remove_drives
>> without dropping the device reference for the current drive.
>>
>> Previously registered floppy devices are cleaned up in out_remove_drives,
>> but the device for the drive that fails registration is not, leading to
>> a reference leak.
>>
>> [...]
> 
> Applied, thanks!
> 
> [1/1] floppy: fix reference leak on platform_device_register() failure
>        commit: e784f2ea0b4fd0e7b70028ff8218f22456c5dcf8

The patch is likely wrong. Given the pdev is static, the struct device 
has no ->release, so releasing it will trigger a warning. AFAIR, the 
consensus was to fix platform_device_register() proper.

thanks,
-- 
js
suse labs

On 4/22/26 11:11 PM, Jiri Slaby wrote:
> On 17. 04. 26, 22:39, Jens Axboe wrote:
>>
>> On Wed, 15 Apr 2026 22:57:08 +0800, Guangshuo Li wrote:
>>> When platform_device_register() fails in do_floppy_init(), the embedded
>>> struct device in floppy_device[drive] has already been initialized by
>>> device_initialize(), but the failure path jumps to out_remove_drives
>>> without dropping the device reference for the current drive.
>>>
>>> Previously registered floppy devices are cleaned up in out_remove_drives,
>>> but the device for the drive that fails registration is not, leading to
>>> a reference leak.
>>>
>>> [...]
>>
>> Applied, thanks!
>>
>> [1/1] floppy: fix reference leak on platform_device_register() failure
>>        commit: e784f2ea0b4fd0e7b70028ff8218f22456c5dcf8
> 
> The patch is likely wrong. Given the pdev is static, the struct device
> has no ->release, so releasing it will trigger a warning. AFAIR, the
> consensus was to fix platform_device_register() proper.

Thanks for letting me know, I'll revert this change for now.

-- 
Jens Axboe

Hi Jiri, Jens,

Thanks for the review and for catching this.

On Thu, 23 Apr 2026 at 19:06, Jens Axboe <axboe@kernel.dk> wrote:
>
> > The patch is likely wrong. Given the pdev is static, the struct device
> > has no ->release, so releasing it will trigger a warning. AFAIR, the
> > consensus was to fix platform_device_register() proper.
>
> Thanks for letting me know, I'll revert this change for now.
>

You are right that this fix is not appropriate for this case. Since the
platform device is static and the embedded struct device has no release
callback, calling platform_device_put() / releasing it here is wrong and
can trigger warnings.

Please disregard this patch. I will drop it and not pursue it further in
its current form.

Sorry for the noise, and thanks again for the clarification.

Best regards,
Guangshuo Li