[PATCH] ssb: fix reference leaks on failed flash device registration

Posted by Guangshuo Li 2 months ago
When platform_device_register() fails in ssb_devices_register(), the
embedded struct device in ssb_pflash_dev or ssb_sflash_dev has already
been initialized by device_initialize(), but the failure paths only
report the error and do not drop the device reference for the current
platform device:

  ssb_devices_register()
    -> platform_device_register(&ssb_pflash_dev)
       -> device_initialize(&ssb_pflash_dev.dev)
       -> setup_pdev_dma_masks(&ssb_pflash_dev)
       -> platform_device_add(&ssb_pflash_dev)

  ssb_devices_register()
    -> platform_device_register(&ssb_sflash_dev)
       -> device_initialize(&ssb_sflash_dev.dev)
       -> setup_pdev_dma_masks(&ssb_sflash_dev)
       -> platform_device_add(&ssb_sflash_dev)

This leads to reference leaks when platform_device_register() fails.
Fix this by calling platform_device_put() after reporting the error.

The issue was identified by a static analysis tool I developed and
confirmed by manual review.

Fixes: c7a4a9e3880cc ("ssb: register platform device for parallel flash")
Fixes: 7b5d6043de312 ("ssb: register serial flash as platform device")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
---
 drivers/ssb/main.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/ssb/main.c b/drivers/ssb/main.c
index b2d339eb57d5..5cdf612a8516 100644
--- a/drivers/ssb/main.c
+++ b/drivers/ssb/main.c
@@ -535,16 +535,20 @@ static int ssb_devices_register(struct ssb_bus *bus)
 #ifdef CONFIG_SSB_DRIVER_MIPS
 	if (bus->mipscore.pflash.present) {
 		err = platform_device_register(&ssb_pflash_dev);
-		if (err)
+		if (err) {
 			pr_err("Error registering parallel flash\n");
+			platform_device_put(&ssb_pflash_dev);
+		}
 	}
 #endif
 
 #ifdef CONFIG_SSB_SFLASH
 	if (bus->mipscore.sflash.present) {
 		err = platform_device_register(&ssb_sflash_dev);
-		if (err)
+		if (err) {
 			pr_err("Error registering serial flash\n");
+			platform_device_put(&ssb_sflash_dev);
+		}
 	}
 #endif
 
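Review bot: the two added platform_device_put() calls act on &ssb_pflash_dev and &ssb_sflash_dev, which are global platform_device objects with no dev.release callback, so dropping the last reference on the failure path reaches the device release path with nothing to call and triggers the missing release callback warning instead of fixing a leak. Nothing was allocated for these objects that a put could free. I would drop both calls and leave the error branches as they were, or first convert the two devices to platform_device_alloc() plus platform_device_add() if the reference handling is meant to be symmetric.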
-- 
2.43.0
Re: [PATCH] ssb: fix reference leaks on failed flash device registration
Posted by Guangshuo Li 1 month, 3 weeks ago
Hi,

Please disregard this patch.

On Thu, 16 Apr 2026 at 02:30, Guangshuo Li <lgs201920130244@gmail.com> wrote:
>
> When platform_device_register() fails in ssb_devices_register(), the
> embedded struct device in ssb_pflash_dev or ssb_sflash_dev has already
> been initialized by device_initialize(), but the failure paths only
> report the error and do not drop the device reference for the current
> platform device:
>
>   ssb_devices_register()
>     -> platform_device_register(&ssb_pflash_dev)
>        -> device_initialize(&ssb_pflash_dev.dev)
>        -> setup_pdev_dma_masks(&ssb_pflash_dev)
>        -> platform_device_add(&ssb_pflash_dev)
>
>   ssb_devices_register()
>     -> platform_device_register(&ssb_sflash_dev)
>        -> device_initialize(&ssb_sflash_dev.dev)
>        -> setup_pdev_dma_masks(&ssb_sflash_dev)
>        -> platform_device_add(&ssb_sflash_dev)
>
> This leads to reference leaks when platform_device_register() fails.
> Fix this by calling platform_device_put() after reporting the error.
>
> The issue was identified by a static analysis tool I developed and
> confirmed by manual review.
>
> Fixes: c7a4a9e3880cc ("ssb: register platform device for parallel flash")
> Fixes: 7b5d6043de312 ("ssb: register serial flash as platform device")
> Cc: stable@vger.kernel.org
> Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
> ---
>  drivers/ssb/main.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/ssb/main.c b/drivers/ssb/main.c
> index b2d339eb57d5..5cdf612a8516 100644
> --- a/drivers/ssb/main.c
> +++ b/drivers/ssb/main.c
> @@ -535,16 +535,20 @@ static int ssb_devices_register(struct ssb_bus *bus)
>  #ifdef CONFIG_SSB_DRIVER_MIPS
>         if (bus->mipscore.pflash.present) {
>                 err = platform_device_register(&ssb_pflash_dev);
> -               if (err)
> +               if (err) {
>                         pr_err("Error registering parallel flash\n");
> +                       platform_device_put(&ssb_pflash_dev);
> +               }
>         }
>  #endif
>
>  #ifdef CONFIG_SSB_SFLASH
>         if (bus->mipscore.sflash.present) {
>                 err = platform_device_register(&ssb_sflash_dev);
> -               if (err)
> +               if (err) {
>                         pr_err("Error registering serial flash\n");
> +                       platform_device_put(&ssb_sflash_dev);
> +               }
>         }
>  #endif
>
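Review bot: in both blocks err is assigned from platform_device_register() and then only logged, and when both CONFIG_SSB_DRIVER_MIPS and CONFIG_SSB_SFLASH are enabled the serial flash call overwrites the value left by the parallel flash call. Since the patch now braces these branches as real error paths, it should either state in the commit message that flash registration failures are deliberately non-fatal, or stop storing the result in err (for example, if (platform_device_register(&ssb_pflash_dev)) { ... }), because the hunk does not show what is done with err afterwards.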
> --
> 2.43.0
>

After re-checking it, ssb_pflash_dev and ssb_sflash_dev are global
platform_device objects and they do not provide dev.release callbacks.
Therefore calling platform_device_put() on the platform_device_register()
failure paths is not appropriate here and can trigger the missing release
callback warning.

This falls into the same static platform_device pattern pointed out in
the other reviews, so I will drop this patch.

Sorry for the noise.

Best regards,
Guangshuo Li
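
The reasoning in the reply above, as a userspace C model added here (not kernel code and not from the thread): the final put on a static object with no release callback lands in the warning case, while a heap object set up the way platform_device_alloc() does is freed. Every model_* name and both put_*_after_fail() helpers are hypothetical.

```c
/* Userspace model, not kernel code; every model_* name is hypothetical. */
#include <stdio.h>
#include <stdlib.h>

enum put_result { PUT_STILL_HELD, PUT_RELEASED, PUT_WARN_NO_RELEASE };

struct model_device {
	int refcount;
	void (*release)(struct model_device *dev);
};

/* Like device_initialize(): the caller now holds one reference. */
static void model_initialize(struct model_device *dev) { dev->refcount = 1; }

/* Like put_device(): the final put hands the object to release(). */
static enum put_result model_put(struct model_device *dev)
{
	if (--dev->refcount > 0)
		return PUT_STILL_HELD;
	if (!dev->release)
		return PUT_WARN_NO_RELEASE; /* the driver core warns at this point */
	dev->release(dev);
	return PUT_RELEASED;
}

static void model_heap_release(struct model_device *dev) { free(dev); }

/* Static object without release, standing in for ssb_pflash_dev. */
static struct model_device model_static_dev;

static enum put_result put_static_after_fail(void)
{
	model_initialize(&model_static_dev);
	return model_put(&model_static_dev); /* the call the patch adds */
}

/* Heap object with release set, as platform_device_alloc() arranges. */
static enum put_result put_heap_after_fail(void)
{
	struct model_device *dev = calloc(1, sizeof(*dev));
	if (!dev)
		return PUT_STILL_HELD;
	dev->release = model_heap_release;
	model_initialize(dev);
	return model_put(dev);
}

int main(void)
{
	printf("static=%d heap=%d\n", (int)put_static_after_fail(), (int)put_heap_after_fail());
	return 0;
}
```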