[PATCH v2] enclosure: Fix refcount leak in enclosure_register() error path

Next message: Paolo Abeni: "Re: [PATCH v10 1/2] net: mhi: Enable Ethernet interface support"
Previous message: patchwork-bot+netdevbpf: "Re: [PATCH net-next v7 00/10] Decouple receive and transmit enablement in team driver"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Guangshuo Li

Date: Mon Apr 13 2026 - 09:39:14 EST

After device_register(), the lifetime of the embedded struct device is
expected to be managed through the device core reference counting.

In enclosure_register(), if device_register() fails, the error path
drops the parent device reference and frees edev directly instead of
releasing the device reference with put_device(&edev->edev). This
bypasses the normal device lifetime rules and may leave the reference
count of the embedded struct device unbalanced, resulting in a refcount
leak and potentially leading to a use-after-free.

The issue was identified by a static analysis tool I developed and
confirmed by manual review.

Fix this by using put_device(&edev->edev) in the failure path and let
enclosure_release() handle the final cleanup.

Fixes: ee959b00c335 ("SCSI: convert struct class_device to struct device")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Guangshuo Li <lgs201920130244@xxxxxxxxx>
---
v2:
- note that the issue was identified by my static analysis tool
- and confirmed by manual review

drivers/misc/enclosure.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/misc/enclosure.c b/drivers/misc/enclosure.c
index ca4c420e4a2f..9532ad8f8b4e 100644
--- a/drivers/misc/enclosure.c
+++ b/drivers/misc/enclosure.c
@@ -148,8 +148,7 @@ enclosure_register(struct device *dev, const char *name, int components,
return edev;

err:
- put_device(edev->edev.parent);
- kfree(edev);
+ put_device(&edev->edev);
return ERR_PTR(err);
}
EXPORT_SYMBOL_GPL(enclosure_register);
--
2.43.0