[PATCH v2] driver core: Fix refcount leak in node_init_node_access() error path

From: Guangshuo Li

Date: Mon Apr 13 2026 - 09:41:36 EST


After device_register(), the lifetime of the embedded struct device is
expected to be managed through the device core reference counting.

In node_init_node_access(), if device_register() fails, the error path
frees access_node directly instead of releasing the device reference
with put_device(). This bypasses the normal device lifetime rules and
may leave the reference count of the embedded struct device unbalanced,
resulting in a refcount leak and potentially leading to a use-after-free.

The issue was identified by a static analysis tool I developed and
confirmed by manual review.

Fix this by using put_device(dev) in the device_register() failure path
and letting node_access_release() handle the final cleanup.

Fixes: 08d9dbe72b1f ("node: Link memory nodes to their compute nodes")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Guangshuo Li <lgs201920130244@xxxxxxxxx>
---
v2:
- note that the issue was identified by my static analysis tool
  and confirmed by manual review

drivers/base/node.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/base/node.c b/drivers/base/node.c
index 00cf4532f121..2b19959a374c 100644
--- a/drivers/base/node.c
+++ b/drivers/base/node.c
@@ -171,13 +171,13 @@ static struct node_access_nodes *node_init_node_access(struct node *node,
goto free;

if (device_register(dev))
- goto free_name;
+ goto put_device;

pm_runtime_no_callbacks(dev);
list_add_tail(&access_node->list_node, &node->access_list);
return access_node;
-free_name:
- kfree_const(dev->kobj.name);
+put_device:
+ put_device(dev);
free:
kfree(access_node);
return NULL;
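
Review bot: After put_device(dev) at the new put_device: label, control still falls through to free: and runs kfree(access_node). The commit message says node_access_release() handles the final cleanup once the reference is dropped, so if that release callback frees access_node, this path frees it a second time. Return directly after the put, for example `put_device(dev);` followed by `return NULL;`, so that only the earlier `goto free` failure reaches kfree(access_node). Separately, the label put_device: has the same name as the function it calls; a distinct name such as err_put would read more clearly.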
--
2.43.0