[PATCH v2] edd: Fix kobject reference leak in edd_init() error path

Next message: Yeoreum Yun: "[PATCH v4 2/9] coresight: etm4x: exclude ss_status from drvdata-&gt;config"
Previous message: Stefan Wiehler: "Re: [PATCH v2] mips: mm: Call rcutree_report_cpu_starting() even earlier"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Guangshuo Li

Date: Mon Apr 13 2026 - 10:20:06 EST

edd_device_register() initializes the embedded kobject for struct
edd_device via:

edd_device_register()
-> kobject_init_and_add(&edev->kobj, &edd_ktype, ...)
-> edd_ktype.release = edd_release()
-> kfree(edev)

So once edd_device_register() has called kobject_init_and_add(), edev
should be released via kobject_put(), not by freeing it directly.

However, in edd_init(), when edd_device_register() fails, the error path
calls kfree(edev) directly. That bypasses the normal kobject lifetime
handling and leaks the reference held on the embedded kobject.

The issue was identified by a static analysis tool I developed and
confirmed by manual review.

Fix this by using kobject_put() in the edd_device_register() failure
path so the object is released through edd_release().

Signed-off-by: Guangshuo Li <lgs201920130244@xxxxxxxxx>
---
v2:
- note that the issue was identified by my static analysis tool
- and confirmed by manual review

drivers/firmware/edd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/firmware/edd.c b/drivers/firmware/edd.c
index 55dec4eb2c00..82b326ce83ce 100644
--- a/drivers/firmware/edd.c
+++ b/drivers/firmware/edd.c
@@ -748,7 +748,7 @@ edd_init(void)

rc = edd_device_register(edev, i);
if (rc) {
- kfree(edev);
+ kobject_put(&edev->kobj);
goto out;
}
edd_devices[i] = edev;
--
2.43.0