Re: [PATCH v3] device-dax: Fix refcount leak in __devm_create_dev_dax() error path

From: Dan Williams

Date: Mon Apr 13 2026 - 11:45:01 EST




On Mon, Apr 13, 2026, at 6:56 AM, Guangshuo Li wrote:
> After device_initialize(), the embedded struct device in dev_dax is
> expected to be released through the device core with put_device().
>
> In __devm_create_dev_dax(), several failure paths after
> device_initialize() free dev_dax directly instead of dropping the device
> reference, which bypasses the normal device core lifetime handling and
> leaks the reference held on the embedded struct device.

Like I said before, please focus on the practical problem this causes. It is always the case that device setup will have some steps that are handled by direct kfree before switching to a put_device() model.

In this case the practical problem is that the memory allocation from dev_set_name() is leaked. Also the error return from dev_set_name() is ignored.

> The issue was identified by a static analysis tool I developed and
> confirmed by manual review.

If you are going to be doing more of these please make sure not to just rework code just to get all freeing done by put_device() when not strictly necessary.

One issue to avoid is early returns in the error goto path.

In this case I believe you can address this by moving the device_initialize() later in the function. Make it so that the switch from error unwind to put_device() is the last step of the setup.

It would be nice to fix the dev_set_name() error handling in a follow-on patch as well.
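
A user-space C model of the ordering discussed in this message, added here as an illustration and not code from the patch, the reply, or the kernel. The `mdev_*` and `mdax` names and the allocation counter are hypothetical stand-ins for `struct device`, `dev_dax`, `device_initialize()`, `dev_set_name()` and `put_device()`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* User-space model, constructed for illustration; none of this is kernel code. */
static int live_allocs;                      /* outstanding allocations */
static void *xalloc(size_t n) { void *p = calloc(1, n); if (p) live_allocs++; return p; }
static void xfree(void *p) { if (p) { live_allocs--; free(p); } }

struct mdev { int refs; char *name; void (*release)(struct mdev *); }; /* ~ struct device */
struct mdax { struct mdev dev; int id; };    /* ~ dev_dax, device embedded first */

static void mdev_initialize(struct mdev *d) { d->refs = 1; }
static int mdev_set_name(struct mdev *d, const char *s)
{
    d->name = xalloc(strlen(s) + 1);         /* freed only by the final put */
    if (!d->name) return -1;
    strcpy(d->name, s);
    return 0;
}
static void mdev_put(struct mdev *d) { if (--d->refs == 0) { xfree(d->name); d->release(d); } }
static void mdax_release(struct mdev *d) { xfree(d); }  /* dev is the first member */

/* Early initialize, name result ignored, later failure unwound by a direct free. */
struct mdax *create_leaky(int fail)
{
    struct mdax *m = xalloc(sizeof(*m));
    if (!m) return NULL;
    mdev_initialize(&m->dev);
    m->dev.release = mdax_release;
    mdev_set_name(&m->dev, "dax0.0");
    if (fail) { xfree(m); return NULL; }     /* the name string stays allocated */
    return m;
}

/* Fallible setup first (plain free on failure); initialize and name as the last step. */
struct mdax *create_reordered(int fail)
{
    struct mdax *m = xalloc(sizeof(*m));
    if (!m) return NULL;
    if (fail) { xfree(m); return NULL; }     /* nothing device-owned exists yet */
    mdev_initialize(&m->dev);
    m->dev.release = mdax_release;
    if (mdev_set_name(&m->dev, "dax0.0")) { mdev_put(&m->dev); return NULL; }
    return m;
}

/* Allocations left behind by a failed create; 0 means no leak. */
int leaked_on_failure(struct mdax *(*create)(int)) { int b = live_allocs; create(1); return live_allocs - b; }
int main(void) { printf("leaky=%d reordered=%d\n", leaked_on_failure(create_leaky), leaked_on_failure(create_reordered)); return 0; }
```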