Re: [PATCH v2] gpu: host1x: Fix device reference leak in device_add() error path
From: Mikko Perttunen
Date: Mon Apr 20 2026 - 03:20:05 EST
On Monday, April 13, 2026 11:13 PM Guangshuo Li wrote:
> After device_initialize(), the embedded struct device in struct
> host1x_device should be released through the device core with
> put_device().
>
> In host1x_device_add(), the empty-subdevice path calls
> device_add(&device->dev), but if that fails it only logs the error and
> continues without dropping the device reference. That leaks the
> reference held on the embedded struct device.
>
> The issue was identified by a static analysis tool I developed and
> confirmed by manual review.
>
> Fix this by removing the device from host1x->devices and calling
> put_device() when device_add() fails.
>
> Fixes: fab823d82ee50 ("gpu: host1x: Allow loading tegra-drm without enabled engines")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Guangshuo Li <lgs201920130244@xxxxxxxxx>
> ---
> v2:
> - note that the issue was identified by my static analysis tool
> - and confirmed by manual review
>
> drivers/firmware/edd.c | 2 +-
> drivers/gpu/host1x/bus.c | 6 +++++-
> 2 files changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/firmware/edd.c b/drivers/firmware/edd.c
> index 55dec4eb2c00..82b326ce83ce 100644
> --- a/drivers/firmware/edd.c
> +++ b/drivers/firmware/edd.c
> @@ -748,7 +748,7 @@ edd_init(void)
>
> rc = edd_device_register(edev, i);
> if (rc) {
> - kfree(edev);
> + kobject_put(&edev->kobj);
> goto out;
> }
> edd_devices[i] = edev;
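Review bot: the switch from kfree(edev) to kobject_put(&edev->kobj) in edd_init() is not mentioned anywhere in the changelog, which only describes host1x_device_add(), yet drivers/firmware/edd.c appears in the diffstat. This hunk should be dropped from the patch and, if the change is wanted, sent separately with its own description explaining why the kobject is already initialized when edd_device_register() fails, since that is what makes kobject_put() the correct release there.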
Unrelated ..
> diff --git a/drivers/gpu/host1x/bus.c b/drivers/gpu/host1x/bus.c
> index 723a80895cd4..63fe037c3b65 100644
> --- a/drivers/gpu/host1x/bus.c
> +++ b/drivers/gpu/host1x/bus.c
> @@ -477,8 +477,12 @@ static int host1x_device_add(struct host1x *host1x,
> */
> if (list_empty(&device->subdevs)) {
> err = device_add(&device->dev);
> - if (err < 0)
> + if (err < 0) {
> dev_err(&device->dev, "failed to add device: %d\n", err);
> + list_del(&device->list);
> + put_device(&device->dev);
> + return err;
> + }
> else
> device->registered = true;
This isn't a leak -- if device_add fails, the device is still on the
device list, though in a "stuck" state, and will get cleaned up through
host1x_device_del.
Thanks
Mikko
> }
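Review bot: in the new error branch, list_del(&device->list) runs with no lock taken in the visible lines, and the changelog does not say what protects host1x->devices at this point or why unlinking and calling put_device() here cannot collide with the normal removal path for the same entry. Please state that in the commit message or take the appropriate lock around the list_del(). On style, the closing "}" followed by a bare "else" on the next line should become "} else {" with braces on both branches, and since the error branch now returns, the else can go away entirely so that device->registered = true follows the if block directly.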
> --
> 2.43.0
>
>