[PATCH] devcoredump: Fix double free on device_add() failure

Next message: hehuan1: "[PATCH v4 2/2] hwmon: Add Eswin EIC7700 PVT sensor driver"
Previous message: Maulik Shah (mkshah): "Re: [PATCH] pinctrl: qcom: Unconditionally mark gpio as wakeup enable"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Guangshuo Li

Date: Thu Apr 30 2026 - 02:45:42 EST

If device_add() fails after device_initialize(), the error path calls
put_device(&devcd->devcd_dev). This may drop the last reference to the
device and invoke devcd_dev_release(), which frees the coredump data,
drops the module reference and frees the devcd entry.

The error path then falls through to put_module and free, causing the
module reference and the coredump data to be released a second time.

Return after put_device() in this path since the device release callback
has already taken care of the resources owned by the devcd entry.

This issue was found by a static analysis tool I am developing.

Fixes: 833c95456a70 ("device coredump: add new device coredump class")
Signed-off-by: Guangshuo Li <lgs201920130244@xxxxxxxxx>
---
drivers/base/devcoredump.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/drivers/base/devcoredump.c b/drivers/base/devcoredump.c
index 7e4a491bf15e..cdefdc8e83eb 100644
--- a/drivers/base/devcoredump.c
+++ b/drivers/base/devcoredump.c
@@ -437,6 +437,7 @@ void dev_coredumpm_timeout(struct device *dev, struct module *owner,
mutex_unlock(&devcd->mutex);
cancel_delayed_work_sync(&devcd->del_wk);
put_device(&devcd->devcd_dev);
+ return;

put_module:
module_put(owner);
--
2.43.0