[PATCH] block/partitions/of: Fix of_node reference leak in of_partition()

From: Wentao Liang

Date: Thu Jun 25 2026 - 05:37:01 EST


of_partition() calls of_node_get(ddev->of_node) at entry to take a
reference on the device node, but only releases it on the validation
error path. On three other exit paths the reference is leaked:

- When the device node is not compatible with "fixed-partitions",
the function returns 0 without calling of_node_put().
- On normal success (return 1), partitions_np is never released.
- When the partition slot limit is reached in the second child
loop (break followed by return 1), partitions_np is also leaked.

Fix by splitting the NULL check from the compatible check so that
of_node_put() can be called before the early return on incompatibility,
and add of_node_put(partitions_np) before the final return 1 to cover
both the normal and the break paths.

The NULL case is safe because of_node_get(NULL) is a no-op.

Cc: stable@xxxxxxxxxxxxxxx
Fixes: 2e3a191e89f9 ("block: add support for partition table defined in OF")
Signed-off-by: Wentao Liang <vulab@xxxxxxxxxxx>
---
block/partitions/of.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/block/partitions/of.c b/block/partitions/of.c
index c22b60661098..afaaae5e72a1 100644
--- a/block/partitions/of.c
+++ b/block/partitions/of.c
@@ -73,9 +73,12 @@ int of_partition(struct parsed_partitions *state)

struct device_node *partitions_np = of_node_get(ddev->of_node);

- if (!partitions_np ||
- !of_device_is_compatible(partitions_np, "fixed-partitions"))
+ if (!partitions_np)
return 0;
+ if (!of_device_is_compatible(partitions_np, "fixed-partitions")) {
+ of_node_put(partitions_np);
+ return 0;
+ }

slot = 1;
/* Validate parition offset and size */
@@ -104,5 +107,7 @@ int of_partition(struct parsed_partitions *state)

seq_buf_puts(&state->pp_buf, "\n");

+ of_node_put(partitions_np);
+
return 1;
}
--
2.39.5 (Apple Git-154)