firmware_loader: fix device reference leak in firmware_upload_register()

firmware_upload_register()
  -> fw_create_instance()
     -> device_initialize()

After fw_create_instance() succeeds, the lifetime of the embedded struct
device is expected to be managed through the device core reference
counting, since fw_create_instance() has already called
device_initialize().

In firmware_upload_register(), if alloc_lookup_fw_priv() fails after
fw_create_instance() succeeds, the code reaches free_fw_sysfs and frees
fw_sysfs directly instead of releasing the device reference with
put_device(). This may leave the reference count of the embedded struct
device unbalanced, resulting in a refcount leak.

The issue was identified by a static analysis tool I developed and
confirmed by manual review. Fix this by using put_device(fw_dev) in the
failure path and letting fw_dev_release() handle the final cleanup,
instead of freeing the instance directly from the error path.

Fixes: 97730bbb242c ("firmware_loader: Add firmware-upload support")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Link: https://patch.msgid.link/20260505091231.607089-1-lgs201920130244@gmail.com
Signed-off-by: Danilo Krummrich <dakr@kernel.org>

diff --git a/drivers/base/firmware_loader/sysfs_upload.c b/drivers/base/firmware_loader/sysfs_upload.c
index f59a7856934cec54e7d889ca0a185eb502ae3e7a..efc33294212fd82bb1a8c426d7430ef96c6620b2 100644 (file)
--- a/drivers/base/firmware_loader/sysfs_upload.c
+++ b/drivers/base/firmware_loader/sysfs_upload.c
@@ -343,7 +343,6 @@ firmware_upload_register(struct module *module, struct device *parent,
                goto free_fw_upload_priv;
        }
        fw_upload->priv = fw_sysfs;
-       fw_sysfs->fw_upload_priv = fw_upload_priv;
        fw_dev = &fw_sysfs->dev;
 
        ret = alloc_lookup_fw_priv(name, &fw_cache, &fw_priv,  NULL, 0, 0,
@@ -351,10 +350,12 @@ firmware_upload_register(struct module *module, struct device *parent,
        if (ret != 0) {
                if (ret > 0)
                        ret = -EINVAL;
-               goto free_fw_sysfs;
+               put_device(fw_dev);
+               goto free_fw_upload_priv;
        }
        fw_priv->is_paged_buf = true;
        fw_sysfs->fw_priv = fw_priv;
+       fw_sysfs->fw_upload_priv = fw_upload_priv;
 
        ret = device_add(fw_dev);
        if (ret) {
@@ -365,9 +366,6 @@ firmware_upload_register(struct module *module, struct device *parent,
 
        return fw_upload;
 
-free_fw_sysfs:
-       kfree(fw_sysfs);
-
 free_fw_upload_priv:
        kfree(fw_upload_priv);