From: Pei Xiao xiaopei01@kylinos.cn
[ Upstream commit 4910da6b36b122db50a27fabf6ab7f8611b60bf8 ]
The for_each_child_of_node() macro automatically manages device node reference counts during normal iteration. However, when breaking out of the loop early with return, the current iteration's node is not automatically released, leading to a reference count leak.
Fix this by adding of_node_put(child) before returning from the loop when emc2305_set_single_tz() fails.
This issue could lead to memory leaks over multiple probe cycles.
Signed-off-by: Pei Xiao xiaopei01@kylinos.cn Link: https://lore.kernel.org/r/tencent_5CDC08544C901D5ECA270573D5AEE3117108@qq.co... Signed-off-by: Guenter Roeck linux@roeck-us.net Signed-off-by: Sasha Levin sashal@kernel.org ---
LLM Generated explanations, may be completely bogus:
## Analysis of Commit: hwmon: (emc2305) fix device node refcount leak in error path
### 1. COMMIT MESSAGE ANALYSIS
**Subject:** Clear "fix" language indicates a bug fix targeting a "refcount leak" in an "error path"
**Body explanation:** - The `for_each_child_of_node()` macro manages device node reference counts internally - When breaking out of the loop early with `return`, the current node's reference is NOT automatically released - This causes a reference count leak leading to memory leaks over multiple probe cycles
**Tags present:** - `Signed-off-by` from author and maintainer (Guenter Roeck) - `Link:` to mailing list discussion
**Tags missing:** - No `Cc: stable@vger.kernel.org` - No `Fixes:` tag
### 2. CODE CHANGE ANALYSIS
The fix is extremely small and surgical:
```c for_each_child_of_node(dev->of_node, child) { ret = emc2305_set_single_tz(dev, child, i); - if (ret != 0) + if (ret != 0) { + of_node_put(child); return ret; + } i++; } ```
**Technical mechanism:** - `for_each_child_of_node()` calls `of_node_get()` on each child internally - On normal loop completion, the macro decrements the refcount - On early exit (return/break), the caller must manually call `of_node_put()` to release the reference - Without this, each failed probe leaves an unreleased reference → memory leak
**Root cause:** Missing required cleanup call when breaking out of device tree iterator macro
**Why fix is correct:** This is the standard, well-documented pattern in the Linux kernel for handling early exits from `for_each_child_of_node()`. Adding `of_node_put(child)` before return is textbook correct.
### 3. CLASSIFICATION
- **Bug type:** Resource leak (reference count / memory leak) - **Category:** Standard bug fix - **Security:** Not a security issue - **New features:** None
### 4. SCOPE AND RISK ASSESSMENT
| Metric | Value | |--------|-------| | Lines changed | 3 (effectively +1 functional line) | | Files touched | 1 | | Complexity | Very low | | Risk | Near zero |
**Risk analysis:** - The fix only adds a cleanup call in an error path that already returns immediately - Cannot possibly affect normal operation - The `of_node_put()` function is well-tested core kernel infrastructure - Adding required cleanup where it was missing cannot cause regression
### 5. USER IMPACT
**Affected users:** Those with EMC2305 fan controller hardware using device tree
**Trigger conditions:** 1. Device must have child nodes in device tree 2. `emc2305_set_single_tz()` must fail 3. Must happen repeatedly over time
**Severity:** Low to medium - memory leak that accumulates over multiple failed probe cycles. Not a crash or security issue, but can eventually exhaust memory on long-running systems.
### 6. STABILITY INDICATORS
- Accepted by hwmon subsystem maintainer (Guenter Roeck) - Simple, well-understood fix pattern - No complex interactions possible
### 7. DEPENDENCY CHECK
- No dependencies on other commits - `for_each_child_of_node()` and `of_node_put()` are long-standing kernel APIs - The emc2305 driver must exist in the target stable tree
---
## Summary
**What the commit fixes:** A device node reference count leak in the emc2305 hwmon driver that occurs when `emc2305_set_single_tz()` fails during probe. This can lead to memory leaks over multiple probe cycles.
**Stable kernel rules assessment:** 1. ✅ **Obviously correct:** Standard kernel pattern, textbook fix 2. ✅ **Fixes real bug:** Yes, reference count leak causing memory leak 3. ⚠️ **Important issue:** Moderate severity - memory leak in error path 4. ✅ **Small and contained:** 3 lines changed in 1 file 5. ✅ **No new features:** Pure bug fix 6. ✅ **Clean application:** Should apply cleanly
**Risk vs Benefit:** - **Risk:** Essentially zero - adds required cleanup in error path - **Benefit:** Prevents memory leak on systems using this hardware
**Concerns:** - No explicit `Cc: stable` tag from maintainer - Bug requires specific error condition to trigger - Affects only specific hardware
**Verdict:** Despite the lack of explicit stable tagging, this fix is a textbook example of a safe backport candidate. The fix is trivially correct, follows a well-established kernel pattern, has zero risk of regression, and fixes a real (if low-severity) resource leak. Similar `for_each_child_of_node()` refcount leak fixes are regularly backported to stable trees.
**YES**
drivers/hwmon/emc2305.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/hwmon/emc2305.c b/drivers/hwmon/emc2305.c index 60809289f8169..84cb9b72cb6c2 100644 --- a/drivers/hwmon/emc2305.c +++ b/drivers/hwmon/emc2305.c @@ -685,8 +685,10 @@ static int emc2305_probe(struct i2c_client *client) i = 0; for_each_child_of_node(dev->of_node, child) { ret = emc2305_set_single_tz(dev, child, i); - if (ret != 0) + if (ret != 0) { + of_node_put(child); return ret; + } i++; } } else {