CVE-2026-46030
Description
In the Linux kernel, the following vulnerability has been resolved:
EDAC/versalnet: Fix device_node leak in mc_probe()
of_parse_phandle() returns a device_node reference that must be released with of_node_put(). The original code never freed r5_core_node on any exit path, causing a memory leak.
Fix this by using the automatic cleanup attribute __free(device_node) which ensures of_node_put() is called when the variable goes out of scope.
Affected products
Patches
b6e61356ad24 EDAC/versalnet: Fix device_node leak in mc_probe()
1 file changed · +2 −3
drivers/edac/versalnet_edac.c+2 −3 modifieddiff --git a/drivers/edac/versalnet_edac.c b/drivers/edac/versalnet_edac.c index 1a1092793092a8..dce08dc7f32e7e 100644 --- a/drivers/edac/versalnet_edac.c +++ b/drivers/edac/versalnet_edac.c @@ -868,12 +868,12 @@ static void remove_versalnet(struct mc_priv *priv) static int mc_probe(struct platform_device *pdev) { - struct device_node *r5_core_node; struct mc_priv *priv; struct rproc *rp; int rc; - r5_core_node = of_parse_phandle(pdev->dev.of_node, "amd,rproc", 0); + struct device_node *r5_core_node __free(device_node) = + of_parse_phandle(pdev->dev.of_node, "amd,rproc", 0); if (!r5_core_node) { dev_err(&pdev->dev, "amd,rproc: invalid phandle\n"); return -EINVAL; -- cgit 1.3-korg
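Review bot: in mc_probe(), the new __free(device_node) declaration drops the r5_core_node reference at every return, which is correct only if nothing later in the function keeps the pointer beyond probe. The hunk ends at the NULL check, so the commit message should say that the node is only used transiently; if it is stored anywhere, that site needs its own of_node_get() or a no_free_ptr() hand-over. The same point applies to the other copies of this change listed below, which differ only in blob ids and hunk offset.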
17e136993b2b EDAC/versalnet: Fix device_node leak in mc_probe()
1 file changed · +2 −3
drivers/edac/versalnet_edac.c+2 −3 modifieddiff --git a/drivers/edac/versalnet_edac.c b/drivers/edac/versalnet_edac.c index 2cbc13d9bd00b8..bd66287ec073cd 100644 --- a/drivers/edac/versalnet_edac.c +++ b/drivers/edac/versalnet_edac.c @@ -868,12 +868,12 @@ static void remove_versalnet(struct mc_priv *priv) static int mc_probe(struct platform_device *pdev) { - struct device_node *r5_core_node; struct mc_priv *priv; struct rproc *rp; int rc; - r5_core_node = of_parse_phandle(pdev->dev.of_node, "amd,rproc", 0); + struct device_node *r5_core_node __free(device_node) = + of_parse_phandle(pdev->dev.of_node, "amd,rproc", 0); if (!r5_core_node) { dev_err(&pdev->dev, "amd,rproc: invalid phandle\n"); return -EINVAL; -- cgit 1.3-korg
5c709b376460 EDAC/versalnet: Fix device_node leak in mc_probe()
1 file changed · +2 −3
drivers/edac/versalnet_edac.c+2 −3 modifieddiff --git a/drivers/edac/versalnet_edac.c b/drivers/edac/versalnet_edac.c index b87fe57aa8425a..ec13155824141d 100644 --- a/drivers/edac/versalnet_edac.c +++ b/drivers/edac/versalnet_edac.c @@ -888,12 +888,12 @@ static void remove_versalnet(struct mc_priv *priv) static int mc_probe(struct platform_device *pdev) { - struct device_node *r5_core_node; struct mc_priv *priv; struct rproc *rp; int rc; - r5_core_node = of_parse_phandle(pdev->dev.of_node, "amd,rproc", 0); + struct device_node *r5_core_node __free(device_node) = + of_parse_phandle(pdev->dev.of_node, "amd,rproc", 0); if (!r5_core_node) { dev_err(&pdev->dev, "amd,rproc: invalid phandle\n"); return -EINVAL; -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Missing of_node_put() call for the device_node returned by of_parse_phandle() in mc_probe(), causing a reference-count leak on every probe path."
Attack vector
An attacker does not directly trigger this bug; it is a memory leak that occurs during normal driver probe. Whenever the EDAC driver for the AMD Versal NET DDR controller is probed (e.g., at boot or on device hot-plug), of_parse_phandle() increments the reference count of the "amd,rproc" phandle node, but the original code never calls of_node_put() to release it. Over repeated probe cycles or module reloads, the leaked references accumulate, eventually exhausting the device_node slab and causing a denial of service.
Affected code
The vulnerable function is mc_probe() in drivers/edac/versalnet_edac.c. The variable r5_core_node is obtained via of_parse_phandle() but was never freed with of_node_put() on any exit path.
What the fix does
The patch replaces the manual struct device_node *r5_core_node declaration with a variable annotated __free(device_node) [patch_id=2660291]. This Linux kernel cleanup attribute ensures that of_node_put() is automatically invoked when r5_core_node goes out of scope, covering all exit paths (including the error return when the phandle is invalid) without requiring explicit of_node_put() calls. The fix is minimal and correct because it leverages the kernel's existing scope-based resource management pattern.
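The leak and the scope-based fix described above can be reproduced in userspace with the compiler's cleanup attribute, which is what the kernel's __free() builds on. This is an added example, not code from the kernel or the patch: model_parse_phandle(), model_node_put(), auto_node_put, the probe functions and the later -19 failure path are all constructed stand-ins.

```c
#include <stdio.h>

/* Constructed userspace model of a refcounted node; not kernel code. */
struct device_node { int refcount; };

/* Models of_parse_phandle(): returns the node with one extra reference, or NULL. */
static struct device_node *model_parse_phandle(struct device_node *target)
{
    if (target)
        target->refcount++;
    return target;
}

/* Models of_node_put() as a cleanup handler: it receives a pointer to the variable. */
static void model_node_put(struct device_node **npp)
{
    if (*npp)
        (*npp)->refcount--;
}
#define auto_node_put __attribute__((cleanup(model_node_put)))

/* Pre-fix shape: the reference is not dropped on any return path. */
static int probe_leaky(struct device_node *target, int fail_later)
{
    struct device_node *np = model_parse_phandle(target);
    if (!np)
        return -22;                 /* -EINVAL, as in the patch context */
    return fail_later ? -19 : 0;    /* hypothetical later failure path */
}

/* Post-fix shape: the handler runs when np leaves scope, on every return. */
static int probe_fixed(struct device_node *target, int fail_later)
{
    struct device_node *np auto_node_put = model_parse_phandle(target);
    if (!np)
        return -22;
    return fail_later ? -19 : 0;
}

/* Runs n probe cycles, alternating success and failure; returns references left held. */
static int leaked_after(int (*probe)(struct device_node *, int), int n)
{
    struct device_node node = { .refcount = 1 };
    for (int i = 0; i < n; i++)
        probe(&node, i % 2);
    return node.refcount - 1;
}

int main(void)
{
    printf("leaky: %d fixed: %d\n", leaked_after(probe_leaky, 10), leaked_after(probe_fixed, 10));
    return 0;
}
```

The count of leaked references grows by one per probe cycle in the pre-fix shape regardless of whether the probe succeeds, which is the accumulation the section above describes.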
Preconditions
- config: The kernel must have the AMD Versal NET EDAC driver built or loaded as a module.
- input: The device tree must contain an 'amd,rproc' phandle property for the EDAC device node.
- auth: No authentication or network access is required; the leak occurs during normal driver probe.
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.