From: Leon Romanovsky <leon@kernel.org>
To: Guangshuo Li <lgs201920130244@gmail.com>
Cc: Yishai Hadas <yishaih@nvidia.com>, Jason Gunthorpe <jgg@ziepe.ca>,
Jack Morgenstein <jackm@dev.mellanox.co.il>,
Roland Dreier <roland@purestorage.com>,
linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org,
stable@vger.kernel.org
Subject: Re: [PATCH] IB/mlx4: Fix refcount leak in add_port() error path
Date: Mon, 13 Apr 2026 17:30:12 +0300 [thread overview]
Message-ID: <20260413143012.GH21470@unreal> (raw)
In-Reply-To: <20260411091626.2141130-1-lgs201920130244@gmail.com>
On Sat, Apr 11, 2026 at 05:16:26PM +0800, Guangshuo Li wrote:
> After kobject_init_and_add(), the lifetime of the embedded struct
> kobject is expected to be managed through the kobject core reference
> counting.
>
> In add_port(), if kobject_init_and_add() fails, the error path frees p
> directly instead of releasing the kobject reference with kobject_put().
> This may leave the reference count of the embedded struct kobject
> unbalanced, resulting in a refcount leak and potentially leading to a
> use-after-free.
>
> Fix this by using kobject_put(&p->kobj) in the kobject_init_and_add()
> failure path.
The analysis is correct, the implementation is wrong.
>
> Fixes: c1e7e466120b ("IB/mlx4: Add iov directory in sysfs under the ib device")
> Cc: stable@vger.kernel.org
> Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
> ---
> drivers/infiniband/hw/mlx4/sysfs.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/infiniband/hw/mlx4/sysfs.c b/drivers/infiniband/hw/mlx4/sysfs.c
> index 88f534cf690e..15b36b9e4bd6 100644
> --- a/drivers/infiniband/hw/mlx4/sysfs.c
> +++ b/drivers/infiniband/hw/mlx4/sysfs.c
> @@ -642,7 +642,7 @@ static int add_port(struct mlx4_ib_dev *dev, int port_num, int slave)
> kobject_get(dev->dev_ports_parent[slave]),
> "%d", port_num);
> if (ret)
> - goto err_alloc;
> + goto err_kobj;
>
> p->pkey_group.name = "pkey_idx";
> p->pkey_group.attrs =
> @@ -689,6 +689,11 @@ static int add_port(struct mlx4_ib_dev *dev, int port_num, int slave)
> kobject_put(dev->dev_ports_parent[slave]);
> kfree(p);
This needs to be changed to: “kobject_put(&p->kobj);”.
> return ret;
> +
> +err_kobj:
> + kobject_put(&p->kobj);
I’m also wondering why we don’t call kobject_put() in the port deletion
path as well.
Thanks
> + return ret;
> +
> }
>
> static int register_one_pkey_tree(struct mlx4_ib_dev *dev, int slave)
> --
> 2.43.0
>
prev parent reply other threads:[~2026-04-13 14:30 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-11 9:16 [PATCH] IB/mlx4: Fix refcount leak in add_port() error path Guangshuo Li
2026-04-13 14:30 ` Leon Romanovsky [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260413143012.GH21470@unreal \
--to=leon@kernel.org \
--cc=jackm@dev.mellanox.co.il \
--cc=jgg@ziepe.ca \
--cc=lgs201920130244@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-rdma@vger.kernel.org \
--cc=roland@purestorage.com \
--cc=stable@vger.kernel.org \
--cc=yishaih@nvidia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.