Re: [PATCH v2] md: fix kobject reference leak in md_import_device()

[Su Yue <l@damenly.org>]

On Mon 13 Apr 2026 at 22:17, Guangshuo Li 
<lgs201920130244@gmail.com> wrote:

> md_import_device() initializes rdev->kobj with kobject_init() 
> before
> checking the device size and loading the superblock.
>
> When one of the later checks fails, the error path still frees 
> rdev
> directly with kfree(). This bypasses the kobject release path 
> and leaves
> the kobject reference unbalanced.
>
> The issue was identified by a static analysis tool I developed 
> and
> confirmed by manual review.
>
> After kobject_init(), release rdev through kobject_put() instead 
> of
> kfree().
>
> Fixes: f9cb074bff8e ("Kobject: rename kobject_init_ng() to 
> kobject_init()")
> Cc: stable@vger.kernel.org
> Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
> ---
> v2:
>   - note that the issue was identified by my static analysis 
>   tool
>   - and confirmed by manual review
>
>  drivers/md/md.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/drivers/md/md.c b/drivers/md/md.c
> index 6d73f6e196a9..4ce7512dc834 100644
> --- a/drivers/md/md.c
> +++ b/drivers/md/md.c
> @@ -3871,6 +3871,9 @@ static struct md_rdev 
> *md_import_device(dev_t newdev, int super_format, int supe
>
>  out_blkdev_put:
>  	fput(rdev->bdev_file);
> +	md_rdev_clear(rdev);
> +	kobject_put(&rdev->kobj);
> +	return ERR_PTR(err);
>
Why not just:

out_blkdev_put:
	kobject_put(&rdev->kobj);
	fput(rdev->bdev_file);
out_clear_rdev:
	md_rdev_clear(rdev);
out_free_rdev:
	kfree(rdev);
	return ERR_PTR(err);

--
Su