public inbox for linux-raid@vger.kernel.org
* [PATCH v2] md: fix kobject reference leak in md_import_device()
@ 2026-04-13 14:17 Guangshuo Li
  2026-04-14  1:28 ` Su Yue
  0 siblings, 1 reply; 4+ messages in thread
From: Guangshuo Li @ 2026-04-13 14:17 UTC (permalink / raw)
  To: Song Liu, Yu Kuai, Greg Kroah-Hartman, linux-raid, linux-kernel
  Cc: Guangshuo Li, stable

md_import_device() initializes rdev->kobj with kobject_init() before
checking the device size and loading the superblock.

When one of the later checks fails, the error path still frees rdev
directly with kfree(). This bypasses the kobject release path and leaves
the kobject reference unbalanced.

The issue was identified by a static analysis tool I developed and
confirmed by manual review.

After kobject_init(), release rdev through kobject_put() instead of
kfree().

Fixes: f9cb074bff8e ("Kobject: rename kobject_init_ng() to kobject_init()")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
---
v2:
  - note that the issue was identified by my static analysis tool
  - and confirmed by manual review

 drivers/md/md.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/md/md.c b/drivers/md/md.c
index 6d73f6e196a9..4ce7512dc834 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -3871,6 +3871,9 @@ static struct md_rdev *md_import_device(dev_t newdev, int super_format, int supe
 
 out_blkdev_put:
 	fput(rdev->bdev_file);
+	md_rdev_clear(rdev);
+	kobject_put(&rdev->kobj);
+	return ERR_PTR(err);
 out_clear_rdev:
 	md_rdev_clear(rdev);
 out_free_rdev:
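Review bot: the order inside the out_blkdev_put block is the right one and deserves a comment, because it is the non-obvious part of the fix: rdev_free(), the rdev_ktype release callback, kfree()s rdev, so fput(rdev->bdev_file) and md_rdev_clear(rdev) must run before kobject_put(&rdev->kobj), and a one-line comment such as "/* may free rdev: must be the last use */" above the put would stop a later cleanup from folding this back into the fall-through. Since the block now returns directly, out_clear_rdev and out_free_rdev keep the bare kfree(rdev) and are only safe for exits taken before kobject_init(); it would be worth confirming, and saying in the commit message, that no goto to those labels remains after the kobject is initialized, otherwise those paths leak the reference in exactly the way this patch fixes.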
-- 
2.43.0



* Re: [PATCH v2] md: fix kobject reference leak in md_import_device()
  2026-04-13 14:17 [PATCH v2] md: fix kobject reference leak in md_import_device() Guangshuo Li
@ 2026-04-14  1:28 ` Su Yue
  2026-04-14 11:32   ` Guangshuo Li
  0 siblings, 1 reply; 4+ messages in thread
From: Su Yue @ 2026-04-14  1:28 UTC (permalink / raw)
  To: Guangshuo Li
  Cc: Song Liu, Yu Kuai, Greg Kroah-Hartman, linux-raid, linux-kernel,
	stable

On Mon 13 Apr 2026 at 22:17, Guangshuo Li <lgs201920130244@gmail.com> wrote:

> md_import_device() initializes rdev->kobj with kobject_init() 
> before
> checking the device size and loading the superblock.
>
> When one of the later checks fails, the error path still frees 
> rdev
> directly with kfree(). This bypasses the kobject release path 
> and leaves
> the kobject reference unbalanced.
>
> The issue was identified by a static analysis tool I developed 
> and
> confirmed by manual review.
>
> After kobject_init(), release rdev through kobject_put() instead 
> of
> kfree().
>
> Fixes: f9cb074bff8e ("Kobject: rename kobject_init_ng() to 
> kobject_init()")
> Cc: stable@vger.kernel.org
> Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
> ---
> v2:
>   - note that the issue was identified by my static analysis 
>   tool
>   - and confirmed by manual review
>
>  drivers/md/md.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/drivers/md/md.c b/drivers/md/md.c
> index 6d73f6e196a9..4ce7512dc834 100644
> --- a/drivers/md/md.c
> +++ b/drivers/md/md.c
> @@ -3871,6 +3871,9 @@ static struct md_rdev 
> *md_import_device(dev_t newdev, int super_format, int supe
>
>  out_blkdev_put:
>  	fput(rdev->bdev_file);
> +	md_rdev_clear(rdev);
> +	kobject_put(&rdev->kobj);
> +	return ERR_PTR(err);
>
Why not just:

out_blkdev_put:
	kobject_put(&rdev->kobj);
	fput(rdev->bdev_file);
out_clear_rdev:
	md_rdev_clear(rdev);
out_free_rdev:
	kfree(rdev);
	return ERR_PTR(err);

--
Su


* Re: [PATCH v2] md: fix kobject reference leak in md_import_device()
  2026-04-14  1:28 ` Su Yue
@ 2026-04-14 11:32   ` Guangshuo Li
  2026-04-14 14:05     ` Su Yue
  0 siblings, 1 reply; 4+ messages in thread
From: Guangshuo Li @ 2026-04-14 11:32 UTC (permalink / raw)
  To: Su Yue
  Cc: Song Liu, Yu Kuai, Greg Kroah-Hartman, linux-raid, linux-kernel,
	stable

Hi Su,

Thanks for reviewing.

On Tue, 14 Apr 2026 at 09:29, Su Yue <l@damenly.org> wrote:
> Why not just:
>
> out_blkdev_put:
>         kobject_put(&rdev->kobj);
>         fput(rdev->bdev_file);
> out_clear_rdev:
>         md_rdev_clear(rdev);
> out_free_rdev:
>         kfree(rdev);
>         return ERR_PTR(err);
>
> --
> Su

I wonder if that ordering might cause a problem.

After kobject_init(&rdev->kobj, &rdev_ktype), kobject_put(&rdev->kobj)
may immediately drop the last reference and run the release callback
from rdev_ktype:

static const struct kobj_type rdev_ktype = {
        .release        = rdev_free,
        .sysfs_ops      = &rdev_sysfs_ops,
        .default_groups = rdev_default_groups,
};

static void rdev_free(struct kobject *ko)
{
        struct md_rdev *rdev = container_of(ko, struct md_rdev, kobj);
        kfree(rdev);
}

So in:

out_blkdev_put:
        kobject_put(&rdev->kobj);
        fput(rdev->bdev_file);

it seems possible that kobject_put() would already free rdev via
rdev_free(), and then fput(rdev->bdev_file) would dereference rdev
after free.

That was why I changed it to:

out_blkdev_put:
        fput(rdev->bdev_file);
        md_rdev_clear(rdev);
        kobject_put(&rdev->kobj);
        return ERR_PTR(err);

so that the cleanup which still needs rdev is done before
kobject_put(), and this path returns directly instead of falling
through to the old kfree(rdev) path.

Please let me know if I overlooked something.

Thanks,
Guangshuo
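A user-space model of the ordering argument in the reply above, added here for illustration; it is not kernel code and not part of the thread. The names kobject_init, kobject_put and rdev_free mirror the kernel ones but their bodies are a simplified model, and fput_model is a constructed stand-in for fput() that reports whether rdev had already been released when it was called.

```c
#include <stddef.h>
/* User-space model of the kobject contract (constructed; not kernel code). */
struct kobject {
	int refcount;
	void (*release)(struct kobject *ko);
};

struct rdev {			/* stand-in for struct md_rdev */
	int freed;		/* set by the release callback (model only) */
	struct kobject kobj;
};

/* rdev_free(): the kernel kfree()s rdev here; the model marks it instead. */
static void rdev_free(struct kobject *ko)
{
	((struct rdev *)((char *)ko - offsetof(struct rdev, kobj)))->freed = 1;
}

static void kobject_init(struct kobject *ko, void (*rel)(struct kobject *))
{
	ko->refcount = 1;	/* the caller holds the one initial reference */
	ko->release = rel;
}

static void kobject_put(struct kobject *ko)
{
	if (--ko->refcount == 0)
		ko->release(ko);	/* last reference: release runs right here */
}

/* Model of fput(rdev->bdev_file): -1 if rdev was already released. */
static int fput_model(struct rdev *rdev)
{
	return rdev->freed ? -1 : 0;
}

/* Review suggestion: put first. The put frees rdev, then fput() touches it. */
static int teardown_put_first(struct rdev *rdev)
{
	kobject_put(&rdev->kobj);
	return fput_model(rdev);	/* -1: use after free in the real kernel */
}

/* Patch ordering: everything that still needs rdev first, put last. */
static int teardown_put_last(struct rdev *rdev)
{
	int rc = fput_model(rdev);	/* 0: rdev still alive here */
	kobject_put(&rdev->kobj);	/* final use of rdev */
	return rc;
}
```

The model keeps the object's memory so the wrong ordering can be observed safely; in the kernel the same ordering is a real use after free.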


* Re: [PATCH v2] md: fix kobject reference leak in md_import_device()
  2026-04-14 11:32   ` Guangshuo Li
@ 2026-04-14 14:05     ` Su Yue
  0 siblings, 0 replies; 4+ messages in thread
From: Su Yue @ 2026-04-14 14:05 UTC (permalink / raw)
  To: Guangshuo Li
  Cc: Song Liu, Yu Kuai, Greg Kroah-Hartman, linux-raid, linux-kernel,
	stable

On Tue 14 Apr 2026 at 19:32, Guangshuo Li <lgs201920130244@gmail.com> wrote:

> Hi Su,
>
> Thanks for reviewing.
>
> On Tue, 14 Apr 2026 at 09:29, Su Yue <l@damenly.org> wrote:
>> Why not just:
>>
>> out_blkdev_put:
>>         kobject_put(&rdev->kobj);
>>         fput(rdev->bdev_file);
>> out_clear_rdev:
>>         md_rdev_clear(rdev);
>> out_free_rdev:
>>         kfree(rdev);
>>         return ERR_PTR(err);
>>
>> --
>> Su
>
> I wonder if that ordering might cause a problem.
>
> After kobject_init(&rdev->kobj, &rdev_ktype), 
> kobject_put(&rdev->kobj)
> may immediately drop the last reference and run the release 
> callback
> from rdev_ktype:
>
> static const struct kobj_type rdev_ktype = {
>         .release        = rdev_free,
>         .sysfs_ops      = &rdev_sysfs_ops,
>         .default_groups = rdev_default_groups,
> };
>
> static void rdev_free(struct kobject *ko)
> {
>         struct md_rdev *rdev = container_of(ko, struct md_rdev, 
>         kobj);
>         kfree(rdev);
> }
>
> So in:
>
> out_blkdev_put:
>         kobject_put(&rdev->kobj);
>         fput(rdev->bdev_file);
>
> it seems possible that kobject_put() would already free rdev via
> rdev_free(), and then fput(rdev->bdev_file) would dereference 
> rdev
> after free.
>
> That was why I changed it to:
>
> out_blkdev_put:
>         fput(rdev->bdev_file);
>         md_rdev_clear(rdev);
>         kobject_put(&rdev->kobj);
>         return ERR_PTR(err);
>
> so that the cleanup which still needs rdev is done before
> kobject_put(), and this path returns directly instead of falling
> through to the old kfree(rdev) path.
>
> Please let me know if I overlooked something.
>
Thanks for your detailed explanation. It's totally correct.

--
Su

> Thanks,
> Guangshuo
