[BUG] x86/sgx: missing kref_put() in sgx_encl_mm

public inbox for linux-sgx@vger.kernel.org
 help / color / mirror / Atom feed

* [BUG] x86/sgx: missing kref_put() in sgx_encl_mm_add() error path
@ 2026-03-30 21:09 Dingisoul
  2026-03-30 21:15 ` Dave Hansen
  2026-04-08  8:58 ` Jarkko Sakkinen
  0 siblings, 2 replies; 4+ messages in thread
From: Dingisoul @ 2026-03-30 21:09 UTC (permalink / raw)
  To: linux-sgx
  Cc: jarkko, dave.hansen, tglx, mingo, bp, x86, hpa, shuangpeng.kernel

Hi Kernel maintainers,

We found a possible refcount leak in sgx_encl_mm_add().

In this function, a reference to encl->refcount is taken before registering the MMU notifier:

/* Grab a refcount for the encl_mm->encl reference: */
kref_get(&encl->refcount);  // 1. Reference acquired here.
encl_mm->encl = encl;

ret = __mmu_notifier_register(&encl_mm->mmu_notifier, mm);
if (ret) {
	kfree(encl_mm);     
	return ret;         // 2. Returns without kref_put.
}

If __mmu_notifier_register() fails, the function frees encl_mm but does not drop the reference acquired by kref_get(&encl->refcount). This seems to leak one reference to encl.

Please let us know if the kref_put is unnecessary here.

Thanks.

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [BUG] x86/sgx: missing kref_put() in sgx_encl_mm_add() error path
  2026-03-30 21:09 [BUG] x86/sgx: missing kref_put() in sgx_encl_mm_add() error path Dingisoul
@ 2026-03-30 21:15 ` Dave Hansen
  2026-03-30 21:25   ` Dingisoul
  2026-04-08  8:58 ` Jarkko Sakkinen
  1 sibling, 1 reply; 4+ messages in thread
From: Dave Hansen @ 2026-03-30 21:15 UTC (permalink / raw)
  To: Dingisoul, linux-sgx
  Cc: jarkko, dave.hansen, tglx, mingo, bp, x86, hpa, shuangpeng.kernel

On 3/30/26 14:09, Dingisoul wrote:
> If __mmu_notifier_register() fails, the function frees encl_mm but
> does not drop the reference acquired by kref_get(&encl->refcount).
> This seems to leak one reference to encl.

Yep it looks like a leak.

> Please let us know if the kref_put is unnecessary here.

The easiest way to fix it is to just move the kref_get() until after the
notifier has been registered. There's no risk of encl going away in this
context, so it doesn't matter when the kref_get() happens as long as it
_does_ happen.

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Re: [BUG] x86/sgx: missing kref_put() in sgx_encl_mm_add() error path
  2026-03-30 21:15 ` Dave Hansen
@ 2026-03-30 21:25   ` Dingisoul
  0 siblings, 0 replies; 4+ messages in thread
From: Dingisoul @ 2026-03-30 21:25 UTC (permalink / raw)
  To: dave.hansen
  Cc: bp, dave.hansen, dingiso.kernel, hpa, jarkko, linux-sgx, mingo,
	shuangpeng.kernel, tglx, x86

Hi Dave,

Thanks for the confirmation and the suggestion. 

Moving the kref_get() after the successful mmu_notifier 
registration looks great and keeps the error path clean. 

Should we send a formal patch?

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [BUG] x86/sgx: missing kref_put() in sgx_encl_mm_add() error path
  2026-03-30 21:09 [BUG] x86/sgx: missing kref_put() in sgx_encl_mm_add() error path Dingisoul
  2026-03-30 21:15 ` Dave Hansen
@ 2026-04-08  8:58 ` Jarkko Sakkinen
  1 sibling, 0 replies; 4+ messages in thread
From: Jarkko Sakkinen @ 2026-04-08  8:58 UTC (permalink / raw)
  To: Dingisoul
  Cc: linux-sgx, dave.hansen, tglx, mingo, bp, x86, hpa,
	shuangpeng.kernel

On Mon, Mar 30, 2026 at 05:09:57PM -0400, Dingisoul wrote:
> Hi Kernel maintainers,
> 
> We found a possible refcount leak in sgx_encl_mm_add().
> 
> In this function, a reference to encl->refcount is taken before registering the MMU notifier:
> 
> /* Grab a refcount for the encl_mm->encl reference: */
> kref_get(&encl->refcount);  // 1. Reference acquired here.
> encl_mm->encl = encl;
> 
> ret = __mmu_notifier_register(&encl_mm->mmu_notifier, mm);
> if (ret) {
> 	kfree(encl_mm);     
> 	return ret;         // 2. Returns without kref_put.
> }
> 
> If __mmu_notifier_register() fails, the function frees encl_mm but does not drop the reference acquired by kref_get(&encl->refcount). This seems to leak one reference to encl.
> 
> Please let us know if the kref_put is unnecessary here.
> 
> Thanks.

It is a leak as encl's, stored in file, will retain increased refcount.

BR, Jarkko

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2026-04-08  8:58 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-30 21:09 [BUG] x86/sgx: missing kref_put() in sgx_encl_mm_add() error path Dingisoul
2026-03-30 21:15 ` Dave Hansen
2026-03-30 21:25   ` Dingisoul
2026-04-08  8:58 ` Jarkko Sakkinen

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox