From: "Kurt Borja" <kuurtb@gmail.com>
To: "Guangshuo Li" <lgs201920130244@gmail.com>,
"Mark Pearson" <mpearson-lenovo@squebb.ca>,
"Derek J. Clark" <derekjohn.clark@gmail.com>,
"Hans de Goede" <hansg@kernel.org>,
"Ilpo Järvinen" <ilpo.jarvinen@linux.intel.com>,
"Kurt Borja" <kuurtb@gmail.com>,
platform-driver-x86@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] platform/x86: think-lmi: fix possible memory leak in tlmi_sysfs_init()
Date: Tue, 28 Apr 2026 09:10:17 -0500 [thread overview]
Message-ID: <DI4UJOJMXTFT.2TJBNTE9ESN7E@gmail.com> (raw)
In-Reply-To: <20260428082207.357522-1-lgs201920130244@gmail.com>
Hi Guangshuo,
On Tue Apr 28, 2026 at 3:22 AM -05, Guangshuo Li wrote:
> Once kobject_init_and_add() fails, kobject_put() should be called to
> decrement the reference count for cleanup. Otherwise, the memory associated
> with the object may leak.
>
> tlmi_sysfs_init() jumps to fail_create_attr after kobject_init_and_add()
> fails. The error path calls tlmi_release_attr(), which walks the kset
> lists and puts the kobjects found there. However, when the add operation
> fails, the kobject core removes the failed object from the kset list
> before returning the error. Therefore tlmi_release_attr() cannot put the
> kobject whose kobject_init_and_add() failed.
>
> Fix this by calling kobject_put() for the failed kobject before jumping to
> the common error path. Since pwd_admin's saved signatures are released
> outside of its kobject release callback, release them before putting a
> failed pwd_admin object.
>
> This issue was found by a static analysis tool I am developing.
Thanks!
Just a comment bellow.
>
> Fixes: 9110056fe10b ("platform/x86: think-lmi: Fix kobject cleanup")
> Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
> ---
> drivers/platform/x86/lenovo/think-lmi.c | 40 ++++++++++++++++++++-----
> 1 file changed, 32 insertions(+), 8 deletions(-)
>
> diff --git a/drivers/platform/x86/lenovo/think-lmi.c b/drivers/platform/x86/lenovo/think-lmi.c
> index e215e86e3db7..994475eb0b9c 100644
> --- a/drivers/platform/x86/lenovo/think-lmi.c
> +++ b/drivers/platform/x86/lenovo/think-lmi.c
...
> @@ -1548,33 +1553,52 @@ static int tlmi_sysfs_init(void)
> tlmi_priv.pwd_admin->kobj.kset = tlmi_priv.authentication_kset;
> ret = kobject_init_and_add(&tlmi_priv.pwd_admin->kobj, &tlmi_pwd_setting_ktype,
> NULL, "%s", "Admin");
> - if (ret)
> + if (ret) {
> + kfree(tlmi_priv.pwd_admin->signature);
> + kfree(tlmi_priv.pwd_admin->save_signature);
> + tlmi_priv.pwd_admin->signature = NULL;
> + tlmi_priv.pwd_admin->save_signature = NULL;
I think, up until now (in the probe path that leads to this), we have
not yet allocated signature and save_signature. These are allocated and
reallocated once the sysfs files are created.
Other than that, this looks good.
Reviewed-by: Kurt Borja <kuurtb@gmail.com>
--
Thanks,
~ Kurt
prev parent reply other threads:[~2026-04-28 14:10 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-28 8:22 [PATCH] platform/x86: think-lmi: fix possible memory leak in tlmi_sysfs_init() Guangshuo Li
2026-04-28 13:52 ` Mark Pearson
2026-04-28 14:10 ` Kurt Borja [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DI4UJOJMXTFT.2TJBNTE9ESN7E@gmail.com \
--to=kuurtb@gmail.com \
--cc=derekjohn.clark@gmail.com \
--cc=hansg@kernel.org \
--cc=ilpo.jarvinen@linux.intel.com \
--cc=lgs201920130244@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mpearson-lenovo@squebb.ca \
--cc=platform-driver-x86@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox