From: Su Yue
To: Guangshuo Li
Cc: Song Liu, Yu Kuai, Greg Kroah-Hartman, linux-raid@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH v2] md: fix kobject reference leak in md_import_device()
In-Reply-To: <20260413141759.2970973-1-lgs201920130244@gmail.com> (Guangshuo Li's message of "Mon, 13 Apr 2026 22:17:59 +0800")
References: <20260413141759.2970973-1-lgs201920130244@gmail.com>
Date: Tue, 14 Apr 2026 09:28:48 +0800

On Mon 13 Apr 2026 at 22:17, Guangshuo Li wrote:

> md_import_device() initializes rdev->kobj with kobject_init() before
> checking the device size and loading the superblock.
>
> When one of the later checks fails, the error path still frees rdev
> directly with kfree(). This bypasses the kobject release path and leaves
> the kobject reference unbalanced.
>
> The issue was identified by a static analysis tool I developed and
> confirmed by manual review.
>
> After kobject_init(), release rdev through kobject_put() instead of
> kfree().
>
> Fixes: f9cb074bff8e ("Kobject: rename kobject_init_ng() to kobject_init()")
> Cc: stable@vger.kernel.org
> Signed-off-by: Guangshuo Li
> ---
> v2:
> - note that the issue was identified by my static analysis tool
> - and confirmed by manual review
>
> drivers/md/md.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/md/md.c b/drivers/md/md.c > index 6d73f6e196a9..4ce7512dc834 100644 > --- a/drivers/md/md.c > +++ b/drivers/md/md.c
> @@ -3871,6 +3871,9 @@ static struct md_rdev > *md_import_device(dev_t newdev, int super_format, int supe > > out_blkdev_put: > fput(rdev->bdev_file); > + md_rdev_clear(rdev); > + kobject_put(&rdev->kobj); > + return ERR_PTR(err); >

Why not just:

out_blkdev_put:
        kobject_put(&rdev->kobj);
        fput(rdev->bdev_file);
out_clear_rdev:
        md_rdev_clear(rdev);
out_free_rdev:
        kfree(rdev);
        return ERR_PTR(err);

--
Su
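
Review bot: the new "return ERR_PTR(err);" under out_blkdev_put stops this label from falling through to the labels below it, and nothing in the hunk says why. A short comment there would help, for example that once kobject_init() has run, rdev must be dropped with kobject_put() and must not reach the later kfree(rdev); the "Why not just" follow-up turns on exactly that point. Two things to confirm before this goes in: that md_rdev_clear(rdev) called here is not repeated by the kobject release callback that kobject_put(&rdev->kobj) can trigger, and that every failure after kobject_init() jumps to out_blkdev_put rather than to a later label, since the commit message speaks of "one of the later checks" while only this one label is changed.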