From: "Yu Kuai"
Reply-To: yukuai@fnnas.com
To: "Guangshuo Li", "Song Liu", "Greg Kroah-Hartman"
Subject: Re: [PATCH v2] md: fix kobject reference leak in md_import_device()
Date: Sun, 19 Apr 2026 12:42:29 +0800
In-Reply-To: <20260413141759.2970973-1-lgs201920130244@gmail.com>
References: <20260413141759.2970973-1-lgs201920130244@gmail.com>
X-Mailing-List: stable@vger.kernel.org

Hi,

On 2026/4/13 22:17, Guangshuo Li wrote:
> md_import_device() initializes rdev->kobj with kobject_init() before
> checking the device size and loading the superblock.
>
> When one of the later checks fails, the error path still frees rdev
> directly with kfree(). This bypasses the kobject release path and leaves
> the kobject reference unbalanced.
>
> The issue was identified by a static analysis tool I developed and
> confirmed by manual review.
>
> After kobject_init(), release rdev through kobject_put() instead of
> kfree().
>
> Fixes: f9cb074bff8e ("Kobject: rename kobject_init_ng() to kobject_init()")
> Cc: stable@vger.kernel.org
> Signed-off-by: Guangshuo Li
> ---
> v2:
> - note that the issue was identified by my static analysis tool
> - and confirmed by manual review
>
> drivers/md/md.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/md/md.c b/drivers/md/md.c > index 6d73f6e196a9..4ce7512dc834 100644 > --- a/drivers/md/md.c > +++ b/drivers/md/md.c > @@ -3871,6 +3871,9 @@ static struct md_rdev *md_import_device(dev_t newde= v, int super_format, int supe > =20 > out_blkdev_put: > fput(rdev->bdev_file); > + md_rdev_clear(rdev); > + kobject_put(&rdev->kobj); > + return ERR_PTR(err);

I think it's cleaner to move kobject_init() after everything in rdev is ready.

> out_clear_rdev: > md_rdev_clear(rdev); > out_free_rdev:

-- 
Thanks,
Kuai
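Review bot: the three added lines under out_blkdev_put duplicate the md_rdev_clear(rdev) call that already sits at out_clear_rdev and turn the fall-through unwind into two separate exits, so any later change to the cleanup has to be made in both places. The hunk also does not show that every failure after kobject_init() lands on out_blkdev_put rather than on out_clear_rdev or out_free_rdev, nor that the kobject's release callback frees rdev safely when the superblock was never loaded; the commit message should state both. Deferring kobject_init() until rdev is fully set up, as suggested in the reply, keeps the existing labels unchanged and removes the need for the early return ERR_PTR(err).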