From: Guangshuo Li
To: Andrew Morton, David Hildenbrand, Lorenzo Stoakes, Zi Yan, Baolin Wang, "Liam R. Howlett", Nico Pache, Ryan Roberts, Dev Jain, Barry Song, Lance Yang, linux-mm@kvack.org, linux-kernel@vger.kernel.org
Cc: Guangshuo Li, stable@vger.kernel.org
Subject: [PATCH] mm: thp: Fix refcount leak in thpsize_create() error path
Date: Sat, 11 Apr 2026 14:21:52 +0800
Message-ID: <20260411062152.2092967-1-lgs201920130244@gmail.com>

After kobject_init_and_add(), the lifetime of the embedded struct kobject is expected to be managed through the kobject core reference counting.

In thpsize_create(), if kobject_init_and_add() fails, thpsize is freed directly with kfree() rather than releasing the kobject reference with kobject_put(). This may leave the reference count of the embedded struct kobject unbalanced, resulting in a refcount leak and potentially leading to a use-after-free.

Fix this by using kobject_put(&thpsize->kobj) in the failure path and letting thpsize_release() handle the final cleanup.

Fixes: 3485b88390b0 ("mm: thp: introduce multi-size THP sysfs interface")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li
Reviewed-by: Baolin Wang
Reviewed-by: Barry Song
Reviewed-by: Lance Yang
Reviewed-by: Zi Yan
--- mm/huge_memory.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/mm/huge_memory.c b/mm/huge_memory.c index 40cf59301c21..ae6ed483cd53 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c
@@ -726,11 +726,8 @@ static struct thpsize *thpsize_create(int order, struc= t kobject *parent) =20 ret =3D kobject_init_and_add(&thpsize->kobj, &thpsize_ktype, parent, "hugepages-%lukB", size); - if (ret) { - kfree(thpsize); - goto err; - } - + if (ret) + goto err_put; =20 ret =3D sysfs_add_group(&thpsize->kobj, &any_ctrl_attr_grp); if (ret) --=20 2.43.0
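
Review bot: The new `goto err_put` after the failed kobject_init_and_add() call depends on a label and a release callback that this hunk does not show, so both need checking before this goes to stable. With only 2 insertions in the diffstat, `err_put` is evidently an existing label shared with the later sysfs_add_group() failure path; confirm that it does nothing beyond kobject_put(&thpsize->kobj) and returning the error, since on this path no attribute group has been added yet, and that thpsize_release() is wired into thpsize_ktype and frees thpsize, otherwise the removed kfree() becomes a leak of the whole object. The changelog would also be clearer if it named the concrete effect of the old code: kobject_init_and_add() must be followed by kobject_put() on failure so that the name built from "hugepages-%lukB" is released, and a bare kfree(thpsize) skips that.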