From nobody Mon Jun 15 15:11:07 2026 Received: from mail-pj1-f48.google.com (mail-pj1-f48.google.com [209.85.216.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C5E6D150997 for ; Sat, 11 Apr 2026 09:16:44 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.48 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775899005; cv=none; b=XjHmBFgmD6q0Ism9F+gP3OSlC9z10L26NbvV2+9BjuQLhkmvWhLhnF+XjsMo/gEdfWPgYN/akVw8tMRs4zruTHi9Tz39DDg1AduLsuJ6O9q29lflPgf2eURc2Oi7/4d1DNjn77Jl6TFO0xgCM3tzHKIPNDWoxgQ+q9neMykdOUA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775899005; c=relaxed/simple; bh=4cJBpCDiEBe7qt7GJPuMpwIfRIEI0o7LsoLWIcKcUEM=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=USombKWHG80b/cXkdXFdQiKhrwPgMlpLyMfiuX0bSaGvmK+yKVruggdFq4Os2XLro03K51HAU67gfUxmuCAEFbPCUw28zJVGukSCGeZIUu9Bo4iM7TnaKd2UJW4+Wh2ju5yL0Jx6OuDRTP4C3HcdRK9X6AMRPJ4cNmJ3LqI4+ls= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=iH3weYPj; arc=none smtp.client-ip=209.85.216.48 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="iH3weYPj" Received: by mail-pj1-f48.google.com with SMTP id 98e67ed59e1d1-3567e2b4159so1936855a91.0 for ; Sat, 11 Apr 2026 02:16:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1775899004; x=1776503804; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=Ee1xBpF696KRQU5YuPaGT3opYPvf2ZuzXEPOX6aVSzc=; b=iH3weYPjRPO1VQjlmSazAUImG/kOpk8MJEJMKg0OVtPJEmd/NSuCaOXA8giuQHEN2L 8FLLa8n9ue7tPJOwvj2o3iZcfOqYdhzQk7T9yU+dQXLTU/uxDrGnSGNOOv1oEZVB2V3E AenMFvVWBK9Lp/de25tCpXpHSdqMgHC+RVyNMjR5cA2uJr+QSSgWA3o2cOk3NPbSN899 WohGt71nbnWfAAX6w+OqijmrO0XISlP4hAS9/l1A97XjmgqArQ7ANtXJHjAx/kMBcwxF X4iAheCQwqL1OgGD9Sm+BfVsEsj6j9n4f0eiAJXSYyL0Q69N53l6WjA3OwZrGsXHoUwl c5qg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1775899004; x=1776503804; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=Ee1xBpF696KRQU5YuPaGT3opYPvf2ZuzXEPOX6aVSzc=; b=TXGmneElzvv5eMU2jO7R4+iwYCpJdzVXKi0SXcYrpGozR7WPcAW4UQGMvRTjaV/ruN 9C7IgBlxWx61/LQ0ZYKS4XuFMad7NXSSV+PKrq3UVWmPSSiSWegumexy8NffNliYoB80 f1H4KsLx+Qf//mbGLR6PG5ThCmQLe74HBapiAbghGHrKumfHcqa1hjBW3LS39j+7C9Dz Uk0Uixv6KCISfhcwMS0A4zEaDkxvUSj267ORcTxAKz0nnXYDHKoaqg/c+iXTtOEzUXoQ JYykhfa3ilh0uHpJRyBB3WE+8JuUYVkm9tIrFiF5a1f5c2uIv6dy0BIuxHGwoCauKu8R EOdA== X-Forwarded-Encrypted: i=1; AJvYcCVWrh0UyAMJ+76dBrZUQzkFZkpx/cfnkM/GlLutemp+kE6Xu4zVdNIaFetIyV3I8tUZxLAry3gEbjF/Kfw=@vger.kernel.org X-Gm-Message-State: AOJu0YyUmQ70HzBKDStimA103wqQeMVsNGAYydNYaYZCbPs4xbnhODdo OkIha677qMh3xo10dkke87wJmvfHTgNzZh/fL3LCDfBfI9/wfSeQQRe7 X-Gm-Gg: AeBDietjCcp+fbXtZERNcUR9bJsy0ZHYntR13eFBz+fZwrEJJwLoTfpG0dRt2xLdj78 7m2OBoMyoE9IgaN1SPMNs03m8Xjrt44RLt77PMpt6echvzHQWX5jnel1ezk6PEk5ryNfVvnORFm kQowtqTfRO0rX+e1P8XGzt7QUEMkHDPz7k12NWm4ZMnp2Chxnz3FFrBn0CSP9R+2dJFClvvcow6 U+xET1hzB1F5VdAi1jKhw1Ir4Bd0D9bj596DBwgr0UcxMsY/zRhOlHKrI1A27CzwAHWFomVqxn5 K1W3F6zhjmvvdNBoTX4SGoyp36wCTCy6JkvKdfrjPSTlL0H/NOo1sfQq1HFprdt6c5hzV2dArIP k7m7DUWUX+aSAJ2M3XcXReqo/Vkok6EdnW3cXx6D6RiYNAzKCvNyvrKwHu0lpvUP9f0ibTUbYoj EiiFcXMjXAtT196utGSHIK7g== X-Received: by 2002:a05:6a20:9155:b0:398:79a8:a303 with SMTP id adf61e73a8af0-39fe3c1a654mr7200265637.2.1775899004214; Sat, 11 Apr 2026 02:16:44 -0700 (PDT) Received: from lgs.. ([112.224.67.108]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-82f0c4b62c2sm5362693b3a.38.2026.04.11.02.16.37 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 11 Apr 2026 02:16:43 -0700 (PDT) From: Guangshuo Li To: Yishai Hadas , Jason Gunthorpe , Leon Romanovsky , Jack Morgenstein , Roland Dreier , linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Guangshuo Li , stable@vger.kernel.org Subject: [PATCH] IB/mlx4: Fix refcount leak in add_port() error path Date: Sat, 11 Apr 2026 17:16:26 +0800 Message-ID: <20260411091626.2141130-1-lgs201920130244@gmail.com> X-Mailer: git-send-email 2.43.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" After kobject_init_and_add(), the lifetime of the embedded struct kobject is expected to be managed through the kobject core reference counting. In add_port(), if kobject_init_and_add() fails, the error path frees p directly instead of releasing the kobject reference with kobject_put(). This may leave the reference count of the embedded struct kobject unbalanced, resulting in a refcount leak and potentially leading to a use-after-free. Fix this by using kobject_put(&p->kobj) in the kobject_init_and_add() failure path. Fixes: c1e7e466120b ("IB/mlx4: Add iov directory in sysfs under the ib devi= ce") Cc: stable@vger.kernel.org Signed-off-by: Guangshuo Li --- drivers/infiniband/hw/mlx4/sysfs.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/infiniband/hw/mlx4/sysfs.c b/drivers/infiniband/hw/mlx= 4/sysfs.c index 88f534cf690e..15b36b9e4bd6 100644 --- a/drivers/infiniband/hw/mlx4/sysfs.c +++ b/drivers/infiniband/hw/mlx4/sysfs.c @@ -642,7 +642,7 @@ static int add_port(struct mlx4_ib_dev *dev, int port_n= um, int slave) kobject_get(dev->dev_ports_parent[slave]), "%d", port_num); if (ret) - goto err_alloc; + goto err_kobj; =20 p->pkey_group.name =3D "pkey_idx"; p->pkey_group.attrs =3D @@ -689,6 +689,11 @@ static int add_port(struct mlx4_ib_dev *dev, int port_= num, int slave) kobject_put(dev->dev_ports_parent[slave]); kfree(p); return ret; + +err_kobj: + kobject_put(&p->kobj); + return ret; + } =20 static int register_one_pkey_tree(struct mlx4_ib_dev *dev, int slave) --=20 2.43.0