From: Guangshuo Li
To: Borislav Petkov, Tony Luck, Qiushi Wu, linux-edac@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Guangshuo Li
Subject: [PATCH] EDAC/sysfs: Fix UAF in edac_device_register_sysfs_main_kobj()
Date: Tue, 28 Apr 2026 21:06:08 +0800
Message-ID: <20260428130608.368025-1-lgs201920130244@gmail.com>
X-Mailer: git-send-email 2.43.0
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

If kobject_init_and_add() fails, the error path drops the kobject
reference with kobject_put(). This may call
edac_device_ctrl_master_release(), which drops the module reference and
frees the edac_device_ctl_info object.

However, the same error path then calls module_put(edac_dev->owner),
which dereferences edac_dev after it may have been freed. This can cause
a use-after-free and also drops the module reference twice.

Track whether kobject_init_and_add() has been called. If it has, rely on
the kobject release callback to drop the module reference. Otherwise,
drop the module reference directly.

This issue was found by a static analysis tool I am developing.

Fixes: 17ed808ad2431 ("EDAC: Fix reference count leaks")
Signed-off-by: Guangshuo Li
---
 drivers/edac/edac_device_sysfs.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/edac/edac_device_sysfs.c b/drivers/edac/edac_device_sy= sfs.c index fcebc4ffea26..32460c6dfb7c 100644 --- a/drivers/edac/edac_device_sysfs.c +++ b/drivers/edac/edac_device_sysfs.c
@@ -231,6 +231,7 @@ int edac_device_register_sysfs_main_kobj(struct edac_de= vice_ctl_info *edac_dev) struct device *dev_root; const struct bus_type *edac_subsys; int err =3D -ENODEV; + bool kobj_initialized =3D false; =20 edac_dbg(1, "\n"); =20 @@ -261,6 +262,7 @@ int edac_device_register_sysfs_main_kobj(struct edac_de= vice_ctl_info *edac_dev) if (err) { edac_dbg(1, "Failed to register '.../edac/%s'\n", edac_dev->name); + kobj_initialized =3D true; goto err_kobj_reg; } kobject_uevent(&edac_dev->kobj, KOBJ_ADD); @@ -275,8 +277,10 @@ int edac_device_register_sysfs_main_kobj(struct edac_d= evice_ctl_info *edac_dev) =20 /* Error exit stack */ err_kobj_reg: - kobject_put(&edac_dev->kobj); - module_put(edac_dev->owner); + if (kobj_initialized) + kobject_put(&edac_dev->kobj); + else + module_put(edac_dev->owner); =20 err_out: return err; --=20 2.43.0
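Review bot: In the second hunk (@@ -261,6 +262,7 @@), kobj_initialized is set to true only inside the if (err) block, on the line directly before goto err_kobj_reg. In the lines shown, that is the only jump to err_kobj_reg, so the flag is always true when the label is reached and the else branch added in the last hunk never runs. If no other path outside these hunks reaches the label, drop the flag and just remove module_put(edac_dev->owner) from the error path. If the flag stays, set it right after the kobject_init_and_add() call rather than inside the failure branch, so the code matches the changelog's "track whether kobject_init_and_add() has been called".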
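Review bot: Missing comment at err_kobj_reg in the last hunk (@@ -275,8 +277,10 @@): nothing in the code says why module_put() is skipped once kobject_put() has run. The changelog explains that kobject_put() can invoke edac_device_ctrl_master_release(), which drops the module reference and frees edac_dev, but a reader of the function alone sees an asymmetric cleanup that looks like a leak. A short comment above kobject_put(&edac_dev->kobj) stating that the release callback owns both the module reference and the object, and that edac_dev must not be touched afterwards, would keep a later cleanup from reintroducing the module_put(edac_dev->owner) call. The changelog could also say what callers may do with edac_dev when this function returns an error, since by its own description the object may already be freed at that point.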