From: Guangshuo Li
To: Borislav Petkov, Tony Luck, Qiushi Wu, linux-edac@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Guangshuo Li
Subject: [PATCH v2] EDAC/sysfs: Fix UAF in edac_device_register_sysfs_main_kobj()
Date: Wed, 29 Apr 2026 00:08:28 +0800
Message-ID: <20260428160828.377129-1-lgs201920130244@gmail.com>

If kobject_init_and_add() fails, the error path drops the kobject
reference with kobject_put(). This may call
edac_device_ctrl_master_release(), which drops the module reference and
frees the edac_device_ctl_info object.

However, the same error path then calls module_put(edac_dev->owner),
which dereferences edac_dev after it may have been freed. This can cause
a use-after-free and also drops the module reference twice.

Track whether kobject_init_and_add() has been called. If it has, rely on
the kobject release callback to drop the module reference. Otherwise,
drop the module reference directly.

This issue was found by a static analysis tool I am developing.

Fixes: 17ed808ad2431 ("EDAC: Fix reference count leaks")
Signed-off-by: Guangshuo Li
---
v2:
  - Move kobj_initialized assignment to the kobject_init_and_add() call
    site so it records whether the kobject has actually been initialized.

 drivers/edac/edac_device_sysfs.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/edac/edac_device_sysfs.c b/drivers/edac/edac_device_sy= sfs.c index fcebc4ffea26..042a30ed55c6 100644 --- a/drivers/edac/edac_device_sysfs.c +++ b/drivers/edac/edac_device_sysfs.c @@ -231,6 +231,7 @@ int edac_device_register_sysfs_main_kobj(struct edac_de= vice_ctl_info *edac_dev) struct device *dev_root; const struct bus_type *edac_subsys; int err =3D -ENODEV; + bool kobj_initialized =3D false; =20 edac_dbg(1, "\n"); =20 @@ -256,6 +257,7 @@ int edac_device_register_sysfs_main_kobj(struct edac_de= vice_ctl_info *edac_dev) if (dev_root) { err =3D kobject_init_and_add(&edac_dev->kobj, &ktype_device_ctrl, &dev_root->kobj, "%s", edac_dev->name); + kobj_initialized =3D true; put_device(dev_root); } if (err) { @@ -275,8 +277,10 @@ int edac_device_register_sysfs_main_kobj(struct edac_d= evice_ctl_info *edac_dev) =20 /* Error exit stack */ err_kobj_reg: - kobject_put(&edac_dev->kobj); - module_put(edac_dev->owner); + if (kobj_initialized) + kobject_put(&edac_dev->kobj); + else + module_put(edac_dev->owner); =20 err_out: return err; --=20 2.43.0
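
Review bot: in the hunk at @@ -256,6 +257,7, `kobj_initialized = true;` is set unconditionally after kobject_init_and_add() returns, so it is also true when the call failed, and nothing in the code says this is deliberate. That is the right behaviour, because a failed kobject_init_and_add() still has to be balanced with kobject_put(), but the name reads as "succeeded" and a later cleanup could narrow it to `if (!err)`, which would skip kobject_put() on the failure path. Please add a one-line comment at the assignment stating that the flag means "kobject_init_and_add() was called, so cleanup must go through kobject_put()", or rename the flag to reflect that.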
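
Review bot: at the `err_kobj_reg:` label in the hunk at @@ -275,8 +277,10, skipping module_put() in the `kobj_initialized` branch is only correct because the release callback of ktype_device_ctrl drops the module reference, and that dependency is documented in the commit message but not in the code. A short comment above the `if (kobj_initialized)` test would keep someone from re-adding the module_put() later. The changelog could also mention the second case the `else` branch covers: when dev_root is NULL, err keeps its initial -ENODEV and kobject_init_and_add() is never called, so if that path reaches err_kobj_reg the old unconditional `kobject_put(&edac_dev->kobj);` ran on a kobject that was never initialized. As a style alternative, two unwind labels (one doing kobject_put(), one doing module_put()) would express the same thing without a flag variable.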