From nobody Wed Jun 17 01:36:16 2026
Received: from mail-pf1-f180.google.com (mail-pf1-f180.google.com
 [209.85.210.180])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 81B6B322A2E
	for <linux-kernel@vger.kernel.org>; Tue, 28 Apr 2026 16:32:27 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.210.180
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1777393949; cv=none;
 b=heNeyKmgpHTPjdbw0gx/P5bNE0NKmLW1SIgkJz0SCPhpACMtBu+LL7E1k5QUa6N6sR7OeSOS0GP+sWMzQT8C4ERm5PElyWEXzp9Zi4GW8KDIUFJivpkKQNiw9yUL4Yeae8t8RK8KV5076WcTIfV6ToNLtJrwLi7Ha5CyTnI0A4c=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1777393949; c=relaxed/simple;
	bh=0ENRuXWI0OBYQahVdx+XhQkYgeiN8tN1qPvBInEH5dM=;
	h=From:To:Cc:Subject:Date:Message-ID:MIME-Version;
 b=lcArcoA1ysh0Aprmbd0UTfYUNd8/fH8e/bdWAjffJ04caPEXkCG19STa9095s8nIrM2wuuTA2W9uJiuXTiJ+JWsogc6LfAmBbcevNl3pTLHVzow2LzdJFSiOROwTB+QMTxBKWbREMJC/H8Ipq44IJUElsKRwsVeH4udqgAwdlWQ=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b=PFWpn26c; arc=none smtp.client-ip=209.85.210.180
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b="PFWpn26c"
Received: by mail-pf1-f180.google.com with SMTP id
 d2e1a72fcca58-82f69a286dbso8754425b3a.2
        for <linux-kernel@vger.kernel.org>;
 Tue, 28 Apr 2026 09:32:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20251104; t=1777393947; x=1777998747;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:from:to:cc:subject:date:message-id:reply-to;
        bh=kF3liaLTsQt3vcqZoazicjJL/7jtNYNyKZT6lA6QbTA=;
        b=PFWpn26cswgQcVH0Y8W1MjOJEM3M9b7bYA+E908TKr9TTnGfgcVEYBbScM9kQUpq6K
         BoRMll+fJSyRMos+S3B92XCSpJbPpVi8mUftBLzNnc9g8+A/rW86GdjV3lw6H6uIboj6
         ZYWIjlcJkaSsncQ99bNcet7NsfM+CR6Yjoxq4h7KAO5FDkUpVXFFQPx9V/FB7P7YIxU5
         YCAtQH2QAlvb77NfvuJdCeLj1vLDXI8qQcWPguq3QzHWj+5lPSNNfGD9Lo5Nb2evNQpD
         u5cTrR61w2THeQNig+dbPHpWkFuHkZxZ2bJRQscvRhXGZtiunLINEZDo1kwb/wu9wHUK
         0ICQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1777393947; x=1777998747;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=kF3liaLTsQt3vcqZoazicjJL/7jtNYNyKZT6lA6QbTA=;
        b=dwkFrud94/2fbemKefA+KCw6r8+AfbEa1v7Q4/tBspJagmzGxT/cfMsaq7qSg5/QtX
         lLBEo4tVN6hDZzYMJKLi7g5PZ5qPaqSKuvTZN+GZqCpImz6QC4+/aSxzsIv3H11TInqi
         R5tlHlkJPiG7s1wDoHhf7ZHE2ihh1xp7FFyte7//gzRfJVnFwX9vc953cLkTJF9jozB7
         2kcnruwnPexEnHOzjOFFwL/jAtvFidhbMv6Fs2GpBG88PmK+7JIadY4Qfnyx2dp9xk6R
         zWs7FTtgnTD7c1JpcLBFSsRu+oGtpOo0EUH8HrJ31P8j7+d76pgnKIR9s3JP+0GuN09+
         yYAQ==
X-Forwarded-Encrypted: i=1;
 AFNElJ+31rRxj1Xj1fkZkf+HRawBFjCKtWDRav8W83wNA49AVeJttvOOQTAeIDhdBwy/+Qg/6YODgYsUf7ZvMAE=@vger.kernel.org
X-Gm-Message-State: AOJu0Yxv1qENJdFhYg0r1HZ4/Dqz7CecaQ7jhakSOPz8mLMGAUtE66sw
	4bq6pCVcEhXaZ6BToBhLC57LllnHLanciAp5AG29IvqxqTsjGjFTbKUO
X-Gm-Gg: AeBDieurpjhwrbSn8nS+7cFvamK4hC6CG7kYtvqMIiaKCyEvwSPEj1kuas7BxgQoLAc
	0UzvYstBbXXi1uzk1z+TK0oWsrCz7PIhCg38+SEgnqDEoJiAAjk+Xwq2LRW6FVJD9KA/nqhAkez
	YlSSDRYrNdBFGfzk+rYjHxWaKn+1PJ14tmZdIZa5tr0KDD/XMcR4v5+KXj+k7J5tnyIPILAg2zx
	8FwBvarrEo08G2MskyJ1zQrnN/JYJH5Bim9HmfmnHTOXmtpwstZLizr8uttPoI9AoCyeeulV0VZ
	YvynTGt8C4pXk+MOQRhtYMOTQrHFCtxGLWksca4Afzs+S9fMWYo02A5jlQJHicneBJQPXHHswv6
	qLSGCygtXzs6/egcs5Iiwo1h2IXJfP+tYmJ4a7m26HPYLSn2NPHK59YnkpdUUaXe1du3TJdJhER
	CwrNbjMs+IQiSo939t/b/PqovQ934=
X-Received: by 2002:a05:6a00:f93:b0:82f:8b20:9165 with SMTP id
 d2e1a72fcca58-834ddc9b31dmr4003728b3a.44.1777393946400;
        Tue, 28 Apr 2026 09:32:26 -0700 (PDT)
Received: from lgs.. ([2001:250:5800:1000::5a26])
        by smtp.gmail.com with ESMTPSA id
 d2e1a72fcca58-834dae00a4fsm3212266b3a.5.2026.04.28.09.32.22
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 28 Apr 2026 09:32:25 -0700 (PDT)
From: Guangshuo Li <lgs201920130244@gmail.com>
To: Yishai Hadas <yishaih@nvidia.com>,
	Jason Gunthorpe <jgg@ziepe.ca>,
	Leon Romanovsky <leon@kernel.org>,
	Roland Dreier <roland@purestorage.com>,
	Jack Morgenstein <jackm@dev.mellanox.co.il>,
	linux-rdma@vger.kernel.org,
	linux-kernel@vger.kernel.org
Cc: Guangshuo Li <lgs201920130244@gmail.com>
Subject: [PATCH v4] IB/mlx4: Fix refcount leak in add_port() error path
Date: Wed, 29 Apr 2026 00:30:14 +0800
Message-ID: <20260428163014.379069-1-lgs201920130244@gmail.com>
X-Mailer: git-send-email 2.43.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

After kobject_init_and_add(), the lifetime of the embedded struct
kobject is expected to be managed through the kobject core reference
counting.

In add_port(), several failure paths after kobject_init_and_add() free
struct mlx4_port directly instead of releasing the embedded kobject with
kobject_put(). This leaves the kobject reference count unbalanced and can
lead to incorrect lifetime handling.

Fix this by routing all failures after kobject_init_and_add() through a
single kobject_put() based error path. Since the release callback may now
be called for partially initialized mlx4_port objects, make
mlx4_port_release() tolerate NULL attribute arrays.

The issue was identified by a static analysis tool I developed and
confirmed by manual review.

Fixes: c1e7e466120b ("IB/mlx4: Add iov directory in sysfs under the ib devi=
ce")
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
---
v4:
  - route all add_port() failures after kobject_init_and_add() through
    a single kobject_put() based error path
  - remove duplicated attribute array frees from add_port()
  - keep mlx4_port_release() tolerant of partially initialized objects

v3:
  - make mlx4_port_release() tolerate NULL attribute arrays
  - drop the parent kobject reference on the kobject_init_and_add()
    failure path before putting the embedded kobject

v2:
  - note that the issue was identified by my static analysis tool
  - and confirmed by manual review

 drivers/infiniband/hw/mlx4/sysfs.c | 44 ++++++++++++++----------------
 1 file changed, 20 insertions(+), 24 deletions(-)

diff --git a/drivers/infiniband/hw/mlx4/sysfs.c b/drivers/infiniband/hw/mlx=
4/sysfs.c
index b8fa4ecfc961..fe505e07849d 100644
--- a/drivers/infiniband/hw/mlx4/sysfs.c
+++ b/drivers/infiniband/hw/mlx4/sysfs.c
@@ -380,12 +380,17 @@ static void mlx4_port_release(struct kobject *kobj)
 	struct attribute *a;
 	int i;
=20
-	for (i =3D 0; (a =3D p->pkey_group.attrs[i]); ++i)
-		kfree(a);
-	kfree(p->pkey_group.attrs);
-	for (i =3D 0; (a =3D p->gid_group.attrs[i]); ++i)
-		kfree(a);
-	kfree(p->gid_group.attrs);
+	if (p->pkey_group.attrs) {
+		for (i =3D 0; (a =3D p->pkey_group.attrs[i]); ++i)
+			kfree(a);
+		kfree(p->pkey_group.attrs);
+	}
+
+	if (p->gid_group.attrs) {
+		for (i =3D 0; (a =3D p->gid_group.attrs[i]); ++i)
+			kfree(a);
+		kfree(p->gid_group.attrs);
+	}
 	kfree(p);
 }
=20
@@ -623,7 +628,6 @@ static void remove_vf_smi_entries(struct mlx4_port *p)
 static int add_port(struct mlx4_ib_dev *dev, int port_num, int slave)
 {
 	struct mlx4_port *p;
-	int i;
 	int ret;
 	int is_eth =3D rdma_port_get_link_layer(&dev->ib_dev, port_num) =3D=3D
 			IB_LINK_LAYER_ETHERNET;
@@ -640,7 +644,7 @@ static int add_port(struct mlx4_ib_dev *dev, int port_n=
um, int slave)
 				   kobject_get(dev->dev_ports_parent[slave]),
 				   "%d", port_num);
 	if (ret)
-		goto err_alloc;
+		goto err_put;
=20
 	p->pkey_group.name  =3D "pkey_idx";
 	p->pkey_group.attrs =3D
@@ -649,44 +653,36 @@ static int add_port(struct mlx4_ib_dev *dev, int port=
_num, int slave)
 				  dev->dev->caps.pkey_table_len[port_num]);
 	if (!p->pkey_group.attrs) {
 		ret =3D -ENOMEM;
-		goto err_alloc;
+		goto err_put;
 	}
=20
 	ret =3D sysfs_create_group(&p->kobj, &p->pkey_group);
 	if (ret)
-		goto err_free_pkey;
+		goto err_put;
=20
 	p->gid_group.name  =3D "gid_idx";
 	p->gid_group.attrs =3D alloc_group_attrs(show_port_gid_idx, NULL, 1);
 	if (!p->gid_group.attrs) {
 		ret =3D -ENOMEM;
-		goto err_free_pkey;
+		goto err_put;
 	}
=20
 	ret =3D sysfs_create_group(&p->kobj, &p->gid_group);
 	if (ret)
-		goto err_free_gid;
+		goto err_put;
=20
 	ret =3D add_vf_smi_entries(p);
 	if (ret)
-		goto err_free_gid;
+		goto err_put;
=20
 	list_add_tail(&p->kobj.entry, &dev->pkeys.pkey_port_list[slave]);
 	return 0;
=20
-err_free_gid:
-	kfree(p->gid_group.attrs[0]);
-	kfree(p->gid_group.attrs);
-
-err_free_pkey:
-	for (i =3D 0; i < dev->dev->caps.pkey_table_len[port_num]; ++i)
-		kfree(p->pkey_group.attrs[i]);
-	kfree(p->pkey_group.attrs);
-
-err_alloc:
+err_put:
 	kobject_put(dev->dev_ports_parent[slave]);
-	kfree(p);
+	kobject_put(&p->kobj);
 	return ret;
+
 }
=20
 static int register_one_pkey_tree(struct mlx4_ib_dev *dev, int slave)
--=20
2.43.0