From nobody Fri Jun 12 14:19:20 2026
Received: from mail-pj1-f45.google.com (mail-pj1-f45.google.com
 [209.85.216.45])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 969B039478D
	for <linux-kernel@vger.kernel.org>; Thu, 14 May 2026 11:05:07 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.216.45
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1778756708; cv=none;
 b=MHmhQUXjKG15/zr6/6qR3lmDMqpcZSB3pFBzsYdYpDsTWK2hOWM/F1DeK/7Ij5PkSEG8TO70Kq/qD1r4/T5rbH+ZQLmUScMNXlzt0DV70ZTqeFDEugPXMJKCgrVilEbxIbPnoAlgYfkvl1MDZbxQNzfrCEvekN4yxir17wac7Lw=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1778756708; c=relaxed/simple;
	bh=2IJhF+iwhH0daRljtdGQOGv59DLUiPhUZ8llNuzuSB4=;
	h=From:To:Cc:Subject:Date:Message-ID:MIME-Version;
 b=r6IYFM05fHTyLGCS9HeASszJqVwrTFdg05+hAm9GBk6txrcN9P3z2aDcnWXYzXzoWdvfZrCNJcaevoMRQ6Jn1HrLr4hYvim00h8p3hEZCvM6TB/6VjLuLXa1GrLy6P1VaPW1UA9WmghuVUSRZgezzuVOyk1lhJISZkPnTywTW88=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b=Q5ATa12B; arc=none smtp.client-ip=209.85.216.45
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b="Q5ATa12B"
Received: by mail-pj1-f45.google.com with SMTP id
 98e67ed59e1d1-36931e4f5e8so636409a91.2
        for <linux-kernel@vger.kernel.org>;
 Thu, 14 May 2026 04:05:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20251104; t=1778756707; x=1779361507;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:from:to:cc:subject:date:message-id:reply-to;
        bh=VdojlyrzhDEJxjpjW25tCjgmnw9si3YuJBr21UjVzKI=;
        b=Q5ATa12BTvjjaJWCKNAHsP18b2kcS+fKC6JM+1IoEaiRP6sRRrlpqK4hEp6B6z1hSv
         f6KbFQMMxp6KcAU/iJK992p0oMhfmKhdNoKT+rlvXtxUM8la7SGyi86F5F0O1C1k4gZo
         yRCXEEpopn/ryUngDhuKA467Ln7I9k/EPFCdy/VSbaz+OJu4JjHdidMp1QsA7+wwG54e
         yZYNpbpOABqFffBtjAd7XkJOFXlJlSVcjiDUllJyk+tU7593Ml8UCkbIpi2GZBIuEpWj
         oa2/dUIaCegSO+ui9lrumujmmLRQ2zy3AcbW7AmOQ0bPlg35WgF7GMid8qbRlpovrI01
         nAPQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1778756707; x=1779361507;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=VdojlyrzhDEJxjpjW25tCjgmnw9si3YuJBr21UjVzKI=;
        b=IwaTwCtIbZXLp8E30IeNtmaZteSrSeYxGhEzGhH1sQ6gZMfm4GUTwd5v2bW25iSx9i
         xmdRjG69aFcKrAp8XCPdpKlvqR6gvRYwTMBIearp6fj4+QwCwfLc6tYHhX2uuNkHEteB
         jPrELiuB4q5yWTwOeyCgNQYdAR3KWmr2aB597M/wCTma7LfxoYoDuNI6iGISA/MmcgiV
         MUa04lldt8EpIqsbXXFtZ4Z3tT6QhphuEG7T+1EbmXvW4/3XQN8hbpFa9Q21B5hA0pGi
         60Tv2CTU9aJVXrKG9Z+aonGSDqcgCEvEsOMqgMgKHG/BkX3VWnatFnUsikcFBERnfwoj
         yCUg==
X-Forwarded-Encrypted: i=1;
 AFNElJ/Y17laJwlica2oTCsby0JZJj1YHF+FjgwpcRqFFzhFNRm/Te92R6ZUQdywDHkuMPsMbvGyoC4qVFeZXsk=@vger.kernel.org
X-Gm-Message-State: AOJu0Yy16MbOfBOUa51WjrysurwVZlvSAjXMDnZAbB3+QA/oecIeVI3k
	tkohRsqEeZzwR5IjuP2WZqcGyPuH2gpD5xmWCBmp9qzOaaYGNSQLkSAs
X-Gm-Gg: Acq92OGPW+NrfAdyXV9IgTeNOakLQM2uCNwjOAJerQcK1ll3T1ykjk+xSdgjMF+FLuf
	15VmPfTsNH242Wn3QADCgQESDFYYNIKGb8d5XZIckl1+rRjRY9lxTCFuYWhAJW+MgP1eVd7sAJG
	Y3CcFX9Djo16+A+CexKf0KlXenBw80jSJnD33fWi3/l8ewFiM7so4Yqv0NkGV/rBfaJfSPWLBUo
	GfvX/6OU4ZBQ6vqtjOgiB1MDYIQ76xtaMC1OEaLwapf0zQ63ZaCayqwPOWs9UPAsHxQiyAP+jWz
	mirSQa/yUReCvaH89fTi5lZaMhpW4+RBEhOFrmp3RKx+cbCUjfMduL6n+sLWHsLdtV5ok3kTmxI
	lp6Wzbu97Bao7jPmj8DxC+TRb6wsjf+6eQ/FF8w68W6KZnZMHXHyjr6F3GFmZRX26ewqO2JwcRJ
	4Elw7G4B4SISNTtanyRL90wvxv1B8=
X-Received: by 2002:a17:90a:d00e:b0:368:b724:6d53 with SMTP id
 98e67ed59e1d1-368f398cc9dmr7642042a91.4.1778756706624;
        Thu, 14 May 2026 04:05:06 -0700 (PDT)
Received: from lgs.. ([2001:250:5800:1000::f280])
        by smtp.gmail.com with ESMTPSA id
 98e67ed59e1d1-368edf4d935sm6016880a91.5.2026.05.14.04.05.03
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 14 May 2026 04:05:06 -0700 (PDT)
From: Guangshuo Li <lgs201920130244@gmail.com>
To: Yishai Hadas <yishaih@nvidia.com>,
	Jason Gunthorpe <jgg@ziepe.ca>,
	Leon Romanovsky <leon@kernel.org>,
	Jack Morgenstein <jackm@dev.mellanox.co.il>,
	Roland Dreier <roland@purestorage.com>,
	linux-rdma@vger.kernel.org,
	linux-kernel@vger.kernel.org
Cc: Guangshuo Li <lgs201920130244@gmail.com>
Subject: [PATCH v6] IB/mlx4: Fix refcount leak in add_port() error path
Date: Thu, 14 May 2026 19:01:39 +0800
Message-ID: <20260514110139.864340-1-lgs201920130244@gmail.com>
X-Mailer: git-send-email 2.43.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

After kobject_init_and_add(), the lifetime of the embedded struct
kobject is expected to be managed through the kobject core reference
counting.

In add_port(), several failure paths after kobject_init_and_add() free
struct mlx4_port directly instead of releasing the embedded kobject with
kobject_put(). This leaves the kobject reference count unbalanced and can
lead to incorrect lifetime handling.

Allocate the pkey and gid attribute arrays before kobject_init_and_add(),
so failures before kobject initialization can be handled by directly
freeing the allocated memory. Once kobject_init_and_add() has been
called, route failures through kobject_put(), and call kobject_del()
before kobject_put() on later failure paths after the kobject has been
successfully added.

Fixes: c1e7e466120b ("IB/mlx4: Add iov directory in sysfs under the ib devi=
ce")
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
---
v6:
  - drop the Cc stable tag
  - allocate pkey and gid attribute arrays before kobject_init_and_add()
  - keep the release callback unchanged by ensuring the attribute arrays
    are initialized before kobject_init_and_add()

v5:
  - split the add_port() error paths after kobject_init_and_add()
  - call kobject_del() before kobject_put() for failures after
    kobject_init_and_add() succeeds

v4:
  - route all add_port() failures after kobject_init_and_add() through
    a single kobject_put() based error path
  - remove duplicated attribute array frees from add_port()
  - keep mlx4_port_release() tolerant of partially initialized objects

v3:
  - make mlx4_port_release() tolerate NULL attribute arrays
  - drop the parent kobject reference on the kobject_init_and_add()
    failure path before putting the embedded kobject

v2:
  - note that the issue was identified by my static analysis tool
  - and confirmed by manual review

 drivers/infiniband/hw/mlx4/sysfs.c | 39 ++++++++++++++++--------------
 1 file changed, 21 insertions(+), 18 deletions(-)

diff --git a/drivers/infiniband/hw/mlx4/sysfs.c b/drivers/infiniband/hw/mlx=
4/sysfs.c
index b8fa4ecfc961..e4c822c96ee6 100644
--- a/drivers/infiniband/hw/mlx4/sysfs.c
+++ b/drivers/infiniband/hw/mlx4/sysfs.c
@@ -636,12 +636,6 @@ static int add_port(struct mlx4_ib_dev *dev, int port_=
num, int slave)
 	p->port_num =3D port_num;
 	p->slave =3D slave;
=20
-	ret =3D kobject_init_and_add(&p->kobj, &port_type,
-				   kobject_get(dev->dev_ports_parent[slave]),
-				   "%d", port_num);
-	if (ret)
-		goto err_alloc;
-
 	p->pkey_group.name  =3D "pkey_idx";
 	p->pkey_group.attrs =3D
 		alloc_group_attrs(show_port_pkey,
@@ -649,13 +643,9 @@ static int add_port(struct mlx4_ib_dev *dev, int port_=
num, int slave)
 				  dev->dev->caps.pkey_table_len[port_num]);
 	if (!p->pkey_group.attrs) {
 		ret =3D -ENOMEM;
-		goto err_alloc;
+		goto err_free_port;
 	}
=20
-	ret =3D sysfs_create_group(&p->kobj, &p->pkey_group);
-	if (ret)
-		goto err_free_pkey;
-
 	p->gid_group.name  =3D "gid_idx";
 	p->gid_group.attrs =3D alloc_group_attrs(show_port_gid_idx, NULL, 1);
 	if (!p->gid_group.attrs) {
@@ -663,28 +653,41 @@ static int add_port(struct mlx4_ib_dev *dev, int port=
_num, int slave)
 		goto err_free_pkey;
 	}
=20
+	ret =3D kobject_init_and_add(&p->kobj, &port_type,
+				   kobject_get(dev->dev_ports_parent[slave]),
+				   "%d", port_num);
+	if (ret)
+		goto err_put;
+
+	ret =3D sysfs_create_group(&p->kobj, &p->pkey_group);
+	if (ret)
+		goto err_del;
+
 	ret =3D sysfs_create_group(&p->kobj, &p->gid_group);
 	if (ret)
-		goto err_free_gid;
+		goto err_del;
=20
 	ret =3D add_vf_smi_entries(p);
 	if (ret)
-		goto err_free_gid;
+		goto err_del;
=20
 	list_add_tail(&p->kobj.entry, &dev->pkeys.pkey_port_list[slave]);
 	return 0;
=20
-err_free_gid:
-	kfree(p->gid_group.attrs[0]);
-	kfree(p->gid_group.attrs);
+err_del:
+	kobject_del(&p->kobj);
+
+err_put:
+	kobject_put(dev->dev_ports_parent[slave]);
+	kobject_put(&p->kobj);
+	return ret;
=20
 err_free_pkey:
 	for (i =3D 0; i < dev->dev->caps.pkey_table_len[port_num]; ++i)
 		kfree(p->pkey_group.attrs[i]);
 	kfree(p->pkey_group.attrs);
=20
-err_alloc:
-	kobject_put(dev->dev_ports_parent[slave]);
+err_free_port:
 	kfree(p);
 	return ret;
 }
--=20
2.43.0