From nobody Mon May 25 09:57:54 2026
Received: from mail-pf1-f177.google.com (mail-pf1-f177.google.com
 [209.85.210.177])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9B68237649E
	for <linux-kernel@vger.kernel.org>; Mon, 18 May 2026 02:28:07 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.210.177
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1779071290; cv=none;
 b=h9HCA1YQGjpuz81gu2Zj02WKGCzZe1EEMml4Gn2iEbyQGUy4Rc3/v9dJeB8qXC4NLe1f1KmhUDxbnvVTILPtRnd7N8caPHtThYnyDSVcoX9w7nY3yCEiNA2IkIgoVYDpPlp9i2BR8Biuon3WRJukR1Sw1BPUmhYOcbL2aOfvtFM=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1779071290; c=relaxed/simple;
	bh=M4ZD7F5P/kUsY4X7ToRKhptIAy7vGngfalRm5DpYQdk=;
	h=From:To:Cc:Subject:Date:Message-ID:MIME-Version;
 b=Ejzcsoe93bmb4MUQtW3DTMNKJND7bvtYvabYTfQXQNo6QfZom84aOdlCDCeeJp8iIyjklTyqqPmAOmB8RsHuYVgsqpg7MfMo+pRPosjB30m4XK9vvRW/y2PjXargU9bRY4LpqRToetQQSABOUPAty2y5b4qWokHbPKunoT8lcsI=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b=eM3Wf4hT; arc=none smtp.client-ip=209.85.210.177
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b="eM3Wf4hT"
Received: by mail-pf1-f177.google.com with SMTP id
 d2e1a72fcca58-835386ff122so1827081b3a.3
        for <linux-kernel@vger.kernel.org>;
 Sun, 17 May 2026 19:28:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20251104; t=1779071286; x=1779676086;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:from:to:cc:subject:date:message-id:reply-to;
        bh=WtwvvlGg4mzt0KkyXLT6Zi9TNTsz3hit8A05dFJNp7I=;
        b=eM3Wf4hT8OoRsgHgeJ0iEK/4BRj3RT4jEruM71a2qojWkMGTQfgAh5JaCOqvqGYfFy
         uKC4S2t9jhxm/st+cYP21EzlJ384YkE848orgdlIzct/FN2kk+gNfLx4lbonBjNgAGo2
         gyq2wfMOMg2BWI4RYJSeAsVNGylhNkdhB+fCU0TO4U+opCKlT5a23QCLFh8hCXxqf1PA
         BNvK+8JXQy6+itDQLUs8mrnsVST65Aic5a2NQupYDkKkxPL+zZFhBEXiO7xsAdvJ1jev
         FtzhWqBYFdHfaPJb6+jndKp+n3tlXC1iI3wNNjGc78w5AHrzqBf1/77oOZsjRmUU+1IZ
         dUBw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1779071286; x=1779676086;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=WtwvvlGg4mzt0KkyXLT6Zi9TNTsz3hit8A05dFJNp7I=;
        b=hKayzh7BAQgbNk1TfThYDPYTXwaWVzfGvNg4QTLoDYX4UB/+9sUZr7qxMR1xbVWFem
         yzgUa1hBkUkNA/9SVY3cPMuT/hjVX10W5MT/o+HXYP+2wj0kS/w6Cp20xC+HzJROocSz
         RUQUcvyM6GDY7kg3qknVGaN8YVJxTHzAshW8wpNvSHFK2sgzQH5iJPqhz8x0QYYqtZqW
         E6x3Is2lYSY7DeB9kURAVQ+OhUBoxsx+Cn9tZ8XLCMrU43JeMZNgtTyBjizYHYIgVpVl
         6u+SnWuUpvcq5Hqw75eb6qirKp4WVVJmLM0kRqEcy0fNxMj7o0hVCr1r52IkaFr50i9h
         rzkA==
X-Forwarded-Encrypted: i=1;
 AFNElJ/CrUtC4nxauEk1ZQa3TWoXk+lb4GPQJqW/I69z8m8UZmJtahrUWMt0nARd1qm2+DPf7L/c5UoUnhjg6QM=@vger.kernel.org
X-Gm-Message-State: AOJu0YzjcFsYUjIxLNkgpjofWUxvEozJqsd10LCd5Y0VeIaTa0pY8RK4
	nEyb/37qLga0r588DvvV/dQ/DCCRGTSjCD/879u5gUfHPpu+lcmNQz9C
X-Gm-Gg: Acq92OFMb97mFnTcni3ezi+jWNZYLBF1gfGY+MNWZyIT9BPWJciq2WawY/j1xyzBCqC
	0LDOtoiNDO5RG6NcIys3f1GrRZkJ/RFoEQwrxBfyOM04JNreCWjnB6PrDwVxfiJ5B0h2z7639i0
	S+E54yL+YC3mzuXgk0yK+/AgXWBzF/IiCOBxXZ1oeFEkE5LaHiG59BfWtmB4CWv3TjL9VCsQHw+
	ItmkOvVTN93jYn5dzjRdLfCXt0htBo1s4by+l1j77/xmjVynovfFT5Pupn0/FQxYUUD/BH+t9j3
	w+7Pzs0OrWoxjYIqo3W4tja9RC4UDLB3MtcJANbT+ddA6LxXxX+Ml4yAdtGI67MZiNQE9zsYv26
	HK30AzjNBVoFYo6UWDHLQ2/GXSbirInQbyHVXBT8oMVTDg6nNcu/XYI78AQml/i8sQSTmy6CBl8
	gyRwpZYg==
X-Received: by 2002:a05:6a00:bd8c:b0:82f:4f63:31e1 with SMTP id
 d2e1a72fcca58-83f33aebdb9mr13742406b3a.8.1779071285742;
        Sun, 17 May 2026 19:28:05 -0700 (PDT)
Received: from lgs.. ([2001:250:5800:1000::f280])
        by smtp.gmail.com with ESMTPSA id
 d2e1a72fcca58-83f196660easm12434842b3a.11.2026.05.17.19.28.02
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sun, 17 May 2026 19:28:05 -0700 (PDT)
From: Guangshuo Li <lgs201920130244@gmail.com>
To: Yishai Hadas <yishaih@nvidia.com>,
	Jason Gunthorpe <jgg@ziepe.ca>,
	Leon Romanovsky <leon@kernel.org>,
	Jack Morgenstein <jackm@dev.mellanox.co.il>,
	Roland Dreier <roland@purestorage.com>,
	linux-rdma@vger.kernel.org,
	linux-kernel@vger.kernel.org
Cc: Guangshuo Li <lgs201920130244@gmail.com>
Subject: [PATCH v7] IB/mlx4: Fix refcount leak in add_port() error path
Date: Mon, 18 May 2026 10:19:10 +0800
Message-ID: <20260518021910.972900-1-lgs201920130244@gmail.com>
X-Mailer: git-send-email 2.43.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

After kobject_init_and_add(), the lifetime of the embedded struct
kobject is expected to be managed through the kobject core reference
counting.

In add_port(), failure paths after kobject_init_and_add() must not free
struct mlx4_port directly, because the embedded kobject is then managed
by the kobject core. Freeing it directly leaves the kobject reference
counting unbalanced and can lead to incorrect lifetime handling.

Allocate the pkey and gid attribute arrays before kobject_init_and_add(),
so failures before kobject initialization can be handled by directly
freeing the allocated memory. Once kobject_init_and_add() has been
called, unwind later failures by removing any successfully created sysfs
groups, calling kobject_del(), and then releasing the embedded kobject
with kobject_put().

Fixes: c1e7e466120b ("IB/mlx4: Add iov directory in sysfs under the ib devi=
ce")
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
---
v7:
  - remove already created sysfs groups on add_port() error paths before
    deleting and putting the kobject

v6:
  - drop the Cc stable tag
  - allocate pkey and gid attribute arrays before kobject_init_and_add()
  - keep the release callback unchanged by ensuring the attribute arrays
    are initialized before kobject_init_and_add()

v5:
  - split the add_port() error paths after kobject_init_and_add()
  - call kobject_del() before kobject_put() for failures after
    kobject_init_and_add() succeeds

v4:
  - route all add_port() failures after kobject_init_and_add() through
    a single kobject_put() based error path
  - remove duplicated attribute array frees from add_port()
  - keep mlx4_port_release() tolerant of partially initialized objects

v3:
  - make mlx4_port_release() tolerate NULL attribute arrays
  - drop the parent kobject reference on the kobject_init_and_add()
    failure path before putting the embedded kobject

v2:
  - note that the issue was identified by my static analysis tool
  - and confirmed by manual review

 drivers/infiniband/hw/mlx4/sysfs.c | 45 ++++++++++++++++++------------
 1 file changed, 27 insertions(+), 18 deletions(-)

diff --git a/drivers/infiniband/hw/mlx4/sysfs.c b/drivers/infiniband/hw/mlx=
4/sysfs.c
index b8fa4ecfc961..e688ad66a895 100644
--- a/drivers/infiniband/hw/mlx4/sysfs.c
+++ b/drivers/infiniband/hw/mlx4/sysfs.c
@@ -636,12 +636,6 @@ static int add_port(struct mlx4_ib_dev *dev, int port_=
num, int slave)
 	p->port_num =3D port_num;
 	p->slave =3D slave;
=20
-	ret =3D kobject_init_and_add(&p->kobj, &port_type,
-				   kobject_get(dev->dev_ports_parent[slave]),
-				   "%d", port_num);
-	if (ret)
-		goto err_alloc;
-
 	p->pkey_group.name  =3D "pkey_idx";
 	p->pkey_group.attrs =3D
 		alloc_group_attrs(show_port_pkey,
@@ -649,13 +643,9 @@ static int add_port(struct mlx4_ib_dev *dev, int port_=
num, int slave)
 				  dev->dev->caps.pkey_table_len[port_num]);
 	if (!p->pkey_group.attrs) {
 		ret =3D -ENOMEM;
-		goto err_alloc;
+		goto err_free_port;
 	}
=20
-	ret =3D sysfs_create_group(&p->kobj, &p->pkey_group);
-	if (ret)
-		goto err_free_pkey;
-
 	p->gid_group.name  =3D "gid_idx";
 	p->gid_group.attrs =3D alloc_group_attrs(show_port_gid_idx, NULL, 1);
 	if (!p->gid_group.attrs) {
@@ -663,28 +653,47 @@ static int add_port(struct mlx4_ib_dev *dev, int port=
_num, int slave)
 		goto err_free_pkey;
 	}
=20
+	ret =3D kobject_init_and_add(&p->kobj, &port_type,
+				   kobject_get(dev->dev_ports_parent[slave]),
+				   "%d", port_num);
+	if (ret)
+		goto err_put;
+
+	ret =3D sysfs_create_group(&p->kobj, &p->pkey_group);
+	if (ret)
+		goto err_del;
+
 	ret =3D sysfs_create_group(&p->kobj, &p->gid_group);
 	if (ret)
-		goto err_free_gid;
+		goto err_remove_pkey;
=20
 	ret =3D add_vf_smi_entries(p);
 	if (ret)
-		goto err_free_gid;
+		goto err_remove_gid;
=20
 	list_add_tail(&p->kobj.entry, &dev->pkeys.pkey_port_list[slave]);
 	return 0;
=20
-err_free_gid:
-	kfree(p->gid_group.attrs[0]);
-	kfree(p->gid_group.attrs);
+err_remove_gid:
+	sysfs_remove_group(&p->kobj, &p->gid_group);
+
+err_remove_pkey:
+	sysfs_remove_group(&p->kobj, &p->pkey_group);
+
+err_del:
+	kobject_del(&p->kobj);
+
+err_put:
+	kobject_put(dev->dev_ports_parent[slave]);
+	kobject_put(&p->kobj);
+	return ret;
=20
 err_free_pkey:
 	for (i =3D 0; i < dev->dev->caps.pkey_table_len[port_num]; ++i)
 		kfree(p->pkey_group.attrs[i]);
 	kfree(p->pkey_group.attrs);
=20
-err_alloc:
-	kobject_put(dev->dev_ports_parent[slave]);
+err_free_port:
 	kfree(p);
 	return ret;
 }
--=20
2.43.0