Re: [PATCH] mm: thp: Fix refcount leak in thpsize_create() error path

Next message: Ziran Zhang: "[PATCH v2 v2] FAT: Allow 0xE9 near jump in fat_read_static_bpb()"
Previous message: Balbir Singh: "Re: [PATCH] mm/zone_device: Do not touch device folio after calling -&gt;folio_free()"
In reply to: Andrew Morton: "Re: [PATCH] mm: thp: Fix refcount leak in thpsize_create() error path"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Zi Yan

Date: Sat Apr 11 2026 - 21:38:01 EST

On 11 Apr 2026, at 2:21, Guangshuo Li wrote:

> After kobject_init_and_add(), the lifetime of the embedded struct
> kobject is expected to be managed through the kobject core reference
> counting.
>
> In thpsize_create(), if kobject_init_and_add() fails, thpsize is freed
> directly with kfree() rather than releasing the kobject reference with
> kobject_put(). This may leave the reference count of the embedded struct
> kobject unbalanced, resulting in a refcount leak and potentially leading
> to a use-after-free.
>
> Fix this by using kobject_put(&thpsize->kobj) in the failure path and
> letting thpsize_release() handle the final cleanup.
>
> Fixes: 3485b88390b0 ("mm: thp: introduce multi-size THP sysfs interface")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Guangshuo Li <lgs201920130244@xxxxxxxxx>
> ---
> mm/huge_memory.c | 7 ++-----
> 1 file changed, 2 insertions(+), 5 deletions(-)
>
LGTM.

Reviewed-by: Zi Yan <ziy@xxxxxxxxxx>

--
Best Regards,
Yan, Zi