Re: [PATCH] md: fix kobject reference leak in md_import_device()

Next message: kernel test robot: "Re: [PATCH] crash: Support high memory reservation for range syntax"
Previous message: Deepanshu Kartikey: "Re: [PATCH v2] hfsplus: fix ignored error return in hfsplus_delete_cat"
In reply to: Guangshuo Li: "[PATCH] md: fix kobject reference leak in md_import_device()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Li Nan

Date: Tue Apr 14 2026 - 21:42:01 EST

在 2026/4/12 23:42, Guangshuo Li 写道:

md_import_device() initializes rdev->kobj with kobject_init() before
checking the device size and loading the superblock.

When one of the later checks fails, the error path still frees rdev
directly with kfree(). This bypasses the kobject release path and leaves
the kobject reference unbalanced.

After kobject_init(), release rdev through kobject_put() instead of
kfree().

Fixes: f9cb074bff8e ("Kobject: rename kobject_init_ng() to kobject_init()")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Guangshuo Li <lgs201920130244@xxxxxxxxx>
---
drivers/md/md.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/drivers/md/md.c b/drivers/md/md.c
index 6d73f6e196a9..4ce7512dc834 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -3871,6 +3871,9 @@ static struct md_rdev *md_import_device(dev_t newdev, int super_format, int supe
out_blkdev_put:
fput(rdev->bdev_file);
+ md_rdev_clear(rdev);
+ kobject_put(&rdev->kobj);
+ return ERR_PTR(err);
out_clear_rdev:
md_rdev_clear(rdev);
out_free_rdev:

Multiple return points in error handling are strange. Can we move
kobject_init() before return rdev? It would be simpler.

--
Thanks,
Nan