[PATCH v2] md: fix kobject reference leak in md_import_device()

Next message: Eugenio Perez Martin: "Re: [PATCH] virtio_pci_modern: Use GFP_ATOMIC with spin_lock_irqsave held in virtqueue_exec_admin_cmd()"
Previous message: Yeoreum Yun: "[PATCH v4 8/9] coresight: etm3x: fix inconsistencies with sysfs configuration"
Next in thread: Su Yue: "Re: [PATCH v2] md: fix kobject reference leak in md_import_device()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Guangshuo Li

Date: Mon Apr 13 2026 - 10:22:24 EST

md_import_device() initializes rdev->kobj with kobject_init() before
checking the device size and loading the superblock.

When one of the later checks fails, the error path still frees rdev
directly with kfree(). This bypasses the kobject release path and leaves
the kobject reference unbalanced.

The issue was identified by a static analysis tool I developed and
confirmed by manual review.

After kobject_init(), release rdev through kobject_put() instead of
kfree().

Fixes: f9cb074bff8e ("Kobject: rename kobject_init_ng() to kobject_init()")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Guangshuo Li <lgs201920130244@xxxxxxxxx>
---
v2:
- note that the issue was identified by my static analysis tool
- and confirmed by manual review

drivers/md/md.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/drivers/md/md.c b/drivers/md/md.c
index 6d73f6e196a9..4ce7512dc834 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -3871,6 +3871,9 @@ static struct md_rdev *md_import_device(dev_t newdev, int super_format, int supe

out_blkdev_put:
fput(rdev->bdev_file);
+ md_rdev_clear(rdev);
+ kobject_put(&rdev->kobj);
+ return ERR_PTR(err);
out_clear_rdev:
md_rdev_clear(rdev);
out_free_rdev:
--
2.43.0