RE: [PATCH v3] EDAC/sysfs: Fix kobject cleanup after kobject_init_and_add() failure

From: Zhuo, Qiuxu

Date: Sat May 02 2026 - 07:40:23 EST


> From: Guangshuo Li <lgs201920130244@xxxxxxxxx>
> Sent: Saturday, May 2, 2026 4:07 PM
> To: Borislav Petkov <bp@xxxxxxxxx>; Luck, Tony <tony.luck@xxxxxxxxx>;
> Qiushi Wu <wu000273@xxxxxxx>; Doug Thompson
> <dougthompson@xxxxxxxxxxxx>; Greg Kroah-Hartman <gregkh@xxxxxxx>;
> linux-edac@xxxxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx
> Cc: Guangshuo Li <lgs201920130244@xxxxxxxxx>
> Subject: [PATCH v3] EDAC/sysfs: Fix kobject cleanup after
> kobject_init_and_add() failure
>
> If kobject_init_and_add() fails, the initialized kobject should be released with
> kobject_put(). Otherwise the kobject may leak resources associated with it.
>
> Some EDAC sysfs error paths currently drop the parent kobject reference
> directly after kobject_init_and_add() fails. However, the corresponding
> release callbacks of the child kobjects already drop those parent references.
> Call kobject_put() on the initialized child kobject instead, so the release
> callbacks can unwind the references properly.
>
> In edac_device_register_sysfs_main_kobj(), kobject_put() may call
> edac_device_ctrl_master_release(), which drops the module reference and
> frees the edac_device_ctl_info object. The error path then calls
> module_put(edac_dev->owner). This dereferences edac_dev after it may
> have been freed, causing a possible use-after-free, and also drops the module
> reference twice.
>
> Track whether kobject_init_and_add() has actually been called. If it has, rely
> on the kobject release callback to drop the module reference; otherwise, drop
> the module reference directly.
>
> Also handle the EDAC PCI top-level kobject setup carefully: if
> kobject_init_and_add() was called and failed, use kobject_put(); if it was
> never called, free the allocated kobject directly.
>
> These issues were found by a static analysis tool I am developing.
>
> Fixes: 17ed808ad2431 ("EDAC: Fix reference count leaks")
> Fixes: b2ed215a3338 ("Kobject: change drivers/edac to use
> kobject_init_and_add")
> Signed-off-by: Guangshuo Li <lgs201920130244@xxxxxxxxx>
> ---
> v2:
> - Move kobj_initialized assignment to the kobject_init_and_add() call
> site so it records whether the kobject has actually been initialized.
> v3:
> - Fix similar kobject_init_and_add() error paths under drivers/edac/.
> - Fold in the previous edac_device_create_instance() cleanup fix.
> - Put the initialized child kobject instead of the parent kobject.
> - Avoid calling kobject_put() on edac_pci_top_main_kobj if
> kobject_init_and_add() was not called.
>

LGTM. Thanks.

Reviewed-by: Qiuxu Zhuo <qiuxu.zhuo@xxxxxxxxx>
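Added illustration, not part of this thread and not drivers/edac or kernel kobject code: a userspace model of the edac_device_register_sysfs_main_kobj() error path the commit message describes, with the pre-fix sequence (kobject_put() followed by module_put(edac_dev->owner)) beside the fixed one that tracks whether kobject_init_and_add() was called. kobject_init_and_add(), kobject_put(), try_module_get() and module_put() are simplified stand-ins with their own signatures; register_main_kobj_buggy(), register_main_kobj_fixed(), run_path(), the g_fail_init failure switch and the NULL-parent pre-init failure are assumptions made for the model.

```c
/* Userspace model of the error path discussed in the patch. Added
 * illustration only, not drivers/edac or kernel kobject code: the helpers
 * are simplified stand-ins and g_fail_init simulates a failing add. */
#include <assert.h>
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

struct module { int refcnt; };
struct kobject { int refcnt; const struct kobj_type *ktype; }; /* 0 = uninit */
struct kobj_type { void (*release)(struct kobject *); };
/* Trimmed edac_device_ctl_info; the real release kfree()s it, this sets freed. */
struct edac_device_ctl_info { struct kobject kobj; struct module *owner; bool freed; };

static int g_uaf_reads;             /* reads of dev after it was released */
static bool g_fail_init;            /* make kobject_init_and_add() fail */
static bool try_module_get(struct module *m) { m->refcnt++; return true; }
static void module_put(struct module *m) { m->refcnt--; }

static int kobject_init_and_add(struct kobject *k, const struct kobj_type *t)
{
    k->ktype = t;
    k->refcnt = 1;                  /* initialised even when the add fails */
    return g_fail_init ? -ENOMEM : 0;
}

static void kobject_put(struct kobject *k)
{
    assert(k->refcnt > 0 && "kobject_put() on an uninitialised kobject");
    if (--k->refcnt == 0)
        k->ktype->release(k);
}

/* Mirrors edac_device_ctrl_master_release(): drop the module ref, free dev. */
static void master_release(struct kobject *k)
{
    struct edac_device_ctl_info *dev = (struct edac_device_ctl_info *)k; /* first member */
    module_put(dev->owner);
    dev->freed = true;
}
static const struct kobj_type master_ktype = { .release = master_release };

/* Pre-fix path: kobject_put() already ran master_release(), so the
 * module_put() below reads a freed dev and drops the module ref twice. */
static int register_main_kobj_buggy(struct edac_device_ctl_info *dev,
                                    struct kobject *parent)
{
    int err = -ENODEV;
    if (!parent || !try_module_get(dev->owner))
        return err;
    err = kobject_init_and_add(&dev->kobj, &master_ktype);
    if (err) {
        kobject_put(&dev->kobj);
        g_uaf_reads += dev->freed;  /* instrumentation only */
        module_put(dev->owner);
    }
    return err;
}

/* Fixed path: once kobject_init_and_add() has run, the release callback
 * owns the module ref; before that, drop it directly. A NULL parent
 * stands in for the pre-init failures the real function can hit. */
static int register_main_kobj_fixed(struct edac_device_ctl_info *dev,
                                    struct kobject *parent)
{
    bool kobj_initialized = false;
    int err = -ENODEV;
    if (!try_module_get(dev->owner))
        return err;
    if (!parent)
        goto err_out;               /* nothing initialised yet */
    err = kobject_init_and_add(&dev->kobj, &master_ktype);
    kobj_initialized = true;
    if (err)
        goto err_out;
    return 0;
err_out:
    if (kobj_initialized)
        kobject_put(&dev->kobj);    /* master_release() drops the module ref */
    else
        module_put(dev->owner);
    return err;
}

/* Runs one path with a failing add; returns the module refcount (0 is right)
 * and leaves the count of reads after release in g_uaf_reads. */
static int run_path(int (*path)(struct edac_device_ctl_info *, struct kobject *),
                    bool with_parent)
{
    static struct kobject parent;
    struct module mod = { 0 };
    struct edac_device_ctl_info *dev = calloc(1, sizeof(*dev));
    dev->owner = &mod;
    g_uaf_reads = 0;
    g_fail_init = true;
    path(dev, with_parent ? &parent : NULL);
    free(dev);
    return mod.refcnt;
}
```

run_path(register_main_kobj_buggy, true) ends with the module refcount at -1 and one read of the released object, which is the double module_put() and the use-after-free the commit message describes; run_path(register_main_kobj_fixed, true) ends at 0 with no such read, and the fixed path with a NULL parent (failure before kobject_init_and_add() was called) also ends at 0 without ever calling kobject_put() on an uninitialised kobject.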