RE: [PATCH v2] EDAC/sysfs: Fix UAF in edac_device_register_sysfs_main_kobj()

From: Zhuo, Qiuxu

Date: Wed Apr 29 2026 - 01:51:43 EST


> From: Guangshuo Li <lgs201920130244@xxxxxxxxx>
> Sent: Wednesday, April 29, 2026 12:08 AM
> To: Borislav Petkov <bp@xxxxxxxxx>; Luck, Tony <tony.luck@xxxxxxxxx>;
> Qiushi Wu <wu000273@xxxxxxx>; linux-edac@xxxxxxxxxxxxxxx;
> linux-kernel@xxxxxxxxxxxxxxx
> Cc: Guangshuo Li <lgs201920130244@xxxxxxxxx>
> Subject: [PATCH v2] EDAC/sysfs: Fix UAF in
> edac_device_register_sysfs_main_kobj()
>
> If kobject_init_and_add() fails, the error path drops the kobject reference with
> kobject_put(). This may call edac_device_ctrl_master_release(), which drops
> the module reference and frees the edac_device_ctl_info object.
>
> However, the same error path then calls module_put(edac_dev->owner),
> which dereferences edac_dev after it may have been freed. This can cause a
> use-after-free and also drops the module reference twice.
>
> Track whether kobject_init_and_add() has been called. If it has, rely on the
> kobject release callback to drop the module reference. Otherwise, drop the
> module reference directly.
>
> This issue was found by a static analysis tool I am developing.
>
> Fixes: 17ed808ad2431 ("EDAC: Fix reference count leaks")
> Signed-off-by: Guangshuo Li <lgs201920130244@xxxxxxxxx>

LGTM,

Reviewed-by: Qiuxu Zhuo <qiuxu.zhuo@xxxxxxxxx>
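
The error path described in the quoted commit message, as an added user-space model (not the kernel code and not the patch itself). All struct and function names, and the `fail_early` failure point, are assumptions made for illustration; the "free" is modelled by a flag so that the stale access can be counted safely.

```c
#include <stdbool.h>

/* User-space model; every name here is a hypothetical stand-in. */
struct module { int refs; };
struct ctl { int kref; struct module *owner; bool released; };
static int stale_reads; /* reads of a ctl after its release callback ran */

static struct module *ctl_owner(struct ctl *c) {
    if (c->released) stale_reads++;  /* in the kernel: read of freed memory */
    return c->owner;
}
static void mod_put(struct module *m) { m->refs--; }
/* Release callback: drops the module reference, then "frees" the object. */
static void ctl_release(struct ctl *c) { mod_put(c->owner); c->released = true; }
static void kobj_put(struct ctl *c) { if (--c->kref == 0) ctl_release(c); }
/* Like kobject_init_and_add(): a reference is held even when the add fails. */
static int kobj_init_and_add(struct ctl *c, bool fail) { c->kref = 1; return fail ? -1 : 0; }

/* Error path as the commit message describes the unfixed code. */
static int register_buggy(struct ctl *c, bool fail_add) {
    c->owner->refs++;                   /* module reference taken */
    if (kobj_init_and_add(c, fail_add)) {
        kobj_put(c);                    /* release runs: module put + free */
        mod_put(ctl_owner(c));          /* stale read and a second put */
        return -1;
    }
    return 0;
}

/* Error path following the commit message: track whether init was called. */
static int register_fixed(struct ctl *c, bool fail_early, bool fail_add) {
    bool kobj_inited = false;
    int err = -1;
    c->owner->refs++;
    if (fail_early) goto out;           /* hypothetical failure before init */
    err = kobj_init_and_add(c, fail_add);
    kobj_inited = true;
    if (!err) return 0;
out:
    if (kobj_inited) kobj_put(c);       /* release callback drops the module ref */
    else mod_put(c->owner);             /* no kobject yet: drop it directly */
    return err;
}

/* Runs one scenario; returns the module refcount left over afterwards. */
static int leftover_refs(bool fixed, bool fail_early, bool fail_add) {
    struct module m = {0};
    struct ctl c = { .owner = &m };
    stale_reads = 0;
    if (fixed) register_fixed(&c, fail_early, fail_add); else register_buggy(&c, fail_add);
    return m.refs;
}
```

A leftover count of 0 after a failed registration means the module reference is balanced; a negative count is the double put the commit message mentions.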