lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <6d56e691114294ed3187e7a6f281c98293393a1a.camel@kernel.org>
Date: Sat, 31 Jan 2026 11:54:06 -0500
From: Trond Myklebust <trondmy@...nel.org>
To: Benjamin Coddington <bcodding@...merspace.com>, Salah Triki
	 <salah.triki@...il.com>
Cc: Anna Schumaker <anna@...nel.org>, linux-nfs@...r.kernel.org, 
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] nfs: fix memory leak in nfs_sysfs_init if kset_register
 fails

On Sat, 2026-01-31 at 07:21 -0500, Benjamin Coddington wrote:
> On 30 Jan 2026, at 19:09, Salah Triki wrote:
> 
> > When `kset_register()` fails, it does not clean up the underlying
> > kobject. Calling `kfree()` directly is incorrect because the
> > kobject
> > within the kset has already been initialized, and its internal
> > resources or reference counting must be handled properly.
> > 
> > As stated in the kobject documentation, once a kobject is
> > registered
> > (or even just initialized), you must use `kobject_put()` instead of
> > `kfree()` to let the reference counting mechanism perform the
> > cleanup
> > via the ktype's release callback.
> 
> I don't think this patch is correct - the kobj is not initialized
> yet, and
> on error return from kset_register() you'll likely get the WARN from
> lib/kobject.c:734 kobject_put() when calling kset_put().
> 
> That said it does look like that path might leak kobj->name, you
> might
> look at doing kfree_const() on it.
> 
> Did you test this - how did you determine this was a problem?
> 
> Ben

If you take a look at kset_register(), you'll see that it does free the
kobj.name pointer if there is an error when adding the kobject.

IOW: there is no bug in the current code.

-- 
Trond Myklebust
Linux NFS client maintainer, Hammerspace
trondmy@...nel.org, trond.myklebust@...merspace.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ