| Message ID | 20220713210623.14705-1-logang@deltatee.com (mailing list archive) |
|---|---|
| State | New, archived |
| Delegated to: | Song Liu |
| Headers | show |
| Series | md: Ensure mddev object is cleaned up with kobject_put on error path | expand |
On Wed, Jul 13, 2022 at 03:06:23PM -0600, Logan Gunthorpe wrote: > The documentation for kobject_init() clearly states that the new > object must be cleaned up with a call to kobject_put(), not a > kfree() call directly. > > However, the error path in mddev_alloc() frees the newly allocated > mddev object directly with kfree() after kobject_init() is called > in mddev_init(). > > Fix this by changing the kfree() call to a kobject_put(). I think the right answer is to only initialize the kobject just before we add it. I'll send an updated patch for that in a bit.
diff --git a/drivers/md/md.c b/drivers/md/md.c index 198d4ceae55a..d9e0e38be38c 100644 --- a/drivers/md/md.c +++ b/drivers/md/md.c @@ -769,7 +769,7 @@ static struct mddev *mddev_alloc(dev_t unit) return new; out_free_new: spin_unlock(&all_mddevs_lock); - kfree(new); + kobject_put(&new->kobj); return ERR_PTR(error); }
The documentation for kobject_init() clearly states that the new object must be cleaned up with a call to kobject_put(), not a kfree() call directly. However, the error path in mddev_alloc() frees the newly allocated mddev object directly with kfree() after kobject_init() is called in mddev_init(). Fix this by changing the kfree() call to a kobject_put(). Signed-off-by: Logan Gunthorpe <logang@deltatee.com> --- drivers/md/md.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) base-commit: 922f4b5c75aa13532382ffb4964d2d12ad98747e