On 5/7/25 08:50, Dmitry Antipov wrote: > In 'lookup_or_create_module_kobject()', an internal kobject is created > using 'module_ktype'. So call to 'kobject_put()' on error handling > path causes an attempt to use an uninitialized completion pointer in > 'module_kobject_release()'. In this scenario, we just want to release > kobject without an extra synchronization required for a regular module > unloading process, so adding an extra check whether 'complete()' is > actually required makes 'kobject_put()' safe. > > Reported-by: syzbot+7fb8a372e1f6add936dd@xxxxxxxxxxxxxxxxxxxxxxxxx > Closes: https://syzkaller.appspot.com/bug?extid=7fb8a372e1f6add936dd > Fixes: 942e443127e9 ("module: Fix mod->mkobj.kobj potentially freed too early") > Suggested-by: Petr Pavlu <petr.pavlu@xxxxxxxx> > Signed-off-by: Dmitry Antipov <dmantipov@xxxxxxxxx> Added on modules-fixes. I plan to send the fix to Linus on Friday. While the underlying problem was already there, commit f95bbfe18512 ("drivers: base: handle module_kobject creation"), merged in v6.15-rc5, made it more exposed and I think it's better to have it fixed in this cycle. The patch itself is also safe. -- Thanks, Petr
