On Mon, Mar 30, 2026 at 05:09:57PM -0400, Dingisoul wrote:
> Hi Kernel maintainers,
>
> We found a possible refcount leak in sgx_encl_mm_add().
>
> In this function, a reference to encl->refcount is taken before registering
> the MMU notifier:
>
> 	/* Grab a refcount for the encl_mm->encl reference: */
> 	kref_get(&encl->refcount); // 1. Reference acquired here.
> 	encl_mm->encl = encl;
>
> 	ret = __mmu_notifier_register(&encl_mm->mmu_notifier, mm);
> 	if (ret) {
> 		kfree(encl_mm);
> 		return ret; // 2. Returns without kref_put.
> 	}
>
> If __mmu_notifier_register() fails, the function frees encl_mm but does not
> drop the reference acquired by kref_get(&encl->refcount). This seems to leak
> one reference to encl.
>
> Please let us know if the kref_put is unnecessary here.
>
> Thanks.

It is a leak, as the encl, stored in the file, will retain the increased refcount.

BR, Jarkko