From: "wanghai (M)" <wanghai26@huawei.com>
To: Stephen Hemminger <stephen@networkplumber.org>
Cc: <davem@davemloft.net>, <idosch@mellanox.com>,
	<alexander.h.duyck@intel.com>, <tyhicks@canonical.com>,
	<f.fainelli@gmail.com>, <amritha.nambiar@intel.com>,
	<joe@perches.com>, <dmitry.torokhov@gmail.com>,
	<andriy.shevchenko@linux.intel.com>, <netdev@vger.kernel.org>,
	<linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] net-sysfs: Fix memory leak in netdev_register_kobject
Date: Tue, 19 Mar 2019 11:03:54 +0800	[thread overview]
Message-ID: <cfc4b528-8bda-6823-cdf8-f4d12eb95c85@huawei.com> (raw)
In-Reply-To: <20190318085724.1e0c017b@shemminger-XPS-13-9360>


On 2019/3/18 23:57, Stephen Hemminger wrote:
> On Tue, 19 Mar 2019 01:06:57 -0400
> Wang Hai <wanghai26@huawei.com> wrote:
>
>> When registering struct net_device, it will call
>> 	register_netdevice ->
>> 		netdev_register_kobject ->
>> 			device_add(dev)
>> 			register_queue_kobjects(ndev)
>>
>> If device_add(dev) or register_queue_kobjects(ndev) fails,
>> register_netdevice() will return an error, causing netdev_freemem(ndev)
>> to be called to free net_device. However, (&ndev->dev)->kobj.name will
>> not be freed, resulting in a memory leak.
>>
>> syzkaller reports this:
>> BUG: memory leak
>> unreferenced object 0xffff8881f4fad168 (size 8):
>> comm "syz-executor.0", pid 3575, jiffies 4294778002 (age 20.134s)
>> hex dump (first 8 bytes):
>>    77 70 61 6e 30 00 ff ff                          wpan0...
>> backtrace:
>>    [<000000006d2d91d7>] kstrdup_const+0x3d/0x50 mm/util.c:73
>>    [<00000000ba9ff953>] kvasprintf_const+0x112/0x170 lib/kasprintf.c:48
>>    [<000000005555ec09>] kobject_set_name_vargs+0x55/0x130 lib/kobject.c:281
>>    [<0000000098d28ec3>] dev_set_name+0xbb/0xf0 drivers/base/core.c:1915
>>    [<00000000b7553017>] netdev_register_kobject+0xc0/0x410 net/core/net-sysfs.c:1727
>>    [<00000000c826a797>] register_netdevice+0xa51/0xeb0 net/core/dev.c:8711
>>    [<00000000857bfcfd>] cfg802154_update_iface_num.isra.2+0x13/0x90 [ieee802154]
>>    [<000000003126e453>] ieee802154_llsec_fill_key_id+0x1d5/0x570 [ieee802154]
>>    [<00000000e4b3df51>] 0xffffffffc1500e0e
>>    [<00000000b4319776>] platform_drv_probe+0xc6/0x180 drivers/base/platform.c:614
>>    [<0000000037669347>] really_probe+0x491/0x7c0 drivers/base/dd.c:509
>>    [<000000008fed8862>] driver_probe_device+0xdc/0x240 drivers/base/dd.c:671
>>    [<00000000baf52041>] device_driver_attach+0xf2/0x130 drivers/base/dd.c:945
>>    [<00000000c7cc8dec>] __driver_attach+0x10e/0x210 drivers/base/dd.c:1022
>>    [<0000000057a757c2>] bus_for_each_dev+0x154/0x1e0 drivers/base/bus.c:304
>>    [<000000005f5ae04b>] bus_add_driver+0x427/0x5e0 drivers/base/bus.c:645
>>
>> Reported-by: Hulk Robot <hulkci@huawei.com>
>> Fixes: 1d24eb4815d1 ("xps: Transmit Packet Steering")
>> Signed-off-by: Wang Hai <wanghai26@huawei.com>
>> ---
>>   net/core/net-sysfs.c | 15 ++++++++++-----
>>   1 file changed, 10 insertions(+), 5 deletions(-)
>>
>> diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
>> index 4ff661f..f0e53dc 100644
>> --- a/net/core/net-sysfs.c
>> +++ b/net/core/net-sysfs.c
>> @@ -1745,17 +1745,22 @@ int netdev_register_kobject(struct net_device *ndev)
>>   
>>   	error = device_add(dev);
>>   	if (error)
>> -		return error;
>> +		goto device_add_error;
>>   
>>   	error = register_queue_kobjects(ndev);
>> -	if (error) {
>> -		device_del(dev);
>> -		return error;
>> -	}
>> +	if (error)
>> +		goto register_error;
>>   
>>   	pm_runtime_set_memalloc_noio(dev, true);
>>   
>> +out:
>>   	return error;
>> +
>> +register_error:
>> +	device_del(dev);
>> +device_add_error:
>> +	kfree_const(dev->kobj.name);
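
Review bot: At device_add_error:, kfree_const(dev->kobj.name) frees the
name but the quoted lines leave dev->kobj.name pointing at the freed
buffer, so any later path that releases the kobject and frees its name
again would be a double free; setting dev->kobj.name = NULL right after
the free would close that off. Separately, nothing in the quoted lines
jumps to the new out: label. If the error path only reaches it through a
backward "goto out", a plain "return error;" after the cleanup is simpler
to read.
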
> This looks like a bug in device_add(), not here.
> In general, it is better for an API to clean up after itself.
> Since dev->kobj.name is created in device_add and normally freed
> in device_del; why is device_add leaving it behind?

When registering struct net_device, it will call
register_netdevice ->
    netdev_register_kobject ->
        dev_set_name(dev, "%s", ndev->name)
        device_add(dev)
        register_queue_kobjects(ndev)

The dev->kobj.name that causes the memory leak is created in
dev_set_name(dev, "%s", ndev->name) in the function
netdev_register_kobject(), not in device_add(dev). If device_add(dev) or
register_queue_kobjects(ndev) fails, it should release dev->kobj.name
in netdev_register_kobject().
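
The ownership argument in the reply above, as an added userspace model (not code from the patch or the kernel): the name is allocated before the add step, so a failure in either later step leaves it allocated unless the caller frees it. All model_* names are hypothetical stand-ins, and "wpan0" is taken from the syzkaller hex dump only as sample input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed userspace model; model_* names are hypothetical stand-ins. */
struct model_dev { char *kobj_name; };

/* Stand-in for dev_set_name(): the name is allocated here, before add. */
static int model_set_name(struct model_dev *dev, const char *name)
{
	size_t len = strlen(name) + 1;

	dev->kobj_name = malloc(len);
	if (!dev->kobj_name)
		return -1;
	memcpy(dev->kobj_name, name, len);
	return 0;
}

/* Stand-in for device_add() and register_queue_kobjects(): assumed here,
 * as the reply argues, to neither allocate nor free the name. */
static int model_step(int fail) { return fail ? -1 : 0; }

static void model_free_name(struct model_dev *dev)
{
	free(dev->kobj_name);
	dev->kobj_name = NULL;	/* leave no dangling pointer behind */
}

/* Returns 1 if the name is still allocated when the error is returned. */
int model_register_leaks(int add_fails, int queues_fail, int free_on_error)
{
	struct model_dev dev = { 0 };
	int error, leaked;

	if (model_set_name(&dev, "wpan0"))
		return -1;
	error = model_step(add_fails);		/* device_add() */
	if (!error)
		error = model_step(queues_fail);	/* register_queue_kobjects() */
	if (error && free_on_error)
		model_free_name(&dev);		/* cleanup done by the caller */
	leaked = error && dev.kobj_name != NULL;
	model_free_name(&dev);			/* keep the demo itself leak-free */
	return leaked;
}

int main(void)
{
	printf("add fails, no cleanup: leak=%d; with cleanup: leak=%d\n",
	       model_register_leaks(1, 0, 0), model_register_leaks(1, 0, 1));
	return 0;
}
```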


