From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id D8A51C43381 for ; Tue, 19 Mar 2019 03:04:37 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id A130E2084F for ; Tue, 19 Mar 2019 03:04:37 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727469AbfCSDEg (ORCPT ); Mon, 18 Mar 2019 23:04:36 -0400 Received: from szxga04-in.huawei.com ([45.249.212.190]:4705 "EHLO huawei.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726788AbfCSDEf (ORCPT ); Mon, 18 Mar 2019 23:04:35 -0400 Received: from DGGEMS413-HUB.china.huawei.com (unknown [172.30.72.59]) by Forcepoint Email with ESMTP id 7F23DA162836022F013B; Tue, 19 Mar 2019 11:04:33 +0800 (CST) Received: from [127.0.0.1] (10.184.227.228) by DGGEMS413-HUB.china.huawei.com (10.3.19.213) with Microsoft SMTP Server id 14.3.408.0; Tue, 19 Mar 2019 11:04:32 +0800 Subject: Re: [PATCH] net-sysfs: Fix memory leak in netdev_register_kobject To: Stephen Hemminger CC: , , , , , , , , , , References: <20190319050657.61327-1-wanghai26@huawei.com> <20190318085724.1e0c017b@shemminger-XPS-13-9360> From: "wanghai (M)" Message-ID: Date: Tue, 19 Mar 2019 11:03:54 +0800 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.5.3 MIME-Version: 1.0 In-Reply-To: <20190318085724.1e0c017b@shemminger-XPS-13-9360> Content-Type: text/plain; charset="UTF-8"; format=flowed Content-Transfer-Encoding: 8bit X-Originating-IP: [10.184.227.228] X-CFilter-Loop: Reflected Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 在 2019/3/18 23:57, Stephen Hemminger 写道: > On Tue, 19 Mar 2019 01:06:57 -0400 > Wang Hai wrote: > >> When registering struct net_device, it will call >> register_netdevice -> >> netdev_register_kobject -> >> device_add(dev) >> register_queue_kobjects(ndev) >> >> If device_add(dev) or register_queue_kobjects(ndev) fails. >> Register_netdevice() will return error, causing netdev_freemem(ndev) >> to be called to free net_device, however (&ndev->dev)->kobj.name will >> not be freed, resulting in a memory leak. >> >> syzkaller report this: >> BUG: memory leak >> unreferenced object 0xffff8881f4fad168 (size 8): >> comm "syz-executor.0", pid 3575, jiffies 4294778002 (age 20.134s) >> hex dump (first 8 bytes): >> 77 70 61 6e 30 00 ff ff wpan0... >> backtrace: >> [<000000006d2d91d7>] kstrdup_const+0x3d/0x50 mm/util.c:73 >> [<00000000ba9ff953>] kvasprintf_const+0x112/0x170 lib/kasprintf.c:48 >> [<000000005555ec09>] kobject_set_name_vargs+0x55/0x130 lib/kobject.c:281 >> [<0000000098d28ec3>] dev_set_name+0xbb/0xf0 drivers/base/core.c:1915 >> [<00000000b7553017>] netdev_register_kobject+0xc0/0x410 net/core/net-sysfs.c:1727 >> [<00000000c826a797>] register_netdevice+0xa51/0xeb0 net/core/dev.c:8711 >> [<00000000857bfcfd>] cfg802154_update_iface_num.isra.2+0x13/0x90 [ieee802154] >> [<000000003126e453>] ieee802154_llsec_fill_key_id+0x1d5/0x570 [ieee802154] >> [<00000000e4b3df51>] 0xffffffffc1500e0e >> [<00000000b4319776>] platform_drv_probe+0xc6/0x180 drivers/base/platform.c:614 >> [<0000000037669347>] really_probe+0x491/0x7c0 drivers/base/dd.c:509 >> [<000000008fed8862>] driver_probe_device+0xdc/0x240 drivers/base/dd.c:671 >> [<00000000baf52041>] device_driver_attach+0xf2/0x130 drivers/base/dd.c:945 >> [<00000000c7cc8dec>] __driver_attach+0x10e/0x210 drivers/base/dd.c:1022 >> [<0000000057a757c2>] bus_for_each_dev+0x154/0x1e0 drivers/base/bus.c:304 >> [<000000005f5ae04b>] bus_add_driver+0x427/0x5e0 drivers/base/bus.c:645 >> >> Reported-by: Hulk Robot >> Fixes: 1d24eb4815d1 ("xps: Transmit Packet Steering") >> Signed-off-by: Wang Hai >> --- >> net/core/net-sysfs.c | 15 ++++++++++----- >> 1 file changed, 10 insertions(+), 5 deletions(-) >> >> diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c >> index 4ff661f..f0e53dc 100644 >> --- a/net/core/net-sysfs.c >> +++ b/net/core/net-sysfs.c >> @@ -1745,17 +1745,22 @@ int netdev_register_kobject(struct net_device *ndev) >> >> error = device_add(dev); >> if (error) >> - return error; >> + goto device_add_error; >> >> error = register_queue_kobjects(ndev); >> - if (error) { >> - device_del(dev); >> - return error; >> - } >> + if (error) >> + goto register_error; >> >> pm_runtime_set_memalloc_noio(dev, true); >> >> +out: >> return error; >> + >> +register_error: >> + device_del(dev); >> +device_add_error: >> + kfree_const(dev->kobj.name); > This looks a bug in device_add() not here. > In general, it is better for an api to clean up after itself. > Since dev->kobj.name is created in device_add and normally freed > in device_del; why is device_add leaving it behind?\ When registering struct net_device, it will call register_netdevice ->     netdev_register_kobject ->         dev_set_name(dev, "%s", ndev->name)          device_add(dev)          register_queue_kobjects(ndev) The dev->kobj.name that causes the memory leak is created in dev_set_name(dev, "%s", ndev-> name) in the function netdev_register_kobject(), not in device_add(dev). If device_add(dev) or register_queue_kobjects(ndev) fails, it should release dev-> kobj.name in netdev_register_kobject()