[syzbot] memory leak in __mdiobus_register

[syzbot] memory leak in __mdiobus_register

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    d9fb678414c0 Merge tag 'afs-fixes-20210913' of git://git.k..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=131c754b300000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f0de362a1f17687e
dashboard link: https://syzkaller.appspot.com/bug?extid=398e7dc692ddbbb4cfec
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=145650d1300000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=105ccde7300000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+398e7dc692ddbbb4cfec@syzkaller.appspotmail.com

BUG: memory leak
unreferenced object 0xffff888114032e00 (size 256):
  comm "kworker/1:3", pid 2960, jiffies 4294943572 (age 15.920s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 08 2e 03 14 81 88 ff ff  ................
    08 2e 03 14 81 88 ff ff 90 76 65 82 ff ff ff ff  .........ve.....
  backtrace:
    [<ffffffff8265cfab>] kmalloc include/linux/slab.h:591 [inline]
    [<ffffffff8265cfab>] kzalloc include/linux/slab.h:721 [inline]
    [<ffffffff8265cfab>] device_private_init drivers/base/core.c:3203 [inline]
    [<ffffffff8265cfab>] device_add+0x89b/0xdf0 drivers/base/core.c:3253
    [<ffffffff828dd643>] __mdiobus_register+0xc3/0x450 drivers/net/phy/mdio_bus.c:537
    [<ffffffff828cb835>] __devm_mdiobus_register+0x75/0xf0 drivers/net/phy/mdio_devres.c:87
    [<ffffffff82b92a00>] ax88772_init_mdio drivers/net/usb/asix_devices.c:676 [inline]
    [<ffffffff82b92a00>] ax88772_bind+0x330/0x480 drivers/net/usb/asix_devices.c:786
    [<ffffffff82baa33f>] usbnet_probe+0x3ff/0xdf0 drivers/net/usb/usbnet.c:1745
    [<ffffffff82c36e17>] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396
    [<ffffffff82661d17>] call_driver_probe drivers/base/dd.c:517 [inline]
    [<ffffffff82661d17>] really_probe.part.0+0xe7/0x380 drivers/base/dd.c:596
    [<ffffffff826620bc>] really_probe drivers/base/dd.c:558 [inline]
    [<ffffffff826620bc>] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:751
    [<ffffffff826621ba>] driver_probe_device+0x2a/0x120 drivers/base/dd.c:781
    [<ffffffff82662a26>] __device_attach_driver+0xf6/0x140 drivers/base/dd.c:898
    [<ffffffff8265eca7>] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:427
    [<ffffffff826625a2>] __device_attach+0x122/0x260 drivers/base/dd.c:969
    [<ffffffff82660916>] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:487
    [<ffffffff8265cd0b>] device_add+0x5fb/0xdf0 drivers/base/core.c:3359
    [<ffffffff82c343b9>] usb_set_configuration+0x9d9/0xb90 drivers/usb/core/message.c:2170
    [<ffffffff82c4473c>] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238

BUG: memory leak
unreferenced object 0xffff888116f06900 (size 32):
  comm "kworker/0:2", pid 2670, jiffies 4294944448 (age 7.160s)
  hex dump (first 32 bytes):
    75 73 62 2d 30 30 31 3a 30 30 33 00 00 00 00 00  usb-001:003.....
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffff81484516>] kstrdup+0x36/0x70 mm/util.c:60
    [<ffffffff814845a3>] kstrdup_const+0x53/0x80 mm/util.c:83
    [<ffffffff82296ba2>] kvasprintf_const+0xc2/0x110 lib/kasprintf.c:48
    [<ffffffff82358d4b>] kobject_set_name_vargs+0x3b/0xe0 lib/kobject.c:289
    [<ffffffff826575f3>] dev_set_name+0x63/0x90 drivers/base/core.c:3147
    [<ffffffff828dd63b>] __mdiobus_register+0xbb/0x450 drivers/net/phy/mdio_bus.c:535
    [<ffffffff828cb835>] __devm_mdiobus_register+0x75/0xf0 drivers/net/phy/mdio_devres.c:87
    [<ffffffff82b92a00>] ax88772_init_mdio drivers/net/usb/asix_devices.c:676 [inline]
    [<ffffffff82b92a00>] ax88772_bind+0x330/0x480 drivers/net/usb/asix_devices.c:786
    [<ffffffff82baa33f>] usbnet_probe+0x3ff/0xdf0 drivers/net/usb/usbnet.c:1745
    [<ffffffff82c36e17>] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396
    [<ffffffff82661d17>] call_driver_probe drivers/base/dd.c:517 [inline]
    [<ffffffff82661d17>] really_probe.part.0+0xe7/0x380 drivers/base/dd.c:596
    [<ffffffff826620bc>] really_probe drivers/base/dd.c:558 [inline]
    [<ffffffff826620bc>] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:751
    [<ffffffff826621ba>] driver_probe_device+0x2a/0x120 drivers/base/dd.c:781
    [<ffffffff82662a26>] __device_attach_driver+0xf6/0x140 drivers/base/dd.c:898
    [<ffffffff8265eca7>] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:427
    [<ffffffff826625a2>] __device_attach+0x122/0x260 drivers/base/dd.c:969



---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

Re: [syzbot] memory leak in __mdiobus_register

[Pavel Skripkin]

[-- Attachment #1: Type: text/plain, Size: 1204 bytes --]

On 9/26/21 04:28, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    d9fb678414c0 Merge tag 'afs-fixes-20210913' of git://git.k..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=131c754b300000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=f0de362a1f17687e
> dashboard link: https://syzkaller.appspot.com/bug?extid=398e7dc692ddbbb4cfec
> compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=145650d1300000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=105ccde7300000
> 

Looks like MDIOBUS_ALLOCATED indicated 2 states:

	1. Bus is only allocated
	2. Bus allocated and __mdiobus_register() fails, but
	   device_register() was called

These 2 cases should be handled separately, i.e. we need to call 
put_device() if device_register() was called.

To handle this situation we can add new state MDIOBUS_DEV_REGISTERED and 
handle it properly


Just for thoughts and syzbot testing

#syz test
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


With regards,
Pavel Skripkin






[-- Attachment #2: ph --]
[-- Type: text/plain, Size: 998 bytes --]

diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c
index 53f034fc2ef7..ed764638b449 100644
--- a/drivers/net/phy/mdio_bus.c
+++ b/drivers/net/phy/mdio_bus.c
@@ -540,6 +540,8 @@ int __mdiobus_register(struct mii_bus *bus, struct module *owner)
 		return -EINVAL;
 	}
 
+	bus->state = MDIOBUS_DEV_REGISTERED;
+
 	mutex_init(&bus->mdio_lock);
 	mutex_init(&bus->shared_lock);
 
@@ -647,7 +649,7 @@ void mdiobus_free(struct mii_bus *bus)
 		return;
 	}
 
-	BUG_ON(bus->state != MDIOBUS_UNREGISTERED);
+	BUG_ON(bus->state != MDIOBUS_UNREGISTERED && bus->state != MDIOBUS_DEV_REGISTERED);
 	bus->state = MDIOBUS_RELEASED;
 
 	put_device(&bus->dev);
diff --git a/include/linux/phy.h b/include/linux/phy.h
index 736e1d1a47c4..41d2ccdacd5e 100644
--- a/include/linux/phy.h
+++ b/include/linux/phy.h
@@ -343,6 +343,7 @@ struct mii_bus {
 		MDIOBUS_REGISTERED,
 		MDIOBUS_UNREGISTERED,
 		MDIOBUS_RELEASED,
+		MDIOBUS_DEV_REGISTERED,
 	} state;
 
 	/** @dev: Kernel device representation */

Re: [syzbot] memory leak in __mdiobus_register

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+398e7dc692ddbbb4cfec@syzkaller.appspotmail.com

Tested on:

commit:         5816b3e6 Linux 5.15-rc3
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=41799858eb55f380
dashboard link: https://syzkaller.appspot.com/bug?extid=398e7dc692ddbbb4cfec
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1147b840b00000

Note: testing is done by a robot and is best-effort only.

Re: [syzbot] memory leak in __mdiobus_register

[Dongliang Mu]

On Mon, Sep 27, 2021 at 7:44 AM syzbot
<syzbot+398e7dc692ddbbb4cfec@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot has tested the proposed patch and the reproducer did not trigger any issue:
>
> Reported-and-tested-by: syzbot+398e7dc692ddbbb4cfec@syzkaller.appspotmail.com
>
> Tested on:
>
> commit:         5816b3e6 Linux 5.15-rc3
> git tree:       upstream
> kernel config:  https://syzkaller.appspot.com/x/.config?x=41799858eb55f380
> dashboard link: https://syzkaller.appspot.com/bug?extid=398e7dc692ddbbb4cfec
> compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> patch:          https://syzkaller.appspot.com/x/patch.diff?x=1147b840b00000
>
> Note: testing is done by a robot and is best-effort only.

Hi Pavel,

Confirm the patch you posted [1] is the real fix of this bug report.

I tested the patch from Yanfei Xu [2] in my local workspace, and the
memory leak is still triggered. In addition, I have pushed a patch
request for that patch. The result would prove that patch is not
working for this bug.

BTW, there occur incorrect fix commits on the syzbot dashboard
sometimes. Maybe it should be cleaned in the future.

[1] https://lkml.org/lkml/2021/9/27/289
[2] https://www.spinics.net/lists/kernel/msg4089781.html

>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/0000000000005252e105ccee8e1b%40google.com.

Re: [syzbot] memory leak in __mdiobus_register

[Pavel Skripkin]

On 9/28/21 10:42, Dongliang Mu wrote:
> On Mon, Sep 27, 2021 at 7:44 AM syzbot
> <syzbot+398e7dc692ddbbb4cfec@syzkaller.appspotmail.com> wrote:
>>
>> Hello,
>>
>> syzbot has tested the proposed patch and the reproducer did not trigger any issue:
>>
>> Reported-and-tested-by: syzbot+398e7dc692ddbbb4cfec@syzkaller.appspotmail.com
>>
>> Tested on:
>>
>> commit:         5816b3e6 Linux 5.15-rc3
>> git tree:       upstream
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=41799858eb55f380
>> dashboard link: https://syzkaller.appspot.com/bug?extid=398e7dc692ddbbb4cfec
>> compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
>> patch:          https://syzkaller.appspot.com/x/patch.diff?x=1147b840b00000
>>
>> Note: testing is done by a robot and is best-effort only.
> 
> Hi Pavel,
> 
> Confirm the patch you posted [1] is the real fix of this bug report.
> 
> I tested the patch from Yanfei Xu [2] in my local workspace, and the
> memory leak is still triggered. In addition, I have pushed a patch
> request for that patch. The result would prove that patch is not
> working for this bug.
> 
> BTW, there occur incorrect fix commits on the syzbot dashboard
> sometimes. Maybe it should be cleaned in the future.
> 


Hi, Dongliang,

thank you for confirmation. As I said in reply to [1] Yanfei's patch is 
also correct, but it solves other memory leak in same function.

AFAIU, if my patch will be applied too there will be 2 fix patches on 
syzkaller bug report page, so no need to remove Yanfei's patch from bug 
report page :)


> [1] https://lkml.org/lkml/2021/9/27/289
> [2] https://www.spinics.net/lists/kernel/msg4089781.html
> 


With regards,
Pavel Skripkin

Re: [syzbot] memory leak in __mdiobus_register

[Dongliang Mu]

On Tue, Sep 28, 2021 at 4:15 PM Pavel Skripkin <paskripkin@gmail.com> wrote:
>
> On 9/28/21 10:42, Dongliang Mu wrote:
> > On Mon, Sep 27, 2021 at 7:44 AM syzbot
> > <syzbot+398e7dc692ddbbb4cfec@syzkaller.appspotmail.com> wrote:
> >>
> >> Hello,
> >>
> >> syzbot has tested the proposed patch and the reproducer did not trigger any issue:
> >>
> >> Reported-and-tested-by: syzbot+398e7dc692ddbbb4cfec@syzkaller.appspotmail.com
> >>
> >> Tested on:
> >>
> >> commit:         5816b3e6 Linux 5.15-rc3
> >> git tree:       upstream
> >> kernel config:  https://syzkaller.appspot.com/x/.config?x=41799858eb55f380
> >> dashboard link: https://syzkaller.appspot.com/bug?extid=398e7dc692ddbbb4cfec
> >> compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> >> patch:          https://syzkaller.appspot.com/x/patch.diff?x=1147b840b00000
> >>
> >> Note: testing is done by a robot and is best-effort only.
> >
> > Hi Pavel,
> >
> > Confirm the patch you posted [1] is the real fix of this bug report.
> >
> > I tested the patch from Yanfei Xu [2] in my local workspace, and the
> > memory leak is still triggered. In addition, I have pushed a patch
> > request for that patch. The result would prove that patch is not
> > working for this bug.
> >
> > BTW, there occur incorrect fix commits on the syzbot dashboard
> > sometimes. Maybe it should be cleaned in the future.
> >
>
>
> Hi, Dongliang,
>
> thank you for confirmation. As I said in reply to [1] Yanfei's patch is
> also correct, but it solves other memory leak in same function.
>

It's fine as I was debugging this case locally.

> AFAIU, if my patch will be applied too there will be 2 fix patches on
> syzkaller bug report page, so no need to remove Yanfei's patch from bug
> report page :)

I don't understand why Dan in other threads said Yanfei's patch is
also working in the bug report. The patch testing request already
shows the same memory leak still triggers. Really confused.

>
>
> > [1] https://lkml.org/lkml/2021/9/27/289
> > [2] https://www.spinics.net/lists/kernel/msg4089781.html
> >
>
>
> With regards,
> Pavel Skripkin