* [PATCH] net-sysfs: Fix memory leak in netdev_register_kobject
@ 2019-03-19 5:06 Wang Hai
2019-03-18 15:57 ` Stephen Hemminger
2019-03-18 18:02 ` Eric Dumazet
0 siblings, 2 replies; 12+ messages in thread
From: Wang Hai @ 2019-03-19 5:06 UTC (permalink / raw)
To: davem, idosch, alexander.h.duyck, tyhicks, f.fainelli
Cc: amritha.nambiar, joe, dmitry.torokhov, andriy.shevchenko, netdev,
linux-kernel, wanghai26
When registering struct net_device, it will call
register_netdevice ->
netdev_register_kobject ->
device_add(dev)
register_queue_kobjects(ndev)
If device_add(dev) or register_queue_kobjects(ndev) fails.
Register_netdevice() will return error, causing netdev_freemem(ndev)
to be called to free net_device, however (&ndev->dev)->kobj.name will
not be freed, resulting in a memory leak.
syzkaller report this:
BUG: memory leak
unreferenced object 0xffff8881f4fad168 (size 8):
comm "syz-executor.0", pid 3575, jiffies 4294778002 (age 20.134s)
hex dump (first 8 bytes):
77 70 61 6e 30 00 ff ff wpan0...
backtrace:
[<000000006d2d91d7>] kstrdup_const+0x3d/0x50 mm/util.c:73
[<00000000ba9ff953>] kvasprintf_const+0x112/0x170 lib/kasprintf.c:48
[<000000005555ec09>] kobject_set_name_vargs+0x55/0x130 lib/kobject.c:281
[<0000000098d28ec3>] dev_set_name+0xbb/0xf0 drivers/base/core.c:1915
[<00000000b7553017>] netdev_register_kobject+0xc0/0x410 net/core/net-sysfs.c:1727
[<00000000c826a797>] register_netdevice+0xa51/0xeb0 net/core/dev.c:8711
[<00000000857bfcfd>] cfg802154_update_iface_num.isra.2+0x13/0x90 [ieee802154]
[<000000003126e453>] ieee802154_llsec_fill_key_id+0x1d5/0x570 [ieee802154]
[<00000000e4b3df51>] 0xffffffffc1500e0e
[<00000000b4319776>] platform_drv_probe+0xc6/0x180 drivers/base/platform.c:614
[<0000000037669347>] really_probe+0x491/0x7c0 drivers/base/dd.c:509
[<000000008fed8862>] driver_probe_device+0xdc/0x240 drivers/base/dd.c:671
[<00000000baf52041>] device_driver_attach+0xf2/0x130 drivers/base/dd.c:945
[<00000000c7cc8dec>] __driver_attach+0x10e/0x210 drivers/base/dd.c:1022
[<0000000057a757c2>] bus_for_each_dev+0x154/0x1e0 drivers/base/bus.c:304
[<000000005f5ae04b>] bus_add_driver+0x427/0x5e0 drivers/base/bus.c:645
Reported-by: Hulk Robot <hulkci@huawei.com>
Fixes: 1d24eb4815d1 ("xps: Transmit Packet Steering")
Signed-off-by: Wang Hai <wanghai26@huawei.com>
---
net/core/net-sysfs.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
index 4ff661f..f0e53dc 100644
--- a/net/core/net-sysfs.c
+++ b/net/core/net-sysfs.c
@@ -1745,17 +1745,22 @@ int netdev_register_kobject(struct net_device *ndev)
error = device_add(dev);
if (error)
- return error;
+ goto device_add_error;
error = register_queue_kobjects(ndev);
- if (error) {
- device_del(dev);
- return error;
- }
+ if (error)
+ goto register_error;
pm_runtime_set_memalloc_noio(dev, true);
+out:
return error;
+
+register_error:
+ device_del(dev);
+device_add_error:
+ kfree_const(dev->kobj.name);
+ goto out;
}
int netdev_class_create_file_ns(const struct class_attribute *class_attr,
--
1.8.3.1
^ permalink raw reply related [flat|nested] 12+ messages in thread* Re: [PATCH] net-sysfs: Fix memory leak in netdev_register_kobject 2019-03-19 5:06 [PATCH] net-sysfs: Fix memory leak in netdev_register_kobject Wang Hai @ 2019-03-18 15:57 ` Stephen Hemminger 2019-03-18 16:19 ` Andy Shevchenko 2019-03-19 3:03 ` wanghai (M) 2019-03-18 18:02 ` Eric Dumazet 1 sibling, 2 replies; 12+ messages in thread From: Stephen Hemminger @ 2019-03-18 15:57 UTC (permalink / raw) To: Wang Hai Cc: davem, idosch, alexander.h.duyck, tyhicks, f.fainelli, amritha.nambiar, joe, dmitry.torokhov, andriy.shevchenko, netdev, linux-kernel On Tue, 19 Mar 2019 01:06:57 -0400 Wang Hai <wanghai26@huawei.com> wrote: > When registering struct net_device, it will call > register_netdevice -> > netdev_register_kobject -> > device_add(dev) > register_queue_kobjects(ndev) > > If device_add(dev) or register_queue_kobjects(ndev) fails. > Register_netdevice() will return error, causing netdev_freemem(ndev) > to be called to free net_device, however (&ndev->dev)->kobj.name will > not be freed, resulting in a memory leak. > > syzkaller report this: > BUG: memory leak > unreferenced object 0xffff8881f4fad168 (size 8): > comm "syz-executor.0", pid 3575, jiffies 4294778002 (age 20.134s) > hex dump (first 8 bytes): > 77 70 61 6e 30 00 ff ff wpan0... > backtrace: > [<000000006d2d91d7>] kstrdup_const+0x3d/0x50 mm/util.c:73 > [<00000000ba9ff953>] kvasprintf_const+0x112/0x170 lib/kasprintf.c:48 > [<000000005555ec09>] kobject_set_name_vargs+0x55/0x130 lib/kobject.c:281 > [<0000000098d28ec3>] dev_set_name+0xbb/0xf0 drivers/base/core.c:1915 > [<00000000b7553017>] netdev_register_kobject+0xc0/0x410 net/core/net-sysfs.c:1727 > [<00000000c826a797>] register_netdevice+0xa51/0xeb0 net/core/dev.c:8711 > [<00000000857bfcfd>] cfg802154_update_iface_num.isra.2+0x13/0x90 [ieee802154] > [<000000003126e453>] ieee802154_llsec_fill_key_id+0x1d5/0x570 [ieee802154] > [<00000000e4b3df51>] 0xffffffffc1500e0e > [<00000000b4319776>] platform_drv_probe+0xc6/0x180 drivers/base/platform.c:614 > [<0000000037669347>] really_probe+0x491/0x7c0 drivers/base/dd.c:509 > [<000000008fed8862>] driver_probe_device+0xdc/0x240 drivers/base/dd.c:671 > [<00000000baf52041>] device_driver_attach+0xf2/0x130 drivers/base/dd.c:945 > [<00000000c7cc8dec>] __driver_attach+0x10e/0x210 drivers/base/dd.c:1022 > [<0000000057a757c2>] bus_for_each_dev+0x154/0x1e0 drivers/base/bus.c:304 > [<000000005f5ae04b>] bus_add_driver+0x427/0x5e0 drivers/base/bus.c:645 > > Reported-by: Hulk Robot <hulkci@huawei.com> > Fixes: 1d24eb4815d1 ("xps: Transmit Packet Steering") > Signed-off-by: Wang Hai <wanghai26@huawei.com> > --- > net/core/net-sysfs.c | 15 ++++++++++----- > 1 file changed, 10 insertions(+), 5 deletions(-) > > diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c > index 4ff661f..f0e53dc 100644 > --- a/net/core/net-sysfs.c > +++ b/net/core/net-sysfs.c > @@ -1745,17 +1745,22 @@ int netdev_register_kobject(struct net_device *ndev) > > error = device_add(dev); > if (error) > - return error; > + goto device_add_error; > > error = register_queue_kobjects(ndev); > - if (error) { > - device_del(dev); > - return error; > - } > + if (error) > + goto register_error; > > pm_runtime_set_memalloc_noio(dev, true); > > +out: > return error; > + > +register_error: > + device_del(dev); > +device_add_error: > + kfree_const(dev->kobj.name); This looks a bug in device_add() not here. In general, it is better for an api to clean up after itself. Since dev->kobj.name is created in device_add and normally freed in device_del; why is device_add leaving it behind? ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH] net-sysfs: Fix memory leak in netdev_register_kobject 2019-03-18 15:57 ` Stephen Hemminger @ 2019-03-18 16:19 ` Andy Shevchenko [not found] ` <c1c266af-7aaa-00a7-aa7a-e61c65665741@huawei.com> 2019-03-19 3:03 ` wanghai (M) 1 sibling, 1 reply; 12+ messages in thread From: Andy Shevchenko @ 2019-03-18 16:19 UTC (permalink / raw) To: Stephen Hemminger Cc: Wang Hai, davem, idosch, alexander.h.duyck, tyhicks, f.fainelli, amritha.nambiar, joe, dmitry.torokhov, netdev, linux-kernel On Mon, Mar 18, 2019 at 08:57:24AM -0700, Stephen Hemminger wrote: > On Tue, 19 Mar 2019 01:06:57 -0400 > Wang Hai <wanghai26@huawei.com> wrote: > > > When registering struct net_device, it will call > > register_netdevice -> > > netdev_register_kobject -> > > device_add(dev) > > register_queue_kobjects(ndev) > > > > If device_add(dev) or register_queue_kobjects(ndev) fails. > > Register_netdevice() will return error, causing netdev_freemem(ndev) > > to be called to free net_device, however (&ndev->dev)->kobj.name will > > not be freed, resulting in a memory leak. > > > > syzkaller report this: > > BUG: memory leak > > unreferenced object 0xffff8881f4fad168 (size 8): > > comm "syz-executor.0", pid 3575, jiffies 4294778002 (age 20.134s) > > hex dump (first 8 bytes): > > 77 70 61 6e 30 00 ff ff wpan0... > > backtrace: > > [<000000006d2d91d7>] kstrdup_const+0x3d/0x50 mm/util.c:73 > > [<00000000ba9ff953>] kvasprintf_const+0x112/0x170 lib/kasprintf.c:48 > > [<000000005555ec09>] kobject_set_name_vargs+0x55/0x130 lib/kobject.c:281 > > [<0000000098d28ec3>] dev_set_name+0xbb/0xf0 drivers/base/core.c:1915 > > [<00000000b7553017>] netdev_register_kobject+0xc0/0x410 net/core/net-sysfs.c:1727 > > [<00000000c826a797>] register_netdevice+0xa51/0xeb0 net/core/dev.c:8711 > > [<00000000857bfcfd>] cfg802154_update_iface_num.isra.2+0x13/0x90 [ieee802154] > > [<000000003126e453>] ieee802154_llsec_fill_key_id+0x1d5/0x570 [ieee802154] > > [<00000000e4b3df51>] 0xffffffffc1500e0e > > [<00000000b4319776>] platform_drv_probe+0xc6/0x180 drivers/base/platform.c:614 > > [<0000000037669347>] really_probe+0x491/0x7c0 drivers/base/dd.c:509 > > [<000000008fed8862>] driver_probe_device+0xdc/0x240 drivers/base/dd.c:671 > > [<00000000baf52041>] device_driver_attach+0xf2/0x130 drivers/base/dd.c:945 > > [<00000000c7cc8dec>] __driver_attach+0x10e/0x210 drivers/base/dd.c:1022 > > [<0000000057a757c2>] bus_for_each_dev+0x154/0x1e0 drivers/base/bus.c:304 > > [<000000005f5ae04b>] bus_add_driver+0x427/0x5e0 drivers/base/bus.c:645 > > > > Reported-by: Hulk Robot <hulkci@huawei.com> > > Fixes: 1d24eb4815d1 ("xps: Transmit Packet Steering") > > Signed-off-by: Wang Hai <wanghai26@huawei.com> > > --- > > net/core/net-sysfs.c | 15 ++++++++++----- > > 1 file changed, 10 insertions(+), 5 deletions(-) > > > > diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c > > index 4ff661f..f0e53dc 100644 > > --- a/net/core/net-sysfs.c > > +++ b/net/core/net-sysfs.c > > @@ -1745,17 +1745,22 @@ int netdev_register_kobject(struct net_device *ndev) > > > > error = device_add(dev); > > if (error) > > - return error; > > + goto device_add_error; > > > > error = register_queue_kobjects(ndev); > > - if (error) { > > - device_del(dev); > > - return error; > > - } > > + if (error) > > + goto register_error; > > > > pm_runtime_set_memalloc_noio(dev, true); > > > > +out: > > return error; > > + > > +register_error: > > + device_del(dev); > > +device_add_error: > > + kfree_const(dev->kobj.name); > > This looks a bug in device_add() not here. > In general, it is better for an api to clean up after itself. > Since dev->kobj.name is created in device_add and normally freed > in device_del; why is device_add leaving it behind? It's more likely the bug in syzkaller. Look at the kobject_cleanup() last lines of code... -- With Best Regards, Andy Shevchenko ^ permalink raw reply [flat|nested] 12+ messages in thread
[parent not found: <c1c266af-7aaa-00a7-aa7a-e61c65665741@huawei.com>]
* Re: [PATCH] net-sysfs: Fix memory leak in netdev_register_kobject [not found] ` <c1c266af-7aaa-00a7-aa7a-e61c65665741@huawei.com> @ 2019-03-19 10:30 ` Andy Shevchenko [not found] ` <18553079-7bbd-fcfe-ef1c-6717e963e0a5@huawei.com> 0 siblings, 1 reply; 12+ messages in thread From: Andy Shevchenko @ 2019-03-19 10:30 UTC (permalink / raw) To: wanghai (M) Cc: Stephen Hemminger, davem, idosch, alexander.h.duyck, tyhicks, f.fainelli, amritha.nambiar, joe, dmitry.torokhov, netdev, linux-kernel On Tue, Mar 19, 2019 at 11:19:24AM +0800, wanghai (M) wrote: > > 在 2019/3/19 0:19, Andy Shevchenko 写道: > > On Mon, Mar 18, 2019 at 08:57:24AM -0700, Stephen Hemminger wrote: > > > On Tue, 19 Mar 2019 01:06:57 -0400 > > > Wang Hai <wanghai26@huawei.com> wrote: > > > This looks a bug in device_add() not here. > > > In general, it is better for an api to clean up after itself. > > > Since dev->kobj.name is created in device_add and normally freed > > > in device_del; why is device_add leaving it behind? > > It's more likely the bug in syzkaller. > > > > Look at the kobject_cleanup() last lines of code... > If device_add(dev) or register_queue_kobjects(ndev) fails, > In register_netdevice(), dev-> reg_state = NETREG_UNINITIALIZED and returns > an error, causing put_device(&dev-> dev) -> ..-> kobject_cleanup() not to be > called. OK, that's true, but your patch is wrong. See error handling in device_create_groups_vargs() for example. -- With Best Regards, Andy Shevchenko ^ permalink raw reply [flat|nested] 12+ messages in thread
[parent not found: <18553079-7bbd-fcfe-ef1c-6717e963e0a5@huawei.com>]
* Re: [PATCH] net-sysfs: Fix memory leak in netdev_register_kobject [not found] ` <18553079-7bbd-fcfe-ef1c-6717e963e0a5@huawei.com> @ 2019-03-19 14:00 ` Andy Shevchenko 2019-03-19 15:44 ` Stephen Hemminger 1 sibling, 0 replies; 12+ messages in thread From: Andy Shevchenko @ 2019-03-19 14:00 UTC (permalink / raw) To: wanghai (M) Cc: Stephen Hemminger, davem, idosch, alexander.h.duyck, tyhicks, f.fainelli, amritha.nambiar, joe, dmitry.torokhov, netdev, linux-kernel On Tue, Mar 19, 2019 at 08:17:01PM +0800, wanghai (M) wrote: > 在 2019/3/19 18:30, Andy Shevchenko 写道: > > On Tue, Mar 19, 2019 at 11:19:24AM +0800, wanghai (M) wrote: > > > 在 2019/3/19 0:19, Andy Shevchenko 写道: > > > If device_add(dev) or register_queue_kobjects(ndev) fails, > > > In register_netdevice(), dev-> reg_state = NETREG_UNINITIALIZED and returns > > > an error, causing put_device(&dev-> dev) -> ..-> kobject_cleanup() not to be > > > called. > > OK, that's true, but your patch is wrong. > > See error handling in device_create_groups_vargs() for example. > Hi Andy > Thanks for your advice. I understand the problem of my patch. > Can you help me see if it can be fixed like this? > > diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c > index 4ff661f..6fe5b8e 100644 > --- a/net/core/net-sysfs.c > +++ b/net/core/net-sysfs.c > @@ -1745,17 +1745,21 @@ int netdev_register_kobject(struct net_device *ndev) > > error = device_add(dev); > if (error) > - return error; > + goto device_add_error; This part seems correct now. > error = register_queue_kobjects(ndev); > - if (error) { > - device_del(dev); > - return error; > - } > + if (error) > + goto register_error; Yes, seems correct order here, i.e. device_del() followed by put_device(). > > pm_runtime_set_memalloc_noio(dev, true); > > +out: Better return 0; > return error; > +register_error: Better to describe what you will do here, i.e. error_device_del: > + device_del(dev); > +device_add_error: Ditto. error_put_device: > + put_device(dev); > + goto out; Better return error; > } -- With Best Regards, Andy Shevchenko ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH] net-sysfs: Fix memory leak in netdev_register_kobject [not found] ` <18553079-7bbd-fcfe-ef1c-6717e963e0a5@huawei.com> 2019-03-19 14:00 ` Andy Shevchenko @ 2019-03-19 15:44 ` Stephen Hemminger 1 sibling, 0 replies; 12+ messages in thread From: Stephen Hemminger @ 2019-03-19 15:44 UTC (permalink / raw) To: wanghai (M) Cc: Andy Shevchenko, davem, idosch, alexander.h.duyck, tyhicks, f.fainelli, amritha.nambiar, joe, dmitry.torokhov, netdev, linux-kernel On Tue, 19 Mar 2019 20:17:01 +0800 "wanghai (M)" <wanghai26@huawei.com> wrote: > +out: > return error; > +register_error: > + device_del(dev); > +device_add_error: > + put_device(dev); > + goto out; Everything looks fine, but I would redo the last part without the last goto out. Using a goto back to single return reduces readability. if (error) goto register_error; pm_runtime_set_memalloc_noio(dev, true); return 0; register_error: device_del(dev); device_add_error: put_device(dev); return error; ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH] net-sysfs: Fix memory leak in netdev_register_kobject 2019-03-18 15:57 ` Stephen Hemminger 2019-03-18 16:19 ` Andy Shevchenko @ 2019-03-19 3:03 ` wanghai (M) 2019-03-19 3:15 ` Stephen Hemminger 1 sibling, 1 reply; 12+ messages in thread From: wanghai (M) @ 2019-03-19 3:03 UTC (permalink / raw) To: Stephen Hemminger Cc: davem, idosch, alexander.h.duyck, tyhicks, f.fainelli, amritha.nambiar, joe, dmitry.torokhov, andriy.shevchenko, netdev, linux-kernel 在 2019/3/18 23:57, Stephen Hemminger 写道: > On Tue, 19 Mar 2019 01:06:57 -0400 > Wang Hai <wanghai26@huawei.com> wrote: > >> When registering struct net_device, it will call >> register_netdevice -> >> netdev_register_kobject -> >> device_add(dev) >> register_queue_kobjects(ndev) >> >> If device_add(dev) or register_queue_kobjects(ndev) fails. >> Register_netdevice() will return error, causing netdev_freemem(ndev) >> to be called to free net_device, however (&ndev->dev)->kobj.name will >> not be freed, resulting in a memory leak. >> >> syzkaller report this: >> BUG: memory leak >> unreferenced object 0xffff8881f4fad168 (size 8): >> comm "syz-executor.0", pid 3575, jiffies 4294778002 (age 20.134s) >> hex dump (first 8 bytes): >> 77 70 61 6e 30 00 ff ff wpan0... >> backtrace: >> [<000000006d2d91d7>] kstrdup_const+0x3d/0x50 mm/util.c:73 >> [<00000000ba9ff953>] kvasprintf_const+0x112/0x170 lib/kasprintf.c:48 >> [<000000005555ec09>] kobject_set_name_vargs+0x55/0x130 lib/kobject.c:281 >> [<0000000098d28ec3>] dev_set_name+0xbb/0xf0 drivers/base/core.c:1915 >> [<00000000b7553017>] netdev_register_kobject+0xc0/0x410 net/core/net-sysfs.c:1727 >> [<00000000c826a797>] register_netdevice+0xa51/0xeb0 net/core/dev.c:8711 >> [<00000000857bfcfd>] cfg802154_update_iface_num.isra.2+0x13/0x90 [ieee802154] >> [<000000003126e453>] ieee802154_llsec_fill_key_id+0x1d5/0x570 [ieee802154] >> [<00000000e4b3df51>] 0xffffffffc1500e0e >> [<00000000b4319776>] platform_drv_probe+0xc6/0x180 drivers/base/platform.c:614 >> [<0000000037669347>] really_probe+0x491/0x7c0 drivers/base/dd.c:509 >> [<000000008fed8862>] driver_probe_device+0xdc/0x240 drivers/base/dd.c:671 >> [<00000000baf52041>] device_driver_attach+0xf2/0x130 drivers/base/dd.c:945 >> [<00000000c7cc8dec>] __driver_attach+0x10e/0x210 drivers/base/dd.c:1022 >> [<0000000057a757c2>] bus_for_each_dev+0x154/0x1e0 drivers/base/bus.c:304 >> [<000000005f5ae04b>] bus_add_driver+0x427/0x5e0 drivers/base/bus.c:645 >> >> Reported-by: Hulk Robot <hulkci@huawei.com> >> Fixes: 1d24eb4815d1 ("xps: Transmit Packet Steering") >> Signed-off-by: Wang Hai <wanghai26@huawei.com> >> --- >> net/core/net-sysfs.c | 15 ++++++++++----- >> 1 file changed, 10 insertions(+), 5 deletions(-) >> >> diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c >> index 4ff661f..f0e53dc 100644 >> --- a/net/core/net-sysfs.c >> +++ b/net/core/net-sysfs.c >> @@ -1745,17 +1745,22 @@ int netdev_register_kobject(struct net_device *ndev) >> >> error = device_add(dev); >> if (error) >> - return error; >> + goto device_add_error; >> >> error = register_queue_kobjects(ndev); >> - if (error) { >> - device_del(dev); >> - return error; >> - } >> + if (error) >> + goto register_error; >> >> pm_runtime_set_memalloc_noio(dev, true); >> >> +out: >> return error; >> + >> +register_error: >> + device_del(dev); >> +device_add_error: >> + kfree_const(dev->kobj.name); > This looks a bug in device_add() not here. > In general, it is better for an api to clean up after itself. > Since dev->kobj.name is created in device_add and normally freed > in device_del; why is device_add leaving it behind?\ When registering struct net_device, it will call register_netdevice -> netdev_register_kobject -> dev_set_name(dev, "%s", ndev->name) device_add(dev) register_queue_kobjects(ndev) The dev->kobj.name that causes the memory leak is created in dev_set_name(dev, "%s", ndev-> name) in the function netdev_register_kobject(), not in device_add(dev). If device_add(dev) or register_queue_kobjects(ndev) fails, it should release dev-> kobj.name in netdev_register_kobject() ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH] net-sysfs: Fix memory leak in netdev_register_kobject 2019-03-19 3:03 ` wanghai (M) @ 2019-03-19 3:15 ` Stephen Hemminger 2019-03-19 3:39 ` wanghai (M) 0 siblings, 1 reply; 12+ messages in thread From: Stephen Hemminger @ 2019-03-19 3:15 UTC (permalink / raw) To: wanghai (M) Cc: davem, idosch, alexander.h.duyck, tyhicks, f.fainelli, amritha.nambiar, joe, dmitry.torokhov, andriy.shevchenko, netdev, linux-kernel On Tue, 19 Mar 2019 11:03:54 +0800 "wanghai (M)" <wanghai26@huawei.com> wrote: > 在 2019/3/18 23:57, Stephen Hemminger 写道: > > On Tue, 19 Mar 2019 01:06:57 -0400 > > Wang Hai <wanghai26@huawei.com> wrote: > > > >> When registering struct net_device, it will call > >> register_netdevice -> > >> netdev_register_kobject -> > >> device_add(dev) > >> register_queue_kobjects(ndev) > >> > >> If device_add(dev) or register_queue_kobjects(ndev) fails. > >> Register_netdevice() will return error, causing netdev_freemem(ndev) > >> to be called to free net_device, however (&ndev->dev)->kobj.name will > >> not be freed, resulting in a memory leak. > >> > >> syzkaller report this: > >> BUG: memory leak > >> unreferenced object 0xffff8881f4fad168 (size 8): > >> comm "syz-executor.0", pid 3575, jiffies 4294778002 (age 20.134s) > >> hex dump (first 8 bytes): > >> 77 70 61 6e 30 00 ff ff wpan0... > >> backtrace: > >> [<000000006d2d91d7>] kstrdup_const+0x3d/0x50 mm/util.c:73 > >> [<00000000ba9ff953>] kvasprintf_const+0x112/0x170 lib/kasprintf.c:48 > >> [<000000005555ec09>] kobject_set_name_vargs+0x55/0x130 lib/kobject.c:281 > >> [<0000000098d28ec3>] dev_set_name+0xbb/0xf0 drivers/base/core.c:1915 > >> [<00000000b7553017>] netdev_register_kobject+0xc0/0x410 net/core/net-sysfs.c:1727 > >> [<00000000c826a797>] register_netdevice+0xa51/0xeb0 net/core/dev.c:8711 > >> [<00000000857bfcfd>] cfg802154_update_iface_num.isra.2+0x13/0x90 [ieee802154] > >> [<000000003126e453>] ieee802154_llsec_fill_key_id+0x1d5/0x570 [ieee802154] > >> [<00000000e4b3df51>] 0xffffffffc1500e0e > >> [<00000000b4319776>] platform_drv_probe+0xc6/0x180 drivers/base/platform.c:614 > >> [<0000000037669347>] really_probe+0x491/0x7c0 drivers/base/dd.c:509 > >> [<000000008fed8862>] driver_probe_device+0xdc/0x240 drivers/base/dd.c:671 > >> [<00000000baf52041>] device_driver_attach+0xf2/0x130 drivers/base/dd.c:945 > >> [<00000000c7cc8dec>] __driver_attach+0x10e/0x210 drivers/base/dd.c:1022 > >> [<0000000057a757c2>] bus_for_each_dev+0x154/0x1e0 drivers/base/bus.c:304 > >> [<000000005f5ae04b>] bus_add_driver+0x427/0x5e0 drivers/base/bus.c:645 > >> > >> Reported-by: Hulk Robot <hulkci@huawei.com> > >> Fixes: 1d24eb4815d1 ("xps: Transmit Packet Steering") > >> Signed-off-by: Wang Hai <wanghai26@huawei.com> > >> --- > >> net/core/net-sysfs.c | 15 ++++++++++----- > >> 1 file changed, 10 insertions(+), 5 deletions(-) > >> > >> diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c > >> index 4ff661f..f0e53dc 100644 > >> --- a/net/core/net-sysfs.c > >> +++ b/net/core/net-sysfs.c > >> @@ -1745,17 +1745,22 @@ int netdev_register_kobject(struct net_device *ndev) > >> > >> error = device_add(dev); > >> if (error) > >> - return error; > >> + goto device_add_error; > >> > >> error = register_queue_kobjects(ndev); > >> - if (error) { > >> - device_del(dev); > >> - return error; > >> - } > >> + if (error) > >> + goto register_error; > >> > >> pm_runtime_set_memalloc_noio(dev, true); > >> > >> +out: > >> return error; > >> + > >> +register_error: > >> + device_del(dev); > >> +device_add_error: > >> + kfree_const(dev->kobj.name); > > This looks a bug in device_add() not here. > > In general, it is better for an api to clean up after itself. > > Since dev->kobj.name is created in device_add and normally freed > > in device_del; why is device_add leaving it behind?\ > > When registering struct net_device, it will call > register_netdevice -> > netdev_register_kobject -> > dev_set_name(dev, "%s", ndev->name) > device_add(dev) > register_queue_kobjects(ndev) > > The dev->kobj.name that causes the memory leak is created in > dev_set_name(dev, "%s", ndev-> name) in the function > netdev_register_kobject(), not in device_add(dev). If device_add(dev) or > register_queue_kobjects(ndev) fails, it should release dev-> kobj.name > in netdev_register_kobject() Good catch, dev_set_name is using asprintf to allocate new memory for the name. The problem with your patch is that device_del() already cleans up the device (including name). The device object should really not be touched after device_del. Where is the name freed in the normal case? ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH] net-sysfs: Fix memory leak in netdev_register_kobject 2019-03-19 3:15 ` Stephen Hemminger @ 2019-03-19 3:39 ` wanghai (M) 2019-03-19 10:22 ` Andy Shevchenko 0 siblings, 1 reply; 12+ messages in thread From: wanghai (M) @ 2019-03-19 3:39 UTC (permalink / raw) To: Stephen Hemminger Cc: davem, idosch, alexander.h.duyck, tyhicks, f.fainelli, amritha.nambiar, joe, dmitry.torokhov, andriy.shevchenko, netdev, linux-kernel 在 2019/3/19 11:15, Stephen Hemminger 写道: > On Tue, 19 Mar 2019 11:03:54 +0800 > "wanghai (M)" <wanghai26@huawei.com> wrote: > >> 在 2019/3/18 23:57, Stephen Hemminger 写道: >>> On Tue, 19 Mar 2019 01:06:57 -0400 >>> Wang Hai <wanghai26@huawei.com> wrote: >>> >>>> When registering struct net_device, it will call >>>> register_netdevice -> >>>> netdev_register_kobject -> >>>> device_add(dev) >>>> register_queue_kobjects(ndev) >>>> >>>> If device_add(dev) or register_queue_kobjects(ndev) fails. >>>> Register_netdevice() will return error, causing netdev_freemem(ndev) >>>> to be called to free net_device, however (&ndev->dev)->kobj.name will >>>> not be freed, resulting in a memory leak. >>>> >>>> syzkaller report this: >>>> BUG: memory leak >>>> unreferenced object 0xffff8881f4fad168 (size 8): >>>> comm "syz-executor.0", pid 3575, jiffies 4294778002 (age 20.134s) >>>> hex dump (first 8 bytes): >>>> 77 70 61 6e 30 00 ff ff wpan0... >>>> backtrace: >>>> [<000000006d2d91d7>] kstrdup_const+0x3d/0x50 mm/util.c:73 >>>> [<00000000ba9ff953>] kvasprintf_const+0x112/0x170 lib/kasprintf.c:48 >>>> [<000000005555ec09>] kobject_set_name_vargs+0x55/0x130 lib/kobject.c:281 >>>> [<0000000098d28ec3>] dev_set_name+0xbb/0xf0 drivers/base/core.c:1915 >>>> [<00000000b7553017>] netdev_register_kobject+0xc0/0x410 net/core/net-sysfs.c:1727 >>>> [<00000000c826a797>] register_netdevice+0xa51/0xeb0 net/core/dev.c:8711 >>>> [<00000000857bfcfd>] cfg802154_update_iface_num.isra.2+0x13/0x90 [ieee802154] >>>> [<000000003126e453>] ieee802154_llsec_fill_key_id+0x1d5/0x570 [ieee802154] >>>> [<00000000e4b3df51>] 0xffffffffc1500e0e >>>> [<00000000b4319776>] platform_drv_probe+0xc6/0x180 drivers/base/platform.c:614 >>>> [<0000000037669347>] really_probe+0x491/0x7c0 drivers/base/dd.c:509 >>>> [<000000008fed8862>] driver_probe_device+0xdc/0x240 drivers/base/dd.c:671 >>>> [<00000000baf52041>] device_driver_attach+0xf2/0x130 drivers/base/dd.c:945 >>>> [<00000000c7cc8dec>] __driver_attach+0x10e/0x210 drivers/base/dd.c:1022 >>>> [<0000000057a757c2>] bus_for_each_dev+0x154/0x1e0 drivers/base/bus.c:304 >>>> [<000000005f5ae04b>] bus_add_driver+0x427/0x5e0 drivers/base/bus.c:645 >>>> >>>> Reported-by: Hulk Robot <hulkci@huawei.com> >>>> Fixes: 1d24eb4815d1 ("xps: Transmit Packet Steering") >>>> Signed-off-by: Wang Hai <wanghai26@huawei.com> >>>> --- >>>> net/core/net-sysfs.c | 15 ++++++++++----- >>>> 1 file changed, 10 insertions(+), 5 deletions(-) >>>> >>>> diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c >>>> index 4ff661f..f0e53dc 100644 >>>> --- a/net/core/net-sysfs.c >>>> +++ b/net/core/net-sysfs.c >>>> @@ -1745,17 +1745,22 @@ int netdev_register_kobject(struct net_device *ndev) >>>> >>>> error = device_add(dev); >>>> if (error) >>>> - return error; >>>> + goto device_add_error; >>>> >>>> error = register_queue_kobjects(ndev); >>>> - if (error) { >>>> - device_del(dev); >>>> - return error; >>>> - } >>>> + if (error) >>>> + goto register_error; >>>> >>>> pm_runtime_set_memalloc_noio(dev, true); >>>> >>>> +out: >>>> return error; >>>> + >>>> +register_error: >>>> + device_del(dev); >>>> +device_add_error: >>>> + kfree_const(dev->kobj.name); >>> This looks a bug in device_add() not here. >>> In general, it is better for an api to clean up after itself. >>> Since dev->kobj.name is created in device_add and normally freed >>> in device_del; why is device_add leaving it behind?\ >> When registering struct net_device, it will call >> register_netdevice -> >> netdev_register_kobject -> >> dev_set_name(dev, "%s", ndev->name) >> device_add(dev) >> register_queue_kobjects(ndev) >> >> The dev->kobj.name that causes the memory leak is created in >> dev_set_name(dev, "%s", ndev-> name) in the function >> netdev_register_kobject(), not in device_add(dev). If device_add(dev) or >> register_queue_kobjects(ndev) fails, it should release dev-> kobj.name >> in netdev_register_kobject() > Good catch, dev_set_name is using asprintf to allocate new memory > for the name. The problem with your patch is that device_del() > already cleans up the device (including name). The device object > should really not be touched after device_del. > > Where is the name freed in the normal case? > > > . Device_del just delete device from system, but do not clean up dev->kobj.name. In normal case, the name is freed in free_netdev(dev)->put_device(&dev->dev)->kobject_put(&dev->kobj)->kobject_cleanup() ,not in device_del() ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH] net-sysfs: Fix memory leak in netdev_register_kobject 2019-03-19 3:39 ` wanghai (M) @ 2019-03-19 10:22 ` Andy Shevchenko 0 siblings, 0 replies; 12+ messages in thread From: Andy Shevchenko @ 2019-03-19 10:22 UTC (permalink / raw) To: wanghai (M) Cc: Stephen Hemminger, davem, idosch, alexander.h.duyck, tyhicks, f.fainelli, amritha.nambiar, joe, dmitry.torokhov, netdev, linux-kernel On Tue, Mar 19, 2019 at 11:39:54AM +0800, wanghai (M) wrote: > 在 2019/3/19 11:15, Stephen Hemminger 写道: > Device_del just delete device from system, but do not clean up > dev->kobj.name. May I ask how you get this conclusion? > In normal case, the name is freed in free_netdev(dev)->put_device(&dev->dev)->kobject_put(&dev->kobj)->kobject_cleanup() > ,not in device_del() -- With Best Regards, Andy Shevchenko ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH] net-sysfs: Fix memory leak in netdev_register_kobject 2019-03-19 5:06 [PATCH] net-sysfs: Fix memory leak in netdev_register_kobject Wang Hai 2019-03-18 15:57 ` Stephen Hemminger @ 2019-03-18 18:02 ` Eric Dumazet 2019-03-19 3:47 ` wanghai (M) 1 sibling, 1 reply; 12+ messages in thread From: Eric Dumazet @ 2019-03-18 18:02 UTC (permalink / raw) To: Wang Hai, davem, idosch, alexander.h.duyck, tyhicks, f.fainelli Cc: amritha.nambiar, joe, dmitry.torokhov, andriy.shevchenko, netdev, linux-kernel On 03/18/2019 10:06 PM, Wang Hai wrote: > When registering struct net_device, it will call > register_netdevice -> > netdev_register_kobject -> > device_add(dev) > register_queue_kobjects(ndev) > > If device_add(dev) or register_queue_kobjects(ndev) fails. > Register_netdevice() will return error, causing netdev_freemem(ndev) > to be called to free net_device, however (&ndev->dev)->kobj.name will > not be freed, resulting in a memory leak. > > syzkaller report this: > BUG: memory leak > unreferenced object 0xffff8881f4fad168 (size 8): > comm "syz-executor.0", pid 3575, jiffies 4294778002 (age 20.134s) > hex dump (first 8 bytes): > 77 70 61 6e 30 00 ff ff wpan0... > backtrace: > [<000000006d2d91d7>] kstrdup_const+0x3d/0x50 mm/util.c:73 > [<00000000ba9ff953>] kvasprintf_const+0x112/0x170 lib/kasprintf.c:48 > [<000000005555ec09>] kobject_set_name_vargs+0x55/0x130 lib/kobject.c:281 > [<0000000098d28ec3>] dev_set_name+0xbb/0xf0 drivers/base/core.c:1915 > [<00000000b7553017>] netdev_register_kobject+0xc0/0x410 net/core/net-sysfs.c:1727 > [<00000000c826a797>] register_netdevice+0xa51/0xeb0 net/core/dev.c:8711 > [<00000000857bfcfd>] cfg802154_update_iface_num.isra.2+0x13/0x90 [ieee802154] > [<000000003126e453>] ieee802154_llsec_fill_key_id+0x1d5/0x570 [ieee802154] > [<00000000e4b3df51>] 0xffffffffc1500e0e > [<00000000b4319776>] platform_drv_probe+0xc6/0x180 drivers/base/platform.c:614 > [<0000000037669347>] really_probe+0x491/0x7c0 drivers/base/dd.c:509 > [<000000008fed8862>] driver_probe_device+0xdc/0x240 drivers/base/dd.c:671 > [<00000000baf52041>] device_driver_attach+0xf2/0x130 drivers/base/dd.c:945 > [<00000000c7cc8dec>] __driver_attach+0x10e/0x210 drivers/base/dd.c:1022 > [<0000000057a757c2>] bus_for_each_dev+0x154/0x1e0 drivers/base/bus.c:304 > [<000000005f5ae04b>] bus_add_driver+0x427/0x5e0 drivers/base/bus.c:645 > > Reported-by: Hulk Robot <hulkci@huawei.com> > Fixes: 1d24eb4815d1 ("xps: Transmit Packet Steering") The bug was there before this commit, right ? ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH] net-sysfs: Fix memory leak in netdev_register_kobject 2019-03-18 18:02 ` Eric Dumazet @ 2019-03-19 3:47 ` wanghai (M) 0 siblings, 0 replies; 12+ messages in thread From: wanghai (M) @ 2019-03-19 3:47 UTC (permalink / raw) To: Eric Dumazet, davem, idosch, alexander.h.duyck, tyhicks, f.fainelli Cc: amritha.nambiar, joe, dmitry.torokhov, andriy.shevchenko, netdev, linux-kernel 在 2019/3/19 2:02, Eric Dumazet 写道: > > On 03/18/2019 10:06 PM, Wang Hai wrote: >> When registering struct net_device, it will call >> register_netdevice -> >> netdev_register_kobject -> >> device_add(dev) >> register_queue_kobjects(ndev) >> >> If device_add(dev) or register_queue_kobjects(ndev) fails. >> Register_netdevice() will return error, causing netdev_freemem(ndev) >> to be called to free net_device, however (&ndev->dev)->kobj.name will >> not be freed, resulting in a memory leak. >> >> syzkaller report this: >> BUG: memory leak >> unreferenced object 0xffff8881f4fad168 (size 8): >> comm "syz-executor.0", pid 3575, jiffies 4294778002 (age 20.134s) >> hex dump (first 8 bytes): >> 77 70 61 6e 30 00 ff ff wpan0... >> backtrace: >> [<000000006d2d91d7>] kstrdup_const+0x3d/0x50 mm/util.c:73 >> [<00000000ba9ff953>] kvasprintf_const+0x112/0x170 lib/kasprintf.c:48 >> [<000000005555ec09>] kobject_set_name_vargs+0x55/0x130 lib/kobject.c:281 >> [<0000000098d28ec3>] dev_set_name+0xbb/0xf0 drivers/base/core.c:1915 >> [<00000000b7553017>] netdev_register_kobject+0xc0/0x410 net/core/net-sysfs.c:1727 >> [<00000000c826a797>] register_netdevice+0xa51/0xeb0 net/core/dev.c:8711 >> [<00000000857bfcfd>] cfg802154_update_iface_num.isra.2+0x13/0x90 [ieee802154] >> [<000000003126e453>] ieee802154_llsec_fill_key_id+0x1d5/0x570 [ieee802154] >> [<00000000e4b3df51>] 0xffffffffc1500e0e >> [<00000000b4319776>] platform_drv_probe+0xc6/0x180 drivers/base/platform.c:614 >> [<0000000037669347>] really_probe+0x491/0x7c0 drivers/base/dd.c:509 >> [<000000008fed8862>] driver_probe_device+0xdc/0x240 drivers/base/dd.c:671 >> [<00000000baf52041>] device_driver_attach+0xf2/0x130 drivers/base/dd.c:945 >> [<00000000c7cc8dec>] __driver_attach+0x10e/0x210 drivers/base/dd.c:1022 >> [<0000000057a757c2>] bus_for_each_dev+0x154/0x1e0 drivers/base/bus.c:304 >> [<000000005f5ae04b>] bus_add_driver+0x427/0x5e0 drivers/base/bus.c:645 >> >> Reported-by: Hulk Robot <hulkci@huawei.com> >> Fixes: 1d24eb4815d1 ("xps: Transmit Packet Steering") > The bug was there before this commit, right ? > > . Sorry, I read the code carefully, this is a mistake, the correct fix commit is 1fa5ae857bb1(driver core: get rid of struct device's bus_id string array). I will send a patch v2 ^ permalink raw reply [flat|nested] 12+ messages in thread
end of thread, other threads:[~2019-03-19 15:45 UTC | newest]
Thread overview: 12+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-03-19 5:06 [PATCH] net-sysfs: Fix memory leak in netdev_register_kobject Wang Hai
2019-03-18 15:57 ` Stephen Hemminger
2019-03-18 16:19 ` Andy Shevchenko
[not found] ` <c1c266af-7aaa-00a7-aa7a-e61c65665741@huawei.com>
2019-03-19 10:30 ` Andy Shevchenko
[not found] ` <18553079-7bbd-fcfe-ef1c-6717e963e0a5@huawei.com>
2019-03-19 14:00 ` Andy Shevchenko
2019-03-19 15:44 ` Stephen Hemminger
2019-03-19 3:03 ` wanghai (M)
2019-03-19 3:15 ` Stephen Hemminger
2019-03-19 3:39 ` wanghai (M)
2019-03-19 10:22 ` Andy Shevchenko
2019-03-18 18:02 ` Eric Dumazet
2019-03-19 3:47 ` wanghai (M)
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).