* [PATCH] net-sysfs: Fix memory leak in netdev_register_kobject @ 2019-03-19 5:06 Wang Hai 2019-03-18 15:57 ` Stephen Hemminger 2019-03-18 18:02 ` Eric Dumazet 0 siblings, 2 replies; 12+ messages in thread From: Wang Hai @ 2019-03-19 5:06 UTC (permalink / raw) To: davem, idosch, alexander.h.duyck, tyhicks, f.fainelli Cc: amritha.nambiar, joe, dmitry.torokhov, andriy.shevchenko, netdev, linux-kernel, wanghai26 When registering struct net_device, it will call register_netdevice -> netdev_register_kobject -> device_add(dev) register_queue_kobjects(ndev) If device_add(dev) or register_queue_kobjects(ndev) fails. Register_netdevice() will return error, causing netdev_freemem(ndev) to be called to free net_device, however (&ndev->dev)->kobj.name will not be freed, resulting in a memory leak. syzkaller report this: BUG: memory leak unreferenced object 0xffff8881f4fad168 (size 8): comm "syz-executor.0", pid 3575, jiffies 4294778002 (age 20.134s) hex dump (first 8 bytes): 77 70 61 6e 30 00 ff ff wpan0... backtrace: [<000000006d2d91d7>] kstrdup_const+0x3d/0x50 mm/util.c:73 [<00000000ba9ff953>] kvasprintf_const+0x112/0x170 lib/kasprintf.c:48 [<000000005555ec09>] kobject_set_name_vargs+0x55/0x130 lib/kobject.c:281 [<0000000098d28ec3>] dev_set_name+0xbb/0xf0 drivers/base/core.c:1915 [<00000000b7553017>] netdev_register_kobject+0xc0/0x410 net/core/net-sysfs.c:1727 [<00000000c826a797>] register_netdevice+0xa51/0xeb0 net/core/dev.c:8711 [<00000000857bfcfd>] cfg802154_update_iface_num.isra.2+0x13/0x90 [ieee802154] [<000000003126e453>] ieee802154_llsec_fill_key_id+0x1d5/0x570 [ieee802154] [<00000000e4b3df51>] 0xffffffffc1500e0e [<00000000b4319776>] platform_drv_probe+0xc6/0x180 drivers/base/platform.c:614 [<0000000037669347>] really_probe+0x491/0x7c0 drivers/base/dd.c:509 [<000000008fed8862>] driver_probe_device+0xdc/0x240 drivers/base/dd.c:671 [<00000000baf52041>] device_driver_attach+0xf2/0x130 drivers/base/dd.c:945 [<00000000c7cc8dec>] __driver_attach+0x10e/0x210 drivers/base/dd.c:1022 [<0000000057a757c2>] bus_for_each_dev+0x154/0x1e0 drivers/base/bus.c:304 [<000000005f5ae04b>] bus_add_driver+0x427/0x5e0 drivers/base/bus.c:645 Reported-by: Hulk Robot <hulkci@huawei.com> Fixes: 1d24eb4815d1 ("xps: Transmit Packet Steering") Signed-off-by: Wang Hai <wanghai26@huawei.com> --- net/core/net-sysfs.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c index 4ff661f..f0e53dc 100644 --- a/net/core/net-sysfs.c +++ b/net/core/net-sysfs.c @@ -1745,17 +1745,22 @@ int netdev_register_kobject(struct net_device *ndev) error = device_add(dev); if (error) - return error; + goto device_add_error; error = register_queue_kobjects(ndev); - if (error) { - device_del(dev); - return error; - } + if (error) + goto register_error; pm_runtime_set_memalloc_noio(dev, true); +out: return error; + +register_error: + device_del(dev); +device_add_error: + kfree_const(dev->kobj.name); + goto out; } int netdev_class_create_file_ns(const struct class_attribute *class_attr, -- 1.8.3.1 ^ permalink raw reply related [flat|nested] 12+ messages in thread
* Re: [PATCH] net-sysfs: Fix memory leak in netdev_register_kobject 2019-03-19 5:06 [PATCH] net-sysfs: Fix memory leak in netdev_register_kobject Wang Hai @ 2019-03-18 15:57 ` Stephen Hemminger 2019-03-18 16:19 ` Andy Shevchenko 2019-03-19 3:03 ` wanghai (M) 2019-03-18 18:02 ` Eric Dumazet 1 sibling, 2 replies; 12+ messages in thread From: Stephen Hemminger @ 2019-03-18 15:57 UTC (permalink / raw) To: Wang Hai Cc: davem, idosch, alexander.h.duyck, tyhicks, f.fainelli, amritha.nambiar, joe, dmitry.torokhov, andriy.shevchenko, netdev, linux-kernel On Tue, 19 Mar 2019 01:06:57 -0400 Wang Hai <wanghai26@huawei.com> wrote: > When registering struct net_device, it will call > register_netdevice -> > netdev_register_kobject -> > device_add(dev) > register_queue_kobjects(ndev) > > If device_add(dev) or register_queue_kobjects(ndev) fails. > Register_netdevice() will return error, causing netdev_freemem(ndev) > to be called to free net_device, however (&ndev->dev)->kobj.name will > not be freed, resulting in a memory leak. > > syzkaller report this: > BUG: memory leak > unreferenced object 0xffff8881f4fad168 (size 8): > comm "syz-executor.0", pid 3575, jiffies 4294778002 (age 20.134s) > hex dump (first 8 bytes): > 77 70 61 6e 30 00 ff ff wpan0... > backtrace: > [<000000006d2d91d7>] kstrdup_const+0x3d/0x50 mm/util.c:73 > [<00000000ba9ff953>] kvasprintf_const+0x112/0x170 lib/kasprintf.c:48 > [<000000005555ec09>] kobject_set_name_vargs+0x55/0x130 lib/kobject.c:281 > [<0000000098d28ec3>] dev_set_name+0xbb/0xf0 drivers/base/core.c:1915 > [<00000000b7553017>] netdev_register_kobject+0xc0/0x410 net/core/net-sysfs.c:1727 > [<00000000c826a797>] register_netdevice+0xa51/0xeb0 net/core/dev.c:8711 > [<00000000857bfcfd>] cfg802154_update_iface_num.isra.2+0x13/0x90 [ieee802154] > [<000000003126e453>] ieee802154_llsec_fill_key_id+0x1d5/0x570 [ieee802154] > [<00000000e4b3df51>] 0xffffffffc1500e0e > [<00000000b4319776>] platform_drv_probe+0xc6/0x180 drivers/base/platform.c:614 > [<0000000037669347>] really_probe+0x491/0x7c0 drivers/base/dd.c:509 > [<000000008fed8862>] driver_probe_device+0xdc/0x240 drivers/base/dd.c:671 > [<00000000baf52041>] device_driver_attach+0xf2/0x130 drivers/base/dd.c:945 > [<00000000c7cc8dec>] __driver_attach+0x10e/0x210 drivers/base/dd.c:1022 > [<0000000057a757c2>] bus_for_each_dev+0x154/0x1e0 drivers/base/bus.c:304 > [<000000005f5ae04b>] bus_add_driver+0x427/0x5e0 drivers/base/bus.c:645 > > Reported-by: Hulk Robot <hulkci@huawei.com> > Fixes: 1d24eb4815d1 ("xps: Transmit Packet Steering") > Signed-off-by: Wang Hai <wanghai26@huawei.com> > --- > net/core/net-sysfs.c | 15 ++++++++++----- > 1 file changed, 10 insertions(+), 5 deletions(-) > > diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c > index 4ff661f..f0e53dc 100644 > --- a/net/core/net-sysfs.c > +++ b/net/core/net-sysfs.c > @@ -1745,17 +1745,22 @@ int netdev_register_kobject(struct net_device *ndev) > > error = device_add(dev); > if (error) > - return error; > + goto device_add_error; > > error = register_queue_kobjects(ndev); > - if (error) { > - device_del(dev); > - return error; > - } > + if (error) > + goto register_error; > > pm_runtime_set_memalloc_noio(dev, true); > > +out: > return error; > + > +register_error: > + device_del(dev); > +device_add_error: > + kfree_const(dev->kobj.name); This looks a bug in device_add() not here. In general, it is better for an api to clean up after itself. Since dev->kobj.name is created in device_add and normally freed in device_del; why is device_add leaving it behind? ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH] net-sysfs: Fix memory leak in netdev_register_kobject 2019-03-18 15:57 ` Stephen Hemminger @ 2019-03-18 16:19 ` Andy Shevchenko [not found] ` <c1c266af-7aaa-00a7-aa7a-e61c65665741@huawei.com> 2019-03-19 3:03 ` wanghai (M) 1 sibling, 1 reply; 12+ messages in thread From: Andy Shevchenko @ 2019-03-18 16:19 UTC (permalink / raw) To: Stephen Hemminger Cc: Wang Hai, davem, idosch, alexander.h.duyck, tyhicks, f.fainelli, amritha.nambiar, joe, dmitry.torokhov, netdev, linux-kernel On Mon, Mar 18, 2019 at 08:57:24AM -0700, Stephen Hemminger wrote: > On Tue, 19 Mar 2019 01:06:57 -0400 > Wang Hai <wanghai26@huawei.com> wrote: > > > When registering struct net_device, it will call > > register_netdevice -> > > netdev_register_kobject -> > > device_add(dev) > > register_queue_kobjects(ndev) > > > > If device_add(dev) or register_queue_kobjects(ndev) fails. > > Register_netdevice() will return error, causing netdev_freemem(ndev) > > to be called to free net_device, however (&ndev->dev)->kobj.name will > > not be freed, resulting in a memory leak. > > > > syzkaller report this: > > BUG: memory leak > > unreferenced object 0xffff8881f4fad168 (size 8): > > comm "syz-executor.0", pid 3575, jiffies 4294778002 (age 20.134s) > > hex dump (first 8 bytes): > > 77 70 61 6e 30 00 ff ff wpan0... > > backtrace: > > [<000000006d2d91d7>] kstrdup_const+0x3d/0x50 mm/util.c:73 > > [<00000000ba9ff953>] kvasprintf_const+0x112/0x170 lib/kasprintf.c:48 > > [<000000005555ec09>] kobject_set_name_vargs+0x55/0x130 lib/kobject.c:281 > > [<0000000098d28ec3>] dev_set_name+0xbb/0xf0 drivers/base/core.c:1915 > > [<00000000b7553017>] netdev_register_kobject+0xc0/0x410 net/core/net-sysfs.c:1727 > > [<00000000c826a797>] register_netdevice+0xa51/0xeb0 net/core/dev.c:8711 > > [<00000000857bfcfd>] cfg802154_update_iface_num.isra.2+0x13/0x90 [ieee802154] > > [<000000003126e453>] ieee802154_llsec_fill_key_id+0x1d5/0x570 [ieee802154] > > [<00000000e4b3df51>] 0xffffffffc1500e0e > > [<00000000b4319776>] platform_drv_probe+0xc6/0x180 drivers/base/platform.c:614 > > [<0000000037669347>] really_probe+0x491/0x7c0 drivers/base/dd.c:509 > > [<000000008fed8862>] driver_probe_device+0xdc/0x240 drivers/base/dd.c:671 > > [<00000000baf52041>] device_driver_attach+0xf2/0x130 drivers/base/dd.c:945 > > [<00000000c7cc8dec>] __driver_attach+0x10e/0x210 drivers/base/dd.c:1022 > > [<0000000057a757c2>] bus_for_each_dev+0x154/0x1e0 drivers/base/bus.c:304 > > [<000000005f5ae04b>] bus_add_driver+0x427/0x5e0 drivers/base/bus.c:645 > > > > Reported-by: Hulk Robot <hulkci@huawei.com> > > Fixes: 1d24eb4815d1 ("xps: Transmit Packet Steering") > > Signed-off-by: Wang Hai <wanghai26@huawei.com> > > --- > > net/core/net-sysfs.c | 15 ++++++++++----- > > 1 file changed, 10 insertions(+), 5 deletions(-) > > > > diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c > > index 4ff661f..f0e53dc 100644 > > --- a/net/core/net-sysfs.c > > +++ b/net/core/net-sysfs.c > > @@ -1745,17 +1745,22 @@ int netdev_register_kobject(struct net_device *ndev) > > > > error = device_add(dev); > > if (error) > > - return error; > > + goto device_add_error; > > > > error = register_queue_kobjects(ndev); > > - if (error) { > > - device_del(dev); > > - return error; > > - } > > + if (error) > > + goto register_error; > > > > pm_runtime_set_memalloc_noio(dev, true); > > > > +out: > > return error; > > + > > +register_error: > > + device_del(dev); > > +device_add_error: > > + kfree_const(dev->kobj.name); > > This looks a bug in device_add() not here. > In general, it is better for an api to clean up after itself. > Since dev->kobj.name is created in device_add and normally freed > in device_del; why is device_add leaving it behind? It's more likely the bug in syzkaller. Look at the kobject_cleanup() last lines of code... -- With Best Regards, Andy Shevchenko ^ permalink raw reply [flat|nested] 12+ messages in thread
[parent not found: <c1c266af-7aaa-00a7-aa7a-e61c65665741@huawei.com>]
* Re: [PATCH] net-sysfs: Fix memory leak in netdev_register_kobject [not found] ` <c1c266af-7aaa-00a7-aa7a-e61c65665741@huawei.com> @ 2019-03-19 10:30 ` Andy Shevchenko [not found] ` <18553079-7bbd-fcfe-ef1c-6717e963e0a5@huawei.com> 0 siblings, 1 reply; 12+ messages in thread From: Andy Shevchenko @ 2019-03-19 10:30 UTC (permalink / raw) To: wanghai (M) Cc: Stephen Hemminger, davem, idosch, alexander.h.duyck, tyhicks, f.fainelli, amritha.nambiar, joe, dmitry.torokhov, netdev, linux-kernel On Tue, Mar 19, 2019 at 11:19:24AM +0800, wanghai (M) wrote: > > 在 2019/3/19 0:19, Andy Shevchenko 写道: > > On Mon, Mar 18, 2019 at 08:57:24AM -0700, Stephen Hemminger wrote: > > > On Tue, 19 Mar 2019 01:06:57 -0400 > > > Wang Hai <wanghai26@huawei.com> wrote: > > > This looks a bug in device_add() not here. > > > In general, it is better for an api to clean up after itself. > > > Since dev->kobj.name is created in device_add and normally freed > > > in device_del; why is device_add leaving it behind? > > It's more likely the bug in syzkaller. > > > > Look at the kobject_cleanup() last lines of code... > If device_add(dev) or register_queue_kobjects(ndev) fails, > In register_netdevice(), dev-> reg_state = NETREG_UNINITIALIZED and returns > an error, causing put_device(&dev-> dev) -> ..-> kobject_cleanup() not to be > called. OK, that's true, but your patch is wrong. See error handling in device_create_groups_vargs() for example. -- With Best Regards, Andy Shevchenko ^ permalink raw reply [flat|nested] 12+ messages in thread
[parent not found: <18553079-7bbd-fcfe-ef1c-6717e963e0a5@huawei.com>]
* Re: [PATCH] net-sysfs: Fix memory leak in netdev_register_kobject [not found] ` <18553079-7bbd-fcfe-ef1c-6717e963e0a5@huawei.com> @ 2019-03-19 14:00 ` Andy Shevchenko 2019-03-19 15:44 ` Stephen Hemminger 1 sibling, 0 replies; 12+ messages in thread From: Andy Shevchenko @ 2019-03-19 14:00 UTC (permalink / raw) To: wanghai (M) Cc: Stephen Hemminger, davem, idosch, alexander.h.duyck, tyhicks, f.fainelli, amritha.nambiar, joe, dmitry.torokhov, netdev, linux-kernel On Tue, Mar 19, 2019 at 08:17:01PM +0800, wanghai (M) wrote: > 在 2019/3/19 18:30, Andy Shevchenko 写道: > > On Tue, Mar 19, 2019 at 11:19:24AM +0800, wanghai (M) wrote: > > > 在 2019/3/19 0:19, Andy Shevchenko 写道: > > > If device_add(dev) or register_queue_kobjects(ndev) fails, > > > In register_netdevice(), dev-> reg_state = NETREG_UNINITIALIZED and returns > > > an error, causing put_device(&dev-> dev) -> ..-> kobject_cleanup() not to be > > > called. > > OK, that's true, but your patch is wrong. > > See error handling in device_create_groups_vargs() for example. > Hi Andy > Thanks for your advice. I understand the problem of my patch. > Can you help me see if it can be fixed like this? > > diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c > index 4ff661f..6fe5b8e 100644 > --- a/net/core/net-sysfs.c > +++ b/net/core/net-sysfs.c > @@ -1745,17 +1745,21 @@ int netdev_register_kobject(struct net_device *ndev) > > error = device_add(dev); > if (error) > - return error; > + goto device_add_error; This part seems correct now. > error = register_queue_kobjects(ndev); > - if (error) { > - device_del(dev); > - return error; > - } > + if (error) > + goto register_error; Yes, seems correct order here, i.e. device_del() followed by put_device(). > > pm_runtime_set_memalloc_noio(dev, true); > > +out: Better return 0; > return error; > +register_error: Better to describe what you will do here, i.e. error_device_del: > + device_del(dev); > +device_add_error: Ditto. error_put_device: > + put_device(dev); > + goto out; Better return error; > } -- With Best Regards, Andy Shevchenko ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH] net-sysfs: Fix memory leak in netdev_register_kobject [not found] ` <18553079-7bbd-fcfe-ef1c-6717e963e0a5@huawei.com> 2019-03-19 14:00 ` Andy Shevchenko @ 2019-03-19 15:44 ` Stephen Hemminger 1 sibling, 0 replies; 12+ messages in thread From: Stephen Hemminger @ 2019-03-19 15:44 UTC (permalink / raw) To: wanghai (M) Cc: Andy Shevchenko, davem, idosch, alexander.h.duyck, tyhicks, f.fainelli, amritha.nambiar, joe, dmitry.torokhov, netdev, linux-kernel On Tue, 19 Mar 2019 20:17:01 +0800 "wanghai (M)" <wanghai26@huawei.com> wrote: > +out: > return error; > +register_error: > + device_del(dev); > +device_add_error: > + put_device(dev); > + goto out; Everything looks fine, but I would redo the last part without the last goto out. Using a goto back to single return reduces readability. if (error) goto register_error; pm_runtime_set_memalloc_noio(dev, true); return 0; register_error: device_del(dev); device_add_error: put_device(dev); return error; ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH] net-sysfs: Fix memory leak in netdev_register_kobject 2019-03-18 15:57 ` Stephen Hemminger 2019-03-18 16:19 ` Andy Shevchenko @ 2019-03-19 3:03 ` wanghai (M) 2019-03-19 3:15 ` Stephen Hemminger 1 sibling, 1 reply; 12+ messages in thread From: wanghai (M) @ 2019-03-19 3:03 UTC (permalink / raw) To: Stephen Hemminger Cc: davem, idosch, alexander.h.duyck, tyhicks, f.fainelli, amritha.nambiar, joe, dmitry.torokhov, andriy.shevchenko, netdev, linux-kernel 在 2019/3/18 23:57, Stephen Hemminger 写道: > On Tue, 19 Mar 2019 01:06:57 -0400 > Wang Hai <wanghai26@huawei.com> wrote: > >> When registering struct net_device, it will call >> register_netdevice -> >> netdev_register_kobject -> >> device_add(dev) >> register_queue_kobjects(ndev) >> >> If device_add(dev) or register_queue_kobjects(ndev) fails. >> Register_netdevice() will return error, causing netdev_freemem(ndev) >> to be called to free net_device, however (&ndev->dev)->kobj.name will >> not be freed, resulting in a memory leak. >> >> syzkaller report this: >> BUG: memory leak >> unreferenced object 0xffff8881f4fad168 (size 8): >> comm "syz-executor.0", pid 3575, jiffies 4294778002 (age 20.134s) >> hex dump (first 8 bytes): >> 77 70 61 6e 30 00 ff ff wpan0... >> backtrace: >> [<000000006d2d91d7>] kstrdup_const+0x3d/0x50 mm/util.c:73 >> [<00000000ba9ff953>] kvasprintf_const+0x112/0x170 lib/kasprintf.c:48 >> [<000000005555ec09>] kobject_set_name_vargs+0x55/0x130 lib/kobject.c:281 >> [<0000000098d28ec3>] dev_set_name+0xbb/0xf0 drivers/base/core.c:1915 >> [<00000000b7553017>] netdev_register_kobject+0xc0/0x410 net/core/net-sysfs.c:1727 >> [<00000000c826a797>] register_netdevice+0xa51/0xeb0 net/core/dev.c:8711 >> [<00000000857bfcfd>] cfg802154_update_iface_num.isra.2+0x13/0x90 [ieee802154] >> [<000000003126e453>] ieee802154_llsec_fill_key_id+0x1d5/0x570 [ieee802154] >> [<00000000e4b3df51>] 0xffffffffc1500e0e >> [<00000000b4319776>] platform_drv_probe+0xc6/0x180 drivers/base/platform.c:614 >> [<0000000037669347>] really_probe+0x491/0x7c0 drivers/base/dd.c:509 >> [<000000008fed8862>] driver_probe_device+0xdc/0x240 drivers/base/dd.c:671 >> [<00000000baf52041>] device_driver_attach+0xf2/0x130 drivers/base/dd.c:945 >> [<00000000c7cc8dec>] __driver_attach+0x10e/0x210 drivers/base/dd.c:1022 >> [<0000000057a757c2>] bus_for_each_dev+0x154/0x1e0 drivers/base/bus.c:304 >> [<000000005f5ae04b>] bus_add_driver+0x427/0x5e0 drivers/base/bus.c:645 >> >> Reported-by: Hulk Robot <hulkci@huawei.com> >> Fixes: 1d24eb4815d1 ("xps: Transmit Packet Steering") >> Signed-off-by: Wang Hai <wanghai26@huawei.com> >> --- >> net/core/net-sysfs.c | 15 ++++++++++----- >> 1 file changed, 10 insertions(+), 5 deletions(-) >> >> diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c >> index 4ff661f..f0e53dc 100644 >> --- a/net/core/net-sysfs.c >> +++ b/net/core/net-sysfs.c >> @@ -1745,17 +1745,22 @@ int netdev_register_kobject(struct net_device *ndev) >> >> error = device_add(dev); >> if (error) >> - return error; >> + goto device_add_error; >> >> error = register_queue_kobjects(ndev); >> - if (error) { >> - device_del(dev); >> - return error; >> - } >> + if (error) >> + goto register_error; >> >> pm_runtime_set_memalloc_noio(dev, true); >> >> +out: >> return error; >> + >> +register_error: >> + device_del(dev); >> +device_add_error: >> + kfree_const(dev->kobj.name); > This looks a bug in device_add() not here. > In general, it is better for an api to clean up after itself. > Since dev->kobj.name is created in device_add and normally freed > in device_del; why is device_add leaving it behind?\ When registering struct net_device, it will call register_netdevice -> netdev_register_kobject -> dev_set_name(dev, "%s", ndev->name) device_add(dev) register_queue_kobjects(ndev) The dev->kobj.name that causes the memory leak is created in dev_set_name(dev, "%s", ndev-> name) in the function netdev_register_kobject(), not in device_add(dev). If device_add(dev) or register_queue_kobjects(ndev) fails, it should release dev-> kobj.name in netdev_register_kobject() ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH] net-sysfs: Fix memory leak in netdev_register_kobject 2019-03-19 3:03 ` wanghai (M) @ 2019-03-19 3:15 ` Stephen Hemminger 2019-03-19 3:39 ` wanghai (M) 0 siblings, 1 reply; 12+ messages in thread From: Stephen Hemminger @ 2019-03-19 3:15 UTC (permalink / raw) To: wanghai (M) Cc: davem, idosch, alexander.h.duyck, tyhicks, f.fainelli, amritha.nambiar, joe, dmitry.torokhov, andriy.shevchenko, netdev, linux-kernel On Tue, 19 Mar 2019 11:03:54 +0800 "wanghai (M)" <wanghai26@huawei.com> wrote: > 在 2019/3/18 23:57, Stephen Hemminger 写道: > > On Tue, 19 Mar 2019 01:06:57 -0400 > > Wang Hai <wanghai26@huawei.com> wrote: > > > >> When registering struct net_device, it will call > >> register_netdevice -> > >> netdev_register_kobject -> > >> device_add(dev) > >> register_queue_kobjects(ndev) > >> > >> If device_add(dev) or register_queue_kobjects(ndev) fails. > >> Register_netdevice() will return error, causing netdev_freemem(ndev) > >> to be called to free net_device, however (&ndev->dev)->kobj.name will > >> not be freed, resulting in a memory leak. > >> > >> syzkaller report this: > >> BUG: memory leak > >> unreferenced object 0xffff8881f4fad168 (size 8): > >> comm "syz-executor.0", pid 3575, jiffies 4294778002 (age 20.134s) > >> hex dump (first 8 bytes): > >> 77 70 61 6e 30 00 ff ff wpan0... > >> backtrace: > >> [<000000006d2d91d7>] kstrdup_const+0x3d/0x50 mm/util.c:73 > >> [<00000000ba9ff953>] kvasprintf_const+0x112/0x170 lib/kasprintf.c:48 > >> [<000000005555ec09>] kobject_set_name_vargs+0x55/0x130 lib/kobject.c:281 > >> [<0000000098d28ec3>] dev_set_name+0xbb/0xf0 drivers/base/core.c:1915 > >> [<00000000b7553017>] netdev_register_kobject+0xc0/0x410 net/core/net-sysfs.c:1727 > >> [<00000000c826a797>] register_netdevice+0xa51/0xeb0 net/core/dev.c:8711 > >> [<00000000857bfcfd>] cfg802154_update_iface_num.isra.2+0x13/0x90 [ieee802154] > >> [<000000003126e453>] ieee802154_llsec_fill_key_id+0x1d5/0x570 [ieee802154] > >> [<00000000e4b3df51>] 0xffffffffc1500e0e > >> [<00000000b4319776>] platform_drv_probe+0xc6/0x180 drivers/base/platform.c:614 > >> [<0000000037669347>] really_probe+0x491/0x7c0 drivers/base/dd.c:509 > >> [<000000008fed8862>] driver_probe_device+0xdc/0x240 drivers/base/dd.c:671 > >> [<00000000baf52041>] device_driver_attach+0xf2/0x130 drivers/base/dd.c:945 > >> [<00000000c7cc8dec>] __driver_attach+0x10e/0x210 drivers/base/dd.c:1022 > >> [<0000000057a757c2>] bus_for_each_dev+0x154/0x1e0 drivers/base/bus.c:304 > >> [<000000005f5ae04b>] bus_add_driver+0x427/0x5e0 drivers/base/bus.c:645 > >> > >> Reported-by: Hulk Robot <hulkci@huawei.com> > >> Fixes: 1d24eb4815d1 ("xps: Transmit Packet Steering") > >> Signed-off-by: Wang Hai <wanghai26@huawei.com> > >> --- > >> net/core/net-sysfs.c | 15 ++++++++++----- > >> 1 file changed, 10 insertions(+), 5 deletions(-) > >> > >> diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c > >> index 4ff661f..f0e53dc 100644 > >> --- a/net/core/net-sysfs.c > >> +++ b/net/core/net-sysfs.c > >> @@ -1745,17 +1745,22 @@ int netdev_register_kobject(struct net_device *ndev) > >> > >> error = device_add(dev); > >> if (error) > >> - return error; > >> + goto device_add_error; > >> > >> error = register_queue_kobjects(ndev); > >> - if (error) { > >> - device_del(dev); > >> - return error; > >> - } > >> + if (error) > >> + goto register_error; > >> > >> pm_runtime_set_memalloc_noio(dev, true); > >> > >> +out: > >> return error; > >> + > >> +register_error: > >> + device_del(dev); > >> +device_add_error: > >> + kfree_const(dev->kobj.name); > > This looks a bug in device_add() not here. > > In general, it is better for an api to clean up after itself. > > Since dev->kobj.name is created in device_add and normally freed > > in device_del; why is device_add leaving it behind?\ > > When registering struct net_device, it will call > register_netdevice -> > netdev_register_kobject -> > dev_set_name(dev, "%s", ndev->name) > device_add(dev) > register_queue_kobjects(ndev) > > The dev->kobj.name that causes the memory leak is created in > dev_set_name(dev, "%s", ndev-> name) in the function > netdev_register_kobject(), not in device_add(dev). If device_add(dev) or > register_queue_kobjects(ndev) fails, it should release dev-> kobj.name > in netdev_register_kobject() Good catch, dev_set_name is using asprintf to allocate new memory for the name. The problem with your patch is that device_del() already cleans up the device (including name). The device object should really not be touched after device_del. Where is the name freed in the normal case? ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH] net-sysfs: Fix memory leak in netdev_register_kobject 2019-03-19 3:15 ` Stephen Hemminger @ 2019-03-19 3:39 ` wanghai (M) 2019-03-19 10:22 ` Andy Shevchenko 0 siblings, 1 reply; 12+ messages in thread From: wanghai (M) @ 2019-03-19 3:39 UTC (permalink / raw) To: Stephen Hemminger Cc: davem, idosch, alexander.h.duyck, tyhicks, f.fainelli, amritha.nambiar, joe, dmitry.torokhov, andriy.shevchenko, netdev, linux-kernel 在 2019/3/19 11:15, Stephen Hemminger 写道: > On Tue, 19 Mar 2019 11:03:54 +0800 > "wanghai (M)" <wanghai26@huawei.com> wrote: > >> 在 2019/3/18 23:57, Stephen Hemminger 写道: >>> On Tue, 19 Mar 2019 01:06:57 -0400 >>> Wang Hai <wanghai26@huawei.com> wrote: >>> >>>> When registering struct net_device, it will call >>>> register_netdevice -> >>>> netdev_register_kobject -> >>>> device_add(dev) >>>> register_queue_kobjects(ndev) >>>> >>>> If device_add(dev) or register_queue_kobjects(ndev) fails. >>>> Register_netdevice() will return error, causing netdev_freemem(ndev) >>>> to be called to free net_device, however (&ndev->dev)->kobj.name will >>>> not be freed, resulting in a memory leak. >>>> >>>> syzkaller report this: >>>> BUG: memory leak >>>> unreferenced object 0xffff8881f4fad168 (size 8): >>>> comm "syz-executor.0", pid 3575, jiffies 4294778002 (age 20.134s) >>>> hex dump (first 8 bytes): >>>> 77 70 61 6e 30 00 ff ff wpan0... >>>> backtrace: >>>> [<000000006d2d91d7>] kstrdup_const+0x3d/0x50 mm/util.c:73 >>>> [<00000000ba9ff953>] kvasprintf_const+0x112/0x170 lib/kasprintf.c:48 >>>> [<000000005555ec09>] kobject_set_name_vargs+0x55/0x130 lib/kobject.c:281 >>>> [<0000000098d28ec3>] dev_set_name+0xbb/0xf0 drivers/base/core.c:1915 >>>> [<00000000b7553017>] netdev_register_kobject+0xc0/0x410 net/core/net-sysfs.c:1727 >>>> [<00000000c826a797>] register_netdevice+0xa51/0xeb0 net/core/dev.c:8711 >>>> [<00000000857bfcfd>] cfg802154_update_iface_num.isra.2+0x13/0x90 [ieee802154] >>>> [<000000003126e453>] ieee802154_llsec_fill_key_id+0x1d5/0x570 [ieee802154] >>>> [<00000000e4b3df51>] 0xffffffffc1500e0e >>>> [<00000000b4319776>] platform_drv_probe+0xc6/0x180 drivers/base/platform.c:614 >>>> [<0000000037669347>] really_probe+0x491/0x7c0 drivers/base/dd.c:509 >>>> [<000000008fed8862>] driver_probe_device+0xdc/0x240 drivers/base/dd.c:671 >>>> [<00000000baf52041>] device_driver_attach+0xf2/0x130 drivers/base/dd.c:945 >>>> [<00000000c7cc8dec>] __driver_attach+0x10e/0x210 drivers/base/dd.c:1022 >>>> [<0000000057a757c2>] bus_for_each_dev+0x154/0x1e0 drivers/base/bus.c:304 >>>> [<000000005f5ae04b>] bus_add_driver+0x427/0x5e0 drivers/base/bus.c:645 >>>> >>>> Reported-by: Hulk Robot <hulkci@huawei.com> >>>> Fixes: 1d24eb4815d1 ("xps: Transmit Packet Steering") >>>> Signed-off-by: Wang Hai <wanghai26@huawei.com> >>>> --- >>>> net/core/net-sysfs.c | 15 ++++++++++----- >>>> 1 file changed, 10 insertions(+), 5 deletions(-) >>>> >>>> diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c >>>> index 4ff661f..f0e53dc 100644 >>>> --- a/net/core/net-sysfs.c >>>> +++ b/net/core/net-sysfs.c >>>> @@ -1745,17 +1745,22 @@ int netdev_register_kobject(struct net_device *ndev) >>>> >>>> error = device_add(dev); >>>> if (error) >>>> - return error; >>>> + goto device_add_error; >>>> >>>> error = register_queue_kobjects(ndev); >>>> - if (error) { >>>> - device_del(dev); >>>> - return error; >>>> - } >>>> + if (error) >>>> + goto register_error; >>>> >>>> pm_runtime_set_memalloc_noio(dev, true); >>>> >>>> +out: >>>> return error; >>>> + >>>> +register_error: >>>> + device_del(dev); >>>> +device_add_error: >>>> + kfree_const(dev->kobj.name); >>> This looks a bug in device_add() not here. >>> In general, it is better for an api to clean up after itself. >>> Since dev->kobj.name is created in device_add and normally freed >>> in device_del; why is device_add leaving it behind?\ >> When registering struct net_device, it will call >> register_netdevice -> >> netdev_register_kobject -> >> dev_set_name(dev, "%s", ndev->name) >> device_add(dev) >> register_queue_kobjects(ndev) >> >> The dev->kobj.name that causes the memory leak is created in >> dev_set_name(dev, "%s", ndev-> name) in the function >> netdev_register_kobject(), not in device_add(dev). If device_add(dev) or >> register_queue_kobjects(ndev) fails, it should release dev-> kobj.name >> in netdev_register_kobject() > Good catch, dev_set_name is using asprintf to allocate new memory > for the name. The problem with your patch is that device_del() > already cleans up the device (including name). The device object > should really not be touched after device_del. > > Where is the name freed in the normal case? > > > . Device_del just delete device from system, but do not clean up dev->kobj.name. In normal case, the name is freed in free_netdev(dev)->put_device(&dev->dev)->kobject_put(&dev->kobj)->kobject_cleanup() ,not in device_del() ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH] net-sysfs: Fix memory leak in netdev_register_kobject 2019-03-19 3:39 ` wanghai (M) @ 2019-03-19 10:22 ` Andy Shevchenko 0 siblings, 0 replies; 12+ messages in thread From: Andy Shevchenko @ 2019-03-19 10:22 UTC (permalink / raw) To: wanghai (M) Cc: Stephen Hemminger, davem, idosch, alexander.h.duyck, tyhicks, f.fainelli, amritha.nambiar, joe, dmitry.torokhov, netdev, linux-kernel On Tue, Mar 19, 2019 at 11:39:54AM +0800, wanghai (M) wrote: > 在 2019/3/19 11:15, Stephen Hemminger 写道: > Device_del just delete device from system, but do not clean up > dev->kobj.name. May I ask how you get this conclusion? > In normal case, the name is freed in free_netdev(dev)->put_device(&dev->dev)->kobject_put(&dev->kobj)->kobject_cleanup() > ,not in device_del() -- With Best Regards, Andy Shevchenko ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH] net-sysfs: Fix memory leak in netdev_register_kobject 2019-03-19 5:06 [PATCH] net-sysfs: Fix memory leak in netdev_register_kobject Wang Hai 2019-03-18 15:57 ` Stephen Hemminger @ 2019-03-18 18:02 ` Eric Dumazet 2019-03-19 3:47 ` wanghai (M) 1 sibling, 1 reply; 12+ messages in thread From: Eric Dumazet @ 2019-03-18 18:02 UTC (permalink / raw) To: Wang Hai, davem, idosch, alexander.h.duyck, tyhicks, f.fainelli Cc: amritha.nambiar, joe, dmitry.torokhov, andriy.shevchenko, netdev, linux-kernel On 03/18/2019 10:06 PM, Wang Hai wrote: > When registering struct net_device, it will call > register_netdevice -> > netdev_register_kobject -> > device_add(dev) > register_queue_kobjects(ndev) > > If device_add(dev) or register_queue_kobjects(ndev) fails. > Register_netdevice() will return error, causing netdev_freemem(ndev) > to be called to free net_device, however (&ndev->dev)->kobj.name will > not be freed, resulting in a memory leak. > > syzkaller report this: > BUG: memory leak > unreferenced object 0xffff8881f4fad168 (size 8): > comm "syz-executor.0", pid 3575, jiffies 4294778002 (age 20.134s) > hex dump (first 8 bytes): > 77 70 61 6e 30 00 ff ff wpan0... > backtrace: > [<000000006d2d91d7>] kstrdup_const+0x3d/0x50 mm/util.c:73 > [<00000000ba9ff953>] kvasprintf_const+0x112/0x170 lib/kasprintf.c:48 > [<000000005555ec09>] kobject_set_name_vargs+0x55/0x130 lib/kobject.c:281 > [<0000000098d28ec3>] dev_set_name+0xbb/0xf0 drivers/base/core.c:1915 > [<00000000b7553017>] netdev_register_kobject+0xc0/0x410 net/core/net-sysfs.c:1727 > [<00000000c826a797>] register_netdevice+0xa51/0xeb0 net/core/dev.c:8711 > [<00000000857bfcfd>] cfg802154_update_iface_num.isra.2+0x13/0x90 [ieee802154] > [<000000003126e453>] ieee802154_llsec_fill_key_id+0x1d5/0x570 [ieee802154] > [<00000000e4b3df51>] 0xffffffffc1500e0e > [<00000000b4319776>] platform_drv_probe+0xc6/0x180 drivers/base/platform.c:614 > [<0000000037669347>] really_probe+0x491/0x7c0 drivers/base/dd.c:509 > [<000000008fed8862>] driver_probe_device+0xdc/0x240 drivers/base/dd.c:671 > [<00000000baf52041>] device_driver_attach+0xf2/0x130 drivers/base/dd.c:945 > [<00000000c7cc8dec>] __driver_attach+0x10e/0x210 drivers/base/dd.c:1022 > [<0000000057a757c2>] bus_for_each_dev+0x154/0x1e0 drivers/base/bus.c:304 > [<000000005f5ae04b>] bus_add_driver+0x427/0x5e0 drivers/base/bus.c:645 > > Reported-by: Hulk Robot <hulkci@huawei.com> > Fixes: 1d24eb4815d1 ("xps: Transmit Packet Steering") The bug was there before this commit, right ? ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH] net-sysfs: Fix memory leak in netdev_register_kobject 2019-03-18 18:02 ` Eric Dumazet @ 2019-03-19 3:47 ` wanghai (M) 0 siblings, 0 replies; 12+ messages in thread From: wanghai (M) @ 2019-03-19 3:47 UTC (permalink / raw) To: Eric Dumazet, davem, idosch, alexander.h.duyck, tyhicks, f.fainelli Cc: amritha.nambiar, joe, dmitry.torokhov, andriy.shevchenko, netdev, linux-kernel 在 2019/3/19 2:02, Eric Dumazet 写道: > > On 03/18/2019 10:06 PM, Wang Hai wrote: >> When registering struct net_device, it will call >> register_netdevice -> >> netdev_register_kobject -> >> device_add(dev) >> register_queue_kobjects(ndev) >> >> If device_add(dev) or register_queue_kobjects(ndev) fails. >> Register_netdevice() will return error, causing netdev_freemem(ndev) >> to be called to free net_device, however (&ndev->dev)->kobj.name will >> not be freed, resulting in a memory leak. >> >> syzkaller report this: >> BUG: memory leak >> unreferenced object 0xffff8881f4fad168 (size 8): >> comm "syz-executor.0", pid 3575, jiffies 4294778002 (age 20.134s) >> hex dump (first 8 bytes): >> 77 70 61 6e 30 00 ff ff wpan0... >> backtrace: >> [<000000006d2d91d7>] kstrdup_const+0x3d/0x50 mm/util.c:73 >> [<00000000ba9ff953>] kvasprintf_const+0x112/0x170 lib/kasprintf.c:48 >> [<000000005555ec09>] kobject_set_name_vargs+0x55/0x130 lib/kobject.c:281 >> [<0000000098d28ec3>] dev_set_name+0xbb/0xf0 drivers/base/core.c:1915 >> [<00000000b7553017>] netdev_register_kobject+0xc0/0x410 net/core/net-sysfs.c:1727 >> [<00000000c826a797>] register_netdevice+0xa51/0xeb0 net/core/dev.c:8711 >> [<00000000857bfcfd>] cfg802154_update_iface_num.isra.2+0x13/0x90 [ieee802154] >> [<000000003126e453>] ieee802154_llsec_fill_key_id+0x1d5/0x570 [ieee802154] >> [<00000000e4b3df51>] 0xffffffffc1500e0e >> [<00000000b4319776>] platform_drv_probe+0xc6/0x180 drivers/base/platform.c:614 >> [<0000000037669347>] really_probe+0x491/0x7c0 drivers/base/dd.c:509 >> [<000000008fed8862>] driver_probe_device+0xdc/0x240 drivers/base/dd.c:671 >> [<00000000baf52041>] device_driver_attach+0xf2/0x130 drivers/base/dd.c:945 >> [<00000000c7cc8dec>] __driver_attach+0x10e/0x210 drivers/base/dd.c:1022 >> [<0000000057a757c2>] bus_for_each_dev+0x154/0x1e0 drivers/base/bus.c:304 >> [<000000005f5ae04b>] bus_add_driver+0x427/0x5e0 drivers/base/bus.c:645 >> >> Reported-by: Hulk Robot <hulkci@huawei.com> >> Fixes: 1d24eb4815d1 ("xps: Transmit Packet Steering") > The bug was there before this commit, right ? > > . Sorry, I read the code carefully, this is a mistake, the correct fix commit is 1fa5ae857bb1(driver core: get rid of struct device's bus_id string array). I will send a patch v2 ^ permalink raw reply [flat|nested] 12+ messages in thread
end of thread, other threads:[~2019-03-19 15:45 UTC | newest] Thread overview: 12+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2019-03-19 5:06 [PATCH] net-sysfs: Fix memory leak in netdev_register_kobject Wang Hai 2019-03-18 15:57 ` Stephen Hemminger 2019-03-18 16:19 ` Andy Shevchenko [not found] ` <c1c266af-7aaa-00a7-aa7a-e61c65665741@huawei.com> 2019-03-19 10:30 ` Andy Shevchenko [not found] ` <18553079-7bbd-fcfe-ef1c-6717e963e0a5@huawei.com> 2019-03-19 14:00 ` Andy Shevchenko 2019-03-19 15:44 ` Stephen Hemminger 2019-03-19 3:03 ` wanghai (M) 2019-03-19 3:15 ` Stephen Hemminger 2019-03-19 3:39 ` wanghai (M) 2019-03-19 10:22 ` Andy Shevchenko 2019-03-18 18:02 ` Eric Dumazet 2019-03-19 3:47 ` wanghai (M)
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).