linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Dan Carpenter <dan.carpenter@oracle.com>
To: Yanfei Xu <yanfei.xu@windriver.com>
Cc: andrew@lunn.ch, hkallweit1@gmail.com, linux@armlinux.org.uk,
	davem@davemloft.net, kuba@kernel.org, p.zabel@pengutronix.de,
	syzbot+398e7dc692ddbbb4cfec@syzkaller.appspotmail.com,
	linux-kernel@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: [PATCH] net: mdiobus: Fix memory leak in __mdiobus_register
Date: Tue, 28 Sep 2021 11:55:49 +0300	[thread overview]
Message-ID: <20210928085549.GA6559@kili> (raw)
In-Reply-To: <20210926045313.2267655-1-yanfei.xu@windriver.com>

On Sun, Sep 26, 2021 at 12:53:13PM +0800, Yanfei Xu wrote:
> Once device_register() failed, we should call put_device() to
> decrement reference count for cleanup. Or it will cause memory
> leak.
> 

[ snipped stack trace ]

> 
> Reported-by: syzbot+398e7dc692ddbbb4cfec@syzkaller.appspotmail.com
> Signed-off-by: Yanfei Xu <yanfei.xu@windriver.com>
> ---
>  drivers/net/phy/mdio_bus.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c
> index 53f034fc2ef7..6f4b4e5df639 100644
> --- a/drivers/net/phy/mdio_bus.c
> +++ b/drivers/net/phy/mdio_bus.c
> @@ -537,6 +537,7 @@ int __mdiobus_register(struct mii_bus *bus, struct module *owner)
>  	err = device_register(&bus->dev);
>  	if (err) {
>  		pr_err("mii_bus %s failed to register\n", bus->id);
> +		put_device(&bus->dev);

No this isn't right.  The dev.class is &mdio_bus_class.  It's set a few
lines earlier.

	bus->dev.class = &mdio_bus_class;

The release function is mdiobus_release().  It will free bus and lead to
use after frees in the callers.  Look at greth_mdio_init().  There are
a lot of callers which will crash now.

This patch was a clear layering violation.  If you didn't allocate "bus"
then you should not free it.  Keeping that rule in mind can help prevent
future bugs.  Also he other error handling paths are careful not to call
put_device() so why would this one be special?  It should have stood out
that this one error path is the only place that doesn't use a goto to
clean up.

I don't have a solution.  I have commented before that I hate kobjects
for this reason because they lead to unfixable memory leaks during
probe.  But this leak will only happen with fault injection and so it
doesn't affect real life.  And even if it did, a leak it preferable to a
crash.

Unfortunately, this patch has already been applied so please can you
send a patch to revert it?

regards,
dan carpenter


  parent reply	other threads:[~2021-09-28  8:56 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-09-26  4:53 [PATCH] net: mdiobus: Fix memory leak in __mdiobus_register Yanfei Xu
2021-09-26 15:34 ` Andrew Lunn
2021-09-27 12:30 ` patchwork-bot+netdevbpf
2021-09-28  8:55 ` Dan Carpenter [this message]
2021-09-28  9:26   ` Dan Carpenter
2021-09-28  9:45     ` Pavel Skripkin
2021-09-28 10:39       ` Dan Carpenter
2021-09-28 10:46         ` Pavel Skripkin
2021-09-28 10:55           ` Dan Carpenter
2021-09-28 11:04             ` Pavel Skripkin
2021-09-28 10:59           ` Dan Carpenter
2021-09-28 11:06             ` Pavel Skripkin
2021-09-28 11:09               ` Pavel Skripkin
2021-09-28 11:30                 ` Dan Carpenter
2021-09-28 11:45                   ` Pavel Skripkin
2021-09-28 12:23                     ` Dan Carpenter
2021-09-28 12:58                   ` Russell King (Oracle)
2021-09-28 13:52                     ` Dan Carpenter
2021-09-28 15:41                       ` Russell King (Oracle)
2021-09-28 15:48                         ` Dongliang Mu
2021-09-29  2:05                           ` Xu, Yanfei
2021-09-28 13:11 ` Russell King (Oracle)
2021-09-29 21:31 ` Denis Efremov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210928085549.GA6559@kili \
    --to=dan.carpenter@oracle.com \
    --cc=andrew@lunn.ch \
    --cc=davem@davemloft.net \
    --cc=hkallweit1@gmail.com \
    --cc=kuba@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux@armlinux.org.uk \
    --cc=netdev@vger.kernel.org \
    --cc=p.zabel@pengutronix.de \
    --cc=syzbot+398e7dc692ddbbb4cfec@syzkaller.appspotmail.com \
    --cc=yanfei.xu@windriver.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).