2019-08-14 20:17:33

by Wenwen Wang

Subject: [PATCH] hv_netvsc: Fix a memory leak bug

In rndis_filter_device_add(), 'rndis_device' is allocated through kzalloc()
by invoking get_rndis_device(). In the following execution, if an error
occurs, the execution will go to the 'err_dev_remv' label. However, the
allocated 'rndis_device' is not deallocated, leading to a memory leak bug.

Signed-off-by: Wenwen Wang <[email protected]>
---
drivers/net/hyperv/rndis_filter.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/drivers/net/hyperv/rndis_filter.c b/drivers/net/hyperv/rndis_filter.c
index 317dbe9..ed35085 100644
--- a/drivers/net/hyperv/rndis_filter.c
+++ b/drivers/net/hyperv/rndis_filter.c
@@ -1420,6 +1420,7 @@ struct netvsc_device *rndis_filter_device_add(struct hv_device *dev,

err_dev_remv:
rndis_filter_device_remove(dev, net_device);
+ kfree(rndis_device);
return ERR_PTR(ret);
}
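
Review bot: The added kfree(rndis_device) under err_dev_remv runs directly after rndis_filter_device_remove(dev, net_device), and the commit message does not establish that this teardown call leaves rndis_device allocated. If the teardown already releases it (the replies in this thread trace it to kfree(nvdev->extension) in free_netvsc_device()), this line turns the claimed leak into a double free. Please either drop the kfree() or show in the commit message which error exit reaches this label with rndis_device still unreleased after the teardown.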

--
2.7.4


2019-08-14 20:44:34

by Stephen Hemminger

Subject: Re: [PATCH] hv_netvsc: Fix a memory leak bug

On Wed, 14 Aug 2019 15:16:11 -0500
Wenwen Wang <[email protected]> wrote:

> In rndis_filter_device_add(), 'rndis_device' is allocated through kzalloc()
> by invoking get_rndis_device(). In the following execution, if an error
> occurs, the execution will go to the 'err_dev_remv' label. However, the
> allocated 'rndis_device' is not deallocated, leading to a memory leak bug.
>
> Signed-off-by: Wenwen Wang <[email protected]>
> ---
> drivers/net/hyperv/rndis_filter.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/net/hyperv/rndis_filter.c b/drivers/net/hyperv/rndis_filter.c
> index 317dbe9..ed35085 100644
> --- a/drivers/net/hyperv/rndis_filter.c
> +++ b/drivers/net/hyperv/rndis_filter.c
> @@ -1420,6 +1420,7 @@ struct netvsc_device *rndis_filter_device_add(struct hv_device *dev,
>
> err_dev_remv:
> rndis_filter_device_remove(dev, net_device);
> + kfree(rndis_device);
> return ERR_PTR(ret);
> }
>
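
Review bot: Ordering problem on the added line: kfree(rndis_device) frees the object synchronously, while the rndis_filter_device_remove() call on the line above it releases the same pointer later from an RCU callback, per the call chain given in the reply below (free_netvsc_device() does kfree(nvdev->extension)). With both in place the pointer is freed twice. Suggest dropping the hunk and, if a leak was actually observed, reporting which path skips free_netvsc_device().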

The rndis_device is already freed by:

    rndis_filter_device_remove
        netvsc_device_remove
            free_netvsc_device_rcu

free_netvsc_device called by rcu

static void free_netvsc_device(struct rcu_head *head)
{
        struct netvsc_device *nvdev
                = container_of(head, struct netvsc_device, rcu);
        int i;

        kfree(nvdev->extension);    << here

2019-08-14 21:33:03

by Haiyang Zhang

Subject: RE: [PATCH] hv_netvsc: Fix a memory leak bug



> -----Original Message-----
> From: Wenwen Wang <[email protected]>
> Sent: Wednesday, August 14, 2019 4:16 PM
> To: Wenwen Wang <[email protected]>
> Cc: KY Srinivasan <[email protected]>; Haiyang Zhang
> <[email protected]>; Stephen Hemminger
> <[email protected]>; Sasha Levin <[email protected]>; David S.
> Miller <[email protected]>; open list:Hyper-V CORE AND DRIVERS
> <[email protected]>; open list:NETWORKING DRIVERS
> <[email protected]>; open list <[email protected]>
> Subject: [PATCH] hv_netvsc: Fix a memory leak bug
>
> In rndis_filter_device_add(), 'rndis_device' is allocated through kzalloc()
> by invoking get_rndis_device(). In the following execution, if an error
> occurs, the execution will go to the 'err_dev_remv' label. However, the
> allocated 'rndis_device' is not deallocated, leading to a memory leak bug.
>
> Signed-off-by: Wenwen Wang <[email protected]>
> ---
> drivers/net/hyperv/rndis_filter.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/net/hyperv/rndis_filter.c
> b/drivers/net/hyperv/rndis_filter.c
> index 317dbe9..ed35085 100644
> --- a/drivers/net/hyperv/rndis_filter.c
> +++ b/drivers/net/hyperv/rndis_filter.c
> @@ -1420,6 +1420,7 @@ struct netvsc_device
> *rndis_filter_device_add(struct hv_device *dev,
>
> err_dev_remv:
> rndis_filter_device_remove(dev, net_device);
> + kfree(rndis_device);
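
Review bot: The commit message says only that "an error occurs" before the jump to err_dev_remv; it does not name the failing call or say how the leak was found (code inspection, static analysis, or a runtime leak report). That matters for the added kfree(rndis_device) because it sits directly after rndis_filter_device_remove(), which does its own cleanup. Please state the evidence in the commit message so reviewers can tell a real leak from a false positive.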

The kfree() is not necessary here.
Because it is already freed by --
rndis_filter_device_remove() --> netvsc_device_remove()
--> free_netvsc_device_rcu() --> free_netvsc_device()
--> kfree(nvdev->extension); //This frees rndis_device.

Thanks,
- Haiyang