Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp5052636yba; Tue, 30 Apr 2019 08:24:37 -0700 (PDT) X-Google-Smtp-Source: APXvYqwQgt94yyS+GXLIaCM6KzngbShAta2MSsoY6pfKudI6wsMx5tG1qIq+rqUku1hAIXEyKVqE X-Received: by 2002:a63:31d7:: with SMTP id x206mr13753063pgx.74.1556637877678; Tue, 30 Apr 2019 08:24:37 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1556637877; cv=none; d=google.com; s=arc-20160816; b=pMbzKpIeYdKxkCzIa/y8DayE4fQC9zD2edqgNhEMCa70yJ7kkNY0QIYIqgjH5VhA3F fK0CAGoleZ/U2dV25CDm3dBj+v2w+3FLHQV/7Mwubjvsczm0qpl63m/M+4U+2GRwiQ3s mypv9s1WgL1dSs4LM5WQ50MTMBhNT1cCVl0YfiEc/TTPdh9mhxpUJl2s57QEFfXz+DgV 0Kalg0InnyYyn8rBIXXYIG5fk0anKkhp53a7WryhpptvqsMFVYFfN55Ji/MlQOzIAafD t9zmjvp6oN6R5o8k+J71TvHQCbhKFgnH8wxzuOOJdpllIE5Vb0XmSWDJAjFJb2tCkuFM P5qw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=9NYFmk8Sruw5fGI1xTPtOmU1+PxkbG2/U29Z0YHuTbU=; b=kQQDGYLalvb+UZ/OxhpRoh4Vps3d+pbtKg3XNKSpz4gZjsc0AfTLb4/SYvwMYZxqyB BODaY3AoZqZq5K7GjgvYeNldKP6tVnw0X/n5AnCm5qHiQx2uXU7CmW2unshnQDLcT48t D3scaVT3RxwhXT+wApPj+C+TL83XriziNhW68aU3E7CMro0UWn2abBn7VSOOws1qgwKa DLmLpYoavqHKQd+s3nEFXZPdE2YUB5AQfgsK1MvT60ok3TjLDlJKwJoB8BYqQKv+kWB9 eNBZpIv8rRLG67lC7DmZwiMe2fF7BnvH6B5dsIpd5i8V8TQ41DDlHQ2CG4Sm8Gn9GrCX 7bxw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=canonical.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id w19si13045311pgh.527.2019.04.30.08.24.21; Tue, 30 Apr 2019 08:24:37 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=canonical.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726124AbfD3PXZ (ORCPT + 99 others); Tue, 30 Apr 2019 11:23:25 -0400 Received: from youngberry.canonical.com ([91.189.89.112]:53026 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725906AbfD3PXZ (ORCPT ); Tue, 30 Apr 2019 11:23:25 -0400 Received: from 162-237-133-238.lightspeed.rcsntx.sbcglobal.net ([162.237.133.238] helo=lindsey) by youngberry.canonical.com with esmtpsa (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.76) (envelope-from ) id 1hLUbG-0006rZ-5q; Tue, 30 Apr 2019 15:23:18 +0000 Date: Tue, 30 Apr 2019 10:23:13 -0500 From: Tyler Hicks To: "Tobin C. Harding" Cc: "David S. Miller" , Greg Kroah-Hartman , Andy Shevchenko , Ido Schimmel , Alexander Duyck , Florian Fainelli , Wang Hai , YueHaibing , Amritha Nambiar , Dmitry Torokhov , netdev@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH 1/3] bridge: Fix error path for kobject_init_and_add() Message-ID: <20190430152312.GB13709@lindsey> References: <20190430002817.10785-1-tobin@kernel.org> <20190430002817.10785-2-tobin@kernel.org> <20190430151437.GA13709@lindsey> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20190430151437.GA13709@lindsey> User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2019-04-30 10:14:37, Tyler Hicks wrote: > On 2019-04-30 10:28:15, Tobin C. Harding wrote: > > Currently error return from kobject_init_and_add() is not followed by a > > call to kobject_put(). This means there is a memory leak. > > > > Add call to kobject_put() in error path of kobject_init_and_add(). > > > > Signed-off-by: Tobin C. Harding > > --- > > net/bridge/br_if.c | 4 +++- > > 1 file changed, 3 insertions(+), 1 deletion(-) > > > > diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c > > index 41f0a696a65f..e5c8c9941c51 100644 > > --- a/net/bridge/br_if.c > > +++ b/net/bridge/br_if.c > > @@ -607,8 +607,10 @@ int br_add_if(struct net_bridge *br, struct net_device *dev, > > > > err = kobject_init_and_add(&p->kobj, &brport_ktype, &(dev->dev.kobj), > > SYSFS_BRIDGE_PORT_ATTR); > > - if (err) > > + if (err) { > > + kobject_put(&p->kobj); > > goto err1; > > + } > > I think this is duplicating the code under the err2 label and doing so > in a way that would introduce a double free. > > If the refcount hits 0 in the kobject_put(), release_nbp() is called > which calls kfree() on the p pointer. However, the p pointer is never > set to NULL like what's done under the err2 label. Once we're back in > br_add_if(), kfree() is called on the p pointer again just before > returning. > > I think it would be better if you just jumped to the err2 label instead > of err1. err1 will no longer be used so, unfortunately, you'll have to > refactor all the labels at the same time. I noticed that the last paragraph is bad advice after looking at patch #2 in this series. I guess you'd be better off calling kobject_put(), setting p to NULL (the only thing that's missing), and jumping to err1 in this patch. Tyler > > Tyler > > > > > err = br_sysfs_addif(p); > > if (err) > > -- > > 2.21.0 > >