Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
From:   jouni.hogander@unikie.com
To:     linux-kernel@vger.kernel.org
Cc:     Jouni Hogander <jouni.hogander@unikie.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        "Rafael J. Wysocki" <rafael@kernel.org>,
        Lukas Bulwahn <lukas.bulwahn@gmail.com>
Subject: [PATCH] drivers/base: Fix memory leak in error paths
Date:   Thu, 14 Nov 2019 14:18:40 +0200
Message-Id: <20191114121840.5585-1-jouni.hogander@unikie.com>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk

From: Jouni Hogander <jouni.hogander@unikie.com>

Currently error paths are using device_del to clean-up preparations
done by device_add. This is causing memory leak as free of dev->p
allocated in device_add is freed in device_release. This is fixed by
moving freeing dev->p to counterpart of device_add i.e. device_del.

This memory leak was reported by Syzkaller:

BUG: memory leak unreferenced object 0xffff8880675ca008 (size 256):
  comm "netdev_register", pid 281, jiffies 4294696663 (age 6.808s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  backtrace:
    [<0000000058ca4711>] kmem_cache_alloc_trace+0x167/0x280
    [<000000002340019b>] device_add+0x882/0x1750
    [<000000001d588c3a>] netdev_register_kobject+0x128/0x380
    [<0000000011ef5535>] register_netdevice+0xa1b/0xf00
    [<000000007fcf1c99>] __tun_chr_ioctl+0x20d5/0x3dd0
    [<000000006a5b7b2b>] tun_chr_ioctl+0x2f/0x40
    [<00000000f30f834a>] do_vfs_ioctl+0x1c7/0x1510
    [<00000000fba062ea>] ksys_ioctl+0x99/0xb0
    [<00000000b1c1b8d2>] __x64_sys_ioctl+0x78/0xb0
    [<00000000984cabb9>] do_syscall_64+0x16f/0x580
    [<000000000bde033d>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
    [<00000000e6ca2d9f>] 0xffffffffffffffff

Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: "Rafael J. Wysocki" <rafael@kernel.org>
Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
Signed-off-by: Jouni Hogander <jouni.hogander@unikie.com>
---
 drivers/base/core.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/base/core.c b/drivers/base/core.c
index 7bd9cd366d41..cb4b27e82a9f 100644
--- a/drivers/base/core.c
+++ b/drivers/base/core.c
@@ -1080,7 +1080,6 @@ EXPORT_SYMBOL_GPL(device_show_bool);
 static void device_release(struct kobject *kobj)
 {
 	struct device *dev = kobj_to_dev(kobj);
-	struct device_private *p = dev->p;
 
 	/*
 	 * Some platform devices are driven without driver attached
@@ -1102,7 +1101,6 @@ static void device_release(struct kobject *kobj)
 	else
 		WARN(1, KERN_ERR "Device '%s' does not have a release() function, it is broken and must be fixed. See Documentation/kobject.txt.\n",
 			dev_name(dev));
-	kfree(p);
 }
 
 static const void *device_namespace(struct kobject *kobj)
@@ -2388,6 +2386,7 @@ void device_del(struct device *dev)
 	kobject_del(&dev->kobj);
 	cleanup_glue_dir(dev, glue_dir);
 	put_device(parent);
+	kfree(dev->p);
 }
 EXPORT_SYMBOL_GPL(device_del);
 
-- 
2.17.1