Received: by 2002:a25:7ec1:0:0:0:0:0 with SMTP id z184csp4301172ybc;
        Fri, 15 Nov 2019 02:22:47 -0800 (PST)
X-Google-Smtp-Source: APXvYqyu1tz6mDIMFIdpQzS8Nl3EjPmLfDtlJpcQZMvCNjDra4JaT/PJ8htnYZQpf/DFhyk3XS8a
X-Received: by 2002:a7b:c18c:: with SMTP id y12mr14104804wmi.145.1573813367383;
        Fri, 15 Nov 2019 02:22:47 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1573813367; cv=none;
        d=google.com; s=arc-20160816;
        b=O0RozEDm35TspR6G3iOsdHOCuzfqy5MWW5j+DQntPkkJMzEyVqFAn7cc6/GIx8dPyV
         c+HA9DxQYblGN42JFXcdcX1KPM5HqgVibD377FTPAp7nmhRFuL6JyQGHPlx/K/sch7qk
         ukuqMbs3BeNn4CF0d45Vdl0bT/xe44OwakX5nTfkdgqkqKZkGLmnXsQV0QCbY/5pzytu
         S/znTcGM4VJgAARzIjllQrCIZC8tEhC2Ct8Cu8xfV43vxY8il9XtRp02EKrQCi8jUYQb
         nQiXpQlBwjeIzvKImX6e+wgrA8vTahWcDDaqXYh7fRqL1lo09Tl4XI1utlbiF3G0ooYb
         AsMw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-transfer-encoding:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date:dkim-signature;
        bh=8c177DxH/Ax6/WDczxechx733gB1159rlBy+5rYUtqk=;
        b=Kj98xIGGdxccuajXQPL+VqdrgatN9rDilRFY17gP2XWnmkI2RxwLKOOUZxGPyiYrbW
         FjwwP9PjCHuvYIZrXjoAIDYv19R8qZyRo9fUaZ0riTeem+K2XS72pF8gCEmSZey2BPp/
         AJIYe4jn6zMczZd7p59sgrlrZ5OJAonrxARbht45b6nv2q7aageVIXIlIYiwdQ7+kXQE
         my8ae+ztvL9ilgS+UyTQpFpM0GlUOIx9wkpw2zDtIstOJVDXQIRJqaikg/dUcW3i4ad5
         jkVdXJOEpo/4XShePPRlhI89vOC+cYbVh/I/Y8V6ZS9WEiDF6F3zREw+xnPNKD2VcK7v
         X7BQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=By8G6G5e;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id l5si5503844edv.108.2019.11.15.02.22.22;
        Fri, 15 Nov 2019 02:22:47 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=By8G6G5e;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727642AbfKOKTG (ORCPT <rfc822;luizmacielfranco@gmail.com>
        + 99 others); Fri, 15 Nov 2019 05:19:06 -0500
Received: from mail.kernel.org ([198.145.29.99]:45934 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1725829AbfKOKTG (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 15 Nov 2019 05:19:06 -0500
Received: from localhost (unknown [104.132.150.99])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 8604420718;
        Fri, 15 Nov 2019 10:19:04 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1573813145;
        bh=NZ63NmQNdqqOg8QZk/cSBZAcCPCaW4OKgvlGkuOPuu8=;
        h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
        b=By8G6G5e28iA0Gr4bOhEr021LSlPDBGfHVO0N5aCMvrVTJJvlcseP8YM2r4e+EJYq
         TQQAo+FYUxYBJ7e2EpyKYTq3uMup1e9SWyd6iEUlzU7hd8hRDAKNDTxWgS8qc3CwBU
         xaheU4z7POPb7ogz3JHCyaVaoGyErw0LNtkwTLPY=
Date:   Fri, 15 Nov 2019 18:19:02 +0800
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     Jouni =?iso-8859-1?Q?H=F6gander?= <jouni.hogander@unikie.com>
Cc:     linux-kernel@vger.kernel.org,
        "Rafael J. Wysocki" <rafael@kernel.org>,
        Lukas Bulwahn <lukas.bulwahn@gmail.com>
Subject: Re: [PATCH] drivers/base: Fix memory leak in error paths
Message-ID: <20191115101902.GB337025@kroah.com>
References: <20191114121840.5585-1-jouni.hogander@unikie.com>
 <20191115032603.GG793701@kroah.com>
 <878soha7tc.fsf@unikie.com>
 <20191115082022.GB55909@kroah.com>
 <8736epa202.fsf@unikie.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <8736epa202.fsf@unikie.com>
User-Agent: Mutt/1.12.2 (2019-09-21)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Nov 15, 2019 at 12:05:17PM +0200, Jouni H?gander wrote:
> Greg Kroah-Hartman <gregkh@linuxfoundation.org> writes:
> 
> >> >> This memory leak was reported by Syzkaller:
> >> >> 
> >> >> BUG: memory leak unreferenced object 0xffff8880675ca008 (size 256):
> >> >>   comm "netdev_register", pid 281, jiffies 4294696663 (age 6.808s)
> >> >>   hex dump (first 32 bytes):
> >> >>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> >> >>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> >> >>   backtrace:
> >> >>     [<0000000058ca4711>] kmem_cache_alloc_trace+0x167/0x280
> >> >>     [<000000002340019b>] device_add+0x882/0x1750
> >> >>     [<000000001d588c3a>] netdev_register_kobject+0x128/0x380
> >> >>     [<0000000011ef5535>] register_netdevice+0xa1b/0xf00
> >> >>     [<000000007fcf1c99>] __tun_chr_ioctl+0x20d5/0x3dd0
> >> >>     [<000000006a5b7b2b>] tun_chr_ioctl+0x2f/0x40
> >> >>     [<00000000f30f834a>] do_vfs_ioctl+0x1c7/0x1510
> >> >>     [<00000000fba062ea>] ksys_ioctl+0x99/0xb0
> >> >>     [<00000000b1c1b8d2>] __x64_sys_ioctl+0x78/0xb0
> >> >>     [<00000000984cabb9>] do_syscall_64+0x16f/0x580
> >> >>     [<000000000bde033d>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> >> >>     [<00000000e6ca2d9f>] 0xffffffffffffffff
> >> >
> >> > How is this a leak?  This is in device_add(), not removing the device.
> >> > When the structure really is freed then it can be removed.
> >> 
> >> In net/core/net-sysfs.c:netdev_register_kobject device_add allocates
> >> dev->p. Now if register_queue_kobjects fails the error path is calling
> >> device_del and dev->p is never freed. Proper fix here could be to call
> >> put_device after device_del?
> >
> > Hm, this sounds like you have a reference count leak here, as
> > put_device() should be properly called already in this case.  You might
> > want to look further to see where exactly the register_queue_kobjects()
> > call fails in order to see if we grabbed a reference we forgot to put
> > back on an error path.
> 
> Ok, did some more debugging on
> this. net/core/net-sysfs.c:netdev_register_kobject is doing
> device_initialize(dev). This is in
> drivers/base/core.c:device_initialize:
> 
>  * NOTE: Use put_device() to give up your reference instead of freeing
>  * @dev directly once you have called this function.
> 
> My understanding is that remaining reference on error path is taken by
> device_initialize and as instructed in the note above it should be given
> up using put_device?

Yes, that is correct.

> Tested this and it's fixing the memory leak I found in my Syzkaller
> exercise. Addition to that it seems to be fixing also this one:
> 
> https://syzkaller.appspot.com/bug?id=f5f4af9fb9ffb3112ad6e30f717f769decdccdfc

Great!  Care to submit a patch for this?

thanks,

greg k-h