[PATCH] phy: fix phy_device_free memory leak

[PATCH] phy: fix phy_device_free memory leak

[Petr Malat]

From: Petr Malat <oss@malat.biz>

Fix memory leak in phy_device_free() for the case when phy_device*
returned by phy_device_create() is not registered in the system.
Signed-off-by: Petr Malat <oss@malat.biz>
---
Bug description:
phy_device_create() sets name of kobject using dev_set_name(), which 
allocates memory using kvasprintf(), but this memory isn't freed if 
the underlying device isn't registered properly, because kobject_cleanup()
is not called in that case. This can happen (and actually is happening on 
our machines) if phy_device_register(), called by mdiobus_scan(), fails. 

Patch description:
Name is freed by phy_device_free(). In the case a device is released 
trough kobject_cleanup()->device_release()->phy_device_release(), the name
is set to NULL and it is not freed by phy_device_free(), because it will 
be freed later by kobject_cleanup().

Please put me on CC, I'm not signed into the mailing list.

--- linux-v2.6.32.60.orig/drivers/net/phy/phy_device.c	2013-02-06 19:44:11.000000000 +0100
+++ linux-v2.6.32.60/drivers/net/phy/phy_device.c	2013-02-06 20:56:57.000000000 +0100
@@ -41,12 +41,16 @@ MODULE_LICENSE("GPL");
 
 void phy_device_free(struct phy_device *phydev)
 {
+	kfree(phydev->dev.kobj.name);
 	kfree(phydev);
 }
 EXPORT_SYMBOL(phy_device_free);
 
 static void phy_device_release(struct device *dev)
 {
+	/* Name will be freed by kobject_cleanup() */
+	dev->kobj.name = NULL; 
+
 	phy_device_free(to_phy_device(dev));
 }
 

Re: [PATCH] phy: fix phy_device_free memory leak

[David Miller]

From: Petr Malat <oss@malat.biz>
Date: Mon, 11 Feb 2013 12:28:27 +0100

> From: Petr Malat <oss@malat.biz>
> 
> Fix memory leak in phy_device_free() for the case when phy_device*
> returned by phy_device_create() is not registered in the system.
> Signed-off-by: Petr Malat <oss@malat.biz>
> ---
> Bug description:
> phy_device_create() sets name of kobject using dev_set_name(), which 
> allocates memory using kvasprintf(), but this memory isn't freed if 
> the underlying device isn't registered properly, because kobject_cleanup()
> is not called in that case. This can happen (and actually is happening on 
> our machines) if phy_device_register(), called by mdiobus_scan(), fails. 
> 
> Patch description:
> Name is freed by phy_device_free(). In the case a device is released 
> trough kobject_cleanup()->device_release()->phy_device_release(), the name
> is set to NULL and it is not freed by phy_device_free(), because it will 
> be freed later by kobject_cleanup().

All of this descriptive information belongs in the commit message
proper.

[PATCH] phy: fix phy_device_free memory leak

[Petr Malat]

From: Petr Malat <oss@malat.biz>

Fix memory leak in phy_device_free() for the case when phy_device*
returned by phy_device_create() is not registered in the system.

Bug description:
phy_device_create() sets name of kobject using dev_set_name(), which 
allocates memory using kvasprintf(), but this memory isn't freed if 
the underlying device isn't registered properly, because kobject_cleanup()
is not called in that case. This can happen (and actually is happening on 
our machines) if phy_device_register(), called by mdiobus_scan(), fails. 

Patch description:
Name is freed by phy_device_free(). In the case a device is released 
trough kobject_cleanup()->device_release()->phy_device_release(), the name
is set to NULL and it is not freed by phy_device_free(), because it will 
be freed later by kobject_cleanup().

Signed-off-by: Petr Malat <oss@malat.biz>
---
Please put me on CC, I'm not signed into the mailing list.

--- linux-v2.6.32.60.orig/drivers/net/phy/phy_device.c	2013-02-06 19:44:11.000000000 +0100
+++ linux-v2.6.32.60/drivers/net/phy/phy_device.c	2013-02-06 20:56:57.000000000 +0100
@@ -41,12 +41,16 @@ MODULE_LICENSE("GPL");
 
 void phy_device_free(struct phy_device *phydev)
 {
+	kfree(phydev->dev.kobj.name);
 	kfree(phydev);
 }
 EXPORT_SYMBOL(phy_device_free);
 
 static void phy_device_release(struct device *dev)
 {
+	/* Name will be freed by kobject_cleanup() */
+	dev->kobj.name = NULL; 
+
 	phy_device_free(to_phy_device(dev));
 }
 

Re: [PATCH] phy: fix phy_device_free memory leak

[David Miller]

From: Petr Malat <oss@malat.biz>
Date: Tue, 19 Feb 2013 20:36:46 +0100

> From: Petr Malat <oss@malat.biz>
> 
> Fix memory leak in phy_device_free() for the case when phy_device*
> returned by phy_device_create() is not registered in the system.
> 
> Bug description:
> phy_device_create() sets name of kobject using dev_set_name(), which 
> allocates memory using kvasprintf(), but this memory isn't freed if 
> the underlying device isn't registered properly, because kobject_cleanup()
> is not called in that case. This can happen (and actually is happening on 
> our machines) if phy_device_register(), called by mdiobus_scan(), fails. 
> 
> Patch description:
> Name is freed by phy_device_free(). In the case a device is released 
> trough kobject_cleanup()->device_release()->phy_device_release(), the name
> is set to NULL and it is not freed by phy_device_free(), because it will 
> be freed later by kobject_cleanup().
> 
> Signed-off-by: Petr Malat <oss@malat.biz>
> ---
> Please put me on CC, I'm not signed into the mailing list.

I think it's cleaner to have phy_device_register() use the kobject
reference count properly.

Have it first go:

	device_initialize(&phydev->dev);

And change the device_register() to device_add().

Finally, on the failure paths, do a put_device().

No funny NULL pointer assignments and state to maintainer, just using
kobject reference counting to handle it all transparently.