[PATCH] net-sysfs: Fix memory leak in netdev_register_kobject

[PATCH] net-sysfs: Fix memory leak in netdev_register_kobject

[Wang Hai]

When registering struct net_device, it will call
	register_netdevice ->
		netdev_register_kobject ->
			device_add(dev)
			register_queue_kobjects(ndev)

If device_add(dev) or register_queue_kobjects(ndev) fails.
Register_netdevice() will return error, causing netdev_freemem(ndev)
to be called to free net_device, however (&ndev->dev)->kobj.name will
not be freed, resulting in a memory leak.

syzkaller report this:
BUG: memory leak
unreferenced object 0xffff8881f4fad168 (size 8):
comm "syz-executor.0", pid 3575, jiffies 4294778002 (age 20.134s)
hex dump (first 8 bytes):
  77 70 61 6e 30 00 ff ff                          wpan0...
backtrace:
  [<000000006d2d91d7>] kstrdup_const+0x3d/0x50 mm/util.c:73
  [<00000000ba9ff953>] kvasprintf_const+0x112/0x170 lib/kasprintf.c:48
  [<000000005555ec09>] kobject_set_name_vargs+0x55/0x130 lib/kobject.c:281
  [<0000000098d28ec3>] dev_set_name+0xbb/0xf0 drivers/base/core.c:1915
  [<00000000b7553017>] netdev_register_kobject+0xc0/0x410 net/core/net-sysfs.c:1727
  [<00000000c826a797>] register_netdevice+0xa51/0xeb0 net/core/dev.c:8711
  [<00000000857bfcfd>] cfg802154_update_iface_num.isra.2+0x13/0x90 [ieee802154]
  [<000000003126e453>] ieee802154_llsec_fill_key_id+0x1d5/0x570 [ieee802154]
  [<00000000e4b3df51>] 0xffffffffc1500e0e
  [<00000000b4319776>] platform_drv_probe+0xc6/0x180 drivers/base/platform.c:614
  [<0000000037669347>] really_probe+0x491/0x7c0 drivers/base/dd.c:509
  [<000000008fed8862>] driver_probe_device+0xdc/0x240 drivers/base/dd.c:671
  [<00000000baf52041>] device_driver_attach+0xf2/0x130 drivers/base/dd.c:945
  [<00000000c7cc8dec>] __driver_attach+0x10e/0x210 drivers/base/dd.c:1022
  [<0000000057a757c2>] bus_for_each_dev+0x154/0x1e0 drivers/base/bus.c:304
  [<000000005f5ae04b>] bus_add_driver+0x427/0x5e0 drivers/base/bus.c:645

Reported-by: Hulk Robot <hulkci@huawei.com>
Fixes: 1d24eb4815d1 ("xps: Transmit Packet Steering")
Signed-off-by: Wang Hai <wanghai26@huawei.com>
---
 net/core/net-sysfs.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
index 4ff661f..f0e53dc 100644
--- a/net/core/net-sysfs.c
+++ b/net/core/net-sysfs.c
@@ -1745,17 +1745,22 @@ int netdev_register_kobject(struct net_device *ndev)
 
 	error = device_add(dev);
 	if (error)
-		return error;
+		goto device_add_error;
 
 	error = register_queue_kobjects(ndev);
-	if (error) {
-		device_del(dev);
-		return error;
-	}
+	if (error)
+		goto register_error;
 
 	pm_runtime_set_memalloc_noio(dev, true);
 
+out:
 	return error;
+
+register_error:
+	device_del(dev);
+device_add_error:
+	kfree_const(dev->kobj.name);
+	goto out;
 }
 
 int netdev_class_create_file_ns(const struct class_attribute *class_attr,
-- 
1.8.3.1

Re: [PATCH] net-sysfs: Fix memory leak in netdev_register_kobject

[Stephen Hemminger]

On Tue, 19 Mar 2019 01:06:57 -0400
Wang Hai <wanghai26@huawei.com> wrote:

> When registering struct net_device, it will call
> 	register_netdevice ->
> 		netdev_register_kobject ->
> 			device_add(dev)
> 			register_queue_kobjects(ndev)
> 
> If device_add(dev) or register_queue_kobjects(ndev) fails.
> Register_netdevice() will return error, causing netdev_freemem(ndev)
> to be called to free net_device, however (&ndev->dev)->kobj.name will
> not be freed, resulting in a memory leak.
> 
> syzkaller report this:
> BUG: memory leak
> unreferenced object 0xffff8881f4fad168 (size 8):
> comm "syz-executor.0", pid 3575, jiffies 4294778002 (age 20.134s)
> hex dump (first 8 bytes):
>   77 70 61 6e 30 00 ff ff                          wpan0...
> backtrace:
>   [<000000006d2d91d7>] kstrdup_const+0x3d/0x50 mm/util.c:73
>   [<00000000ba9ff953>] kvasprintf_const+0x112/0x170 lib/kasprintf.c:48
>   [<000000005555ec09>] kobject_set_name_vargs+0x55/0x130 lib/kobject.c:281
>   [<0000000098d28ec3>] dev_set_name+0xbb/0xf0 drivers/base/core.c:1915
>   [<00000000b7553017>] netdev_register_kobject+0xc0/0x410 net/core/net-sysfs.c:1727
>   [<00000000c826a797>] register_netdevice+0xa51/0xeb0 net/core/dev.c:8711
>   [<00000000857bfcfd>] cfg802154_update_iface_num.isra.2+0x13/0x90 [ieee802154]
>   [<000000003126e453>] ieee802154_llsec_fill_key_id+0x1d5/0x570 [ieee802154]
>   [<00000000e4b3df51>] 0xffffffffc1500e0e
>   [<00000000b4319776>] platform_drv_probe+0xc6/0x180 drivers/base/platform.c:614
>   [<0000000037669347>] really_probe+0x491/0x7c0 drivers/base/dd.c:509
>   [<000000008fed8862>] driver_probe_device+0xdc/0x240 drivers/base/dd.c:671
>   [<00000000baf52041>] device_driver_attach+0xf2/0x130 drivers/base/dd.c:945
>   [<00000000c7cc8dec>] __driver_attach+0x10e/0x210 drivers/base/dd.c:1022
>   [<0000000057a757c2>] bus_for_each_dev+0x154/0x1e0 drivers/base/bus.c:304
>   [<000000005f5ae04b>] bus_add_driver+0x427/0x5e0 drivers/base/bus.c:645
> 
> Reported-by: Hulk Robot <hulkci@huawei.com>
> Fixes: 1d24eb4815d1 ("xps: Transmit Packet Steering")
> Signed-off-by: Wang Hai <wanghai26@huawei.com>
> ---
>  net/core/net-sysfs.c | 15 ++++++++++-----
>  1 file changed, 10 insertions(+), 5 deletions(-)
> 
> diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
> index 4ff661f..f0e53dc 100644
> --- a/net/core/net-sysfs.c
> +++ b/net/core/net-sysfs.c
> @@ -1745,17 +1745,22 @@ int netdev_register_kobject(struct net_device *ndev)
>  
>  	error = device_add(dev);
>  	if (error)
> -		return error;
> +		goto device_add_error;
>  
>  	error = register_queue_kobjects(ndev);
> -	if (error) {
> -		device_del(dev);
> -		return error;
> -	}
> +	if (error)
> +		goto register_error;
>  
>  	pm_runtime_set_memalloc_noio(dev, true);
>  
> +out:
>  	return error;
> +
> +register_error:
> +	device_del(dev);
> +device_add_error:
> +	kfree_const(dev->kobj.name);

This looks a bug in device_add() not here.
In general, it is better for an api to clean up after itself.
Since dev->kobj.name is created in device_add and normally freed
in device_del; why is device_add leaving it behind?

Re: [PATCH] net-sysfs: Fix memory leak in netdev_register_kobject

[Andy Shevchenko]

On Mon, Mar 18, 2019 at 08:57:24AM -0700, Stephen Hemminger wrote:
> On Tue, 19 Mar 2019 01:06:57 -0400
> Wang Hai <wanghai26@huawei.com> wrote:
> 
> > When registering struct net_device, it will call
> > 	register_netdevice ->
> > 		netdev_register_kobject ->
> > 			device_add(dev)
> > 			register_queue_kobjects(ndev)
> > 
> > If device_add(dev) or register_queue_kobjects(ndev) fails.
> > Register_netdevice() will return error, causing netdev_freemem(ndev)
> > to be called to free net_device, however (&ndev->dev)->kobj.name will
> > not be freed, resulting in a memory leak.
> > 
> > syzkaller report this:
> > BUG: memory leak
> > unreferenced object 0xffff8881f4fad168 (size 8):
> > comm "syz-executor.0", pid 3575, jiffies 4294778002 (age 20.134s)
> > hex dump (first 8 bytes):
> >   77 70 61 6e 30 00 ff ff                          wpan0...
> > backtrace:
> >   [<000000006d2d91d7>] kstrdup_const+0x3d/0x50 mm/util.c:73
> >   [<00000000ba9ff953>] kvasprintf_const+0x112/0x170 lib/kasprintf.c:48
> >   [<000000005555ec09>] kobject_set_name_vargs+0x55/0x130 lib/kobject.c:281
> >   [<0000000098d28ec3>] dev_set_name+0xbb/0xf0 drivers/base/core.c:1915
> >   [<00000000b7553017>] netdev_register_kobject+0xc0/0x410 net/core/net-sysfs.c:1727
> >   [<00000000c826a797>] register_netdevice+0xa51/0xeb0 net/core/dev.c:8711
> >   [<00000000857bfcfd>] cfg802154_update_iface_num.isra.2+0x13/0x90 [ieee802154]
> >   [<000000003126e453>] ieee802154_llsec_fill_key_id+0x1d5/0x570 [ieee802154]
> >   [<00000000e4b3df51>] 0xffffffffc1500e0e
> >   [<00000000b4319776>] platform_drv_probe+0xc6/0x180 drivers/base/platform.c:614
> >   [<0000000037669347>] really_probe+0x491/0x7c0 drivers/base/dd.c:509
> >   [<000000008fed8862>] driver_probe_device+0xdc/0x240 drivers/base/dd.c:671
> >   [<00000000baf52041>] device_driver_attach+0xf2/0x130 drivers/base/dd.c:945
> >   [<00000000c7cc8dec>] __driver_attach+0x10e/0x210 drivers/base/dd.c:1022
> >   [<0000000057a757c2>] bus_for_each_dev+0x154/0x1e0 drivers/base/bus.c:304
> >   [<000000005f5ae04b>] bus_add_driver+0x427/0x5e0 drivers/base/bus.c:645
> > 
> > Reported-by: Hulk Robot <hulkci@huawei.com>
> > Fixes: 1d24eb4815d1 ("xps: Transmit Packet Steering")
> > Signed-off-by: Wang Hai <wanghai26@huawei.com>
> > ---
> >  net/core/net-sysfs.c | 15 ++++++++++-----
> >  1 file changed, 10 insertions(+), 5 deletions(-)
> > 
> > diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
> > index 4ff661f..f0e53dc 100644
> > --- a/net/core/net-sysfs.c
> > +++ b/net/core/net-sysfs.c
> > @@ -1745,17 +1745,22 @@ int netdev_register_kobject(struct net_device *ndev)
> >  
> >  	error = device_add(dev);
> >  	if (error)
> > -		return error;
> > +		goto device_add_error;
> >  
> >  	error = register_queue_kobjects(ndev);
> > -	if (error) {
> > -		device_del(dev);
> > -		return error;
> > -	}
> > +	if (error)
> > +		goto register_error;
> >  
> >  	pm_runtime_set_memalloc_noio(dev, true);
> >  
> > +out:
> >  	return error;
> > +
> > +register_error:
> > +	device_del(dev);
> > +device_add_error:
> > +	kfree_const(dev->kobj.name);
> 
> This looks a bug in device_add() not here.
> In general, it is better for an api to clean up after itself.
> Since dev->kobj.name is created in device_add and normally freed
> in device_del; why is device_add leaving it behind?

It's more likely the bug in syzkaller.

Look at the kobject_cleanup() last lines of code...

-- 
With Best Regards,
Andy Shevchenko

Re: [PATCH] net-sysfs: Fix memory leak in netdev_register_kobject

[Andy Shevchenko]

On Tue, Mar 19, 2019 at 11:19:24AM +0800, wanghai (M) wrote:
> 
> 在 2019/3/19 0:19, Andy Shevchenko 写道:
> > On Mon, Mar 18, 2019 at 08:57:24AM -0700, Stephen Hemminger wrote:
> > > On Tue, 19 Mar 2019 01:06:57 -0400
> > > Wang Hai <wanghai26@huawei.com> wrote:

> > > This looks a bug in device_add() not here.
> > > In general, it is better for an api to clean up after itself.
> > > Since dev->kobj.name is created in device_add and normally freed
> > > in device_del; why is device_add leaving it behind?
> > It's more likely the bug in syzkaller.
> > 
> > Look at the kobject_cleanup() last lines of code...
> If device_add(dev) or register_queue_kobjects(ndev) fails,
> In register_netdevice(), dev-> reg_state = NETREG_UNINITIALIZED and returns
> an error, causing put_device(&dev-> dev) -> ..-> kobject_cleanup() not to be
> called.

OK, that's true, but your patch is wrong.
See error handling in device_create_groups_vargs() for example.

-- 
With Best Regards,
Andy Shevchenko

Re: [PATCH] net-sysfs: Fix memory leak in netdev_register_kobject

[Andy Shevchenko]

On Tue, Mar 19, 2019 at 08:17:01PM +0800, wanghai (M) wrote:
> 在 2019/3/19 18:30, Andy Shevchenko 写道:
> > On Tue, Mar 19, 2019 at 11:19:24AM +0800, wanghai (M) wrote:
> > > 在 2019/3/19 0:19, Andy Shevchenko 写道:

> > > If device_add(dev) or register_queue_kobjects(ndev) fails,
> > > In register_netdevice(), dev-> reg_state = NETREG_UNINITIALIZED and returns
> > > an error, causing put_device(&dev-> dev) -> ..-> kobject_cleanup() not to be
> > > called.
> > OK, that's true, but your patch is wrong.
> > See error handling in device_create_groups_vargs() for example.

> Hi Andy
> Thanks for your advice. I understand the problem of my patch.
> Can you help me see if it can be fixed like this?
> 
> diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
> index 4ff661f..6fe5b8e 100644
> --- a/net/core/net-sysfs.c
> +++ b/net/core/net-sysfs.c
> @@ -1745,17 +1745,21 @@ int netdev_register_kobject(struct net_device *ndev)
> 
>         error = device_add(dev);
>         if (error)
> -               return error;
> +               goto device_add_error;

This part seems correct now.

>         error = register_queue_kobjects(ndev);
> -       if (error) {
> -               device_del(dev);
> -               return error;
> -       }
> +       if (error)
> +               goto register_error;

Yes, seems correct order here, i.e. device_del() followed by put_device().

> 
>         pm_runtime_set_memalloc_noio(dev, true);
> 

> +out:

Better

	return 0;

>         return error;
> +register_error:

Better to describe what you will do here, i.e.

error_device_del:

> +       device_del(dev);

> +device_add_error:

Ditto.

error_put_device:

> +       put_device(dev);

> +       goto out;

Better

	return error;

>  }

-- 
With Best Regards,
Andy Shevchenko

Re: [PATCH] net-sysfs: Fix memory leak in netdev_register_kobject

[Stephen Hemminger]

On Tue, 19 Mar 2019 20:17:01 +0800
"wanghai (M)" <wanghai26@huawei.com> wrote:

> +out:
>          return error;
> +register_error:
> +       device_del(dev);
> +device_add_error:
> +       put_device(dev);
> +       goto out;

Everything looks fine, but I would redo the last part without
the last goto out. Using a goto back to single return reduces
readability.

	if (error)
               goto register_error;
        
	pm_runtime_set_memalloc_noio(dev, true);
	return 0;

register_error:
      device_del(dev);
device_add_error:
       put_device(dev);
       return error;

Re: [PATCH] net-sysfs: Fix memory leak in netdev_register_kobject

[wanghai (M)]

在 2019/3/18 23:57, Stephen Hemminger 写道:
> On Tue, 19 Mar 2019 01:06:57 -0400
> Wang Hai <wanghai26@huawei.com> wrote:
>
>> When registering struct net_device, it will call
>> 	register_netdevice ->
>> 		netdev_register_kobject ->
>> 			device_add(dev)
>> 			register_queue_kobjects(ndev)
>>
>> If device_add(dev) or register_queue_kobjects(ndev) fails.
>> Register_netdevice() will return error, causing netdev_freemem(ndev)
>> to be called to free net_device, however (&ndev->dev)->kobj.name will
>> not be freed, resulting in a memory leak.
>>
>> syzkaller report this:
>> BUG: memory leak
>> unreferenced object 0xffff8881f4fad168 (size 8):
>> comm "syz-executor.0", pid 3575, jiffies 4294778002 (age 20.134s)
>> hex dump (first 8 bytes):
>>    77 70 61 6e 30 00 ff ff                          wpan0...
>> backtrace:
>>    [<000000006d2d91d7>] kstrdup_const+0x3d/0x50 mm/util.c:73
>>    [<00000000ba9ff953>] kvasprintf_const+0x112/0x170 lib/kasprintf.c:48
>>    [<000000005555ec09>] kobject_set_name_vargs+0x55/0x130 lib/kobject.c:281
>>    [<0000000098d28ec3>] dev_set_name+0xbb/0xf0 drivers/base/core.c:1915
>>    [<00000000b7553017>] netdev_register_kobject+0xc0/0x410 net/core/net-sysfs.c:1727
>>    [<00000000c826a797>] register_netdevice+0xa51/0xeb0 net/core/dev.c:8711
>>    [<00000000857bfcfd>] cfg802154_update_iface_num.isra.2+0x13/0x90 [ieee802154]
>>    [<000000003126e453>] ieee802154_llsec_fill_key_id+0x1d5/0x570 [ieee802154]
>>    [<00000000e4b3df51>] 0xffffffffc1500e0e
>>    [<00000000b4319776>] platform_drv_probe+0xc6/0x180 drivers/base/platform.c:614
>>    [<0000000037669347>] really_probe+0x491/0x7c0 drivers/base/dd.c:509
>>    [<000000008fed8862>] driver_probe_device+0xdc/0x240 drivers/base/dd.c:671
>>    [<00000000baf52041>] device_driver_attach+0xf2/0x130 drivers/base/dd.c:945
>>    [<00000000c7cc8dec>] __driver_attach+0x10e/0x210 drivers/base/dd.c:1022
>>    [<0000000057a757c2>] bus_for_each_dev+0x154/0x1e0 drivers/base/bus.c:304
>>    [<000000005f5ae04b>] bus_add_driver+0x427/0x5e0 drivers/base/bus.c:645
>>
>> Reported-by: Hulk Robot <hulkci@huawei.com>
>> Fixes: 1d24eb4815d1 ("xps: Transmit Packet Steering")
>> Signed-off-by: Wang Hai <wanghai26@huawei.com>
>> ---
>>   net/core/net-sysfs.c | 15 ++++++++++-----
>>   1 file changed, 10 insertions(+), 5 deletions(-)
>>
>> diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
>> index 4ff661f..f0e53dc 100644
>> --- a/net/core/net-sysfs.c
>> +++ b/net/core/net-sysfs.c
>> @@ -1745,17 +1745,22 @@ int netdev_register_kobject(struct net_device *ndev)
>>   
>>   	error = device_add(dev);
>>   	if (error)
>> -		return error;
>> +		goto device_add_error;
>>   
>>   	error = register_queue_kobjects(ndev);
>> -	if (error) {
>> -		device_del(dev);
>> -		return error;
>> -	}
>> +	if (error)
>> +		goto register_error;
>>   
>>   	pm_runtime_set_memalloc_noio(dev, true);
>>   
>> +out:
>>   	return error;
>> +
>> +register_error:
>> +	device_del(dev);
>> +device_add_error:
>> +	kfree_const(dev->kobj.name);
> This looks a bug in device_add() not here.
> In general, it is better for an api to clean up after itself.
> Since dev->kobj.name is created in device_add and normally freed
> in device_del; why is device_add leaving it behind?\

When registering struct net_device, it will call
register_netdevice ->
     netdev_register_kobject ->
         dev_set_name(dev, "%s", ndev->name)
          device_add(dev)
          register_queue_kobjects(ndev)

The dev->kobj.name that causes the memory leak is created in 
dev_set_name(dev, "%s", ndev-> name) in the function 
netdev_register_kobject(), not in device_add(dev). If device_add(dev) or 
register_queue_kobjects(ndev) fails, it should release dev-> kobj.name 
in netdev_register_kobject()

Re: [PATCH] net-sysfs: Fix memory leak in netdev_register_kobject

[Stephen Hemminger]

On Tue, 19 Mar 2019 11:03:54 +0800
"wanghai (M)" <wanghai26@huawei.com> wrote:

> 在 2019/3/18 23:57, Stephen Hemminger 写道:
> > On Tue, 19 Mar 2019 01:06:57 -0400
> > Wang Hai <wanghai26@huawei.com> wrote:
> >  
> >> When registering struct net_device, it will call
> >> 	register_netdevice ->
> >> 		netdev_register_kobject ->
> >> 			device_add(dev)
> >> 			register_queue_kobjects(ndev)
> >>
> >> If device_add(dev) or register_queue_kobjects(ndev) fails.
> >> Register_netdevice() will return error, causing netdev_freemem(ndev)
> >> to be called to free net_device, however (&ndev->dev)->kobj.name will
> >> not be freed, resulting in a memory leak.
> >>
> >> syzkaller report this:
> >> BUG: memory leak
> >> unreferenced object 0xffff8881f4fad168 (size 8):
> >> comm "syz-executor.0", pid 3575, jiffies 4294778002 (age 20.134s)
> >> hex dump (first 8 bytes):
> >>    77 70 61 6e 30 00 ff ff                          wpan0...
> >> backtrace:
> >>    [<000000006d2d91d7>] kstrdup_const+0x3d/0x50 mm/util.c:73
> >>    [<00000000ba9ff953>] kvasprintf_const+0x112/0x170 lib/kasprintf.c:48
> >>    [<000000005555ec09>] kobject_set_name_vargs+0x55/0x130 lib/kobject.c:281
> >>    [<0000000098d28ec3>] dev_set_name+0xbb/0xf0 drivers/base/core.c:1915
> >>    [<00000000b7553017>] netdev_register_kobject+0xc0/0x410 net/core/net-sysfs.c:1727
> >>    [<00000000c826a797>] register_netdevice+0xa51/0xeb0 net/core/dev.c:8711
> >>    [<00000000857bfcfd>] cfg802154_update_iface_num.isra.2+0x13/0x90 [ieee802154]
> >>    [<000000003126e453>] ieee802154_llsec_fill_key_id+0x1d5/0x570 [ieee802154]
> >>    [<00000000e4b3df51>] 0xffffffffc1500e0e
> >>    [<00000000b4319776>] platform_drv_probe+0xc6/0x180 drivers/base/platform.c:614
> >>    [<0000000037669347>] really_probe+0x491/0x7c0 drivers/base/dd.c:509
> >>    [<000000008fed8862>] driver_probe_device+0xdc/0x240 drivers/base/dd.c:671
> >>    [<00000000baf52041>] device_driver_attach+0xf2/0x130 drivers/base/dd.c:945
> >>    [<00000000c7cc8dec>] __driver_attach+0x10e/0x210 drivers/base/dd.c:1022
> >>    [<0000000057a757c2>] bus_for_each_dev+0x154/0x1e0 drivers/base/bus.c:304
> >>    [<000000005f5ae04b>] bus_add_driver+0x427/0x5e0 drivers/base/bus.c:645
> >>
> >> Reported-by: Hulk Robot <hulkci@huawei.com>
> >> Fixes: 1d24eb4815d1 ("xps: Transmit Packet Steering")
> >> Signed-off-by: Wang Hai <wanghai26@huawei.com>
> >> ---
> >>   net/core/net-sysfs.c | 15 ++++++++++-----
> >>   1 file changed, 10 insertions(+), 5 deletions(-)
> >>
> >> diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
> >> index 4ff661f..f0e53dc 100644
> >> --- a/net/core/net-sysfs.c
> >> +++ b/net/core/net-sysfs.c
> >> @@ -1745,17 +1745,22 @@ int netdev_register_kobject(struct net_device *ndev)
> >>   
> >>   	error = device_add(dev);
> >>   	if (error)
> >> -		return error;
> >> +		goto device_add_error;
> >>   
> >>   	error = register_queue_kobjects(ndev);
> >> -	if (error) {
> >> -		device_del(dev);
> >> -		return error;
> >> -	}
> >> +	if (error)
> >> +		goto register_error;
> >>   
> >>   	pm_runtime_set_memalloc_noio(dev, true);
> >>   
> >> +out:
> >>   	return error;
> >> +
> >> +register_error:
> >> +	device_del(dev);
> >> +device_add_error:
> >> +	kfree_const(dev->kobj.name);  
> > This looks a bug in device_add() not here.
> > In general, it is better for an api to clean up after itself.
> > Since dev->kobj.name is created in device_add and normally freed
> > in device_del; why is device_add leaving it behind?\  
> 
> When registering struct net_device, it will call
> register_netdevice ->
>      netdev_register_kobject ->
>          dev_set_name(dev, "%s", ndev->name)
>           device_add(dev)
>           register_queue_kobjects(ndev)
> 
> The dev->kobj.name that causes the memory leak is created in 
> dev_set_name(dev, "%s", ndev-> name) in the function 
> netdev_register_kobject(), not in device_add(dev). If device_add(dev) or 
> register_queue_kobjects(ndev) fails, it should release dev-> kobj.name 
> in netdev_register_kobject()

Good catch, dev_set_name is using asprintf to allocate new memory
for the name. The problem with your patch is that device_del()
already cleans up the device (including name). The device object
should really not be touched after device_del.

Where is the name freed in the normal case?

Re: [PATCH] net-sysfs: Fix memory leak in netdev_register_kobject

[wanghai (M)]

在 2019/3/19 11:15, Stephen Hemminger 写道:
> On Tue, 19 Mar 2019 11:03:54 +0800
> "wanghai (M)" <wanghai26@huawei.com> wrote:
>
>> 在 2019/3/18 23:57, Stephen Hemminger 写道:
>>> On Tue, 19 Mar 2019 01:06:57 -0400
>>> Wang Hai <wanghai26@huawei.com> wrote:
>>>   
>>>> When registering struct net_device, it will call
>>>> 	register_netdevice ->
>>>> 		netdev_register_kobject ->
>>>> 			device_add(dev)
>>>> 			register_queue_kobjects(ndev)
>>>>
>>>> If device_add(dev) or register_queue_kobjects(ndev) fails.
>>>> Register_netdevice() will return error, causing netdev_freemem(ndev)
>>>> to be called to free net_device, however (&ndev->dev)->kobj.name will
>>>> not be freed, resulting in a memory leak.
>>>>
>>>> syzkaller report this:
>>>> BUG: memory leak
>>>> unreferenced object 0xffff8881f4fad168 (size 8):
>>>> comm "syz-executor.0", pid 3575, jiffies 4294778002 (age 20.134s)
>>>> hex dump (first 8 bytes):
>>>>     77 70 61 6e 30 00 ff ff                          wpan0...
>>>> backtrace:
>>>>     [<000000006d2d91d7>] kstrdup_const+0x3d/0x50 mm/util.c:73
>>>>     [<00000000ba9ff953>] kvasprintf_const+0x112/0x170 lib/kasprintf.c:48
>>>>     [<000000005555ec09>] kobject_set_name_vargs+0x55/0x130 lib/kobject.c:281
>>>>     [<0000000098d28ec3>] dev_set_name+0xbb/0xf0 drivers/base/core.c:1915
>>>>     [<00000000b7553017>] netdev_register_kobject+0xc0/0x410 net/core/net-sysfs.c:1727
>>>>     [<00000000c826a797>] register_netdevice+0xa51/0xeb0 net/core/dev.c:8711
>>>>     [<00000000857bfcfd>] cfg802154_update_iface_num.isra.2+0x13/0x90 [ieee802154]
>>>>     [<000000003126e453>] ieee802154_llsec_fill_key_id+0x1d5/0x570 [ieee802154]
>>>>     [<00000000e4b3df51>] 0xffffffffc1500e0e
>>>>     [<00000000b4319776>] platform_drv_probe+0xc6/0x180 drivers/base/platform.c:614
>>>>     [<0000000037669347>] really_probe+0x491/0x7c0 drivers/base/dd.c:509
>>>>     [<000000008fed8862>] driver_probe_device+0xdc/0x240 drivers/base/dd.c:671
>>>>     [<00000000baf52041>] device_driver_attach+0xf2/0x130 drivers/base/dd.c:945
>>>>     [<00000000c7cc8dec>] __driver_attach+0x10e/0x210 drivers/base/dd.c:1022
>>>>     [<0000000057a757c2>] bus_for_each_dev+0x154/0x1e0 drivers/base/bus.c:304
>>>>     [<000000005f5ae04b>] bus_add_driver+0x427/0x5e0 drivers/base/bus.c:645
>>>>
>>>> Reported-by: Hulk Robot <hulkci@huawei.com>
>>>> Fixes: 1d24eb4815d1 ("xps: Transmit Packet Steering")
>>>> Signed-off-by: Wang Hai <wanghai26@huawei.com>
>>>> ---
>>>>    net/core/net-sysfs.c | 15 ++++++++++-----
>>>>    1 file changed, 10 insertions(+), 5 deletions(-)
>>>>
>>>> diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
>>>> index 4ff661f..f0e53dc 100644
>>>> --- a/net/core/net-sysfs.c
>>>> +++ b/net/core/net-sysfs.c
>>>> @@ -1745,17 +1745,22 @@ int netdev_register_kobject(struct net_device *ndev)
>>>>    
>>>>    	error = device_add(dev);
>>>>    	if (error)
>>>> -		return error;
>>>> +		goto device_add_error;
>>>>    
>>>>    	error = register_queue_kobjects(ndev);
>>>> -	if (error) {
>>>> -		device_del(dev);
>>>> -		return error;
>>>> -	}
>>>> +	if (error)
>>>> +		goto register_error;
>>>>    
>>>>    	pm_runtime_set_memalloc_noio(dev, true);
>>>>    
>>>> +out:
>>>>    	return error;
>>>> +
>>>> +register_error:
>>>> +	device_del(dev);
>>>> +device_add_error:
>>>> +	kfree_const(dev->kobj.name);
>>> This looks a bug in device_add() not here.
>>> In general, it is better for an api to clean up after itself.
>>> Since dev->kobj.name is created in device_add and normally freed
>>> in device_del; why is device_add leaving it behind?\
>> When registering struct net_device, it will call
>> register_netdevice ->
>>       netdev_register_kobject ->
>>           dev_set_name(dev, "%s", ndev->name)
>>            device_add(dev)
>>            register_queue_kobjects(ndev)
>>
>> The dev->kobj.name that causes the memory leak is created in
>> dev_set_name(dev, "%s", ndev-> name) in the function
>> netdev_register_kobject(), not in device_add(dev). If device_add(dev) or
>> register_queue_kobjects(ndev) fails, it should release dev-> kobj.name
>> in netdev_register_kobject()
> Good catch, dev_set_name is using asprintf to allocate new memory
> for the name. The problem with your patch is that device_del()
> already cleans up the device (including name). The device object
> should really not be touched after device_del.
>
> Where is the name freed in the normal case?
>
>
> .
Device_del just delete device from system, but do not clean up 
dev->kobj.name. In normal case,     the name is freed  in 
free_netdev(dev)->put_device(&dev->dev)->kobject_put(&dev->kobj)->kobject_cleanup() 
,not in device_del()

Re: [PATCH] net-sysfs: Fix memory leak in netdev_register_kobject

[Andy Shevchenko]

On Tue, Mar 19, 2019 at 11:39:54AM +0800, wanghai (M) wrote:
> 在 2019/3/19 11:15, Stephen Hemminger 写道:

> Device_del just delete device from system, but do not clean up
> dev->kobj.name.

May I ask how you get this conclusion?

>	In normal case,     the name is freed  in free_netdev(dev)->put_device(&dev->dev)->kobject_put(&dev->kobj)->kobject_cleanup()
> ,not in device_del()

-- 
With Best Regards,
Andy Shevchenko

Re: [PATCH] net-sysfs: Fix memory leak in netdev_register_kobject

[Eric Dumazet]

On 03/18/2019 10:06 PM, Wang Hai wrote:
> When registering struct net_device, it will call
> 	register_netdevice ->
> 		netdev_register_kobject ->
> 			device_add(dev)
> 			register_queue_kobjects(ndev)
> 
> If device_add(dev) or register_queue_kobjects(ndev) fails.
> Register_netdevice() will return error, causing netdev_freemem(ndev)
> to be called to free net_device, however (&ndev->dev)->kobj.name will
> not be freed, resulting in a memory leak.
> 
> syzkaller report this:
> BUG: memory leak
> unreferenced object 0xffff8881f4fad168 (size 8):
> comm "syz-executor.0", pid 3575, jiffies 4294778002 (age 20.134s)
> hex dump (first 8 bytes):
>   77 70 61 6e 30 00 ff ff                          wpan0...
> backtrace:
>   [<000000006d2d91d7>] kstrdup_const+0x3d/0x50 mm/util.c:73
>   [<00000000ba9ff953>] kvasprintf_const+0x112/0x170 lib/kasprintf.c:48
>   [<000000005555ec09>] kobject_set_name_vargs+0x55/0x130 lib/kobject.c:281
>   [<0000000098d28ec3>] dev_set_name+0xbb/0xf0 drivers/base/core.c:1915
>   [<00000000b7553017>] netdev_register_kobject+0xc0/0x410 net/core/net-sysfs.c:1727
>   [<00000000c826a797>] register_netdevice+0xa51/0xeb0 net/core/dev.c:8711
>   [<00000000857bfcfd>] cfg802154_update_iface_num.isra.2+0x13/0x90 [ieee802154]
>   [<000000003126e453>] ieee802154_llsec_fill_key_id+0x1d5/0x570 [ieee802154]
>   [<00000000e4b3df51>] 0xffffffffc1500e0e
>   [<00000000b4319776>] platform_drv_probe+0xc6/0x180 drivers/base/platform.c:614
>   [<0000000037669347>] really_probe+0x491/0x7c0 drivers/base/dd.c:509
>   [<000000008fed8862>] driver_probe_device+0xdc/0x240 drivers/base/dd.c:671
>   [<00000000baf52041>] device_driver_attach+0xf2/0x130 drivers/base/dd.c:945
>   [<00000000c7cc8dec>] __driver_attach+0x10e/0x210 drivers/base/dd.c:1022
>   [<0000000057a757c2>] bus_for_each_dev+0x154/0x1e0 drivers/base/bus.c:304
>   [<000000005f5ae04b>] bus_add_driver+0x427/0x5e0 drivers/base/bus.c:645
> 
> Reported-by: Hulk Robot <hulkci@huawei.com>
> Fixes: 1d24eb4815d1 ("xps: Transmit Packet Steering")

The bug was there before this commit, right ?

Re: [PATCH] net-sysfs: Fix memory leak in netdev_register_kobject

[wanghai (M)]

在 2019/3/19 2:02, Eric Dumazet 写道:
>
> On 03/18/2019 10:06 PM, Wang Hai wrote:
>> When registering struct net_device, it will call
>> 	register_netdevice ->
>> 		netdev_register_kobject ->
>> 			device_add(dev)
>> 			register_queue_kobjects(ndev)
>>
>> If device_add(dev) or register_queue_kobjects(ndev) fails.
>> Register_netdevice() will return error, causing netdev_freemem(ndev)
>> to be called to free net_device, however (&ndev->dev)->kobj.name will
>> not be freed, resulting in a memory leak.
>>
>> syzkaller report this:
>> BUG: memory leak
>> unreferenced object 0xffff8881f4fad168 (size 8):
>> comm "syz-executor.0", pid 3575, jiffies 4294778002 (age 20.134s)
>> hex dump (first 8 bytes):
>>    77 70 61 6e 30 00 ff ff                          wpan0...
>> backtrace:
>>    [<000000006d2d91d7>] kstrdup_const+0x3d/0x50 mm/util.c:73
>>    [<00000000ba9ff953>] kvasprintf_const+0x112/0x170 lib/kasprintf.c:48
>>    [<000000005555ec09>] kobject_set_name_vargs+0x55/0x130 lib/kobject.c:281
>>    [<0000000098d28ec3>] dev_set_name+0xbb/0xf0 drivers/base/core.c:1915
>>    [<00000000b7553017>] netdev_register_kobject+0xc0/0x410 net/core/net-sysfs.c:1727
>>    [<00000000c826a797>] register_netdevice+0xa51/0xeb0 net/core/dev.c:8711
>>    [<00000000857bfcfd>] cfg802154_update_iface_num.isra.2+0x13/0x90 [ieee802154]
>>    [<000000003126e453>] ieee802154_llsec_fill_key_id+0x1d5/0x570 [ieee802154]
>>    [<00000000e4b3df51>] 0xffffffffc1500e0e
>>    [<00000000b4319776>] platform_drv_probe+0xc6/0x180 drivers/base/platform.c:614
>>    [<0000000037669347>] really_probe+0x491/0x7c0 drivers/base/dd.c:509
>>    [<000000008fed8862>] driver_probe_device+0xdc/0x240 drivers/base/dd.c:671
>>    [<00000000baf52041>] device_driver_attach+0xf2/0x130 drivers/base/dd.c:945
>>    [<00000000c7cc8dec>] __driver_attach+0x10e/0x210 drivers/base/dd.c:1022
>>    [<0000000057a757c2>] bus_for_each_dev+0x154/0x1e0 drivers/base/bus.c:304
>>    [<000000005f5ae04b>] bus_add_driver+0x427/0x5e0 drivers/base/bus.c:645
>>
>> Reported-by: Hulk Robot <hulkci@huawei.com>
>> Fixes: 1d24eb4815d1 ("xps: Transmit Packet Steering")
> The bug was there before this commit, right ?
>
> .

Sorry, I read the code carefully, this is a mistake, the correct fix commit is 1fa5ae857bb1(driver core: get rid of struct device's bus_id string array). I will send a patch v2