diff mbox series

[net] wwan_hwsim: fix possible memory leak in wwan_hwsim_dev_new()

Message ID 20221018131607.1901641-1-yangyingliang@huawei.com (mailing list archive)
State Accepted
Commit 258ad2fe5ede773625adfda88b173f4123e59f45
Delegated to: Netdev Maintainers
Headers show
Series [net] wwan_hwsim: fix possible memory leak in wwan_hwsim_dev_new() | expand

Checks

Context Check Description
netdev/tree_selection success Clearly marked for net
netdev/fixes_present success Fixes tag present in non-next series
netdev/subject_prefix success Link
netdev/cover_letter success Single patches do not need cover letters
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 0 this patch: 0
netdev/cc_maintainers warning 3 maintainers not CCed: kuba@kernel.org edumazet@google.com pabeni@redhat.com
netdev/build_clang success Errors and warnings before: 0 this patch: 0
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 0 this patch: 0
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 8 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Yang Yingliang Oct. 18, 2022, 1:16 p.m. UTC 
Inject fault while probing module, if device_register() fails,
but the refcount of kobject is not decreased to 0, the name
allocated in dev_set_name() is leaked. Fix this by calling
put_device(), so that name can be freed in callback function
kobject_cleanup().

unreferenced object 0xffff88810152ad20 (size 8):
  comm "modprobe", pid 252, jiffies 4294849206 (age 22.713s)
  hex dump (first 8 bytes):
    68 77 73 69 6d 30 00 ff                          hwsim0..
  backtrace:
    [<000000009c3504ed>] __kmalloc_node_track_caller+0x44/0x1b0
    [<00000000c0228a5e>] kvasprintf+0xb5/0x140
    [<00000000cff8c21f>] kvasprintf_const+0x55/0x180
    [<0000000055a1e073>] kobject_set_name_vargs+0x56/0x150
    [<000000000a80b139>] dev_set_name+0xab/0xe0

Fixes: f36a111a74e7 ("wwan_hwsim: WWAN device simulator")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
---
 drivers/net/wwan/wwan_hwsim.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Loic Poulain Oct. 18, 2022, 1:48 p.m. UTC | #1 
On Tue, 18 Oct 2022 at 15:17, Yang Yingliang <yangyingliang@huawei.com> wrote:
>
> Inject fault while probing module, if device_register() fails,
> but the refcount of kobject is not decreased to 0, the name
> allocated in dev_set_name() is leaked. Fix this by calling
> put_device(), so that name can be freed in callback function
> kobject_cleanup().
>
> unreferenced object 0xffff88810152ad20 (size 8):
>   comm "modprobe", pid 252, jiffies 4294849206 (age 22.713s)
>   hex dump (first 8 bytes):
>     68 77 73 69 6d 30 00 ff                          hwsim0..
>   backtrace:
>     [<000000009c3504ed>] __kmalloc_node_track_caller+0x44/0x1b0
>     [<00000000c0228a5e>] kvasprintf+0xb5/0x140
>     [<00000000cff8c21f>] kvasprintf_const+0x55/0x180
>     [<0000000055a1e073>] kobject_set_name_vargs+0x56/0x150
>     [<000000000a80b139>] dev_set_name+0xab/0xe0
>
> Fixes: f36a111a74e7 ("wwan_hwsim: WWAN device simulator")
> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

Indeed, device_register() must be balanced with a put_device(), even
in the error case, as it includes device initialization.

Reviewed-by: Loic Poulain <loic.poulain@linaro.org>
Sergey Ryazanov Oct. 18, 2022, 1:50 p.m. UTC | #2 
Hello Yang,

On Tue, Oct 18, 2022 at 5:17 PM Yang Yingliang <yangyingliang@huawei.com> wrote:
> Inject fault while probing module, if device_register() fails,
> but the refcount of kobject is not decreased to 0, the name
> allocated in dev_set_name() is leaked. Fix this by calling
> put_device(), so that name can be freed in callback function
> kobject_cleanup().
>
> unreferenced object 0xffff88810152ad20 (size 8):
>   comm "modprobe", pid 252, jiffies 4294849206 (age 22.713s)
>   hex dump (first 8 bytes):
>     68 77 73 69 6d 30 00 ff                          hwsim0..
>   backtrace:
>     [<000000009c3504ed>] __kmalloc_node_track_caller+0x44/0x1b0
>     [<00000000c0228a5e>] kvasprintf+0xb5/0x140
>     [<00000000cff8c21f>] kvasprintf_const+0x55/0x180
>     [<0000000055a1e073>] kobject_set_name_vargs+0x56/0x150
>     [<000000000a80b139>] dev_set_name+0xab/0xe0
>
> Fixes: f36a111a74e7 ("wwan_hwsim: WWAN device simulator")
> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

Nice catch!

Acked-by: Sergey Ryazanov <ryazanov.s.a@gmail.com>
patchwork-bot+netdevbpf@kernel.org Oct. 20, 2022, 12:30 a.m. UTC | #3 
Hello:

This patch was applied to netdev/net.git (master)
by Jakub Kicinski <kuba@kernel.org>:

On Tue, 18 Oct 2022 21:16:07 +0800 you wrote:
> Inject fault while probing module, if device_register() fails,
> but the refcount of kobject is not decreased to 0, the name
> allocated in dev_set_name() is leaked. Fix this by calling
> put_device(), so that name can be freed in callback function
> kobject_cleanup().
> 
> unreferenced object 0xffff88810152ad20 (size 8):
>   comm "modprobe", pid 252, jiffies 4294849206 (age 22.713s)
>   hex dump (first 8 bytes):
>     68 77 73 69 6d 30 00 ff                          hwsim0..
>   backtrace:
>     [<000000009c3504ed>] __kmalloc_node_track_caller+0x44/0x1b0
>     [<00000000c0228a5e>] kvasprintf+0xb5/0x140
>     [<00000000cff8c21f>] kvasprintf_const+0x55/0x180
>     [<0000000055a1e073>] kobject_set_name_vargs+0x56/0x150
>     [<000000000a80b139>] dev_set_name+0xab/0xe0
> 
> [...]

Here is the summary with links:
  - [net] wwan_hwsim: fix possible memory leak in wwan_hwsim_dev_new()
    https://git.kernel.org/netdev/net/c/258ad2fe5ede

You are awesome, thank you!
diff mbox series

Patch

diff --git a/drivers/net/wwan/wwan_hwsim.c b/drivers/net/wwan/wwan_hwsim.c
index ff09a8cedf93..2397a903d8f5 100644
--- a/drivers/net/wwan/wwan_hwsim.c
+++ b/drivers/net/wwan/wwan_hwsim.c
@@ -311,7 +311,7 @@  static struct wwan_hwsim_dev *wwan_hwsim_dev_new(void)
 	return ERR_PTR(err);
 
 err_free_dev:
-	kfree(dev);
+	put_device(&dev->dev);
 
 	return ERR_PTR(err);
 }