[thirdparty/kernel/stable-queue.git] / queue-4.19 / net-sysfs-fix-memory-leak-in-netdev_register_kobject.patch

From foo@baz Thu Mar 28 21:54:17 CET 2019
From: Wang Hai <wanghai26@huawei.com>
Date: Wed, 20 Mar 2019 14:25:05 -0400
Subject: net-sysfs: Fix memory leak in netdev_register_kobject

From: Wang Hai <wanghai26@huawei.com>

[ Upstream commit 6b70fc94afd165342876e53fc4b2f7d085009945 ]

When registering struct net_device, it will call
	register_netdevice ->
		netdev_register_kobject ->
			device_initialize(dev);
			dev_set_name(dev, "%s", ndev->name)
			device_add(dev)
			register_queue_kobjects(ndev)

In netdev_register_kobject(), if device_add(dev) or
register_queue_kobjects(ndev) failed. Register_netdevice()
will return error, causing netdev_freemem(ndev) to be
called to free net_device, however put_device(&dev->dev)->..->
kobject_cleanup() won't be called, resulting in a memory leak.

syzkaller report this:
BUG: memory leak
unreferenced object 0xffff8881f4fad168 (size 8):
comm "syz-executor.0", pid 3575, jiffies 4294778002 (age 20.134s)
hex dump (first 8 bytes):
  77 70 61 6e 30 00 ff ff                          wpan0...
backtrace:
  [<000000006d2d91d7>] kstrdup_const+0x3d/0x50 mm/util.c:73
  [<00000000ba9ff953>] kvasprintf_const+0x112/0x170 lib/kasprintf.c:48
  [<000000005555ec09>] kobject_set_name_vargs+0x55/0x130 lib/kobject.c:281
  [<0000000098d28ec3>] dev_set_name+0xbb/0xf0 drivers/base/core.c:1915
  [<00000000b7553017>] netdev_register_kobject+0xc0/0x410 net/core/net-sysfs.c:1727
  [<00000000c826a797>] register_netdevice+0xa51/0xeb0 net/core/dev.c:8711
  [<00000000857bfcfd>] cfg802154_update_iface_num.isra.2+0x13/0x90 [ieee802154]
  [<000000003126e453>] ieee802154_llsec_fill_key_id+0x1d5/0x570 [ieee802154]
  [<00000000e4b3df51>] 0xffffffffc1500e0e
  [<00000000b4319776>] platform_drv_probe+0xc6/0x180 drivers/base/platform.c:614
  [<0000000037669347>] really_probe+0x491/0x7c0 drivers/base/dd.c:509
  [<000000008fed8862>] driver_probe_device+0xdc/0x240 drivers/base/dd.c:671
  [<00000000baf52041>] device_driver_attach+0xf2/0x130 drivers/base/dd.c:945
  [<00000000c7cc8dec>] __driver_attach+0x10e/0x210 drivers/base/dd.c:1022
  [<0000000057a757c2>] bus_for_each_dev+0x154/0x1e0 drivers/base/bus.c:304
  [<000000005f5ae04b>] bus_add_driver+0x427/0x5e0 drivers/base/bus.c:645

Reported-by: Hulk Robot <hulkci@huawei.com>
Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array")
Signed-off-by: Wang Hai <wanghai26@huawei.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/net-sysfs.c |   14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

--- a/net/core/net-sysfs.c
+++ b/net/core/net-sysfs.c
@@ -1755,16 +1755,20 @@ int netdev_register_kobject(struct net_d
 
 	error = device_add(dev);
 	if (error)
-		return error;
+		goto error_put_device;
 
 	error = register_queue_kobjects(ndev);
-	if (error) {
-		device_del(dev);
-		return error;
-	}
+	if (error)
+		goto error_device_del;
 
 	pm_runtime_set_memalloc_noio(dev, true);
 
+	return 0;
+
+error_device_del:
+	device_del(dev);
+error_put_device:
+	put_device(dev);
 	return error;
 }
Commit	Line	Data
38568109 GKH	1	From foo@baz Thu Mar 28 21:54:17 CET 2019
	2	From: Wang Hai <wanghai26@huawei.com>
	3	Date: Wed, 20 Mar 2019 14:25:05 -0400
	4	Subject: net-sysfs: Fix memory leak in netdev_register_kobject
	5
	6	From: Wang Hai <wanghai26@huawei.com>
	7
	8	[ Upstream commit 6b70fc94afd165342876e53fc4b2f7d085009945 ]
	9
	10	When registering struct net_device, it will call
	11	register_netdevice ->
	12	netdev_register_kobject ->
	13	device_initialize(dev);
	14	dev_set_name(dev, "%s", ndev->name)
	15	device_add(dev)
	16	register_queue_kobjects(ndev)
	17
	18	In netdev_register_kobject(), if device_add(dev) or
	19	register_queue_kobjects(ndev) failed. Register_netdevice()
	20	will return error, causing netdev_freemem(ndev) to be
	21	called to free net_device, however put_device(&dev->dev)->..->
	22	kobject_cleanup() won't be called, resulting in a memory leak.
	23
	24	syzkaller report this:
	25	BUG: memory leak
	26	unreferenced object 0xffff8881f4fad168 (size 8):
	27	comm "syz-executor.0", pid 3575, jiffies 4294778002 (age 20.134s)
	28	hex dump (first 8 bytes):
	29	77 70 61 6e 30 00 ff ff wpan0...
	30	backtrace:
	31	[<000000006d2d91d7>] kstrdup_const+0x3d/0x50 mm/util.c:73
	32	[<00000000ba9ff953>] kvasprintf_const+0x112/0x170 lib/kasprintf.c:48
	33	[<000000005555ec09>] kobject_set_name_vargs+0x55/0x130 lib/kobject.c:281
	34	[<0000000098d28ec3>] dev_set_name+0xbb/0xf0 drivers/base/core.c:1915
	35	[<00000000b7553017>] netdev_register_kobject+0xc0/0x410 net/core/net-sysfs.c:1727
	36	[<00000000c826a797>] register_netdevice+0xa51/0xeb0 net/core/dev.c:8711
	37	[<00000000857bfcfd>] cfg802154_update_iface_num.isra.2+0x13/0x90 [ieee802154]
	38	[<000000003126e453>] ieee802154_llsec_fill_key_id+0x1d5/0x570 [ieee802154]
	39	[<00000000e4b3df51>] 0xffffffffc1500e0e
	40	[<00000000b4319776>] platform_drv_probe+0xc6/0x180 drivers/base/platform.c:614
	41	[<0000000037669347>] really_probe+0x491/0x7c0 drivers/base/dd.c:509
	42	[<000000008fed8862>] driver_probe_device+0xdc/0x240 drivers/base/dd.c:671
	43	[<00000000baf52041>] device_driver_attach+0xf2/0x130 drivers/base/dd.c:945
	44	[<00000000c7cc8dec>] __driver_attach+0x10e/0x210 drivers/base/dd.c:1022
	45	[<0000000057a757c2>] bus_for_each_dev+0x154/0x1e0 drivers/base/bus.c:304
	46	[<000000005f5ae04b>] bus_add_driver+0x427/0x5e0 drivers/base/bus.c:645
	47
	48	Reported-by: Hulk Robot <hulkci@huawei.com>
	49	Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array")
	50	Signed-off-by: Wang Hai <wanghai26@huawei.com>
	51	Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
	52	Reviewed-by: Stephen Hemminger <stephen@networkplumber.org>
	53	Signed-off-by: David S. Miller <davem@davemloft.net>
	54	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	55	---
	56	net/core/net-sysfs.c \| 14 +++++++++-----
	57	1 file changed, 9 insertions(+), 5 deletions(-)
	58
	59	--- a/net/core/net-sysfs.c
	60	+++ b/net/core/net-sysfs.c
	61	@@ -1755,16 +1755,20 @@ int netdev_register_kobject(struct net_d
	62
	63	error = device_add(dev);
	64	if (error)
65	- return error;
66	+ goto error_put_device;
67
68	error = register_queue_kobjects(ndev);
69	- if (error) {
70	- device_del(dev);
71	- return error;
72	- }
73	+ if (error)
74	+ goto error_device_del;
75
76	pm_runtime_set_memalloc_noio(dev, true);
77
78	+ return 0;
79	+
80	+error_device_del:
81	+ device_del(dev);
82	+error_put_device:
83	+ put_device(dev);
84	return error;
85	}
86