lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20191115082022.GB55909@kroah.com>
Date:   Fri, 15 Nov 2019 16:20:22 +0800
From:   Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To:     Jouni Högander <jouni.hogander@...kie.com>
Cc:     linux-kernel@...r.kernel.org,
        "Rafael J. Wysocki" <rafael@...nel.org>,
        Lukas Bulwahn <lukas.bulwahn@...il.com>
Subject: Re: [PATCH] drivers/base: Fix memory leak in error paths

On Fri, Nov 15, 2019 at 09:59:43AM +0200, Jouni Högander wrote:
> Greg Kroah-Hartman <gregkh@...uxfoundation.org> writes:
> 
> > On Thu, Nov 14, 2019 at 02:18:40PM +0200, jouni.hogander@...kie.com wrote:
> >> From: Jouni Hogander <jouni.hogander@...kie.com>
> >> 
> >> Currently error paths are using device_del to clean-up preparations
> >> done by device_add. This is causing memory leak as free of dev->p
> >> allocated in device_add is freed in device_release. This is fixed by
> >> moving freeing dev->p to counterpart of device_add i.e. device_del.
> >
> > Are you sure that is safe?  The device can still be "alive" after
> > device_del() is called.  The only place you know that it should be freed
> > is in the release callback.
> 
> Now as you pointed this out I'm not.
> 
> >
> >> This memory leak was reported by Syzkaller:
> >> 
> >> BUG: memory leak unreferenced object 0xffff8880675ca008 (size 256):
> >>   comm "netdev_register", pid 281, jiffies 4294696663 (age 6.808s)
> >>   hex dump (first 32 bytes):
> >>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> >>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> >>   backtrace:
> >>     [<0000000058ca4711>] kmem_cache_alloc_trace+0x167/0x280
> >>     [<000000002340019b>] device_add+0x882/0x1750
> >>     [<000000001d588c3a>] netdev_register_kobject+0x128/0x380
> >>     [<0000000011ef5535>] register_netdevice+0xa1b/0xf00
> >>     [<000000007fcf1c99>] __tun_chr_ioctl+0x20d5/0x3dd0
> >>     [<000000006a5b7b2b>] tun_chr_ioctl+0x2f/0x40
> >>     [<00000000f30f834a>] do_vfs_ioctl+0x1c7/0x1510
> >>     [<00000000fba062ea>] ksys_ioctl+0x99/0xb0
> >>     [<00000000b1c1b8d2>] __x64_sys_ioctl+0x78/0xb0
> >>     [<00000000984cabb9>] do_syscall_64+0x16f/0x580
> >>     [<000000000bde033d>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> >>     [<00000000e6ca2d9f>] 0xffffffffffffffff
> >
> > How is this a leak?  This is in device_add(), not removing the device.
> > When the structure really is freed then it can be removed.
> 
> In net/core/net-sysfs.c:netdev_register_kobject device_add allocates
> dev->p. Now if register_queue_kobjects fails the error path is calling
> device_del and dev->p is never freed. Proper fix here could be to call
> put_device after device_del?

Hm, this sounds like you have a reference count leak here, as
put_device() should be properly called already in this case.  You might
want to look further to see where exactly the register_queue_kobjects()
call fails in order to see if we grabbed a reference we forgot to put
back on an error path.

thanks,

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ