| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 15 Nov 2019 11:26:03 +0800
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: jouni.hogander@...kie.com
Cc: linux-kernel@...r.kernel.org,
"Rafael J. Wysocki" <rafael@...nel.org>,
Lukas Bulwahn <lukas.bulwahn@...il.com>
Subject: Re: [PATCH] drivers/base: Fix memory leak in error paths
On Thu, Nov 14, 2019 at 02:18:40PM +0200, jouni.hogander@...kie.com wrote:
> From: Jouni Hogander <jouni.hogander@...kie.com>
>
> Currently error paths are using device_del to clean-up preparations
> done by device_add. This is causing memory leak as free of dev->p
> allocated in device_add is freed in device_release. This is fixed by
> moving freeing dev->p to counterpart of device_add i.e. device_del.
Are you sure that is safe? The device can still be "alive" after
device_del() is called. The only place you know that it should be freed
is in the release callback.
> This memory leak was reported by Syzkaller:
>
> BUG: memory leak unreferenced object 0xffff8880675ca008 (size 256):
> comm "netdev_register", pid 281, jiffies 4294696663 (age 6.808s)
> hex dump (first 32 bytes):
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> backtrace:
> [<0000000058ca4711>] kmem_cache_alloc_trace+0x167/0x280
> [<000000002340019b>] device_add+0x882/0x1750
> [<000000001d588c3a>] netdev_register_kobject+0x128/0x380
> [<0000000011ef5535>] register_netdevice+0xa1b/0xf00
> [<000000007fcf1c99>] __tun_chr_ioctl+0x20d5/0x3dd0
> [<000000006a5b7b2b>] tun_chr_ioctl+0x2f/0x40
> [<00000000f30f834a>] do_vfs_ioctl+0x1c7/0x1510
> [<00000000fba062ea>] ksys_ioctl+0x99/0xb0
> [<00000000b1c1b8d2>] __x64_sys_ioctl+0x78/0xb0
> [<00000000984cabb9>] do_syscall_64+0x16f/0x580
> [<000000000bde033d>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> [<00000000e6ca2d9f>] 0xffffffffffffffff
How is this a leak? This is in device_add(), not removing the device.
When the structure really is freed then it can be removed.
Or are you triggering an error in device_add() somehow to trigger this
callback?
thanks,
greg k-h
Powered by blists - more mailing lists