Message-ID: <CANn89iKswhYk4ASH0oG1YbvNsP9Yxuk4vSX5P45Tj_UY+s16VQ@mail.gmail.com>
Date: Fri, 7 Nov 2025 03:20:03 -0800
From: Eric Dumazet <edumazet@...gle.com>
To: Ma Ke <make24@...as.ac.cn>
Cc: davem@...emloft.net, kuba@...nel.org, pabeni@...hat.com, horms@...nel.org, 
	sdf@...ichev.me, atenart@...nel.org, kuniyu@...gle.com, yajun.deng@...ux.dev, 
	gregkh@...e.de, ebiederm@...ssion.com, netdev@...r.kernel.org, 
	linux-kernel@...r.kernel.org, akpm@...ux-foundation.org, 
	stable@...r.kernel.org
Subject: Re: [PATCH] net: Fix error handling in netdev_register_kobject

On Fri, Nov 7, 2025 at 12:01 AM Ma Ke <make24@...as.ac.cn> wrote:
>
> After calling device_initialize(), the reference count of the device
> is set to 1. If device_add() fails or register_queue_kobjects() fails,
> the function returns without calling put_device() to release the
> initial reference, causing a memory leak of the device structure.
> Similarly, in netdev_unregister_kobject(), after calling device_del(),
> there is no call to put_device() to release the initial reference,
> leading to a memory leak. Add put_device() in the error paths of
> netdev_register_kobject() and after device_del() in
> netdev_unregister_kobject() to properly release the device references.
>
> Found by code review.
>
> Cc: stable@...r.kernel.org
> Fixes: a1b3f594dc5f ("net: Expose all network devices in a namespaces in sysfs")
> Signed-off-by: Ma Ke <make24@...as.ac.cn>
> ---
>  net/core/net-sysfs.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
> index ca878525ad7c..d3895f26a0c8 100644
> --- a/net/core/net-sysfs.c
> +++ b/net/core/net-sysfs.c
> @@ -2327,6 +2327,7 @@ void netdev_unregister_kobject(struct net_device *ndev)
>         pm_runtime_set_memalloc_noio(dev, false);
>
>         device_del(dev);
> +       put_device(dev);

Please take a look at free_netdev()

>  }
>
>  /* Create sysfs entries for network device. */
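
Review bot: the put_device(dev) added right after device_del(dev) in netdev_unregister_kobject() needs a justification that no later teardown step releases the reference taken by device_initialize(). The reply above points at free_netdev(); if that path already calls put_device() for a device that was registered, this extra put drops the count to zero early and the later one turns into a use-after-free or double free of the net_device. I would drop this line unless the changelog can name a concrete path on which the reference is never released.
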
> @@ -2357,7 +2358,7 @@ int netdev_register_kobject(struct net_device *ndev)
>
>         error = device_add(dev);
>         if (error)
> -               return error;
> +               goto out_put_device;
>
>         error = register_queue_kobjects(ndev);
>         if (error) {
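
Review bot: only the device_add() failure is redirected to out_put_device in this hunk, while the changelog says a register_queue_kobjects() failure leaks as well. The diffstat (6 insertions, 1 deletion) is fully accounted for by the visible changed lines, so the "if (error) {" block after register_queue_kobjects() is left as it was. The changelog and the patch disagree about that path; please make them agree, and state who owns the initial reference when this function fails.
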
> @@ -2367,6 +2368,10 @@ int netdev_register_kobject(struct net_device *ndev)
>
>         pm_runtime_set_memalloc_noio(dev, true);
>
> +       return 0;
> +
> +out_put_device:
> +       put_device(dev);
>         return error;
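
Review bot: the put_device(dev) under out_put_device releases the initial reference from inside netdev_register_kobject(), but the caller still holds ndev when the error comes back, and no caller is touched by this patch. If the caller's failure path goes on to free the net_device, as the free_netdev() pointer in the reply above suggests, the release happens twice. The changelog should walk through the caller's cleanup, and since this was "Found by code review", a kmemleak report or a fault-injection run that shows the leak would be needed to make the case.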

This seems bogus.

Was your report based on AI or some tooling?

You would think that syzbot would have found an issue a long time ago...
