Message ID | 2324212c8d0a713eba0aae3c25635b3ca5c5243f.1632861239.git.paskripkin@gmail.com (mailing list archive) |
---|---|
State | Superseded |
Delegated to: | Netdev Maintainers |
Series | [v2,1/2] Revert "net: mdiobus: Fix memory leak in __mdiobus_register" |
Context | Check | Description |
---|---|---|
netdev/tree_selection | success | Guessing tree name failed - patch did not apply |
On 9/29/21 4:39 AM, Pavel Skripkin wrote:
> This reverts commit ab609f25d19858513919369ff3d9a63c02cd9e2e.
>
> This patch is correct in the sense that we _should_ call device_put() in
> case of device_register() failure, but the problem in this code is more
> vast.
>
> We need to set bus->state to UNMDIOBUS_REGISTERED before calling
> device_register() to correctly release the device in mdiobus_free().
> This patch prevents us from doing it, since in case of device_register()
> failure put_device() will be called 2 times and it will cause UAF or
> something else.
>
> Also, Reported-by: tag in reverted commit was wrong, since syzbot
> reported different leak in same function.
>
> Link: https://lore.kernel.org/netdev/20210928092657.GI2048@kadam/
> Cc: Yanfei Xu <yanfei.xu@windriver.com>
> Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
> ---
>
> Changes in v2:
> 	Added this revert

Acked-by: Yanfei Xu <yanfei.xu@windriver.com>

Thanks,
Yanfei

diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c index 6f4b4e5df639..53f034fc2ef7 100644 --- a/drivers/net/phy/mdio_bus.c +++ b/drivers/net/phy/mdio_bus.c @@ -537,7 +537,6 @@ int __mdiobus_register(struct mii_bus *bus, struct module *owner) err = device_register(&bus->dev); if (err) { pr_err("mii_bus %s failed to register\n", bus->id); - put_device(&bus->dev); return -EINVAL; }
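
Review bot: The `device_register()` failure branch in `__mdiobus_register()` now returns with no `put_device(&bus->dev)` at all, while the commit message itself says the put is still required on this path, so applied alone this revert leaves the reference held until the change it describes (setting `bus->state` before `device_register()` so that `mdiobus_free()` does the release) is in place. I would state that dependency on the second patch of the series explicitly in the changelog, and add a one-line comment in this branch saying the release is deferred to `mdiobus_free()`, so that nobody re-adds the put here and recreates the double `put_device()` the message warns about. Separately, `return -EINVAL;` discards `err` from `device_register()`; returning `err` would keep the real failure cause visible to callers.
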
This reverts commit ab609f25d19858513919369ff3d9a63c02cd9e2e.

This patch is correct in the sense that we _should_ call device_put() in
case of device_register() failure, but the problem in this code is more
vast.

We need to set bus->state to UNMDIOBUS_REGISTERED before calling
device_register() to correctly release the device in mdiobus_free().
This patch prevents us from doing it, since in case of device_register()
failure put_device() will be called 2 times and it will cause UAF or
something else.

Also, Reported-by: tag in reverted commit was wrong, since syzbot
reported different leak in same function.

Link: https://lore.kernel.org/netdev/20210928092657.GI2048@kadam/
Cc: Yanfei Xu <yanfei.xu@windriver.com>
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>

---

Changes in v2:
	Added this revert

---

 drivers/net/phy/mdio_bus.c | 1 -
 1 file changed, 1 deletion(-)