diff mbox series

[v2,1/2] Revert "net: mdiobus: Fix memory leak in __mdiobus_register"

Message ID 2324212c8d0a713eba0aae3c25635b3ca5c5243f.1632861239.git.paskripkin@gmail.com (mailing list archive)
State Superseded
Delegated to: Netdev Maintainers
Headers show
Series [v2,1/2] Revert "net: mdiobus: Fix memory leak in __mdiobus_register" | expand

Checks

Context Check Description
netdev/tree_selection success Guessing tree name failed - patch did not apply

Commit Message

Pavel Skripkin Sept. 28, 2021, 8:39 p.m. UTC 
This reverts commit ab609f25d19858513919369ff3d9a63c02cd9e2e.

This patch is correct in the sense that we _should_ call device_put() in
case of device_register() failure, but the problem in this code is more
vast.

We need to set bus->state to UNMDIOBUS_REGISTERED before calling
device_register() to correctly release the device in mdiobus_free().
This patch prevents us from doing it, since in case of device_register()
failure put_device() will be called 2 times and it will cause UAF or
something else.

Also, Reported-by: tag in revered commit was wrong, since syzbot
reported different leak in same function.

Link: https://lore.kernel.org/netdev/20210928092657.GI2048@kadam/
Cc: Yanfei Xu <yanfei.xu@windriver.com>
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
---

Changes in v2:
	Added this revert

---
 drivers/net/phy/mdio_bus.c | 1 -
 1 file changed, 1 deletion(-)

Comments

Xu, Yanfei Sept. 29, 2021, 6:32 a.m. UTC | #1 
On 9/29/21 4:39 AM, Pavel Skripkin wrote:
> This reverts commit ab609f25d19858513919369ff3d9a63c02cd9e2e.
> 
> This patch is correct in the sense that we_should_  call device_put() in
> case of device_register() failure, but the problem in this code is more
> vast.
> 
> We need to set bus->state to UNMDIOBUS_REGISTERED before calling
> device_register() to correctly release the device in mdiobus_free().
> This patch prevents us from doing it, since in case of device_register()
> failure put_device() will be called 2 times and it will cause UAF or
> something else.
> 
> Also, Reported-by: tag in revered commit was wrong, since syzbot
> reported different leak in same function.
> 
> Link:https://lore.kernel.org/netdev/20210928092657.GI2048@kadam/
> Cc: Yanfei Xu<yanfei.xu@windriver.com>
> Signed-off-by: Pavel Skripkin<paskripkin@gmail.com>
> ---
> 
> Changes in v2:
>          Added this revert


Acked-by: Yanfei Xu<yanfei.xu@windriver.com>

Thanks,
Yanfei
diff mbox series

Patch

diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c
index 6f4b4e5df639..53f034fc2ef7 100644
--- a/drivers/net/phy/mdio_bus.c
+++ b/drivers/net/phy/mdio_bus.c
@@ -537,7 +537,6 @@  int __mdiobus_register(struct mii_bus *bus, struct module *owner)
 	err = device_register(&bus->dev);
 	if (err) {
 		pr_err("mii_bus %s failed to register\n", bus->id);
-		put_device(&bus->dev);
 		return -EINVAL;
 	}