[net] net: phy: phy_device: free the phy_device on the phy_device_create error path
Message ID | 20240223160155.861528-1-maxime.chevallier@bootlin.com |
---|---|
State | New |
Series | [net] net: phy: phy_device: free the phy_device on the phy_device_create error path |
Commit Message
Maxime Chevallier
Feb. 23, 2024, 4:01 p.m. UTC
When error'ing out from phy_device_create(), the previously kzalloc'd "dev"
pointer gets overwritten with an error pointer, without freeing it
beforehand, thus leaking the allocated phy_device. Add the missing kfree
back.
Fixes: d02cbc461361 ("net: phy: fix memory leak in device-create error path")
Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
---
drivers/net/phy/phy_device.c | 1 +
1 file changed, 1 insertion(+)
Comments
On Fri, 23 Feb 2024 17:01:54 +0100 Maxime Chevallier <maxime.chevallier@bootlin.com> wrote:

> When error'ing out from phy_device_create(), the previously kzalloc'd "dev"
> pointer gets overwritten with an error pointer, without freeing it
> beforehand, thus leaking the allocated phy_device. Add the missing kfree
> back.

Disregard, I immediately realised that this was freed in
phy_device_release in our case. Sorry about the noise.

Maxime

On Fri, Feb 23, 2024 at 05:01:54PM +0100, Maxime Chevallier wrote:

> When error'ing out from phy_device_create(), the previously kzalloc'd "dev"
> pointer gets overwritten with an error pointer, without freeing it
> beforehand, thus leaking the allocated phy_device. Add the missing kfree
> back.
>
> Fixes: d02cbc461361 ("net: phy: fix memory leak in device-create error path")

No, it doesn't fix anything. Sadly, this is the second patch that I've
received recently which shows a complete lack of understanding of the
driver model, so I suspect someone has documented something as a task,
and that documentation is either incomplete, or basically wrong.

In this case:

	/* We allocate the device, and initialize the default values */
	dev = kzalloc(sizeof(*dev), GFP_KERNEL);
	if (!dev)
		return ERR_PTR(-ENOMEM);

	mdiodev = &dev->mdio;
	..
	device_initialize(&mdiodev->dev);

This sets the reference count on dev->mdio.dev to '1', and means that
at _this_ point, "dev" becomes a refcounted object.

device_initialize() is documented thusly:

	/**
	 * device_initialize - init device structure.
	 * @dev: device.
	 *
	 * This prepares the device for use by other layers by initializing
	 * its fields.
	..
	 * NOTE: Use put_device() to give up your reference instead of freeing
	 * @dev directly once you have called this function.
	 */

Now, the error path does this:

	if (ret) {
		put_device(&mdiodev->dev);
		dev = ERR_PTR(ret);
	}

which is (a) compliant with the device_initialize() documentation, and
(b) will drop the reference count of '1' down to '0' resulting in the
release function being called - and it is the responsibility of the
release function to free the memory.

Adding a kfree() in this path will lead to a double-kfree() of the
allocated memory, and that is _incorrect_.

So, given that this is the second such instance of someone wanting to
incorrectly kfree() a structure after a call to device_initialize(),
can I please ask everyone who reads this message, and who receives a
patch like this to _please_ not assume that it is correct, and check
it _very_ _carefully_.

Can I also ask those who propose to send out such patches _also_ do the
due diligence and check this before creating noise.

Thanks.

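The ownership rule explained in the message above, modelled in userspace C as an added example (not code from this thread or from the kernel). All `toy_*` and `tracked_*` names are hypothetical, and the allocator only counts frees and defers the real `free()`, so the second free is observed without corrupting the heap.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed tracking allocator: counts frees of the one live object and
 * defers the real free() to reclaim(), so a second free is only counted. */
static void *slot;
static int free_calls;
static void *tracked_alloc(size_t n) { free_calls = 0; return slot = calloc(1, n); }
static void tracked_free(void *p) { if (p && p == slot) free_calls++; }
static void reclaim(void) { free(slot); slot = NULL; }

struct toy_device {                /* stands in for struct device */
    int refcount;
    void (*release)(struct toy_device *dev);
};
struct toy_phy {                   /* stands in for struct phy_device */
    int addr;
    struct toy_device dev;         /* embedded, refcounted member */
};

static void toy_phy_release(struct toy_device *d)
{   /* container_of(): the release callback frees the enclosing object */
    tracked_free((char *)d - offsetof(struct toy_phy, dev));
}
static void toy_device_initialize(struct toy_device *d)
{
    d->refcount = 1;               /* refcounted from here on */
    d->release = toy_phy_release;
}
static void toy_put_device(struct toy_device *d)
{
    if (--d->refcount == 0) d->release(d);
}

/* Failing-create error path; returns frees seen (0 leak, 1 correct, 2 double). */
static int error_path_frees(int extra_kfree)
{
    struct toy_phy *phy = tracked_alloc(sizeof(*phy));
    if (!phy) return -1;
    toy_device_initialize(&phy->dev);
    toy_put_device(&phy->dev);     /* 1 -> 0: release frees phy */
    if (extra_kfree) tracked_free(phy);   /* the line the patch proposes */
    reclaim();
    return free_calls;
}

int main(void)
{
    printf("put_device only: %d free(s), with extra kfree: %d free(s)\n",
           error_path_frees(0), error_path_frees(1));
    return 0;
}
```
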
On Fri, Feb 23, 2024 at 05:06:07PM +0100, Maxime Chevallier wrote:

> On Fri, 23 Feb 2024 17:01:54 +0100
> Maxime Chevallier <maxime.chevallier@bootlin.com> wrote:
>
> > When error'ing out from phy_device_create(), the previously kzalloc'd "dev"
> > pointer gets overwritten with an error pointer, without freeing it
> > beforehand, thus leaking the allocated phy_device. Add the missing kfree
> > back.
>
> Disregard, I immediately realised that this was freed in
> phy_device_release in our case. Sorry about the noise.

Sorry your emails came in in reverse order.

diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c index 3611ea64875e..2b4d04e3d479 100644 --- a/drivers/net/phy/phy_device.c +++ b/drivers/net/phy/phy_device.c @@ -711,6 +711,7 @@ struct phy_device *phy_device_create(struct mii_bus *bus, int addr, u32 phy_id, if (ret) { put_device(&mdiodev->dev); + kfree(dev); dev = ERR_PTR(ret); }
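Review bot: the `kfree(dev)` added directly after `put_device(&mdiodev->dev)` in the `if (ret)` branch frees `dev` a second time. As the replies in this thread state, `dev` is already a refcounted object at this point, so `put_device()` drops the last reference and the release function (`phy_device_release`) frees the memory; the extra `kfree()` turns this error path into a double free instead of closing a leak. Drop the added line and keep the branch as `put_device(&mdiodev->dev); dev = ERR_PTR(ret);`. A short comment above the `put_device()` call saying that it frees `dev` through the release callback would make the ownership visible to the next reader of this function.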