Patchwork phy: fix phy_device_free memory leak

login
register
mail settings
Submitter Petr Malat
Date Feb. 19, 2013, 7:36 p.m.
Message ID <20130219193646.GA10851@bordel.klfree.net>
Download mbox | patch
Permalink /patch/221860/
State Changes Requested
Delegated to: David Miller
Headers show

Comments

Petr Malat - Feb. 19, 2013, 7:36 p.m.
From: Petr Malat <oss@malat.biz>

Fix memory leak in phy_device_free() for the case when phy_device*
returned by phy_device_create() is not registered in the system.

Bug description:
phy_device_create() sets name of kobject using dev_set_name(), which 
allocates memory using kvasprintf(), but this memory isn't freed if 
the underlying device isn't registered properly, because kobject_cleanup()
is not called in that case. This can happen (and actually is happening on 
our machines) if phy_device_register(), called by mdiobus_scan(), fails. 

Patch description:
Name is freed by phy_device_free(). In the case a device is released 
trough kobject_cleanup()->device_release()->phy_device_release(), the name
is set to NULL and it is not freed by phy_device_free(), because it will 
be freed later by kobject_cleanup().

Signed-off-by: Petr Malat <oss@malat.biz>
---
Please put me on CC, I'm not signed into the mailing list.

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
David Miller - Feb. 20, 2013, 3:48 a.m.
From: Petr Malat <oss@malat.biz>
Date: Tue, 19 Feb 2013 20:36:46 +0100

> From: Petr Malat <oss@malat.biz>
> 
> Fix memory leak in phy_device_free() for the case when phy_device*
> returned by phy_device_create() is not registered in the system.
> 
> Bug description:
> phy_device_create() sets name of kobject using dev_set_name(), which 
> allocates memory using kvasprintf(), but this memory isn't freed if 
> the underlying device isn't registered properly, because kobject_cleanup()
> is not called in that case. This can happen (and actually is happening on 
> our machines) if phy_device_register(), called by mdiobus_scan(), fails. 
> 
> Patch description:
> Name is freed by phy_device_free(). In the case a device is released 
> trough kobject_cleanup()->device_release()->phy_device_release(), the name
> is set to NULL and it is not freed by phy_device_free(), because it will 
> be freed later by kobject_cleanup().
> 
> Signed-off-by: Petr Malat <oss@malat.biz>
> ---
> Please put me on CC, I'm not signed into the mailing list.

I think it's cleaner to have phy_device_register() use the kobject
reference count properly.

Have it first go:

	device_initialize(&phydev->dev);

And change the device_register() to device_add().

Finally, on the failure paths, do a put_device().

No funny NULL pointer assignments and state to maintainer, just using
kobject reference counting to handle it all transparently.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Patch

--- linux-v2.6.32.60.orig/drivers/net/phy/phy_device.c	2013-02-06 19:44:11.000000000 +0100
+++ linux-v2.6.32.60/drivers/net/phy/phy_device.c	2013-02-06 20:56:57.000000000 +0100
@@ -41,12 +41,16 @@  MODULE_LICENSE("GPL");
 
 void phy_device_free(struct phy_device *phydev)
 {
+	kfree(phydev->dev.kobj.name);
 	kfree(phydev);
 }
 EXPORT_SYMBOL(phy_device_free);
 
 static void phy_device_release(struct device *dev)
 {
+	/* Name will be freed by kobject_cleanup() */
+	dev->kobj.name = NULL; 
+
 	phy_device_free(to_phy_device(dev));
 }