Re: [syzbot] memory leak in __mdiobus_register

From: Pavel Skripkin
Date: Sun Sep 26 2021 - 19:43:05 EST

Next message: Dmitry Osipenko: "[PATCH v1 3/3] ARM: tegra: Update Broadcom Bluetooth device-tree nodes"
Previous message: Dmitry Osipenko: "[PATCH v1 2/3] ARM: tegra: Name clock and regulator nodes according to DT-schema"
In reply to: syzbot: "[syzbot] memory leak in __mdiobus_register"
Next in thread: syzbot: "Re: [syzbot] memory leak in __mdiobus_register"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 9/26/21 04:28, syzbot wrote:

Hello,

syzbot found the following issue on:

HEAD commit: d9fb678414c0 Merge tag 'afs-fixes-20210913' of git://git.k..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=131c754b300000
kernel config: https://syzkaller.appspot.com/x/.config?x=f0de362a1f17687e
dashboard link: https://syzkaller.appspot.com/bug?extid=398e7dc692ddbbb4cfec
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=145650d1300000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=105ccde7300000

Looks like MDIOBUS_ALLOCATED indicated 2 states:

1. Bus is only allocated
2. Bus allocated and __mdiobus_register() fails, but
device_register() was called

These 2 cases should be handled separately, i.e. we need to call put_device() if device_register() was called.

To handle this situation we can add new state MDIOBUS_DEV_REGISTERED and handle it properly

Just for thoughts and syzbot testing

#syz test
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

With regards,
Pavel Skripkin

diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c
index 53f034fc2ef7..ed764638b449 100644
--- a/drivers/net/phy/mdio_bus.c
+++ b/drivers/net/phy/mdio_bus.c
@@ -540,6 +540,8 @@ int __mdiobus_register(struct mii_bus *bus, struct module *owner)
return -EINVAL;
}

+ bus->state = MDIOBUS_DEV_REGISTERED;
+
mutex_init(&bus->mdio_lock);
mutex_init(&bus->shared_lock);

@@ -647,7 +649,7 @@ void mdiobus_free(struct mii_bus *bus)
return;
}

- BUG_ON(bus->state != MDIOBUS_UNREGISTERED);
+ BUG_ON(bus->state != MDIOBUS_UNREGISTERED && bus->state != MDIOBUS_DEV_REGISTERED);
bus->state = MDIOBUS_RELEASED;

put_device(&bus->dev);
diff --git a/include/linux/phy.h b/include/linux/phy.h
index 736e1d1a47c4..41d2ccdacd5e 100644
--- a/include/linux/phy.h
+++ b/include/linux/phy.h
@@ -343,6 +343,7 @@ struct mii_bus {
MDIOBUS_REGISTERED,
MDIOBUS_UNREGISTERED,
MDIOBUS_RELEASED,
+ MDIOBUS_DEV_REGISTERED,
} state;

/** @dev: Kernel device representation */

Next message: Dmitry Osipenko: "[PATCH v1 3/3] ARM: tegra: Update Broadcom Bluetooth device-tree nodes"
Previous message: Dmitry Osipenko: "[PATCH v1 2/3] ARM: tegra: Name clock and regulator nodes according to DT-schema"
In reply to: syzbot: "[syzbot] memory leak in __mdiobus_register"
Next in thread: syzbot: "Re: [syzbot] memory leak in __mdiobus_register"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]