On Tue, Sep 28, 2021 at 02:09:06PM +0300, Pavel Skripkin wrote:

On 9/28/21 14:06, Pavel Skripkin wrote:

quoted

quoted

It's not actually the same.  The state has to be set before the
device_register() or there is still a leak.

Ah, I see... I forgot to handle possible device_register() error. Will
send v2 soon, thank you

Wait... Yanfei's patch is already applied to net tree and if I understand
correctly, calling put_device() 2 times will cause UAF or smth else.

Yes.  It causes a UAF.

Huh...  You're right that the log should say "failed to register".  But
I don't think that's the correct syzbot link for your patch either
because I don't think anyone calls mdiobus_free() if
__devm_mdiobus_register() fails.  I have looked at these callers.  It
would be a bug as well.

Anyway, your patch is required and the __devm_mdiobus_register()
function has leaks as well.  And perhaps there are more bugs we have not
discovered.

regards,
dan carpenter