On 9/28/21 14:30, Dan Carpenter wrote:

On Tue, Sep 28, 2021 at 02:09:06PM +0300, Pavel Skripkin wrote:

quoted

On 9/28/21 14:06, Pavel Skripkin wrote:

quoted

quoted

It's not actually the same.  The state has to be set before the
device_register() or there is still a leak.

Ah, I see... I forgot to handle possible device_register() error. Will
send v2 soon, thank you

Wait... Yanfei's patch is already applied to net tree and if I understand
correctly, calling put_device() 2 times will cause UAF or smth else.

Yes.  It causes a UAF.

Huh...  You're right that the log should say "failed to register".  But
I don't think that's the correct syzbot link for your patch either
because I don't think anyone calls mdiobus_free() if
__devm_mdiobus_register() fails.  I have looked at these callers.  It
would be a bug as well.

mdiobus_free() is called in case of ->probe() failure, because devres 
clean up function for bus is devm_mdiobus_free(). It simply calls 
mdiobus_free().


So, i imagine following calltrace:

ax88772_bind
   ax88772_init_mdio
     devm_mdiobus_alloc() <- bus registered as devres
     devm_mdiobus_register() <- fail (->probe failure)

...

devres_release_all
   mdiobus_free()


Also, syzbot has tested my patch :)

Anyway, your patch is required and the __devm_mdiobus_register()
function has leaks as well.  And perhaps there are more bugs we have not
discovered.

regards,
dan carpenter

With regards,
Pavel Skripkin