Message ID | 20250402120613.1116711-1-ulf.hansson@linaro.org (mailing list archive) |
---|---|
State | New |
Series | pmdomain: core: Reset genpd->states to avoid freeing invalid data |
On Apr 02, 2025 at 14:06:13 +0200, Ulf Hansson wrote:

> If genpd_alloc_data() allocates data for the default power-states for the
> genpd, let's make sure to also reset the pointer in the error path. This
> makes sure a genpd provider driver doesn't end up trying to free the data
> again, but using an invalid pointer.

I may be missing something but if kfree works similar to [1]GNU free() won't it make the genpd->states NULL anyway? Have you actually seen scenarios where the genpd->states is remaining non-NULL even after kfree?

[1] https://www.gnu.org/software/libc/manual/html_node/Freeing-after-Malloc.html#:~:text=The%20free%20function%20deallocates%20the%20block%20of%20memory%20pointed%20at%20by%20ptr%20.&text=Occasionally%2C%20free%20can%20actually%20return,malloc%20to%20reuse%20the%20space.

>
> Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
> --- > drivers/pmdomain/core.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/pmdomain/core.c b/drivers/pmdomain/core.c > index 9b2f28b34bb5..c179464047fe 100644 > --- a/drivers/pmdomain/core.c > +++ b/drivers/pmdomain/core.c > @@ -2229,8 +2229,10 @@ static int genpd_alloc_data(struct generic_pm_domain *genpd) > return 0; > put: > put_device(&genpd->dev); > - if (genpd->free_states == genpd_free_default_power_state) > + if (genpd->free_states == genpd_free_default_power_state) { > kfree(genpd->states); > + genpd->states = NULL;

Also the coding convention for kfree in other places in pmdomains doesn't seem to follow this practice either...

$> rg -A1 kfree drivers/pmdomain

Is this something we're planning to start following in pmdomains from now on?

> + } > free: > if (genpd_is_cpu_domain(genpd)) > free_cpumask_var(genpd->cpus); > -- > 2.43.0 > >
On Thu, 3 Apr 2025 at 10:08, Dhruva Gole <d-gole@ti.com> wrote:

>
> On Apr 02, 2025 at 14:06:13 +0200, Ulf Hansson wrote:
> > If genpd_alloc_data() allocates data for the default power-states for the
> > genpd, let's make sure to also reset the pointer in the error path. This
> > makes sure a genpd provider driver doesn't end up trying to free the data
> > again, but using an invalid pointer.
>
> I may be missing something but if kfree works similar to [1]GNU free() won't
> it make the genpd->states NULL anyway? Have you actually seen scenarios
> where the genpd->states is remaining non-NULL even after kfree?

Yes. kfree() doesn't reset the pointer to the data.

>
> [1]
> https://www.gnu.org/software/libc/manual/html_node/Freeing-after-Malloc.html#:~:text=The%20free%20function%20deallocates%20the%20block%20of%20memory%20pointed%20at%20by%20ptr%20.&text=Occasionally%2C%20free%20can%20actually%20return,malloc%20to%20reuse%20the%20space.
> >
> > Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
> > --- > > drivers/pmdomain/core.c | 4 +++- > > 1 file changed, 3 insertions(+), 1 deletion(-) > > > > diff --git a/drivers/pmdomain/core.c b/drivers/pmdomain/core.c > > index 9b2f28b34bb5..c179464047fe 100644 > > --- a/drivers/pmdomain/core.c > > +++ b/drivers/pmdomain/core.c
> > @@ -2229,8 +2229,10 @@ static int genpd_alloc_data(struct generic_pm_domain *genpd) > > return 0; > > put: > > put_device(&genpd->dev); > > - if (genpd->free_states == genpd_free_default_power_state) > > + if (genpd->free_states == genpd_free_default_power_state) { > > kfree(genpd->states); > > + genpd->states = NULL;
>
> Also the coding convention for kfree in other places in pmdomains
> doesn't seem to follow this practice either...

Right. I am not suggesting changing them all. Only this one, as it's a special case and an error path. genpd->states may be allocated by both the genpd provider driver and internally by genpd via pm_genpd_init(), hence we need to be a bit more careful.

>
> $> rg -A1 kfree drivers/pmdomain
>
> Is this something we're planning to start following in pmdomains from
> now on?

As I said, this is a special case.

> > > + } > > free: > > if (genpd_is_cpu_domain(genpd)) > > free_cpumask_var(genpd->cpus); > > -- > > 2.43.0 > > > >

Kind regards

Uffe
diff --git a/drivers/pmdomain/core.c b/drivers/pmdomain/core.c index 9b2f28b34bb5..c179464047fe 100644 --- a/drivers/pmdomain/core.c +++ b/drivers/pmdomain/core.c @@ -2229,8 +2229,10 @@ static int genpd_alloc_data(struct generic_pm_domain *genpd) return 0; put: put_device(&genpd->dev); - if (genpd->free_states == genpd_free_default_power_state) + if (genpd->free_states == genpd_free_default_power_state) { kfree(genpd->states); + genpd->states = NULL; + } free: if (genpd_is_cpu_domain(genpd)) free_cpumask_var(genpd->cpus);
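Review bot: The added genpd->states = NULL under the put: label has no comment saying why this one kfree() is followed by a pointer reset, and the thread shows a reviewer reading it as a style change rather than a fix. A one-line comment above the assignment, stating that the states may otherwise be freed again by the genpd provider driver, would keep the reset from being dropped in a later cleanup. The block also leaves genpd->free_states equal to genpd_free_default_power_state after the data is gone, so it is worth confirming that no later path takes that comparison to mean genpd->states is still allocated, or clearing it in the same braces.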
If genpd_alloc_data() allocates data for the default power-states for the genpd, let's make sure to also reset the pointer in the error path. This makes sure a genpd provider driver doesn't end up trying to free the data again, but using an invalid pointer.

Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>

---

drivers/pmdomain/core.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
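The point settled in the thread, that freeing does not clear the caller's pointer and that a second owner may then free it again, can be reproduced in a small userspace model. This is an added example, not kernel code and not part of the patch: `pd_model`, `model_alloc`, `model_free`, `alloc_data_fails` and `stale_frees_after_failure` are hypothetical names, and the provider cleanup that frees `states` after a failed init is an assumption taken from the commit message.

```c
#include <stddef.h>
#include <stdio.h>
/* Userspace model, not kernel code: every name below is hypothetical. */
static char pool[64];   /* the one tracked allocation */
static int live;        /* 1 while pool is allocated */
static int stale_frees; /* frees of memory that was already released */

static void *model_alloc(void) { live = 1; return pool; }

static void model_free(void *p)  /* stands in for kfree() */
{
    if (!p)
        return;                  /* freeing NULL is a no-op */
    if (!live)
        stale_frees++;           /* a real allocator would see a double free */
    live = 0;                    /* note: the caller's pointer is not changed */
}

struct pd_model {                /* stand-in for struct generic_pm_domain */
    void *states;
    void (*free_states)(void *states);
};

/* Allocation step that fails late and unwinds, with or without the reset. */
static int alloc_data_fails(struct pd_model *pd, int reset_ptr)
{
    pd->states = model_alloc();
    pd->free_states = model_free;
    if (pd->free_states == model_free) {   /* internally allocated states */
        model_free(pd->states);
        if (reset_ptr)
            pd->states = NULL;
    }
    return -1;
}

/* Assumed provider cleanup: frees states once init has failed. */
static int stale_frees_after_failure(int reset_ptr)
{
    struct pd_model pd = { NULL, NULL };
    stale_frees = 0;
    if (alloc_data_fails(&pd, reset_ptr) < 0)
        model_free(pd.states);
    return stale_frees;
}

int main(void)
{
    printf("no reset: %d, reset: %d\n",
           stale_frees_after_failure(0), stale_frees_after_failure(1));
    return 0;
}
```

The model never really releases memory, so the stale free is counted instead of corrupting the heap; in the kernel the same sequence is a double free that KASAN or slab debugging would report.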