| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 17 Feb 2022 14:54:24 +0100
From: Daniel Lezcano <daniel.lezcano@...aro.org>
To: Ulf Hansson <ulf.hansson@...aro.org>
Cc: rjw@...ysocki.net, heiko@...ech.de, lukasz.luba@....com,
linux-kernel@...r.kernel.org, linux-pm@...r.kernel.org,
Daniel Lezcano <daniel.lezcano@...nel.org>,
"Rafael J. Wysocki" <rafael@...nel.org>
Subject: Re: [PATCH v1 3/7] powercap/dtpm: Fixup kfree for virtual node
On 17/02/2022 14:17, Ulf Hansson wrote:
> On Wed, 16 Feb 2022 at 19:10, Daniel Lezcano <daniel.lezcano@...aro.org> wrote:
>>
>> On 16/02/2022 17:22, Ulf Hansson wrote:
>>> On Sun, 30 Jan 2022 at 22:02, Daniel Lezcano <daniel.lezcano@...aro.org> wrote:
>>>>
>>>> When the node is virtual there is no release function associated which
>>>> can free the memory.
>>>>
>>>> Free the memory when no 'ops' exists.
>>>>
>>>> Signed-off-by: Daniel Lezcano <daniel.lezcano@...aro.org>
>>>> ---
>>>> drivers/powercap/dtpm.c | 4 ++--
>>>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>>>
>>>> diff --git a/drivers/powercap/dtpm.c b/drivers/powercap/dtpm.c
>>>> index 0b0121c37a1b..7bddd25a6767 100644
>>>> --- a/drivers/powercap/dtpm.c
>>>> +++ b/drivers/powercap/dtpm.c
>>>> @@ -181,12 +181,12 @@ int dtpm_release_zone(struct powercap_zone *pcz)
>>>>
>>>> if (dtpm->ops)
>>>> dtpm->ops->release(dtpm);
>>>> + else
>>>> + kfree(dtpm);
>>>>
>>>
>>> This doesn't look correct. Below you check dtpm against "root", which
>>> may be after its memory has been freed.
>>>
>>> If the ->release() function should be responsible for freeing the
>>> dtpm, it needs to be called after the check below.
>>
>> It is harmless, 'root' is not dereferenced but used as an ID
>>
>> Moreover, in the patch 5/7 it is moved out this function.
>
> Right. It just looks a bit odd here.
>
>>
>>
>>>> if (root == dtpm)
>>>> root = NULL;
>>>>
>>>> - kfree(dtpm);
>
> So then why doesn't this kfree do the job already?
>
> kfree(NULL) works fine, if dtpm->ops->release(dtpm) already freed the data.
The description is confusing.
Actually, there is a double kfree. When there is a ops->release, the
kfree is done there and again a few lines after.
The issue was introduced with the change where dtpm had a private data
field to store the backend specific structure and was converted to a
backend specific structure containing a dtpm node [1].
So this function was calling release from the dtpm backend which was
freeing the specific data in the dtpm->private and then here was freeing
the dtpm. Now, the backend frees the structure which contains the dtpm
structure, so when returning from ops->release(), dtpm is already free.
I should change the description and add a Fixes tag to the change
described above.
[1]
https://lore.kernel.org/r/20210312130411.29833-4-daniel.lezcano@linaro.org
--
<http://www.linaro.org/> Linaro.org │ Open source software for ARM SoCs
Follow Linaro: <http://www.facebook.com/pages/Linaro> Facebook |
<http://twitter.com/#!/linaroorg> Twitter |
<http://www.linaro.org/linaro-blog/> Blog
Powered by blists - more mailing lists