lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAPDyKFrgYVMvaBf13ksdJ6Zr6bvLo1Jmz8yLiyg_43hs65STVQ@mail.gmail.com>
Date: Thu, 3 Apr 2025 17:55:41 +0200
From: Ulf Hansson <ulf.hansson@...aro.org>
To: Dhruva Gole <d-gole@...com>
Cc: linux-pm@...r.kernel.org, linux-arm-kernel@...ts.infradead.org, 
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] pmdomain: core: Reset genpd->states to avoid freeing
 invalid data

On Thu, 3 Apr 2025 at 10:08, Dhruva Gole <d-gole@...com> wrote:
>
> On Apr 02, 2025 at 14:06:13 +0200, Ulf Hansson wrote:
> > If genpd_alloc_data() allocates data for the default power-states for the
> > genpd, let's make sure to also reset the pointer in the error path. This
> > makes sure a genpd provider driver doesn't end up trying to free the data
> > again, but using an invalid pointer.
>
> I maybe missing something but if kfree works similar to [1]GNU free() won't
> it make the genpd->states NULL anyway? Have you actually seen scenarios
> where the genpd->states is remaining non-NULL even after kfree?

Yes. kfree() doesn't reset the pointer to the data.

>
> [1]
> https://www.gnu.org/software/libc/manual/html_node/Freeing-after-Malloc.html#:~:text=The%20free%20function%20deallocates%20the%20block%20of%20memory%20pointed%20at%20by%20ptr%20.&text=Occasionally%2C%20free%20can%20actually%20return,malloc%20to%20reuse%20the%20space.
> >
> > Signed-off-by: Ulf Hansson <ulf.hansson@...aro.org>
> > ---
> >  drivers/pmdomain/core.c | 4 +++-
> >  1 file changed, 3 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/pmdomain/core.c b/drivers/pmdomain/core.c
> > index 9b2f28b34bb5..c179464047fe 100644
> > --- a/drivers/pmdomain/core.c
> > +++ b/drivers/pmdomain/core.c
> > @@ -2229,8 +2229,10 @@ static int genpd_alloc_data(struct generic_pm_domain *genpd)
> >       return 0;
> >  put:
> >       put_device(&genpd->dev);
> > -     if (genpd->free_states == genpd_free_default_power_state)
> > +     if (genpd->free_states == genpd_free_default_power_state) {
> >               kfree(genpd->states);
> > +             genpd->states = NULL;
>
> Also the coding convention for kfree in other places in pmdomains
> doesn't seem to follow this practise either...

Right. I am not suggesting changing them all. Only this one, as it's a
special case and an error path.

genpd->states may be allocated by both the genpd provider driver and
internally by genpd via pm_genpd_init(), hence we need to be a bit
more careful.

>
> $> rg -A1 kfree drivers/pmdomain
>
> Is this something we're planning to start following in pmdomains from
> now on?

As I said, this is a special case.

>
> > +     }
> >  free:
> >       if (genpd_is_cpu_domain(genpd))
> >               free_cpumask_var(genpd->cpus);
> > --
> > 2.43.0
> >
> >

Kind regards
Uffe

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ