drivers/pmdomain/core.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
If genpd_alloc_data() allocates data for the default power-states for the
genpd, let's make sure to also reset the pointer in the error path. This
makes sure a genpd provider driver doesn't end up trying to free the data
again, but using an invalid pointer.
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
---
drivers/pmdomain/core.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/pmdomain/core.c b/drivers/pmdomain/core.c
index 9b2f28b34bb5..c179464047fe 100644
--- a/drivers/pmdomain/core.c
+++ b/drivers/pmdomain/core.c
@@ -2229,8 +2229,10 @@ static int genpd_alloc_data(struct generic_pm_domain *genpd)
return 0;
put:
put_device(&genpd->dev);
- if (genpd->free_states == genpd_free_default_power_state)
+ if (genpd->free_states == genpd_free_default_power_state) {
kfree(genpd->states);
+ genpd->states = NULL;
+ }
free:
if (genpd_is_cpu_domain(genpd))
free_cpumask_var(genpd->cpus);
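Review bot: in the put: branch, genpd->states is cleared after kfree() but genpd->free_states still compares equal to genpd_free_default_power_state once the function returns, so the struct keeps advertising a default-states owner for a buffer that is gone. Running this branch again would only reach kfree(NULL), which is harmless. Still, either reset genpd->free_states next to "genpd->states = NULL;", or add a one-line comment there saying that only the pointer needs clearing because a provider may free it again after the error return. The commit message also carries no Fixes: tag naming the change that introduced the kfree() without the reset.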
--
2.43.0
On Apr 02, 2025 at 14:06:13 +0200, Ulf Hansson wrote:
> If genpd_alloc_data() allocates data for the default power-states for the
> genpd, let's make sure to also reset the pointer in the error path. This
> makes sure a genpd provider driver doesn't end up trying to free the data
> again, but using an invalid pointer.
I may be missing something but if kfree works similar to [1]GNU free() won't
it make the genpd->states NULL anyway? Have you actually seen scenarios
where the genpd->states is remaining non-NULL even after kfree?
[1]
https://www.gnu.org/software/libc/manual/html_node/Freeing-after-Malloc.html#:~:text=The%20free%20function%20deallocates%20the%20block%20of%20memory%20pointed%20at%20by%20ptr%20.&text=Occasionally%2C%20free%20can%20actually%20return,malloc%20to%20reuse%20the%20space.
>
> Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
> ---
> drivers/pmdomain/core.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/pmdomain/core.c b/drivers/pmdomain/core.c
> index 9b2f28b34bb5..c179464047fe 100644
> --- a/drivers/pmdomain/core.c
> +++ b/drivers/pmdomain/core.c
> @@ -2229,8 +2229,10 @@ static int genpd_alloc_data(struct generic_pm_domain *genpd)
> return 0;
> put:
> put_device(&genpd->dev);
> - if (genpd->free_states == genpd_free_default_power_state)
> + if (genpd->free_states == genpd_free_default_power_state) {
> kfree(genpd->states);
> + genpd->states = NULL;
Also the coding convention for kfree in other places in pmdomains
doesn't seem to follow this practice either...
$> rg -A1 kfree drivers/pmdomain
Is this something we're planning to start following in pmdomains from
now on?
> + }
> free:
> if (genpd_is_cpu_domain(genpd))
> free_cpumask_var(genpd->cpus);
> --
> 2.43.0
>
>
--
Best regards,
Dhruva Gole
Texas Instruments Incorporated
On Thu, 3 Apr 2025 at 10:08, Dhruva Gole <d-gole@ti.com> wrote:
>
> On Apr 02, 2025 at 14:06:13 +0200, Ulf Hansson wrote:
> > If genpd_alloc_data() allocates data for the default power-states for the
> > genpd, let's make sure to also reset the pointer in the error path. This
> > makes sure a genpd provider driver doesn't end up trying to free the data
> > again, but using an invalid pointer.
>
> I may be missing something but if kfree works similar to [1]GNU free() won't
> it make the genpd->states NULL anyway? Have you actually seen scenarios
> where the genpd->states is remaining non-NULL even after kfree?
Yes. kfree() doesn't reset the pointer to the data.
>
> [1]
> https://www.gnu.org/software/libc/manual/html_node/Freeing-after-Malloc.html#:~:text=The%20free%20function%20deallocates%20the%20block%20of%20memory%20pointed%20at%20by%20ptr%20.&text=Occasionally%2C%20free%20can%20actually%20return,malloc%20to%20reuse%20the%20space.
> >
> > Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
> > ---
> > drivers/pmdomain/core.c | 4 +++-
> > 1 file changed, 3 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/pmdomain/core.c b/drivers/pmdomain/core.c
> > index 9b2f28b34bb5..c179464047fe 100644
> > --- a/drivers/pmdomain/core.c
> > +++ b/drivers/pmdomain/core.c
> > @@ -2229,8 +2229,10 @@ static int genpd_alloc_data(struct generic_pm_domain *genpd)
> > return 0;
> > put:
> > put_device(&genpd->dev);
> > - if (genpd->free_states == genpd_free_default_power_state)
> > + if (genpd->free_states == genpd_free_default_power_state) {
> > kfree(genpd->states);
> > + genpd->states = NULL;
>
> Also the coding convention for kfree in other places in pmdomains
> doesn't seem to follow this practice either...
Right. I am not suggesting changing them all. Only this one, as it's a
special case and an error path.
genpd->states may be allocated by both the genpd provider driver and
internally by genpd via pm_genpd_init(), hence we need to be a bit
more careful.
>
> $> rg -A1 kfree drivers/pmdomain
>
> Is this something we're planning to start following in pmdomains from
> now on?
As I said, this is a special case.
>
> > + }
> > free:
> > if (genpd_is_cpu_domain(genpd))
> > free_cpumask_var(genpd->cpus);
> > --
> > 2.43.0
> >
> >
Kind regards
Uffe
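
The failure mode described in the reply above, as an added user-space C model that is not part of the thread or of the kernel source. struct domain, model_kfree(), domain_init() and provider_cleanup() are hypothetical stand-ins for genpd, kfree(), the genpd_alloc_data() error path and a provider driver's cleanup; the model counts a repeated free instead of performing it, so it runs without corrupting the heap.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model: field names mirror the thread, nothing here is kernel code. */
struct state { int id; };
struct domain {
    struct state *states;
    void (*free_states)(struct state *);
};

static uintptr_t last_freed;   /* address most recently released */
static int double_frees;       /* frees attempted on an already released address */

/* Stand-in for kfree(): the pointer is passed by value, so the caller's
 * copy still holds the old address after the call returns. */
static void model_kfree(void *p)
{
    if (!p) return;                                   /* NULL is a no-op */
    if ((uintptr_t)p == last_freed) { double_frees++; return; }
    last_freed = (uintptr_t)p;
    free(p);
}
static void default_free(struct state *s) { model_kfree(s); }

/* Models the error path: default states are allocated internally,
 * a later step fails, and the internal allocation is released. */
static int domain_init(struct domain *d, int reset_on_error)
{
    d->states = calloc(1, sizeof(*d->states));
    if (!d->states) return -1;
    d->free_states = default_free;
    if (d->free_states == default_free) {
        model_kfree(d->states);
        if (reset_on_error)
            d->states = NULL;                         /* the line the patch adds */
    }
    return -1;
}

/* Hypothetical provider cleanup: frees whatever states pointer it finds. */
static void provider_cleanup(struct domain *d) { model_kfree(d->states); d->states = NULL; }

/* Returns how many times an already freed address was passed to the allocator. */
int run(int reset_on_error)
{
    struct domain d = {0};
    last_freed = 0; double_frees = 0;
    domain_init(&d, reset_on_error);
    provider_cleanup(&d);
    return double_frees;
}
int main(void) { printf("no reset: %d, reset: %d\n", run(0), run(1)); return 0; }
```
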
On Apr 03, 2025 at 17:55:41 +0200, Ulf Hansson wrote:
> On Thu, 3 Apr 2025 at 10:08, Dhruva Gole <d-gole@ti.com> wrote:
> >
> > On Apr 02, 2025 at 14:06:13 +0200, Ulf Hansson wrote:
> > > If genpd_alloc_data() allocates data for the default power-states for the
> > > genpd, let's make sure to also reset the pointer in the error path. This
> > > makes sure a genpd provider driver doesn't end up trying to free the data
> > > again, but using an invalid pointer.
> >
> > I may be missing something but if kfree works similar to [1]GNU free() won't
> > it make the genpd->states NULL anyway? Have you actually seen scenarios
> > where the genpd->states is remaining non-NULL even after kfree?
>
> Yes. kfree() doesn't reset the pointer to the data.
Gotcha.
[...]
> > > put_device(&genpd->dev);
> > > - if (genpd->free_states == genpd_free_default_power_state)
> > > + if (genpd->free_states == genpd_free_default_power_state) {
> > > kfree(genpd->states);
> > > + genpd->states = NULL;
> >
> > Also the coding convention for kfree in other places in pmdomains
> > doesn't seem to follow this practice either...
>
> Right. I am not suggesting changing them all. Only this one, as it's a
> special case and an error path.
>
> genpd->states may be allocated by both the genpd provider driver and
> internally by genpd via pm_genpd_init(), hence we need to be a bit
> more careful.
>
I see.. okay then,
Reviewed-by: Dhruva Gole <d-gole@ti.com>
--
Best regards,
Dhruva Gole
Texas Instruments Incorporated