* [PATCH] drivers/base/node: Fix double free in register_one_node()
@ 2025-09-18 5:41 Donet Tom
2025-09-18 5:55 ` David Hildenbrand
2025-09-18 13:29 ` Oscar Salvador
0 siblings, 2 replies; 6+ messages in thread
From: Donet Tom @ 2025-09-18 5:41 UTC (permalink / raw)
To: akpm, clm
Cc: Jonathan.Cameron, alison.schofield, dakr, dave.jiang, david,
gregkh, kamezawa.hiroyu, linux-kernel, linux-mm, osalvador,
rafael, ritesh.list, yury.norov, ziy, Donet Tom
When device_register() fails in register_node(), it calls
put_device(&node->dev). This triggers node_device_release(),
which calls kfree(to_node(dev)), thereby freeing the entire
node structure.
As a result, when register_node() returns an error, the node
memory has already been freed. Calling kfree(node) again in
register_one_node() leads to a double free.
This patch removes the redundant kfree(node) from
register_one_node() to prevent the double free.
Fixes: 786eb990cfb7 ("drivers/base/node: handle error properly in register_one_node()")
Signed-off-by: Donet Tom <donettom@linux.ibm.com>
---
drivers/base/node.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/base/node.c b/drivers/base/node.c
index 1608816de67f..6b6e55a98b79 100644
--- a/drivers/base/node.c
+++ b/drivers/base/node.c
@@ -885,7 +885,6 @@ int register_one_node(int nid)
error = register_node(node_devices[nid], nid);
if (error) {
node_devices[nid] = NULL;
- kfree(node);
return error;
}
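Review bot: With `kfree(node)` gone, nothing on this error path records that register_node() has already released the node through put_device() and node_device_release(), so the next reader of `if (error) {` may well put the free back, exactly as the Fixes: commit did. Suggest a one-line comment above `node_devices[nid] = NULL;`, e.g. `/* register_node() already dropped the device ref; node is freed */`, so the ownership rule lives in the code rather than only in the commit message. The `node_devices[nid] = NULL;` itself has to stay ahead of `return error;`, since the array entry would otherwise keep pointing at freed memory.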
--
2.51.0
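The ownership rule the commit message describes (device_register() failing drops the reference it was handed, the release callback frees the embedding structure, so the caller must not free it again), shown as an added example that is not part of the patch or of the kernel. It is a user-space model in which kzalloc()/kfree() are replaced by a counting allocator, so the double free is observed as a count of two rather than as slab corruption. struct device, put_device(), device_register(), node_device_release(), register_node() and the register_one_node_* helpers are hypothetical simplifications whose names mirror drivers/base/node.c; the fail_register knob and the single-node pool are invented for the demonstration.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Added example, not kernel code: a user-space model of the driver-model
 * ownership rule the patch relies on. Names mirror drivers/base/node.c; the
 * bodies, refcount model and counting kzalloc()/kfree() are hypothetical. */

struct device {
	int refcount;
	int fail_register;                  /* test knob: make device_register() fail */
	void (*release)(struct device *dev);
};

struct node {
	struct device dev;
	int nid;
};

#define to_node(d) ((struct node *)((char *)(d) - offsetof(struct node, dev)))

/* Counting allocator: one node per scenario; kfree() records frees instead of
 * touching the heap, so a double free shows up as a count of 2, not as UB. */
static struct node node_pool;
static int node_frees;

static void *kzalloc(size_t size)
{
	if (size > sizeof(node_pool))
		return NULL;
	memset(&node_pool, 0, sizeof(node_pool));
	node_frees = 0;
	return &node_pool;
}

static void kfree(const void *p)
{
	node_frees += (p == (const void *)&node_pool);
}

/* The last put_device() runs ->release(), which frees the embedding object. */
static void put_device(struct device *dev)
{
	if (--dev->refcount == 0)
		dev->release(dev);
}

/* On failure device_register() drops the reference it was handed: ownership
 * has already passed to the device model, so the caller must not free it. */
static int device_register(struct device *dev)
{
	dev->refcount = 1;
	if (dev->fail_register) {
		put_device(dev);
		return -EINVAL;
	}
	return 0;
}

static struct node *node_devices[4];

static void node_device_release(struct device *dev)
{
	kfree(to_node(dev));
}

static int register_node(struct node *node, int nid)
{
	node->nid = nid;
	node->dev.release = node_device_release;
	return device_register(&node->dev);
}

/* register_one_node() with or without the kfree() the patch removes. Returns
 * how many times the node was freed: 0 on success, 1 on the fixed error path,
 * 2 on the buggy one; -ENOMEM if the allocation fails. */
static int register_one_node_frees(int nid, int fail_register, int extra_kfree)
{
	struct node *node = kzalloc(sizeof(*node));
	int error;

	if (!node)
		return -ENOMEM;
	node->dev.fail_register = fail_register;
	node_devices[nid] = node;
	error = register_node(node_devices[nid], nid);
	if (error) {
		node_devices[nid] = NULL;
		if (extra_kfree)
			kfree(node);    /* the removed line: node_device_release() already ran */
	}
	return node_frees;
}

/* Before the patch the error path frees twice; after it, ->release() is the only free. */
static int register_one_node_before(int nid, int fail) { return register_one_node_frees(nid, fail, 1); }
static int register_one_node_after(int nid, int fail) { return register_one_node_frees(nid, fail, 0); }
```

Calling register_one_node_before(0, 1) returns 2 (the error path frees the node a second time after node_device_release() ran), register_one_node_after(0, 1) returns 1, and register_one_node_after(1, 0) returns 0 with node_devices[1] still pointing at the live node. In the real kernel the second kfree() would corrupt the slab rather than bump a counter, which is why the whole fix is the deletion of one line and why the hand-off of ownership at device_register() has to be remembered on its failure path as well as on success.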
* Re: [PATCH] drivers/base/node: Fix double free in register_one_node()
From: David Hildenbrand @ 2025-09-18 5:55 UTC (permalink / raw)
To: Donet Tom, akpm, clm
Cc: Jonathan.Cameron, alison.schofield, dakr, dave.jiang, gregkh,
kamezawa.hiroyu, linux-kernel, linux-mm, osalvador, rafael,
ritesh.list, yury.norov, ziy

On 18.09.25 07:41, Donet Tom wrote:
> When device_register() fails in register_node(), it calls
> put_device(&node->dev). This triggers node_device_release(),
> which calls kfree(to_node(dev)), thereby freeing the entire
> node structure.
>
> As a result, when register_node() returns an error, the node
> memory has already been freed. Calling kfree(node) again in
> register_one_node() leads to a double free.
>
> This patch removes the redundant kfree(node) from
> register_one_node() to prevent the double free.
>
> Fixes: 786eb990cfb7 ("drivers/base/node: handle error properly in register_one_node()")
> Signed-off-by: Donet Tom <donettom@linux.ibm.com>
> ---
> drivers/base/node.c | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/drivers/base/node.c b/drivers/base/node.c
> index 1608816de67f..6b6e55a98b79 100644
> --- a/drivers/base/node.c
> +++ b/drivers/base/node.c
> @@ -885,7 +885,6 @@ int register_one_node(int nid)
> error = register_node(node_devices[nid], nid);
> if (error) {
> node_devices[nid] = NULL;
> - kfree(node);
> return error;
> }
>

Yes, that matches what other users (staring at mm/memory-tiers.c) do.

I wonder if we should just inline register_node() into register_one_node().

Then it's clearer that we perform a put_device() already in there.

On top of that, we could then just s/register_one_node/register_node/

And then we could do a similar cleanup for unregister_one_node / unregister_node where I don't consider the split function really valuable.

--
Cheers

David / dhildenb
* Re: [PATCH] drivers/base/node: Fix double free in register_one_node()
From: David Hildenbrand @ 2025-09-18 5:56 UTC (permalink / raw)
To: Donet Tom, akpm, clm
Cc: Jonathan.Cameron, alison.schofield, dakr, dave.jiang, gregkh,
kamezawa.hiroyu, linux-kernel, linux-mm, osalvador, rafael,
ritesh.list, yury.norov, ziy

On 18.09.25 07:55, David Hildenbrand wrote:
> On 18.09.25 07:41, Donet Tom wrote:
>> When device_register() fails in register_node(), it calls
>> put_device(&node->dev). This triggers node_device_release(),
>> which calls kfree(to_node(dev)), thereby freeing the entire
>> node structure.
>>
>> As a result, when register_node() returns an error, the node
>> memory has already been freed. Calling kfree(node) again in
>> register_one_node() leads to a double free.
>>
>> This patch removes the redundant kfree(node) from
>> register_one_node() to prevent the double free.
>>
>> Fixes: 786eb990cfb7 ("drivers/base/node: handle error properly in register_one_node()")
>> Signed-off-by: Donet Tom <donettom@linux.ibm.com>
>> ---
>> drivers/base/node.c | 1 -
>> 1 file changed, 1 deletion(-)
>>
>> diff --git a/drivers/base/node.c b/drivers/base/node.c
>> index 1608816de67f..6b6e55a98b79 100644
>> --- a/drivers/base/node.c
>> +++ b/drivers/base/node.c
>> @@ -885,7 +885,6 @@ int register_one_node(int nid)
>> error = register_node(node_devices[nid], nid);
>> if (error) {
>> node_devices[nid] = NULL;
>> - kfree(node);
>> return error;
>> }
>>
>
> Yes, that matches what other users (staring at mm/memory-tiers.c) do.

I forgot

Acked-by: David Hildenbrand <david@redhat.com>

--
Cheers

David / dhildenb
* Re: [PATCH] drivers/base/node: Fix double free in register_one_node()
From: Donet Tom @ 2025-09-18 6:45 UTC (permalink / raw)
To: David Hildenbrand, akpm, clm
Cc: Jonathan.Cameron, alison.schofield, dakr, dave.jiang, gregkh,
kamezawa.hiroyu, linux-kernel, linux-mm, osalvador, rafael,
ritesh.list, yury.norov, ziy

On 9/18/25 11:25 AM, David Hildenbrand wrote:
> On 18.09.25 07:41, Donet Tom wrote:
>> When device_register() fails in register_node(), it calls
>> put_device(&node->dev). This triggers node_device_release(),
>> which calls kfree(to_node(dev)), thereby freeing the entire
>> node structure.
>>
>> As a result, when register_node() returns an error, the node
>> memory has already been freed. Calling kfree(node) again in
>> register_one_node() leads to a double free.
>>
>> This patch removes the redundant kfree(node) from
>> register_one_node() to prevent the double free.
>>
>> Fixes: 786eb990cfb7 ("drivers/base/node: handle error properly in
>> register_one_node()")
>> Signed-off-by: Donet Tom <donettom@linux.ibm.com>
>> ---
>> drivers/base/node.c | 1 -
>> 1 file changed, 1 deletion(-)
>>
>> diff --git a/drivers/base/node.c b/drivers/base/node.c
>> index 1608816de67f..6b6e55a98b79 100644
>> --- a/drivers/base/node.c
>> +++ b/drivers/base/node.c
>> @@ -885,7 +885,6 @@ int register_one_node(int nid)
>> error = register_node(node_devices[nid], nid);
>> if (error) {
>> node_devices[nid] = NULL;
>> - kfree(node);
>> return error;
>> }
>
> Yes, that matches what other users (staring at mm/memory-tiers.c) do.
>
> I wonder if we should just inline register_node() into
> register_one_node().
>
> Then it's clearer that we perform a put_device() already in there.
>
> On top of that, we could then just s/register_one_node/register_node/
>
> And then we could do a similar cleanup for unregister_one_node /
> unregister_node where I don't consider the split function really
> valuable.

Sure David, I will work on it and send it as a separate patch.
* Re: [PATCH] drivers/base/node: Fix double free in register_one_node()
From: Oscar Salvador @ 2025-09-18 13:28 UTC (permalink / raw)
To: David Hildenbrand
Cc: Donet Tom, akpm, clm, Jonathan.Cameron, alison.schofield, dakr,
dave.jiang, gregkh, kamezawa.hiroyu, linux-kernel, linux-mm, rafael,
ritesh.list, yury.norov, ziy

On Thu, Sep 18, 2025 at 07:55:07AM +0200, David Hildenbrand wrote:
> Yes, that matches what other users (staring at mm/memory-tiers.c) do.
>
> I wonder if we should just inline register_node() into register_one_node().
>
> Then it's clearer that we perform a put_device() already in there.
>
> On top of that, we could then just s/register_one_node/register_node/
>
> And then we could do a similar cleanup for unregister_one_node /
> unregister_node where I don't consider the split function really valuable.

Yap, that makes sense to me as well.

--
Oscar Salvador
SUSE Labs
* Re: [PATCH] drivers/base/node: Fix double free in register_one_node()
From: Oscar Salvador @ 2025-09-18 13:29 UTC (permalink / raw)
To: Donet Tom
Cc: akpm, clm, Jonathan.Cameron, alison.schofield, dakr, dave.jiang,
david, gregkh, kamezawa.hiroyu, linux-kernel, linux-mm, rafael,
ritesh.list, yury.norov, ziy

On Thu, Sep 18, 2025 at 11:11:44AM +0530, Donet Tom wrote:
> When device_register() fails in register_node(), it calls
> put_device(&node->dev). This triggers node_device_release(),
> which calls kfree(to_node(dev)), thereby freeing the entire
> node structure.
>
> As a result, when register_node() returns an error, the node
> memory has already been freed. Calling kfree(node) again in
> register_one_node() leads to a double free.
>
> This patch removes the redundant kfree(node) from
> register_one_node() to prevent the double free.
>
> Fixes: 786eb990cfb7 ("drivers/base/node: handle error properly in register_one_node()")
> Signed-off-by: Donet Tom <donettom@linux.ibm.com>

Acked-by: Oscar Salvador <osalvador@suse.de>

--
Oscar Salvador
SUSE Labs