From: Donet Tom <donettom@linux.ibm.com>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Chris Mason <clm@meta.com>, David Hildenbrand <david@redhat.com>,
Oscar Salvador <osalvador@suse.de>, Zi Yan <ziy@nvidia.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Ritesh Harjani <ritesh.list@gmail.com>,
linux-mm@kvack.org, linux-kernel@vger.kernel.org,
"Rafael J . Wysocki" <rafael@kernel.org>,
Danilo Krummrich <dakr@kernel.org>,
Jonathan Cameron <Jonathan.Cameron@huawei.com>,
Alison Schofield <alison.schofield@intel.com>,
Yury Norov <yury.norov@gmail.com>,
Dave Jiang <dave.jiang@intel.com>,
KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Subject: Re: [PATCH v2] drivers/base/node: Handle error properly in register_one_node()
Date: Thu, 18 Sep 2025 10:19:38 +0530 [thread overview]
Message-ID: <e6f5d1e6-afe5-4225-a672-7523d04c6504@linux.ibm.com> (raw)
In-Reply-To: <20250917144844.e8d9b9593aac9f3a4b52a0cb@linux-foundation.org>
On 9/18/25 3:18 AM, Andrew Morton wrote:
> On Wed, 17 Sep 2025 20:25:48 +0530 Donet Tom <donettom@linux.ibm.com> wrote:
>
>>> Can this cause a double-free? Looking at register_node(), when
>>> device_register() fails, it calls put_device(&node->dev). The put_device()
>>> call triggers node_device_release() which does kfree(to_node(dev)), freeing
>>> the entire node structure. So when register_node() returns an error, the
>>> node memory is already freed, but this code calls kfree(node) again on the
>>> same memory.
>>>
>>> The call chain is: register_node()->device_register() fails->
>>> put_device()->node_device_release()->kfree(to_node(dev)).
>>
>> Thank you for pointing this out. I will address it and send a v3.
> This patch is now in mm.git's non-rebasing mm-stable branch, so no
> replacements, please.
>
> A standalone patch with
>
> Fixes: 786eb990cfb7 ("drivers/base/node: handle error properly in register_one_node()")
>
> is the way to go.
Sure Andrew .I will send it today.
>
>
prev parent reply other threads:[~2025-09-18 4:56 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-22 8:48 Donet Tom
2025-08-22 9:48 ` David Hildenbrand
2025-09-17 13:45 ` Chris Mason
2025-09-17 14:55 ` Donet Tom
2025-09-17 21:48 ` Andrew Morton
2025-09-18 4:49 ` Donet Tom [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e6f5d1e6-afe5-4225-a672-7523d04c6504@linux.ibm.com \
--to=donettom@linux.ibm.com \
--cc=Jonathan.Cameron@huawei.com \
--cc=akpm@linux-foundation.org \
--cc=alison.schofield@intel.com \
--cc=clm@meta.com \
--cc=dakr@kernel.org \
--cc=dave.jiang@intel.com \
--cc=david@redhat.com \
--cc=gregkh@linuxfoundation.org \
--cc=kamezawa.hiroyu@jp.fujitsu.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=osalvador@suse.de \
--cc=rafael@kernel.org \
--cc=ritesh.list@gmail.com \
--cc=yury.norov@gmail.com \
--cc=ziy@nvidia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox