Date: Mon, 20 Jun 2022 15:55:56 +0200
From: Johan Hovold
To: Zhi Song
Cc: gregkh@linuxfoundation.org, rafael@kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v3] node: put_device after failing to device_register
In-Reply-To: <20220615151738.1766206-1-zhi.song@bytedance.com>

On Wed, Jun 15, 2022 at 11:17:38PM +0800, Zhi Song wrote:
> device_register() is used to register a device with the system.
> We need to call put_device() to give up the reference initialized
> in device_register() when it returns an error and this will clean
> up correctly.
>
> Fixes: 08d9dbe72b1f ("node: Link memory nodes to their compute nodes")
> Signed-off-by: Zhi Song
> ---
> V1 -> V2: Fix up the changelog text correct.
> V2 -> V3: Add a fixes tag line specifying the commit where this bug was
> introduced.
> ---
> drivers/base/node.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/base/node.c b/drivers/base/node.c > index 0ac6376ef7a1..88a3337c546e 100644 > --- a/drivers/base/node.c > +++ b/drivers/base/node.c 
> @@ -154,6 +154,7 @@ static struct node_access_nodes *node_init_node_access(struct node *node, > list_add_tail(&access_node->list_node, &node->access_list); > return access_node; > free_name: > + put_device(dev); > kfree_const(dev->kobj.name); That's a pretty obvious use-after-free you just added here. You can't access dev after you've just freed it. The name is freed along with the rest of the struct device so you need to remove the second explicit free. And you should rename the label too. > free: > kfree(access_node); But here's another use after free... The put_device() call you added will have freed access_node by calling node_access_release(). Johan
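
Review bot: At the free_name: label, the added put_device(dev) is followed by kfree_const(dev->kobj.name) and then falls through to free: and kfree(access_node), so both explicit frees run after the reference has already been dropped. As the reply points out, the name is freed along with the struct device and node_access_release() frees access_node, which makes the dev->kobj.name dereference a use-after-free and the kfree(access_node) a second free of the same object. Suggest that the device_register() failure path do nothing after put_device(dev) except return the error value: drop the explicit kfree_const(), do not fall through to free:, and rename the label so it reflects that it only drops the reference.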