| Message ID | 148787772308.30127.18437190636864555810.stgit@dwillia2-desk3.amr.corp.intel.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On Thu, Feb 23, 2017 at 11:22:03AM -0800, Dan Williams wrote: > If device_add() fails, cleanup the cdev. Otherwise, we leak a kobj_map() > with a stale device number. > > Fixes: ba09c01d2fa8 ("dax: convert to the cdev api") > Cc: <stable@vger.kernel.org> > Cc: Logan Gunthorpe <logang@deltatee.com> > Reported-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com> > Signed-off-by: Dan Williams <dan.j.williams@intel.com> > drivers/dax/dax.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/drivers/dax/dax.c b/drivers/dax/dax.c > index ed758b74ddf0..0f8008dd0b0c 100644 > +++ b/drivers/dax/dax.c > @@ -724,6 +724,7 @@ struct dax_dev *devm_create_dax_dev(struct dax_region *dax_region, > dev_set_name(dev, "dax%d.%d", dax_region->id, dax_dev->id); > rc = device_add(dev); > if (rc) { > + cdev_del(&dax_dev->cdev); This probably should call into unregister_dax_dev and just skip the device_unregister part. Once cdev_add returns it is possible for a mmap to have been created, so cleanup after that point has to go through all the other unregister_dax_dev steps. Jason
On Thu, Feb 23, 2017 at 12:20 PM, Jason Gunthorpe <jgunthorpe@obsidianresearch.com> wrote: > On Thu, Feb 23, 2017 at 11:22:03AM -0800, Dan Williams wrote: >> If device_add() fails, cleanup the cdev. Otherwise, we leak a kobj_map() >> with a stale device number. >> >> Fixes: ba09c01d2fa8 ("dax: convert to the cdev api") >> Cc: <stable@vger.kernel.org> >> Cc: Logan Gunthorpe <logang@deltatee.com> >> Reported-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com> >> Signed-off-by: Dan Williams <dan.j.williams@intel.com> >> drivers/dax/dax.c | 1 + >> 1 file changed, 1 insertion(+) >> >> diff --git a/drivers/dax/dax.c b/drivers/dax/dax.c >> index ed758b74ddf0..0f8008dd0b0c 100644 >> +++ b/drivers/dax/dax.c >> @@ -724,6 +724,7 @@ struct dax_dev *devm_create_dax_dev(struct dax_region *dax_region, >> dev_set_name(dev, "dax%d.%d", dax_region->id, dax_dev->id); >> rc = device_add(dev); >> if (rc) { >> + cdev_del(&dax_dev->cdev); > > This probably should call into unregister_dax_dev and just skip the > device_unregister part. > > Once cdev_add returns it is possible for a mmap to have been created, > so cleanup after that point has to go through all the other > unregister_dax_dev steps. Ah true. I was thinking the device node is not auto-created if the device_add() fails, but there's theoretically nothing stopping userspace from trying to hit this race with its own self-created device-node.
diff --git a/drivers/dax/dax.c b/drivers/dax/dax.c index ed758b74ddf0..0f8008dd0b0c 100644 --- a/drivers/dax/dax.c +++ b/drivers/dax/dax.c @@ -724,6 +724,7 @@ struct dax_dev *devm_create_dax_dev(struct dax_region *dax_region, dev_set_name(dev, "dax%d.%d", dax_region->id, dax_dev->id); rc = device_add(dev); if (rc) { + cdev_del(&dax_dev->cdev); put_device(dev); return ERR_PTR(rc); }
If device_add() fails, cleanup the cdev. Otherwise, we leak a kobj_map() with a stale device number. Fixes: ba09c01d2fa8 ("dax: convert to the cdev api") Cc: <stable@vger.kernel.org> Cc: Logan Gunthorpe <logang@deltatee.com> Reported-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com> Signed-off-by: Dan Williams <dan.j.williams@intel.com> --- drivers/dax/dax.c | 1 + 1 file changed, 1 insertion(+)