Message ID | 20210526081055.1932084-1-ming.lei@redhat.com (mailing list archive)
---|---
State | Superseded
Series | scsi: core: fix failure handling of scsi_add_host_with_dma
On 26/05/2021 09:10, Ming Lei wrote:
> When scsi_add_host_with_dma() returns failure, the caller will call
> scsi_host_put(shost) to release everything allocated for this host
> instance. So we can't free allocated stuff in scsi_add_host_with_dma(),
> otherwise a double free will be caused.
>
> Strictly speaking, these host resource allocations should have been
> moved to scsi_host_alloc(), but the allocation may need driver's
> info which can be built between calling scsi_host_alloc() and
> scsi_add_host(), so just keep the allocations in
> scsi_add_host_with_dma().
>

Hi Ming,

I did an experiment by making scsi_add_host_with_dma() fail by hacking the code, like:

    snprintf(shost->work_q_name, sizeof(shost->work_q_name),
             "scsi_wq_%d", shost->host_no);
    #if 0
    shost->work_q = alloc_workqueue("%s",
                    WQ_SYSFS | __WQ_LEGACY | WQ_MEM_RECLAIM |
                    WQ_UNBOUND,
                    1, shost->work_q_name);
    #endif

I was finding that the shost gendev kobj kref count was 2 at the "fail" label - I would expect 1.

Did you actually ever see the release function - scsi_host_dev_release() - being called and causing the double free?

Thanks,
John

> Fix the problem by relying on the host device's release handler to
> release everything.
>
> Cc: Bart Van Assche <bvanassche@acm.org>
> Cc: John Garry <john.garry@huawei.com>
> Cc: Hannes Reinecke <hare@suse.de>
> Signed-off-by: Ming Lei <ming.lei@redhat.com>
> ---
> drivers/scsi/hosts.c | 14 ++++++--------
> 1 file changed, 6 insertions(+), 8 deletions(-)
>
> diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
> index 624e2582c3df..ef8d2f512fe3 100644
> --- a/drivers/scsi/hosts.c
> +++ b/drivers/scsi/hosts.c
> @@ -281,23 +281,22 @@ int scsi_add_host_with_dma(struct Scsi_Host *shost, struct device *dev, > > if (!shost->work_q) { > error = -EINVAL; > - goto out_free_shost_data; > + goto out_del_dev; > } > } > > error = scsi_sysfs_add_host(shost); > if (error) > - goto out_destroy_host; > + goto out_del_dev; > > scsi_proc_host_add(shost); > scsi_autopm_put_host(shost); > return error; > > - out_destroy_host: > - if (shost->work_q) > - destroy_workqueue(shost->work_q); > - out_free_shost_data: > - kfree(shost->shost_data); > + /* > + * any host allocation in this function will be freed in > + * scsi_host_dev_release, so not free them in the failure path > + */ > out_del_dev: > device_del(&shost->shost_dev); > out_del_gendev: > @@ -307,7 +306,6 @@ int scsi_add_host_with_dma(struct Scsi_Host *shost, struct device *dev, > pm_runtime_disable(&shost->shost_gendev); > pm_runtime_set_suspended(&shost->shost_gendev); > pm_runtime_put_noidle(&shost->shost_gendev); > - scsi_mq_destroy_tags(shost); > fail: > return error; > } >
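Review bot: in the first hunk the `if (!shost->work_q)` branch now jumps to out_del_dev with shost->work_q == NULL and shost->shost_data already allocated, so the change is only safe if scsi_host_dev_release() checks work_q for NULL before destroying it and frees shost_data itself; neither is visible in this hunk, and the commit message should say so explicitly (John's question above about ever seeing the release function run is the same concern). The new comment also reads better as "so do not free them in the failure path".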
On Thu, May 27, 2021 at 06:50:57PM +0100, John Garry wrote:
> On 26/05/2021 09:10, Ming Lei wrote:
> > When scsi_add_host_with_dma() returns failure, the caller will call
> > scsi_host_put(shost) to release everything allocated for this host
> > instance. So we can't free allocated stuff in scsi_add_host_with_dma(),
> > otherwise a double free will be caused.
> >
> > Strictly speaking, these host resource allocations should have been
> > moved to scsi_host_alloc(), but the allocation may need driver's
> > info which can be built between calling scsi_host_alloc() and
> > scsi_add_host(), so just keep the allocations in
> > scsi_add_host_with_dma().
> >
>
> Hi Ming,
>
> I did an experiment by making scsi_add_host_with_dma() fail by hacking the
> code, like:
>
> snprintf(shost->work_q_name, sizeof(shost->work_q_name),
> "scsi_wq_%d", shost->host_no);
> #if 0
> shost->work_q = alloc_workqueue("%s",
> WQ_SYSFS | __WQ_LEGACY | WQ_MEM_RECLAIM |
> WQ_UNBOUND,
> 1, shost->work_q_name);
> #endif
>
> I was finding that the shost gendev kobj kref count was 2 at the "fail"
> label - I would expect 1.
>
> Did you actually ever see the release function - scsi_host_dev_release() -
> being called and causing the double free?

There is one new leak issue in the failure path and the following patch should address it:

diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
index ea50856cb203..47b4ba16b017 100644
--- a/drivers/scsi/hosts.c
+++ b/drivers/scsi/hosts.c
@@ -296,6 +296,7 @@ int scsi_add_host_with_dma(struct Scsi_Host *shost, struct device *dev, */ out_del_dev: device_del(&shost->shost_dev); + put_device(&shost->shost_gendev); out_del_gendev: device_del(&shost->shost_gendev); out_disable_runtime_pm:

Thanks,
Ming
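Review bot: put_device(&shost->shost_gendev) is added under out_del_dev, so it runs only for failures after device_add(&shost->shost_dev) has succeeded and is skipped by every path that jumps straight to out_del_gendev; that is correct only if the reference it drops is taken between the two device_add() calls, which lies outside the hunk's context. State that pairing in the changelog so the kref count John measured can be checked against it, and fold this into the next revision of the series rather than carrying it as a separate fix, since the reply itself describes it as a leak in the same failure path this patch reworks.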
diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c index 624e2582c3df..ef8d2f512fe3 100644 --- a/drivers/scsi/hosts.c +++ b/drivers/scsi/hosts.c @@ -281,23 +281,22 @@ int scsi_add_host_with_dma(struct Scsi_Host *shost, struct device *dev, if (!shost->work_q) { error = -EINVAL; - goto out_free_shost_data; + goto out_del_dev; } } error = scsi_sysfs_add_host(shost); if (error) - goto out_destroy_host; + goto out_del_dev; scsi_proc_host_add(shost); scsi_autopm_put_host(shost); return error; - out_destroy_host: - if (shost->work_q) - destroy_workqueue(shost->work_q); - out_free_shost_data: - kfree(shost->shost_data); + /* + * any host allocation in this function will be freed in + * scsi_host_dev_release, so not free them in the failure path + */ out_del_dev: device_del(&shost->shost_dev); out_del_gendev: @@ -307,7 +306,6 @@ int scsi_add_host_with_dma(struct Scsi_Host *shost, struct device *dev, pm_runtime_disable(&shost->shost_gendev); pm_runtime_set_suspended(&shost->shost_gendev); pm_runtime_put_noidle(&shost->shost_gendev); - scsi_mq_destroy_tags(shost); fail: return error; }
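Review bot: the second hunk drops scsi_mq_destroy_tags(shost) from the unwinding after the runtime-PM cleanup, but the commit message only speaks of the allocations made in scsi_add_host_with_dma() being freed by the release handler and the matching tag setup is not in the hunk's context; say explicitly that scsi_host_dev_release() now tears down the tag set too, and that no path reaches `fail:` with the tags still owned by this function. It is also worth noting in the changelog that every label from out_del_dev downward now depends on the caller's scsi_host_put() to run the release handler, so a driver that omits that put after a failed scsi_add_host() leaks the workqueue, shost_data and tags, not just the host structure.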
When scsi_add_host_with_dma() returns failure, the caller will call
scsi_host_put(shost) to release everything allocated for this host
instance. So we can't free allocated stuff in scsi_add_host_with_dma(),
otherwise a double free will be caused.

Strictly speaking, these host resource allocations should have been
moved to scsi_host_alloc(), but the allocation may need driver's
info which can be built between calling scsi_host_alloc() and
scsi_add_host(), so just keep the allocations in
scsi_add_host_with_dma().

Fix the problem by relying on the host device's release handler to
release everything.

Cc: Bart Van Assche <bvanassche@acm.org>
Cc: John Garry <john.garry@huawei.com>
Cc: Hannes Reinecke <hare@suse.de>
Signed-off-by: Ming Lei <ming.lei@redhat.com>
---
 drivers/scsi/hosts.c | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)
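The ownership rule the commit message relies on, as an added C model that is not kernel code and not part of this patch: a refcounted host whose release handler owns every resource, an add step whose failure path either frees shost_data itself (the old out_free_shost_data label) or leaves it to the release handler, and the caller's scsi_host_put(). All names are constructed analogues; integer slots stand in for kernel allocations so a double free is counted rather than corrupting memory, and refs_at_fail = 2 reproduces the stray reference John observed, which keeps the release handler from ever running.

```c
#include <stdbool.h>
#include <string.h>

/* Tiny allocator model: a slot is live between alloc and free; freeing a slot
 * that is not live is counted as a double free instead of corrupting memory. */
enum { SLOTS = 8 };
static bool live[SLOTS];
static int double_frees;
static int model_alloc(void) {
    for (int i = 0; i < SLOTS; i++)
        if (!live[i]) { live[i] = true; return i; }
    return -1;
}
static void model_free(int slot) {
    if (slot < 0) return;             /* -1 plays the role of a NULL pointer */
    if (!live[slot]) double_frees++;  /* the bug the patch removes */
    live[slot] = false;
}
static int live_slots(void) {         /* non-zero after teardown means a leak */
    int n = 0;
    for (int i = 0; i < SLOTS; i++) n += live[i];
    return n;
}

/* refs models the shost_gendev kref; work_q / shost_data stand in for the two
 * kernel allocations (constructed analogues, -1 == NULL). */
struct host { int refs, work_q, shost_data; };
/* Analogue of scsi_host_dev_release(): the single owner of both resources. */
static void host_release(struct host *h) { model_free(h->work_q); model_free(h->shost_data); }
static void host_put(struct host *h) { if (--h->refs == 0) host_release(h); }
/* Analogue of scsi_add_host_with_dma() with alloc_workqueue() forced to fail.
 * free_in_error_path reproduces the old out_free_shost_data label: it frees
 * shost_data but leaves the dangling pointer for the release handler to free again. */
static int host_add(struct host *h, bool free_in_error_path) {
    h->shost_data = model_alloc();
    h->work_q = -1;                   /* alloc_workqueue() returned NULL */
    if (free_in_error_path)
        model_free(h->shost_data);
    return -1;                        /* -EINVAL in the kernel */
}
/* Caller pattern from the commit message: the driver calls scsi_host_put() on
 * failure, and the release handler runs only when the last reference drops.
 * refs_at_fail = 2 reproduces the stray reference John observed at "fail". */
static int probe_and_fail(bool free_in_error_path, int refs_at_fail) {
    struct host h = { .refs = refs_at_fail, .work_q = -1, .shost_data = -1 };
    memset(live, 0, sizeof live); double_frees = 0;
    if (host_add(&h, free_in_error_path) != 0)
        host_put(&h);
    return double_frees;              /* inspect live_slots() afterwards for leaks */
}
```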