diff mbox series

[3/4] scsi: core: put .shost_dev in failure path if host state becomes running

Message ID 20210602133029.2864069-4-ming.lei@redhat.com (mailing list archive)
State Accepted
Series scsi: fix failure handling of alloc/add host

Commit Message

Ming Lei June 2, 2021, 1:30 p.m. UTC
scsi_host_dev_release() only works around for us by freeing
dev_name(&shost->shost_dev) when host state is SHOST_CREATED. After host
state is changed to SHOST_RUNNING, scsi_host_dev_release() doesn't do
that any more.

So fix the issue by putting .shost_dev in the failure path if host state
becomes running; meanwhile, move get_device(&shost->shost_gendev) before
device_add(&shost->shost_dev), so that scsi_host_cls_release() can put
this reference.

Reported-by: John Garry <john.garry@huawei.com>
Cc: Bart Van Assche <bvanassche@acm.org>
Cc: Hannes Reinecke <hare@suse.de>
Signed-off-by: Ming Lei <ming.lei@redhat.com>
---
 drivers/scsi/hosts.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

Comments

Bart Van Assche June 3, 2021, 3:06 a.m. UTC | #1
On 6/2/21 6:30 AM, Ming Lei wrote:
> scsi_host_dev_release() only works around for us by freeing
> dev_name(&shost->shost_dev) when host state is SHOST_CREATED. After host
> state is changed to SHOST_RUNNING, scsi_host_dev_release() doesn't do
> that any more.
> 
> So fix the issue by put .shost_dev in failure path if host state becomes
> running, meantime move get_device(&shost->shost_gendev) before
> device_add(&shost->shost_dev), so that scsi_host_cls_release() can put
> this reference.
> 
> Reported-by: John Garry <john.garry@huawei.com>
> Cc: Bart Van Assche <bvanassche@acm.org>
> Cc: Hannes Reinecke <hare@suse.de>
> Signed-off-by: Ming Lei <ming.lei@redhat.com>
> ---
>  drivers/scsi/hosts.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
> index 796736e47764..7049844adb6b 100644
> --- a/drivers/scsi/hosts.c
> +++ b/drivers/scsi/hosts.c
> @@ -257,12 +257,11 @@ int scsi_add_host_with_dma(struct Scsi_Host *shost, struct device *dev,
>  
>  	device_enable_async_suspend(&shost->shost_dev);
>  
> +	get_device(&shost->shost_gendev);
>  	error = device_add(&shost->shost_dev);
>  	if (error)
>  		goto out_del_gendev;
>  
> -	get_device(&shost->shost_gendev);
> -
>  	if (shost->transportt->host_size) {
>  		shost->shost_data = kzalloc(shost->transportt->host_size,
>  					 GFP_KERNEL);
> @@ -300,6 +299,11 @@ int scsi_add_host_with_dma(struct Scsi_Host *shost, struct device *dev,
>   out_del_dev:
>  	device_del(&shost->shost_dev);
>   out_del_gendev:
> +	/*
> +	 * host state has become SHOST_RUNNING, so we have to release
> +	 * ->shost_dev explicitly
> +	 */
> +	put_device(&shost->shost_dev);
>  	device_del(&shost->shost_gendev);
>   out_disable_runtime_pm:
>  	device_disable_async_suspend(&shost->shost_gendev);

Shouldn't this change be merged into patch 2/4 since both patches touch
the same function? Anyway, this patch also looks good to me.

Bart.

Ming Lei June 3, 2021, 3:22 a.m. UTC | #2
On Wed, Jun 02, 2021 at 08:06:31PM -0700, Bart Van Assche wrote:
> On 6/2/21 6:30 AM, Ming Lei wrote:
> > scsi_host_dev_release() only works around for us by freeing
> > dev_name(&shost->shost_dev) when host state is SHOST_CREATED. After host
> > state is changed to SHOST_RUNNING, scsi_host_dev_release() doesn't do
> > that any more.
> > 
> > So fix the issue by put .shost_dev in failure path if host state becomes
> > running, meantime move get_device(&shost->shost_gendev) before
> > device_add(&shost->shost_dev), so that scsi_host_cls_release() can put
> > this reference.
> > 
> > Reported-by: John Garry <john.garry@huawei.com>
> > Cc: Bart Van Assche <bvanassche@acm.org>
> > Cc: Hannes Reinecke <hare@suse.de>
> > Signed-off-by: Ming Lei <ming.lei@redhat.com>
> > ---
> >  drivers/scsi/hosts.c | 8 ++++++--
> >  1 file changed, 6 insertions(+), 2 deletions(-)
> > 
> > diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
> > index 796736e47764..7049844adb6b 100644
> > --- a/drivers/scsi/hosts.c
> > +++ b/drivers/scsi/hosts.c
> > @@ -257,12 +257,11 @@ int scsi_add_host_with_dma(struct Scsi_Host *shost, struct device *dev,
> >  
> >  	device_enable_async_suspend(&shost->shost_dev);
> >  
> > +	get_device(&shost->shost_gendev);
> >  	error = device_add(&shost->shost_dev);
> >  	if (error)
> >  		goto out_del_gendev;
> >  
> > -	get_device(&shost->shost_gendev);
> > -
> >  	if (shost->transportt->host_size) {
> >  		shost->shost_data = kzalloc(shost->transportt->host_size,
> >  					 GFP_KERNEL);
> > @@ -300,6 +299,11 @@ int scsi_add_host_with_dma(struct Scsi_Host *shost, struct device *dev,
> >   out_del_dev:
> >  	device_del(&shost->shost_dev);
> >   out_del_gendev:
> > +	/*
> > +	 * host state has become SHOST_RUNNING, so we have to release
> > +	 * ->shost_dev explicitly
> > +	 */
> > +	put_device(&shost->shost_dev);
> >  	device_del(&shost->shost_gendev);
> >   out_disable_runtime_pm:
> >  	device_disable_async_suspend(&shost->shost_gendev);
> 
> Shouldn't this change be merged into patch 2/4 since both patches touch
> the same function? Anyway, this patch also looks good to me.

2/4 addresses a double-free; this one fixes a memory leak. Not to mention
this one isn't trivial to find & figure out, so it will be easier to review
by splitting them out.


Thanks,
Ming

John Garry June 3, 2021, 3:41 p.m. UTC | #3
On 02/06/2021 14:30, Ming Lei wrote:
> scsi_host_dev_release() only works around for us by freeing
> dev_name(&shost->shost_dev) when host state is SHOST_CREATED. After host
> state is changed to SHOST_RUNNING, scsi_host_dev_release() doesn't do
> that any more.
> 
> So fix the issue by put .shost_dev in failure path if host state becomes
> running, meantime move get_device(&shost->shost_gendev) before
> device_add(&shost->shost_dev), so that scsi_host_cls_release() can put
> this reference.
> 
> Reported-by: John Garry <john.garry@huawei.com>
> Cc: Bart Van Assche <bvanassche@acm.org>
> Cc: Hannes Reinecke <hare@suse.de>
> Signed-off-by: Ming Lei <ming.lei@redhat.com>

Reviewed-by: John Garry <john.garry@huawei.com>

Hannes Reinecke June 7, 2021, 11:40 a.m. UTC | #4
On 6/2/21 3:30 PM, Ming Lei wrote:
> scsi_host_dev_release() only works around for us by freeing
> dev_name(&shost->shost_dev) when host state is SHOST_CREATED. After host
> state is changed to SHOST_RUNNING, scsi_host_dev_release() doesn't do
> that any more.
> 
> So fix the issue by put .shost_dev in failure path if host state becomes
> running, meantime move get_device(&shost->shost_gendev) before
> device_add(&shost->shost_dev), so that scsi_host_cls_release() can put
> this reference.
> 
> Reported-by: John Garry <john.garry@huawei.com>
> Cc: Bart Van Assche <bvanassche@acm.org>
> Cc: Hannes Reinecke <hare@suse.de>
> Signed-off-by: Ming Lei <ming.lei@redhat.com>
> ---
>  drivers/scsi/hosts.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)
> 
Reviewed-by: Hannes Reinecke <hare@suse.de>

Cheers,

Hannes
Patch

diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
index 796736e47764..7049844adb6b 100644
--- a/drivers/scsi/hosts.c
+++ b/drivers/scsi/hosts.c
@@ -257,12 +257,11 @@  int scsi_add_host_with_dma(struct Scsi_Host *shost, struct device *dev,
 
 	device_enable_async_suspend(&shost->shost_dev);
 
+	get_device(&shost->shost_gendev);
 	error = device_add(&shost->shost_dev);
 	if (error)
 		goto out_del_gendev;
 
-	get_device(&shost->shost_gendev);
-
 	if (shost->transportt->host_size) {
 		shost->shost_data = kzalloc(shost->transportt->host_size,
 					 GFP_KERNEL);
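
Review bot: the relocated get_device(&shost->shost_gendev) above device_add(&shost->shost_dev) carries no comment, and nothing visible in this function shows where that reference is dropped. Per the commit message, scsi_host_cls_release() puts it, so the ordering is load-bearing: if the call drifts back below device_add(), the put_device(&shost->shost_dev) on the error path would lead to a put of a shost_gendev reference that was never taken. Suggest a short comment on the get_device() line naming scsi_host_cls_release() as the matching put and stating that the get must precede device_add().
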
@@ -300,6 +299,11 @@  int scsi_add_host_with_dma(struct Scsi_Host *shost, struct device *dev,
  out_del_dev:
 	device_del(&shost->shost_dev);
  out_del_gendev:
+	/*
+	 * host state has become SHOST_RUNNING, so we have to release
+	 * ->shost_dev explicitly
+	 */
+	put_device(&shost->shost_dev);
 	device_del(&shost->shost_gendev);
  out_disable_runtime_pm:
 	device_disable_async_suspend(&shost->shost_gendev);
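
Review bot: at out_del_gendev, put_device(&shost->shost_dev) runs before device_del(&shost->shost_gendev), and per the commit message releasing ->shost_dev lets scsi_host_cls_release() drop the shost_gendev reference taken before device_add(). Please confirm, ideally in the comment, that another reference still pins shost_gendev when device_del() runs on the next line, or move the put after the device_del(). The new comment also justifies the put by the host state being SHOST_RUNNING, but the label is reached both by fall-through from out_del_dev and directly from the device_add() failure; stating which reference is dropped here would hold for both entries, and the label name out_del_gendev no longer describes everything done under it.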