* [PATCH] scsi: core: fix failure handling of scsi_add_host_with_dma
@ 2021-05-26 8:10 Ming Lei
2021-05-27 17:50 ` John Garry
0 siblings, 1 reply; 3+ messages in thread
From: Ming Lei @ 2021-05-26 8:10 UTC (permalink / raw)
To: Martin K . Petersen, linux-scsi
Cc: Ming Lei, Bart Van Assche, John Garry, Hannes Reinecke
When scsi_add_host_with_dma() return failure, the caller will call
scsi_host_put(shost) to release everything allocated for this host
instance. So we can't free allocated stuff in scsi_add_host_with_dma(),
otherwise double free will be caused.
Strictly speaking, these host resources allocation should have been
moved to scsi_host_alloc(), but the allocation may need driver's
info which can be built between calling scsi_host_alloc() and
scsi_add_host(), so just keep the allocations in
scsi_add_host_with_dma().
Fixes the problem by relying on host device's release handler to
release everything.
Cc: Bart Van Assche <bvanassche@acm.org>
Cc: John Garry <john.garry@huawei.com>
Cc: Hannes Reinecke <hare@suse.de>
Signed-off-by: Ming Lei <ming.lei@redhat.com>
---
drivers/scsi/hosts.c | 14 ++++++--------
1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
index 624e2582c3df..ef8d2f512fe3 100644
--- a/drivers/scsi/hosts.c
+++ b/drivers/scsi/hosts.c
@@ -281,23 +281,22 @@ int scsi_add_host_with_dma(struct Scsi_Host *shost, struct device *dev,
if (!shost->work_q) {
error = -EINVAL;
- goto out_free_shost_data;
+ goto out_del_dev;
}
}
error = scsi_sysfs_add_host(shost);
if (error)
- goto out_destroy_host;
+ goto out_del_dev;
scsi_proc_host_add(shost);
scsi_autopm_put_host(shost);
return error;
- out_destroy_host:
- if (shost->work_q)
- destroy_workqueue(shost->work_q);
- out_free_shost_data:
- kfree(shost->shost_data);
+ /*
+ * any host allocation in this function will be freed in
+ * scsi_host_dev_release, so not free them in the failure path
+ */
out_del_dev:
device_del(&shost->shost_dev);
out_del_gendev:
@@ -307,7 +306,6 @@ int scsi_add_host_with_dma(struct Scsi_Host *shost, struct device *dev,
pm_runtime_disable(&shost->shost_gendev);
pm_runtime_set_suspended(&shost->shost_gendev);
pm_runtime_put_noidle(&shost->shost_gendev);
- scsi_mq_destroy_tags(shost);
fail:
return error;
}
--
2.29.2
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] scsi: core: fix failure handling of scsi_add_host_with_dma
2021-05-26 8:10 [PATCH] scsi: core: fix failure handling of scsi_add_host_with_dma Ming Lei
@ 2021-05-27 17:50 ` John Garry
2021-05-28 0:59 ` Ming Lei
0 siblings, 1 reply; 3+ messages in thread
From: John Garry @ 2021-05-27 17:50 UTC (permalink / raw)
To: Ming Lei, Martin K . Petersen, linux-scsi
Cc: Bart Van Assche, Hannes Reinecke
On 26/05/2021 09:10, Ming Lei wrote:
> When scsi_add_host_with_dma() return failure, the caller will call
> scsi_host_put(shost) to release everything allocated for this host
> instance. So we can't free allocated stuff in scsi_add_host_with_dma(),
> otherwise double free will be caused.
>
> Strictly speaking, these host resources allocation should have been
> moved to scsi_host_alloc(), but the allocation may need driver's
> info which can be built between calling scsi_host_alloc() and
> scsi_add_host(), so just keep the allocations in
> scsi_add_host_with_dma().
>
Hi Ming,
I did an experiment by making scsi_add_host_with_dma() fail by hacking
the code, like:
snprintf(shost->work_q_name, sizeof(shost->work_q_name),
"scsi_wq_%d", shost->host_no);
#if 0
shost->work_q = alloc_workqueue("%s",
WQ_SYSFS | __WQ_LEGACY | WQ_MEM_RECLAIM |
WQ_UNBOUND,
1, shost->work_q_name);
#endif
I was finding that the shost gendev kobj kref count was 2 at the "fail"
label - I would expect 1.
Did you actually ever see the release function - scsi_host_dev_release()
- being called and causing the double free?
Thanks,
John
> Fixes the problem by relying on host device's release handler to
> release everything.
>
> Cc: Bart Van Assche <bvanassche@acm.org>
> Cc: John Garry <john.garry@huawei.com>
> Cc: Hannes Reinecke <hare@suse.de>
> Signed-off-by: Ming Lei <ming.lei@redhat.com>
> ---
> drivers/scsi/hosts.c | 14 ++++++--------
> 1 file changed, 6 insertions(+), 8 deletions(-)
>
> diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
> index 624e2582c3df..ef8d2f512fe3 100644
> --- a/drivers/scsi/hosts.c
> +++ b/drivers/scsi/hosts.c
> @@ -281,23 +281,22 @@ int scsi_add_host_with_dma(struct Scsi_Host *shost, struct device *dev,
>
> if (!shost->work_q) {
> error = -EINVAL;
> - goto out_free_shost_data;
> + goto out_del_dev;
> }
> }
>
> error = scsi_sysfs_add_host(shost);
> if (error)
> - goto out_destroy_host;
> + goto out_del_dev;
>
> scsi_proc_host_add(shost);
> scsi_autopm_put_host(shost);
> return error;
>
> - out_destroy_host:
> - if (shost->work_q)
> - destroy_workqueue(shost->work_q);
> - out_free_shost_data:
> - kfree(shost->shost_data);
> + /*
> + * any host allocation in this function will be freed in
> + * scsi_host_dev_release, so not free them in the failure path
> + */
> out_del_dev:
> device_del(&shost->shost_dev);
> out_del_gendev:
> @@ -307,7 +306,6 @@ int scsi_add_host_with_dma(struct Scsi_Host *shost, struct device *dev,
> pm_runtime_disable(&shost->shost_gendev);
> pm_runtime_set_suspended(&shost->shost_gendev);
> pm_runtime_put_noidle(&shost->shost_gendev);
> - scsi_mq_destroy_tags(shost);
> fail:
> return error;
> }
>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] scsi: core: fix failure handling of scsi_add_host_with_dma
2021-05-27 17:50 ` John Garry
@ 2021-05-28 0:59 ` Ming Lei
0 siblings, 0 replies; 3+ messages in thread
From: Ming Lei @ 2021-05-28 0:59 UTC (permalink / raw)
To: John Garry
Cc: Martin K . Petersen, linux-scsi, Bart Van Assche, Hannes Reinecke
On Thu, May 27, 2021 at 06:50:57PM +0100, John Garry wrote:
> On 26/05/2021 09:10, Ming Lei wrote:
> > When scsi_add_host_with_dma() return failure, the caller will call
> > scsi_host_put(shost) to release everything allocated for this host
> > instance. So we can't free allocated stuff in scsi_add_host_with_dma(),
> > otherwise double free will be caused.
> >
> > Strictly speaking, these host resources allocation should have been
> > moved to scsi_host_alloc(), but the allocation may need driver's
> > info which can be built between calling scsi_host_alloc() and
> > scsi_add_host(), so just keep the allocations in
> > scsi_add_host_with_dma().
> >
>
> Hi Ming,
>
> I did an experiment by making scsi_add_host_with_dma() fail by hacking the
> code, like:
>
> snprintf(shost->work_q_name, sizeof(shost->work_q_name),
> "scsi_wq_%d", shost->host_no);
> #if 0
> shost->work_q = alloc_workqueue("%s",
> WQ_SYSFS | __WQ_LEGACY | WQ_MEM_RECLAIM |
> WQ_UNBOUND,
> 1, shost->work_q_name);
> #endif
>
> I was finding that the shost gendev kobj kref count was 2 at the "fail"
> label - I would expect 1.
>
> Did you actually ever see the release function - scsi_host_dev_release() -
> being called and causing the double free?
There is one new leak issue in the failure path and the following patch
should address it:
diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
index ea50856cb203..47b4ba16b017 100644
--- a/drivers/scsi/hosts.c
+++ b/drivers/scsi/hosts.c
@@ -296,6 +296,7 @@ int scsi_add_host_with_dma(struct Scsi_Host *shost, struct device *dev,
*/
out_del_dev:
device_del(&shost->shost_dev);
+ put_device(&shost->shost_gendev);
out_del_gendev:
device_del(&shost->shost_gendev);
out_disable_runtime_pm:
Thanks,
Ming
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-05-28 0:59 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-05-26 8:10 [PATCH] scsi: core: fix failure handling of scsi_add_host_with_dma Ming Lei
2021-05-27 17:50 ` John Garry
2021-05-28 0:59 ` Ming Lei
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.