From: Bodo Stroesser <bostroesser@gmail.com>
To: Mike Christie <michael.christie@oracle.com>,
linux-scsi@vger.kernel.org, target-devel@vger.kernel.org,
linux-kernel@vger.kernel.org,
"Martin K. Petersen" <martin.petersen@oracle.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: Re: [PATCH] scsi: target: tcmu: Fix wrong uio handling causing big memory leak
Date: Wed, 13 Jan 2021 18:59:10 +0100 [thread overview]
Message-ID: <aa95b4db-ca88-e38c-3871-fb935f1e2212@gmail.com> (raw)
In-Reply-To: <73dc2d01-6398-c1d1-df47-66034d184eec@oracle.com>
On 12.01.21 19:36, Mike Christie wrote:
> On 12/18/20 8:15 AM, Bodo Stroesser wrote:
>> tcmu calls uio_unregister_device from tcmu_destroy_device.
>> After that uio will never call tcmu_release for this device.
>> If userspace still had the uio device open and / or mmap'ed
>> during uio_unregister_device, tcmu_release will not be called and
>> udev->kref will never go down to 0.
>>
>
> I didn't get why the release function is not called if you call
> uio_unregister_device while a device is open. Does the device_destroy call in
> uio_unregister_device completely free the device or does it set some bits so
> uio_release is not called later?
uio_unregister_device() resets the pointer (idev->info) to the struct
uio_info which tcmu provided in uio_register_device().
The uio device itself AFAICS is kept while it is open / mmap'ed.
But no matter what userspace does, uio will not call tcmu's callbacks
since info pointer now is NULL.
When userspace finally closes the uio device, uio_release is called, but
tcmu_release can not be called.
>
> Do other drivers hit this? Should uio have refcounting so uio_release is called
> when the last ref (from userspace open/close/mmap calls and from the kernel by
> drivers like target_core_user) is done?
>
To be honest I don't know exactly.
tcmu seems to be a special case in that is has it's own mmap callback.
That allows us to map pages allocated by tcmu.
As long as userspace still holds the mapping, we should not unmap those
pages, because userspace then could get killed by SIGSEGV.
So we have to wait for userspace closing uio before we may unmap and
free the pages.
next prev parent reply other threads:[~2021-01-13 18:00 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-18 14:15 [PATCH] scsi: target: tcmu: Fix wrong uio handling causing big memory leak Bodo Stroesser
2021-01-11 18:22 ` Bodo Stroesser
2021-01-12 18:36 ` Mike Christie
2021-01-13 17:59 ` Bodo Stroesser [this message]
2021-01-13 21:04 ` Mike Christie
2021-01-14 16:50 ` Bodo Stroesser
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aa95b4db-ca88-e38c-3871-fb935f1e2212@gmail.com \
--to=bostroesser@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=martin.petersen@oracle.com \
--cc=michael.christie@oracle.com \
--cc=target-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.