On Thu 16-04-20 16:34:13, Yufen Yu wrote: > Hi, > > On 2020/4/16 15:15, Christoph Hellwig wrote: > > Cache a copy of the name for the life time of the backing_dev_info > > structure so that we can reference it even after unregistering. > > > > Fixes: 68f23b89067f ("memcg: fix a crash in wb_workfn when a device disappears") > > Reported-by: Yufen Yu <yuyufen@xxxxxxxxxx> > > Signed-off-by: Christoph Hellwig <hch@xxxxxx> > > --- > > include/linux/backing-dev-defs.h | 1 + > > mm/backing-dev.c | 13 ++++++++++--- > > 2 files changed, 11 insertions(+), 3 deletions(-) > > > > diff --git a/include/linux/backing-dev-defs.h b/include/linux/backing-dev-defs.h > > index 4fc87dee005a..249590bcccf7 100644 > > --- a/include/linux/backing-dev-defs.h > > +++ b/include/linux/backing-dev-defs.h > > @@ -220,6 +220,7 @@ struct backing_dev_info { > > wait_queue_head_t wb_waitq; > > struct device *dev; > > + const char *dev_name; > > struct device *owner; > > struct timer_list laptop_mode_wb_timer; > > diff --git a/mm/backing-dev.c b/mm/backing-dev.c > > index c2c44c89ee5d..4f6c05df72f9 100644 > > --- a/mm/backing-dev.c > > +++ b/mm/backing-dev.c > > @@ -938,9 +938,15 @@ int bdi_register_va(struct backing_dev_info *bdi, const char *fmt, va_list args) > > if (bdi->dev) /* The driver needs to use separate queues per device */ > > return 0; > > - dev = device_create_vargs(bdi_class, NULL, MKDEV(0, 0), bdi, fmt, args); > > - if (IS_ERR(dev)) > > + bdi->dev_name = kvasprintf(GFP_KERNEL, fmt, args); > > + if (!bdi->dev_name) > > + return -ENOMEM; > > + > > + dev = device_create(bdi_class, NULL, MKDEV(0, 0), bdi, bdi->dev_name); > > + if (IS_ERR(dev)) { > > + kfree(bdi->dev_name); > > return PTR_ERR(dev); > > + } > > cgwb_bdi_register(bdi); > > bdi->dev = dev; > > @@ -1034,6 +1040,7 @@ static void release_bdi(struct kref *ref) > > WARN_ON_ONCE(bdi->dev); > > wb_exit(&bdi->wb); > > cgwb_bdi_exit(bdi); > > + kfree(bdi->dev_name); > > kfree(bdi); > > } > > > When driver try to to re-register bdi but without release_bdi(), the old > dev_name will be cover directly by the newer in bdi_register_va(). So, I > am not sure whether it can cause memory leak for bdi->dev_name. Yes, that can indeed happen. E.g. I remember that drivers/scsi/sd.c calls device_add_disk() + del_gendisk() repeatedly for one request_queue and that would result in leaking the name (and possibly cause use-after-free issues). I think dev_name has to be just a static array inside backing_dev_info which gets overwritten on reregistration. The question is how big should be this array... Some grepping shows that 40 bytes should be enough for everybody except fs/vboxsf/super.c which puts 'fc->source' into the name which can be presumably rather large. Anyway, I'd make it 40 and just truncate it case in case it does not fit. bdi_dev_name() is used for informational purposes anyway... Honza -- Jan Kara <jack@xxxxxxxx> SUSE Labs, CR