On Thu, Apr 16, 2020 at 02:02:23PM +0200, Jan Kara wrote:
> Yes, that can indeed happen. E.g. I remember that drivers/scsi/sd.c calls
> device_add_disk() + del_gendisk() repeatedly for one request_queue and that
> would result in leaking the name (and possibly cause use-after-free
> issues).

Sd calls device_add_disk once in ->probe, and del_gendisk once in
sd_remove. Note that sd_probe allocates a new scsi_disk structure and
a new gendisk every time, but it does indeed reuse the request_queue and
thus bdi.

> I think dev_name has to be just a static array inside
> backing_dev_info which gets overwritten on reregistration. The question is
> how big should be this array... Some grepping shows that 40 bytes should be
> enough for everybody except fs/vboxsf/super.c which puts 'fc->source' into
> the name which can be presumably rather large. Anyway, I'd make it 40 and
> just truncate it in case it does not fit. bdi_dev_name() is used for
> informational purposes anyway...

We could just make it a variable sized array at the end of the structure
and size it based on the len.
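
The two layouts discussed in this thread, sketched as a user-space model. This is an added example, not part of the original message and not kernel code. The struct and function names (bdi_fixed, bdi_var, bdi_fixed_register and so on) are hypothetical; only the 40-byte size comes from the thread.

```c
/* User-space model only; names are hypothetical, not the kernel's API. */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BDI_NAME_LEN 40            /* size proposed in the thread */

/* Layout 1: fixed array inside the object, overwritten on re-registration. */
struct bdi_fixed {
    int registered;
    char dev_name[BDI_NAME_LEN];
};

/* Formats the name in place. Returns 1 if it was truncated, 0 otherwise. */
static int bdi_fixed_register(struct bdi_fixed *bdi, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    /* vsnprintf never writes past the array and always NUL-terminates. */
    n = vsnprintf(bdi->dev_name, sizeof(bdi->dev_name), fmt, ap);
    va_end(ap);
    bdi->registered = 1;
    return n >= (int)sizeof(bdi->dev_name);
}

static void bdi_fixed_unregister(struct bdi_fixed *bdi)
{
    bdi->registered = 0;           /* nothing to free: the name lives in the object */
}

/* Layout 2: trailing array sized from the name length at allocation time. */
struct bdi_var {
    size_t name_len;
    char dev_name[];               /* C99 flexible array member */
};

static struct bdi_var *bdi_var_alloc(const char *name)
{
    size_t len = strlen(name);
    struct bdi_var *bdi = malloc(sizeof(*bdi) + len + 1);

    if (!bdi)
        return NULL;
    bdi->name_len = len;
    memcpy(bdi->dev_name, name, len + 1);   /* copies the terminating NUL too */
    return bdi;
}
```
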