On Thu, Apr 16, 2020 at 02:19:01PM +0200, Christoph Hellwig wrote: > On Thu, Apr 16, 2020 at 02:02:23PM +0200, Jan Kara wrote: > > Yes, that can indeed happen. E.g. I remember that drivers/scsi/sd.c calls > > device_add_disk() + del_gendisk() repeatedly for one request_queue and that > > would result in leaking the name (and possibly cause use-after-free > > issues). > > Sd calls device_add_disk once in ->probe, and del_gendisk once in > sd_remove. Note that sd_probe allocates a new scsi_disk structure and > a new gendisk everytime, but it does indeed reuse the request_queue > and thus bdi. > > > I think dev_name has to be just a static array inside > > backing_dev_info which gets overwritten on reregistration. The question is > > how big should be this array... Some grepping shows that 40 bytes should be > > enough for everybody except fs/vboxsf/super.c which puts 'fc->source' into > > the name which can be presumably rather large. Anyway, I'd make it 40 and > > just truncate it case in case it does not fit. bdi_dev_name() is used for > > informational purposes anyway... > > We could just make it a variable sized array at the end of the structure > and size it based on the len. Which doesn't always work as the size might not always be the same. But I think the fundamental problem is that we are trying to re-register previous unregistered bdis. We really should not have bdi_alloc separate from bdi_register and solve this properly.
