On Thu 16-04-20 14:22:35, Christoph Hellwig wrote:
> On Thu, Apr 16, 2020 at 02:19:01PM +0200, Christoph Hellwig wrote:
> > On Thu, Apr 16, 2020 at 02:02:23PM +0200, Jan Kara wrote:
> > > Yes, that can indeed happen. E.g. I remember that drivers/scsi/sd.c calls
> > > device_add_disk() + del_gendisk() repeatedly for one request_queue and that
> > > would result in leaking the name (and possibly cause use-after-free
> > > issues).
> >
> > Sd calls device_add_disk once in ->probe, and del_gendisk once in
> > sd_remove. Note that sd_probe allocates a new scsi_disk structure and
> > a new gendisk every time, but it does indeed reuse the request_queue
> > and thus bdi.
> >
> > > I think dev_name has to be just a static array inside
> > > backing_dev_info which gets overwritten on reregistration. The question is
> > > how big should be this array... Some grepping shows that 40 bytes should be
> > > enough for everybody except fs/vboxsf/super.c which puts 'fc->source' into
> > > the name which can be presumably rather large. Anyway, I'd make it 40 and
> > > just truncate it in case it does not fit. bdi_dev_name() is used for
> > > informational purposes anyway...
> >
> > We could just make it a variable sized array at the end of the structure
> > and size it based on the len.
>
> Which doesn't always work as the size might not always be the same.
> But I think the fundamental problem is that we are trying to re-register
> previously unregistered bdis. We really should not have bdi_alloc
> separate from bdi_register and solve this properly.

Yes, that would be easier then but it seems like a much larger change
because currently bdi is disassociated from request_queue only in
__blk_release_queue() (blk_exit_queue()). I guess the separate bdi
registration / deregistration is partially a leftover from times when bdi
was still embedded in request_queue but now it's difficult to undo it.

Honza
-- 
Jan Kara <jack@xxxxxxxx>
SUSE Labs, CR
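Added illustration, not kernel code: a user-space C model of the two approaches discussed in the thread, a heap-allocated name pointer that gets orphaned when the same bdi is registered again versus the fixed 40-byte array that simply truncates. The struct and function names are assumptions made for the model.

```c
/* Added user-space model (not kernel code) of the two dev_name strategies
 * discussed above; names and sizes are assumptions, BDI_NAME_LEN is Jan's 40. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define BDI_NAME_LEN 40
#define MAX_REG 16
/* Model A: heap-allocated name pointer, overwritten on re-registration. */
struct bdi_heap { char *dev_name; };
static char *allocs[MAX_REG];   /* audit list of every copy handed out */
static int nallocs;

static void bdi_register_heap(struct bdi_heap *bdi, const char *name)
{
    /* kstrdup()-style copy stored over the old pointer: nothing frees the
     * previous string, so a second registration orphans the first. */
    size_t len = strlen(name) + 1;
    char *copy = malloc(len);
    memcpy(copy, name, len);
    allocs[nallocs++] = copy;
    bdi->dev_name = copy;
}

/* Re-register one bdi n times; returns how many copies became unreachable. */
int orphaned_after_reregister(int n)
{
    struct bdi_heap bdi = { .dev_name = NULL };
    int orphaned = 0;
    nallocs = 0;
    for (int i = 0; i < n && i < MAX_REG; i++)
        bdi_register_heap(&bdi, "8:0");
    for (int i = 0; i < nallocs; i++) {
        if (allocs[i] != bdi.dev_name)
            orphaned++;          /* a real bdi would simply leak these */
        free(allocs[i]);         /* the audit list lets the model clean up */
    }
    return orphaned;
}

/* Model B: fixed array inside the structure, truncated when too long. */
struct bdi_fixed { char dev_name[BDI_NAME_LEN]; };
/* Register a name into a fresh fixed bdi; returns the stored length. */
size_t stored_len_for(const char *name)
{
    struct bdi_fixed bdi;
    /* snprintf NUL-terminates and never writes past the array, so a second
     * registration just overwrites the previous name in place. */
    snprintf(bdi.dev_name, sizeof(bdi.dev_name), "%s", name);
    return strlen(bdi.dev_name);
}
```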