On 2022/7/22 10:36, Ming Lei wrote:
> ublk_device is allocated in ublk_ctrl_add_dev(), so code will become more
> readable by just letting ublk_ctrl_add_dev() destroy ublk_device in case
> of ublk_add_dev() failure.
>
> Meantime ub->mutex is destroyed in __ublk_destroy_dev(), but it may
> not be initialized when ublk_add_dev() fails, so fix it by moving
> mutex_init(ub->mutex) before any failure path.
>
> Signed-off-by: Ming Lei <ming.lei@xxxxxxxxxx>
> ---
> drivers/block/ublk_drv.c | 10 +++++-----
> 1 file changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c
> index f058f40b639c..d03563286c76 100644
> --- a/drivers/block/ublk_drv.c
> +++ b/drivers/block/ublk_drv.c
> @@ -1106,9 +1106,10 @@ static int ublk_add_dev(struct ublk_device *ub)
>
> INIT_WORK(&ub->stop_work, ublk_stop_work_fn);
> INIT_DELAYED_WORK(&ub->monitor_work, ublk_daemon_monitor_work);
> + mutex_init(&ub->mutex);
>
> if (ublk_init_queues(ub))
> - goto out_destroy_dev;
> + return err;
>
> ub->tag_set.ops = &ublk_mq_ops;
> ub->tag_set.nr_hw_queues = ub->dev_info.nr_hw_queues;
> @@ -1122,7 +1123,6 @@ static int ublk_add_dev(struct ublk_device *ub)
> goto out_deinit_queues;
>
> ublk_align_max_io_size(ub);
> - mutex_init(&ub->mutex);
> spin_lock_init(&ub->mm_lock);
>
> /* add char dev so that ublksrv daemon can be setup */
> @@ -1130,8 +1130,6 @@ static int ublk_add_dev(struct ublk_device *ub)
>
> out_deinit_queues:
> ublk_deinit_queues(ub);
> -out_destroy_dev:
> - __ublk_destroy_dev(ub);
> return err;
> }
>
> @@ -1331,8 +1329,10 @@ static int ublk_ctrl_add_dev(struct io_uring_cmd *cmd)
> ub->dev_info.dev_id = ub->ub_number;
>
> ret = ublk_add_dev(ub);
> - if (ret)
> + if (ret) {
> + __ublk_destroy_dev(ub);
> goto out_unlock;
> + }
Hi, Ming.
Now, if ublk_add_dev() returns failure, __ublk_destroy_dev() is called anyway.
However, in current ublk_drv:ublk_add_dev():
...
return ublk_add_chdev(ub); <---- here
out_deinit_queues:
ublk_deinit_queues(ub);
out_destroy_dev:
__ublk_destroy_dev(ub);
return err;
ublk_add_chdev() returns and the returned value(maybe a failure) directly
pass to ublk_ctrl_add_dev which does NOT call __ublk_destroy_dev()
please check it is correct to call __ublk_destroy_dev() if ublk_add_chdev() fails.
>
> if (copy_to_user(argp, &ub->dev_info, sizeof(info))) {
> ublk_remove(ub);
