Re: [PATCH 3/4] scsi: core: put .shost_dev in failure path if host state becomes running

Ming Lei <ming.lei@xxxxxxxxxx> · Thu, 3 Jun 2021 11:22:48 +0800

On Wed, Jun 02, 2021 at 08:06:31PM -0700, Bart Van Assche wrote:
> On 6/2/21 6:30 AM, Ming Lei wrote:
> > scsi_host_dev_release() only works around for us by freeing
> > dev_name(&shost->shost_dev) when host state is SHOST_CREATED. After host
> > state is changed to SHOST_RUNNING, scsi_host_dev_release() doesn't do
> > that any more.
> > 
> > So fix the issue by put .shost_dev in failure path if host state becomes
> > running, meantime move get_device(&shost->shost_gendev) before
> > device_add(&shost->shost_dev), so that scsi_host_cls_release() can put
> > this reference.
> > 
> > Reported-by: John Garry <john.garry@xxxxxxxxxx>
> > Cc: Bart Van Assche <bvanassche@xxxxxxx>
> > Cc: Hannes Reinecke <hare@xxxxxxx>
> > Signed-off-by: Ming Lei <ming.lei@xxxxxxxxxx>
> > ---
> >  drivers/scsi/hosts.c | 8 ++++++--
> >  1 file changed, 6 insertions(+), 2 deletions(-)
> > 
> > diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
> > index 796736e47764..7049844adb6b 100644
> > --- a/drivers/scsi/hosts.c
> > +++ b/drivers/scsi/hosts.c
> > @@ -257,12 +257,11 @@ int scsi_add_host_with_dma(struct Scsi_Host *shost, struct device *dev,
> >  
> >  	device_enable_async_suspend(&shost->shost_dev);
> >  
> > +	get_device(&shost->shost_gendev);
> >  	error = device_add(&shost->shost_dev);
> >  	if (error)
> >  		goto out_del_gendev;
> >  
> > -	get_device(&shost->shost_gendev);
> > -
> >  	if (shost->transportt->host_size) {
> >  		shost->shost_data = kzalloc(shost->transportt->host_size,
> >  					 GFP_KERNEL);
> > @@ -300,6 +299,11 @@ int scsi_add_host_with_dma(struct Scsi_Host *shost, struct device *dev,
> >   out_del_dev:
> >  	device_del(&shost->shost_dev);
> >   out_del_gendev:
> > +	/*
> > +	 * host state has become SHOST_RUNNING, so we have to release
> > +	 * ->shost_dev explicitly
> > +	 */
> > +	put_device(&shost->shost_dev);
> >  	device_del(&shost->shost_gendev);
> >   out_disable_runtime_pm:
> >  	device_disable_async_suspend(&shost->shost_gendev);
> 
> Shouldn't this change be merged into patch 2/4 since both patches touch
> the same function? Anyway, this patch also looks good to me.

2/4 address double-free, this one fixes memory leak. Not mention this
one isn't trivial to find & figuring out, so it will be easier to review by
splitting them out.

Thanks,
Ming