On Thu, Sep 09, 2021 at 11:46:08AM +0800, Zenghui Yu wrote: > We use device_initialize() to take refcount for the device but forget to > put_device() on device teardown, which ends up leaking private data of the > driver core, dev_name(), etc. This is reported by kmemleak at boot time if > we compile kernel with DEBUG_TEST_DRIVER_REMOVE. > > Note that adding the missing put_device() is _not_ sufficient to fix device > unregistration. As we don't provide the .release() method for device, which > turned out to be typically wrong and will be complained loudly by the > driver core. > > Fix both of them. > > Fixes: ead09dd3aed5 ("scsi: bsg: Simplify device registration") > Signed-off-by: Zenghui Yu <yuzenghui@xxxxxxxxxx> > --- > block/bsg.c | 13 +++++++++++-- > 1 file changed, 11 insertions(+), 2 deletions(-) > +static void bsg_device_release(struct device *dev) > +{ > + struct bsg_device *bd = container_of(dev, struct bsg_device, device); > + > + ida_simple_remove(&bsg_minor_ida, MINOR(bd->device.devt)); > + kfree(bd); > +} > @@ -198,6 +205,7 @@ struct bsg_device *bsg_register_queue(struct request_queue *q, > bd->device.devt = MKDEV(bsg_major, ret); > bd->device.class = bsg_class; > bd->device.parent = parent; > + bd->device.release = bsg_device_release; > dev_set_name(&bd->device, "%s", name); > device_initialize(&bd->device); > > @@ -218,6 +226,7 @@ struct bsg_device *bsg_register_queue(struct request_queue *q, > out_device_del: > cdev_device_del(&bd->cdev, &bd->device); > out_ida_remove: > + put_device(&bd->device); > ida_simple_remove(&bsg_minor_ida, MINOR(bd->device.devt)); > out_kfree: > kfree(bd); Ehh, what about the blatant use-after-free and double-free you just added here? Martin, can this still be dropped from the scsi tree or does it need to be fixed incrementally? Johan
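Review bot: In the last hunk, the put_device(&bd->device) added under out_ida_remove falls through to the existing ida_simple_remove(&bsg_minor_ida, MINOR(bd->device.devt)) and kfree(bd). The same patch sets bd->device.release to bsg_device_release(), which performs exactly those two calls. When this put_device() drops the last reference, the release callback frees bd, and the lines after it then read bd->device.devt from freed memory, remove the minor from the IDA a second time, and free bd a second time. Once device_initialize() has run, the error path should end with put_device(&bd->device) and return without reaching the ida_simple_remove()/kfree() lines. Those labels should stay reachable only for failures that occur before device_initialize().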