On Thu, Feb 23, 2017 at 12:20 PM, Jason Gunthorpe <jgunthorpe@xxxxxxxxxxxxxxxxxxxx> wrote: > On Thu, Feb 23, 2017 at 11:22:03AM -0800, Dan Williams wrote: >> If device_add() fails, cleanup the cdev. Otherwise, we leak a kobj_map() >> with a stale device number. >> >> Fixes: ba09c01d2fa8 ("dax: convert to the cdev api") >> Cc: <stable@xxxxxxxxxxxxxxx> >> Cc: Logan Gunthorpe <logang@xxxxxxxxxxxx> >> Reported-by: Jason Gunthorpe <jgunthorpe@xxxxxxxxxxxxxxxxxxxx> >> Signed-off-by: Dan Williams <dan.j.williams@xxxxxxxxx> >> drivers/dax/dax.c | 1 + >> 1 file changed, 1 insertion(+) >> >> diff --git a/drivers/dax/dax.c b/drivers/dax/dax.c >> index ed758b74ddf0..0f8008dd0b0c 100644 >> +++ b/drivers/dax/dax.c >> @@ -724,6 +724,7 @@ struct dax_dev *devm_create_dax_dev(struct dax_region *dax_region, >> dev_set_name(dev, "dax%d.%d", dax_region->id, dax_dev->id); >> rc = device_add(dev); >> if (rc) { >> + cdev_del(&dax_dev->cdev); > > This probably should call into unregister_dax_dev and just skip the > device_unregister part. > > Once cdev_add returns it is possible for a mmap to have been created, > so cleanup after that point has to go through all the other > unregister_dax_dev steps. Ah true. I was thinking the device node is not auto-created if the device_add() fails, but there's theoretically nothing stopping userspace from trying to hit this race with its own self-created device-node.