On Thu, Feb 23, 2017 at 12:20 PM, Jason Gunthorpe
<jgunthorpe@xxxxxxxxxxxxxxxxxxxx> wrote:
> On Thu, Feb 23, 2017 at 11:22:03AM -0800, Dan Williams wrote:
>> If device_add() fails, cleanup the cdev. Otherwise, we leak a kobj_map()
>> with a stale device number.
>>
>> Fixes: ba09c01d2fa8 ("dax: convert to the cdev api")
>> Cc: <stable@xxxxxxxxxxxxxxx>
>> Cc: Logan Gunthorpe <logang@xxxxxxxxxxxx>
>> Reported-by: Jason Gunthorpe <jgunthorpe@xxxxxxxxxxxxxxxxxxxx>
>> Signed-off-by: Dan Williams <dan.j.williams@xxxxxxxxx>
>> drivers/dax/dax.c | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/drivers/dax/dax.c b/drivers/dax/dax.c
>> index ed758b74ddf0..0f8008dd0b0c 100644
>> +++ b/drivers/dax/dax.c
>> @@ -724,6 +724,7 @@ struct dax_dev *devm_create_dax_dev(struct dax_region *dax_region,
>> dev_set_name(dev, "dax%d.%d", dax_region->id, dax_dev->id);
>> rc = device_add(dev);
>> if (rc) {
>> + cdev_del(&dax_dev->cdev);
>
> This probably should call into unregister_dax_dev and just skip the
> device_unregister part.
>
> Once cdev_add returns it is possible for a mmap to have been created,
> so cleanup after that point has to go through all the other
> unregister_dax_dev steps.
Ah true. I was thinking the device node is not auto-created if the
device_add() fails, but there's theoretically nothing stopping
userspace from trying to hit this race with its own self-created
device-node.