On Wed, 2017-05-17 at 04:34 -0500, Mike Christie wrote:
> We currently do
>
> tcmu_free_device -> tcmu_netlink_event(TCMU_CMD_REMOVED_DEVICE) ->
> uio_unregister_device -> kfree(tcmu_dev).
>
> The problem is that the kernel does not wait for userspace to
> do the close() on the uio device before freeing the tcmu_dev.
> We can then hit a race where the kernel frees the tcmu_dev before
> userspace does close() and so when close() -> release -> tcmu_release
> is done, we try to access a freed tcmu_dev.
>
> This patch made over the target-pending master branch moves the freeing
> of the tcmu_dev to when the last reference has been dropped.
>
> This also fixes a leak where if tcmu_configure_device was not called on a
> device we did not free udev->name which was allocated at tcmu_alloc_device time.
>
> Signed-off-by: Mike Christie <mchristi@xxxxxxxxxx>
> ---
>
> v2:
>
> - Add refcount to handle case where userspace might call close() while the kernel
>   is still accessing the device.
>
>
>  drivers/target/target_core_user.c | 46 ++++++++++++++++++++++++++++-----------
>  1 file changed, 33 insertions(+), 13 deletions(-)

Applied to target-pending/master.

Thanks MNC.

--
To unsubscribe from this list: send the line "unsubscribe target-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
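The quoted patch description explains the fix as "move the freeing of the tcmu_dev to when the last reference has been dropped", so that whichever side finishes last (kernel teardown or the userspace close() -> release path) is the one that frees. The userspace C program below is an added illustration of that lifetime rule and is not the kernel's code or the patch itself; `sim_dev`, `sim_get`, `sim_put`, `sim_open`, `sim_release`, `sim_kernel_free` and the scenario functions are all hypothetical names constructed here, and C11 atomics stand in for the kernel's refcount primitives. It runs both orderings of the two final puts and checks that exactly one free happens, always on the second put, and that an allocated-but-never-configured device still releases its name on its last put (the leak case the message mentions).

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a refcounted device object (constructed example). */
struct sim_dev {
    char *name;          /* allocated at create time, like udev->name in the message */
    atomic_int refcnt;   /* owners: the creator plus every open file descriptor */
};

static int g_frees;      /* how many times the object was actually freed */

static struct sim_dev *sim_alloc(const char *name)
{
    struct sim_dev *d = calloc(1, sizeof *d);
    if (!d)
        return NULL;
    d->name = malloc(strlen(name) + 1);
    if (!d->name) {
        free(d);
        return NULL;
    }
    strcpy(d->name, name);
    atomic_init(&d->refcnt, 1);   /* the creator's reference */
    return d;
}

static void sim_get(struct sim_dev *d)
{
    atomic_fetch_add(&d->refcnt, 1);
}

/* Drop one reference; free only when the last one goes. Returns true if freed.
 * The name is released here unconditionally, so a device that was never
 * "configured" cannot leak it. */
static bool sim_put(struct sim_dev *d)
{
    if (atomic_fetch_sub(&d->refcnt, 1) != 1)
        return false;
    free(d->name);
    free(d);
    g_frees++;
    return true;
}

/* Userspace open(): the file descriptor takes its own reference. */
static void sim_open(struct sim_dev *d)
{
    sim_get(d);
}

/* Userspace close() -> release: may still touch the object, because the
 * fd's reference keeps it alive, then drops that reference. */
static bool sim_release(struct sim_dev *d)
{
    volatile char first = d->name[0];   /* safe: we hold a reference */
    (void)first;
    return sim_put(d);
}

/* Kernel-side teardown: the creator drops its reference instead of calling
 * free directly (the pre-fix behaviour the message describes). */
static bool sim_kernel_free(struct sim_dev *d)
{
    return sim_put(d);
}

/* Run teardown and close() in either order. Returns 1 when exactly one free
 * occurred and it was performed by the second put, 0 otherwise. */
int run_scenario(bool close_first)
{
    g_frees = 0;
    struct sim_dev *d = sim_alloc("tcmu-example");   /* constructed name */
    if (!d)
        return 0;
    sim_open(d);
    bool first, second;
    if (close_first) {
        first = sim_release(d);
        second = sim_kernel_free(d);
    } else {
        first = sim_kernel_free(d);
        second = sim_release(d);
    }
    /* d must not be touched past this point: the second put freed it */
    return (!first && second && g_frees == 1) ? 1 : 0;
}

/* Device created but never opened or configured: the single put frees name
 * and object together. */
int run_unconfigured(void)
{
    g_frees = 0;
    struct sim_dev *d = sim_alloc("never-configured");   /* constructed name */
    if (!d)
        return 0;
    return (sim_put(d) && g_frees == 1) ? 1 : 0;
}

int main(void)
{
    return (run_scenario(true) && run_scenario(false) && run_unconfigured()) ? 0 : 1;
}
```

The point of the two orderings is the one the message makes: with a plain free on unregister, the "kernel teardown first, close() second" order touches freed memory in release; with the reference drop, the release path still owns a reference when it runs, and the object disappears only after the last owner is gone.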