| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20260117193221.152540-1-tzungbi@kernel.org>
Date: Sun, 18 Jan 2026 03:32:21 +0800
From: Tzung-Bi Shih <tzungbi@...nel.org>
To: "James E.J. Bottomley" <James.Bottomley@...senPartnership.com>,
"Martin K. Petersen" <martin.petersen@...cle.com>,
Greg KH <gregkh@...uxfoundation.org>
Cc: linux-scsi@...r.kernel.org,
linux-kernel@...r.kernel.org,
tzungbi@...nel.org
Subject: [PATCH] scsi: core: Don't free dev_name() manually
scsi_host_alloc() is designed to hold initial reference count of
`&shost->shost_gendev` and `&shost->shost_dev`. In the error handling
paths [1], only drop a reference count to `&shost->shost_gendev` is
sufficient as scsi_host_dev_release() will be called and the reference
count of `&shost->shost_dev` should be dropped at that time.
Drivers shouldn't need to free the device name and hold a reference
count to its parent device as the driver core automatically handles
that. Remove them.
[1] Either at "fail" label in scsi_host_alloc() or in SCSI drivers that
a subsequent scsi_add_host{,_with_dma}() fails.
Fixes: b49493f99690 ("Fix a memory leak in scsi_host_dev_release()")
Signed-off-by: Tzung-Bi Shih <tzungbi@...nel.org>
---
drivers/scsi/hosts.c | 16 +++++-----------
1 file changed, 5 insertions(+), 11 deletions(-)
diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
index 1b3fbd328277..b88d553cdde6 100644
--- a/drivers/scsi/hosts.c
+++ b/drivers/scsi/hosts.c
@@ -55,7 +55,6 @@ static DEFINE_IDA(host_index_ida);
static void scsi_host_cls_release(struct device *dev)
{
- put_device(&class_to_shost(dev)->shost_gendev);
}
static struct class shost_class = {
@@ -279,11 +278,9 @@ int scsi_add_host_with_dma(struct Scsi_Host *shost, struct device *dev,
goto out_disable_runtime_pm;
scsi_host_set_state(shost, SHOST_RUNNING);
- get_device(shost->shost_gendev.parent);
device_enable_async_suspend(&shost->shost_dev);
- get_device(&shost->shost_gendev);
error = device_add(&shost->shost_dev);
if (error)
goto out_del_gendev;
@@ -352,7 +349,6 @@ EXPORT_SYMBOL(scsi_add_host_with_dma);
static void scsi_host_dev_release(struct device *dev)
{
struct Scsi_Host *shost = dev_to_shost(dev);
- struct device *parent = dev->parent;
/* Wait for functions invoked through call_rcu(&scmd->rcu, ...) */
rcu_barrier();
@@ -366,22 +362,20 @@ static void scsi_host_dev_release(struct device *dev)
if (shost->shost_state == SHOST_CREATED) {
/*
- * Free the shost_dev device name and remove the proc host dir
+ * Drop the reference to shost_dev and remove the proc host dir
* here if scsi_host_{alloc,put}() have been called but neither
- * scsi_host_add() nor scsi_remove_host() has been called.
+ * scsi_add_host() nor scsi_remove_host() has been called.
* This avoids that the memory allocated for the shost_dev
* name as well as the proc dir structure are leaked.
*/
scsi_proc_hostdir_rm(shost->hostt);
- kfree(dev_name(&shost->shost_dev));
+ put_device(&shost->shost_dev);
}
kfree(shost->shost_data);
ida_free(&host_index_ida, shost->host_no);
- if (shost->shost_state != SHOST_CREATED)
- put_device(parent);
kfree(shost);
}
@@ -550,8 +544,8 @@ struct Scsi_Host *scsi_host_alloc(const struct scsi_host_template *sht, int priv
fail:
/*
* Host state is still SHOST_CREATED and that is enough to release
- * ->shost_gendev. scsi_host_dev_release() will free
- * dev_name(&shost->shost_dev).
+ * ->shost_gendev. scsi_host_dev_release() will
+ * put_device(&shost->shost_dev).
*/
put_device(&shost->shost_gendev);
--
2.48.1
Powered by blists - more mailing lists