Re: Slab corruption in floppy driver module

[Suresh Jayaraman <sjayaraman@suse.com>]

On 01/27/2012 01:07 AM, Vivek Goyal wrote:
> On Thu, Jan 26, 2012 at 10:05:32AM -0800, Tejun Heo wrote:
>>
>> Yeah, this looks correct to me.  It might be better to tone down the
>> comment a bit tho.  Wouldn't it be sufficient to say put_disk() isn't
>> paired with add_disk() and will put one extra time?
> 
> Sure. Toned down the comment as suggested. Here is the new patch.
> 
> floppy: Cleanup disk->queue before caling put_disk() if add_disk() was never called
> 
> add_disk() takes gendisk reference on request queue. If driver failed during
> initialization and never called add_disk() then that extra reference is not
> taken. That reference is put in put_disk(). floppy driver allocates the
> disk, allocates queue, sets disk->queue and then relizes that floppy
> controller is not present. It tries to tear down everything and tries to
> put a reference down in put_disk() which was never taken.
> 
> In such error cases cleanup disk->queue before calling put_disk() so that
> we never try to put down a reference which was never taken in first place.
> 
> Reported-by: Suresh Jayaraman <sjayaraman@suse.com>
> Tested-by: Dirk Gouders <gouders@et.bocholt.fh-gelsenkirchen.de>
> Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
> ---
>  drivers/block/floppy.c |    8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
> 
> Index: linux-2.6/drivers/block/floppy.c
> ===================================================================
> --- linux-2.6.orig/drivers/block/floppy.c	2012-01-15 09:49:14.000000000 -0500
> +++ linux-2.6/drivers/block/floppy.c	2012-01-26 14:35:14.662374464 -0500
> @@ -4368,8 +4368,14 @@ out_unreg_blkdev:
>  out_put_disk:
>  	while (dr--) {
>  		del_timer_sync(&motor_off_timer[dr]);
> -		if (disks[dr]->queue)
> +		if (disks[dr]->queue) {
>  			blk_cleanup_queue(disks[dr]->queue);
> +			/*
> +			 * put_disk() is not paired with add_disk() and
> +			 * will put queue reference one extra time. fix it.
> +			 */
> +			disks[dr]->queue = NULL;
> +		}
>  		put_disk(disks[dr]);
>  	}
>  	return err;
> 

Thanks. With this patch I'm no longer seeing the slab corruption or Oops
which was seen earlier.

   Reported-and-Tested-by: Suresh Jayaraman <sjayaraman@suse.com>


OTOH, is there a small chance that this problem pattern being present
(waiting to be discovered) in other block devices as well...
So far haven't found anything during a quick auditing.