Re: [PATCH] rust: devres: fix leaking call to devm_add_action()

All of lore.kernel.org
 help / color / mirror / Atom feed

From: "Danilo Krummrich" <dakr@kernel.org>
To: "Benno Lossin" <lossin@kernel.org>
Cc: <gregkh@linuxfoundation.org>, <rafael@kernel.org>,
	<ojeda@kernel.org>, <alex.gaynor@gmail.com>,
	<boqun.feng@gmail.com>, <gary@garyguo.net>,
	<bjorn3_gh@protonmail.com>, <a.hindborg@kernel.org>,
	<aliceryhl@google.com>, <tmgross@umich.edu>,
	<rust-for-linux@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
	<stable@vger.kernel.org>
Subject: Re: [PATCH] rust: devres: fix leaking call to devm_add_action()
Date: Tue, 12 Aug 2025 01:15:43 +0200	[thread overview]
Message-ID: <DBZZBNP278NH.2DR4PMWX9HKST@kernel.org> (raw)
In-Reply-To: <DBZYO8O9YTO3.10MKWPYN8YEOB@kernel.org>

On Tue Aug 12, 2025 at 12:45 AM CEST, Benno Lossin wrote:
> On Mon Aug 11, 2025 at 11:44 PM CEST, Danilo Krummrich wrote:
>> When the data argument of Devres::new() is Err(), we leak the preceding
>> call to devm_add_action().
>>
>> In order to fix this, call devm_add_action() in a unit type initializer in
>> try_pin_init!() after the initializers of all other fields.
>>
>> Cc: stable@vger.kernel.org
>> Fixes: f5d3ef25d238 ("rust: devres: get rid of Devres' inner Arc")
>> Signed-off-by: Danilo Krummrich <dakr@kernel.org>
>> ---
>>  rust/kernel/devres.rs | 17 ++++++++++-------
>>  1 file changed, 10 insertions(+), 7 deletions(-)
>>
>> diff --git a/rust/kernel/devres.rs b/rust/kernel/devres.rs
>> index da18091143a6..bfccf4177644 100644
>> --- a/rust/kernel/devres.rs
>> +++ b/rust/kernel/devres.rs
>> @@ -119,6 +119,7 @@ pub struct Devres<T: Send> {
>>      // impls can be removed.
>>      #[pin]
>>      inner: Opaque<Inner<T>>,
>> +    _add_action: (),
>>  }
>>  
>>  impl<T: Send> Devres<T> {
>> @@ -140,7 +141,15 @@ pub fn new<'a, E>(
>>              dev: dev.into(),
>>              callback,
>>              // INVARIANT: `inner` is properly initialized.
>> -            inner <- {
>> +            inner <- Opaque::pin_init(try_pin_init!(Inner {
>> +                    devm <- Completion::new(),
>> +                    revoke <- Completion::new(),
>> +                    data <- Revocable::new(data),
>> +            })),
>> +            // TODO: Replace with "initializer code blocks" [1] once available.
>> +            //
>> +            // [1] https://github.com/Rust-for-Linux/pin-init/pull/69
>> +            _add_action: {
>>                  // SAFETY: `this` is a valid pointer to uninitialized memory.
>>                  let inner = unsafe { &raw mut (*this.as_ptr()).inner };
>>  
>> @@ -153,12 +162,6 @@ pub fn new<'a, E>(
>>                  to_result(unsafe {
>>                      bindings::devm_add_action(dev.as_raw(), Some(callback), inner.cast())
>>                  })?;
>
> I have some bad news, I think this is also wrong: if the
> `devm_add_action` fails, we never drop the contents of `inner`, since
> the destructor of `Opaque` does nothing and we never finished
> construction of `Devres`, so its `Drop` will never be called.

Good catch! For some reason I already had UnsafePinned in mind, but it's still a
TODO to replace the Opaque with UnsafePinned.

> One solution would be to use `pin_chain` on the initializer for `Inner`
> (not opaque). Another one would be to not use opaque, `UnsafePinned`
> actually looks like the better fit for this use-case.

Yeah, the problem should go away with UnsafePinned. Maybe, until we have it, we
can just do the following:

diff --git a/rust/kernel/devres.rs b/rust/kernel/devres.rs
index bfccf4177644..1981201fa7f9 100644
--- a/rust/kernel/devres.rs
+++ b/rust/kernel/devres.rs
@@ -161,6 +161,9 @@ pub fn new<'a, E>(
                 //    live at least as long as the returned `impl PinInit<Self, Error>`.
                 to_result(unsafe {
                     bindings::devm_add_action(dev.as_raw(), Some(callback), inner.cast())
+                }).inspect_err(|_| {
+                    // SAFETY: `inner` is valid for dropping.
+                    unsafe { core::ptr::drop_in_place(inner) };
                 })?;
             },
         })

next prev parent reply	other threads:[~2025-08-11 23:15 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-08-11 21:44 [PATCH] rust: devres: fix leaking call to devm_add_action() Danilo Krummrich
2025-08-11 22:45 ` Benno Lossin
2025-08-11 23:15   ` Danilo Krummrich [this message]
2025-08-12  7:10     ` Benno Lossin

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:bfccf417764 dfblob:1981201fa7f )
 OR (
bs:"Re: [PATCH] rust: devres: fix leaking call to devm_add_action()" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=DBZZBNP278NH.2DR4PMWX9HKST@kernel.org \
    --to=dakr@kernel.org \
    --cc=a.hindborg@kernel.org \
    --cc=alex.gaynor@gmail.com \
    --cc=aliceryhl@google.com \
    --cc=bjorn3_gh@protonmail.com \
    --cc=boqun.feng@gmail.com \
    --cc=gary@garyguo.net \
    --cc=gregkh@linuxfoundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=lossin@kernel.org \
    --cc=ojeda@kernel.org \
    --cc=rafael@kernel.org \
    --cc=rust-for-linux@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=tmgross@umich.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.