From: Dan Carpenter <dan.carpenter@oracle.com>
To: ming.lei@redhat.com
Cc: Sergey Senozhatsky <senozhatsky@chromium.org>,
linux-block@vger.kernel.org
Subject: [bug report] zram: avoid race between zram_remove and disksize_store
Date: Thu, 4 Nov 2021 14:48:30 +0300
Message-ID: <20211104114830.GA4962@kili>
Hello Ming Lei,

The patch 5a4b653655d5: "zram: avoid race between zram_remove and
disksize_store" from Oct 25, 2021, leads to the following Smatch
static checker warning:

        drivers/block/zram/zram_drv.c:2044 zram_remove()
        warn: 'zram->mem_pool' double freed

drivers/block/zram/zram_drv.c
    2002  static int zram_remove(struct zram *zram)
    2003  {
    2004          struct block_device *bdev = zram->disk->part0;
    2005          bool claimed;
    2006
    2007          mutex_lock(&bdev->bd_disk->open_mutex);
    2008          if (bdev->bd_openers) {
    2009                  mutex_unlock(&bdev->bd_disk->open_mutex);
    2010                  return -EBUSY;
    2011          }
    2012
    2013          claimed = zram->claim;
    2014          if (!claimed)
    2015                  zram->claim = true;
    2016          mutex_unlock(&bdev->bd_disk->open_mutex);
    2017
    2018          zram_debugfs_unregister(zram);
    2019
    2020          if (claimed) {
    2021                  /*
    2022                   * If we were claimed by reset_store(), del_gendisk() will
    2023                   * wait until reset_store() is done, so nothing need to do.
    2024                   */
    2025                  ;
    2026          } else {
    2027                  /* Make sure all the pending I/O are finished */
    2028                  sync_blockdev(bdev);
    2029                  zram_reset_device(zram);
                          ^^^^^^^^^^^^^^^^^^^^^^^^
This frees zram->mem_pool in zram_meta_free().

    2030          }
    2031
    2032          pr_info("Removed device: %s\n", zram->disk->disk_name);
    2033
    2034          del_gendisk(zram->disk);
    2035
    2036          /* del_gendisk drains pending reset_store */
    2037          WARN_ON_ONCE(claimed && zram->claim);
    2038
    2039          /*
    2040           * disksize_store() may be called in between zram_reset_device()
    2041           * and del_gendisk(), so run the last reset to avoid leaking
    2042           * anything allocated with disksize_store()
    2043           */
--> 2044          zram_reset_device(zram);

This double frees it.

    2045
    2046          blk_cleanup_disk(zram->disk);
    2047          kfree(zram);
    2048          return 0;
    2049  }

regards,
dan carpenter
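
Added example, not part of the original message or the kernel source: a user-space toy model of the call order at lines 2029-2044 (reset, possible disksize_store(), reset), showing the property to check when triaging this warning, namely whether the reset routine leaves a stale mem_pool pointer or clears it. The struct, the helper names and both reset variants are assumptions; the model does not say which one the kernel implements.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model: names echo the listing, bodies are assumptions. */
struct pool { bool freed; };
struct zram_model { struct pool *mem_pool; };

static struct pool pools[4];
static int npools, live_pools, double_frees;

static struct pool *pool_create(void)
{
	struct pool *p = &pools[npools++];
	p->freed = false;
	live_pools++;
	return p;
}

/* Records a repeated free instead of performing one. */
static void pool_destroy(struct pool *p)
{
	if (p->freed) { double_frees++; return; }
	p->freed = true;
	live_pools--;
}

/* Variant A: frees the pool but leaves the stale pointer behind. */
static void reset_stale(struct zram_model *z)
{
	if (z->mem_pool)
		pool_destroy(z->mem_pool);
}

/* Variant B: clears the pointer, so a repeated call is a no-op. */
static void reset_idempotent(struct zram_model *z)
{
	if (!z->mem_pool)
		return;
	pool_destroy(z->mem_pool);
	z->mem_pool = NULL;
}

/* Order of lines 2029-2044; returns the number of double frees seen. */
static int run_remove(void (*reset)(struct zram_model *), bool store_between)
{
	npools = live_pools = double_frees = 0;
	struct zram_model z = { .mem_pool = pool_create() };

	reset(&z);                          /* line 2029 */
	if (store_between)
		z.mem_pool = pool_create(); /* models disksize_store() */
	reset(&z);                          /* line 2044 */
	return double_frees;
}

int main(void)
{
	printf("stale: %d, idempotent: %d\n",
	       run_remove(reset_stale, false), run_remove(reset_idempotent, false));
	return 0;
}
```
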