public inbox for linux-block@vger.kernel.org
* [PATCH] null_blk: fix kmemleak by releasing references to fault configfs items
@ 2026-01-12 17:39 Nilay Shroff
  2026-01-12 20:21 ` Jens Axboe
  2026-01-12 23:50 ` Chaitanya Kulkarni
  0 siblings, 2 replies; 5+ messages in thread
From: Nilay Shroff @ 2026-01-12 17:39 UTC (permalink / raw)
  To: linux-block; +Cc: axboe, gjoyce

When CONFIG_BLK_DEV_NULL_BLK_FAULT_INJECTION is enabled, the null-blk
driver sets up fault injection support by creating the timeout_inject,
requeue_inject, and init_hctx_fault_inject configfs items as children
of the top-level nullb configfs group.

However, when the nullb device is removed, the references taken to
these fault-config configfs items are not released. As a result,
kmemleak reports a memory leak, for example:

unreferenced object 0xc00000021ff25c40 (size 32):
  comm "mkdir", pid 10665, jiffies 4322121578
  hex dump (first 32 bytes):
    69 6e 69 74 5f 68 63 74 78 5f 66 61 75 6c 74 5f  init_hctx_fault_
    69 6e 6a 65 63 74 00 88 00 00 00 00 00 00 00 00  inject..........
  backtrace (crc 1a018c86):
    __kmalloc_node_track_caller_noprof+0x494/0xbd8
    kvasprintf+0x74/0xf4
    config_item_set_name+0xf0/0x104
    config_group_init_type_name+0x48/0xfc
    fault_config_init+0x48/0xf0
    0xc0080000180559e4
    configfs_mkdir+0x304/0x814
    vfs_mkdir+0x49c/0x604
    do_mkdirat+0x314/0x3d0
    sys_mkdir+0xa0/0xd8
    system_call_exception+0x1b0/0x4f0
    system_call_vectored_common+0x15c/0x2ec

Fix this by explicitly releasing the references to the fault-config
configfs items when dropping the reference to the top-level nullb
configfs group.

Signed-off-by: Nilay Shroff <nilay@linux.ibm.com>
---
 drivers/block/null_blk/main.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/drivers/block/null_blk/main.c b/drivers/block/null_blk/main.c
index c7c0fb79a6bf..4c0632ab4e1b 100644
--- a/drivers/block/null_blk/main.c
+++ b/drivers/block/null_blk/main.c
@@ -665,12 +665,22 @@ static void nullb_add_fault_config(struct nullb_device *dev)
 	configfs_add_default_group(&dev->init_hctx_fault_config.group, &dev->group);
 }
 
+static void nullb_del_fault_config(struct nullb_device *dev)
+{
+	config_item_put(&dev->init_hctx_fault_config.group.cg_item);
+	config_item_put(&dev->requeue_config.group.cg_item);
+	config_item_put(&dev->timeout_config.group.cg_item);
+}
+
 #else
 
 static void nullb_add_fault_config(struct nullb_device *dev)
 {
 }
 
+static void nullb_del_fault_config(struct nullb_device *dev)
+{
+}
 #endif
 
 static struct
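Review bot: nullb_del_fault_config() drops three references by hand, with no comment saying which get each config_item_put() balances. The only pairing visible in this hunk is configfs_add_default_group() at the end of nullb_add_fault_config(), and the kmemleak trace in the commit message points at the name allocated under fault_config_init(). A one-line comment naming that initial reference would make the teardown auditable. Since the fault groups are registered as default groups of dev->group, it is also worth asking whether configfs_remove_default_groups(&dev->group) could replace the hand-written list, so that a fault group added later cannot be missed.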
@@ -702,7 +712,7 @@ nullb_group_drop_item(struct config_group *group, struct config_item *item)
 		null_del_dev(dev->nullb);
 		mutex_unlock(&lock);
 	}
-
+	nullb_del_fault_config(dev);
 	config_item_put(item);
 }
 
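Review bot: the new nullb_del_fault_config(dev) call in nullb_group_drop_item() takes the address of groups embedded in dev, so it has to stay ahead of config_item_put(item) if that final put can release dev, and nothing in the hunk documents this ordering. A short comment above the call would guard against a later reorder, which could turn the leak fix into a use-after-free.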
-- 
2.52.0



* Re: [PATCH] null_blk: fix kmemleak by releasing references to fault configfs items
  2026-01-12 17:39 Nilay Shroff
@ 2026-01-12 20:21 ` Jens Axboe
  2026-01-13  5:27   ` Nilay Shroff
  2026-01-12 23:50 ` Chaitanya Kulkarni
  1 sibling, 1 reply; 5+ messages in thread
From: Jens Axboe @ 2026-01-12 20:21 UTC (permalink / raw)
  To: Nilay Shroff, linux-block; +Cc: gjoyce

On 1/12/26 10:39 AM, Nilay Shroff wrote:
> When CONFIG_BLK_DEV_NULL_BLK_FAULT_INJECTION is enabled, the null-blk
> driver sets up fault injection support by creating the timeout_inject,
> requeue_inject, and init_hctx_fault_inject configfs items as children
> of the top-level nullb configfs group.
> 
> However, when the nullb device is removed, the references taken to
> these fault-config configfs items are not released. As a result,
> kmemleak reports a memory leak, for example:
> 
> unreferenced object 0xc00000021ff25c40 (size 32):
>   comm "mkdir", pid 10665, jiffies 4322121578
>   hex dump (first 32 bytes):
>     69 6e 69 74 5f 68 63 74 78 5f 66 61 75 6c 74 5f  init_hctx_fault_
>     69 6e 6a 65 63 74 00 88 00 00 00 00 00 00 00 00  inject..........
>   backtrace (crc 1a018c86):
>     __kmalloc_node_track_caller_noprof+0x494/0xbd8
>     kvasprintf+0x74/0xf4
>     config_item_set_name+0xf0/0x104
>     config_group_init_type_name+0x48/0xfc
>     fault_config_init+0x48/0xf0
>     0xc0080000180559e4
>     configfs_mkdir+0x304/0x814
>     vfs_mkdir+0x49c/0x604
>     do_mkdirat+0x314/0x3d0
>     sys_mkdir+0xa0/0xd8
>     system_call_exception+0x1b0/0x4f0
>     system_call_vectored_common+0x15c/0x2ec
> 
> Fix this by explicitly releasing the references to the fault-config
> configfs items when dropping the reference to the top-level nullb
> configfs group.

Seems like this should have a fixes and stable tag, too?

-- 
Jens Axboe



* Re: [PATCH] null_blk: fix kmemleak by releasing references to fault configfs items
  2026-01-12 17:39 Nilay Shroff
  2026-01-12 20:21 ` Jens Axboe
@ 2026-01-12 23:50 ` Chaitanya Kulkarni
  1 sibling, 0 replies; 5+ messages in thread
From: Chaitanya Kulkarni @ 2026-01-12 23:50 UTC (permalink / raw)
  To: Nilay Shroff, linux-block@vger.kernel.org; +Cc: axboe@kernel.dk, gjoyce@ibm.com

On 1/12/26 09:39, Nilay Shroff wrote:
> When CONFIG_BLK_DEV_NULL_BLK_FAULT_INJECTION is enabled, the null-blk
> driver sets up fault injection support by creating the timeout_inject,
> requeue_inject, and init_hctx_fault_inject configfs items as children
> of the top-level nullb configfs group.
>
> However, when the nullb device is removed, the references taken to
> these fault-config configfs items are not released. As a result,
> kmemleak reports a memory leak, for example:
>
> unreferenced object 0xc00000021ff25c40 (size 32):
>    comm "mkdir", pid 10665, jiffies 4322121578
>    hex dump (first 32 bytes):
>      69 6e 69 74 5f 68 63 74 78 5f 66 61 75 6c 74 5f  init_hctx_fault_
>      69 6e 6a 65 63 74 00 88 00 00 00 00 00 00 00 00  inject..........
>    backtrace (crc 1a018c86):
>      __kmalloc_node_track_caller_noprof+0x494/0xbd8
>      kvasprintf+0x74/0xf4
>      config_item_set_name+0xf0/0x104
>      config_group_init_type_name+0x48/0xfc
>      fault_config_init+0x48/0xf0
>      0xc0080000180559e4
>      configfs_mkdir+0x304/0x814
>      vfs_mkdir+0x49c/0x604
>      do_mkdirat+0x314/0x3d0
>      sys_mkdir+0xa0/0xd8
>      system_call_exception+0x1b0/0x4f0
>      system_call_vectored_common+0x15c/0x2ec
>
> Fix this by explicitly releasing the references to the fault-config
> configfs items when dropping the reference to the top-level nullb
> configfs group.
>
> Signed-off-by: Nilay Shroff<nilay@linux.ibm.com>


With the Fixes tag added:

Looks good.

Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>

-ck



* Re: [PATCH] null_blk: fix kmemleak by releasing references to fault configfs items
  2026-01-12 20:21 ` Jens Axboe
@ 2026-01-13  5:27   ` Nilay Shroff
  0 siblings, 0 replies; 5+ messages in thread
From: Nilay Shroff @ 2026-01-13  5:27 UTC (permalink / raw)
  To: Jens Axboe, linux-block; +Cc: gjoyce



On 1/13/26 1:51 AM, Jens Axboe wrote:
> On 1/12/26 10:39 AM, Nilay Shroff wrote:
>> When CONFIG_BLK_DEV_NULL_BLK_FAULT_INJECTION is enabled, the null-blk
>> driver sets up fault injection support by creating the timeout_inject,
>> requeue_inject, and init_hctx_fault_inject configfs items as children
>> of the top-level nullb configfs group.
>>
>> However, when the nullb device is removed, the references taken to
>> these fault-config configfs items are not released. As a result,
>> kmemleak reports a memory leak, for example:
>>
>> unreferenced object 0xc00000021ff25c40 (size 32):
>>   comm "mkdir", pid 10665, jiffies 4322121578
>>   hex dump (first 32 bytes):
>>     69 6e 69 74 5f 68 63 74 78 5f 66 61 75 6c 74 5f  init_hctx_fault_
>>     69 6e 6a 65 63 74 00 88 00 00 00 00 00 00 00 00  inject..........
>>   backtrace (crc 1a018c86):
>>     __kmalloc_node_track_caller_noprof+0x494/0xbd8
>>     kvasprintf+0x74/0xf4
>>     config_item_set_name+0xf0/0x104
>>     config_group_init_type_name+0x48/0xfc
>>     fault_config_init+0x48/0xf0
>>     0xc0080000180559e4
>>     configfs_mkdir+0x304/0x814
>>     vfs_mkdir+0x49c/0x604
>>     do_mkdirat+0x314/0x3d0
>>     sys_mkdir+0xa0/0xd8
>>     system_call_exception+0x1b0/0x4f0
>>     system_call_vectored_common+0x15c/0x2ec
>>
>> Fix this by explicitly releasing the references to the fault-config
>> configfs items when dropping the reference to the top-level nullb
>> configfs group.
> 
> Seems like this should have a fixes and stable tag, too?
> 
Yeah, I will send out v2 with these changes.

Thanks,
--Nilay


* [PATCH] null_blk: fix kmemleak by releasing references to fault configfs items
@ 2026-01-13  5:28 Nilay Shroff
  0 siblings, 0 replies; 5+ messages in thread
From: Nilay Shroff @ 2026-01-13  5:28 UTC (permalink / raw)
  To: linux-block; +Cc: axboe, gjoyce, Nilay Shroff, stable

When CONFIG_BLK_DEV_NULL_BLK_FAULT_INJECTION is enabled, the null-blk
driver sets up fault injection support by creating the timeout_inject,
requeue_inject, and init_hctx_fault_inject configfs items as children
of the top-level nullbX configfs group.

However, when the nullbX device is removed, the references taken to
these fault-config configfs items are not released. As a result,
kmemleak reports a memory leak, for example:

unreferenced object 0xc00000021ff25c40 (size 32):
  comm "mkdir", pid 10665, jiffies 4322121578
  hex dump (first 32 bytes):
    69 6e 69 74 5f 68 63 74 78 5f 66 61 75 6c 74 5f  init_hctx_fault_
    69 6e 6a 65 63 74 00 88 00 00 00 00 00 00 00 00  inject..........
  backtrace (crc 1a018c86):
    __kmalloc_node_track_caller_noprof+0x494/0xbd8
    kvasprintf+0x74/0xf4
    config_item_set_name+0xf0/0x104
    config_group_init_type_name+0x48/0xfc
    fault_config_init+0x48/0xf0
    0xc0080000180559e4
    configfs_mkdir+0x304/0x814
    vfs_mkdir+0x49c/0x604
    do_mkdirat+0x314/0x3d0
    sys_mkdir+0xa0/0xd8
    system_call_exception+0x1b0/0x4f0
    system_call_vectored_common+0x15c/0x2ec

Fix this by explicitly releasing the references to the fault-config
configfs items when dropping the reference to the top-level nullbX
configfs group.

Cc: stable@vger.kernel.org
Fixes: bb4c19e030f4 ("block: null_blk: make fault-injection dynamically configurable per device")
Signed-off-by: Nilay Shroff <nilay@linux.ibm.com>
---
v1->v2:
    Added fixes and stable tags
---
 drivers/block/null_blk/main.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/drivers/block/null_blk/main.c b/drivers/block/null_blk/main.c
index c7c0fb79a6bf..4c0632ab4e1b 100644
--- a/drivers/block/null_blk/main.c
+++ b/drivers/block/null_blk/main.c
@@ -665,12 +665,22 @@ static void nullb_add_fault_config(struct nullb_device *dev)
 	configfs_add_default_group(&dev->init_hctx_fault_config.group, &dev->group);
 }
 
+static void nullb_del_fault_config(struct nullb_device *dev)
+{
+	config_item_put(&dev->init_hctx_fault_config.group.cg_item);
+	config_item_put(&dev->requeue_config.group.cg_item);
+	config_item_put(&dev->timeout_config.group.cg_item);
+}
+
 #else
 
 static void nullb_add_fault_config(struct nullb_device *dev)
 {
 }
 
+static void nullb_del_fault_config(struct nullb_device *dev)
+{
+}
 #endif
 
 static struct
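Review bot: style point on the #else branch: the empty nullb_del_fault_config() stub ends directly against #endif, while the config-enabled definition above is followed by a blank line before #else. Add a blank line after the stub's closing brace so both branches are laid out the same way.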
@@ -702,7 +712,7 @@ nullb_group_drop_item(struct config_group *group, struct config_item *item)
 		null_del_dev(dev->nullb);
 		mutex_unlock(&lock);
 	}
-
+	nullb_del_fault_config(dev);
 	config_item_put(item);
 }
 
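Review bot: the blank line after the closing brace of the locked block is replaced rather than kept, so nullb_del_fault_config(dev) now sits flush against that brace and reads as part of the preceding block. Keep the separator and add the call as a new line, which makes it clear that the release runs unconditionally, outside the block that calls null_del_dev().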
-- 
2.52.0


