* [PATCH] scsi: core: Correct wrong kfree() usage for `kobj->name`
From: Tzung-Bi Shih @ 2026-01-16 8:13 UTC (permalink / raw)
To: James E.J. Bottomley, Martin K. Petersen
Cc: linux-scsi, linux-kernel, tzungbi, stable
`kobj->name` should be freed by kfree_const()[1][2]. Correct it.
[1] https://elixir.bootlin.com/linux/v6.18/source/lib/kasprintf.c#L41
[2] https://elixir.bootlin.com/linux/v6.18/source/lib/kobject.c#L695
Cc: stable@vger.kernel.org
Fixes: b49493f99690 ("Fix a memory leak in scsi_host_dev_release()")
Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
---
drivers/scsi/hosts.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
index e047747d4ecf..50ec782cf9f4 100644
--- a/drivers/scsi/hosts.c
+++ b/drivers/scsi/hosts.c
@@ -373,7 +373,7 @@ static void scsi_host_dev_release(struct device *dev)
* name as well as the proc dir structure are leaked.
*/
scsi_proc_hostdir_rm(shost->hostt);
- kfree(dev_name(&shost->shost_dev));
+ kfree_const(dev_name(&shost->shost_dev));
}
kfree(shost->shost_data);
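Review bot: the changed line in scsi_host_dev_release() keeps the manual free of dev_name(&shost->shost_dev) and leaves the pointer set in the device afterwards, and neither the commit message nor the comment above scsi_proc_hostdir_rm() says why this path owns the name instead of the kobject release code cited as [2]. Please state the condition of the enclosing block (it is outside the hunk) and why the release of shost_dev cannot run later and free the same name a second time; if that cannot be shown, the name should be released through the device's reference count rather than open-coded here. The commit message would also be easier to review for stable with one line on what goes wrong when kfree() is used, since it only says the call is the wrong one.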
--
2.52.0.457.g6b5491de43-goog
* Re: [PATCH] scsi: core: Correct wrong kfree() usage for `kobj->name`
From: Greg KH @ 2026-01-16 9:00 UTC (permalink / raw)
To: Tzung-Bi Shih
Cc: James E.J. Bottomley, Martin K. Petersen, linux-scsi, linux-kernel, stable

On Fri, Jan 16, 2026 at 08:13:59AM +0000, Tzung-Bi Shih wrote:
> `kobj->name` should be freed by kfree_const()[1][2]. Correct it.
>
> [1] https://elixir.bootlin.com/linux/v6.18/source/lib/kasprintf.c#L41
> [2] https://elixir.bootlin.com/linux/v6.18/source/lib/kobject.c#L695
>
> Cc: stable@vger.kernel.org
> Fixes: b49493f99690 ("Fix a memory leak in scsi_host_dev_release()")
> Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
> ---
> drivers/scsi/hosts.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c > index e047747d4ecf..50ec782cf9f4 100644 > --- a/drivers/scsi/hosts.c > +++ b/drivers/scsi/hosts.c > @@ -373,7 +373,7 @@ static void scsi_host_dev_release(struct device *dev) > * name as well as the proc dir structure are leaked. > */ > scsi_proc_hostdir_rm(shost->hostt); > - kfree(dev_name(&shost->shost_dev)); > + kfree_const(dev_name(&shost->shost_dev));

Shouldn't the struct device name be freed by the driver core for this
device when it goes out of scope? Why is it being manually freed here
at all?

thanks,
greg k-h
* Re: [PATCH] scsi: core: Correct wrong kfree() usage for `kobj->name`
From: Tzung-Bi Shih @ 2026-01-16 9:37 UTC (permalink / raw)
To: Greg KH
Cc: James E.J. Bottomley, Martin K. Petersen, linux-scsi, linux-kernel, stable

On Fri, Jan 16, 2026 at 10:00:11AM +0100, Greg KH wrote:
> On Fri, Jan 16, 2026 at 08:13:59AM +0000, Tzung-Bi Shih wrote:
> > `kobj->name` should be freed by kfree_const()[1][2]. Correct it.
> >
> > [1] https://elixir.bootlin.com/linux/v6.18/source/lib/kasprintf.c#L41
> > [2] https://elixir.bootlin.com/linux/v6.18/source/lib/kobject.c#L695
> >
> > Cc: stable@vger.kernel.org
> > Fixes: b49493f99690 ("Fix a memory leak in scsi_host_dev_release()")
> > Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
> > ---
> > drivers/scsi/hosts.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c > > index e047747d4ecf..50ec782cf9f4 100644 > > --- a/drivers/scsi/hosts.c > > +++ b/drivers/scsi/hosts.c > > @@ -373,7 +373,7 @@ static void scsi_host_dev_release(struct device *dev) > > * name as well as the proc dir structure are leaked. > > */ > > scsi_proc_hostdir_rm(shost->hostt); > > - kfree(dev_name(&shost->shost_dev)); > > + kfree_const(dev_name(&shost->shost_dev));
>
> Shouldn't the struct device name be freed by the driver core for this
> device when it goes out of scope? Why is it being manually freed here
> at all?

Ah, correct. I think the following patch is what it really needs:

diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c index 1b3fbd328277..e3362f445f93 100644 --- a/drivers/scsi/hosts.c +++ b/drivers/scsi/hosts.c @@ -373,7 +373,6 @@ static void scsi_host_dev_release(struct device *dev) * name as well as the proc dir structure are leaked. */ scsi_proc_hostdir_rm(shost->hostt); - kfree(dev_name(&shost->shost_dev)); } kfree(shost->shost_data);
@@ -548,11 +547,7 @@ struct Scsi_Host *scsi_host_alloc(const struct scsi_host_template *sht, int priv goto fail; return shost; fail: - /* - * Host state is still SHOST_CREATED and that is enough to release - * ->shost_gendev. scsi_host_dev_release() will free - * dev_name(&shost->shost_dev). - */ + put_device(&shost->shost_dev); put_device(&shost->shost_gendev); return NULL;
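Review bot: in the hunk at -373 of scsi_host_dev_release(), the context comment still reads "name as well as the proc dir structure are leaked" although the kfree() of the name is removed from this block, so the comment no longer matches what the block does. Reword it to cover only the proc dir, or say where the name is released now.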
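Review bot: at the fail: label in scsi_host_alloc(), put_device(&shost->shost_dev) is added in front of put_device(&shost->shost_gendev) while the comment that explained the release path is deleted, so nothing records which reference each call drops. Check that fail: is reached only after shost_dev has been initialized, and that releasing shost_dev does not also drop a reference on shost_gendev that the second put_device() then drops again; a short replacement comment stating the pairing would settle both.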
* Re: [PATCH] scsi: core: Correct wrong kfree() usage for `kobj->name`
From: Greg KH @ 2026-01-16 10:50 UTC (permalink / raw)
To: Tzung-Bi Shih
Cc: James E.J. Bottomley, Martin K. Petersen, linux-scsi, linux-kernel, stable

On Fri, Jan 16, 2026 at 09:37:07AM +0000, Tzung-Bi Shih wrote:
> On Fri, Jan 16, 2026 at 10:00:11AM +0100, Greg KH wrote:
> > On Fri, Jan 16, 2026 at 08:13:59AM +0000, Tzung-Bi Shih wrote:
> > > `kobj->name` should be freed by kfree_const()[1][2]. Correct it.
> > >
> > > [1] https://elixir.bootlin.com/linux/v6.18/source/lib/kasprintf.c#L41
> > > [2] https://elixir.bootlin.com/linux/v6.18/source/lib/kobject.c#L695
> > >
> > > Cc: stable@vger.kernel.org
> > > Fixes: b49493f99690 ("Fix a memory leak in scsi_host_dev_release()")
> > > Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
> > > ---
> > > drivers/scsi/hosts.c | 2 +-
> > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c > > > index e047747d4ecf..50ec782cf9f4 100644 > > > --- a/drivers/scsi/hosts.c > > > +++ b/drivers/scsi/hosts.c > > > @@ -373,7 +373,7 @@ static void scsi_host_dev_release(struct device *dev) > > > * name as well as the proc dir structure are leaked. > > > */ > > > scsi_proc_hostdir_rm(shost->hostt); > > > - kfree(dev_name(&shost->shost_dev)); > > > + kfree_const(dev_name(&shost->shost_dev));
> >
> > Shouldn't the struct device name be freed by the driver core for this
> > device when it goes out of scope? Why is it being manually freed here
> > at all?
>
> Ah, correct. I think the following patch is what it really needs:
>
> diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c > index 1b3fbd328277..e3362f445f93 100644 > --- a/drivers/scsi/hosts.c > +++ b/drivers/scsi/hosts.c
> @@ -373,7 +373,6 @@ static void scsi_host_dev_release(struct device *dev) > * name as well as the proc dir structure are leaked. > */ > scsi_proc_hostdir_rm(shost->hostt); > - kfree(dev_name(&shost->shost_dev)); > } > > kfree(shost->shost_data); > @@ -548,11 +547,7 @@ struct Scsi_Host *scsi_host_alloc(const struct scsi_host_template *sht, int priv > goto fail; > return shost; > fail: > - /* > - * Host state is still SHOST_CREATED and that is enough to release > - * ->shost_gendev. scsi_host_dev_release() will free > - * dev_name(&shost->shost_dev). > - */ > + put_device(&shost->shost_dev); > put_device(&shost->shost_gendev); > > return NULL;

Can you test this to verify that the leak you were seeing is actually
now handled?

thanks,
greg k-h
* Re: [PATCH] scsi: core: Correct wrong kfree() usage for `kobj->name`
From: Tzung-Bi Shih @ 2026-01-17 19:48 UTC (permalink / raw)
To: Greg KH
Cc: James E.J. Bottomley, Martin K. Petersen, linux-scsi, linux-kernel, stable

On Fri, Jan 16, 2026 at 11:50:15AM +0100, Greg KH wrote:
> On Fri, Jan 16, 2026 at 09:37:07AM +0000, Tzung-Bi Shih wrote:
> > On Fri, Jan 16, 2026 at 10:00:11AM +0100, Greg KH wrote:
> > > On Fri, Jan 16, 2026 at 08:13:59AM +0000, Tzung-Bi Shih wrote:
> > > > `kobj->name` should be freed by kfree_const()[1][2]. Correct it.
> > > >
> > > > [1] https://elixir.bootlin.com/linux/v6.18/source/lib/kasprintf.c#L41
> > > > [2] https://elixir.bootlin.com/linux/v6.18/source/lib/kobject.c#L695
> > > >
> > > > Cc: stable@vger.kernel.org
> > > > Fixes: b49493f99690 ("Fix a memory leak in scsi_host_dev_release()")
> > > > Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
> > > > ---
> > > > drivers/scsi/hosts.c | 2 +-
> > > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > > >
> > > > diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c > > > > index e047747d4ecf..50ec782cf9f4 100644 > > > > --- a/drivers/scsi/hosts.c > > > > +++ b/drivers/scsi/hosts.c > > > > @@ -373,7 +373,7 @@ static void scsi_host_dev_release(struct device *dev) > > > > * name as well as the proc dir structure are leaked. > > > > */ > > > > scsi_proc_hostdir_rm(shost->hostt); > > > > - kfree(dev_name(&shost->shost_dev)); > > > > + kfree_const(dev_name(&shost->shost_dev));
> > >
> > > Shouldn't the struct device name be freed by the driver core for this
> > > device when it goes out of scope? Why is it being manually freed here
> > > at all?
> >
> > Ah, correct. I think the following patch is what it really needs:
> >
> > diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c > > index 1b3fbd328277..e3362f445f93 100644 > > --- a/drivers/scsi/hosts.c
> > +++ b/drivers/scsi/hosts.c > > @@ -373,7 +373,6 @@ static void scsi_host_dev_release(struct device *dev) > > * name as well as the proc dir structure are leaked. > > */ > > scsi_proc_hostdir_rm(shost->hostt); > > - kfree(dev_name(&shost->shost_dev)); > > } > > > > kfree(shost->shost_data); > > @@ -548,11 +547,7 @@ struct Scsi_Host *scsi_host_alloc(const struct scsi_host_template *sht, int priv > > goto fail; > > return shost; > > fail: > > - /* > > - * Host state is still SHOST_CREATED and that is enough to release > > - * ->shost_gendev. scsi_host_dev_release() will free > > - * dev_name(&shost->shost_dev). > > - */ > > + put_device(&shost->shost_dev); > > put_device(&shost->shost_gendev); > > > > return NULL;

The patch doesn't work well. It can cause an underflow on the reference count of `&shost->shost_gendev`. [3] is a more appropriate fix.

> Can you test this to verify that the leak you were seeing is actually
> now handled?

To clarify, the patch wasn't motivated by the leak. But I can reproduce the leak by reverting b49493f99690, manual fault injection, rebinding the driver, and kmemleak. [3] is tested by the scenario.

[3] https://lore.kernel.org/all/20260117193221.152540-1-tzungbi@kernel.org/