mbox series

[0/2] scsi: target: tcmu: Fix memory leak

Message ID 20210218175039.7829-1-bostroesser@gmail.com
Headers show
Series scsi: target: tcmu: Fix memory leak | expand

Message

Bodo Stroesser Feb. 18, 2021, 5:50 p.m. UTC 
This small series applies to Martin's for-next.

This is the third attempt to fix a severe memory leak in tcmu.
Previous patches:
  https://lore.kernel.org/linux-scsi/20201218141534.9918-1-bostroesser@gmail.com/
  and
  https://lore.kernel.org/linux-scsi/20210210194031.7422-1-bostroesser@gmail.com/

Tcmu's refcounting relies on tcmu_open and tcmu_release being
called symmetrically by uio. But that is not true if userspace
daemon holds the uio device open or mmap'ed while tcmu calls
uio_unregister device. So refcount can stay above 0 for ever,
which means that tcmu does not free resources of a tcmu device.
In extreme cases the amount of memory leaked can be > 1 GB for
a single destroyed tcmu device.

This new patch series fixes the problem by moving refcounting from
tcmu_open/tcmu_release to new vm_operations_struct::open/*::close
handlers, which are called under all conditions.

Bodo Stroesser (2):
  scsi: target: tcmu: Move some functions without code change
  scsi: target: tcmu: Fix memory leak caused by wrong uio usage

 drivers/target/target_core_user.c | 189 +++++++++++++++++++++-----------------
 1 file changed, 106 insertions(+), 83 deletions(-)

Comments

Mike Christie Feb. 19, 2021, 7:01 p.m. UTC | #1 
On 2/18/21 11:50 AM, Bodo Stroesser wrote:
> This small series applies to Martin's for-next.

> 

> This is the third attempt to fix a severe memory leak in tcmu.

> Previous patches:

>   https://urldefense.com/v3/__https://lore.kernel.org/linux-scsi/20201218141534.9918-1-bostroesser@gmail.com/__;!!GqivPVa7Brio!Oz9qazrvG2YRDRkm5ey3KEvdVmuukGz523-nIrg5dvnwt1bKlOAjBmh4g8ADxdmcca5_$ 

>   and

>   https://urldefense.com/v3/__https://lore.kernel.org/linux-scsi/20210210194031.7422-1-bostroesser@gmail.com/__;!!GqivPVa7Brio!Oz9qazrvG2YRDRkm5ey3KEvdVmuukGz523-nIrg5dvnwt1bKlOAjBmh4g8ADxY8eTeL_$ 

> 

> Tcmu's refcounting relies on tcmu_open and tcmu_release being

> called symmetrically by uio. But that is not true if userspace

> daemon holds the uio device open or mmap'ed while tcmu calls

> uio_unregister device. So refcount can stay above 0 for ever,

> which means that tcmu does not free resources of a tcmu device.

> In extreme cases the amount of memory leaked can be > 1 GB for

> a single destroyed tcmu device.

> 

> This new patch series fixes the problem by moving refcounting from

> tcmu_open/tcmu_release to new vm_operations_struct::open/*::close

> handlers, which are called under all conditions.

> 

> Bodo Stroesser (2):

>   scsi: target: tcmu: Move some functions without code change

>   scsi: target: tcmu: Fix memory leak caused by wrong uio usage

> 

>  drivers/target/target_core_user.c | 189 +++++++++++++++++++++-----------------

>  1 file changed, 106 insertions(+), 83 deletions(-)

> 


Reviewed-by: Mike Christie <michael.christie@oracle.com>
Martin K. Petersen Feb. 23, 2021, 3:35 a.m. UTC | #2 
Bodo,

> This small series applies to Martin's for-next.

>

> This is the third attempt to fix a severe memory leak in tcmu.


Applied to 5.12/scsi-staging, thanks!

-- 
Martin K. Petersen	Oracle Linux Engineering
Martin K. Petersen Feb. 26, 2021, 2:22 a.m. UTC | #3 
On Thu, 18 Feb 2021 18:50:37 +0100, Bodo Stroesser wrote:

> This small series applies to Martin's for-next.

> 

> This is the third attempt to fix a severe memory leak in tcmu.

> Previous patches:

>   https://lore.kernel.org/linux-scsi/20201218141534.9918-1-bostroesser@gmail.com/

>   and

>   https://lore.kernel.org/linux-scsi/20210210194031.7422-1-bostroesser@gmail.com/

> 

> [...]


Applied to 5.12/scsi-queue, thanks!

[1/2] scsi: target: tcmu: Move some functions without code change
      https://git.kernel.org/mkp/scsi/c/43bf922cdd62
[2/2] scsi: target: tcmu: Fix memory leak caused by wrong uio usage
      https://git.kernel.org/mkp/scsi/c/8f33bb2400f4

-- 
Martin K. Petersen	Oracle Linux Engineering