mbox series

[0/2] scsi: target: tcmu: Fix memory leak

Message ID 20210218175039.7829-1-bostroesser@gmail.com (mailing list archive)
Headers show
Series scsi: target: tcmu: Fix memory leak | expand

Message

Bodo Stroesser Feb. 18, 2021, 5:50 p.m. UTC 
This small series applies to Martin's for-next.

This is the third attempt to fix a severe memory leak in tcmu.
Previous patches:
  https://lore.kernel.org/linux-scsi/20201218141534.9918-1-bostroesser@gmail.com/
  and
  https://lore.kernel.org/linux-scsi/20210210194031.7422-1-bostroesser@gmail.com/

Tcmu's refcounting relies on tcmu_open and tcmu_release being
called symmetrically by uio. But that is not true if userspace
daemon holds the uio device open or mmap'ed while tcmu calls
uio_unregister device. So refcount can stay above 0 for ever,
which means that tcmu does not free resources of a tcmu device.
In extreme cases the amount of memory leaked can be > 1 GB for
a single destroyed tcmu device.

This new patch series fixes the problem by moving refcounting from
tcmu_open/tcmu_release to new vm_operations_struct::open/*::close
handlers, which are called under all conditions.

Bodo Stroesser (2):
  scsi: target: tcmu: Move some functions without code change
  scsi: target: tcmu: Fix memory leak caused by wrong uio usage

 drivers/target/target_core_user.c | 189 +++++++++++++++++++++-----------------
 1 file changed, 106 insertions(+), 83 deletions(-)

Comments

Mike Christie Feb. 19, 2021, 7:01 p.m. UTC | #1 
On 2/18/21 11:50 AM, Bodo Stroesser wrote:
> This small series applies to Martin's for-next.
> 
> This is the third attempt to fix a severe memory leak in tcmu.
> Previous patches:
>   https://urldefense.com/v3/__https://lore.kernel.org/linux-scsi/20201218141534.9918-1-bostroesser@gmail.com/__;!!GqivPVa7Brio!Oz9qazrvG2YRDRkm5ey3KEvdVmuukGz523-nIrg5dvnwt1bKlOAjBmh4g8ADxdmcca5_$ 
>   and
>   https://urldefense.com/v3/__https://lore.kernel.org/linux-scsi/20210210194031.7422-1-bostroesser@gmail.com/__;!!GqivPVa7Brio!Oz9qazrvG2YRDRkm5ey3KEvdVmuukGz523-nIrg5dvnwt1bKlOAjBmh4g8ADxY8eTeL_$ 
> 
> Tcmu's refcounting relies on tcmu_open and tcmu_release being
> called symmetrically by uio. But that is not true if userspace
> daemon holds the uio device open or mmap'ed while tcmu calls
> uio_unregister device. So refcount can stay above 0 for ever,
> which means that tcmu does not free resources of a tcmu device.
> In extreme cases the amount of memory leaked can be > 1 GB for
> a single destroyed tcmu device.
> 
> This new patch series fixes the problem by moving refcounting from
> tcmu_open/tcmu_release to new vm_operations_struct::open/*::close
> handlers, which are called under all conditions.
> 
> Bodo Stroesser (2):
>   scsi: target: tcmu: Move some functions without code change
>   scsi: target: tcmu: Fix memory leak caused by wrong uio usage
> 
>  drivers/target/target_core_user.c | 189 +++++++++++++++++++++-----------------
>  1 file changed, 106 insertions(+), 83 deletions(-)
> 

Reviewed-by: Mike Christie <michael.christie@oracle.com>
Martin K. Petersen Feb. 23, 2021, 3:35 a.m. UTC | #2 
Bodo,

> This small series applies to Martin's for-next.
>
> This is the third attempt to fix a severe memory leak in tcmu.

Applied to 5.12/scsi-staging, thanks!
Martin K. Petersen Feb. 26, 2021, 2:22 a.m. UTC | #3 
On Thu, 18 Feb 2021 18:50:37 +0100, Bodo Stroesser wrote:

> This small series applies to Martin's for-next.
> 
> This is the third attempt to fix a severe memory leak in tcmu.
> Previous patches:
>   https://lore.kernel.org/linux-scsi/20201218141534.9918-1-bostroesser@gmail.com/
>   and
>   https://lore.kernel.org/linux-scsi/20210210194031.7422-1-bostroesser@gmail.com/
> 
> [...]

Applied to 5.12/scsi-queue, thanks!

[1/2] scsi: target: tcmu: Move some functions without code change
      https://git.kernel.org/mkp/scsi/c/43bf922cdd62
[2/2] scsi: target: tcmu: Fix memory leak caused by wrong uio usage
      https://git.kernel.org/mkp/scsi/c/8f33bb2400f4