linux/drivers/target
Bodo Stroesser 8f33bb2400 scsi: target: tcmu: Fix memory leak caused by wrong uio usage
When user deletes a tcmu device via configFS, tcmu calls
uio_unregister_device(). During that call uio resets its pointer to struct
uio_info provided by tcmu. That means, after uio_unregister_device() uio
will no longer execute any of the callbacks tcmu had set in uio_info.

Especially, if userspace daemon still holds the corresponding uio device
open or mmap'ed while tcmu calls uio_unregister_device(), uio will not call
tcmu_release() when userspace finally closes and munmaps the uio device.

Since tcmu does refcounting for the tcmu device in tcmu_open() and
tcmu_release(), in the described case refcount does not drop to 0 and tcmu
does not free tcmu device's resources.  In extreme cases this can cause
memory leaking of up to 1 GB for a single tcmu device.

After uio_unregister_device(), uio will reject every open, read, write,
mmap from userspace with -EOI. But userspace daemon can still access the
mmap'ed command ring and data area. Therefore tcmu should wait until
userspace munmaps the uio device before it frees the resources, as we don't
want to cause SIGSEGV or SIGBUS to user space.

That said, current refcounting during tcmu_open and tcmu_release does not
work correctly, and refcounting better should be done in the open and close
callouts of the vm_operations_struct, which tcmu assigns to each mmap of
the uio device (because it wants its own page fault handler).

This patch fixes the memory leak by removing refcounting from tcmu_open and
tcmu_close, and instead adding new tcmu_vma_open() and tcmu_vma_close()
handlers that only do refcounting.

Link: https://lore.kernel.org/r/20210218175039.7829-3-bostroesser@gmail.com
Reviewed-by: Mike Christie <michael.christie@oracle.com>
Signed-off-by: Bodo Stroesser <bostroesser@gmail.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2021-02-22 22:35:21 -05:00
iscsi Merge branch '5.11/scsi-fixes' into 5.12/scsi-queue 2021-01-26 21:52:58 -05:00
loopback scsi: tcm_loop: Allow queues, can_queue and cmd_per_lun to be settable 2020-11-04 22:39:38 -05:00
sbp scsi: target: sbp: Remove unneeded semicolon 2021-02-08 22:08:34 -05:00
tcm_fc scsi: target: Make state_list per CPU 2020-11-04 22:39:38 -05:00
Kconfig treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
Makefile
target_core_alua.c scsi: target: alua: Remove in_interrupt() usage in core_alua_check_nonop_delay() 2021-01-22 20:25:25 -05:00
target_core_alua.h
target_core_configfs.c scsi: target: tcmu: Make pgr_support and alua_support attributes writable 2020-05-07 22:39:22 -04:00
target_core_device.c scsi: target: Make state_list per CPU 2020-11-04 22:39:38 -05:00
target_core_fabric_configfs.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
target_core_fabric_lib.c scsi: target: Handle short iSIDs 2020-07-08 00:14:34 -04:00
target_core_file.c scsi: target: file: Don't zero iter before iov_iter_bvec 2021-01-13 00:09:16 -05:00
target_core_file.h
target_core_hba.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
target_core_iblock.c scsi: target: core: Fix fall-through warnings for Clang 2020-12-02 12:59:47 -05:00
target_core_iblock.h
target_core_internal.h scsi: target: Fix xcopy sess release leak 2020-07-08 00:14:34 -04:00
target_core_pr.c scsi: target: core: Prevent underflow for service actions 2021-02-22 22:21:29 -05:00
target_core_pr.h
target_core_pscsi.c block: remove the nr_sects field in struct hd_struct 2020-12-01 14:53:40 -07:00
target_core_pscsi.h
target_core_rd.c scsi: target: rd: Drop double zeroing 2020-10-07 23:50:03 -04:00
target_core_rd.h
target_core_sbc.c scsi: target: Return COMPARE AND WRITE miscompare offsets 2020-11-04 22:02:43 -05:00
target_core_spc.c scsi: target: use an enum to track emulate_ua_intlck_ctrl 2020-02-21 17:37:16 -05:00
target_core_stat.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
target_core_tmr.c scsi: target: Make state_list per CPU 2020-11-04 22:39:38 -05:00
target_core_tpg.c scsi: target: Drop sess_cmd_lock from I/O path 2020-11-04 22:39:37 -05:00
target_core_transport.c scsi: target: core: Add cmd length set before cmd complete 2021-02-22 22:21:29 -05:00
target_core_ua.c scsi: target: use an enum to track emulate_ua_intlck_ctrl 2020-02-21 17:37:16 -05:00
target_core_ua.h
target_core_user.c scsi: target: tcmu: Fix memory leak caused by wrong uio usage 2021-02-22 22:35:21 -05:00
target_core_xcopy.c scsi: target: Fix xcopy sess release leak 2020-07-08 00:14:34 -04:00
target_core_xcopy.h scsi: target: use the stack for XCOPY passthrough cmds 2020-03-29 18:10:59 -04:00