Re: [PATCH] null_blk: cancel bw_timer on add-device error unwind

Next message: SeongJae Park: "[RFC PATCH 04/11] selftests/damon/sysfs.sh: test multiple probe dirs creation"
Previous message: SeongJae Park: "[RFC PATCH 03/11] mm/damon/tests/core-kunit: test damon_rand()"
In reply to: Cen Zhang: "[PATCH] null_blk: cancel bw_timer on add-device error unwind"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Nilay Shroff

Date: Wed Jun 24 2026 - 10:23:15 EST

On 6/24/26 12:48 PM, Cen Zhang wrote:

null_blk starts the bandwidth hrtimer before the later add_disk/device_add
failure points. If setup fails after the timer is queued, the shared error
unwind frees struct nullb without draining bw_timer, so the callback can
run on freed owner state.

The buggy scenario involves two paths, with each column showing the order
within that path:

null_add_dev() error unwind: nullb_bwtimer_fn() callback path:
1. Start bw_timer for a throttled 1. The hrtimer expires after the free.
device. 2. nullb_bwtimer_fn() recovers the
2. Hit a later add_disk/device_add embedded owner.
failure. 3. The callback reads nullb->dev and
3. Free struct nullb. nullb->q.
4. Release the remaining queue and 4. The stale owner storage is used
disk resources. after free.

Cancel bw_timer in the shared error unwind before put_disk() and the
remaining frees. The normal delete path already uses the same
hrtimer_cancel() drain.

Looks good to me.
Reviewed-by: Nilay Shroff <nilay@xxxxxxxxxxxxx>