mail archive of the barebox mailing list
From: Teresa Remmet <t.remmet@phytec.de>
To: barebox@lists.infradead.org
Subject: [PATCH 10/62] UBI: Fix invalid vfree()
Date: Mon, 23 May 2016 10:25:58 +0200
Message-ID: <1463992010-31537-11-git-send-email-t.remmet@phytec.de>
In-Reply-To: <1463992010-31537-1-git-send-email-t.remmet@phytec.de>

From: Richard Weinberger <richard@nod.at>

The logic of vfree()'ing vol->upd_buf is tied to vol->updating.
In ubi_start_update() vol->updating is set long before vmalloc()'ing
vol->upd_buf. If we encounter a write failure in ubi_start_update()
before vmalloc() the UBI device release function will try to vfree()
vol->upd_buf because vol->updating is set.
Fix this by allocating vol->upd_buf directly after setting vol->updating.

Fixes:
[   31.559338] UBI warning: vol_cdev_release: update of volume 2 not finished, volume is damaged
[   31.559340] ------------[ cut here ]------------
[   31.559343] WARNING: CPU: 1 PID: 2747 at mm/vmalloc.c:1446 __vunmap+0xe3/0x110()
[   31.559344] Trying to vfree() nonexistent vm area (ffffc90001f2b000)
[   31.559345] Modules linked in:
[   31.565620]  0000000000000bba ffff88002a0cbdb0 ffffffff818f0497 ffff88003b9ba148
[   31.566347]  ffff88002a0cbde0 ffffffff8156f515 ffff88003b9ba148 0000000000000bba
[   31.567073]  0000000000000000 0000000000000000 ffff88002a0cbe88 ffffffff8156c10a
[   31.567793] Call Trace:
[   31.568034]  [<ffffffff818f0497>] dump_stack+0x4e/0x7a
[   31.568510]  [<ffffffff8156f515>] ubi_io_write_vid_hdr+0x155/0x160
[   31.569084]  [<ffffffff8156c10a>] ubi_eba_write_leb+0x23a/0x870
[   31.569628]  [<ffffffff81569b36>] vol_cdev_write+0x226/0x380
[   31.570155]  [<ffffffff81179265>] vfs_write+0xb5/0x1f0
[   31.570627]  [<ffffffff81179f8a>] SyS_pwrite64+0x6a/0xa0
[   31.571123]  [<ffffffff818fde12>] system_call_fastpath+0x16/0x1b

Cc: <stable@vger.kernel.org>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
---
 drivers/mtd/ubi/upd.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/drivers/mtd/ubi/upd.c b/drivers/mtd/ubi/upd.c
index c61c277..5e06753 100644
--- a/drivers/mtd/ubi/upd.c
+++ b/drivers/mtd/ubi/upd.c
@@ -124,6 +124,10 @@ int ubi_start_update(struct ubi_device *ubi, struct ubi_volume *vol,
 	ubi_assert(!vol->updating && !vol->changing_leb);
 	vol->updating = 1;
 
+	vol->upd_buf = vmalloc(ubi->leb_size);
+	if (!vol->upd_buf)
+		return -ENOMEM;
+
 	err = set_update_marker(ubi, vol);
 	if (err)
 		return err;
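
Review bot: the new `return -ENOMEM` exits with `vol->updating = 1` still set by the line above it, and the `return err` after `set_update_marker()` now exits with `vol->upd_buf` allocated. Both depend on a release path that tests `vol->updating` and calls `vfree()`, which the commit message describes for the Linux device release function; please confirm barebox has an equivalent path, and if not, reset `vol->updating` on allocation failure and free the buffer before `return err`.
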
@@ -143,14 +147,12 @@ int ubi_start_update(struct ubi_device *ubi, struct ubi_volume *vol,
 		err = clear_update_marker(ubi, vol, 0);
 		if (err)
 			return err;
+
+		vfree(vol->upd_buf);
 		vol->updating = 0;
 		return 0;
 	}
 
-	vol->upd_buf = vmalloc(ubi->leb_size);
-	if (!vol->upd_buf)
-		return -ENOMEM;
-
 	vol->upd_ebs = div_u64(bytes + vol->usable_leb_size - 1,
 			       vol->usable_leb_size);
 	vol->upd_bytes = bytes;
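
Review bot: the added `vfree(vol->upd_buf);` in the early-return branch leaves `vol->upd_buf` holding a stale pointer, so any later code that frees it without checking `vol->updating` would free it twice. Setting `vol->upd_buf = NULL;` right after the `vfree()` makes that harmless. The `return err` after `clear_update_marker()` just above also returns with the buffer still allocated and `vol->updating` set, so it needs the same release-path guarantee or an explicit `vfree()` before returning.
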
-- 
1.9.1

