mail archive of the barebox mailing list
From: Sascha Hauer <sha@pengutronix.de>
To: Ahmad Fatoum <a.fatoum@pengutronix.de>
Cc: Holger Assmann <h.assmann@pengutronix.de>, barebox@lists.infradead.org
Subject: Re: [PATCH] fs: jffs2: remove slab cache substitute with malloc
Date: Mon, 22 Nov 2021 10:26:55 +0100	[thread overview]
Message-ID: <20211122092655.GZ6556@pengutronix.de> (raw)
In-Reply-To: <e0d5792d-6c06-5567-9b2f-48f70cecd5c4@pengutronix.de>

On Mon, Nov 22, 2021 at 09:49:35AM +0100, Ahmad Fatoum wrote:
> On 19.11.21 11:10, Holger Assmann wrote:
> > From: Sascha Hauer <s.hauer@pengutronix.de>
> > 
> > Function jffs2_create_slab_caches() was called by the probing stage
> > every time a new jffs2 volume was mounted. This has led to the memory
> > allocation pointers for slab caches to become overwritten. As a result
> > the system crashes at least when trying to unmount more than one volume.
> 
> Freeing data still in use is a bug.
> 
> > In Barebox, the respective (pseudo) slab caches are designed to work as a
> > substitute when code gets ported from Linux. They are no real caches, but
> > function as an interface for malloc and can therefore directly be replaced
> > by it.
> 
> Replacing one API with another is a cleanup and not really related to the
> issue here.

The bug in the jffs2 code is that it allocates global data structures in
probe():

        ...
        jffs2_compressors_init();
        ...
        jffs2_create_slab_caches();
        ...

jffs2_create_slab_caches() has several calls to kmem_cache_create()
which does nothing more than allocating the context data structure for
the kmem_cache. Probing a second jffs2 will overwrite the pointers
returned by kmem_cache_create(), leading to a double free when the
two jffs2 fs are unmounted and jffs2_destroy_slab_caches() is called.
Replacing the kmem_caches with pure malloc indeed fixes this as it makes
allocating the kmem_cache context structure unnecessary.

jffs2_compressors_init() has the same problem. We still need this
function though, so the solution here is to introduce reference
counting so that it is done exactly once in the first probe().

We can introduce the reference counting for both
jffs2_compressors_init() and jffs2_create_slab_caches() in patch 1/2
and replace kmem_cache with malloc in 2/2. Then 2/2 would indeed only be
a cleanup.

Sascha

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
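The probe/unmount sequence Sascha describes, modelled as an added C example. This is not barebox or jffs2 code and not part of the thread: the names (raw_inode_slab, broken_probe, fixed_probe, scenario_broken, scenario_fixed) are hypothetical, and kmem_cache_create() is reduced to the malloc of a context struct that the mail says it amounts to in barebox. Frees go through a small tracker so the second unmount's invalid free is counted rather than actually corrupting the heap.

```c
/* Added example (hypothetical names), not barebox code.
 * Models: global slab-cache pointer created in every probe(), destroyed
 * in every unmount(); mounting two volumes then unmounting both. */
#include <stdlib.h>
#include <stddef.h>

struct kmem_cache { size_t size; };

#define MAX_LIVE 16
static void *live[MAX_LIVE];   /* outstanding allocations */
static int invalid_frees;      /* frees of a pointer that is not live */

static void *tracked_malloc(size_t n)
{
    void *p = malloc(n);
    for (int i = 0; i < MAX_LIVE && p; i++)
        if (!live[i]) { live[i] = p; return p; }
    free(p);
    return NULL;
}

static void tracked_free(void *p)
{
    for (int i = 0; i < MAX_LIVE; i++)
        if (p && live[i] == p) { live[i] = NULL; free(p); return; }
    invalid_frees++;   /* a real free() here would be a double free */
}

static int live_count(void)
{
    int n = 0;
    for (int i = 0; i < MAX_LIVE; i++)
        n += live[i] != NULL;
    return n;
}

/* barebox-style substitute: only allocates the cache context struct. */
static struct kmem_cache *kmem_cache_create(size_t size)
{
    struct kmem_cache *c = tracked_malloc(sizeof(*c));
    if (c) c->size = size;
    return c;
}
static void kmem_cache_destroy(struct kmem_cache *c) { tracked_free(c); }

/* Global cache pointer shared by all mounted volumes (as in the jffs2 port). */
static struct kmem_cache *raw_inode_slab;

/* Broken: each probe() overwrites the global; first context leaks,
 * second unmount frees the same context twice. */
static void broken_probe(void)   { raw_inode_slab = kmem_cache_create(64); }
static void broken_unmount(void) { kmem_cache_destroy(raw_inode_slab); }

/* Fixed: reference count, create on first probe, destroy on last unmount. */
static int slab_users;
static void fixed_probe(void)
{
    if (slab_users++ == 0)
        raw_inode_slab = kmem_cache_create(64);
}
static void fixed_unmount(void)
{
    if (--slab_users == 0) {
        kmem_cache_destroy(raw_inode_slab);
        raw_inode_slab = NULL;
    }
}

static void reset(void)
{
    for (int i = 0; i < MAX_LIVE; i++) { free(live[i]); live[i] = NULL; }
    invalid_frees = 0;
    slab_users = 0;
    raw_inode_slab = NULL;
}

/* Mount two volumes, unmount both; return number of invalid frees seen. */
int scenario_broken(void)
{
    reset();
    broken_probe();  broken_probe();
    broken_unmount(); broken_unmount();
    return invalid_frees;             /* 1: second unmount re-frees the context */
}
int leaked_after_broken(void) { scenario_broken(); return live_count(); } /* 1 */

int scenario_fixed(void)
{
    reset();
    fixed_probe();  fixed_probe();
    fixed_unmount(); fixed_unmount();
    return invalid_frees;             /* 0 */
}
int leaked_after_fixed(void) { scenario_fixed(); return live_count(); }   /* 0 */
```

The same refcount pattern applies to jffs2_compressors_init(), which the mail says still has to run once; only the malloc-for-kmem_cache swap is specific to the slab substitute.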


