On Mon, Nov 22, 2021 at 09:49:35AM +0100, Ahmad Fatoum wrote:
> On 19.11.21 11:10, Holger Assmann wrote:
> > From: Sascha Hauer <s.hauer@xxxxxxxxxxxxxx>
> >
> > Function jffs2_create_slab_caches() was called by the probing stage
> > every time a new jffs2 volume was mounted. This has led to the memory
> > allocation pointers for slab caches to become overwritten. As a result
> > the system crashes at least when trying to unmount more than one volume.
>
> Freeing data still in use is a bug.
>
> > In Barebox, the respective (pseudo) slab caches are designed to work as a
> > substitute when code gets ported from Linux. They are no real caches, but
> > function as an interface for malloc and can therefore directly be replaced
> > by it.
>
> Replacing one API with another is cleanup and not really related to the
> issue here.

The bug in the jffs2 code is that it allocates global data structures in
probe():

...
	jffs2_compressors_init();
...
	jffs2_create_slab_caches();
...

jffs2_create_slab_caches() has several calls to kmem_cache_create() which
does nothing more than allocating the context data structure for the
kmem_cache. Probing a second jffs2 will overwrite the pointers returned by
kmem_cache_create(), leading to a double free when the two jffs2 fs are
unmounted and jffs2_destroy_slab_caches() is called. Replacing the
kmem_caches with pure malloc indeed fixes this as it makes allocating the
kmem_cache context structure unnecessary.

jffs2_compressors_init() has the same problem. We still need this function
though, so the solution here is to introduce reference counting so that it
is done exactly once in the first probe().

We can introduce the reference counting for both jffs2_compressors_init()
and jffs2_create_slab_caches() in patch 1/2 and replace kmem_cache with
malloc in 2/2. Then 2/2 would indeed only be a cleanup.

Sascha

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
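The probe()/unmount() sequence Sascha describes, as an added C illustration that is not barebox or jffs2 code: the global cache pointer is clobbered by a second probe(), and a reference count makes the setup run exactly once. kmem_cache_create()/kmem_cache_destroy() are modelled here as malloc()/free() of a context struct with a small ownership table, so the double free is counted rather than executed; all names are hypothetical.

```c
/* Added illustration, not barebox code: the global slab pointer clobbered by
 * a second probe(), and the refcount fix. kmem_cache_create()/destroy() are
 * modelled as malloc()/free() of a context struct, which is all they do in
 * barebox; the names are hypothetical and double frees are only counted. */
#include <stdlib.h>
#define MAX_CACHES 8
struct kmem_cache { size_t size; };
static struct kmem_cache *slab;          /* global, like jffs2's cache pointers */
static struct kmem_cache *live[MAX_CACHES]; /* contexts currently owned */
static int double_frees, refcount;

static struct kmem_cache *kmem_cache_create(size_t size)
{
    struct kmem_cache *c = malloc(sizeof(*c));
    c->size = size;
    for (int i = 0; i < MAX_CACHES; i++)
        if (!live[i]) { live[i] = c; break; }
    return c;
}

static void kmem_cache_destroy(struct kmem_cache *c)
{
    for (int i = 0; i < MAX_CACHES; i++)
        if (live[i] == c) { live[i] = NULL; free(c); return; }
    double_frees++;                      /* context was already freed */
}

/* Bug: every mount re-creates the cache and overwrites the pointer. */
static void buggy_probe(void)   { slab = kmem_cache_create(64); }
static void buggy_unmount(void) { kmem_cache_destroy(slab); }

/* Fix: create on the first probe only, destroy on the last unmount. */
static void fixed_probe(void)   { if (refcount++ == 0) slab = kmem_cache_create(64); }
static void fixed_unmount(void) { if (--refcount == 0) { kmem_cache_destroy(slab); slab = NULL; } }

/* Mount two volumes, then unmount both; returns the double frees seen. */
static int run_scenario(void (*probe)(void), void (*unmount)(void))
{
    for (int i = 0; i < MAX_CACHES; i++) { free(live[i]); live[i] = NULL; }
    double_frees = refcount = 0; slab = NULL;
    probe(); probe();
    unmount(); unmount();
    return double_frees;
}

/* Contexts still allocated after the scenario (the leaked first cache). */
static int leaked_contexts(void)
{
    int n = 0;
    for (int i = 0; i < MAX_CACHES; i++) n += live[i] != NULL;
    return n;
}
```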