The Barebox jffs2 driver initialises global slab caches and compressors within the probing stage [1]. In Barebox, jffs2_create_slab_caches() has several calls to kmem_cache_create() which does nothing more than allocating the context data structure for the kmem_cache. Probing a second jffs2 however will overwrite the original pointers returned by kmem_cache_create(), leading to a double free when more than one jffs2 file system gets unmounted and jffs2_destroy_slab_caches() is called. The same issue exists regarding jffs2_compressors_init().

We can fix this bug by introducing reference counting for both the slab caches and the compressors so that the global data structures are kept as long as at least one file system is present.

[1] jffs2_compressors_init(), jffs2_create_slab_caches() in probe()

Signed-off-by: Sascha Hauer <s.hauer@xxxxxxxxxxxxxx>
Signed-off-by: Holger Assmann <h.assmann@xxxxxxxxxxxxxx>
---
 fs/jffs2/fs.c | 34 ++++++++++++++++++++++------------
 1 file changed, 22 insertions(+), 12 deletions(-)

diff --git a/fs/jffs2/fs.c b/fs/jffs2/fs.c index c1d04c397d..7538252336 100644 --- a/fs/jffs2/fs.c +++ b/fs/jffs2/fs.c @@ -386,6 +386,8 @@ void jffs2_flash_cleanup(struct jffs2_sb_info *c) { } } +static int jffs2_probe_cnt; + static int jffs2_probe(struct device_d *dev) { struct fs_device_d *fsdev; 
@@ -408,17 +410,19 @@ static int jffs2_probe(struct device_d *dev) sb->s_fs_info = ctx; - ret = jffs2_compressors_init(); - if (ret) { - pr_err("error: Failed to initialise compressors\n"); - goto err_out; - } + if (!jffs2_probe_cnt) { + ret = jffs2_compressors_init(); + if (ret) { + pr_err("error: Failed to initialise compressors\n"); + goto err_out; + } - ret = jffs2_create_slab_caches(); - if (ret) { - pr_err("error: Failed to initialise slab caches\n"); - goto err_compressors; - } + ret = jffs2_create_slab_caches(); + if (ret) { + pr_err("error: Failed to initialise slab caches\n"); + goto err_compressors; + } + } if (jffs2_fill_super(fsdev, 0)) { dev_err(dev, "no valid jffs2 found\n"); @@ -426,6 +430,8 @@ static int jffs2_probe(struct device_d *dev) goto err_slab; } + jffs2_probe_cnt++; + return 0; err_slab: @@ -445,8 +451,12 @@ static void jffs2_remove(struct device_d *dev) fsdev = dev_to_fs_device(dev); sb = &fsdev->sb; - jffs2_destroy_slab_caches(); - jffs2_compressors_exit(); + jffs2_probe_cnt--; + + if (!jffs2_probe_cnt) { + jffs2_destroy_slab_caches(); + jffs2_compressors_exit(); + } jffs2_put_super(sb); } -- 2.30.2 _______________________________________________ barebox mailing list barebox@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/barebox
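Review bot: the error path in the jffs2_probe hunk is not guarded by the counter. When jffs2_fill_super() fails on a second mount, the unchanged `goto err_slab;` still runs the err_slab/err_compressors cleanup, which (as the pre-patch unconditional init/exit pairing implies) destroys the slab caches and compressors that the first, still mounted file system owns, so the stale-pointer double free this patch is meant to remove comes back through the failure path. Either wrap the teardown under the labels in the same `if (!jffs2_probe_cnt)` as the init block, or increment jffs2_probe_cnt before jffs2_fill_super() and decrement it again under err_slab, so the teardown only runs for the mount that created the globals.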
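Review bot: `static int jffs2_probe_cnt;` in the first hunk carries no comment, and the name suggests it counts probe attempts while the increment only happens after jffs2_fill_super() succeeds, so it really counts mounted jffs2 instances. A one-line comment at the declaration stating that the slab caches and compressors live while this count is non-zero (or a name such as jffs2_mount_cnt) would make the ownership rule the rest of the patch relies on explicit to the next reader.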
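Review bot: in the jffs2_remove hunk, `jffs2_probe_cnt--;` runs unconditionally before the zero test, so a remove that is not matched by a successful probe drives the counter negative and `if (!jffs2_probe_cnt)` never fires again, leaving the caches and compressors alive for good. That pairing holds today because the increment sits right before `return 0;` in probe, but a cheap guard that refuses to decrement below zero (with an error print) would keep the invariant robust if the probe or remove ordering changes later.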
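To see the lifetime rule the commit message describes in running code, here is an added example in plain C; it is not barebox code and not part of this patch. The kmem_cache_create()/kmem_cache_destroy() bodies, the cache sizes and the fill_super_ok flag are assumptions made for the model: a small registry records which pointers are live so that a repeated destroy is counted as a bad free rather than actually handed to free() twice. The example runs the pre-patch shape (re-create on every probe, destroy on every remove) beside the counted shape, and also covers a second mount that fails after the caches already exist, which the counted probe must survive without tearing down the first mount's caches.

```c
/* Added example, not barebox code: a model of the cache-lifetime bug the
 * commit message describes. kmem_cache_create()/kmem_cache_destroy() are
 * assumed stand-ins (malloc plus a live-pointer registry), not barebox's. */
#include <stdlib.h>

struct kmem_cache { size_t size; };

/* Registry of live caches: destroying a pointer that is not live is counted
 * in bad_frees instead of being passed to free() again (undefined behaviour). */
#define MAX_LIVE 16
static struct kmem_cache *live[MAX_LIVE];
static int live_caches, bad_frees;

static void reset_registry(void)
{
	for (int i = 0; i < MAX_LIVE; i++) { free(live[i]); live[i] = NULL; }
	live_caches = bad_frees = 0;
}

static struct kmem_cache *kmem_cache_create(size_t size)
{
	int i;
	for (i = 0; i < MAX_LIVE && live[i]; i++)
		;
	if (i == MAX_LIVE || !(live[i] = calloc(1, sizeof(struct kmem_cache))))
		return NULL;
	live[i]->size = size;
	live_caches++;
	return live[i];
}

static void kmem_cache_destroy(struct kmem_cache *c)
{
	if (!c)
		return;
	for (int i = 0; i < MAX_LIVE; i++) {
		if (live[i] == c) {
			free(c);
			live[i] = NULL;
			live_caches--;
			return;
		}
	}
	bad_frees++;	/* not live: a double free through a stale global */
}

/* Globals as the driver keeps them; note they are never cleared. */
static struct kmem_cache *raw_node_cache, *full_dnode_cache;

static int create_caches(void)
{
	raw_node_cache = kmem_cache_create(32);	/* sizes are assumptions */
	full_dnode_cache = kmem_cache_create(48);
	if (raw_node_cache && full_dnode_cache)
		return 0;
	kmem_cache_destroy(raw_node_cache);
	kmem_cache_destroy(full_dnode_cache);
	return -1;
}

static void destroy_caches(void)
{
	kmem_cache_destroy(raw_node_cache);
	kmem_cache_destroy(full_dnode_cache);
}

/* Pre-patch shape: every probe re-creates, every remove destroys. */
static int naive_probe(void) { return create_caches(); }
static void naive_remove(void) { destroy_caches(); }

/* Patched shape: create on the first mount, destroy on the last unmount.
 * fill_super_ok stands for the later "no valid jffs2 found" check. */
static int probe_cnt;

static int refcounted_probe(int fill_super_ok)
{
	if (!probe_cnt && create_caches())
		return -1;
	if (!fill_super_ok) {
		/* A failed mount may only tear down caches it created itself;
		 * tearing down unconditionally here would strand the first mount. */
		if (!probe_cnt)
			destroy_caches();
		return -1;
	}
	probe_cnt++;
	return 0;
}

static void refcounted_remove(void)
{
	if (--probe_cnt == 0)
		destroy_caches();
}

struct outcome { int bad_frees; int leaked; };

/* Two mounts, two unmounts with the pre-patch code: {2 bad frees, 2 leaked}. */
static struct outcome run_naive(void)
{
	reset_registry();
	naive_probe();
	naive_probe();		/* second mount overwrites both globals */
	naive_remove();
	naive_remove();		/* destroys the same two pointers again */
	return (struct outcome){ bad_frees, live_caches };
}

/* Same sequence with the counter; second_mount_ok = 0 makes the second
 * mount fail after the caches exist. Either way: {0 bad frees, 0 leaked}. */
static struct outcome run_refcounted(int second_mount_ok)
{
	reset_registry();
	probe_cnt = 0;
	refcounted_probe(1);
	refcounted_probe(second_mount_ok);
	refcounted_remove();
	if (second_mount_ok)
		refcounted_remove();
	return (struct outcome){ bad_frees, live_caches };
}
```

The registry is what makes the bug observable without invoking undefined behaviour: in run_naive the first mount's two caches are never destroyed (leaked) and the second unmount hands two already-freed pointers back to the destroy routine (bad_frees), which is exactly the pattern the counter removes.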