From: Teresa Remmet <t.remmet@phytec.de>
To: barebox@lists.infradead.org
Subject: [PATCH v2 36/62] UBI: Fix stale pointers in ubi->lookuptbl
Date: Fri, 27 May 2016 09:44:29 +0200 [thread overview]
Message-ID: <1464335095-35180-37-git-send-email-t.remmet@phytec.de> (raw)
In-Reply-To: <1464335095-35180-1-git-send-email-t.remmet@phytec.de>
From: Richard Weinberger <richard@nod.at>
In some error paths the WL sub-system gives up on a PEB
and frees it's ubi_wl_entry struct but does not set
the entry in ubi->lookuptbl to NULL.
Fastmap can stumble over such a stale pointer as it uses
ubi->lookuptbl to find all PEBs.
Fix this by introducing a new helper function which free()s
a WL entry and removes the reference from the lookup table.
Signed-off-by: Richard Weinberger <richard@nod.at>
Conflicts:
drivers/mtd/ubi/wl.c
Fixed minor conflict.
Signed-off-by: Teresa Remmet <t.remmet@phytec.de>
---
drivers/mtd/ubi/wl.c | 47 +++++++++++++++++++++++++++++++----------------
1 file changed, 31 insertions(+), 16 deletions(-)
diff --git a/drivers/mtd/ubi/wl.c b/drivers/mtd/ubi/wl.c
index d168abc..a7ca153 100644
--- a/drivers/mtd/ubi/wl.c
+++ b/drivers/mtd/ubi/wl.c
@@ -194,6 +194,20 @@ static void wl_tree_add(struct ubi_wl_entry *e, struct rb_root *root)
rb_insert_color(&e->u.rb, root);
}
+/**
+ * wl_tree_destroy - destroy a wear-leveling entry.
+ * @ubi: UBI device description object
+ * @e: the wear-leveling entry to add
+ *
+ * This function destroys a wear leveling entry and removes
+ * the reference from the lookup table.
+ */
+static void wl_entry_destroy(struct ubi_device *ubi, struct ubi_wl_entry *e)
+{
+ ubi->lookuptbl[e->pnum] = NULL;
+ kfree(e);
+}
+
#ifndef CONFIG_MTD_UBI_FASTMAP
/**
* do_work - do one pending work.
@@ -1182,7 +1196,7 @@ static int wear_leveling_worker(struct ubi_device *ubi, struct ubi_work *wrk,
err = do_sync_erase(ubi, e1, vol_id, lnum, 0);
if (err) {
if (e2)
- kfree(e2);
+ wl_entry_destroy(ubi, e2);
goto out_ro;
}
@@ -1244,8 +1258,8 @@ out_error:
ubi->move_to_put = ubi->wl_scheduled = 0;
ubi_free_vid_hdr(ubi, vid_hdr);
- kfree(e1);
- kfree(e2);
+ wl_entry_destroy(ubi, e1);
+ wl_entry_destroy(ubi, e2);
out_ro:
ubi_ro_mode(ubi);
@@ -1375,7 +1389,7 @@ static int erase_worker(struct ubi_device *ubi, struct ubi_work *wl_wrk,
if (shutdown) {
dbg_wl("cancel erasure of PEB %d EC %d", pnum, e->ec);
kfree(wl_wrk);
- kfree(e);
+ wl_entry_destroy(ubi, e);
return 0;
}
@@ -1419,7 +1433,7 @@ static int erase_worker(struct ubi_device *ubi, struct ubi_work *wl_wrk,
return err;
}
- kfree(e);
+ wl_entry_destroy(ubi, e);
if (err != -EIO)
/*
* If this is not %-EIO, we have no idea what to do. Scheduling
@@ -1662,9 +1676,10 @@ int ubi_wl_flush(struct ubi_device *ubi, int vol_id, int lnum)
/**
* tree_destroy - destroy an RB-tree.
+ * @ubi: UBI device description object
* @root: the root of the tree to destroy
*/
-static void tree_destroy(struct rb_root *root)
+static void tree_destroy(struct ubi_device *ubi, struct rb_root *root)
{
struct rb_node *rb;
struct ubi_wl_entry *e;
@@ -1686,7 +1701,7 @@ static void tree_destroy(struct rb_root *root)
rb->rb_right = NULL;
}
- kfree(e);
+ wl_entry_destroy(ubi, e);
}
}
}
@@ -1749,7 +1764,7 @@ int ubi_wl_init(struct ubi_device *ubi, struct ubi_attach_info *ai)
ubi_assert(!ubi_is_fm_block(ubi, e->pnum));
ubi->lookuptbl[e->pnum] = e;
if (schedule_erase(ubi, e, aeb->vol_id, aeb->lnum, 0)) {
- kfree(e);
+ wl_entry_destroy(ubi, e);
goto out_free;
}
@@ -1839,9 +1854,9 @@ int ubi_wl_init(struct ubi_device *ubi, struct ubi_attach_info *ai)
out_free:
shutdown_work(ubi);
- tree_destroy(&ubi->used);
- tree_destroy(&ubi->free);
- tree_destroy(&ubi->scrub);
+ tree_destroy(ubi, &ubi->used);
+ tree_destroy(ubi, &ubi->free);
+ tree_destroy(ubi, &ubi->scrub);
kfree(ubi->lookuptbl);
return err;
}
@@ -1858,7 +1873,7 @@ static void protection_queue_destroy(struct ubi_device *ubi)
for (i = 0; i < UBI_PROT_QUEUE_LEN; ++i) {
list_for_each_entry_safe(e, tmp, &ubi->pq[i], u.list) {
list_del(&e->u.list);
- kfree(e);
+ wl_entry_destroy(ubi, e);
}
}
}
@@ -1889,10 +1904,10 @@ void ubi_wl_close(struct ubi_device *ubi)
ubi_fastmap_close(ubi);
shutdown_work(ubi);
protection_queue_destroy(ubi);
- tree_destroy(&ubi->used);
- tree_destroy(&ubi->erroneous);
- tree_destroy(&ubi->free);
- tree_destroy(&ubi->scrub);
+ tree_destroy(ubi, &ubi->used);
+ tree_destroy(ubi, &ubi->erroneous);
+ tree_destroy(ubi, &ubi->free);
+ tree_destroy(ubi, &ubi->scrub);
kfree(ubi->lookuptbl);
}
--
1.9.1
_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
next prev parent reply other threads:[~2016-05-27 7:46 UTC|newest]
Thread overview: 63+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-05-27 7:43 [PATCH v2 00/62] Update UBI Teresa Remmet
2016-05-27 7:43 ` [PATCH v2 01/62] UBI: add missing kmem_cache_free() in process_pool_aeb error path Teresa Remmet
2016-05-27 7:43 ` [PATCH v2 02/62] UBI: Improve comment on work_sem Teresa Remmet
2016-05-27 7:43 ` [PATCH v2 03/62] UBI: ubi_eba_read_leb: Remove in vain variable assignment Teresa Remmet
2016-05-27 7:43 ` [PATCH v2 04/62] UBI: wl: Rename cancel flag to shutdown Teresa Remmet
2016-05-27 7:43 ` [PATCH v2 05/62] UBI: Fix trivial typo in __schedule_ubi_work Teresa Remmet
2016-05-27 7:43 ` [PATCH v2 06/62] UBI: Fastmap: Calc fastmap size correctly Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 07/62] UBI: Extend UBI layer debug/messaging capabilities Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 08/62] UBI: vtbl: Use ubi_eba_atomic_leb_change() Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 09/62] UBI: Fix double free after do_sync_erase() Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 10/62] UBI: Fix invalid vfree() Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 11/62] UBI: extend UBI layer debug/messaging capabilities - cosmetics Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 12/62] UBI: clean-up printing helpers Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 13/62] UBI: do propagate positive error codes up Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 14/62] UBI: Fastmap: Care about the protection queue Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 15/62] UBI: fix missing brace control flow Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 16/62] UBI: account for bitflips in both the VID header and data Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 17/62] UBI: fix out of bounds write Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 18/62] UBI: initialize LEB number variable Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 19/62] UBI: align comment for readability Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 20/62] UBI: Split __wl_get_peb() Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 21/62] UBI: Fastmap: Make ubi_refill_pools() fair Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 22/62] UBI: Fastmap: Don't allocate new ubi_wl_entry objects Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 23/62] UBI: Fastmap: Fix memory leaks while closing the WL sub-system Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 24/62] UBI: Fastmap: Notify user in case of an ubi_update_fastmap() failure Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 25/62] UBI: Fastmap: Wrap fastmap specific function in a ifdef Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 26/62] UBI: Fastmap: Fix fastmap usage in ubi_volume_notify() Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 27/62] UBI: Fastmap: Fix race in ubi_eba_atomic_leb_change() Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 28/62] UBI: Fastmap: Remove bogus ubi_assert() Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 29/62] UBI: Fastmap: Remove eba_orphans logic Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 30/62] UBI: Fastmap: Switch to ro mode if invalidate_fastmap() fails Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 31/62] UBI: Fastmap: Make WL pool size 50% of user pool size Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 32/62] UBI: Fastmap: Fix leb_count unbalance Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 33/62] UBI: Fastmap: Set used_ebs only for static volumes Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 34/62] UBI: Fastmap: Prepare for variable sized fastmaps Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 35/62] UBI: Fastmap: Rework fastmap error paths Teresa Remmet
2016-05-27 7:44 ` Teresa Remmet [this message]
2016-05-27 7:44 ` [PATCH v2 37/62] UBI: Move fastmap specific functions out of wl.c Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 38/62] UBI: Add accessor functions for WL data structures Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 39/62] UBI: Fastmap: Wire up WL accessor functions Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 40/62] UBI: Fastmap: Introduce ubi_fastmap_init() Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 41/62] UBI: Fastmap: Introduce may_reserve_for_fm() Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 42/62] UBI: Fastmap: Remove is_fm_block() Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 43/62] UBI: Fastmap: Fall back to scanning mode after ECC error Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 44/62] UBI: Fastmap: Use max() to get the larger value Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 45/62] UBI: Fastmap: Remove unnecessary `\' Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 46/62] UBI: Fastmap: Rename variables to make them meaningful Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 47/62] UBI: Init vol->reserved_pebs by assignment Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 48/62] UBI: Fastmap: Do not add vol if it already exists Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 49/62] UBI: add a helper function for updatting on-flash layout volumes Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 50/62] UBI: Remove unnecessary `\' Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 51/62] UBI: Validate data_size Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 52/62] UBI: return ENOSPC if no enough space available Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 53/62] UBI: Fastmap: Simplify expression Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 54/62] UBI: Fix typo in comment Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 55/62] UBI: Fix debug message Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 56/62] UBI: Fastmap: Fix PEB array type Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 57/62] UBI: fix use of "VID" vs. "EC" in header self-check Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 58/62] mtd: ubi: fixup error correction in do_sync_erase() Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 59/62] mtd: ubi: don't leak e if schedule_erase() fails Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 60/62] mtd: ubi: wl: avoid erasing a PEB which is empty Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 61/62] ubi: Fix out of bounds write in volume update code Teresa Remmet
2016-05-27 7:44 ` [PATCH v2 62/62] mtd: UBI: Remove ubi_free_fastmap Teresa Remmet
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1464335095-35180-37-git-send-email-t.remmet@phytec.de \
--to=t.remmet@phytec.de \
--cc=barebox@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox